]> git.ipfire.org Git - thirdparty/grsecurity-scrape.git/blame - test/changelog-test.txt
projects / thirdparty / grsecurity-scrape.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / changelog-test.txt
CommitLineData
48691cc4
PK		 1commit 5473ce509ab763c927aa2639f7db8aee384d3693
2Author: Eric Dumazet <edumazet@google.com>
3Date: Wed Mar 19 21:02:21 2014 -0700
4
5 Upstream commit: 632623153196bf183a69686ed9c07eee98ff1bf8
6
7 tcp: syncookies: do not use getnstimeofday()
8
9 While it is true that getnstimeofday() uses about 40 cycles if TSC
10 is available, it can use 1600 cycles if hpet is the clocksource.
11
12 Switch to get_jiffies_64(), as this is more than enough, and
13 go back to 60 seconds periods.
14
15 Fixes: 8c27bd75f04f ("tcp: syncookies: reduce cookie lifetime to 128 seconds")
16 Signed-off-by: Eric Dumazet <edumazet@google.com>
17 Cc: Florian Westphal <fw@strlen.de>
18 Acked-by: Florian Westphal <fw@strlen.de>
19 Signed-off-by: David S. Miller <davem@davemloft.net>
20
21 include/net/tcp.h | 11 ++++++-----
22 1 files changed, 6 insertions(+), 5 deletions(-)
23
24commit 580a16424470410a1655dd62f71847725a89e1f0
25Author: Dave Kleikamp <dave.kleikamp@oracle.com>
26Date: Fri Mar 14 10:42:01 2014 -0500
27
28 Upstream commit: 1535bd8adbdedd60a0ee62e28fd5225d66434371
29
30 sparc64: don't treat 64-bit syscall return codes as 32-bit
31
32 When checking a system call return code for an error,
33 linux_sparc_syscall was sign-extending the lower 32-bit value and
34 comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return
35 codes whose lower 32-bits alone would indicate a failure (such as 4G-1).
36 Use the whole 64-bit value to check for errors. Only the 32-bit path
37 should sign extend the lower 32-bit value.
38
39 Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
40 Acked-by: Bob Picco <bob.picco@oracle.com>
41 Acked-by: Allen Pais <allen.pais@oracle.com>
42 Cc: David S. Miller <davem@davemloft.net>
43 Cc: sparclinux@vger.kernel.org
44 Signed-off-by: David S. Miller <davem@davemloft.net>
45
46 arch/sparc/kernel/syscalls.S | 4 ++--
47 1 files changed, 2 insertions(+), 2 deletions(-)
48
49commit 29127b7a71024630e40d98ec08c77e3feb584e7e
50Author: Brad Spengler <spender@grsecurity.net>
51Date: Tue Mar 25 17:07:59 2014 -0400
52
53 update size_overflow hash table
54
55 tools/gcc/size_overflow_hash.data | 6 ++++++
56 1 files changed, 6 insertions(+), 0 deletions(-)
57
58commit d42eece8853149008b9645106936f9cd4ddb38bc
59Merge: df4b222 cb629d4
60Author: Brad Spengler <spender@grsecurity.net>
61Date: Mon Mar 24 19:07:49 2014 -0400
62
63 Merge branch 'pax-test' into grsec-test
64
65commit cb629d4458d7491cc16580860c234f85c463111d
66Merge: 3afa257 896c694
67Author: Brad Spengler <spender@grsecurity.net>
68Date: Mon Mar 24 19:07:30 2014 -0400
69
70 Merge branch 'linux-3.13.y' into pax-test
71
72 Conflicts:
73 arch/x86/kernel/head_32.S
74 drivers/cpufreq/intel_pstate.c
75
76commit df4b2229045f125eaa91dd2a696e56c589f8c962
77Merge: e440e3a 3afa257
78Author: Brad Spengler <spender@grsecurity.net>
79Date: Mon Mar 24 18:55:45 2014 -0400
80
81 Merge branch 'pax-test' into grsec-test
82
83commit 3afa2576ef64a8266c5a2f142e3cb3c970f21d3c
84Author: Brad Spengler <spender@grsecurity.net>
85Date: Mon Mar 24 18:54:38 2014 -0400
86
87 Update to pax-linux-3.13.7-test15.patch:
88 - fixed several compilation problems on arm all*configs, by spender
89 - small update to gcc-common.h
90 - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only)
91
92 Makefile | 2 +-
93 arch/arm/include/asm/uaccess.h | 1 +
94 arch/ia64/include/asm/uaccess.h | 1 +
95 arch/powerpc/include/asm/uaccess.h | 1 +
96 arch/powerpc/mm/mmap.c | 6 +++---
97 arch/s390/include/asm/uaccess.h | 1 +
98 arch/x86/include/asm/uaccess.h | 2 +-
99 arch/x86/include/asm/uaccess_64.h | 12 ++++++------
100 8 files changed, 15 insertions(+), 11 deletions(-)
101
ba55a556
PK		 102commit e440e3aa4b4662f8d811120a87f51d8ab48d9c90
103Author: Brad Spengler <spender@grsecurity.net>
104Date: Thu Mar 20 23:16:11 2014 -0400
105
106 convert hvc tty driver to proper refcounted atomics on port.count, fixes ppc64 allyesconfig compilation
107
108 drivers/tty/hvc/hvsi.c | 10 +++++-----
109 1 files changed, 5 insertions(+), 5 deletions(-)
110
111commit 013c6d73e4a4ae358ee180b40428f3dd04dd3aa8
112Author: Brad Spengler <spender@grsecurity.net>
113Date: Thu Mar 20 22:53:31 2014 -0400
114
115 add local_unchecked_t accessors to fix ppc64 compilation
116
117 arch/powerpc/include/asm/local.h | 15 +++++++++++++++
118 1 files changed, 15 insertions(+), 0 deletions(-)
119
120commit 1cffa7895513b754c95673b12a8c638797e5b7e2
121Author: Brad Spengler <spender@grsecurity.net>
122Date: Thu Mar 20 22:25:47 2014 -0400
123
124 add access_ok_noprefault macro to fix ppc64+kvm compilation, patch
125 from pipacs
126
127 arch/arm/include/asm/uaccess.h | 1 +
128 arch/arm64/include/asm/uaccess.h | 1 +
129 arch/ia64/include/asm/uaccess.h | 1 +
130 arch/mips/include/asm/uaccess.h | 1 +
131 arch/powerpc/include/asm/uaccess.h | 1 +
132 arch/s390/include/asm/uaccess.h | 1 +
133 arch/x86/include/asm/uaccess.h | 2 +-
134 arch/x86/include/asm/uaccess_64.h | 12 ++++++------
135 arch/x86/mm/gup.c | 4 ++--
136 virt/kvm/kvm_main.c | 2 +-
137 10 files changed, 16 insertions(+), 10 deletions(-)
138
139commit 58bdcb9b494eb7ab916ead7944e444d0a6af5002
140Author: Brad Spengler <spender@grsecurity.net>
141Date: Thu Mar 20 21:53:32 2014 -0400
142
143 correct function definition for kvm_arch_init() to fix compilation on ppc64
144
145 arch/powerpc/kvm/powerpc.c | 2 +-
146 1 files changed, 1 insertions(+), 1 deletions(-)
147
148commit e3eb6820bfec5b4a4bfbb0056c057d50b8df4997
149Author: Brad Spengler <spender@grsecurity.net>
150Date: Thu Mar 20 21:47:35 2014 -0400
151
152 fix ppc64 allyesconfig compilation with RANDSTRUCT
153
154 arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 ++--
155 1 files changed, 2 insertions(+), 2 deletions(-)
156
157commit fb017032977cb38d750fe9b9a11d22fc565e576f
158Author: Brad Spengler <spender@grsecurity.net>
159Date: Thu Mar 20 21:36:39 2014 -0400
160
161 use $(LATENT_ENTROPY_PLUGIN_CFLAGS)
162
163 arch/powerpc/kernel/Makefile | 2 +-
164 1 files changed, 1 insertions(+), 1 deletions(-)
165
166commit e795367c8c4d750c3900f6546365ca27b9a8aad5
167Author: Brad Spengler <spender@grsecurity.net>
168Date: Thu Mar 20 21:24:01 2014 -0400
169
170 move REMOVE_CFLAGS
171
172 arch/powerpc/kernel/Makefile | 4 ++--
173 1 files changed, 2 insertions(+), 2 deletions(-)
174
175commit f80a67cf62542dbab790fcad2395c00e6534c26d
176Author: Brad Spengler <spender@grsecurity.net>
177Date: Thu Mar 20 20:30:35 2014 -0400
178
179 fix compilation by removing the latent entropy plugin from prom_init.c -- there's
180 a script for ppc64 that checks the object file for a whitelisted set of
181 exported symbols, code is very fragile
182
183 arch/powerpc/kernel/Makefile | 2 ++
184 1 files changed, 2 insertions(+), 0 deletions(-)
185
186commit cafe563e6cc19e3510c2f341c12440fdbd77a2aa
187Author: Brad Spengler <spender@grsecurity.net>
188Date: Thu Mar 20 20:28:07 2014 -0400
189
190 export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64
191
192 Makefile | 2 +-
193 1 files changed, 1 insertions(+), 1 deletions(-)
194
195commit 90330189b37110d8343edd37147bb5c666feede4
196Author: Brad Spengler <spender@grsecurity.net>
197Date: Thu Mar 20 20:24:53 2014 -0400
198
199 fix ppc64 compilation, pass mm_struct through from arch_pick_mmap_layout
200
201 arch/powerpc/mm/mmap.c | 8 ++++----
202 1 files changed, 4 insertions(+), 4 deletions(-)
203
204commit 765a84b5300316d57eb9b82f7d941750d9ddf9ec
205Author: Brad Spengler <spender@grsecurity.net>
206Date: Wed Mar 19 21:53:12 2014 -0400
207
208 add ktla_ktva/ktva_ktla to sparc to fix compilation
209
210 arch/sparc/include/asm/pgtable.h | 4 ++++
211 1 files changed, 4 insertions(+), 0 deletions(-)
212
213commit 896004e18909d7de9ffe295180e12c275a623990
214Author: Brad Spengler <spender@grsecurity.net>
215Date: Wed Mar 19 21:32:20 2014 -0400
216
217 remove __read_mostly on ip_vs_genl_ops[], it's const so the attribute is bogus and causes compilation failure on MIPS
218
219 net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
220 1 files changed, 1 insertions(+), 1 deletions(-)
221
222commit 143dcb4ff8b259163f978c468663dcaebfe573b4
223Author: Brad Spengler <spender@grsecurity.net>
224Date: Wed Mar 19 21:18:46 2014 -0400
225
226 Include second patch needed for compilation, not yet included by
227 upstream (so MIPS compilation is broken there):
228 http://patchwork.linux-mips.org/patch/6585/
229
230 arch/mips/include/asm/ftrace.h | 20 ++++++++++----------
231 1 files changed, 10 insertions(+), 10 deletions(-)
232
233commit b464eb7ac1132953ab99ff25826478e32690844f
234Author: Markos Chandras <markos.chandras@imgtec.com>
235Date: Wed Jan 22 14:39:57 2014 +0000
236
237 Upstream commit: a8031d2ce15bdb90baeae02d7a231ccece73da8b
238
239 MIPS: asm: syscall: Fix copying system call arguments
240
241 The syscall_get_arguments function expects the arguments to be copied
242 to the '*args' argument but instead a local variable was used to hold
243 the system call argument. As a result of which, this variable was
244 never passed to the filter and any filter testing the system call
245 arguments would fail. This is fixed by passing the '*args' variable
246 as the destination memory for the system call arguments.
247
248 Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
249 Reviewed-by: Paul Burton <paul.burton@imgtec.com>
250 Reviewed-by: James Hogan <james.hogan@imgtec.com>
251 Cc: linux-mips@linux-mips.org
252 Patchwork: https://patchwork.linux-mips.org/patch/6402/
253 Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
254
255 arch/mips/include/asm/syscall.h | 3 +--
256 1 files changed, 1 insertions(+), 2 deletions(-)
257
258commit b8f9d6f82e2fb814be37391109623d79e297571d
259Author: Brad Spengler <spender@grsecurity.net>
260Date: Wed Mar 19 21:01:40 2014 -0400
261
262 add ktla_ktva/ktva_ktla macros to MIPS
263
264 arch/mips/include/asm/pgtable.h | 3 +++
265 1 files changed, 3 insertions(+), 0 deletions(-)
266
267commit f0f660649f3b2cf1d448940ca8b7f4ab4249d8ce
268Author: Brad Spengler <spender@grsecurity.net>
269Date: Wed Mar 19 20:46:38 2014 -0400
270
271 include linux/prefetch.h to fix mips compilation
272
273 grsecurity/gracl.c | 1 +
274 1 files changed, 1 insertions(+), 0 deletions(-)
275
276commit 514ec7617daa1a925a0ec0fa910335396213ef45
277Author: Brad Spengler <spender@grsecurity.net>
278Date: Wed Mar 19 20:45:59 2014 -0400
279
280 Revert "fix compiler warning in hugetlbfs code"
281
282 This reverts commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0.
283
284 fs/hugetlbfs/inode.c | 2 +-
285 1 files changed, 1 insertions(+), 1 deletions(-)
286
287commit 6da49b57e2795853a453f596e0b874aece27aa4b
288Author: Viller Hsiao <villerhsiao@gmail.com>
289Date: Sat Feb 22 15:46:49 2014 +0800
290
291 Upstream commit: a4671094227d11985c06ee1178d7205c5fd39f8a
292
293 MIPS: ftrace: Fix icache flush range error
294
295 In 32-bit mode, the start address passed to flush_icache_range is
296 shifted by 4 bytes before the second safe_store_code() call.
297
298 This causes system crash from time to time because the first 4 bytes
299 might not be flushed properly. This bug exists since linux-3.8.
300
301 Also remove obsoleted comment while at it.
302
303 Signed-off-by: Viller Hsiao <villerhsiao@gmail.com>
304 Cc: linux-mips@linux-mips.org
305 Cc: rostedt@goodmis.org
306 Cc: fweisbec@gmail.com
307 Cc: mingo@redhat.com
308 Cc: Qais.Yousef@imgtec.com
309 Patchwork: https://patchwork.linux-mips.org/patch/6586/
310 Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
311
312 arch/mips/kernel/ftrace.c | 5 ++---
313 1 files changed, 2 insertions(+), 3 deletions(-)
314
315commit 624ddea7bbda3535b7c9a779b6ff149e93863321
316Author: Lars Persson <lars.persson@axis.com>
317Date: Mon Mar 17 12:14:13 2014 +0100
318
319 Upstream commit: 86ca57b5a5525dbf89fc2a3285781fae807276b0
320
321 MIPS: Fix syscall tracing interface
322
323 Fix pointer computation for stack-based arguments.
324
325 Signed-off-by: Lars Persson <larper@axis.com>
326 Cc: linux-mips@linux-mips.org
327 Patchwork: https://patchwork.linux-mips.org/patch/6620/
328 Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
329
330 arch/mips/include/asm/syscall.h | 4 ++--
331 1 files changed, 2 insertions(+), 2 deletions(-)
332
333commit 7bf3daf307906cd7d03cb6eb64559ee98cdf3182
334Author: Brad Spengler <spender@grsecurity.net>
335Date: Wed Mar 19 20:28:16 2014 -0400
336
337 fix octeon compilation, add __maybe_unused to usp local var
338
339 arch/mips/include/asm/syscall.h | 2 +-
340 1 files changed, 1 insertions(+), 1 deletions(-)
341
342commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0
343Author: Brad Spengler <spender@grsecurity.net>
344Date: Wed Mar 19 19:46:52 2014 -0400
345
346 fix compiler warning in hugetlbfs code
347
348 fs/hugetlbfs/inode.c | 2 +-
349 1 files changed, 1 insertions(+), 1 deletions(-)
350
351commit 43783f55374fe9bafc064ceacf915920ca45a6c5
352Merge: e018f0a aae8b87
353Author: Brad Spengler <spender@grsecurity.net>
354Date: Mon Mar 17 19:51:01 2014 -0400
355
356 Merge branch 'pax-test' into grsec-test
357
358 Conflicts:
359 drivers/gpio/gpio-rcar.c
360
361commit aae8b8720beec7c79d17ddd4f7d55bac0e83d5c6
362Author: Brad Spengler <spender@grsecurity.net>
363Date: Mon Mar 17 19:48:43 2014 -0400
364
365 Update to pax-linux-3.13.6-test14.patch:
366 - fixed several compilation problems on arm all*configs, by spender
367 - small update to gcc-common.h
368 - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only)
369
370 arch/arm/include/asm/page.h | 1 +
371 drivers/base/power/domain.c | 4 +-
372 drivers/gpio/gpio-em.c | 2 +-
373 drivers/gpio/gpio-rcar.c | 2 +-
374 drivers/mfd/ab8500-debugfs.c | 2 +-
375 drivers/net/can/Kconfig | 2 +-
376 drivers/staging/imx-drm/imx-drm-core.c | 6 +-
377 include/linux/pm_domain.h | 2 +-
378 tools/gcc/gcc-common.h | 12 +++
379 tools/gcc/size_overflow_plugin.c | 116 +++++++++++++++++++++++---------
380 10 files changed, 106 insertions(+), 43 deletions(-)
381
382commit e018f0a38370496abe4289911eb67f1816cdc65d
383Author: Brad Spengler <spender@grsecurity.net>
384Date: Mon Mar 17 19:12:04 2014 -0400
385
386 move the location of the include to suit pipacs' OCD
387
388 arch/arm/include/asm/page.h | 3 +--
389 1 files changed, 1 insertions(+), 2 deletions(-)
390
391commit bb6742b0e35d1ee42ec643ea921a340d672ec3bc
392Author: Brad Spengler <spender@grsecurity.net>
393Date: Mon Mar 17 18:01:11 2014 -0400
394
395 revert lustre change, we'll include compiler.h from asm/page.h instead
396
397 .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 -
398 1 files changed, 0 insertions(+), 1 deletions(-)
399
400commit a39c965db54a571780b9844d93cfec71265b2c5e
401Author: Brad Spengler <spender@grsecurity.net>
402Date: Mon Mar 17 18:00:13 2014 -0400
403
404 fix ARM compilation with constify plugin
405
406 arch/arm/include/asm/page.h | 2 ++
407 1 files changed, 2 insertions(+), 0 deletions(-)
408
409commit 721fb83dc182e1442311b8ca3a986963f9cf2b76
410Author: Brad Spengler <spender@grsecurity.net>
411Date: Mon Mar 17 17:18:04 2014 -0400
412
413 move header ordering
414
415 .../lustre/include/linux/lnet/linux/lib-lnet.h | 2 +-
416 1 files changed, 1 insertions(+), 1 deletions(-)
417
418commit 985afa44870e690fce35adf47979a99855db3323
419Author: Brad Spengler <spender@grsecurity.net>
420Date: Mon Mar 17 17:02:24 2014 -0400
421
422 compile fix for lustre on ARM with constify plugin
423
424 .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 +
425 1 files changed, 1 insertions(+), 0 deletions(-)
426
427commit e5c4fe3e8fb7e1a64f1ab29887b7f787cc989c24
428Author: Brad Spengler <spender@grsecurity.net>
429Date: Mon Mar 17 16:04:34 2014 -0400
430
431 fix compiler error caused by constify plugin on ARM
432
433 drivers/mfd/ab8500-debugfs.c | 2 +-
434 1 files changed, 1 insertions(+), 1 deletions(-)
435
436commit b6e2f644cf05a858d3988fb9bb8a8ca6c0beeff4
437Author: Brad Spengler <spender@grsecurity.net>
438Date: Mon Mar 17 15:46:53 2014 -0400
439
440 fix more compile errors caused by RANDSTRUCT and constify plugins on ARM
441
442 drivers/base/power/domain.c | 4 ++--
443 include/linux/pm_domain.h | 2 +-
444 2 files changed, 3 insertions(+), 3 deletions(-)
445
446commit 2d33f0f25f7ee45412728f8bad6ef97b5bf40a66
447Author: Brad Spengler <spender@grsecurity.net>
448Date: Mon Mar 17 15:34:17 2014 -0400
449
450 fix another compile error caused by constify plugin on ARM
451
452 drivers/gpio/gpio-rcar.c | 2 +-
453 1 files changed, 1 insertions(+), 1 deletions(-)
454
455commit 05b33c660567d4dc74ebcd06e996bf0656146757
456Author: Brad Spengler <spender@grsecurity.net>
457Date: Mon Mar 17 15:08:49 2014 -0400
458
459 fix compile error caused by constify plugin on ARM
460
461 drivers/gpio/gpio-em.c | 2 +-
462 1 files changed, 1 insertions(+), 1 deletions(-)
463
464commit b9c8e0a83ba19e0228317675ffb4e1c1fb175b31
465Author: Brad Spengler <spender@grsecurity.net>
466Date: Sun Mar 16 21:17:20 2014 -0400
467
468 fix allyesconfig compilation with PAX_REFCOUNT
469
470 drivers/staging/imx-drm/imx-drm-core.c | 6 +++---
471 1 files changed, 3 insertions(+), 3 deletions(-)
472
473commit b855bafd2e8d4b50c13586e5a00905fb9c03ed5a
474Author: Brad Spengler <spender@grsecurity.net>
475Date: Sun Mar 16 21:04:10 2014 -0400
476
477 fix arm allmodconfig
478
479 drivers/net/can/Kconfig | 2 +-
480 1 files changed, 1 insertions(+), 1 deletions(-)
481
482commit 611bf735a4def802205cc83a131ec9c77c194662
483Author: Brad Spengler <spender@grsecurity.net>
484Date: Fri Mar 14 20:12:02 2014 -0400
485
486 add /usr/share/apport/apport to the allowed userland exec paths --
487 because apparently some distros have no problem just throwing
488 critical binaries around anywhere.
489
490 kernel/kmod.c | 3 ++-
491 1 files changed, 2 insertions(+), 1 deletions(-)
492
493commit 51692fc9a6be048dd0500f78f97aed4db87bc359
494Merge: 54fa0d5 7fcc1d0
495Author: Brad Spengler <spender@grsecurity.net>
496Date: Fri Mar 14 20:09:56 2014 -0400
497
498 Merge branch 'pax-test' into grsec-test
499
500 Conflicts:
501 arch/mips/mm/mmap.c
502
503commit 7fcc1d01537c3e4d4cb3494b4e19890864473376
504Author: Brad Spengler <spender@grsecurity.net>
505Date: Fri Mar 14 20:08:19 2014 -0400
506
507 Update to pax-linux-3.13.6-test13.patch:
508 - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de>
509
510 arch/arm/include/asm/proc-fns.h | 2 +-
511 arch/arm/kernel/setup.c | 4 ++--
512 arch/arm/mm/mmu.c | 2 +-
513 arch/mips/cavium-octeon/dma-octeon.c | 2 +-
514 arch/mips/include/asm/hw_irq.h | 2 +-
515 arch/mips/kernel/i8259.c | 2 +-
516 arch/mips/kernel/irq-gt641xx.c | 2 +-
517 arch/mips/kernel/reset.c | 4 ++++
518 arch/mips/mm/mmap.c | 2 +-
519 arch/mips/pci/pci-octeon.c | 4 ++--
520 arch/mips/pci/pcie-octeon.c | 12 ++++++------
521 arch/mips/sni/rm200.c | 2 +-
522 arch/mips/vr41xx/common/icu.c | 2 +-
523 arch/mips/vr41xx/common/irq.c | 4 ++--
524 arch/x86/kernel/cpu/common.c | 2 +-
525 drivers/staging/octeon/ethernet-rx.c | 2 +-
526 ipc/mq_sysctl.c | 2 +-
527 kernel/panic.c | 2 +-
528 18 files changed, 29 insertions(+), 25 deletions(-)
529
530commit 54fa0d51929173d4eb6c060ea966ec5abe32faaf
531Author: Brad Spengler <spender@grsecurity.net>
532Date: Wed Mar 12 22:54:32 2014 -0400
533
534 add support for PAX_EMUTRAMP by default in the autoconfig
535
536 security/Kconfig | 5 +++--
537 1 files changed, 3 insertions(+), 2 deletions(-)
538
539commit 1a3518d87b5faa66b5684569bfe84024edc955ce
540Author: Laura Abbott <lauraa@codeaurora.org>
541Date: Mon Mar 10 15:49:44 2014 -0700
542
543 Upstream commit: 2af120bc040c5ebcda156df6be6a66610ab6957f
544
545 mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block
546
547 We received several reports of bad page state when freeing CMA pages
548 previously allocated with alloc_contig_range:
549
550 BUG: Bad page state in process Binder_A pfn:63202
551 page:d21130b0 count:0 mapcount:1 mapping: (null) index:0x7dfbf
552 page flags: 0x40080068(uptodate|lru|active|swapbacked)
553
554 Based on the page state, it looks like the page was still in use. The
555 page flags do not make sense for the use case though. Further debugging
556 showed that despite alloc_contig_range returning success, at least one
557 page in the range still remained in the buddy allocator.
558
559 There is an issue with isolate_freepages_block. In strict mode (which
560 CMA uses), if any pages in the range cannot be isolated,
561 isolate_freepages_block should return failure 0. The current check
562 keeps track of the total number of isolated pages and compares against
563 the size of the range:
564
565 if (strict && nr_strict_required > total_isolated)
566 total_isolated = 0;
567
568 After taking the zone lock, if one of the pages in the range is not in
569 the buddy allocator, we continue through the loop and do not increment
570 total_isolated. If in the last iteration of the loop we isolate more
571 than one page (e.g. last page needed is a higher order page), the check
572 for total_isolated may pass and we fail to detect that a page was
573 skipped. The fix is to bail out if the loop immediately if we are in
574 strict mode. There's no benfit to continuing anyway since we need all
575 pages to be isolated. Additionally, drop the error checking based on
576 nr_strict_required and just check the pfn ranges. This matches with
577 what isolate_freepages_range does.
578
579 Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
580 Acked-by: Minchan Kim <minchan@kernel.org>
581 Cc: Mel Gorman <mgorman@suse.de>
582 Acked-by: Vlastimil Babka <vbabka@suse.cz>
583 Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
584 Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
585 Acked-by: Michal Nazarewicz <mina86@mina86.com>
586 Cc: <stable@vger.kernel.org>
587 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
588 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
589
590 mm/compaction.c | 20 +++++++++++++-------
591 1 files changed, 13 insertions(+), 7 deletions(-)
592
593commit 6c2a0937a7bb61db66b01160334fa83c93c05c7b
594Author: Artem Fetishev <artem_fetishev@epam.com>
595Date: Mon Mar 10 15:49:45 2014 -0700
596
597 Upstream commit: 70335abb2689c8cd5df91bf2d95a65649addf50b
598
599 fs/proc/base.c: fix GPF in /proc/$PID/map_files
600
601 The expected logic of proc_map_files_get_link() is either to return 0
602 and initialize 'path' or return an error and leave 'path' uninitialized.
603
604 By the time dname_to_vma_addr() returns 0 the corresponding vma may have
605 already be gone. In this case the path is not initialized but the
606 return value is still 0. This results in 'general protection fault'
607 inside d_path().
608
609 Steps to reproduce:
610
611 CONFIG_CHECKPOINT_RESTORE=y
612
613 fd = open(...);
614 while (1) {
615 mmap(fd, ...);
616 munmap(fd, ...);
617 }
618
619 ls -la /proc/$PID/map_files
620
621 Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991
622
623 Signed-off-by: Artem Fetishev <artem_fetishev@epam.com>
624 Signed-off-by: Aleksandr Terekhov <aleksandr_terekhov@epam.com>
625 Reported-by: <wiebittewas@gmail.com>
626 Acked-by: Pavel Emelyanov <xemul@parallels.com>
627 Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
628 Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
629 Cc: <stable@vger.kernel.org>
630 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
631 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
632
633 fs/proc/base.c | 1 +
634 1 files changed, 1 insertions(+), 0 deletions(-)
635
636commit 34d22047e821cdae1d31beb2fdda8e6e9fe40cdf
637Author: Matthew Leach <matthew.leach@arm.com>
638Date: Tue Mar 11 11:58:27 2014 +0000
639
640 Upstream commit: dbb490b96584d4e958533fb637f08b557f505657
641
642 net: socket: error on a negative msg_namelen
643
644 When copying in a struct msghdr from the user, if the user has set the
645 msg_namelen parameter to a negative value it gets clamped to a valid
646 size due to a comparison between signed and unsigned values.
647
648 Ensure the syscall errors when the user passes in a negative value.
649
650 Signed-off-by: Matthew Leach <matthew.leach@arm.com>
651 Signed-off-by: David S. Miller <davem@davemloft.net>
652
653 net/socket.c | 4 ++++
654 1 files changed, 4 insertions(+), 0 deletions(-)
655
656commit a28f7e3e1ec4d26bf7734c70ca3b6107e54597ca
657Author: Alexei Starovoitov <ast@plumgrid.com>
658Date: Mon Mar 10 15:56:51 2014 -0700
659
660 Upstream commit: fdfaf64e75397567257e1051931f9a3377360665
661
662 x86: bpf_jit: support negative offsets
663
664 Commit a998d4342337 claimed to introduce negative offset support to x86 jit,
665 but it couldn't be working, since at the time of the execution
666 of LD+ABS or LD+IND instructions via call into
667 bpf_internal_load_pointer_neg_helper() the %edx (3rd argument of this func)
668 had junk value instead of access size in bytes (1 or 2 or 4).
669
670 Store size into %edx instead of %ecx (what original commit intended to do)
671
672 Fixes: a998d4342337 ("bpf jit: Let the x86 jit handle negative offsets")
673 Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
674 Cc: Jan Seiffert <kaffeemonster@googlemail.com>
675 Cc: Eric Dumazet <edumazet@google.com>
676 Acked-by: Eric Dumazet <edumazet@google.com>
677 Signed-off-by: David S. Miller <davem@davemloft.net>
678
679 arch/x86/net/bpf_jit.S | 2 +-
680 1 files changed, 1 insertions(+), 1 deletions(-)
681
682commit 977ee3909139082a57a04afbb8e9ee202475aa27
683Author: Brad Spengler <spender@grsecurity.net>
684Date: Wed Mar 12 19:21:43 2014 -0400
685
686 Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up --
687 if an attacker had an arbitrary read vuln and ability to redirect control flow,
688 he could, in ~2,000,000,000 attempts have a 50% chance of pre-selecting a
689 32bit random key which the attacker has XORed with his desired immediates to
690 cause the constant blinding to produce a potentially useful instruction stream
691 (which he could verify by abusing the infoleak). Instead of using one key
692 per instruction stream, generate a new key for each instruction using prandom_u32().
693
694 The downside is some performance impact during JIT compilation, though this
695 shouldn't be so common an event for anyone to notice.
696
697 arch/x86/net/bpf_jit_comp.c | 8 ++++----
698 1 files changed, 4 insertions(+), 4 deletions(-)
699
700commit 1b3f7f8f68d05143c0d55e8ceba0904c21007ad4
701Author: Brad Spengler <spender@grsecurity.net>
702Date: Fri Mar 7 20:44:22 2014 -0500
703
704 fix typo
705
706 ipc/mq_sysctl.c | 2 +-
707 1 files changed, 1 insertions(+), 1 deletions(-)
708
709commit 90c31e93dc4eb2045775930cacbb64318cabafad
710Author: Brad Spengler <spender@grsecurity.net>
711Date: Fri Mar 7 20:25:53 2014 -0500
712
713 add no_const to ctl_table located on stack
714
715 ipc/mq_sysctl.c | 2 +-
716 1 files changed, 1 insertions(+), 1 deletions(-)
717
718commit 098fd10b3af4ef61b2edc60314ef18991b2f6f71
719Author: Sabrina Dubroca <sd@queasysnail.net>
720Date: Thu Mar 6 17:51:57 2014 +0100
721
722 Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39
723
724 ipv6: don't set DST_NOCOUNT for remotely added routes
725
726 DST_NOCOUNT should only be used if an authorized user adds routes
727 locally. In case of routes which are added on behalf of router
728 advertisments this flag must not get used as it allows an unlimited
729 number of routes getting added remotely.
730
731 Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
732 Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
733 Signed-off-by: David S. Miller <davem@davemloft.net>
734
735 net/ipv6/route.c | 2 +-
736 1 files changed, 1 insertions(+), 1 deletions(-)
737
738commit c4bd306f576cc03b5f0f9e56253e3f0a3be5d3bd
739Merge: 71ed8ef a2aac72
740Author: Brad Spengler <spender@grsecurity.net>
741Date: Fri Mar 7 20:10:30 2014 -0500
742
743 Merge branch 'pax-test' into grsec-test
744
745commit a2aac72603c2309d560a606493bb3003e2abe6c7
746Merge: 96545e3 404df65
747Author: Brad Spengler <spender@grsecurity.net>
748Date: Fri Mar 7 20:10:13 2014 -0500
749
750 Merge branch 'linux-3.13.y' into pax-test
751
752 Conflicts:
753 arch/arm/mm/mmu.c
754 mm/memory.c
755
756commit 71ed8ef8e7d2ffcc57b5ffacef3a9262ed8781c7
757Author: Brad Spengler <spender@grsecurity.net>
758Date: Tue Mar 4 18:08:29 2014 -0500
759
760 Backport security fix: http://seclists.org/oss-sec/2014/q1/477
761
762 net/ipv4/inet_fragment.c | 3 ++-
763 1 files changed, 2 insertions(+), 1 deletions(-)
764
765commit d752f1f1704ddbec282d7eb2150c75e05b9bcdd3
766Author: Daniel Borkmann <dborkman@redhat.com>
767Date: Mon Mar 3 17:23:04 2014 +0100
768
769 Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729
770 Remote DoS fix
771
772 net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
773
774 RFC4895 introduced AUTH chunks for SCTP; during the SCTP
775 handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
776 being optional though):
777
778 ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
779 <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
780 -------------------- COOKIE-ECHO -------------------->
781 <-------------------- COOKIE-ACK ---------------------
782
783 A special case is when an endpoint requires COOKIE-ECHO
784 chunks to be authenticated:
785
786 ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
787 <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
788 ------------------ AUTH; COOKIE-ECHO ---------------->
789 <-------------------- COOKIE-ACK ---------------------
790
791 RFC4895, section 6.3. Receiving Authenticated Chunks says:
792
793 The receiver MUST use the HMAC algorithm indicated in
794 the HMAC Identifier field. If this algorithm was not
795 specified by the receiver in the HMAC-ALGO parameter in
796 the INIT or INIT-ACK chunk during association setup, the
797 AUTH chunk and all the chunks after it MUST be discarded
798 and an ERROR chunk SHOULD be sent with the error cause
799 defined in Section 4.1. [...] If no endpoint pair shared
800 key has been configured for that Shared Key Identifier,
801 all authenticated chunks MUST be silently discarded. [...]
802
803 When an endpoint requires COOKIE-ECHO chunks to be
804 authenticated, some special procedures have to be followed
805 because the reception of a COOKIE-ECHO chunk might result
806 in the creation of an SCTP association. If a packet arrives
807 containing an AUTH chunk as a first chunk, a COOKIE-ECHO
808 chunk as the second chunk, and possibly more chunks after
809 them, and the receiver does not have an STCB for that
810 packet, then authentication is based on the contents of
811 the COOKIE-ECHO chunk. In this situation, the receiver MUST
812 authenticate the chunks in the packet by using the RANDOM
813 parameters, CHUNKS parameters and HMAC_ALGO parameters
814 obtained from the COOKIE-ECHO chunk, and possibly a local
815 shared secret as inputs to the authentication procedure
816 specified in Section 6.3. If authentication fails, then
817 the packet is discarded. If the authentication is successful,
818 the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
819 MUST be processed. If the receiver has an STCB, it MUST
820 process the AUTH chunk as described above using the STCB
821 from the existing association to authenticate the
822 COOKIE-ECHO chunk and all the chunks after it. [...]
823
824 Commit bbd0d59809f9 introduced the possibility to receive
825 and verification of AUTH chunk, including the edge case for
826 authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
827 the function sctp_sf_do_5_1D_ce() handles processing,
828 unpacks and creates a new association if it passed sanity
829 checks and also tests for authentication chunks being
830 present. After a new association has been processed, it
831 invokes sctp_process_init() on the new association and
832 walks through the parameter list it received from the INIT
833 chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
834 and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
835 meta data (peer_random, peer_hmacs, peer_chunks) in case
836 sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
837 SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
838 peer_random != NULL and peer_hmacs != NULL the peer is to be
839 assumed asoc->peer.auth_capable=1, in any other case
840 asoc->peer.auth_capable=0.
841
842 Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
843 available, we set up a fake auth chunk and pass that on to
844 sctp_sf_authenticate(), which at latest in
845 sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
846 at position 0..0008 when setting up the crypto key in
847 crypto_hash_setkey() by using asoc->asoc_shared_key that is
848 NULL as condition key_id == asoc->active_key_id is true if
849 the AUTH chunk was injected correctly from remote. This
850 happens no matter what net.sctp.auth_enable sysctl says.
851
852 The fix is to check for net->sctp.auth_enable and for
853 asoc->peer.auth_capable before doing any operations like
854 sctp_sf_authenticate() as no key is activated in
855 sctp_auth_asoc_init_active_key() for each case.
856
857 Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
858 passed from the INIT chunk was not used in the AUTH chunk, we
859 SHOULD send an error; however in this case it would be better
860 to just silently discard such a maliciously prepared handshake
861 as we didn't even receive a parameter at all. Also, as our
862 endpoint has no shared key configured, section 6.3 says that
863 MUST silently discard, which we are doing from now onwards.
864
865 Before calling sctp_sf_pdiscard(), we need not only to free
866 the association, but also the chunk->auth_chunk skb, as
867 commit bbd0d59809f9 created a skb clone in that case.
868
869 I have tested this locally by using netfilter's nfqueue and
870 re-injecting packets into the local stack after maliciously
871 modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
872 and the SCTP packet containing the COOKIE_ECHO (injecting
873 AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
874
875 Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
876 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
877 Cc: Vlad Yasevich <yasevich@gmail.com>
878 Cc: Neil Horman <nhorman@tuxdriver.com>
879 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
880 Signed-off-by: David S. Miller <davem@davemloft.net>
881
882 net/sctp/sm_statefuns.c | 7 +++++++
883 1 files changed, 7 insertions(+), 0 deletions(-)
884
885commit 855c02e8cb1af9b40752258060af547805881899
886Author: Brad Spengler <spender@grsecurity.net>
887Date: Tue Mar 4 18:05:10 2014 -0500
888
889 Backport local DoS fix: http://seclists.org/oss-sec/2014/q1/494
890
891 security/keys/keyring.c | 6 +++++-
892 1 files changed, 5 insertions(+), 1 deletions(-)
893
894commit 4877e98529649880ac76ade11e5529403a40ea73
895Author: Brad Spengler <spender@grsecurity.net>
896Date: Mon Mar 3 14:42:58 2014 -0500
897
898 mark 'processor' as __read_only instead of forcing constify on it
899 to avoid a GCC constant propagation that will cause a NULL deref on boot
900 on ARM MULTI_CPU configs
901
902 Thanks to Arnaud Fontaine and Arnaud Ebalard for the report, fix is from
903 the PaX Team
904
905 arch/arm/include/asm/proc-fns.h | 2 +-
906 arch/arm/kernel/setup.c | 4 ++--
907 2 files changed, 3 insertions(+), 3 deletions(-)
908
909commit 9c8d2926262f0345af454da45b41c6259bdc89e8
910Author: Andrew Honig <ahonig@google.com>
911Date: Thu Feb 27 19:35:14 2014 +0100
912
913 Upstream commit: a08d3b3b99efd509133946056531cdf8f3a0c09b
914
915 kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
916
917 The problem occurs when the guest performs a pusha with the stack
918 address pointing to an mmio address (or an invalid guest physical
919 address) to start with, but then extending into an ordinary guest
920 physical address. When doing repeated emulated pushes
921 emulator_read_write sets mmio_needed to 1 on the first one. On a
922 later push when the stack points to regular memory,
923 mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0.
924
925 As a result, KVM exits to userspace, and then returns to
926 complete_emulated_mmio. In complete_emulated_mmio
927 vcpu->mmio_cur_fragment is incremented. The termination condition of
928 vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
929 The code bounces back and fourth to userspace incrementing
930 mmio_cur_fragment past it's buffer. If the guest does nothing else it
931 eventually leads to a a crash on a memcpy from invalid memory address.
932
933 However if a guest code can cause the vm to be destroyed in another
934 vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
935 can be used by the guest to control the data that's pointed to by the
936 call to cancel_work_item, which can be used to gain execution.
937
938 Fixes: f78146b0f9230765c6315b2e14f56112513389ad
939 Signed-off-by: Andrew Honig <ahonig@google.com>
940 Cc: stable@vger.kernel.org (3.5+)
941 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
942
943 arch/x86/kvm/x86.c | 2 +-
944 1 files changed, 1 insertions(+), 1 deletions(-)
945
946commit 40051b60939861d365baf66d95dadd3f090542ac
947Author: Mike Pecovnik <mike.pecovnik@gmail.com>
948Date: Mon Feb 24 21:11:16 2014 +0100
949
950 Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f
951
952 net: Fix permission check in netlink_connect()
953
954 netlink_sendmsg() was changed to prevent non-root processes from sending
955 messages with dst_pid != 0.
956 netlink_connect() however still only checks if nladdr->nl_groups is set.
957 This patch modifies netlink_connect() to check for the same condition.
958
959 Signed-off-by: Mike Pecovnik <mike.pecovnik@gmail.com>
960 Signed-off-by: David S. Miller <davem@davemloft.net>
961
962 net/netlink/af_netlink.c | 4 ++--
963 1 files changed, 2 insertions(+), 2 deletions(-)
964
965commit a3be34042aa8d3eccb476cb240d8cdc85024b18a
966Author: Brad Spengler <spender@grsecurity.net>
967Date: Sat Mar 1 23:17:33 2014 -0500
968
969 Apply role_umask RBAC restrictions to POSIX ACLs as well
970
971 fs/posix_acl.c | 7 +++++--
972 fs/xattr_acl.c | 9 +++++++++
973 2 files changed, 14 insertions(+), 2 deletions(-)
974
975commit 652b798b80f39815b94fc9b7192d648ad6b6cf64
976Author: Brad Spengler <spender@grsecurity.net>
977Date: Mon Feb 24 21:57:37 2014 -0500
978
979 mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT
980
981 grsecurity/Kconfig | 4 ++++
982 1 files changed, 4 insertions(+), 0 deletions(-)
983
984commit 5ffde76a88cb5dadc307cabc33d7ad253158b608
985Author: Brad Spengler <spender@grsecurity.net>
986Date: Mon Feb 24 18:54:34 2014 -0500
987
988 use current_umask() helper in lustre instead of current->fs->umask
989
990 drivers/staging/lustre/lustre/llite/dir.c | 2 +-
991 1 files changed, 1 insertions(+), 1 deletions(-)
992
993commit 49761e88b63e2771f09aa16cb4e98c681515cf31
994Merge: daf0afa 96545e3
995Author: Brad Spengler <spender@grsecurity.net>
996Date: Mon Feb 24 17:43:09 2014 -0500
997
998 Merge branch 'pax-test' into grsec-test
999
1000 Conflicts:
1001 arch/x86/kernel/cpu/common.c
1002
1003commit 96545e3f1c4df86c1d9b74a1916d1b712138345f
1004Merge: 1ea0c4a dc0ead5
1005Author: Brad Spengler <spender@grsecurity.net>
1006Date: Mon Feb 24 17:37:59 2014 -0500
1007
1008 Update to pax-linux-3.13.5-test11.patch:
1009 - fixed a mismerge in atomic64_sub_return on arm, reported by Arnaud Fontaine
1010 - the latent entropy plugin can now initialize structure variables as well
1011
1012 Merge branch 'linux-3.13.y' into pax-test
1013
1014 Conflicts:
1015 arch/x86/kernel/ftrace.c
1016 include/linux/compiler-gcc4.h
1017
1018commit daf0afa64695bd49bf6be19450fea0a533edc3ab
1019Author: Brad Spengler <spender@grsecurity.net>
1020Date: Mon Feb 24 17:16:47 2014 -0500
1021
1022 when IPC hardening is disabled via sysctl, we shouldn't be imposing
1023 any additional restrictions
1024 thanks to Mathias Krause (minipli) for the report
1025
1026 grsecurity/grsec_ipc.c | 2 +-
1027 1 files changed, 1 insertions(+), 1 deletions(-)
1028
1029commit 179bf20a88510350fc86383c7d1b8e7d422cc604
1030Author: Brad Spengler <spender@grsecurity.net>
1031Date: Fri Feb 21 12:06:41 2014 -0500
1032
1033 add missing return in the ARM refcount code.
1034
1035 Thanks to Arnaud Fontaine for the report and patch!
1036
1037 arch/arm/include/asm/atomic.h | 2 ++
1038 1 files changed, 2 insertions(+), 0 deletions(-)
1039
1040commit 5eecd26548fa8462296745eedf66858bf83532c9
1041Merge: d32875c 1ea0c4a
1042Author: Brad Spengler <spender@grsecurity.net>
1043Date: Thu Feb 20 21:39:25 2014 -0500
1044
1045 Merge branch 'pax-test' into grsec-test
1046
1047commit 1ea0c4ab7114838fb5f7b320c5c4bee6269c2f99
1048Author: Brad Spengler <spender@grsecurity.net>
1049Date: Thu Feb 20 21:39:02 2014 -0500
1050
1051 Update to pax-linux-3.13.4-test10.patch
1052
1053 tools/gcc/latent_entropy_plugin.c | 10 +++++-----
1054 1 files changed, 5 insertions(+), 5 deletions(-)
1055
1056commit d32875ccf8800fd9b458907fbd9f08e74847012b
1057Author: Brad Spengler <spender@grsecurity.net>
1058Date: Thu Feb 20 18:42:11 2014 -0500
1059
1060 work around pipacs' latent_entropy plugin
1061
1062 tools/gcc/randomize_layout_plugin.c | 6 +++++-
1063 1 files changed, 5 insertions(+), 1 deletions(-)
1064
1065commit 91ea54c68a7f728341371d3ca8c6208acc885706
1066Author: Brad Spengler <spender@grsecurity.net>
1067Date: Thu Feb 20 17:57:36 2014 -0500
1068
1069 .data takes the address of the ints, not their values
1070
1071 net/core/neighbour.c | 8 ++++----
1072 1 files changed, 4 insertions(+), 4 deletions(-)
1073
1074commit bc41258c48ca6acae51d191e914556ab37ca7c92
1075Merge: 3051292 0ce19d4
1076Author: Brad Spengler <spender@grsecurity.net>
1077Date: Thu Feb 20 17:45:07 2014 -0500
1078
1079 Merge branch 'pax-test' into grsec-test
1080
1081 Conflicts:
1082 include/linux/compiler-gcc4.h
1083
1084commit 0ce19d411496f0ab77a86c1c5091b909fd720665
1085Author: Brad Spengler <spender@grsecurity.net>
1086Date: Thu Feb 20 17:43:26 2014 -0500
1087
1088 Update to pax-linux-3.13.4-test10.patch:
1089 - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87)
1090 - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender
1091 - the latent entropy plugin will now insert some entropy at compile time into the random pools
1092
1093 drivers/char/random.c | 6 +-
1094 fs/binfmt_elf.c | 2 +-
1095 include/linux/compiler-gcc4.h | 4 --
1096 tools/gcc/gcc-common.h | 10 ++++-
1097 tools/gcc/latent_entropy_plugin.c | 84 +++++++++++++++++++++++++++++++++----
1098 tools/gcc/stackleak_plugin.c | 5 +-
1099 6 files changed, 90 insertions(+), 21 deletions(-)
1100
1101commit 3051292e84bf30c218e447a105ab898e8c509b44
1102Merge: 71d207d 8a3ecf6
1103Author: Brad Spengler <spender@grsecurity.net>
1104Date: Thu Feb 20 17:19:54 2014 -0500
1105
1106 Merge branch 'pax-test' into grsec-test
1107
1108commit 8a3ecf6d2b7e6304d259608e77a7259daeeeab9b
1109Merge: 98242db 93ee5dc
1110Author: Brad Spengler <spender@grsecurity.net>
1111Date: Thu Feb 20 17:17:30 2014 -0500
1112
1113 Merge branch 'linux-3.13.y' into pax-test
1114
1115commit 71d207d2df0cc95b1cf26d1499317d5b010c4033
1116Author: Brad Spengler <spender@grsecurity.net>
1117Date: Thu Feb 20 16:59:26 2014 -0500
1118
1119 Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was
1120 enabled, reported by jacekalex on the forums
1121
1122 include/net/neighbour.h | 1 -
1123 net/core/neighbour.c | 9 +++++----
1124 2 files changed, 5 insertions(+), 5 deletions(-)
1125
1126commit 6d3beec0d1c79dfad2ba060c4d06ebf65ce39d15
1127Author: Brad Spengler <spender@grsecurity.net>
1128Date: Wed Feb 19 22:01:38 2014 -0500
1129
1130 Backport CIFS vuln fix: http://article.gmane.org/gmane.linux.kernel.cifs/9401
1131
1132 fs/cifs/file.c | 37 ++++++++++++++++++++++++++++++++++---
1133 1 files changed, 34 insertions(+), 3 deletions(-)
1134
1135commit 20eb03803ea2fea3f8c420b69097058122de32f6
1136Author: Trond Myklebust <trond.myklebust@primarydata.com>
1137Date: Tue Feb 11 09:15:54 2014 -0500
1138
1139 Upstream commit: 06ea0bfe6e6043cb56a78935a19f6f8ebc636226
1140
1141 SUNRPC: Fix races in xs_nospace()
1142
1143 When a send failure occurs due to the socket being out of buffer space,
1144 we call xs_nospace() in order to have the RPC task wait until the
1145 socket has drained enough to make it worth while trying again.
1146 The current patch fixes a race in which the socket is drained before
1147 we get round to setting up the machinery in xs_nospace(), and which
1148 is reported to cause hangs.
1149
1150 Link: http://lkml.kernel.org/r/20140210170315.33dfc621@notabene.brown
1151 Fixes: a9a6b52ee1ba (SUNRPC: Don't start the retransmission timer...)
1152 Reported-by: Neil Brown <neilb@suse.com>
1153 Cc: stable@vger.kernel.org
1154 Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
1155
1156 net/sunrpc/xprtsock.c | 6 +++++-
1157 1 files changed, 5 insertions(+), 1 deletions(-)
1158
1159commit 9fff690287df8c389126420e1dab2608ddb4be75
1160Author: Trond Myklebust <trond.myklebust@primarydata.com>
1161Date: Tue Feb 11 13:56:54 2014 -0500
1162
1163 Upstream commit: 628356791b04ea988fee070f66a748a823d001bb
1164
1165 SUNRPC: Fix potential memory scribble in xprt_free_bc_request()
1166
1167 The call to xprt_free_allocation() will call list_del() on
1168 req->rq_bc_pa_list, which is not attached to a list.
1169 This patch moves the list_del() out of xprt_free_allocation()
1170 and into those callers that need it.
1171
1172 Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
1173
1174 net/sunrpc/backchannel_rqst.c | 6 ++++--
1175 1 files changed, 4 insertions(+), 2 deletions(-)
1176
1177commit 5382ae56cf22adf34d2dd9da03b3a44af0c846f1
1178Author: Trond Myklebust <trond.myklebust@primarydata.com>
1179Date: Sun Feb 16 12:14:13 2014 -0500
1180
1181 Upstream commit: 9eb2ddb48ce3a7bd745c14a933112994647fa3cd
1182
1183 SUNRPC: Ensure that gss_auth isn't freed before its upcall messages
1184
1185 Fix a race in which the RPC client is shutting down while the
1186 gss daemon is processing a downcall. If the RPC client manages to
1187 shut down before the gss daemon is done, then the struct gss_auth
1188 used in gss_release_msg() may have already been freed.
1189
1190 Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com
1191 Reported-by: John <da_audiophile@yahoo.com>
1192 Reported-by: Borislav Petkov <bp@alien8.de>
1193 Cc: stable@vger.kernel.org # 3.12+
1194 Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
1195
1196 net/sunrpc/auth_gss/auth_gss.c | 13 +++++++++++--
1197 1 files changed, 11 insertions(+), 2 deletions(-)
1198
1199commit 76e2d40cfc26bc44ba2ff4604c1f0ff4821ec13b
1200Author: Trond Myklebust <trond.myklebust@primarydata.com>
1201Date: Sun Feb 16 13:28:01 2014 -0500
1202
1203 Upstream commit: e9776d0f4adee8877145672f6416b06b57f2dc27
1204
1205 SUNRPC: Fix a pipe_version reference leak
1206
1207 In gss_alloc_msg(), if the call to gss_encode_v1_msg() fails, we
1208 want to release the reference to the pipe_version that was obtained
1209 earlier in the function.
1210
1211 Fixes: 9d3a2260f0f4b (SUNRPC: Fix buffer overflow checking in...)
1212 Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
1213
1214 net/sunrpc/auth_gss/auth_gss.c | 4 +++-
1215 1 files changed, 3 insertions(+), 1 deletions(-)
1216
1217commit 715c3e4109210d090282b360463aa474c978dcf5
1218Author: Christoffer Dall <christoffer.dall@linaro.org>
1219Date: Sun Feb 2 22:21:31 2014 +0100
1220
1221 Upstream commit: 4d9c5b89cf3605bbc39c6e274351ff25f0d83e6a
1222
1223 ARM: 7950/1: mm: Fix stage-2 device memory attributes
1224
1225 The stage-2 memory attributes are distinct from the Hyp memory
1226 attributes and the Stage-1 memory attributes. We were using the stage-1
1227 memory attributes for stage-2 mappings causing device mappings to be
1228 mapped as normal memory. Add the S2 equivalent defines for memory
1229 attributes and fix the comments explaining the defines while at it.
1230
1231 Add a prot_pte_s2 field to the mem_type struct and fill out the field
1232 for device mappings accordingly.
1233
1234 Cc: <stable@vger.kernel.org> [3.9+]
1235 Acked-by: Marc Zyngier <marc.zyngier@arm.com>
1236 Acked-by: Catalin Marinas <catalin.marinas@arm.com>
1237 Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
1238 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
1239
1240 Conflicts:
1241
1242 arch/arm/mm/mmu.c
1243
1244 arch/arm/include/asm/pgtable-3level.h | 15 +++++++++------
1245 arch/arm/mm/mm.h | 1 +
1246 arch/arm/mm/mmu.c | 7 ++++++-
1247 3 files changed, 16 insertions(+), 7 deletions(-)
1248
1249commit 49f25f2842b5e567ca45d5648460ad7cfd2af7ab
1250Author: Will Deacon <will.deacon@arm.com>
1251Date: Fri Feb 7 19:12:20 2014 +0100
1252
1253 Upstream commit: bae0ca2bc550d1ec6a118fb8f2696f18c4da3d8e
1254
1255 ARM: 7953/1: mm: ensure TLB invalidation is complete before enabling MMU
1256
1257 During __v{6,7}_setup, we invalidate the TLBs since we are about to
1258 enable the MMU on return to head.S. Unfortunately, without a subsequent
1259 dsb instruction, the invalidation is not guaranteed to have completed by
1260 the time we write to the sctlr, potentially exposing us to junk/stale
1261 translations cached in the TLB.
1262
1263 This patch reworks the init functions so that the dsb used to ensure
1264 completion of cache/predictor maintenance is also used to ensure
1265 completion of the TLB invalidation.
1266
1267 Cc: <stable@vger.kernel.org>
1268 Reported-by: Albin Tonnerre <Albin.Tonnerre@arm.com>
1269 Signed-off-by: Will Deacon <will.deacon@arm.com>
1270 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
1271
1272 arch/arm/mm/proc-v6.S | 3 ++-
1273 arch/arm/mm/proc-v7.S | 2 +-
1274 2 files changed, 3 insertions(+), 2 deletions(-)
1275
1276commit fa4b67556529451bd4489b07472f58feec35d51d
1277Author: Will Deacon <will.deacon@arm.com>
1278Date: Fri Feb 7 19:12:32 2014 +0100
1279
1280 Upstream commit: 7c8746a9eb287642deaad0e7c2cdf482dce5e4be
1281
1282 ARM: 7955/1: spinlock: ensure we have a compiler barrier before sev
1283
1284 When unlocking a spinlock, we require the following, strictly ordered
1285 sequence of events:
1286
1287 <barrier> /* dmb */
1288 <unlock>
1289 <barrier> /* dsb */
1290 <sev>
1291
1292 Whilst the code does indeed reflect this in terms of the architecture,
1293 the final <barrier> + <sev> have been contracted into a single inline
1294 asm without a "memory" clobber, therefore the compiler is at liberty to
1295 reorder the unlock to the end of the above sequence. In such a case,
1296 a waiting CPU may be woken up before the lock has been unlocked, leading
1297 to extremely poor performance.
1298
1299 This patch reworks the dsb_sev() function to make use of the dsb()
1300 macro and ensure ordering against the unlock.
1301
1302 Cc: <stable@vger.kernel.org>
1303 Reported-by: Mark Rutland <mark.rutland@arm.com>
1304 Signed-off-by: Will Deacon <will.deacon@arm.com>
1305 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
1306
1307 arch/arm/include/asm/spinlock.h | 15 +++------------
1308 1 files changed, 3 insertions(+), 12 deletions(-)
1309
1310commit f3efaba9e0a1d5d96fc0783ae8ec8e733e113bfa
1311Author: Russell King <rmk+kernel@arm.linux.org.uk>
1312Date: Tue Feb 11 17:11:04 2014 +0000
1313
1314 Upstream commit: e83b366487b5582274374f8226e489cb214ae5a6
1315
1316 Fix uses of dma_max_pfn() when converting to a limiting address
1317
1318 We must use a 64-bit for this, otherwise overflowed bits get lost, and
1319 that can result in a lower than intended value set.
1320
1321 Fixes: 8e0cb8a1f6ac ("ARM: 7797/1: mmc: Use dma_max_pfn(dev) helper for bounce_limit calculations")
1322 Fixes: 7d35496dd982 ("ARM: 7796/1: scsi: Use dma_max_pfn(dev) helper for bounce_limit calculations")
1323 Tested-Acked-by: Santosh Shilimkar <santosh.shilimkar@ti.com>
1324 Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
1325 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
1326
1327 drivers/mmc/card/queue.c | 2 +-
1328 drivers/scsi/scsi_lib.c | 2 +-
1329 2 files changed, 2 insertions(+), 2 deletions(-)
1330
1331commit 5a3e8a10d439ba8bcd893bf2159618908fe80384
1332Author: Vinayak Kale <vkale@apm.com>
1333Date: Wed Feb 12 07:30:01 2014 +0100
1334
1335 Upstream commit: 39544ac9df20f73e49fc6b9ac19ff533388c82c0
1336
1337 ARM: 7957/1: add DSB after icache flush in __flush_icache_all()
1338
1339 Add DSB after icache flush to complete the cache maintenance operation.
1340
1341 Signed-off-by: Vinayak Kale <vkale@apm.com>
1342 Acked-by: Catalin Marinas <catalin.marinas@arm.com>
1343 Cc: <stable@vger.kernel.org>
1344 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
1345
1346 arch/arm/include/asm/cacheflush.h | 1 +
1347 1 files changed, 1 insertions(+), 0 deletions(-)
1348
1349commit 26d22a6946dfbb4f4a760038816c43ba49504863
1350Author: Linus Torvalds <torvalds@linux-foundation.org>
1351Date: Mon Feb 17 12:24:45 2014 -0800
1352
1353 Upstream commit: e4178d809fdaee32a56833fff1f5056c99e90a1a
1354
1355 printk: fix syslog() overflowing user buffer
1356
1357 This is not a buffer overflow in the traditional sense: we don't
1358 overflow any *kernel* buffers, but we do mis-count the amount of data we
1359 copy back to user space for the SYSLOG_ACTION_READ_ALL case.
1360
1361 In particular, if the user buffer is too small to hold everything, and
1362 *if* there is a continuation line at just the right place, we can end up
1363 giving the user more data than he asked for.
1364
1365 The reason is that we first count up the number of bytes all the log
1366 records contains, then we walk the records again until we've skipped the
1367 records at the beginning that won't fit, and then we walk the rest of
1368 the records and copy them to the user space buffer.
1369
1370 And in between that "skip the initial records that won't fit" and the
1371 "copy the records that *will* fit to user space", we reset the 'prev'
1372 variable that contained the record information for the last record not
1373 copied. That meant that when we started copying to user space, we now
1374 had a different character count than what we had originally calculated
1375 in the first record walk-through.
1376
1377 The fix is to simply not clear the 'prev' flags value (in both cases
1378 where we had the same logic: syslog_print_all and kmsg_dump_get_buffer:
1379 the latter is used for pstore-like dumping)
1380
1381 Reported-and-tested-by: Debabrata Banerjee <dbanerje@akamai.com>
1382 Acked-by: Kay Sievers <kay@vrfy.org>
1383 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1384 Cc: Jeff Mahoney <jeffm@suse.com>
1385 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1386
1387 kernel/printk/printk.c | 2 --
1388 1 files changed, 0 insertions(+), 2 deletions(-)
1389
1390commit 88d5fdac3aa7813d963ab5a3325c2f15c36c97cf
1391Author: Rafael Aquini <aquini@redhat.com>
1392Date: Mon Feb 10 14:25:48 2014 -0800
1393
1394 Upstream commit: a0b54adda3fe4b4cc6d28f2a9217cd35d1aa888c
1395
1396 mm: fix page leak at nfs_symlink()
1397
1398 Changes in commit a0b8cab3b9b2 ("mm: remove lru parameter from
1399 __pagevec_lru_add and remove parts of pagevec API") have introduced a
1400 call to add_to_page_cache_lru() which causes a leak in nfs_symlink() as
1401 now the page gets an extra refcount that is not dropped.
1402
1403 Jan Stancek observed and reported the leak effect while running test8
1404 from Connectathon Testsuite. After several iterations over the test
1405 case, which creates several symlinks on a NFS mountpoint, the test
1406 system was quickly getting into an out-of-memory scenario.
1407
1408 This patch fixes the page leak by dropping that extra refcount
1409 add_to_page_cache_lru() is grabbing.
1410
1411 Signed-off-by: Jan Stancek <jstancek@redhat.com>
1412 Signed-off-by: Rafael Aquini <aquini@redhat.com>
1413 Acked-by: Mel Gorman <mgorman@suse.de>
1414 Acked-by: Rik van Riel <riel@redhat.com>
1415 Cc: Jeff Layton <jlayton@redhat.com>
1416 Cc: Trond Myklebust <trond.myklebust@primarydata.com>
1417 Cc: <stable@vger.kernel.org> [3.11.x+]
1418 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
1419 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1420
1421 fs/nfs/dir.c | 5 +++++
1422 1 files changed, 5 insertions(+), 0 deletions(-)
1423
1424commit bf53635ba34d0ef231a89dd30aa9954b0fa3d87b
1425Author: Dan Carpenter <dan.carpenter@oracle.com>
1426Date: Mon Feb 17 20:33:01 2014 -0500
1427
1428 Upstream commit: 92e3b40537707001d17bbad800d150ab04e53bf4
1429
1430 jbd2: fix use after free in jbd2_journal_start_reserved()
1431
1432 If start_this_handle() fails then it leads to a use after free of
1433 "handle".
1434
1435 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
1436 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
1437 Cc: stable@vger.kernel.org
1438
1439 fs/jbd2/transaction.c | 6 ++++--
1440 1 files changed, 4 insertions(+), 2 deletions(-)
1441
1442commit 7eb9d6b170b2d83e9a59d8d5e9c3eaec76b3e1a2
1443Author: Theodore Ts'o <tytso@mit.edu>
1444Date: Sat Feb 15 22:42:25 2014 -0500
1445
1446 Upstream commit: 3d2660d0c9c2f296837078c189b68a47f6b2e3b5
1447
1448 ext4: fix online resize with a non-standard blocks per group setting
1449
1450 The set_flexbg_block_bitmap() function assumed that the number of
1451 blocks in a blockgroup was sb->blocksize * 8, which is normally true,
1452 but not always! Use EXT4_BLOCKS_PER_GROUP(sb) instead, to fix block
1453 bitmap corruption after:
1454
1455 mke2fs -t ext4 -g 3072 -i 4096 /dev/vdd 1G
1456 mount -t ext4 /dev/vdd /vdd
1457 resize2fs /dev/vdd 8G
1458
1459 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
1460 Reported-by: Jon Bernard <jbernard@tuxion.com>
1461 Cc: stable@vger.kernel.org
1462
1463 fs/ext4/resize.c | 2 +-
1464 1 files changed, 1 insertions(+), 1 deletions(-)
1465
1466commit 588500229af3505116b0fe05c4e54a06cabd64e4
1467Author: Theodore Ts'o <tytso@mit.edu>
1468Date: Sat Feb 15 21:33:13 2014 -0500
1469
1470 Upstream commit: b93c95353413041a8cebad915a8109619f66bcc6
1471
1472 ext4: fix online resize with very large inode tables
1473
1474 If a file system has a large number of inodes per block group, all of
1475 the metadata blocks in a flex_bg may be larger than what can fit in a
1476 single block group. Unfortunately, ext4_alloc_group_tables() in
1477 resize.c was never tested to see if it would handle this case
1478 correctly, and there were a large number of bugs which caused the
1479 following sequence to result in a BUG_ON:
1480
1481 kernel bug at fs/ext4/resize.c:409!
1482 ...
1483 call trace:
1484 [<ffffffff81256768>] ext4_flex_group_add+0x1448/0x1830
1485 [<ffffffff81257de2>] ext4_resize_fs+0x7b2/0xe80
1486 [<ffffffff8123ac50>] ext4_ioctl+0xbf0/0xf00
1487 [<ffffffff811c111d>] do_vfs_ioctl+0x2dd/0x4b0
1488 [<ffffffff811b9df2>] ? final_putname+0x22/0x50
1489 [<ffffffff811c1371>] sys_ioctl+0x81/0xa0
1490 [<ffffffff81676aa9>] system_call_fastpath+0x16/0x1b
1491 code: c8 4c 89 df e8 41 96 f8 ff 44 89 e8 49 01 c4 44 29 6d d4 0
1492 rip [<ffffffff81254fa1>] set_flexbg_block_bitmap+0x171/0x180
1493
1494 This can be reproduced with the following command sequence:
1495
1496 mke2fs -t ext4 -i 4096 /dev/vdd 1G
1497 mount -t ext4 /dev/vdd /vdd
1498 resize2fs /dev/vdd 8G
1499
1500 To fix this, we need to make sure the right thing happens when a block
1501 group's inode table straddles two block groups, which means the
1502 following bugs had to be fixed:
1503
1504 1) Not clearing the BLOCK_UNINIT flag in the second block group in
1505 ext4_alloc_group_tables --- the was proximate cause of the BUG_ON.
1506
1507 2) Incorrectly determining how many block groups contained contiguous
1508 free blocks in ext4_alloc_group_tables().
1509
1510 3) Incorrectly setting the start of the next block range to be marked
1511 in use after a discontinuity in setup_new_flex_group_blocks().
1512
1513 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
1514 Cc: stable@vger.kernel.org
1515
1516 fs/ext4/resize.c | 32 ++++++++++++++++++++------------
1517 1 files changed, 20 insertions(+), 12 deletions(-)
1518
1519commit dfb5654f8a9946e06f67d0481c907fa9ae4c6b04
1520Author: Theodore Ts'o <tytso@mit.edu>
1521Date: Wed Feb 12 12:16:04 2014 -0500
1522
1523 Upstream commit: 23301410972330c0ae9a8afc379ba2005e249cc6
1524
1525 ext4: don't try to modify s_flags if the the file system is read-only
1526
1527 If an ext4 file system is created by some tool other than mke2fs
1528 (perhaps by someone who has a pathalogical fear of the GPL) that
1529 doesn't set one or the other of the EXT2_FLAGS_{UN}SIGNED_HASH flags,
1530 and that file system is then mounted read-only, don't try to modify
1531 the s_flags field. Otherwise, if dm_verity is in use, the superblock
1532 will change, causing an dm_verity failure.
1533
1534 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
1535 Cc: stable@vger.kernel.org
1536
1537 fs/ext4/super.c | 20 +++++++++++++-------
1538 1 files changed, 13 insertions(+), 7 deletions(-)
1539
1540commit d2a631f973d3cff9a1c015cb64b08bb9cc52de8b
1541Author: Eric Whitney <enwlinux@gmail.com>
1542Date: Wed Feb 12 10:42:45 2014 -0500
1543
1544 Upstream commit: 15cc17678547676c82a5da9ccf357447333fc342
1545
1546 ext4: fix xfstest generic/299 block validity failures
1547
1548 Commit a115f749c1 (ext4: remove wait for unwritten extent conversion from
1549 ext4_truncate) exposed a bug in ext4_ext_handle_uninitialized_extents().
1550 It can be triggered by xfstest generic/299 when run on a test file
1551 system created without a journal. This test continuously fallocates and
1552 truncates files to which random dio/aio writes are simultaneously
1553 performed by a separate process. The test completes successfully, but
1554 if the test filesystem is mounted with the block_validity option, a
1555 warning message stating that a logical block has been mapped to an
1556 illegal physical block is posted in the kernel log.
1557
1558 The bug occurs when an extent is being converted to the written state
1559 by ext4_end_io_dio() and ext4_ext_handle_uninitialized_extents()
1560 discovers a mapping for an existing uninitialized extent. Although it
1561 sets EXT4_MAP_MAPPED in map->m_flags, it fails to set map->m_pblk to
1562 the discovered physical block number. Because map->m_pblk is not
1563 otherwise initialized or set by this function or its callers, its
1564 uninitialized value is returned to ext4_map_blocks(), where it is
1565 stored as a bogus mapping in the extent status tree.
1566
1567 Since map->m_pblk can accidentally contain illegal values that are
1568 larger than the physical size of the file system, calls to
1569 check_block_validity() in ext4_map_blocks() that are enabled if the
1570 block_validity mount option is used can fail, resulting in the logged
1571 warning message.
1572
1573 Signed-off-by: Eric Whitney <enwlinux@gmail.com>
1574 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
1575 Cc: stable@vger.kernel.org # 3.11+
1576
1577 fs/ext4/extents.c | 1 +
1578 1 files changed, 1 insertions(+), 0 deletions(-)
1579
1580commit 7eb52392ee886f01a5c944f35fbe95edc2169877
1581Author: Zheng Liu <wenqing.lz@taobao.com>
1582Date: Wed Feb 12 11:48:31 2014 -0500
1583
1584 Upstream commit: 30d29b119ef01776e0a301444ab24defe8d8bef3
1585
1586 ext4: fix error paths in swap_inode_boot_loader()
1587
1588 In swap_inode_boot_loader() we forgot to release ->i_mutex and resume
1589 unlocked dio for inode and inode_bl if there is an error starting the
1590 journal handle. This commit fixes this issue.
1591
1592 Reported-by: Ahmed Tamrawi <ahmedtamrawi@gmail.com>
1593 Cc: Andreas Dilger <adilger.kernel@dilger.ca>
1594 Cc: Dr. Tilmann Bubeck <t.bubeck@reinform.de>
1595 Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
1596 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
1597 Cc: stable@vger.kernel.org # v3.10+
1598
1599 fs/ext4/ioctl.c | 3 ++-
1600 1 files changed, 2 insertions(+), 1 deletions(-)
1601
1602commit 4dc90c1991032c483b11690717ba07952f4fef07
1603Author: Theodore Ts'o <tytso@mit.edu>
1604Date: Sun Feb 16 19:29:32 2014 -0500
1605
1606 Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02
1607
1608 ext4: don't leave i_crtime.tv_sec uninitialized
1609
1610 If the i_crtime field is not present in the inode, don't leave the
1611 field uninitialized.
1612
1613 Fixes: ef7f38359 ("ext4: Add nanosecond timestamps")
1614 Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
1615 Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
1616 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
1617 Cc: stable@vger.kernel.org
1618
1619 fs/ext4/ext4.h | 2 ++
1620 1 files changed, 2 insertions(+), 0 deletions(-)
1621
1622commit 9d8aa319cfbfdb4bdf7a5d4adc4b93fe028bec12
1623Author: Brad Spengler <spender@grsecurity.net>
1624Date: Wed Feb 19 20:39:37 2014 -0500
1625
1626 While a Xen dom0 is technically a guest, it's perceived as a host by many
1627 and there's really no Linux "host" for Xen, so allow PARAVIRT to be
1628 enabled on "host" kernels only when Xen is selected
1629
1630 Thanks to gaima on the forums for the report
1631
1632 Conflicts:
1633
1634 arch/x86/Kconfig
1635
1636 arch/x86/Kconfig | 2 +-
1637 1 files changed, 1 insertions(+), 1 deletions(-)
1638
1639commit 8ef15c34cb044db1ae729a53327e5b848631fbee
1640Author: Petr Písař <petr.pisar@atlas.cz>
1641Date: Thu Feb 6 21:01:23 2014 +0100
1642
1643 Upstream commit: 0930b0950a8996aa88b0d2ba4bb2bab27cc36bc7
1644
1645 vt: Fix secure clear screen
1646
1647 \E[3J console code (secure clear screen) needs to update_screen(vc)
1648 in order to write-through blanks into off-screen video memory.
1649
1650 This has been removed accidentally in 3.6 by:
1651
1652 commit 81732c3b2fede049a692e58a7ceabb6d18ffb18c
1653 Author: Jean-François Moine <moinejf@free.fr>
1654 Date: Thu Sep 6 19:24:13 2012 +0200
1655
1656 tty vt: Fix line garbage in virtual console on command line edition
1657
1658 Signed-off-by: Petr Písař <petr.pisar@atlas.cz>
1659 Cc: stable <stable@vger.kernel.org> # 3.6
1660 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1661
1662 drivers/tty/vt/vt.c | 2 ++
1663 1 files changed, 2 insertions(+), 0 deletions(-)
1664
1665commit 8568da92bd738464772c24fd68a9b300d22985b5
1666Author: H. Peter Anvin <hpa@linux.intel.com>
1667Date: Thu Feb 13 07:46:04 2014 -0800
1668
1669 Upstream commit: 4640c7ee9b8953237d05a61ea3ea93981d1bc961
1670
1671 x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off
1672
1673 If CONFIG_X86_SMAP is disabled, smap_violation() tests for conditions
1674 which are incorrect (as the AC flag doesn't matter), causing spurious
1675 faults.
1676
1677 The dynamic disabling of SMAP (nosmap on the command line) is fine
1678 because it disables X86_FEATURE_SMAP, therefore causing the
1679 static_cpu_has() to return false.
1680
1681 Found by Fengguang Wu's test system.
1682
1683 [ v3: move all predicates into smap_violation() ]
1684 [ v2: use IS_ENABLED() instead of #ifdef ]
1685
1686 Reported-by: Fengguang Wu <fengguang.wu@intel.com>
1687 Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost
1688 Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
1689 Cc: <stable@vger.kernel.org> # v3.7+
1690
1691 arch/x86/mm/fault.c | 14 +++++++++-----
1692 1 files changed, 9 insertions(+), 5 deletions(-)
1693
1694commit dc68abaa1208e66be3bc07eb57855d4ab413373c
1695Author: H. Peter Anvin <hpa@linux.intel.com>
1696Date: Thu Feb 13 07:34:30 2014 -0800
1697
1698 Upstream commit: 03bbd596ac04fef47ce93a730b8f086d797c3021
1699
1700 x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled
1701
1702 If SMAP support is not compiled into the kernel, don't enable SMAP in
1703 CR4 -- in fact, we should clear it, because the kernel doesn't contain
1704 the proper STAC/CLAC instructions for SMAP support.
1705
1706 Found by Fengguang Wu's test system.
1707
1708 Reported-by: Fengguang Wu <fengguang.wu@intel.com>
1709 Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost
1710 Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
1711 Cc: <stable@vger.kernel.org> # v3.7+
1712
1713 arch/x86/kernel/cpu/common.c | 7 ++++++-
1714 1 files changed, 6 insertions(+), 1 deletions(-)
1715
1716commit 6d804df770568f2d41f36cc446dc2c4b9ddbdc66
1717Author: Steven Noonan <steven@uplinklabs.net>
1718Date: Wed Feb 12 23:01:07 2014 -0800
1719
1720 Upstream commit: a9f180345f5378ac87d80ed0bea55ba421d83859
1721
1722 compiler/gcc4: Make quirk for asm_volatile_goto() unconditional
1723
1724 I started noticing problems with KVM guest destruction on Linux
1725 3.12+, where guest memory wasn't being cleaned up. I bisected it
1726 down to the commit introducing the new 'asm goto'-based atomics,
1727 and found this quirk was later applied to those.
1728
1729 Unfortunately, even with GCC 4.8.2 (which ostensibly fixed the
1730 known 'asm goto' bug) I am still getting some kind of
1731 miscompilation. If I enable the asm_volatile_goto quirk for my
1732 compiler, KVM guests are destroyed correctly and the memory is
1733 cleaned up.
1734
1735 So make the quirk unconditional for now, until bug is found
1736 and fixed.
1737
1738 Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
1739 Signed-off-by: Steven Noonan <steven@uplinklabs.net>
1740 Cc: Peter Zijlstra <peterz@infradead.org>
1741 Cc: Steven Rostedt <rostedt@goodmis.org>
1742 Cc: Jakub Jelinek <jakub@redhat.com>
1743 Cc: Richard Henderson <rth@twiddle.net>
1744 Cc: Andrew Morton <akpm@linux-foundation.org>
1745 Cc: Oleg Nesterov <oleg@redhat.com>
1746 Cc: <stable@vger.kernel.org>
1747 Link: http://lkml.kernel.org/r/1392274867-15236-1-git-send-email-steven@uplinklabs.net
1748 Link: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
1749 Signed-off-by: Ingo Molnar <mingo@kernel.org>
1750
1751 include/linux/compiler-gcc4.h | 6 +-----
1752 1 files changed, 1 insertions(+), 5 deletions(-)
1753
1754commit df681ad2079c8b443dd98a66daa49a96f6803118
1755Author: Brad Spengler <spender@grsecurity.net>
1756Date: Sat Feb 15 14:43:58 2014 -0500
1757
1758 add note on how to disable rate limiting on log messages
1759
1760 grsecurity/Kconfig | 6 ++++++
1761 1 files changed, 6 insertions(+), 0 deletions(-)
1762
1763commit 247661801d1a9904eac479770aac8c31adfb3a03
1764Merge: 294e38e 98242db
1765Author: Brad Spengler <spender@grsecurity.net>
1766Date: Thu Feb 13 20:17:09 2014 -0500
1767
1768 Merge branch 'pax-test' into grsec-test
1769
1770commit 98242dba193affafa9996207af8aaee0a58e237c
1771Author: Brad Spengler <spender@grsecurity.net>
1772Date: Thu Feb 13 20:16:39 2014 -0500
1773
1774 Update to pax-linux-3.13.3-test9.patch:
1775 - forward port to 3.13.3
1776 - updated hash table from Emese, missing entries reported by Adam Chyła and Matthew Thode
1777
1778 kernel/sched/core.c | 2 +-
1779 kernel/trace/ftrace.c | 8 ++++----
1780 tools/gcc/size_overflow_hash.data | 6 ++++++
1781 3 files changed, 11 insertions(+), 5 deletions(-)
1782
1783commit 294e38ee2ac097654f11df09cfe8c5584a573b6c
1784Merge: d1fd1fc 990a904
1785Author: Brad Spengler <spender@grsecurity.net>
1786Date: Thu Feb 13 18:11:12 2014 -0500
1787
1788 Merge branch 'pax-test' into grsec-test
1789
1790commit 990a9041b296c2afe56f7c5ff4bb2e2e0ed6298f
1791Merge: d32ab3c 7955a48
1792Author: Brad Spengler <spender@grsecurity.net>
1793Date: Thu Feb 13 18:11:01 2014 -0500
1794
1795 Merge branch 'linux-3.13.y' into pax-test
1796
1797 Conflicts:
1798 kernel/trace/ftrace.c
1799
1800commit d1fd1fc0d4c9d07cd6f2f2dad040db0f1c433b5d
1801Author: Brad Spengler <spender@grsecurity.net>
1802Date: Thu Feb 13 16:50:39 2014 -0500
1803
1804 Force off all virtualization guest options if the autoconfig choice
1805 was not for the kernel to be used for vm guests
1806 likewise force off Xen if it wasn't mentioned in the autoconfig
1807
1808 arch/x86/Kconfig | 1 +
1809 arch/x86/xen/Kconfig | 1 +
1810 2 files changed, 2 insertions(+), 0 deletions(-)
1811
1812commit 6f7fd76856916bda9145d3fb89b3462b18630c75
1813Merge: 32aa9fa d32ab3c
1814Author: Brad Spengler <spender@grsecurity.net>
1815Date: Thu Feb 13 15:25:21 2014 -0500
1816
1817 Merge branch 'pax-test' into grsec-test
1818
1819commit d32ab3c04e157fd34738846fc1cbdbed5eab1147
1820Author: Brad Spengler <spender@grsecurity.net>
1821Date: Thu Feb 13 15:24:57 2014 -0500
1822
1823 Update to pax-linux-3.13.2-test9.patch:
1824 - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv <n@e-ix.net> for help
1825
1826 tools/gcc/Makefile | 2 +-
1827 tools/gcc/latent_entropy_plugin.c | 18 +++++++++--
1828 tools/gcc/size_overflow_plugin.c | 19 +++++++++--
1829 tools/gcc/stackleak_plugin.c | 58 ++++++++++++++++++++++++++++--------
1830 4 files changed, 76 insertions(+), 21 deletions(-)
1831
1832commit 32aa9fa0174969476774c472226d304f122291a5
1833Author: Brad Spengler <spender@grsecurity.net>
1834Date: Thu Feb 13 12:35:16 2014 -0500
1835
1836 add missing header
1837
1838 grsecurity/grsec_mem.c | 1 +
1839 1 files changed, 1 insertions(+), 0 deletions(-)
1840
1841commit d48d8d3b1b527d8dc7a9162bda44d32608906632
1842Author: Brad Spengler <spender@grsecurity.net>
1843Date: Thu Feb 13 12:04:44 2014 -0500
1844
1845 export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL
1846
1847 Conflicts:
1848
1849 grsecurity/gracl.c
1850 grsecurity/grsec_disabled.c
1851 grsecurity/grsec_exec.c
1852
1853 grsecurity/gracl.c | 8 ++++----
1854 grsecurity/grsec_chroot.c | 2 +-
1855 grsecurity/grsec_disabled.c | 4 ++--
1856 grsecurity/grsec_exec.c | 8 ++++----
1857 grsecurity/grsec_init.c | 2 +-
1858 grsecurity/grsec_mem.c | 1 +
1859 grsecurity/grsec_sock.c | 12 ++++++------
1860 grsecurity/grsec_time.c | 2 +-
1861 8 files changed, 20 insertions(+), 19 deletions(-)
1862
1863commit 3c05c8568522f6a660debeaacf536a99a0212342
1864Author: Brad Spengler <spender@grsecurity.net>
1865Date: Thu Feb 13 11:28:26 2014 -0500
1866
1867 add missing header
1868
1869 arch/x86/kernel/msr.c | 1 +
1870 1 files changed, 1 insertions(+), 0 deletions(-)
1871
1872commit e68254d468db8b3a28fa549606136fdba9276a75
1873Author: Brad Spengler <spender@grsecurity.net>
1874Date: Thu Feb 13 11:12:36 2014 -0500
1875
1876 fix typo
1877
1878 arch/x86/kernel/msr.c | 4 ++--
1879 include/linux/grsecurity.h | 2 +-
1880 2 files changed, 3 insertions(+), 3 deletions(-)
1881
1882commit 2845d9e8598070db65f7429ecf2ac1803077ed9e
1883Author: Brad Spengler <spender@grsecurity.net>
1884Date: Thu Feb 13 10:57:06 2014 -0500
1885
1886 PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead
1887
1888 tools/gcc/randomize_layout_plugin.c | 4 ++--
1889 1 files changed, 2 insertions(+), 2 deletions(-)
1890
1891commit 1cd63e6169739aa7881796ac74b43b83bdbd8626
1892Author: Brad Spengler <spender@grsecurity.net>
1893Date: Thu Feb 13 09:23:29 2014 -0500
1894
1895 Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes. Log all writing attempts.
1896
1897 arch/x86/Kconfig | 1 -
1898 arch/x86/kernel/msr.c | 9 +++++++++
1899 grsecurity/grsec_mem.c | 6 ++++++
1900 include/linux/grmsg.h | 1 +
1901 include/linux/grsecurity.h | 1 +
1902 5 files changed, 17 insertions(+), 1 deletions(-)
1903
1904commit a750206a1934759fc0da5ab831852a22ce720862
1905Author: Richard Yao <ryao@gentoo.org>
1906Date: Sat Feb 8 19:32:01 2014 -0500
1907
1908 Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8
1909
1910 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers
1911
1912 The 9p-virtio transport does zero copy on things larger than 1024 bytes
1913 in size. It accomplishes this by returning the physical addresses of
1914 pages to the virtio-pci device. At present, the translation is usually a
1915 bit shift.
1916
1917 That approach produces an invalid page address when we read/write to
1918 vmalloc buffers, such as those used for Linux kernel modules. Any
1919 attempt to load a Linux kernel module from 9p-virtio produces the
1920 following stack.
1921
1922 [<ffffffff814878ce>] p9_virtio_zc_request+0x45e/0x510
1923 [<ffffffff814814ed>] p9_client_zc_rpc.constprop.16+0xfd/0x4f0
1924 [<ffffffff814839dd>] p9_client_read+0x15d/0x240
1925 [<ffffffff811c8440>] v9fs_fid_readn+0x50/0xa0
1926 [<ffffffff811c84a0>] v9fs_file_readn+0x10/0x20
1927 [<ffffffff811c84e7>] v9fs_file_read+0x37/0x70
1928 [<ffffffff8114e3fb>] vfs_read+0x9b/0x160
1929 [<ffffffff81153571>] kernel_read+0x41/0x60
1930 [<ffffffff810c83ab>] copy_module_from_fd.isra.34+0xfb/0x180
1931
1932 Subsequently, QEMU will die printing:
1933
1934 qemu-system-x86_64: virtio: trying to map MMIO memory
1935
1936 This patch enables 9p-virtio to correctly handle this case. This not
1937 only enables us to load Linux kernel modules off virtfs, but also
1938 enables ZFS file-based vdevs on virtfs to be used without killing QEMU.
1939
1940 Special thanks to both Avi Kivity and Alexander Graf for their
1941 interpretation of QEMU backtraces. Without their guidence, tracking down
1942 this bug would have taken much longer. Also, special thanks to Linus
1943 Torvalds for his insightful explanation of why this should use
1944 is_vmalloc_addr() instead of is_vmalloc_or_module_addr():
1945
1946 https://lkml.org/lkml/2014/2/8/272
1947
1948 Signed-off-by: Richard Yao <ryao@gentoo.org>
1949 Signed-off-by: David S. Miller <davem@davemloft.net>
1950
1951 net/9p/trans_virtio.c | 5 ++++-
1952 1 files changed, 4 insertions(+), 1 deletions(-)
1953
1954commit 6f3de18441f63778b664f2815cfc0d2af0d22f4f
1955Author: Brad Spengler <spender@grsecurity.net>
1956Date: Thu Feb 13 08:38:14 2014 -0500
1957
1958 rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals
1959 add a useful compile error if we try building with < gcc 4.6.4
1960
1961 tools/gcc/randomize_layout_plugin.c | 8 ++++++--
1962 1 files changed, 6 insertions(+), 2 deletions(-)
1963
1964commit 596b24936ed3687455327c3d26a8a820263a1f88
1965Author: Brad Spengler <spender@grsecurity.net>
1966Date: Tue Feb 11 17:33:49 2014 -0500
1967
1968 [PATCH] random: fix overflow for big nbits values in credit_entropy_bits()
1969
1970 Commit 30e37ec516ae "random: account for entropy loss due to overwrites"
1971 introduced an overflow in the arithmetics of credit_entropy_bits() when
1972 CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool
1973 size and therefore invalidates the assumptions of the "nifty" formula.
1974
1975 Fix the overflow by using 64bit arithmetics.
1976
1977 Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
1978 Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
1979
1980 This bug is at worst a privileged DoS -- with RANDNET enabled, an admin
1981 with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once
1982 can cause less than expected entropy to be credited (but this doesn't
1983 affect how much is actually added). For specific buffer sizes, this
1984 can result in 0 entropy being credited and end in a situation in which
1985 the kernel can't recover, causing future reads from /dev/random to stall.
1986
1987 Many thanks to Torsten and Mathias for the report!
1988
1989 drivers/char/random.c | 5 +----
1990 1 files changed, 1 insertions(+), 4 deletions(-)
1991
1992commit 04f9fc1040b96a623cca444b330a3a96c104d3af
1993Author: Brad Spengler <spender@grsecurity.net>
1994Date: Sun Feb 9 11:30:53 2014 -0500
1995
1996 just ignore the seed file, the hash is in a different dir
1997
1998 tools/gcc/.gitignore | 1 -
1999 1 files changed, 0 insertions(+), 1 deletions(-)
2000
2001commit eaddc3f039b57731d04d90e334cf75c6cdde895d
2002Author: Brad Spengler <spender@grsecurity.net>
2003Date: Sun Feb 9 11:27:22 2014 -0500
2004
2005 Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead
2006
2007 Documentation/dontdiff | 2 +-
2008 Makefile | 4 +---
2009 include/linux/vermagic.h | 1 +
2010 tools/gcc/.gitignore | 4 ++--
2011 tools/gcc/Makefile | 9 ++++-----
2012 tools/gcc/gen-random-seed.sh | 3 ++-
2013 6 files changed, 11 insertions(+), 12 deletions(-)
2014
2015commit d3fcb6991a09d163867dd6e7e04ad5675f9c3202
2016Author: Brad Spengler <spender@grsecurity.net>
2017Date: Sat Feb 8 22:03:25 2014 -0500
2018
2019 update dontdiff and .gitignore to reflect new seed/hash filenames for RANDSTRUCT
2020
2021 Documentation/dontdiff | 4 ++--
2022 tools/gcc/.gitignore | 4 ++--
2023 2 files changed, 4 insertions(+), 4 deletions(-)
2024
2025commit 3e96d2ad6f7e3373a978767099f3b3bb12890644
2026Author: Brad Spengler <spender@grsecurity.net>
2027Date: Sat Feb 8 20:02:12 2014 -0500
2028
2029 don't divide cputime by HZ as some architectures can't handle this
2030 use proper task_cputime and cputime_to_secs wrappers
2031 Thanks to Michael Tremer for the report
2032
2033 grsecurity/gracl.c | 23 ++++++++++++-----------
2034 1 files changed, 12 insertions(+), 11 deletions(-)
2035
2036commit bff837da26077ae243118561da6e31e8d2ef83b7
2037Author: Brad Spengler <spender@grsecurity.net>
2038Date: Thu Feb 6 21:26:51 2014 -0500
2039
2040 gcc 4.9 update for RANDSTRUCT plugin part 1
2041
2042 tools/gcc/randomize_layout_plugin.c | 7 +------
2043 1 files changed, 1 insertions(+), 6 deletions(-)
2044
2045commit 58eee46f846245affdc86a1fd057bc7802bfef63
2046Merge: 954a136 2b56794
2047Author: Brad Spengler <spender@grsecurity.net>
2048Date: Thu Feb 6 20:36:18 2014 -0500
2049
2050 Merge branch 'pax-test' into grsec-test
2051
2052commit 2b56794a375594b35d2984d0950059977624a5ed
2053Author: Brad Spengler <spender@grsecurity.net>
2054Date: Thu Feb 6 20:35:40 2014 -0500
2055
2056 Update to pax-linux-3.13.2-test8.patch:
2057 - fixed compile errors on arm due to constification, reported by Michael Tremer <michael.tremer@ipfire.org>
2058 - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender
2059 - added a new header to gcc-common.h, reported by spender
2060 - some useful backports from upstream 3.14:
2061 - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c
2062 - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9
2063
2064 Makefile | 8 +++++++-
2065 arch/arm/mach-omap2/powerdomains43xx_data.c | 5 ++++-
2066 arch/x86/include/asm/tlbflush.h | 1 -
2067 drivers/gpu/drm/armada/armada_drv.c | 10 +---------
2068 drivers/gpu/drm/tegra/hdmi.c | 2 +-
2069 drivers/misc/eeprom/sunxi_sid.c | 4 +++-
2070 drivers/mmc/host/sdhci-esdhc-imx.c | 7 +++++--
2071 include/drm/drmP.h | 1 +
2072 include/drm/ttm/ttm_page_alloc.h | 1 +
2073 tools/gcc/gcc-common.h | 1 +
2074 10 files changed, 24 insertions(+), 16 deletions(-)
2075
2076commit 954a136c7f2ce3a76f9a8b148c49614092554b5b
2077Author: Brad Spengler <spender@grsecurity.net>
2078Date: Thu Feb 6 20:20:41 2014 -0500
2079
2080 Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2
2081
2082 security/selinux/ss/services.c | 4 ++++
2083 1 files changed, 4 insertions(+), 0 deletions(-)
2084
2085commit a16066ea179a4f15b368cd5003d9c3638aa7f48e
2086Author: Brad Spengler <spender@grsecurity.net>
2087Date: Thu Feb 6 20:16:57 2014 -0500
2088
2089 don't pass the seed via build commandline, store it in a header file instead
2090 and build it into the RANDSTRUCT plugin.
2091 set up proper dependencies for the generated files used by the RANDSTRUCT plugin,
2092 fixing some race conditions in the build process
2093 support O= argument to make and place generated files in the target directory tree
2094 update RANDSTRUCT documentation
2095
2096 Makefile | 6 ++----
2097 grsecurity/Kconfig | 2 +-
2098 scripts/gen-random-seed.sh | 8 --------
2099 tools/gcc/Makefile | 10 +++++++++-
2100 tools/gcc/gen-random-seed.sh | 7 +++++++
2101 tools/gcc/randomize_layout_plugin.c | 23 ++++++++---------------
2102 6 files changed, 27 insertions(+), 29 deletions(-)
2103
2104commit 79cb2972d4d5e61a831e8eae996b286f433afd10
2105Author: Brad Spengler <spender@grsecurity.net>
2106Date: Thu Feb 6 18:15:24 2014 -0500
2107
2108 make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make'
2109
2110 grsecurity/Makefile | 1 +
2111 1 files changed, 1 insertions(+), 0 deletions(-)
2112
2113commit 10a483b7ae687f15e3836234175920518ec50fa7
2114Merge: 95e6c94 5a87ea7
2115Author: Brad Spengler <spender@grsecurity.net>
2116Date: Thu Feb 6 17:21:02 2014 -0500
2117
2118 Merge branch 'pax-test' into grsec-test
2119
2120commit 5a87ea74aab86c3c211612d1ae7cac26694b736d
2121Merge: 1554390 fd82174
2122Author: Brad Spengler <spender@grsecurity.net>
2123Date: Thu Feb 6 17:19:50 2014 -0500
2124
2125 Merge branch 'linux-3.13.y' into pax-test
2126
2127 Conflicts:
2128 net/compat.c
2129
2130commit 95e6c94d6945ce8acfb56997feada8fde8aab8a6
2131Author: Brad Spengler <spender@grsecurity.net>
2132Date: Wed Feb 5 23:43:27 2014 -0500
2133
2134 avoid printing jibberish in some instances with RANDSTRUCT and modules
2135 built with other seeds, as the kernel's module loader trusts the
2136 module layout
2137
2138 kernel/module.c | 25 +++++++++++++++++++++++++
2139 1 files changed, 25 insertions(+), 0 deletions(-)
2140
2141commit 71ff747386915adda2113b08c47b0ccb1683dea5
2142Author: Brad Spengler <spender@grsecurity.net>
2143Date: Wed Feb 5 23:32:26 2014 -0500
2144
2145 Introduce the non-performance mode -- the performance mode had previously been
2146 inadvertently forced on regardless of config setting
2147
2148 Resolve an issue with gcc completing declarations for recently finished
2149 types *before* the plugin's finish_type being called to randomize that structure.
2150 This resulted in too small a structure size being emitted for this_module
2151 and generally crashes whenever modules were loaded.
2152
2153 Makefile | 2 +-
2154 tools/gcc/randomize_layout_plugin.c | 23 +++++++++++++++++++++++
2155 2 files changed, 24 insertions(+), 1 deletions(-)
2156
2157commit e17b47e4f837bb769f5159b928f5accce5131514
2158Author: Brad Spengler <spender@grsecurity.net>
2159Date: Mon Feb 3 17:30:32 2014 -0500
2160
2161 select DEBUG_KERNEL in addition to DEBUG_LIST
2162
2163 security/Kconfig | 1 +
2164 1 files changed, 1 insertions(+), 0 deletions(-)
2165
2166commit 1a4fd0231e9cee0203dd7f10faf89d721883b6a4
2167Merge: 5fb88fe 1554390
2168Author: Brad Spengler <spender@grsecurity.net>
2169Date: Sun Feb 2 21:25:11 2014 -0500
2170
2171 Merge branch 'pax-test' into grsec-test
2172
2173commit 1554390d0c012ebcbe8734216913fcb94681db2b
2174Author: Brad Spengler <spender@grsecurity.net>
2175Date: Sun Feb 2 21:24:45 2014 -0500
2176
2177 update plugin start_unit names
2178
2179 tools/gcc/latent_entropy_plugin.c | 2 +-
2180 tools/gcc/size_overflow_plugin.c | 2 +-
2181 2 files changed, 2 insertions(+), 2 deletions(-)
2182
2183commit 5fb88febacff2f061c9aad406d107177acc3f950
2184Author: Brad Spengler <spender@grsecurity.net>
2185Date: Sun Feb 2 21:23:30 2014 -0500
2186
2187 update copyright date
2188
2189 grsecurity/Makefile | 2 +-
2190 1 files changed, 1 insertions(+), 1 deletions(-)
2191
2192commit f4d392661ab08166ed1aa81d4f1d90fec146f761
2193Author: Brad Spengler <spender@grsecurity.net>
2194Date: Sun Feb 2 21:23:08 2014 -0500
2195
2196 update copyright message
2197
2198 grsecurity/Makefile | 22 ++++++++++++++++------
2199 1 files changed, 16 insertions(+), 6 deletions(-)
2200
2201commit 7bd6dcd5823155b1948fe0815a7aa173da6bea35
2202Author: Brad Spengler <spender@grsecurity.net>
2203Date: Sat Feb 1 19:53:04 2014 -0500
2204
2205 update RANDSTRUCT plugin to eliminate false posities on struct type mismatches
2206 resulting from an IS_ERR() sequence
2207 add checks for bad casts in local and global variable initializers
2208 use the main variant when comparing types
2209
2210 tools/gcc/randomize_layout_plugin.c | 150 +++++++++++++++++++++++++++++++++--
2211 1 files changed, 144 insertions(+), 6 deletions(-)
2212
2213commit 5349795dd080969318409078672c2c53c0645354
2214Author: Brad Spengler <spender@grsecurity.net>
2215Date: Sat Feb 1 15:13:06 2014 -0500
2216
2217 remove unnecessary TODO_* flags for our passive bad cast gimple pass
2218
2219 tools/gcc/randomize_layout_plugin.c | 2 +-
2220 1 files changed, 1 insertions(+), 1 deletions(-)
2221
2222commit a22b89b09d12e3db4b464d3b26e45c7b3a65c0ba
2223Author: Brad Spengler <spender@grsecurity.net>
2224Date: Sat Feb 1 10:55:36 2014 -0500
2225
2226 fix RANDSTRUCT plugin compatibility with gcc 4.9
2227
2228 tools/gcc/randomize_layout_plugin.c | 2 +-
2229 1 files changed, 1 insertions(+), 1 deletions(-)
2230
2231commit b3d5d360931c93bdeaf6fa199e29f47e7f70b17b
2232Author: Brad Spengler <spender@grsecurity.net>
2233Date: Fri Jan 31 21:52:14 2014 -0500
2234
2235 sanity check to make sure we never randomize a struct in include/uapi/*
2236
2237 scripts/gen-random-seed.sh | 2 +-
2238 tools/gcc/randomize_layout_plugin.c | 7 +++++++
2239 2 files changed, 8 insertions(+), 1 deletions(-)
2240
2241commit d2057f02e759a707a700bc9c80d1f7f55afa89f1
2242Author: Brad Spengler <spender@grsecurity.net>
2243Date: Fri Jan 31 18:11:51 2014 -0500
2244
2245 force on modversion support if RANDSTRUCT is enabled so that we're sure
2246 no modules can be loaded that were built with a different seed
2247
2248 grsecurity/Kconfig | 1 +
2249 1 files changed, 1 insertions(+), 0 deletions(-)
2250
2251commit 5e1f8e0b67af1f2876f1906eab828914a1c2670b
2252Author: Brad Spengler <spender@grsecurity.net>
2253Date: Thu Jan 30 16:47:31 2014 -0500
2254
2255 Fix an extremely serious vulnerability (it's nearly an arbitrary write) introduced
2256 in 3.4 with the addition of X32 support. Hopefully most users haven't enabled this
2257 option, but as it's enabled now in some distros (e.g. Ubuntu, which is affected)
2258 the chance is more likely for those importing base configs from such a distro.
2259
2260 I would recommend you disable X32 support, especially if you're not using it. As
2261 this bug could have been discovered with even a completely dumb syscall fuzzer, it
2262 should be clear what level of testing went into X32 support.
2263
2264 Normally we would have fixed this immediately, announced it, and moved on, but
2265 this was not my bug and not my choice. So I got to wait for the likes of linux-distros
2266 and security@kernel.org to decide when it could be fixed, while I had to continue
2267 releasing grsecurity patches without the fix for a serious vulnerability I was aware
2268 of for two days. I'm not happy at all about this, and this is exactly why I refuse
2269 to work in any kind of situation where I would become aware of something that I
2270 couldn't fix immediately. Hopefully this is the last time this will happen.
2271
2272 Credits to the PaX Team for finding the bug and writing the fix. This is CVE-2014-0038.
2273
2274 net/compat.c | 9 ++-------
2275 1 files changed, 2 insertions(+), 7 deletions(-)
2276
2277commit 9d599455aa9fb272a7160c3f8276771a5af7c74a
2278Merge: 6aeb51b f93afd1
2279Author: Brad Spengler <spender@grsecurity.net>
2280Date: Wed Jan 29 21:49:00 2014 -0500
2281
2282 Merge branch 'pax-test' into grsec-test
2283
2284commit f93afd1627ef450a96e96bdb2b984aefb66cb531
2285Author: Brad Spengler <spender@grsecurity.net>
2286Date: Wed Jan 29 21:48:24 2014 -0500
2287
2288 Update to pax-linux-3.13.1-test6.patch:
2289 - forward port to 3.13.1
2290 - fixed a weak UDEREF regression resulting in a kernel hang on boot, reported by Negres
2291
2292 arch/x86/include/asm/uaccess_64.h | 4 ++--
2293 1 files changed, 2 insertions(+), 2 deletions(-)
2294
2295commit 18727190851782d5ee2b5fe579e4a4c379303a34
2296Merge: b9c766b 07ecf16
2297Author: Brad Spengler <spender@grsecurity.net>
2298Date: Wed Jan 29 21:41:57 2014 -0500
2299
2300 Merge branch 'linux-3.13.y' into pax-test
2301
2302commit 6aeb51bccfcad549c3b39235df08aa043cdfa9bc
2303Author: Weston Andros Adamson <dros@netapp.com>
2304Date: Tue Dec 17 12:16:11 2013 -0500
2305
2306 Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d
2307
2308 sunrpc: Fix infinite loop in RPC state machine
2309
2310 When a task enters call_refreshresult with status 0 from call_refresh and
2311 !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting
2312 or max number of retries.
2313
2314 Instead of trying forever, make use of the retry path that other errors use.
2315
2316 This only seems to be possible when the crrefresh callback is gss_refresh_null,
2317 which only happens when destroying the context.
2318
2319 To reproduce:
2320
2321 1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific
2322 operations).
2323
2324 2) reboot - the client will be stuck and will need to be hard rebooted
2325
2326 BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46]
2327 Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy
2328 irq event stamp: 195724
2329 hardirqs last enabled at (195723): [<ffffffff814a925c>] restore_args+0x0/0x30
2330 hardirqs last disabled at (195724): [<ffffffff814b0a6a>] apic_timer_interrupt+0x6a/0x80
2331 softirqs last enabled at (195722): [<ffffffff8103f583>] __do_softirq+0x1df/0x276
2332 softirqs last disabled at (195717): [<ffffffff8103f852>] irq_exit+0x53/0x9a
2333 CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4
2334 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
2335 Workqueue: rpciod rpc_async_schedule [sunrpc]
2336 task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000
2337 RIP: 0010:[<ffffffffa0064fd4>] [<ffffffffa0064fd4>] __rpc_execute+0x8a/0x362 [sunrpc]
2338 RSP: 0018:ffff880079003d18 EFLAGS: 00000246
2339 RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007
2340 RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900
2341 RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7
2342 R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e
2343 R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900
2344 FS: 0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
2345 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
2346 CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0
2347 Stack:
2348 ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830
2349 ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260
2350 ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000
2351 Call Trace:
2352 [<ffffffff81073f47>] ? trace_hardirqs_on_caller+0x145/0x1a1
2353 [<ffffffffa00652d3>] rpc_async_schedule+0x27/0x32 [sunrpc]
2354 [<ffffffff81052974>] process_one_work+0x211/0x3a5
2355 [<ffffffff810528d5>] ? process_one_work+0x172/0x3a5
2356 [<ffffffff81052eeb>] worker_thread+0x134/0x202
2357 [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
2358 [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
2359 [<ffffffff810584a0>] kthread+0xc9/0xd1
2360 [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
2361 [<ffffffff814afd6c>] ret_from_fork+0x7c/0xb0
2362 [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
2363 Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00
2364
2365 And the output of "rpcdebug -m rpc -s all":
2366
2367 RPC: 61 call_refresh (status 0)
2368 RPC: 61 call_refresh (status 0)
2369 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2370 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2371 RPC: 61 call_refreshresult (status 0)
2372 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2373 RPC: 61 call_refreshresult (status 0)
2374 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2375 RPC: 61 call_refresh (status 0)
2376 RPC: 61 call_refreshresult (status 0)
2377 RPC: 61 call_refresh (status 0)
2378 RPC: 61 call_refresh (status 0)
2379 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2380 RPC: 61 call_refreshresult (status 0)
2381 RPC: 61 call_refresh (status 0)
2382 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2383 RPC: 61 call_refresh (status 0)
2384 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2385 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2386 RPC: 61 call_refreshresult (status 0)
2387 RPC: 61 call_refresh (status 0)
2388 RPC: 61 call_refresh (status 0)
2389 RPC: 61 call_refresh (status 0)
2390 RPC: 61 call_refresh (status 0)
2391 RPC: 61 call_refreshresult (status 0)
2392 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
2393
2394 Signed-off-by: Weston Andros Adamson <dros@netapp.com>
2395 Cc: stable@vger.kernel.org # 2.6.37+
2396 Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
2397
2398 net/sunrpc/clnt.c | 8 ++++++--
2399 1 files changed, 6 insertions(+), 2 deletions(-)
2400
2401commit 9ad04e13872458b4883e9f8f087cad538ae8f3e3
2402Author: Scott Mayhew <smayhew@redhat.com>
2403Date: Fri Jan 17 15:12:05 2014 -0500
2404
2405 Upstream commit: 263b4509ec4d47e0da3e753f85a39ea12d1eff24
2406
2407 nfs: always make sure page is up-to-date before extending a write to cover the entire page
2408
2409 We should always make sure the cached page is up-to-date when we're
2410 determining whether we can extend a write to cover the full page -- even
2411 if we've received a write delegation from the server.
2412
2413 Commit c7559663 added logic to skip this check if we have a write
2414 delegation, which can lead to data corruption such as the following
2415 scenario if client B receives a write delegation from the NFS server:
2416
2417 Client A:
2418 # echo 123456789 > /mnt/file
2419
2420 Client B:
2421 # echo abcdefghi >> /mnt/file
2422 # cat /mnt/file
2423 0�D0�abcdefghi
2424
2425 Just because we hold a write delegation doesn't mean that we've read in
2426 the entire page contents.
2427
2428 Cc: <stable@vger.kernel.org> # v3.11+
2429 Signed-off-by: Scott Mayhew <smayhew@redhat.com>
2430 Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
2431
2432 fs/nfs/write.c | 11 ++++++-----
2433 1 files changed, 6 insertions(+), 5 deletions(-)
2434
2435commit d6a427afc951e705a45d18fe513b4a9644b54586
2436Author: Trond Myklebust <trond.myklebust@primarydata.com>
2437Date: Fri Jan 17 17:03:41 2014 -0500
2438
2439 Upstream commit: 64590daa9e0dfb3aad89e3ab9230683b76211d5b
2440
2441 NFSv4.1: Handle errors correctly in nfs41_walk_client_list
2442
2443 Both nfs41_walk_client_list and nfs40_walk_client_list expect the
2444 'status' variable to be set to the value -NFS4ERR_STALE_CLIENTID
2445 if the loop fails to find a match.
2446 The problem is that the 'pos->cl_cons_state > NFS_CS_READY' changes
2447 the value of 'status', and sets it either to the value '0' (which
2448 indicates success), or to the value EINTR.
2449
2450 Cc: stable@vger.kernel.org # 3.7.x: 7b1f1fd1842e6: NFSv4/4.1: Fix bugs in
2451 Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
2452
2453 fs/nfs/nfs4client.c | 8 +++++---
2454 1 files changed, 5 insertions(+), 3 deletions(-)
2455
2456commit f7c465156fdef12a66d0a59114582dc4d4d7f406
2457Author: Weston Andros Adamson <dros@primarydata.com>
2458Date: Sun Jan 19 22:45:36 2014 -0500
2459
2460 Upstream commit: abad2fa5ba67725a3f9c376c8cfe76fbe94a3041
2461
2462 nfs4: fix discover_server_trunking use after free
2463
2464 If clp is new (cl_count = 1) and it matches another client in
2465 nfs4_discover_server_trunking, the nfs_put_client will free clp before
2466 ->cl_preserve_clid is set.
2467
2468 Cc: stable@vger.kernel.org # 3.7+
2469 Signed-off-by: Weston Andros Adamson <dros@primarydata.com>
2470 Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
2471
2472 fs/nfs/nfs4client.c | 10 ++++------
2473 1 files changed, 4 insertions(+), 6 deletions(-)
2474
2475commit d3737c02af42ac32da97dc30dac94ae7343cec14
2476Author: Heiko Carstens <heiko.carstens@de.ibm.com>
2477Date: Mon Jan 27 17:07:19 2014 -0800
2478
2479 Upstream commit: 592f6b842f64e416c7598a1b97c649b34241e22d
2480
2481 compat: fix sys_fanotify_mark
2482
2483 Commit 91c2e0bcae72 ("unify compat fanotify_mark(2), switch to
2484 COMPAT_SYSCALL_DEFINE") added a new unified compat fanotify_mark syscall
2485 to be used by all architectures.
2486
2487 Unfortunately the unified version merges the split mask parameter in a
2488 wrong way: the lower and higher word got swapped.
2489
2490 This was discovered with glibc's tst-fanotify test case.
2491
2492 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
2493 Reported-by: Andreas Krebbel <krebbel@linux.vnet.ibm.com>
2494 Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
2495 Acked-by: "David S. Miller" <davem@davemloft.net>
2496 Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
2497 Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2498 Cc: Ingo Molnar <mingo@redhat.com>
2499 Cc: Ralf Baechle <ralf@linux-mips.org>
2500 Cc: <stable@vger.kernel.org> [3.10+]
2501 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2502 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2503
2504 fs/notify/fanotify/fanotify_user.c | 4 ++--
2505 1 files changed, 2 insertions(+), 2 deletions(-)
2506
2507commit ae72596a96d46255c781f07ee2de05abe57d43ff
2508Merge: 5254ff7 b9c766b
2509Author: Brad Spengler <spender@grsecurity.net>
2510Date: Tue Jan 28 18:23:25 2014 -0500
2511
2512 Merge branch 'pax-test' into grsec-test
2513
2514commit b9c766bc9706fcfe5bbe0df099178e8eaa643327
2515Author: Brad Spengler <spender@grsecurity.net>
2516Date: Tue Jan 28 18:22:46 2014 -0500
2517
2518 Update to pax-linux-3.13-test6.patch:
2519 - fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli
2520 - fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs
2521
2522 arch/x86/kernel/entry_64.S | 22 ++++++++++++----------
2523 include/linux/skbuff.h | 2 +-
2524 2 files changed, 13 insertions(+), 11 deletions(-)
2525
2526commit 5254ff73f13759d893213092da5fd654ca22960f
2527Merge: 7e5aad2 c956349
2528Author: Brad Spengler <spender@grsecurity.net>
2529Date: Mon Jan 27 22:52:22 2014 -0500
2530
2531 Merge branch 'pax-test' into grsec-test
2532
2533commit c956349a3335c72308d1bce7524f2e0f521ff709
2534Author: Brad Spengler <spender@grsecurity.net>
2535Date: Mon Jan 27 22:51:57 2014 -0500
2536
2537 Update to pax-linux-3.13-test5.patch:
2538 - new size overflow hash table from spender
2539 - backported http://git.kernel.org/linus/34228d473ef
2540 - fixed CONFIG_MEM_SOFT_DIRTY interference with _PAGE_NX on x86
2541 - fixed the size overflow plugin for gcc 4.9, by Emese Revfy
2542
2543 arch/x86/include/asm/pgtable_types.h | 2 +-
2544 mm/mmap.c | 12 +++++++++-
2545 tools/gcc/gcc-common.h | 2 +
2546 tools/gcc/size_overflow_hash.data | 33 ++++++++++++++++++++++++++--
2547 tools/gcc/size_overflow_plugin.c | 38 +++++++++++++++++-----------------
2548 5 files changed, 62 insertions(+), 25 deletions(-)
2549
2550commit 7e5aad2c98c49f82bdd6a6949133c0393b743e4a
2551Author: Brad Spengler <spender@grsecurity.net>
2552Date: Mon Jan 27 21:12:59 2014 -0500
2553
2554 update size_overflow hash table
2555
2556 tools/gcc/size_overflow_hash.data | 9 +++++++--
2557 1 files changed, 7 insertions(+), 2 deletions(-)
2558
2559commit 9583ac30e401a97397c5a4a30564521bc2d8afeb
2560Author: Brad Spengler <spender@grsecurity.net>
2561Date: Mon Jan 27 20:33:30 2014 -0500
2562
2563 Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option
2564
2565 tools/gcc/randomize_layout_plugin.c | 2 +-
2566 1 files changed, 1 insertions(+), 1 deletions(-)
2567
2568commit f4afefdb6f09d22d5c0a74cf2a3ff4f44a67a8c8
2569Author: Brad Spengler <spender@grsecurity.net>
2570Date: Mon Jan 27 20:30:10 2014 -0500
2571
2572 Make all grsecurity code GPLv2 only for future releases. Not really
2573 important as grsecurity is a derivative work of the Linux kernel and
2574 thus forced to be GPLv2, the "or higher" was superfluous.
2575
2576 grsecurity/Makefile | 2 +-
2577 1 files changed, 1 insertions(+), 1 deletions(-)
2578
2579commit 718e2b2400f29a7fa414c6c5d383f82658a3457f
2580Author: Brad Spengler <spender@grsecurity.net>
2581Date: Sun Jan 26 22:22:52 2014 -0500
2582
2583 update size_overflow hash table
2584
2585 tools/gcc/size_overflow_hash.data | 5 +++++
2586 1 files changed, 5 insertions(+), 0 deletions(-)
2587
2588commit a4369fd780e658a9d26bedc53415261286caefe5
2589Merge: c93ceb8 f3b1213
2590Author: Brad Spengler <spender@grsecurity.net>
2591Date: Sun Jan 26 21:24:43 2014 -0500
2592
2593 Merge branch 'pax-test' into grsec-test
2594
2595commit f3b12134d032b0bfc2a9fc2183a50fabcaabdbf5
2596Author: Brad Spengler <spender@grsecurity.net>
2597Date: Sun Jan 26 21:24:17 2014 -0500
2598
2599 Update to pax-linux-3.13-test4.patch:
2600 - fixed a constify plugin regression, reported by spender
2601 - updated gcc-common.h
2602
2603 tools/gcc/constify_plugin.c | 4 +-
2604 tools/gcc/gcc-common.h | 68 +++++++++++++++++++++++++++++++++++++++---
2605 2 files changed, 65 insertions(+), 7 deletions(-)
2606
2607commit 962a3acff3d42cf360932f438a666224b8597012
2608Author: Brad Spengler <spender@grsecurity.net>
2609Date: Sun Jan 26 21:24:01 2014 -0500
2610
2611 Revert "fix an assert triggering in constify plugin update, real fix coming later"
2612
2613 This reverts commit 899baaf06fdd79f9b9b410a414695ba7b80f6203.
2614
2615 tools/gcc/constify_plugin.c | 2 ++
2616 1 files changed, 2 insertions(+), 0 deletions(-)
2617
2618commit c93ceb8d5ed604ddd5580de9a764fc411824c5c0
2619Author: Brad Spengler <spender@grsecurity.net>
2620Date: Sun Jan 26 21:18:31 2014 -0500
2621
2622 update size_overflow hash table
2623
2624 tools/gcc/size_overflow_hash.data | 19 ++++++++++++++++++-
2625 1 files changed, 18 insertions(+), 1 deletions(-)
2626
2627commit b42c965a52f58915c8fd048749c1dc5bcf373339
2628Merge: 663306e 899baaf
2629Author: Brad Spengler <spender@grsecurity.net>
2630Date: Sun Jan 26 20:35:52 2014 -0500
2631
2632 Merge branch 'pax-test' into grsec-test
2633
2634commit 899baaf06fdd79f9b9b410a414695ba7b80f6203
2635Author: Brad Spengler <spender@grsecurity.net>
2636Date: Sun Jan 26 20:34:49 2014 -0500
2637
2638 fix an assert triggering in constify plugin update, real fix coming later
2639
2640 tools/gcc/constify_plugin.c | 2 --
2641 1 files changed, 0 insertions(+), 2 deletions(-)
2642
2643commit 663306edb8f76d8be46c39ba6aafcdec3e000ab1
2644Author: Brad Spengler <spender@grsecurity.net>
2645Date: Sun Jan 26 18:24:44 2014 -0500
2646
2647 fix typo
2648
2649 tools/gcc/randomize_layout_plugin.c | 2 +-
2650 1 files changed, 1 insertions(+), 1 deletions(-)
2651
2652commit 4539e5f2729719d07095cf267ea426524f7dc8f9
2653Author: Brad Spengler <spender@grsecurity.net>
2654Date: Sun Jan 26 18:22:33 2014 -0500
2655
2656 Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h
2657
2658 tools/gcc/randomize_layout_plugin.c | 77 +++++++++++++++++++----------------
2659 1 files changed, 42 insertions(+), 35 deletions(-)
2660
2661commit 3344ccde1ca59e4e0a4105f25ffbab561e5ee582
2662Merge: ff96162 0b83e85
2663Author: Brad Spengler <spender@grsecurity.net>
2664Date: Sun Jan 26 18:04:38 2014 -0500
2665
2666 Merge branch 'pax-test' into grsec-test
2667
2668commit 0b83e85c64c9e6e4328cac45d980cdd7e088f157
2669Author: Brad Spengler <spender@grsecurity.net>
2670Date: Sun Jan 26 18:03:50 2014 -0500
2671
2672 Update to pax-linux-3.13-test3.patch:
2673 - gcc plugin updates
2674 - ported them to gcc trunk (future 4.9)
2675 - introduced gcc-common.h to simplify gcc version dependencies
2676 - updated size overflow hash table from spender
2677 - fixed kallocstat to detect constant size arguments early
2678 - fixed constify to preserve type qualifiers on pointer-to-self fields
2679 - added a few sparse/checker annotations and changes to satisfy gcc's address space logic
2680 - fixed the TRACE_IRQFLAGS problem reported by minipli again
2681
2682 arch/x86/ia32/ia32_signal.c | 6 +-
2683 arch/x86/include/asm/uaccess_64.h | 4 +-
2684 arch/x86/kernel/entry_64.S | 112 ++++----
2685 arch/x86/kernel/preempt.S | 3 +
2686 arch/x86/kernel/tboot.c | 2 +-
2687 arch/x86/kernel/xsave.c | 8 +-
2688 arch/x86/lib/thunk_64.S | 2 +-
2689 block/compat_ioctl.c | 2 +-
2690 drivers/gpu/drm/drm_crtc.c | 2 +-
2691 drivers/gpu/drm/qxl/qxl_ioctl.c | 6 +-
2692 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 +-
2693 drivers/media/v4l2-core/v4l2-ctrls.c | 4 +-
2694 drivers/media/v4l2-core/v4l2-ioctl.c | 2 +-
2695 drivers/mmc/card/block.c | 2 +-
2696 drivers/net/macvtap.c | 2 +-
2697 drivers/vhost/vringh.c | 18 +-
2698 drivers/video/fbmem.c | 2 +-
2699 fs/compat_ioctl.c | 2 +-
2700 fs/exec.c | 2 +-
2701 fs/proc/vmcore.c | 4 +-
2702 include/uapi/linux/videodev2.h | 2 +-
2703 ipc/compat.c | 2 +-
2704 kernel/compat.c | 2 +-
2705 kernel/kmod.c | 4 +-
2706 net/9p/client.c | 6 +-
2707 net/compat.c | 2 +-
2708 net/core/filter.c | 2 +-
2709 net/netfilter/nft_compat.c | 4 +-
2710 net/socket.c | 6 +-
2711 net/tipc/subscr.c | 2 +-
2712 sound/pci/hda/hda_codec.c | 2 +-
2713 tools/gcc/Makefile | 2 +-
2714 tools/gcc/checker_plugin.c | 30 +--
2715 tools/gcc/colorize_plugin.c | 62 +++--
2716 tools/gcc/constify_plugin.c | 105 ++++----
2717 tools/gcc/gcc-common.h | 207 +++++++++++++++
2718 tools/gcc/kallocstat_plugin.c | 164 +++++++------
2719 tools/gcc/kernexec_plugin.c | 333 ++++++++++++++----------
2720 tools/gcc/latent_entropy_plugin.c | 146 +++++------
2721 tools/gcc/size_overflow_hash.data | 68 +++++-
2722 tools/gcc/size_overflow_plugin.c | 348 +++++++++++--------------
2723 tools/gcc/stackleak_plugin.c | 236 +++++++++--------
2724 tools/gcc/structleak_plugin.c | 90 +++----
2725 43 files changed, 1149 insertions(+), 871 deletions(-)
2726
2727commit ff9616214c2e875db763bd395dce11df378df896
2728Author: Brad Spengler <spender@grsecurity.net>
2729Date: Sun Jan 26 13:35:44 2014 -0500
2730
2731 pass hashed seed define as a string
2732
2733 Makefile | 2 +-
2734 1 files changed, 1 insertions(+), 1 deletions(-)
2735
2736commit 39961e3ad1abacccc8a2de280868bcfe52a1edff
2737Author: Brad Spengler <spender@grsecurity.net>
2738Date: Sun Jan 26 12:44:21 2014 -0500
2739
2740 add a sha256-hashed version of the seed to modversion to ensure no
2741 modules compiled with another seed can be loaded
2742
2743 Documentation/dontdiff | 1 +
2744 Makefile | 4 +++-
2745 include/linux/vermagic.h | 8 +++++++-
2746 scripts/gen-random-seed.sh | 2 +-
2747 tools/gcc/.gitignore | 1 +
2748 5 files changed, 13 insertions(+), 3 deletions(-)
2749
2750commit 1df9ff15112f3713997ac10e915b99ad99d2e33a
2751Author: Brad Spengler <spender@grsecurity.net>
2752Date: Sun Jan 26 11:26:44 2014 -0500
2753
2754 Force HIDESYM on if RANDSTRUCT is used, just in case there is a user
2755 who already isn't enabling it (to prevent the seed from potentially being
2756 visible to other users if compiled on the same machine).
2757 Suggested by minipli
2758
2759 grsecurity/Kconfig | 1 +
2760 1 files changed, 1 insertions(+), 0 deletions(-)
2761
2762commit 5ee75cac712d37f79de1e6f509a18749258b2085
2763Author: Brad Spengler <spender@grsecurity.net>
2764Date: Sun Jan 26 01:01:31 2014 -0500
2765
2766 Update size_overflow hash table
2767
2768 tools/gcc/size_overflow_hash.data | 19 +++++++++++++++++--
2769 1 files changed, 17 insertions(+), 2 deletions(-)
2770
2771commit d87a88e0b3298c9d39bb7b3257dabb8fc17b8e9c
2772Author: Brad Spengler <spender@grsecurity.net>
2773Date: Sat Jan 25 22:19:55 2014 -0500
2774
2775 update to new mount_lock
2776
2777 grsecurity/gracl.c | 24 +++++++++++-------------
2778 1 files changed, 11 insertions(+), 13 deletions(-)
2779
2780commit 677d1d169912d98b7a139563ab7f7fb82ee6c3c5
2781Author: Brad Spengler <spender@grsecurity.net>
2782Date: Sat Jan 25 19:05:59 2014 -0500
2783
2784 compile fix
2785
2786 init/main.c | 4 ----
2787 1 files changed, 0 insertions(+), 4 deletions(-)
2788
2789commit c8496c1e0bb5cbed7aff11ee208a7a89ffd80b40
2790Author: Brad Spengler <spender@grsecurity.net>
2791Date: Sat Jan 25 19:00:50 2014 -0500
2792
2793 resync random code with 3.13
2794
2795 include/linux/random.h | 4 ++++
2796 include/uapi/linux/random.h | 7 -------
2797 2 files changed, 4 insertions(+), 7 deletions(-)
2798
2799commit 3d168ee50cb706276c805ae1d6a5e8417a91067a
2800Author: Brad Spengler <spender@grsecurity.net>
2801Date: Sat Jan 25 14:54:11 2014 -0500
2802
2803 Fix another compiler error caught by RANDSTRUCT
2804
2805 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2806
2807 sound/isa/sb/emu8000_synth.c | 4 ++--
2808 1 files changed, 2 insertions(+), 2 deletions(-)
2809
2810commit bc4a5595404b985a2b17e84d29765b7af7e968ca
2811Author: Brad Spengler <spender@grsecurity.net>
2812Date: Sat Jan 25 14:34:12 2014 -0500
2813
2814 Fix another compiler error caught by RANDSTRUCT
2815
2816 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2817
2818 drivers/net/wan/z85230.c | 24 ++++++++++++------------
2819 1 files changed, 12 insertions(+), 12 deletions(-)
2820
2821commit 0f0da7cb40431fe816aa356499bff026452cfc44
2822Author: Brad Spengler <spender@grsecurity.net>
2823Date: Sat Jan 25 14:30:46 2014 -0500
2824
2825 fix compilation with RANDSTRUCT plugin
2826
2827 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2828
2829 sound/drivers/opl4/opl4_seq.c | 4 ++--
2830 1 files changed, 2 insertions(+), 2 deletions(-)
2831
2832commit 97d6cc865b9cf64fada1fcaabfa923fecee54ef7
2833Author: Brad Spengler <spender@grsecurity.net>
2834Date: Sat Jan 25 14:16:18 2014 -0500
2835
2836 avoid problems by just building our fake field decl node from scratch
2837
2838 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2839
2840 tools/gcc/randomize_layout_plugin.c | 10 +++++-----
2841 1 files changed, 5 insertions(+), 5 deletions(-)
2842
2843commit 6455dfb41e9c0d3f26f00ef2f505bd0f74aa8dca
2844Author: Brad Spengler <spender@grsecurity.net>
2845Date: Sat Jan 25 13:45:18 2014 -0500
2846
2847 while in non-debug mode, don't emit notes for non-randomized struct types
2848
2849 clear all signs from our fake field decl of being a bitfield
2850
2851 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2852
2853 tools/gcc/randomize_layout_plugin.c | 11 +++++++++++
2854 1 files changed, 11 insertions(+), 0 deletions(-)
2855
2856commit 35909486eebb6c1ab27956ef6cc35e19e19282a2
2857Author: Brad Spengler <spender@grsecurity.net>
2858Date: Sat Jan 25 12:56:05 2014 -0500
2859
2860 revert change to read-only marking of fake struct field
2861
2862 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2863
2864 tools/gcc/randomize_layout_plugin.c | 2 +-
2865 1 files changed, 1 insertions(+), 1 deletions(-)
2866
2867commit bbd5d12c912390e0bdb6ddde81279b579fc94edb
2868Author: Brad Spengler <spender@grsecurity.net>
2869Date: Sat Jan 25 12:42:48 2014 -0500
2870
2871 Update RANDSTRUCT plugin help
2872
2873 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2874
2875 tools/gcc/randomize_layout_plugin.c | 6 ++++--
2876 1 files changed, 4 insertions(+), 2 deletions(-)
2877
2878commit 0d829e61f501ae59387a6e1d0f9060d5555ac588
2879Author: Brad Spengler <spender@grsecurity.net>
2880Date: Sat Jan 25 12:25:43 2014 -0500
2881
2882 Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs randomization of marked sensitive kernel structures
2883
2884 automatically enabled by GRKERNSEC_CONFIG_AUTO
2885 performance mode is activated if the config priority is set to performance
2886
2887 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2888
2889 Documentation/dontdiff | 1 +
2890 Makefile | 12 +-
2891 arch/x86/include/asm/floppy.h | 20 +-
2892 arch/x86/include/asm/paravirt_types.h | 23 +-
2893 arch/x86/include/asm/processor.h | 2 +-
2894 drivers/acpi/acpica/hwxfsleep.c | 11 +-
2895 drivers/block/cciss.h | 30 +-
2896 drivers/block/drbd/drbd_interval.c | 6 +-
2897 drivers/block/smart1,2.h | 40 +-
2898 drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
2899 drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
2900 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
2901 drivers/infiniband/hw/ipath/ipath_dma.c | 26 +-
2902 drivers/infiniband/hw/nes/nes_cm.c | 22 +-
2903 drivers/isdn/gigaset/bas-gigaset.c | 32 +-
2904 drivers/isdn/gigaset/ser-gigaset.c | 32 +-
2905 drivers/isdn/gigaset/usb-gigaset.c | 32 +-
2906 drivers/isdn/i4l/isdn_concap.c | 6 +-
2907 drivers/isdn/i4l/isdn_x25iface.c | 16 +-
2908 drivers/misc/sgi-xp/xp_main.c | 12 +-
2909 drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
2910 drivers/net/wan/lmc/lmc_media.c | 97 ++--
2911 drivers/scsi/bfa/bfa_fcs.c | 19 +-
2912 drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
2913 drivers/scsi/bfa/bfa_modules.h | 12 +-
2914 drivers/scsi/hpsa.h | 20 +-
2915 drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
2916 drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
2917 drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +-
2918 drivers/video/matrox/matroxfb_DAC1064.c | 10 +-
2919 drivers/video/matrox/matroxfb_Ti3026.c | 5 +-
2920 fs/mount.h | 4 +-
2921 fs/proc/internal.h | 4 +-
2922 fs/reiserfs/item_ops.c | 24 +-
2923 grsecurity/Kconfig | 31 +-
2924 include/linux/compiler-gcc4.h | 5 +
2925 include/linux/compiler.h | 8 +
2926 include/linux/cred.h | 4 +-
2927 include/linux/dcache.h | 2 +-
2928 include/linux/fs.h | 14 +-
2929 include/linux/fs_struct.h | 2 +-
2930 include/linux/ipc_namespace.h | 2 +-
2931 include/linux/kobject.h | 2 +-
2932 include/linux/mm_types.h | 4 +-
2933 include/linux/module.h | 4 +-
2934 include/linux/mount.h | 2 +-
2935 include/linux/pid_namespace.h | 2 +-
2936 include/linux/proc_ns.h | 2 +-
2937 include/linux/rbtree_augmented.h | 4 +-
2938 include/linux/sched.h | 6 +-
2939 include/linux/sysctl.h | 2 +-
2940 include/linux/tty.h | 2 +-
2941 include/linux/tty_driver.h | 2 +-
2942 include/linux/user_namespace.h | 2 +-
2943 include/linux/utsname.h | 2 +-
2944 include/net/neighbour.h | 2 +-
2945 include/net/net_namespace.h | 2 +-
2946 lib/rbtree.c | 4 +-
2947 net/atm/lec.c | 6 +-
2948 net/atm/mpoa_caches.c | 42 +-
2949 net/decnet/dn_dev.c | 2 +-
2950 net/vmw_vsock/vmci_transport_notify.c | 30 +-
2951 net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +-
2952 net/x25/sysctl_net_x25.c | 2 +-
2953 scripts/Makefile | 2 +
2954 scripts/gen-random-seed.sh | 8 +
2955 sound/core/seq/oss/seq_oss.c | 4 +-
2956 sound/core/seq/seq_midi.c | 4 +-
2957 sound/drivers/opl3/opl3_seq.c | 4 +-
2958 sound/pci/emu10k1/emu10k1_synth.c | 4 +-
2959 sound/synth/emux/emux_seq.c | 14 +-
2960 tools/gcc/.gitignore | 1 +
2961 tools/gcc/Makefile | 2 +
2962 tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++
2963 74 files changed, 1222 insertions(+), 390 deletions(-)
2964
2965commit 301f9fc40e1bed50d31034a192bc95874d5bf3b6
2966Author: Brad Spengler <spender@grsecurity.net>
2967Date: Sun Jan 19 09:00:56 2014 -0500
2968
2969 compile fix
2970
2971 Signed-off-by: Brad Spengler <spender@grsecurity.net>
2972
2973 include/linux/random.h | 4 ----
2974 include/uapi/linux/random.h | 7 +++++++
2975 2 files changed, 7 insertions(+), 4 deletions(-)
2976
2977commit b79910431008b8ce731d45aa3aecc75fe33c928c
2978Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
2979Date: Mon Nov 11 12:20:34 2013 +0100
2980
2981 Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9
2982
2983 random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized
2984
2985 The Tausworthe PRNG is initialized at late_initcall time. At that time the
2986 entropy pool serving get_random_bytes is not filled sufficiently. This
2987 patch adds an additional reseeding step as soon as the nonblocking pool
2988 gets marked as initialized.
2989
2990 On some machines it might be possible that late_initcall gets called after
2991 the pool has been initialized. In this situation we won't reseed again.
2992
2993 (A call to prandom_seed_late blocks later invocations of early reseed
2994 attempts.)
2995
2996 Joint work with Daniel Borkmann.
2997
2998 Cc: Eric Dumazet <eric.dumazet@gmail.com>
2999 Cc: Theodore Ts'o <tytso@mit.edu>
3000 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
3001 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
3002 Acked-by: "Theodore Ts'o" <tytso@mit.edu>
3003 Signed-off-by: David S. Miller <davem@davemloft.net>
3004
3005 Conflicts:
3006
3007 lib/random32.c
3008 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3009
3010 drivers/char/random.c | 2 +-
3011 1 files changed, 1 insertions(+), 1 deletions(-)
3012
3013commit 31dee23268ac47eaaafacb186229bc14fb84fa9b
3014Author: Brad Spengler <spender@grsecurity.net>
3015Date: Sat Jan 18 20:43:43 2014 -0500
3016
3017 Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls
3018
3019 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3020
3021 net/socket.c | 4 ++--
3022 1 files changed, 2 insertions(+), 2 deletions(-)
3023
3024commit ffccf022adef560230b6a641c612f33600ce0e6b
3025Author: Brad Spengler <spender@grsecurity.net>
3026Date: Wed Jan 8 20:24:27 2014 -0500
3027
3028 zeroing out btime from /proc/stat breaks ps aux, it's the seconds of uptime for the system, information which is also available elsewhere (/proc/uptime), so there's no reason to limit it
3029
3030 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3031
3032 fs/proc/stat.c | 4 +---
3033 1 files changed, 1 insertions(+), 3 deletions(-)
3034
3035commit a96a6e3b96ffa8c96fa3939c109dc783de2110e0
3036Author: Brad Spengler <spender@grsecurity.net>
3037Date: Wed Jan 8 18:13:15 2014 -0500
3038
3039 fix typo
3040
3041 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3042
3043 mm/vmstat.c | 2 +-
3044 1 files changed, 1 insertions(+), 1 deletions(-)
3045
3046commit 4c084ac8468cdd4bbb8458fae4d0b6d2d1d5afd1
3047Author: Brad Spengler <spender@grsecurity.net>
3048Date: Wed Jan 8 18:06:53 2014 -0500
3049
3050 provide a zeroed out /proc/vmstat to unprivileged users instead of denied access, some poorly-written desktop apps bail out completely when it can't be opened
3051
3052 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3053
3054 mm/vmstat.c | 21 +++++++++++++++------
3055 1 files changed, 15 insertions(+), 6 deletions(-)
3056
3057commit e0d003dfd4911828f08fa93da2138c9f3be4f352
3058Author: Brad Spengler <spender@grsecurity.net>
3059Date: Wed Jan 8 17:46:46 2014 -0500
3060
3061 back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers
3062
3063 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3064
3065 drivers/pci/pci-sysfs.c | 9 ---------
3066 drivers/pci/proc.c | 3 ---
3067 2 files changed, 0 insertions(+), 12 deletions(-)
3068
3069commit 0a0823fe85e85b9ad92131a35fe57e9aebc30260
3070Author: Brad Spengler <spender@grsecurity.net>
3071Date: Thu Jan 2 17:05:39 2014 -0500
3072
3073 add missing #include
3074
3075 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3076
3077 fs/proc/stat.c | 1 +
3078 1 files changed, 1 insertions(+), 0 deletions(-)
3079
3080commit 867c7a59c12374d99c59b9c99a1bf8214583baad
3081Author: Brad Spengler <spender@grsecurity.net>
3082Date: Thu Jan 2 17:02:24 2014 -0500
3083
3084 Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc)
3085
3086 Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0
3087 checks currently
3088
3089 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3090
3091 drivers/pci/pci-sysfs.c | 17 +++++++----------
3092 drivers/pci/proc.c | 13 ++-----------
3093 drivers/pci/syscall.c | 4 ----
3094 3 files changed, 9 insertions(+), 25 deletions(-)
3095
3096commit e9075cc0c4bab695e2eea8e8ba8f8acfa3cef2ed
3097Author: Brad Spengler <spender@grsecurity.net>
3098Date: Tue Dec 31 10:30:20 2013 -0500
3099
3100 Resolve compatibility with libgtop and recent restriction of /proc/stat, reported by KacKurx. We now provide a properly-formatted but zeroed /proc/stat instead of denying unpriv access to the entry
3101
3102 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3103
3104 fs/proc/stat.c | 34 ++++++++++++++++++++++++----------
3105 1 files changed, 24 insertions(+), 10 deletions(-)
3106
3107commit 7a559ce128070d9d79bf4490a258dba677fa741e
3108Author: Brad Spengler <spender@grsecurity.net>
3109Date: Mon Dec 30 11:19:53 2013 -0500
3110
3111 Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy Kulikov: http://www.openwall.com/lists/kernel-hardening/2011/11/07/1
3112
3113 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3114
3115 fs/proc/interrupts.c | 4 ++++
3116 fs/proc/stat.c | 4 ++++
3117 2 files changed, 8 insertions(+), 0 deletions(-)
3118
3119commit 3898c8157466ff87ef613785f207c019ba8174cb
3120Author: Brad Spengler <spender@grsecurity.net>
3121Date: Mon Dec 30 11:13:49 2013 -0500
3122
3123 Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information.
3124
3125 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3126
3127 grsecurity/Kconfig | 16 ++++++++++------
3128 grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++---
3129 include/linux/grmsg.h | 2 +-
3130 ipc/util.c | 3 ++-
3131 4 files changed, 42 insertions(+), 11 deletions(-)
3132
3133commit 2a5eb70e0981fd24168be9e5d1c30735a922edca
3134Author: Brad Spengler <spender@grsecurity.net>
3135Date: Thu Dec 26 19:20:26 2013 -0500
3136
3137 add missing #include
3138
3139 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3140
3141 grsecurity/grsec_mount.c | 1 +
3142 1 files changed, 1 insertions(+), 0 deletions(-)
3143
3144commit 7d66c996e754d41be945e7a2997b364643a13977
3145Author: Brad Spengler <spender@grsecurity.net>
3146Date: Thu Dec 26 15:51:51 2013 -0500
3147
3148 Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM
3149
3150 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3151
3152 grsecurity/Kconfig | 7 ++++++-
3153 1 files changed, 6 insertions(+), 1 deletions(-)
3154
3155commit bc9b4fe1db97c913b2c1163a90805c52c0f0df65
3156Author: Brad Spengler <spender@grsecurity.net>
3157Date: Thu Dec 26 15:35:31 2013 -0500
3158
3159 Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig).
3160
3161 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3162
3163 grsecurity/gracl.c | 2 +-
3164 grsecurity/grsec_mount.c | 4 +++-
3165 2 files changed, 4 insertions(+), 2 deletions(-)
3166
3167commit 2b5ad27e4a323648a0db99a9fa3f27b042dd70f0
3168Author: Brad Spengler <spender@grsecurity.net>
3169Date: Wed Dec 25 16:37:02 2013 -0500
3170
3171 Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532
3172
3173 Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not
3174 the other way around (to produce more secure settings when distro
3175 configs are used as a base)
3176
3177 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3178
3179 drivers/acpi/custom_method.c | 4 ++++
3180 drivers/pci/pci-sysfs.c | 12 ++++++++++++
3181 drivers/pci/proc.c | 12 ++++++++++++
3182 drivers/pci/syscall.c | 4 ++++
3183 drivers/platform/x86/asus-wmi.c | 12 ++++++++++++
3184 kernel/power/Kconfig | 2 ++
3185 security/Kconfig | 1 -
3186 7 files changed, 46 insertions(+), 1 deletions(-)
3187
3188commit c70c49f956beb3d785ca20466c4e5c1d84d7356b
3189Author: Brad Spengler <spender@grsecurity.net>
3190Date: Wed Dec 25 15:11:51 2013 -0500
3191
3192 remove unused 'dentry' variable
3193
3194 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3195
3196 fs/xattr.c | 1 -
3197 1 files changed, 0 insertions(+), 1 deletions(-)
3198
3199commit cb20fb467591aa2a85a8c12a1bc215a01ed75b18
3200Author: Brad Spengler <spender@grsecurity.net>
3201Date: Wed Dec 25 15:03:13 2013 -0500
3202
3203 Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use.
3204
3205 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3206
3207 fs/xattr.c | 18 +++++++++++-------
3208 grsecurity/gracl_fs.c | 6 ++++++
3209 grsecurity/grsec_disabled.c | 6 ++++++
3210 include/linux/grmsg.h | 3 ++-
3211 include/linux/grsecurity.h | 2 ++
3212 5 files changed, 27 insertions(+), 8 deletions(-)
3213
3214commit 482ec0da63b38a9c20cc2205bc7ea87a3985d164
3215Author: Brad Spengler <spender@grsecurity.net>
3216Date: Fri Dec 20 20:18:56 2013 -0500
3217
3218 compile fix
3219
3220 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3221
3222 fs/stat.c | 1 +
3223 1 files changed, 1 insertions(+), 0 deletions(-)
3224
3225commit 038cc5994b483905c9c0b9e6259a84f7333becc2
3226Author: Brad Spengler <spender@grsecurity.net>
3227Date: Fri Dec 13 19:39:54 2013 -0500
3228
3229 Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy)
3230
3231 In practice this causes bogus auditing messages for / and could potentially
3232 cause a subject without executable shared memory support to permit executable
3233 shared memory (if PaX is disabled on the binary).
3234
3235 Instead just allocate these two special objects with kzalloc at enable time
3236 and free them at disable time.
3237
3238 Thanks to nyt@countercultured.net for the report
3239
3240 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3241
3242 grsecurity/gracl_policy.c | 9 +++++++--
3243 1 files changed, 7 insertions(+), 2 deletions(-)
3244
3245commit b67b5e4666934693bb1fc4804ca60724f98a54d7
3246Author: Brad Spengler <spender@grsecurity.net>
3247Date: Wed Dec 4 18:15:02 2013 -0500
3248
3249 Don't duplicate __get_dumpable, also make sure we check against SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing detection when suid_dumpable was set to 2
3250
3251 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3252
3253 fs/coredump.c | 7 +++++--
3254 grsecurity/grsec_sig.c | 14 ++------------
3255 include/linux/grsecurity.h | 2 +-
3256 3 files changed, 8 insertions(+), 15 deletions(-)
3257
3258commit ad3f9d56b43c4c448d5ba55d4e073e66a59898d7
3259Author: Brad Spengler <spender@grsecurity.net>
3260Date: Tue Dec 3 19:39:04 2013 -0500
3261
3262 Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 The previous info was many years outdated.
3263
3264 Disable KEXEC when GRKERNSEC_KMEM is enabled:
3265 http://mjg59.dreamwidth.org/28746.html
3266
3267 Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning
3268 -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present
3269
3270 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3271
3272 arch/arm/Kconfig | 1 +
3273 arch/ia64/Kconfig | 1 +
3274 arch/mips/Kconfig | 1 +
3275 arch/powerpc/Kconfig | 1 +
3276 arch/tile/Kconfig | 1 +
3277 arch/x86/Kconfig | 1 +
3278 arch/x86/kernel/ioport.c | 12 ++++++------
3279 grsecurity/Kconfig | 27 +++++++++++----------------
3280 8 files changed, 23 insertions(+), 22 deletions(-)
3281
3282commit 7044221d2d6e8d8e8fa26d5c30c72bd6e1d9b599
3283Author: Brad Spengler <spender@grsecurity.net>
3284Date: Tue Nov 26 15:16:48 2013 -0500
3285
3286 Fix null deref on application of the shutdown role, reported by zakalwe
3287
3288 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3289
3290 grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++-
3291 grsecurity/gracl_policy.c | 58 ++++-----------------------------------------
3292 2 files changed, 62 insertions(+), 54 deletions(-)
3293
3294commit 1f894d3a1357fa9c7b2f849079546115fc797fd8
3295Author: Brad Spengler <spender@grsecurity.net>
3296Date: Tue Nov 26 13:04:07 2013 -0500
3297
3298 Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root
3299
3300 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3301
3302 kernel/kmod.c | 5 +++--
3303 1 files changed, 3 insertions(+), 2 deletions(-)
3304
3305commit aa561a3ad4b30e8c03837ff96bbcd868e363cb21
3306Author: Brad Spengler <spender@grsecurity.net>
3307Date: Tue Nov 26 12:59:00 2013 -0500
3308
3309 Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe
3310
3311 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3312
3313 grsecurity/gracl_policy.c | 2 +-
3314 1 files changed, 1 insertions(+), 1 deletions(-)
3315
3316commit b031d4f071e25462e94f742166b0ea6b8874dae4
3317Author: Brad Spengler <spender@grsecurity.net>
3318Date: Mon Nov 25 22:33:33 2013 -0500
3319
3320 compile fix
3321
3322 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3323
3324 kernel/kmod.c | 2 +-
3325 1 files changed, 1 insertions(+), 1 deletions(-)
3326
3327commit 00a30755e85c7dbfd1042a0f4c5d911e288c8cc9
3328Author: Brad Spengler <spender@grsecurity.net>
3329Date: Mon Nov 25 12:01:21 2013 -0500
3330
3331 Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity
3332
3333 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3334
3335 kernel/kmod.c | 4 ++--
3336 1 files changed, 2 insertions(+), 2 deletions(-)
3337
3338commit 7177ab477fcc5d670718dafba3f6a454ed2e121e
3339Author: Brad Spengler <spender@grsecurity.net>
3340Date: Sun Nov 24 22:49:05 2013 -0500
3341
3342 Revert "HID: multitouch: validate feature report details"
3343
3344 This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684.
3345
3346 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3347
3348 drivers/hid/hid-multitouch.c | 25 +++++--------------------
3349 1 files changed, 5 insertions(+), 20 deletions(-)
3350
3351commit f0d33fb85de097278d1ae605c3d98fc99b578d56
3352Author: Brad Spengler <spender@grsecurity.net>
3353Date: Sun Nov 24 22:48:49 2013 -0500
3354
3355 Revert "HID: lenovo-tpkbd: validate output report details"
3356
3357 This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a.
3358
3359 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3360
3361 drivers/hid/hid-lenovo-tpkbd.c | 5 -----
3362 1 files changed, 0 insertions(+), 5 deletions(-)
3363
3364commit 0c2a1258705b5c90732c2895664965da6a16bebc
3365Author: Brad Spengler <spender@grsecurity.net>
3366Date: Sun Nov 24 22:48:33 2013 -0500
3367
3368 Revert "HID: steelseries: validate output report details"
3369
3370 This reverts commit 0996966348dc3c3f7515567d3245292785d484fc.
3371
3372 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3373
3374 drivers/hid/hid-steelseries.c | 5 -----
3375 1 files changed, 0 insertions(+), 5 deletions(-)
3376
3377commit b17b436bd1781a43866931ce6b6ba2811882ade5
3378Author: Brad Spengler <spender@grsecurity.net>
3379Date: Sun Nov 24 22:08:33 2013 -0500
3380
3381 add missing header
3382
3383 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3384
3385 fs/proc/proc_sysctl.c | 3 +++
3386 1 files changed, 3 insertions(+), 0 deletions(-)
3387
3388commit 45eefce5c5dc37368ed21d2b22a2d15973b7c06b
3389Author: Brad Spengler <spender@grsecurity.net>
3390Date: Sun Nov 24 22:04:55 2013 -0500
3391
3392 Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace
3393
3394 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3395
3396 fs/proc/proc_sysctl.c | 2 +-
3397 1 files changed, 1 insertions(+), 1 deletions(-)
3398
3399commit 804611c10dcd6e9486cf374fcbfb2053a80f918d
3400Author: Brad Spengler <spender@grsecurity.net>
3401Date: Sun Nov 24 17:50:21 2013 -0500
3402
3403 remove unnecessary code/comments after new reload method
3404
3405 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3406
3407 grsecurity/gracl.c | 4 ----
3408 grsecurity/gracl_policy.c | 13 -------------
3409 2 files changed, 0 insertions(+), 17 deletions(-)
3410
3411commit 4aeb0dc39f03db1c2c55ebc0cb7797289948a872
3412Author: Brad Spengler <spender@grsecurity.net>
3413Date: Sun Nov 24 16:05:01 2013 -0500
3414
3415 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then)
3416
3417 Introduce new atomic RBAC reload method, developed as part of sponsorship
3418 by EIG
3419
3420 This is accompanied by an updated 3.0 gradm which will use the new reload
3421 method when -R is passed to gradm. The old method will still be available
3422 via gradm -r (which is what a 2.9.1 gradm will continue to use).
3423
3424 The new RBAC reload method is atomic in the sense that at no point in the
3425 reload process will the system not be covered by a coherent full policy.
3426 In contrast to previous reload behavior, it also preserves inherited subjects
3427 and special roles.
3428
3429 The old RBAC reload method has also been made atomic. Both methods have
3430 been updated to perform role_allowed_ip checks only against the IP tagged
3431 to the task at the time its role was first applied or changed. This resolves
3432 long-standing usability problems with the use of role_allowed_ip and matches
3433 the policies created by learning.
3434
3435 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3436
3437 grsecurity/Makefile | 2 +-
3438 grsecurity/gracl.c | 3903 +++++++++++++------------------------------
3439 grsecurity/gracl_alloc.c | 42 +-
3440 grsecurity/gracl_compat.c | 3 +-
3441 grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++
3442 grsecurity/gracl_segv.c | 12 +-
3443 grsecurity/grsec_disabled.c | 7 -
3444 grsecurity/grsec_init.c | 15 -
3445 include/linux/gracl.h | 43 +-
3446 include/linux/grinternal.h | 1 -
3447 include/linux/grsecurity.h | 1 -
3448 include/linux/sched.h | 2 +
3449 12 files changed, 3082 insertions(+), 2787 deletions(-)
3450
3451commit cdfd01e44815f0e0cb700b5597b3b2eb44352903
3452Author: Brad Spengler <spender@grsecurity.net>
3453Date: Sun Nov 24 15:08:28 2013 -0500
3454
3455 compile fix for recent GRKERNSEC_CHROOT_INITRD change
3456
3457 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3458
3459 init/main.c | 8 +++-----
3460 1 files changed, 3 insertions(+), 5 deletions(-)
3461
3462commit 3ac09de20b5b3967c77a59ed064cd05e607ecca8
3463Author: Brad Spengler <spender@grsecurity.net>
3464Date: Sat Nov 23 18:27:37 2013 -0500
3465
3466 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path
3467
3468 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3469
3470 include/linux/kmod.h | 3 +++
3471 kernel/kmod.c | 13 +++++++++++++
3472 2 files changed, 16 insertions(+), 0 deletions(-)
3473
3474commit 7fc979f0a8ffdc501b57e0c9c8b5251b8458d98e
3475Author: Brad Spengler <spender@grsecurity.net>
3476Date: Sat Nov 23 17:20:15 2013 -0500
3477
3478 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention.
3479
3480 Reported by acez on IRC
3481
3482 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3483
3484 arch/arm/mm/fault.c | 11 ++++++++---
3485 1 files changed, 8 insertions(+), 3 deletions(-)
3486
3487commit 9b5ffb45694e2381a73275b029d1cde3ba090555
3488Author: Brad Spengler <spender@grsecurity.net>
3489Date: Sat Nov 23 16:56:46 2013 -0500
3490
3491 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically.
3492
3493 Conflicts:
3494
3495 init/main.c
3496
3497 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3498
3499 grsecurity/Kconfig | 2 +-
3500 grsecurity/grsec_chroot.c | 2 +-
3501 init/main.c | 15 +++++++++++++++
3502 3 files changed, 17 insertions(+), 2 deletions(-)
3503
3504commit 71ea2cc2fb940a4eaa6a4f6e5084efc91197bed1
3505Author: Brad Spengler <spender@grsecurity.net>
3506Date: Sat Nov 23 16:33:20 2013 -0500
3507
3508 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
3509
3510 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3511
3512 kernel/kmod.c | 8 ++++++++
3513 1 files changed, 8 insertions(+), 0 deletions(-)
3514
3515commit 36895fdbcf3b528221475a894076611c6340bc6f
3516Author: Brad Spengler <spender@grsecurity.net>
3517Date: Sat Nov 23 16:02:01 2013 -0500
3518
3519 perform USERCOPY kernel text checks against the linear mapping on amd64 as well
3520
3521 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3522
3523 fs/exec.c | 8 ++++++++
3524 1 files changed, 8 insertions(+), 0 deletions(-)
3525
3526commit 47474491a88a18956b3c23a0f8ea5a793aeaaf0b
3527Author: Brad Spengler <spender@grsecurity.net>
3528Date: Fri Nov 22 20:31:37 2013 -0500
3529
3530 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
3531
3532 This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
3533
3534 It caused errors with traceroute, reported to upstream and fixed with
3535 http://patchwork.ozlabs.org/patch/293614/
3536 But there's no reason for us to maintain this backport as we're
3537 already impervious to recvmsg/msg_name infoleaks
3538
3539 Conflicts:
3540
3541 net/ipv4/ping.c
3542
3543 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3544
3545 net/ieee802154/dgram.c | 3 ++-
3546 net/ipv4/ping.c | 11 +++++++++--
3547 net/ipv4/raw.c | 4 +++-
3548 net/ipv4/udp.c | 7 ++++++-
3549 net/ipv6/raw.c | 4 +++-
3550 net/ipv6/udp.c | 5 ++++-
3551 net/l2tp/l2tp_ip.c | 4 +++-
3552 net/phonet/datagram.c | 9 +++++----
3553 8 files changed, 35 insertions(+), 12 deletions(-)
3554
3555commit 8aeb360164c3165b8d843b90776f92748cb0826f
3556Author: Brad Spengler <spender@grsecurity.net>
3557Date: Thu Nov 14 20:15:51 2013 -0500
3558
3559 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
3560
3561 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3562
3563 grsecurity/Kconfig | 1 +
3564 1 files changed, 1 insertions(+), 0 deletions(-)
3565
3566commit 65982aa12f534a722a92dd211e9b2461cac099cd
3567Author: Brad Spengler <spender@grsecurity.net>
3568Date: Thu Nov 14 19:07:11 2013 -0500
3569
3570 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows
3571
3572 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3573
3574 arch/arm/mm/Kconfig | 2 +-
3575 1 files changed, 1 insertions(+), 1 deletions(-)
3576
3577commit c07ac5819bfcbb29fe75896f409517acc95f09d0
3578Author: Brad Spengler <spender@grsecurity.net>
3579Date: Thu Nov 14 19:01:59 2013 -0500
3580
3581 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
3582
3583 Will let this sit in -test for a while to weed out any app incompatibilities
3584
3585 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3586
3587 grsecurity/Kconfig | 17 +++++++++++++++++
3588 grsecurity/Makefile | 2 +-
3589 grsecurity/grsec_init.c | 4 ++++
3590 grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
3591 grsecurity/grsec_sysctl.c | 9 +++++++++
3592 include/linux/grinternal.h | 1 +
3593 include/linux/grmsg.h | 1 +
3594 ipc/util.c | 5 +++++
3595 8 files changed, 60 insertions(+), 1 deletions(-)
3596
3597commit 7a03cf3e714a075ce6d1b1c4e2cbe269968c32d9
3598Author: Brad Spengler <spender@grsecurity.net>
3599Date: Mon Nov 11 10:48:10 2013 -0500
3600
3601 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c
3602
3603 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3604
3605 drivers/video/arcfb.c | 2 +-
3606 1 files changed, 1 insertions(+), 1 deletions(-)
3607
3608commit 1822dec9af44fef43a2092fbb98d986d40688e92
3609Author: Brad Spengler <spender@grsecurity.net>
3610Date: Sun Nov 10 22:01:33 2013 -0500
3611
3612 Add missing include
3613
3614 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3615
3616 fs/proc/proc_sysctl.c | 1 +
3617 1 files changed, 1 insertions(+), 0 deletions(-)
3618
3619commit 252aafc936113beb2c4b654c51ca4f69e34e7ece
3620Author: Brad Spengler <spender@grsecurity.net>
3621Date: Sun Nov 10 17:50:12 2013 -0500
3622
3623 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND
3624
3625 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3626
3627 arch/arm/mm/Kconfig | 2 +-
3628 grsecurity/Kconfig | 14 ++++++++++++++
3629 2 files changed, 15 insertions(+), 1 deletions(-)
3630
3631commit d91a8c0aac4fd7d52d861fa389d094b0dbe69d8b
3632Author: Brad Spengler <spender@grsecurity.net>
3633Date: Sun Nov 10 15:19:27 2013 -0500
3634
3635 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr.
3636
3637 Thanks to acez from IRC for debugging.
3638
3639 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3640
3641 mm/Kconfig | 1 +
3642 1 files changed, 1 insertions(+), 0 deletions(-)
3643
3644commit 521a19248a7f3ae875854835be586208d7e94362
3645Author: Brad Spengler <spender@grsecurity.net>
3646Date: Sun Nov 10 13:54:25 2013 -0500
3647
3648 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own
3649
3650 This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
3651 networking
3652
3653 Thanks to ncopa from IRC for testing
3654
3655 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3656
3657 fs/proc/proc_sysctl.c | 9 +++++++--
3658 1 files changed, 7 insertions(+), 2 deletions(-)
3659
3660commit 88abc9f686cef116d741924e96c8264c6feeb280
3661Author: Brad Spengler <spender@grsecurity.net>
3662Date: Wed Nov 6 16:23:36 2013 -0500
3663
3664 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
3665
3666 Conflicts:
3667
3668 security/Kconfig
3669
3670 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3671
3672 security/Kconfig | 1 +
3673 1 files changed, 1 insertions(+), 0 deletions(-)
3674
3675commit ca2e0bc771e1868a1b993013d725ab602d8e0454
3676Author: Brad Spengler <spender@grsecurity.net>
3677Date: Wed Nov 6 16:19:21 2013 -0500
3678
3679 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence
3680
3681 Conflicts:
3682
3683 lib/list_debug.c
3684
3685 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3686
3687 lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
3688 1 files changed, 42 insertions(+), 23 deletions(-)
3689
3690commit 9f9fda5bdad944095d49943719343439cebceb34
3691Author: Linus Torvalds <torvalds@linux-foundation.org>
3692Date: Tue Oct 29 10:21:34 2013 -0700
3693
3694 Fixed a little differently than Linus...
3695
3696 Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
3697
3698 Fix a few incorrectly checked [io_]remap_pfn_range() calls
3699
3700 Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
3701 really should use the vm_iomap_memory() helper. This trivially converts
3702 two of them to the helper, and comments about why the third one really
3703 needs to continue to use remap_pfn_range(), and adds the missing size
3704 check.
3705
3706 Reported-by: Nico Golde <nico@ngolde.de>
3707 Cc: stable@kernel.org
3708 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
3709
3710 Conflicts:
3711
3712 drivers/uio/uio.c
3713 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3714
3715 drivers/uio/uio.c | 6 +++++-
3716 1 files changed, 5 insertions(+), 1 deletions(-)
3717
3718commit 0f332bf501f3c2035c63fc3e58f07be9cc96924b
3719Author: Brad Spengler <spender@grsecurity.net>
3720Date: Fri Sep 27 21:06:17 2013 -0400
3721
3722 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change
3723
3724 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3725
3726 grsecurity/gracl_ip.c | 7 +++----
3727 net/socket.c | 26 +++++++++++++++-----------
3728 2 files changed, 18 insertions(+), 15 deletions(-)
3729
3730commit d6aeef5cb3bbaa011f74eb38133043965302cc32
3731Author: Brad Spengler <spender@grsecurity.net>
3732Date: Sun Sep 22 18:14:07 2013 -0400
3733
3734 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
3735
3736 This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
3737
3738 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3739
3740 net/netlink/genetlink.c | 7 -------
3741 1 files changed, 0 insertions(+), 7 deletions(-)
3742
3743commit 02b18c56607ff93f00659ee100517bba70972aca
3744Author: Brad Spengler <spender@grsecurity.net>
3745Date: Sun Sep 15 09:19:21 2013 -0400
3746
3747 remove unnecessary check from when protocol was signed
3748
3749 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3750
3751 net/phonet/af_phonet.c | 2 +-
3752 1 files changed, 1 insertions(+), 1 deletions(-)
3753
3754commit c8991fc98b032a2338b9fda708d2dad227fbcd83
3755Author: Brad Spengler <spender@grsecurity.net>
3756Date: Sat Sep 14 21:12:45 2013 -0400
3757
3758 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
3759
3760 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3761
3762 lib/Kconfig.debug | 2 +-
3763 1 files changed, 1 insertions(+), 1 deletions(-)
3764
3765commit c63230b915355cea2649fac21c9469a8c3f88876
3766Author: Brad Spengler <spender@grsecurity.net>
3767Date: Sat Sep 14 19:16:48 2013 -0400
3768
3769 Fix a bad git merge, re-applied a previously reverted patch
3770
3771 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3772
3773 arch/x86/include/asm/processor.h | 4 ++--
3774 arch/x86/kernel/cpu/common.c | 2 +-
3775 arch/x86/kernel/process_64.c | 2 +-
3776 arch/x86/kernel/smpboot.c | 2 +-
3777 arch/x86/xen/smp.c | 2 +-
3778 5 files changed, 6 insertions(+), 6 deletions(-)
3779
3780commit 0dcfe7e8eac4751d2bbabc48fb63a0118bb353eb
3781Author: Brad Spengler <spender@grsecurity.net>
3782Date: Sat Sep 14 16:56:37 2013 -0400
3783
3784 finish porting namei.c
3785
3786 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3787
3788 fs/namei.c | 12 +++++++++++-
3789 1 files changed, 11 insertions(+), 1 deletions(-)
3790
3791commit 89d5374f91319363bb79c916764c747f3229759c
3792Author: Brad Spengler <spender@grsecurity.net>
3793Date: Sat Sep 14 16:44:08 2013 -0400
3794
3795 cred->user -> current_user()
3796
3797 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3798
3799 fs/exec.c | 2 +-
3800 1 files changed, 1 insertions(+), 1 deletions(-)
3801
3802commit fefeb37bc66cf8e1b8c32a1f1e9776f6b701b245
3803Author: Brad Spengler <spender@grsecurity.net>
3804Date: Sat Sep 14 16:36:24 2013 -0400
3805
3806 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
3807
3808 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3809
3810 grsecurity/Kconfig | 3 ++-
3811 1 files changed, 2 insertions(+), 1 deletions(-)
3812
3813commit e4a184da44ae23ab3ee9e250d4bc38050e4a3533
3814Author: Brad Spengler <spender@grsecurity.net>
3815Date: Thu Sep 5 19:36:23 2013 -0400
3816
3817 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
3818
3819 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3820
3821 grsecurity/Kconfig | 3 ++-
3822 1 files changed, 2 insertions(+), 1 deletions(-)
3823
3824commit c96e77a4ec0b7045e4e3e8f6d33937c078a79cb6
3825Author: Brad Spengler <spender@grsecurity.net>
3826Date: Thu Sep 5 19:17:02 2013 -0400
3827
3828 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
3829
3830 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3831
3832 grsecurity/grsec_sysctl.c | 4 +---
3833 1 files changed, 1 insertions(+), 3 deletions(-)
3834
3835commit 600c8f5a6a7b57e4ecbb16d10eab3bdfae399299
3836Author: Brad Spengler <spender@grsecurity.net>
3837Date: Thu Sep 5 18:41:49 2013 -0400
3838
3839 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
3840
3841 Also eliminate reset_security_ops() as a ROP target when
3842 SECURITY_SELINUX_DISABLE is disabled as it's the only user
3843
3844 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3845
3846 grsecurity/Kconfig | 17 ++++++++++++++++-
3847 grsecurity/grsec_init.c | 3 +++
3848 grsecurity/grsec_sysctl.c | 2 +-
3849 3 files changed, 20 insertions(+), 2 deletions(-)
3850
3851commit 979cb67c276ef34486ed64bb58ed30020bc8a53f
3852Author: Brad Spengler <spender@grsecurity.net>
3853Date: Fri Aug 30 17:11:11 2013 -0400
3854
3855 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
3856
3857 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3858
3859 grsecurity/grsec_sysctl.c | 7 ++++---
3860 1 files changed, 4 insertions(+), 3 deletions(-)
3861
3862commit d259a636db5500db5e3ddacab82857db244bf46f
3863Author: Brad Spengler <spender@grsecurity.net>
3864Date: Wed Aug 28 20:42:39 2013 -0400
3865
3866 add export of gr_handle_new_usb()
3867
3868 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3869
3870 grsecurity/grsec_usb.c | 2 ++
3871 1 files changed, 2 insertions(+), 0 deletions(-)
3872
3873commit 73872d212f992833add967be12de9628941bdd5b
3874Author: Brad Spengler <spender@grsecurity.net>
3875Date: Wed Aug 28 19:24:47 2013 -0400
3876
3877 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
3878
3879 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3880
3881 drivers/usb/core/hub.c | 5 +++++
3882 grsecurity/Kconfig | 20 ++++++++++++++++++++
3883 grsecurity/Makefile | 3 ++-
3884 grsecurity/grsec_init.c | 1 +
3885 grsecurity/grsec_sysctl.c | 11 +++++++++++
3886 grsecurity/grsec_usb.c | 13 +++++++++++++
3887 include/linux/grinternal.h | 1 +
3888 include/linux/grsecurity.h | 2 ++
3889 8 files changed, 55 insertions(+), 1 deletions(-)
3890
3891commit 57a621395b231025d33da789f7593da0e9c591a4
3892Author: Kees Cook <keescook@chromium.org>
3893Date: Wed Aug 14 09:14:34 2013 -0700
3894
3895 HID: steelseries: validate output report details
3896
3897 A HID device could send a malicious output report that would cause the
3898 steelseries HID driver to write beyond the output report allocation
3899 during initialization, causing a heap overflow:
3900
3901 [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
3902 ...
3903 [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
3904
3905 CVE-2013-2891
3906
3907 Signed-off-by: Kees Cook <keescook@chromium.org>
3908 Cc: stable@kernel.org
3909 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3910
3911 drivers/hid/hid-steelseries.c | 5 +++++
3912 1 files changed, 5 insertions(+), 0 deletions(-)
3913
3914commit 6261da1c18366e4b2e0ff28781e0a769a2d31d1b
3915Author: Kees Cook <keescook@chromium.org>
3916Date: Thu Aug 15 23:21:23 2013 -0700
3917
3918 HID: lenovo-tpkbd: validate output report details
3919
3920 A HID device could send a malicious output report that would cause the
3921 lenovo-tpkbd HID driver to write just beyond the output report allocation
3922 during initialization, causing a heap overflow:
3923
3924 [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
3925 ...
3926 [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
3927
3928 CVE-2013-2894
3929
3930 Signed-off-by: Kees Cook <keescook@chromium.org>
3931 Cc: stable@kernel.org
3932 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3933
3934 drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
3935 1 files changed, 5 insertions(+), 0 deletions(-)
3936
3937commit 9a7678270debd6b7c14ed1e91fb502d73bfaee08
3938Author: Kees Cook <keescook@chromium.org>
3939Date: Fri Aug 16 00:11:32 2013 -0700
3940
3941 HID: multitouch: validate feature report details
3942
3943 When working on report indexes, always validate that they are in bounds.
3944 Without this, a HID device could report a malicious feature report that
3945 could trick the driver into a heap overflow:
3946
3947 [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
3948 ...
3949 [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
3950
3951 CVE-2013-2897
3952
3953 Signed-off-by: Kees Cook <keescook@chromium.org>
3954 Cc: stable@kernel.org
3955 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3956
3957 drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
3958 1 files changed, 20 insertions(+), 5 deletions(-)
3959
3960commit efb7731d700d5b4568871670ac0841a84f003029
3961Author: Brad Spengler <spender@grsecurity.net>
3962Date: Mon Aug 19 22:10:04 2013 -0400
3963
3964 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
3965
3966 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3967
3968 arch/x86/kernel/smpboot.c | 3 ---
3969 1 files changed, 0 insertions(+), 3 deletions(-)
3970
3971commit 3469d59da7f6bd0c5838764e5b06bad97193f628
3972Author: Brad Spengler <spender@grsecurity.net>
3973Date: Sat Aug 17 12:00:20 2013 -0400
3974
3975 make kallsyms_lookup_size_offset available to approved source files
3976
3977 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3978
3979 include/linux/kallsyms.h | 3 +++
3980 1 files changed, 3 insertions(+), 0 deletions(-)
3981
3982commit 03b91bfc983379670fd439b2b3fbec633ea6468d
3983Author: Brad Spengler <spender@grsecurity.net>
3984Date: Sat Aug 17 11:18:09 2013 -0400
3985
3986 allow use of kallsyms_lookup_name to approved source files
3987
3988 Signed-off-by: Brad Spengler <spender@grsecurity.net>
3989
3990 include/linux/kallsyms.h | 1 +
3991 1 files changed, 1 insertions(+), 0 deletions(-)
3992
3993commit 2e9828b85e2ab096affe9e8b52cd68d7a0d8839d
3994Author: Johannes Berg <johannes.berg@intel.com>
3995Date: Tue Aug 13 09:04:05 2013 +0200
3996
3997 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
3998
3999 genetlink: fix family dump race
4000
4001 When dumping generic netlink families, only the first dump call
4002 is locked with genl_lock(), which protects the list of families,
4003 and thus subsequent calls can access the data without locking,
4004 racing against family addition/removal. This can cause a crash.
4005 Fix it - the locking needs to be conditional because the first
4006 time around it's already locked.
4007
4008 A similar bug was reported to me on an old kernel (3.4.47) but
4009 the exact scenario that happened there is no longer possible,
4010 on those kernels the first round wasn't locked either. Looking
4011 at the current code I found the race described above, which had
4012 also existed on the old kernel.
4013
4014 Cc: stable@vger.kernel.org
4015 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
4016 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
4017 Signed-off-by: David S. Miller <davem@davemloft.net>
4018 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4019
4020 net/netlink/genetlink.c | 7 +++++++
4021 1 files changed, 7 insertions(+), 0 deletions(-)
4022
4023commit aeddd9080b145f520dfdba52e07ffe7ac5c2940a
4024Author: Brad Spengler <spender@grsecurity.net>
4025Date: Sat Aug 17 08:58:34 2013 -0400
4026
4027 Fix two harmless compiler warnings
4028
4029 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4030
4031 arch/arm/kernel/process.c | 4 ++--
4032 fs/exec.c | 2 +-
4033 2 files changed, 3 insertions(+), 3 deletions(-)
4034
4035commit 8953b010e785f55d35e96de6d7913b7e6791d9f9
4036Author: Brad Spengler <spender@grsecurity.net>
4037Date: Fri Aug 16 22:46:01 2013 -0400
4038
4039 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
4040
4041 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4042
4043 include/linux/kallsyms.h | 2 +-
4044 kernel/kprobes.c | 3 +++
4045 2 files changed, 4 insertions(+), 1 deletions(-)
4046
4047commit 346b6fb51f351bc8a2e52c158794c863b88c730b
4048Author: Brad Spengler <spender@grsecurity.net>
4049Date: Sat Aug 10 09:41:40 2013 -0400
4050
4051 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
4052
4053 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4054
4055 arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
4056 1 files changed, 8 insertions(+), 4 deletions(-)
4057
4058commit 5a95c583a8e74e8b980ae810c3755d7490f9f208
4059Author: Brad Spengler <spender@grsecurity.net>
4060Date: Mon Aug 5 17:58:42 2013 -0400
4061
4062 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
4063
4064 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4065
4066 security/Kconfig | 2 +-
4067 1 files changed, 1 insertions(+), 1 deletions(-)
4068
4069commit be64e6e8a615622f5c8b8feefdbae24dfe1eb13a
4070Author: Brad Spengler <spender@grsecurity.net>
4071Date: Mon Aug 5 17:26:40 2013 -0400
4072
4073 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
4074
4075 Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
4076 user namespaces!
4077
4078 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4079
4080 kernel/fork.c | 17 -----------------
4081 kernel/user_namespace.c | 15 +++++++++++++++
4082 2 files changed, 15 insertions(+), 17 deletions(-)
4083
4084commit bf41ff82977f5629d76e58b4eec76e78b6e0794c
4085Author: Brad Spengler <spender@grsecurity.net>
4086Date: Mon Aug 5 16:05:41 2013 -0400
4087
4088 silence a warning on older gcc
4089
4090 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4091
4092 grsecurity/gracl.c | 2 +-
4093 1 files changed, 1 insertions(+), 1 deletions(-)
4094
4095commit 80c4d845fa846426a226c1807310670fdc3f4fb9
4096Author: Brad Spengler <spender@grsecurity.net>
4097Date: Sat Aug 3 08:31:08 2013 -0400
4098
4099 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
4100
4101 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4102
4103 mm/mmap.c | 2 +-
4104 1 files changed, 1 insertions(+), 1 deletions(-)
4105
4106commit 29f82c7cc74a11260863cea855cb7bb7b79506db
4107Author: Brad Spengler <spender@grsecurity.net>
4108Date: Fri Aug 2 23:54:51 2013 -0400
4109
4110 add include
4111
4112 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4113
4114 grsecurity/grsec_log.c | 1 +
4115 1 files changed, 1 insertions(+), 0 deletions(-)
4116
4117commit b313d3d863fe87ecf4f79f61e9670955df66685e
4118Author: Brad Spengler <spender@grsecurity.net>
4119Date: Fri Aug 2 23:49:13 2013 -0400
4120
4121 fix compilation
4122
4123 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4124
4125 include/linux/grinternal.h | 3 ++-
4126 1 files changed, 2 insertions(+), 1 deletions(-)
4127
4128commit e0b580d61744ac72ba2275fb5211de2bfc570058
4129Author: Brad Spengler <spender@grsecurity.net>
4130Date: Fri Aug 2 23:34:35 2013 -0400
4131
4132 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
4133
4134 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4135
4136 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
4137 fs/exec.c | 4 ++++
4138 grsecurity/Kconfig | 21 +++++----------------
4139 grsecurity/grsec_init.c | 4 ----
4140 grsecurity/grsec_log.c | 14 ++++++++++++++
4141 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
4142 grsecurity/grsec_sysctl.c | 9 ---------
4143 include/linux/binfmts.h | 1 +
4144 include/linux/grinternal.h | 2 +-
4145 include/linux/grmsg.h | 3 ++-
4146 include/linux/grsecurity.h | 3 ++-
4147 mm/mmap.c | 7 +++++++
4148 mm/mprotect.c | 2 +-
4149 13 files changed, 88 insertions(+), 38 deletions(-)
4150
4151commit 2860f00640ffc0745e102fc8eea1b4787747a34f
4152Author: Brad Spengler <spender@grsecurity.net>
4153Date: Thu Aug 1 18:52:02 2013 -0400
4154
4155 add missing #define
4156
4157 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4158
4159 grsecurity/gracl.c | 1 +
4160 1 files changed, 1 insertions(+), 0 deletions(-)
4161
4162commit 271a28185b48e1c659c497837e26350f0b98b56b
4163Author: Brad Spengler <spender@grsecurity.net>
4164Date: Thu Aug 1 18:43:53 2013 -0400
4165
4166 fix compilation for !COMPAT as reported on the forums
4167
4168 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4169
4170 grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
4171 1 files changed, 97 insertions(+), 98 deletions(-)
4172
4173commit c7b8b1a6d33fb9f2f33b6661d98ccf034bc4fa88
4174Author: Brad Spengler <spender@grsecurity.net>
4175Date: Wed Jul 31 17:47:20 2013 -0400
4176
4177 Revert "revert recent PaX change that causes boot failures with 32bit userland"
4178
4179 This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
4180
4181 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4182
4183 arch/x86/include/asm/processor.h | 4 ++--
4184 arch/x86/kernel/cpu/common.c | 2 +-
4185 arch/x86/kernel/process_64.c | 2 +-
4186 arch/x86/kernel/smpboot.c | 2 +-
4187 arch/x86/xen/smp.c | 2 +-
4188 5 files changed, 6 insertions(+), 6 deletions(-)
4189
4190commit 506d84be8c4e9db0b655d3f6da2cec92482b610f
4191Author: Brad Spengler <spender@grsecurity.net>
4192Date: Wed Jul 31 16:26:58 2013 -0400
4193
4194 compile fix for !COMPAT as mentioned on forums
4195
4196 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4197
4198 grsecurity/gracl.c | 2 ++
4199 1 files changed, 2 insertions(+), 0 deletions(-)
4200
4201commit 7b7d053d1c9209c6810ee0e82d902d633df55114
4202Author: Brad Spengler <spender@grsecurity.net>
4203Date: Tue Jul 30 22:33:14 2013 -0400
4204
4205 perform compat conversion of rlimit infinity
4206
4207 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4208
4209 grsecurity/gracl_compat.c | 10 ++++++++--
4210 1 files changed, 8 insertions(+), 2 deletions(-)
4211
4212commit f9503913fa6c0b461e5a6c991eb04b8e369e0dd2
4213Author: Brad Spengler <spender@grsecurity.net>
4214Date: Tue Jul 30 22:21:40 2013 -0400
4215
4216 remove debugging
4217
4218 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4219
4220 grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
4221 1 files changed, 11 insertions(+), 33 deletions(-)
4222
4223commit 4d203a112c51248189db81e89926ed2ccbbf3727
4224Author: Brad Spengler <spender@grsecurity.net>
4225Date: Tue Jul 30 22:20:32 2013 -0400
4226
4227 eliminate compat_dev_t
4228
4229 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4230
4231 include/linux/gracl_compat.h | 4 ++--
4232 1 files changed, 2 insertions(+), 2 deletions(-)
4233
4234commit 98cc5ab35c0f012765475db240189e0d72e9e936
4235Author: Brad Spengler <spender@grsecurity.net>
4236Date: Tue Jul 30 22:13:22 2013 -0400
4237
4238 fix compat rlimit size
4239
4240 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4241
4242 grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
4243 include/linux/gracl_compat.h | 4 +-
4244 2 files changed, 49 insertions(+), 23 deletions(-)
4245
4246commit aa8d1edbfb648b1b942996d59fa446fd830df989
4247Author: Brad Spengler <spender@grsecurity.net>
4248Date: Tue Jul 30 21:20:18 2013 -0400
4249
4250 compile fix
4251
4252 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4253
4254 grsecurity/gracl.c | 4 ++--
4255 1 files changed, 2 insertions(+), 2 deletions(-)
4256
4257commit 28b7a6a844d93d88bb83383bb6273cdc22c595ad
4258Author: Brad Spengler <spender@grsecurity.net>
4259Date: Tue Jul 30 21:14:29 2013 -0400
4260
4261 copy correct pointer size in new compat code
4262
4263 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4264
4265 grsecurity/gracl.c | 8 ++++----
4266 grsecurity/gracl_compat.c | 4 ++--
4267 2 files changed, 6 insertions(+), 6 deletions(-)
4268
4269commit 9490ca70e30846522d28b6f9ca7caf28cdb7b9e3
4270Author: Brad Spengler <spender@grsecurity.net>
4271Date: Tue Jul 30 19:15:50 2013 -0400
4272
4273 compile fix
4274
4275 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4276
4277 grsecurity/gracl_compat.c | 6 ++++++
4278 1 files changed, 6 insertions(+), 0 deletions(-)
4279
4280commit 5f7d6c7e7e4ef41577b73936595ed1f28649e9e9
4281Author: Brad Spengler <spender@grsecurity.net>
4282Date: Tue Jul 30 19:12:46 2013 -0400
4283
4284 remove BUILD_BUG_ONs
4285
4286 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4287
4288 grsecurity/gracl_compat.c | 20 --------------------
4289 1 files changed, 0 insertions(+), 20 deletions(-)
4290
4291commit 91c416711e2e713d870dc52ce17af0607a82cb75
4292Author: Brad Spengler <spender@grsecurity.net>
4293Date: Tue Jul 30 00:18:36 2013 -0400
4294
4295 compile fixes
4296
4297 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4298
4299 grsecurity/gracl_compat.c | 8 ++++----
4300 include/linux/gracl_compat.h | 2 +-
4301 2 files changed, 5 insertions(+), 5 deletions(-)
4302
4303commit 99cad551389634d849387cf5e2054d9aa2c1c1b4
4304Author: Brad Spengler <spender@grsecurity.net>
4305Date: Tue Jul 30 00:16:42 2013 -0400
4306
4307 compile fixes
4308
4309 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4310
4311 grsecurity/gracl.c | 4 ++--
4312 grsecurity/gracl_compat.c | 2 +-
4313 2 files changed, 3 insertions(+), 3 deletions(-)
4314
4315commit 9ec58c4629d5aba15d09d4a740b83bf4cdb6da90
4316Author: Brad Spengler <spender@grsecurity.net>
4317Date: Tue Jul 30 00:13:51 2013 -0400
4318
4319 compile fixes
4320
4321 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4322
4323 grsecurity/gracl.c | 8 ++++----
4324 1 files changed, 4 insertions(+), 4 deletions(-)
4325
4326commit dd368be2aef36cae4f997fc798087069fb64d442
4327Author: Brad Spengler <spender@grsecurity.net>
4328Date: Tue Jul 30 00:11:03 2013 -0400
4329
4330 compile fixes
4331
4332 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4333
4334 grsecurity/gracl_compat.c | 3 +++
4335 1 files changed, 3 insertions(+), 0 deletions(-)
4336
4337commit 8970e77a91e35ddac604cf96462c600651e94baa
4338Author: Brad Spengler <spender@grsecurity.net>
4339Date: Tue Jul 30 00:08:21 2013 -0400
4340
4341 more compile fixes
4342
4343 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4344
4345 grsecurity/gracl.c | 28 ++++++++++++++--------------
4346 1 files changed, 14 insertions(+), 14 deletions(-)
4347
4348commit d5711d44bf668cdc5d29383e5e16ff884f1991ee
4349Author: Brad Spengler <spender@grsecurity.net>
4350Date: Mon Jul 29 23:59:50 2013 -0400
4351
4352 more compile fixes
4353
4354 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4355
4356 grsecurity/gracl.c | 10 +++++++++-
4357 1 files changed, 9 insertions(+), 1 deletions(-)
4358
4359commit f9bf16c3f73ff249219c1a7d457f10b5f5448da1
4360Author: Brad Spengler <spender@grsecurity.net>
4361Date: Mon Jul 29 23:56:47 2013 -0400
4362
4363 additional compile fixes
4364
4365 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4366
4367 grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
4368 1 files changed, 49 insertions(+), 10 deletions(-)
4369
4370commit afb88b8065edeb572c4d7992c6916d19a8bbc483
4371Author: Brad Spengler <spender@grsecurity.net>
4372Date: Mon Jul 29 23:47:15 2013 -0400
4373
4374 fix typo
4375
4376 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4377
4378 grsecurity/gracl.c | 2 +-
4379 1 files changed, 1 insertions(+), 1 deletions(-)
4380
4381commit 981fbde7260e575f99c7c9fc83239fca752cb543
4382Author: Brad Spengler <spender@grsecurity.net>
4383Date: Mon Jul 29 23:46:59 2013 -0400
4384
4385 compile fixes
4386
4387 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4388
4389 grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
4390 1 files changed, 39 insertions(+), 14 deletions(-)
4391
4392commit c3ebfc69b7c5c12f54ee8b2c34776c503eb825f5
4393Author: Brad Spengler <spender@grsecurity.net>
4394Date: Mon Jul 29 23:22:44 2013 -0400
4395
4396 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
4397
4398 Also removed code duplication for copying strings into the kernel
4399
4400 Work performed as part of sponsorship
4401
4402 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4403
4404 grsecurity/Makefile | 4 +
4405 grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
4406 grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
4407 include/linux/gracl_compat.h | 156 +++++++++++++++++++++
4408 4 files changed, 603 insertions(+), 142 deletions(-)
4409
4410commit 5f3672544ae20bb1a595a849b304d1c168254e2b
4411Author: Brad Spengler <spender@grsecurity.net>
4412Date: Tue Jul 16 20:40:24 2013 -0400
4413
4414 allow viewing of ecryptfs version under SYSFS_RESTRICT
4415
4416 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4417
4418 fs/sysfs/dir.c | 2 +-
4419 1 files changed, 1 insertions(+), 1 deletions(-)
4420
4421commit f892f6cf3070e516828ef6b81c39abdec77d7e93
4422Author: Brad Spengler <spender@grsecurity.net>
4423Date: Sun Jul 14 11:49:17 2013 -0400
4424
4425 Update PaX fix, just return the error
4426
4427 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4428
4429 mm/madvise.c | 11 +++++------
4430 1 files changed, 5 insertions(+), 6 deletions(-)
4431
4432commit bacca56a4c5ce1734004a310588d710ab642c14d
4433Author: Brad Spengler <spender@grsecurity.net>
4434Date: Sun Jul 14 11:36:00 2013 -0400
4435
4436 Fix madvise oops reported by Peter Keel
4437
4438 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4439
4440 mm/madvise.c | 11 ++++++-----
4441 1 files changed, 6 insertions(+), 5 deletions(-)
4442
4443commit bb802e55264979a3517687cc4e3ea4043187a4d6
4444Author: Brad Spengler <spender@grsecurity.net>
4445Date: Tue Jul 9 22:04:59 2013 -0400
4446
4447 compile fixes
4448
4449 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4450
4451 fs/exec.c | 2 +-
4452 mm/mmap.c | 4 ++--
4453 2 files changed, 3 insertions(+), 3 deletions(-)
4454
4455commit 80af0d78732fcd1345751765d6bdba75e4453096
4456Author: Brad Spengler <spender@grsecurity.net>
4457Date: Sat Sep 14 16:15:10 2013 -0400
4458
4459 Initial port of grsecurity to 3.11 using new git method
4460
4461 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4462
4463 Documentation/kernel-parameters.txt | 4 +
4464 Makefile | 8 +-
4465 arch/alpha/include/asm/cache.h | 4 +-
4466 arch/alpha/kernel/osf_sys.c | 12 +-
4467 arch/arm/include/asm/thread_info.h | 3 +-
4468 arch/arm/kernel/ptrace.c | 9 +
4469 arch/arm/kernel/traps.c | 7 +-
4470 arch/arm/mm/fault.c | 29 +-
4471 arch/arm/mm/mmap.c | 8 +-
4472 arch/avr32/include/asm/cache.h | 4 +-
4473 arch/blackfin/include/asm/cache.h | 3 +-
4474 arch/cris/include/arch-v10/arch/cache.h | 3 +-
4475 arch/cris/include/arch-v32/arch/cache.h | 3 +-
4476 arch/frv/include/asm/cache.h | 3 +-
4477 arch/frv/mm/elf-fdpic.c | 4 +-
4478 arch/hexagon/include/asm/cache.h | 6 +-
4479 arch/ia64/include/asm/cache.h | 3 +-
4480 arch/ia64/kernel/sys_ia64.c | 2 +
4481 arch/ia64/mm/hugetlbpage.c | 2 +
4482 arch/m32r/include/asm/cache.h | 4 +-
4483 arch/m68k/include/asm/cache.h | 4 +-
4484 arch/metag/mm/hugetlbpage.c | 1 +
4485 arch/microblaze/include/asm/cache.h | 3 +-
4486 arch/mips/include/asm/cache.h | 3 +-
4487 arch/mips/include/asm/thread_info.h | 9 +-
4488 arch/mips/kernel/ptrace.c | 9 +
4489 arch/mips/mm/mmap.c | 4 +-
4490 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
4491 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
4492 arch/openrisc/include/asm/cache.h | 4 +-
4493 arch/parisc/include/asm/cache.h | 5 +-
4494 arch/parisc/kernel/sys_parisc.c | 13 +-
4495 arch/powerpc/include/asm/cache.h | 3 +-
4496 arch/powerpc/kernel/process.c | 10 +-
4497 arch/powerpc/kernel/ptrace.c | 14 +
4498 arch/powerpc/kernel/traps.c | 5 +
4499 arch/s390/include/asm/cache.h | 4 +-
4500 arch/score/include/asm/cache.h | 4 +-
4501 arch/sh/include/asm/cache.h | 3 +-
4502 arch/sh/mm/mmap.c | 6 +-
4503 arch/sparc/include/asm/cache.h | 4 +-
4504 arch/sparc/include/asm/thread_info_64.h | 9 +-
4505 arch/sparc/kernel/process_32.c | 6 +-
4506 arch/sparc/kernel/process_64.c | 4 +-
4507 arch/sparc/kernel/ptrace_64.c | 14 +
4508 arch/sparc/kernel/sys_sparc_64.c | 8 +-
4509 arch/sparc/kernel/syscalls.S | 8 +-
4510 arch/sparc/kernel/traps_32.c | 8 +-
4511 arch/sparc/kernel/traps_64.c | 28 +-
4512 arch/sparc/kernel/unaligned_64.c | 2 +-
4513 arch/sparc/mm/fault_64.c | 2 +-
4514 arch/sparc/mm/hugetlbpage.c | 3 +-
4515 arch/tile/include/asm/cache.h | 3 +-
4516 arch/tile/mm/hugetlbpage.c | 2 +
4517 arch/um/include/asm/cache.h | 3 +-
4518 arch/unicore32/include/asm/cache.h | 6 +-
4519 arch/x86/Kconfig | 5 +-
4520 arch/x86/ia32/ia32_aout.c | 2 +
4521 arch/x86/include/asm/thread_info.h | 8 +-
4522 arch/x86/kernel/dumpstack.c | 8 +
4523 arch/x86/kernel/entry_32.S | 2 +-
4524 arch/x86/kernel/entry_64.S | 2 +-
4525 arch/x86/kernel/ioport.c | 13 +
4526 arch/x86/kernel/ptrace.c | 14 +
4527 arch/x86/kernel/signal.c | 9 +-
4528 arch/x86/kernel/smpboot.c | 3 +
4529 arch/x86/kernel/sys_i386_32.c | 9 +-
4530 arch/x86/kernel/sys_x86_64.c | 8 +-
4531 arch/x86/kernel/verify_cpu.S | 1 +
4532 arch/x86/kernel/vm86_32.c | 1 +
4533 arch/x86/mm/fault.c | 12 +-
4534 arch/x86/mm/hugetlbpage.c | 15 +-
4535 arch/x86/mm/init.c | 66 +-
4536 arch/x86/net/bpf_jit_comp.c | 126 +-
4537 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
4538 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
4539 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
4540 drivers/cdrom/cdrom.c | 2 +-
4541 drivers/char/Kconfig | 4 +-
4542 drivers/char/genrtc.c | 1 +
4543 drivers/char/mem.c | 17 +
4544 drivers/char/random.c | 14 +
4545 drivers/gpu/drm/drm_info.c | 4 +
4546 drivers/hid/hid-wiimote-debug.c | 2 +-
4547 drivers/media/radio/radio-cadet.c | 2 +-
4548 drivers/message/fusion/mptbase.c | 9 +
4549 drivers/net/bonding/bond_main.c | 1 +
4550 drivers/net/phy/mdio-bitbang.c | 1 +
4551 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
4552 drivers/pci/proc.c | 9 +
4553 drivers/rtc/rtc-dev.c | 3 +
4554 drivers/tty/sysrq.c | 2 +-
4555 drivers/tty/vt/keyboard.c | 22 +-
4556 drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------
4557 drivers/xen/xenfs/xenstored.c | 5 +
4558 fs/attr.c | 1 +
4559 fs/autofs4/waitq.c | 9 +
4560 fs/binfmt_aout.c | 7 +
4561 fs/binfmt_elf.c | 3 +-
4562 fs/btrfs/ioctl.c | 6 +-
4563 fs/compat.c | 20 +-
4564 fs/coredump.c | 11 +-
4565 fs/debugfs/inode.c | 4 +
4566 fs/exec.c | 184 ++-
4567 fs/ext2/balloc.c | 4 +-
4568 fs/ext3/balloc.c | 4 +-
4569 fs/fcntl.c | 5 +
4570 fs/file.c | 4 +
4571 fs/filesystems.c | 4 +
4572 fs/fs_struct.c | 13 +-
4573 fs/hugetlbfs/inode.c | 5 +-
4574 fs/namei.c | 218 ++-
4575 fs/namespace.c | 16 +
4576 fs/open.c | 38 +
4577 fs/proc/Kconfig | 10 +-
4578 fs/proc/array.c | 59 +-
4579 fs/proc/base.c | 166 ++-
4580 fs/proc/cmdline.c | 4 +
4581 fs/proc/devices.c | 4 +
4582 fs/proc/fd.c | 17 +-
4583 fs/proc/inode.c | 4 +
4584 fs/proc/kcore.c | 3 +
4585 fs/proc/proc_net.c | 12 +
4586 fs/proc/proc_sysctl.c | 43 +-
4587 fs/proc/root.c | 8 +
4588 fs/proc/task_mmu.c | 75 +-
4589 fs/readdir.c | 19 +
4590 fs/select.c | 2 +
4591 fs/seq_file.c | 12 +-
4592 fs/stat.c | 19 +-
4593 fs/sysfs/dir.c | 12 +
4594 fs/utimes.c | 7 +
4595 fs/xattr.c | 19 +-
4596 grsecurity/Kconfig | 2 +-
4597 grsecurity/gracl_fs.c | 6 +-
4598 include/linux/capability.h | 5 +
4599 include/linux/cred.h | 3 +
4600 include/linux/fs.h | 10 +
4601 include/linux/fsnotify.h | 6 +
4602 include/linux/kallsyms.h | 14 +-
4603 include/linux/kmod.h | 2 +
4604 include/linux/mm.h | 1 +
4605 include/linux/perf_event.h | 13 +-
4606 include/linux/printk.h | 3 +-
4607 include/linux/sched.h | 24 +-
4608 include/linux/security.h | 1 +
4609 include/linux/seq_file.h | 3 +
4610 include/linux/shm.h | 4 +
4611 include/linux/skbuff.h | 3 +
4612 include/linux/slab.h | 9 -
4613 include/linux/sysctl.h | 2 +
4614 include/linux/thread_info.h | 2 +
4615 include/linux/uidgid.h | 5 +
4616 include/linux/vermagic.h | 9 +-
4617 include/uapi/linux/personality.h | 1 +
4618 init/Kconfig | 3 +-
4619 init/main.c | 14 +
4620 ipc/mqueue.c | 1 +
4621 ipc/shm.c | 28 +
4622 kernel/capability.c | 40 +-
4623 kernel/cgroup.c | 2 +-
4624 kernel/compat.c | 1 +
4625 kernel/configs.c | 11 +
4626 kernel/cred.c | 110 +-
4627 kernel/events/core.c | 14 +-
4628 kernel/exit.c | 10 +-
4629 kernel/fork.c | 41 +-
4630 kernel/futex.c | 1 +
4631 kernel/kallsyms.c | 9 +
4632 kernel/kcmp.c | 4 +
4633 kernel/kmod.c | 64 +-
4634 kernel/kprobes.c | 4 +-
4635 kernel/ksysfs.c | 2 +
4636 kernel/locking/lockdep_proc.c | 10 +-
4637 kernel/module.c | 81 +-
4638 kernel/panic.c | 2 +-
4639 kernel/pid.c | 19 +-
4640 kernel/posix-timers.c | 7 +
4641 kernel/printk/printk.c | 5 +
4642 kernel/ptrace.c | 20 +-
4643 kernel/resource.c | 10 +
4644 kernel/sched/core.c | 6 +-
4645 kernel/signal.c | 37 +-
4646 kernel/sys.c | 45 +-
4647 kernel/sysctl.c | 69 +-
4648 kernel/taskstats.c | 6 +
4649 kernel/time.c | 5 +
4650 kernel/time/timekeeping.c | 1 +
4651 kernel/time/timer_list.c | 12 +
4652 kernel/time/timer_stats.c | 10 +-
4653 lib/Kconfig.debug | 5 +-
4654 lib/is_single_threaded.c | 3 +
4655 mm/Kconfig | 4 +-
4656 mm/filemap.c | 1 +
4657 mm/kmemleak.c | 4 +-
4658 mm/mempolicy.c | 12 +-
4659 mm/migrate.c | 3 +-
4660 mm/mlock.c | 3 +
4661 mm/mmap.c | 63 +-
4662 mm/mprotect.c | 8 +
4663 mm/process_vm_access.c | 6 +
4664 mm/slab.c | 2 +-
4665 mm/slub.c | 14 +-
4666 mm/vmalloc.c | 4 +
4667 mm/vmstat.c | 18 +-
4668 net/core/dev_ioctl.c | 4 +
4669 net/core/sock_diag.c | 7 +
4670 net/ipv4/inet_hashtables.c | 5 +
4671 net/ipv4/ip_sockglue.c | 3 +-
4672 net/ipv4/tcp_input.c | 4 +-
4673 net/ipv4/tcp_ipv4.c | 24 +-
4674 net/ipv4/tcp_minisocks.c | 9 +-
4675 net/ipv4/tcp_timer.c | 11 +
4676 net/ipv4/udp.c | 24 +
4677 net/ipv6/tcp_ipv6.c | 23 +-
4678 net/ipv6/udp.c | 4 +
4679 net/netfilter/Kconfig | 10 +
4680 net/netfilter/Makefile | 1 +
4681 net/netfilter/nf_conntrack_core.c | 8 +
4682 net/netrom/af_netrom.c | 1 -
4683 net/phonet/af_phonet.c | 2 +-
4684 net/socket.c | 66 +-
4685 net/sysctl_net.c | 2 +-
4686 net/unix/af_unix.c | 31 +-
4687 security/Kconfig | 341 +++-
4688 security/commoncap.c | 29 +
4689 security/min_addr.c | 2 +
4690 security/tomoyo/mount.c | 4 +
4691 security/yama/Kconfig | 2 +-
4692 229 files changed, 4100 insertions(+), 2025 deletions(-)
4693
4694commit 75586073addae35174967d77e1b985e6b534e3f8
4695Author: Brad Spengler <spender@grsecurity.net>
4696Date: Tue Jul 9 20:57:40 2013 -0400
4697
4698 Commit merge of new files and rejected patches
4699
4700 Signed-off-by: Brad Spengler <spender@grsecurity.net>
4701
4702 arch/arm/include/asm/thread_info.h | 6 +-
4703 arch/arm/kernel/process.c | 4 +-
4704 arch/powerpc/include/asm/thread_info.h | 7 +-
4705 arch/powerpc/mm/slice.c | 2 +-
4706 arch/sparc/kernel/process_64.c | 4 +-
4707 arch/x86/kernel/vm86_32.c | 15 +
4708 fs/coredump.c | 1 +
4709 fs/ext4/balloc.c | 4 +-
4710 fs/namei.c | 7 +
4711 fs/namespace.c | 8 +
4712 fs/pipe.c | 2 +-
4713 fs/proc/inode.c | 13 +
4714 fs/proc/internal.h | 3 +
4715 grsecurity/Kconfig | 1054 +++++++++
4716 grsecurity/Makefile | 38 +
4717 grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
4718 grsecurity/gracl_alloc.c | 105 +
4719 grsecurity/gracl_cap.c | 110 +
4720 grsecurity/gracl_fs.c | 431 ++++
4721 grsecurity/gracl_ip.c | 387 +++
4722 grsecurity/gracl_learn.c | 207 ++
4723 grsecurity/gracl_res.c | 68 +
4724 grsecurity/gracl_segv.c | 305 +++
4725 grsecurity/gracl_shm.c | 40 +
4726 grsecurity/grsec_chdir.c | 19 +
4727 grsecurity/grsec_chroot.c | 370 +++
4728 grsecurity/grsec_disabled.c | 434 ++++
4729 grsecurity/grsec_exec.c | 187 ++
4730 grsecurity/grsec_fifo.c | 24 +
4731 grsecurity/grsec_fork.c | 23 +
4732 grsecurity/grsec_init.c | 283 +++
4733 grsecurity/grsec_link.c | 58 +
4734 grsecurity/grsec_log.c | 326 +++
4735 grsecurity/grsec_mem.c | 40 +
4736 grsecurity/grsec_mount.c | 62 +
4737 grsecurity/grsec_pax.c | 36 +
4738 grsecurity/grsec_ptrace.c | 30 +
4739 grsecurity/grsec_sig.c | 246 ++
4740 grsecurity/grsec_sock.c | 244 ++
4741 grsecurity/grsec_sysctl.c | 469 ++++
4742 grsecurity/grsec_time.c | 16 +
4743 grsecurity/grsec_tpe.c | 73 +
4744 grsecurity/grsum.c | 61 +
4745 include/linux/gracl.h | 319 +++
4746 include/linux/gralloc.h | 9 +
4747 include/linux/grdefs.h | 140 ++
4748 include/linux/grinternal.h | 227 ++
4749 include/linux/grmsg.h | 112 +
4750 include/linux/grsecurity.h | 241 ++
4751 include/linux/grsock.h | 19 +
4752 include/linux/netfilter/xt_gradm.h | 9 +
4753 include/linux/proc_fs.h | 13 +
4754 include/linux/sched.h | 48 +-
4755 include/trace/events/fs.h | 53 +
4756 kernel/kmod.c | 7 +-
4757 kernel/panic.c | 2 +-
4758 kernel/posix-timers.c | 1 +
4759 kernel/time/timekeeping.c | 2 +
4760 lib/Kconfig.debug | 2 +-
4761 lib/vsprintf.c | 31 +
4762 localversion-grsec | 1 +
4763 mm/mmap.c | 13 +-
4764 mm/shmem.c | 2 +-
4765 net/core/net-procfs.c | 5 +
4766 net/ipv6/udp.c | 3 +
4767 net/netfilter/xt_gradm.c | 51 +
4768 66 files changed, 11184 insertions(+), 21 deletions(-)
4769
4770commit 0100435c11a01cfbedea13ac5aebd38fb03309b4
4771Author: Brad Spengler <spender@grsecurity.net>
4772Date: Sat Jan 25 17:32:18 2014 -0500
4773
4774 Initial import of pax-linux-3.13-test2.patch
4775
4776 Documentation/dontdiff | 47 +-
4777 Documentation/kernel-parameters.txt | 23 +
4778 Makefile | 102 +-
4779 arch/alpha/include/asm/atomic.h | 10 +
4780 arch/alpha/include/asm/elf.h | 7 +
4781 arch/alpha/include/asm/pgalloc.h | 6 +
4782 arch/alpha/include/asm/pgtable.h | 11 +
4783 arch/alpha/kernel/module.c | 2 +-
4784 arch/alpha/kernel/osf_sys.c | 8 +-
4785 arch/alpha/mm/fault.c | 141 +-
4786 arch/arm/Kconfig | 2 +-
4787 arch/arm/include/asm/atomic.h | 442 ++-
4788 arch/arm/include/asm/cache.h | 5 +-
4789 arch/arm/include/asm/cacheflush.h | 2 +-
4790 arch/arm/include/asm/checksum.h | 14 +-
4791 arch/arm/include/asm/cmpxchg.h | 2 +
4792 arch/arm/include/asm/domain.h | 33 +-
4793 arch/arm/include/asm/elf.h | 13 +-
4794 arch/arm/include/asm/fncpy.h | 2 +
4795 arch/arm/include/asm/futex.h | 10 +
4796 arch/arm/include/asm/kmap_types.h | 2 +-
4797 arch/arm/include/asm/mach/dma.h | 2 +-
4798 arch/arm/include/asm/mach/map.h | 7 +-
4799 arch/arm/include/asm/outercache.h | 2 +-
4800 arch/arm/include/asm/page.h | 2 +-
4801 arch/arm/include/asm/pgalloc.h | 22 +-
4802 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
4803 arch/arm/include/asm/pgtable-2level.h | 3 +
4804 arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
4805 arch/arm/include/asm/pgtable-3level.h | 2 +
4806 arch/arm/include/asm/pgtable.h | 54 +-
4807 arch/arm/include/asm/proc-fns.h | 2 +-
4808 arch/arm/include/asm/psci.h | 2 +-
4809 arch/arm/include/asm/smp.h | 2 +-
4810 arch/arm/include/asm/thread_info.h | 6 +-
4811 arch/arm/include/asm/uaccess.h | 95 +-
4812 arch/arm/include/uapi/asm/ptrace.h | 2 +-
4813 arch/arm/kernel/armksyms.c | 8 +-
4814 arch/arm/kernel/entry-armv.S | 110 +-
4815 arch/arm/kernel/entry-common.S | 40 +-
4816 arch/arm/kernel/entry-header.S | 60 +
4817 arch/arm/kernel/fiq.c | 3 +
4818 arch/arm/kernel/head.S | 6 +-
4819 arch/arm/kernel/module.c | 31 +-
4820 arch/arm/kernel/patch.c | 2 +
4821 arch/arm/kernel/process.c | 42 +-
4822 arch/arm/kernel/psci.c | 2 +-
4823 arch/arm/kernel/setup.c | 22 +-
4824 arch/arm/kernel/signal.c | 35 +-
4825 arch/arm/kernel/smp.c | 2 +-
4826 arch/arm/kernel/traps.c | 8 +-
4827 arch/arm/kernel/vmlinux.lds.S | 24 +-
4828 arch/arm/kvm/arm.c | 8 +-
4829 arch/arm/lib/clear_user.S | 6 +-
4830 arch/arm/lib/copy_from_user.S | 6 +-
4831 arch/arm/lib/copy_page.S | 1 +
4832 arch/arm/lib/copy_to_user.S | 6 +-
4833 arch/arm/lib/csumpartialcopyuser.S | 4 +-
4834 arch/arm/lib/delay.c | 2 +-
4835 arch/arm/lib/uaccess_with_memcpy.c | 4 +-
4836 arch/arm/mach-kirkwood/common.c | 19 +-
4837 arch/arm/mach-omap2/board-n8x0.c | 2 +-
4838 arch/arm/mach-omap2/gpmc.c | 22 +-
4839 arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +-
4840 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
4841 arch/arm/mach-omap2/omap_device.c | 4 +-
4842 arch/arm/mach-omap2/omap_device.h | 4 +-
4843 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
4844 arch/arm/mach-omap2/wd_timer.c | 6 +-
4845 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
4846 arch/arm/mach-ux500/setup.h | 7 -
4847 arch/arm/mm/Kconfig | 6 +-
4848 arch/arm/mm/alignment.c | 8 +
4849 arch/arm/mm/cache-l2x0.c | 2 +-
4850 arch/arm/mm/context.c | 10 +-
4851 arch/arm/mm/fault.c | 140 +
4852 arch/arm/mm/fault.h | 12 +
4853 arch/arm/mm/init.c | 41 +
4854 arch/arm/mm/ioremap.c | 4 +-
4855 arch/arm/mm/mmap.c | 30 +-
4856 arch/arm/mm/mmu.c | 185 +-
4857 arch/arm/plat-omap/sram.c | 2 +
4858 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
4859 arch/avr32/include/asm/elf.h | 8 +-
4860 arch/avr32/include/asm/kmap_types.h | 4 +-
4861 arch/avr32/mm/fault.c | 27 +
4862 arch/frv/include/asm/atomic.h | 10 +
4863 arch/frv/include/asm/kmap_types.h | 2 +-
4864 arch/frv/mm/elf-fdpic.c | 3 +-
4865 arch/ia64/include/asm/atomic.h | 10 +
4866 arch/ia64/include/asm/elf.h | 7 +
4867 arch/ia64/include/asm/pgalloc.h | 12 +
4868 arch/ia64/include/asm/pgtable.h | 13 +-
4869 arch/ia64/include/asm/spinlock.h | 2 +-
4870 arch/ia64/include/asm/uaccess.h | 26 +-
4871 arch/ia64/kernel/module.c | 48 +-
4872 arch/ia64/kernel/palinfo.c | 2 +-
4873 arch/ia64/kernel/sys_ia64.c | 7 +
4874 arch/ia64/kernel/vmlinux.lds.S | 2 +-
4875 arch/ia64/mm/fault.c | 32 +-
4876 arch/ia64/mm/init.c | 13 +
4877 arch/m32r/lib/usercopy.c | 6 +
4878 arch/mips/include/asm/atomic.h | 728 +++-
4879 arch/mips/include/asm/elf.h | 11 +-
4880 arch/mips/include/asm/exec.h | 2 +-
4881 arch/mips/include/asm/local.h | 57 +
4882 arch/mips/include/asm/page.h | 2 +-
4883 arch/mips/include/asm/pgalloc.h | 5 +
4884 arch/mips/include/asm/smtc_proc.h | 2 +-
4885 arch/mips/kernel/binfmt_elfn32.c | 7 +
4886 arch/mips/kernel/binfmt_elfo32.c | 7 +
4887 arch/mips/kernel/irq.c | 6 +-
4888 arch/mips/kernel/process.c | 12 -
4889 arch/mips/kernel/smtc-proc.c | 6 +-
4890 arch/mips/kernel/smtc.c | 2 +-
4891 arch/mips/kernel/sync-r4k.c | 24 +-
4892 arch/mips/kernel/traps.c | 13 +-
4893 arch/mips/mm/fault.c | 25 +
4894 arch/mips/mm/mmap.c | 51 +-
4895 arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
4896 arch/parisc/include/asm/atomic.h | 10 +
4897 arch/parisc/include/asm/elf.h | 7 +
4898 arch/parisc/include/asm/pgalloc.h | 6 +
4899 arch/parisc/include/asm/pgtable.h | 11 +
4900 arch/parisc/include/asm/uaccess.h | 4 +-
4901 arch/parisc/kernel/module.c | 50 +-
4902 arch/parisc/kernel/sys_parisc.c | 9 +-
4903 arch/parisc/kernel/traps.c | 4 +-
4904 arch/parisc/mm/fault.c | 140 +-
4905 arch/powerpc/include/asm/atomic.h | 10 +
4906 arch/powerpc/include/asm/elf.h | 19 +-
4907 arch/powerpc/include/asm/exec.h | 2 +-
4908 arch/powerpc/include/asm/kmap_types.h | 2 +-
4909 arch/powerpc/include/asm/mman.h | 2 +-
4910 arch/powerpc/include/asm/page.h | 8 +-
4911 arch/powerpc/include/asm/page_64.h | 7 +-
4912 arch/powerpc/include/asm/pgalloc-64.h | 7 +
4913 arch/powerpc/include/asm/pgtable.h | 1 +
4914 arch/powerpc/include/asm/pte-hash32.h | 1 +
4915 arch/powerpc/include/asm/reg.h | 1 +
4916 arch/powerpc/include/asm/smp.h | 2 +-
4917 arch/powerpc/include/asm/uaccess.h | 140 +-
4918 arch/powerpc/kernel/exceptions-64e.S | 4 +-
4919 arch/powerpc/kernel/exceptions-64s.S | 2 +-
4920 arch/powerpc/kernel/module_32.c | 15 +-
4921 arch/powerpc/kernel/process.c | 55 -
4922 arch/powerpc/kernel/signal_32.c | 2 +-
4923 arch/powerpc/kernel/signal_64.c | 2 +-
4924 arch/powerpc/kernel/vdso.c | 5 +-
4925 arch/powerpc/lib/usercopy_64.c | 18 -
4926 arch/powerpc/mm/fault.c | 54 +-
4927 arch/powerpc/mm/mmap.c | 16 +
4928 arch/powerpc/mm/slice.c | 13 +-
4929 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
4930 arch/s390/include/asm/atomic.h | 10 +
4931 arch/s390/include/asm/elf.h | 13 +-
4932 arch/s390/include/asm/exec.h | 2 +-
4933 arch/s390/include/asm/uaccess.h | 15 +-
4934 arch/s390/kernel/module.c | 22 +-
4935 arch/s390/kernel/process.c | 36 -
4936 arch/s390/mm/mmap.c | 24 +
4937 arch/score/include/asm/exec.h | 2 +-
4938 arch/score/kernel/process.c | 5 -
4939 arch/sh/mm/mmap.c | 22 +-
4940 arch/sparc/include/asm/atomic_64.h | 106 +-
4941 arch/sparc/include/asm/cache.h | 2 +-
4942 arch/sparc/include/asm/elf_32.h | 7 +
4943 arch/sparc/include/asm/elf_64.h | 7 +
4944 arch/sparc/include/asm/pgalloc_32.h | 1 +
4945 arch/sparc/include/asm/pgalloc_64.h | 1 +
4946 arch/sparc/include/asm/pgtable_32.h | 15 +-
4947 arch/sparc/include/asm/pgtsrmmu.h | 5 +
4948 arch/sparc/include/asm/spinlock_64.h | 35 +-
4949 arch/sparc/include/asm/thread_info_32.h | 2 +
4950 arch/sparc/include/asm/thread_info_64.h | 2 +
4951 arch/sparc/include/asm/uaccess.h | 1 +
4952 arch/sparc/include/asm/uaccess_32.h | 27 +-
4953 arch/sparc/include/asm/uaccess_64.h | 19 +-
4954 arch/sparc/kernel/Makefile | 2 +-
4955 arch/sparc/kernel/prom_common.c | 2 +-
4956 arch/sparc/kernel/smp_64.c | 12 +-
4957 arch/sparc/kernel/sys_sparc_32.c | 2 +-
4958 arch/sparc/kernel/sys_sparc_64.c | 52 +-
4959 arch/sparc/kernel/traps_64.c | 27 +-
4960 arch/sparc/lib/Makefile | 2 +-
4961 arch/sparc/lib/atomic_64.S | 136 +-
4962 arch/sparc/lib/ksyms.c | 6 +
4963 arch/sparc/mm/Makefile | 2 +-
4964 arch/sparc/mm/fault_32.c | 292 +
4965 arch/sparc/mm/fault_64.c | 486 ++
4966 arch/sparc/mm/hugetlbpage.c | 21 +-
4967 arch/sparc/mm/init_64.c | 10 +-
4968 arch/tile/include/asm/atomic_64.h | 10 +
4969 arch/tile/include/asm/uaccess.h | 4 +-
4970 arch/um/Makefile | 4 +
4971 arch/um/include/asm/kmap_types.h | 2 +-
4972 arch/um/include/asm/page.h | 3 +
4973 arch/um/include/asm/pgtable-3level.h | 1 +
4974 arch/um/kernel/process.c | 16 -
4975 arch/x86/Kconfig | 10 +-
4976 arch/x86/Kconfig.cpu | 6 +-
4977 arch/x86/Kconfig.debug | 4 +-
4978 arch/x86/Makefile | 16 +-
4979 arch/x86/boot/Makefile | 3 +
4980 arch/x86/boot/bitops.h | 4 +-
4981 arch/x86/boot/boot.h | 4 +-
4982 arch/x86/boot/compressed/Makefile | 3 +
4983 arch/x86/boot/compressed/efi_stub_32.S | 16 +-
4984 arch/x86/boot/compressed/head_32.S | 2 +-
4985 arch/x86/boot/compressed/head_64.S | 8 +-
4986 arch/x86/boot/compressed/misc.c | 6 +-
4987 arch/x86/boot/cpucheck.c | 28 +-
4988 arch/x86/boot/header.S | 6 +-
4989 arch/x86/boot/memory.c | 2 +-
4990 arch/x86/boot/video-vesa.c | 1 +
4991 arch/x86/boot/video.c | 2 +-
4992 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
4993 arch/x86/crypto/aesni-intel_asm.S | 106 +-
4994 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
4995 arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
4996 arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
4997 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
4998 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +-
4999 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +-
5000 arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
5001 arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
5002 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
5003 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
5004 arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
5005 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
5006 arch/x86/crypto/sha1_ssse3_asm.S | 10 +-
5007 arch/x86/crypto/sha256-avx-asm.S | 2 +
5008 arch/x86/crypto/sha256-avx2-asm.S | 2 +
5009 arch/x86/crypto/sha256-ssse3-asm.S | 2 +
5010 arch/x86/crypto/sha512-avx-asm.S | 2 +
5011 arch/x86/crypto/sha512-avx2-asm.S | 2 +
5012 arch/x86/crypto/sha512-ssse3-asm.S | 2 +
5013 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +-
5014 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
5015 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
5016 arch/x86/ia32/ia32_signal.c | 14 +-
5017 arch/x86/ia32/ia32entry.S | 173 +-
5018 arch/x86/ia32/sys_ia32.c | 4 +-
5019 arch/x86/include/asm/alternative-asm.h | 39 +
5020 arch/x86/include/asm/alternative.h | 4 +-
5021 arch/x86/include/asm/apic.h | 2 +-
5022 arch/x86/include/asm/apm.h | 4 +-
5023 arch/x86/include/asm/atomic.h | 269 +-
5024 arch/x86/include/asm/atomic64_32.h | 100 +
5025 arch/x86/include/asm/atomic64_64.h | 166 +-
5026 arch/x86/include/asm/bitops.h | 18 +-
5027 arch/x86/include/asm/boot.h | 7 +-
5028 arch/x86/include/asm/cache.h | 5 +-
5029 arch/x86/include/asm/cacheflush.h | 2 +-
5030 arch/x86/include/asm/calling.h | 118 +-
5031 arch/x86/include/asm/checksum_32.h | 12 +-
5032 arch/x86/include/asm/cmpxchg.h | 35 +
5033 arch/x86/include/asm/compat.h | 2 +-
5034 arch/x86/include/asm/cpufeature.h | 16 +-
5035 arch/x86/include/asm/desc.h | 78 +-
5036 arch/x86/include/asm/desc_defs.h | 6 +
5037 arch/x86/include/asm/div64.h | 2 +-
5038 arch/x86/include/asm/elf.h | 31 +-
5039 arch/x86/include/asm/emergency-restart.h | 2 +-
5040 arch/x86/include/asm/fpu-internal.h | 8 +-
5041 arch/x86/include/asm/futex.h | 20 +-
5042 arch/x86/include/asm/hw_irq.h | 4 +-
5043 arch/x86/include/asm/i8259.h | 2 +-
5044 arch/x86/include/asm/io.h | 21 +-
5045 arch/x86/include/asm/irqflags.h | 5 +
5046 arch/x86/include/asm/kprobes.h | 9 +-
5047 arch/x86/include/asm/local.h | 106 +-
5048 arch/x86/include/asm/mman.h | 15 +
5049 arch/x86/include/asm/mmu.h | 16 +-
5050 arch/x86/include/asm/mmu_context.h | 136 +-
5051 arch/x86/include/asm/module.h | 17 +-
5052 arch/x86/include/asm/nmi.h | 6 +-
5053 arch/x86/include/asm/page.h | 1 +
5054 arch/x86/include/asm/page_64.h | 4 +-
5055 arch/x86/include/asm/paravirt.h | 46 +-
5056 arch/x86/include/asm/paravirt_types.h | 15 +-
5057 arch/x86/include/asm/pgalloc.h | 23 +
5058 arch/x86/include/asm/pgtable-2level.h | 2 +
5059 arch/x86/include/asm/pgtable-3level.h | 4 +
5060 arch/x86/include/asm/pgtable.h | 124 +-
5061 arch/x86/include/asm/pgtable_32.h | 14 +-
5062 arch/x86/include/asm/pgtable_32_types.h | 15 +-
5063 arch/x86/include/asm/pgtable_64.h | 19 +-
5064 arch/x86/include/asm/pgtable_64_types.h | 5 +
5065 arch/x86/include/asm/pgtable_types.h | 36 +-
5066 arch/x86/include/asm/preempt.h | 2 +-
5067 arch/x86/include/asm/processor.h | 79 +-
5068 arch/x86/include/asm/ptrace.h | 26 +-
5069 arch/x86/include/asm/realmode.h | 4 +-
5070 arch/x86/include/asm/reboot.h | 10 +-
5071 arch/x86/include/asm/rmwcc.h | 84 +-
5072 arch/x86/include/asm/rwsem.h | 60 +-
5073 arch/x86/include/asm/segment.h | 29 +-
5074 arch/x86/include/asm/smap.h | 64 +-
5075 arch/x86/include/asm/smp.h | 14 +-
5076 arch/x86/include/asm/spinlock.h | 36 +-
5077 arch/x86/include/asm/stackprotector.h | 4 +-
5078 arch/x86/include/asm/stacktrace.h | 32 +-
5079 arch/x86/include/asm/switch_to.h | 4 +-
5080 arch/x86/include/asm/thread_info.h | 83 +-
5081 arch/x86/include/asm/tlbflush.h | 74 +-
5082 arch/x86/include/asm/uaccess.h | 162 +-
5083 arch/x86/include/asm/uaccess_32.h | 24 +-
5084 arch/x86/include/asm/uaccess_64.h | 177 +-
5085 arch/x86/include/asm/word-at-a-time.h | 2 +-
5086 arch/x86/include/asm/x86_init.h | 10 +-
5087 arch/x86/include/asm/xen/page.h | 2 +-
5088 arch/x86/include/asm/xsave.h | 14 +-
5089 arch/x86/include/uapi/asm/e820.h | 2 +-
5090 arch/x86/include/uapi/asm/ptrace-abi.h | 1 -
5091 arch/x86/kernel/Makefile | 2 +-
5092 arch/x86/kernel/acpi/boot.c | 4 +-
5093 arch/x86/kernel/acpi/sleep.c | 4 +
5094 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
5095 arch/x86/kernel/alternative.c | 69 +-
5096 arch/x86/kernel/apic/apic.c | 4 +-
5097 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
5098 arch/x86/kernel/apic/apic_noop.c | 2 +-
5099 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
5100 arch/x86/kernel/apic/es7000_32.c | 5 +-
5101 arch/x86/kernel/apic/io_apic.c | 8 +-
5102 arch/x86/kernel/apic/numaq_32.c | 3 +-
5103 arch/x86/kernel/apic/probe_32.c | 2 +-
5104 arch/x86/kernel/apic/summit_32.c | 2 +-
5105 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
5106 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
5107 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
5108 arch/x86/kernel/apm_32.c | 19 +-
5109 arch/x86/kernel/asm-offsets.c | 20 +
5110 arch/x86/kernel/asm-offsets_64.c | 1 +
5111 arch/x86/kernel/cpu/Makefile | 4 -
5112 arch/x86/kernel/cpu/amd.c | 2 +-
5113 arch/x86/kernel/cpu/common.c | 132 +-
5114 arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
5115 arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
5116 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
5117 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
5118 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
5119 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
5120 arch/x86/kernel/cpu/perf_event.c | 8 +-
5121 arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
5122 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
5123 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
5124 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
5125 arch/x86/kernel/cpuid.c | 2 +-
5126 arch/x86/kernel/crash.c | 4 +-
5127 arch/x86/kernel/crash_dump_64.c | 2 +-
5128 arch/x86/kernel/doublefault.c | 8 +-
5129 arch/x86/kernel/dumpstack.c | 30 +-
5130 arch/x86/kernel/dumpstack_32.c | 34 +-
5131 arch/x86/kernel/dumpstack_64.c | 61 +-
5132 arch/x86/kernel/e820.c | 4 +-
5133 arch/x86/kernel/early_printk.c | 1 +
5134 arch/x86/kernel/entry_32.S | 356 ++-
5135 arch/x86/kernel/entry_64.S | 736 +++-
5136 arch/x86/kernel/ftrace.c | 14 +-
5137 arch/x86/kernel/head64.c | 13 +-
5138 arch/x86/kernel/head_32.S | 228 +-
5139 arch/x86/kernel/head_64.S | 136 +-
5140 arch/x86/kernel/i386_ksyms_32.c | 12 +
5141 arch/x86/kernel/i387.c | 2 +-
5142 arch/x86/kernel/i8259.c | 10 +-
5143 arch/x86/kernel/io_delay.c | 2 +-
5144 arch/x86/kernel/ioport.c | 2 +-
5145 arch/x86/kernel/irq.c | 8 +-
5146 arch/x86/kernel/irq_32.c | 67 +-
5147 arch/x86/kernel/irq_64.c | 2 +-
5148 arch/x86/kernel/jump_label.c | 8 +-
5149 arch/x86/kernel/kgdb.c | 25 +-
5150 arch/x86/kernel/kprobes/core.c | 30 +-
5151 arch/x86/kernel/kprobes/opt.c | 16 +-
5152 arch/x86/kernel/ldt.c | 31 +-
5153 arch/x86/kernel/machine_kexec_32.c | 6 +-
5154 arch/x86/kernel/microcode_core.c | 2 +-
5155 arch/x86/kernel/microcode_intel.c | 4 +-
5156 arch/x86/kernel/module.c | 76 +-
5157 arch/x86/kernel/msr.c | 2 +-
5158 arch/x86/kernel/nmi.c | 19 +-
5159 arch/x86/kernel/nmi_selftest.c | 4 +-
5160 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
5161 arch/x86/kernel/paravirt.c | 43 +-
5162 arch/x86/kernel/pci-calgary_64.c | 2 +-
5163 arch/x86/kernel/pci-iommu_table.c | 2 +-
5164 arch/x86/kernel/pci-swiotlb.c | 2 +-
5165 arch/x86/kernel/process.c | 55 +-
5166 arch/x86/kernel/process_32.c | 29 +-
5167 arch/x86/kernel/process_64.c | 20 +-
5168 arch/x86/kernel/ptrace.c | 25 +-
5169 arch/x86/kernel/pvclock.c | 8 +-
5170 arch/x86/kernel/reboot.c | 42 +-
5171 arch/x86/kernel/reboot_fixups_32.c | 2 +-
5172 arch/x86/kernel/relocate_kernel_64.S | 5 +-
5173 arch/x86/kernel/setup.c | 63 +-
5174 arch/x86/kernel/setup_percpu.c | 29 +-
5175 arch/x86/kernel/signal.c | 15 +-
5176 arch/x86/kernel/smp.c | 2 +-
5177 arch/x86/kernel/smpboot.c | 28 +-
5178 arch/x86/kernel/step.c | 10 +-
5179 arch/x86/kernel/sys_i386_32.c | 184 +
5180 arch/x86/kernel/sys_x86_64.c | 22 +-
5181 arch/x86/kernel/tboot.c | 12 +-
5182 arch/x86/kernel/time.c | 10 +-
5183 arch/x86/kernel/tls.c | 7 +-
5184 arch/x86/kernel/tracepoint.c | 4 +-
5185 arch/x86/kernel/traps.c | 62 +-
5186 arch/x86/kernel/uprobes.c | 4 +-
5187 arch/x86/kernel/vm86_32.c | 6 +-
5188 arch/x86/kernel/vmlinux.lds.S | 147 +-
5189 arch/x86/kernel/vsyscall_64.c | 12 +-
5190 arch/x86/kernel/x8664_ksyms_64.c | 6 +-
5191 arch/x86/kernel/x86_init.c | 6 +-
5192 arch/x86/kernel/xsave.c | 2 +
5193 arch/x86/kvm/cpuid.c | 21 +-
5194 arch/x86/kvm/lapic.c | 2 +-
5195 arch/x86/kvm/paging_tmpl.h | 2 +-
5196 arch/x86/kvm/svm.c | 8 +
5197 arch/x86/kvm/vmx.c | 63 +-
5198 arch/x86/kvm/x86.c | 8 +-
5199 arch/x86/lguest/boot.c | 3 +-
5200 arch/x86/lib/atomic64_386_32.S | 164 +
5201 arch/x86/lib/atomic64_cx8_32.S | 103 +-
5202 arch/x86/lib/checksum_32.S | 100 +-
5203 arch/x86/lib/clear_page_64.S | 5 +-
5204 arch/x86/lib/cmpxchg16b_emu.S | 2 +
5205 arch/x86/lib/copy_page_64.S | 20 +-
5206 arch/x86/lib/copy_user_64.S | 81 +-
5207 arch/x86/lib/copy_user_nocache_64.S | 14 +
5208 arch/x86/lib/csum-copy_64.S | 18 +-
5209 arch/x86/lib/csum-wrappers_64.c | 8 +-
5210 arch/x86/lib/getuser.S | 74 +-
5211 arch/x86/lib/insn.c | 6 +-
5212 arch/x86/lib/iomap_copy_64.S | 2 +
5213 arch/x86/lib/memcpy_64.S | 10 +-
5214 arch/x86/lib/memmove_64.S | 4 +-
5215 arch/x86/lib/memset_64.S | 7 +-
5216 arch/x86/lib/mmx_32.c | 243 +-
5217 arch/x86/lib/msr-reg.S | 2 +
5218 arch/x86/lib/putuser.S | 90 +-
5219 arch/x86/lib/rwlock.S | 42 +
5220 arch/x86/lib/rwsem.S | 6 +-
5221 arch/x86/lib/thunk_64.S | 12 +-
5222 arch/x86/lib/usercopy_32.c | 357 +-
5223 arch/x86/lib/usercopy_64.c | 18 +-
5224 arch/x86/mm/Makefile | 4 +
5225 arch/x86/mm/extable.c | 25 +-
5226 arch/x86/mm/fault.c | 564 ++-
5227 arch/x86/mm/gup.c | 6 +-
5228 arch/x86/mm/highmem_32.c | 4 +
5229 arch/x86/mm/hugetlbpage.c | 30 +-
5230 arch/x86/mm/init.c | 101 +-
5231 arch/x86/mm/init_32.c | 111 +-
5232 arch/x86/mm/init_64.c | 45 +-
5233 arch/x86/mm/iomap_32.c | 4 +
5234 arch/x86/mm/ioremap.c | 15 +-
5235 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
5236 arch/x86/mm/mmap.c | 36 +-
5237 arch/x86/mm/mmio-mod.c | 10 +-
5238 arch/x86/mm/numa.c | 2 +-
5239 arch/x86/mm/pageattr-test.c | 2 +-
5240 arch/x86/mm/pageattr.c | 33 +-
5241 arch/x86/mm/pat.c | 12 +-
5242 arch/x86/mm/pat_rbtree.c | 2 +-
5243 arch/x86/mm/pf_in.c | 10 +-
5244 arch/x86/mm/pgtable.c | 151 +-
5245 arch/x86/mm/pgtable_32.c | 3 +
5246 arch/x86/mm/physaddr.c | 4 +-
5247 arch/x86/mm/setup_nx.c | 7 +
5248 arch/x86/mm/tlb.c | 4 +
5249 arch/x86/mm/uderef_64.c | 37 +
5250 arch/x86/net/bpf_jit.S | 14 +
5251 arch/x86/net/bpf_jit_comp.c | 38 +-
5252 arch/x86/oprofile/backtrace.c | 8 +-
5253 arch/x86/oprofile/nmi_int.c | 8 +-
5254 arch/x86/oprofile/op_model_amd.c | 8 +-
5255 arch/x86/oprofile/op_model_ppro.c | 7 +-
5256 arch/x86/oprofile/op_x86_model.h | 2 +-
5257 arch/x86/pci/intel_mid_pci.c | 2 +-
5258 arch/x86/pci/irq.c | 8 +-
5259 arch/x86/pci/pcbios.c | 144 +-
5260 arch/x86/platform/efi/efi_32.c | 24 +
5261 arch/x86/platform/efi/efi_64.c | 10 +
5262 arch/x86/platform/efi/efi_stub_32.S | 64 +-
5263 arch/x86/platform/efi/efi_stub_64.S | 8 +
5264 arch/x86/platform/intel-mid/intel-mid.c | 3 +-
5265 arch/x86/platform/olpc/olpc_dt.c | 2 +-
5266 arch/x86/power/cpu.c | 11 +-
5267 arch/x86/realmode/init.c | 10 +-
5268 arch/x86/realmode/rm/Makefile | 3 +
5269 arch/x86/realmode/rm/header.S | 4 +-
5270 arch/x86/realmode/rm/trampoline_32.S | 12 +-
5271 arch/x86/realmode/rm/trampoline_64.S | 3 +-
5272 arch/x86/tools/Makefile | 2 +-
5273 arch/x86/tools/relocs.c | 94 +-
5274 arch/x86/um/tls_32.c | 2 +-
5275 arch/x86/vdso/Makefile | 2 +-
5276 arch/x86/vdso/vdso32-setup.c | 23 +-
5277 arch/x86/vdso/vma.c | 29 +-
5278 arch/x86/xen/enlighten.c | 45 +-
5279 arch/x86/xen/mmu.c | 11 +-
5280 arch/x86/xen/smp.c | 21 +-
5281 arch/x86/xen/xen-asm_32.S | 12 +-
5282 arch/x86/xen/xen-head.S | 11 +
5283 arch/x86/xen/xen-ops.h | 2 -
5284 block/blk-cgroup.c | 4 +-
5285 block/blk-iopoll.c | 2 +-
5286 block/blk-map.c | 2 +-
5287 block/blk-softirq.c | 2 +-
5288 block/bsg.c | 12 +-
5289 block/compat_ioctl.c | 2 +-
5290 block/genhd.c | 9 +-
5291 block/partitions/efi.c | 8 +-
5292 block/scsi_ioctl.c | 29 +-
5293 crypto/cryptd.c | 4 +-
5294 crypto/pcrypt.c | 2 +-
5295 drivers/acpi/apei/apei-internal.h | 2 +-
5296 drivers/acpi/apei/ghes.c | 4 +-
5297 drivers/acpi/bgrt.c | 6 +-
5298 drivers/acpi/blacklist.c | 4 +-
5299 drivers/acpi/processor_idle.c | 2 +-
5300 drivers/acpi/sysfs.c | 4 +-
5301 drivers/ata/libahci.c | 2 +-
5302 drivers/ata/libata-core.c | 12 +-
5303 drivers/ata/libata-scsi.c | 2 +-
5304 drivers/ata/libata.h | 2 +-
5305 drivers/ata/pata_arasan_cf.c | 4 +-
5306 drivers/atm/adummy.c | 2 +-
5307 drivers/atm/ambassador.c | 8 +-
5308 drivers/atm/atmtcp.c | 14 +-
5309 drivers/atm/eni.c | 10 +-
5310 drivers/atm/firestream.c | 8 +-
5311 drivers/atm/fore200e.c | 14 +-
5312 drivers/atm/he.c | 18 +-
5313 drivers/atm/horizon.c | 4 +-
5314 drivers/atm/idt77252.c | 36 +-
5315 drivers/atm/iphase.c | 34 +-
5316 drivers/atm/lanai.c | 12 +-
5317 drivers/atm/nicstar.c | 46 +-
5318 drivers/atm/solos-pci.c | 4 +-
5319 drivers/atm/suni.c | 4 +-
5320 drivers/atm/uPD98402.c | 16 +-
5321 drivers/atm/zatm.c | 6 +-
5322 drivers/base/bus.c | 4 +-
5323 drivers/base/devtmpfs.c | 8 +-
5324 drivers/base/node.c | 2 +-
5325 drivers/base/power/domain.c | 4 +-
5326 drivers/base/power/sysfs.c | 2 +-
5327 drivers/base/power/wakeup.c | 8 +-
5328 drivers/base/syscore.c | 4 +-
5329 drivers/block/cciss.c | 28 +-
5330 drivers/block/cciss.h | 2 +-
5331 drivers/block/cpqarray.c | 28 +-
5332 drivers/block/cpqarray.h | 2 +-
5333 drivers/block/drbd/drbd_int.h | 6 +-
5334 drivers/block/drbd/drbd_main.c | 8 +-
5335 drivers/block/drbd/drbd_nl.c | 4 +-
5336 drivers/block/drbd/drbd_receiver.c | 22 +-
5337 drivers/block/loop.c | 2 +-
5338 drivers/block/null_blk.c | 27 +-
5339 drivers/block/pktcdvd.c | 4 +-
5340 drivers/bluetooth/btwilink.c | 2 +-
5341 drivers/bus/arm-cci.c | 2 +-
5342 drivers/cdrom/cdrom.c | 11 +-
5343 drivers/cdrom/gdrom.c | 1 -
5344 drivers/char/agp/compat_ioctl.c | 2 +-
5345 drivers/char/agp/frontend.c | 4 +-
5346 drivers/char/hpet.c | 2 +-
5347 drivers/char/hw_random/intel-rng.c | 2 +-
5348 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
5349 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
5350 drivers/char/mem.c | 43 +-
5351 drivers/char/nvram.c | 2 +-
5352 drivers/char/pcmcia/synclink_cs.c | 18 +-
5353 drivers/char/random.c | 12 +-
5354 drivers/char/sonypi.c | 9 +-
5355 drivers/char/tpm/tpm_acpi.c | 3 +-
5356 drivers/char/tpm/tpm_eventlog.c | 7 +-
5357 drivers/char/virtio_console.c | 4 +-
5358 drivers/clk/clk-composite.c | 2 +-
5359 drivers/clk/socfpga/clk.c | 9 +-
5360 drivers/cpufreq/acpi-cpufreq.c | 13 +-
5361 drivers/cpufreq/cpufreq.c | 11 +-
5362 drivers/cpufreq/cpufreq_governor.c | 6 +-
5363 drivers/cpufreq/cpufreq_governor.h | 4 +-
5364 drivers/cpufreq/cpufreq_ondemand.c | 10 +-
5365 drivers/cpufreq/cpufreq_stats.c | 2 +-
5366 drivers/cpufreq/intel_pstate.c | 25 +-
5367 drivers/cpufreq/p4-clockmod.c | 12 +-
5368 drivers/cpufreq/sparc-us3-cpufreq.c | 70 +-
5369 drivers/cpufreq/speedstep-centrino.c | 7 +-
5370 drivers/cpuidle/driver.c | 2 +-
5371 drivers/cpuidle/governor.c | 2 +-
5372 drivers/cpuidle/sysfs.c | 2 +-
5373 drivers/crypto/hifn_795x.c | 4 +-
5374 drivers/devfreq/devfreq.c | 4 +-
5375 drivers/dma/sh/shdmac.c | 2 +-
5376 drivers/edac/edac_device.c | 4 +-
5377 drivers/edac/edac_mc_sysfs.c | 12 +-
5378 drivers/edac/edac_pci.c | 4 +-
5379 drivers/edac/edac_pci_sysfs.c | 22 +-
5380 drivers/edac/mce_amd.h | 2 +-
5381 drivers/firewire/core-card.c | 6 +-
5382 drivers/firewire/core-device.c | 2 +-
5383 drivers/firewire/core-transaction.c | 1 +
5384 drivers/firewire/core.h | 1 +
5385 drivers/firmware/dmi-id.c | 2 +-
5386 drivers/firmware/dmi_scan.c | 2 +-
5387 drivers/firmware/efi/cper.c | 8 +-
5388 drivers/firmware/efi/efi.c | 12 +-
5389 drivers/firmware/efi/efivars.c | 2 +-
5390 drivers/firmware/google/memconsole.c | 4 +-
5391 drivers/gpio/gpio-ich.c | 2 +-
5392 drivers/gpio/gpio-vr41xx.c | 2 +-
5393 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
5394 drivers/gpu/drm/drm_drv.c | 4 +-
5395 drivers/gpu/drm/drm_fops.c | 12 +-
5396 drivers/gpu/drm/drm_global.c | 14 +-
5397 drivers/gpu/drm/drm_info.c | 14 +-
5398 drivers/gpu/drm/drm_ioc32.c | 13 +-
5399 drivers/gpu/drm/drm_stub.c | 2 +-
5400 drivers/gpu/drm/drm_sysfs.c | 2 +-
5401 drivers/gpu/drm/i810/i810_drv.h | 4 +-
5402 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
5403 drivers/gpu/drm/i915/i915_dma.c | 2 +-
5404 drivers/gpu/drm/i915/i915_drv.h | 2 +-
5405 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
5406 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
5407 drivers/gpu/drm/i915/i915_irq.c | 26 +-
5408 drivers/gpu/drm/i915/intel_display.c | 26 +-
5409 drivers/gpu/drm/mga/mga_drv.h | 4 +-
5410 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
5411 drivers/gpu/drm/mga/mga_irq.c | 8 +-
5412 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
5413 drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
5414 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
5415 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
5416 drivers/gpu/drm/qxl/qxl_cmd.c | 12 +-
5417 drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +-
5418 drivers/gpu/drm/qxl/qxl_drv.h | 8 +-
5419 drivers/gpu/drm/qxl/qxl_irq.c | 16 +-
5420 drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
5421 drivers/gpu/drm/r128/r128_cce.c | 2 +-
5422 drivers/gpu/drm/r128/r128_drv.h | 4 +-
5423 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
5424 drivers/gpu/drm/r128/r128_irq.c | 4 +-
5425 drivers/gpu/drm/r128/r128_state.c | 4 +-
5426 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
5427 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
5428 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
5429 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
5430 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
5431 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
5432 drivers/gpu/drm/radeon/radeon_ttm.c | 61 +-
5433 drivers/gpu/drm/tegra/dc.c | 2 +-
5434 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
5435 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
5436 drivers/gpu/drm/udl/udl_fb.c | 1 -
5437 drivers/gpu/drm/via/via_drv.h | 4 +-
5438 drivers/gpu/drm/via/via_irq.c | 18 +-
5439 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
5440 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
5441 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
5442 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
5443 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
5444 drivers/gpu/vga/vga_switcheroo.c | 4 +-
5445 drivers/hid/hid-core.c | 4 +-
5446 drivers/hid/uhid.c | 6 +-
5447 drivers/hv/channel.c | 4 +-
5448 drivers/hv/hv.c | 2 +-
5449 drivers/hv/hv_balloon.c | 18 +-
5450 drivers/hv/hyperv_vmbus.h | 2 +-
5451 drivers/hv/vmbus_drv.c | 4 +-
5452 drivers/hwmon/acpi_power_meter.c | 4 +-
5453 drivers/hwmon/applesmc.c | 2 +-
5454 drivers/hwmon/asus_atk0110.c | 10 +-
5455 drivers/hwmon/coretemp.c | 2 +-
5456 drivers/hwmon/ibmaem.c | 2 +-
5457 drivers/hwmon/iio_hwmon.c | 2 +-
5458 drivers/hwmon/nct6775.c | 6 +-
5459 drivers/hwmon/pmbus/pmbus_core.c | 10 +-
5460 drivers/hwmon/sht15.c | 12 +-
5461 drivers/hwmon/via-cputemp.c | 2 +-
5462 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
5463 drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
5464 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
5465 drivers/i2c/i2c-dev.c | 2 +-
5466 drivers/ide/ide-cd.c | 2 +-
5467 drivers/iio/industrialio-core.c | 2 +-
5468 drivers/infiniband/core/cm.c | 32 +-
5469 drivers/infiniband/core/fmr_pool.c | 20 +-
5470 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
5471 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
5472 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
5473 drivers/infiniband/hw/mlx4/mad.c | 2 +-
5474 drivers/infiniband/hw/mlx4/mcg.c | 2 +-
5475 drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
5476 drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +-
5477 drivers/infiniband/hw/mthca/mthca_main.c | 2 +-
5478 drivers/infiniband/hw/mthca/mthca_mr.c | 6 +-
5479 drivers/infiniband/hw/mthca/mthca_provider.c | 2 +-
5480 drivers/infiniband/hw/nes/nes.c | 4 +-
5481 drivers/infiniband/hw/nes/nes.h | 40 +-
5482 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
5483 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
5484 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
5485 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
5486 drivers/infiniband/hw/qib/qib.h | 1 +
5487 drivers/input/gameport/gameport.c | 4 +-
5488 drivers/input/input.c | 4 +-
5489 drivers/input/joystick/sidewinder.c | 1 +
5490 drivers/input/joystick/xpad.c | 4 +-
5491 drivers/input/misc/ims-pcu.c | 4 +-
5492 drivers/input/mouse/psmouse.h | 2 +-
5493 drivers/input/mousedev.c | 2 +-
5494 drivers/input/serio/serio.c | 4 +-
5495 drivers/input/serio/serio_raw.c | 4 +-
5496 drivers/iommu/iommu.c | 2 +-
5497 drivers/iommu/irq_remapping.c | 12 +-
5498 drivers/irqchip/irq-gic.c | 4 +-
5499 drivers/isdn/capi/capi.c | 10 +-
5500 drivers/isdn/gigaset/interface.c | 8 +-
5501 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
5502 drivers/isdn/hardware/avm/b1.c | 4 +-
5503 drivers/isdn/i4l/isdn_common.c | 2 +
5504 drivers/isdn/i4l/isdn_tty.c | 22 +-
5505 drivers/isdn/icn/icn.c | 2 +-
5506 drivers/isdn/mISDN/dsp_cmx.c | 2 +-
5507 drivers/leds/leds-clevo-mail.c | 2 +-
5508 drivers/leds/leds-ss4200.c | 2 +-
5509 drivers/lguest/core.c | 10 +-
5510 drivers/lguest/page_tables.c | 2 +-
5511 drivers/lguest/x86/core.c | 12 +-
5512 drivers/lguest/x86/switcher_32.S | 27 +-
5513 drivers/md/bcache/closure.h | 2 +-
5514 drivers/md/bitmap.c | 2 +-
5515 drivers/md/dm-ioctl.c | 2 +-
5516 drivers/md/dm-raid1.c | 16 +-
5517 drivers/md/dm-stats.c | 6 +-
5518 drivers/md/dm-stripe.c | 10 +-
5519 drivers/md/dm-table.c | 4 +-
5520 drivers/md/dm-thin-metadata.c | 4 +-
5521 drivers/md/dm.c | 16 +-
5522 drivers/md/md.c | 26 +-
5523 drivers/md/md.h | 6 +-
5524 drivers/md/persistent-data/dm-space-map.h | 1 +
5525 drivers/md/raid1.c | 4 +-
5526 drivers/md/raid10.c | 16 +-
5527 drivers/md/raid5.c | 10 +-
5528 drivers/media/dvb-core/dvbdev.c | 2 +-
5529 drivers/media/dvb-frontends/dib3000.h | 2 +-
5530 drivers/media/pci/cx88/cx88-video.c | 6 +-
5531 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
5532 drivers/media/platform/omap/omap_vout.c | 11 +-
5533 drivers/media/platform/s5p-tv/mixer.h | 2 +-
5534 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
5535 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
5536 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
5537 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
5538 drivers/media/platform/vivi.c | 4 +-
5539 drivers/media/radio/radio-cadet.c | 2 +
5540 drivers/media/radio/radio-maxiradio.c | 2 +-
5541 drivers/media/radio/radio-shark.c | 2 +-
5542 drivers/media/radio/radio-shark2.c | 2 +-
5543 drivers/media/radio/radio-si476x.c | 2 +-
5544 drivers/media/rc/rc-main.c | 4 +-
5545 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
5546 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
5547 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
5548 drivers/media/v4l2-core/v4l2-device.c | 4 +-
5549 drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
5550 drivers/message/fusion/mptsas.c | 34 +-
5551 drivers/message/fusion/mptscsih.c | 19 +-
5552 drivers/message/i2o/i2o_proc.c | 67 +-
5553 drivers/message/i2o/iop.c | 8 +-
5554 drivers/mfd/janz-cmodio.c | 1 +
5555 drivers/mfd/max8925-i2c.c | 2 +-
5556 drivers/mfd/tps65910.c | 2 +-
5557 drivers/mfd/twl4030-irq.c | 9 +-
5558 drivers/misc/c2port/core.c | 4 +-
5559 drivers/misc/kgdbts.c | 4 +-
5560 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
5561 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
5562 drivers/misc/sgi-gru/gruhandles.c | 4 +-
5563 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
5564 drivers/misc/sgi-gru/grutables.h | 154 +-
5565 drivers/misc/sgi-xp/xp.h | 2 +-
5566 drivers/misc/sgi-xp/xpc.h | 3 +-
5567 drivers/misc/sgi-xp/xpc_main.c | 4 +-
5568 drivers/mmc/core/mmc_ops.c | 2 +-
5569 drivers/mmc/host/dw_mmc.h | 2 +-
5570 drivers/mmc/host/mmci.c | 4 +-
5571 drivers/mmc/host/sdhci-s3c.c | 8 +-
5572 drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
5573 drivers/mtd/nand/denali.c | 1 +
5574 drivers/mtd/nftlmount.c | 1 +
5575 drivers/mtd/sm_ftl.c | 2 +-
5576 drivers/net/bonding/bond_netlink.c | 2 +-
5577 drivers/net/ethernet/8390/ax88796.c | 4 +-
5578 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
5579 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
5580 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
5581 drivers/net/ethernet/broadcom/tg3.h | 1 +
5582 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
5583 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
5584 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
5585 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
5586 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
5587 drivers/net/ethernet/faraday/ftmac100.c | 2 +
5588 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
5589 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
5590 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
5591 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
5592 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
5593 drivers/net/ethernet/realtek/r8169.c | 8 +-
5594 drivers/net/ethernet/sfc/ptp.c | 2 +-
5595 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
5596 drivers/net/hyperv/hyperv_net.h | 2 +-
5597 drivers/net/hyperv/rndis_filter.c | 4 +-
5598 drivers/net/ieee802154/fakehard.c | 2 +-
5599 drivers/net/macvlan.c | 18 +-
5600 drivers/net/macvtap.c | 2 +-
5601 drivers/net/ppp/ppp_generic.c | 4 +-
5602 drivers/net/slip/slhc.c | 2 +-
5603 drivers/net/team/team.c | 2 +-
5604 drivers/net/tun.c | 5 +-
5605 drivers/net/usb/hso.c | 23 +-
5606 drivers/net/usb/sierra_net.c | 4 +-
5607 drivers/net/vxlan.c | 2 +-
5608 drivers/net/wimax/i2400m/rx.c | 2 +-
5609 drivers/net/wireless/airo.c | 2 +-
5610 drivers/net/wireless/at76c50x-usb.c | 2 +-
5611 drivers/net/wireless/ath/ath10k/htc.c | 7 +-
5612 drivers/net/wireless/ath/ath10k/htc.h | 4 +-
5613 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
5614 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
5615 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
5616 drivers/net/wireless/b43/phy_lp.c | 2 +-
5617 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
5618 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
5619 drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
5620 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
5621 drivers/net/wireless/mac80211_hwsim.c | 32 +-
5622 drivers/net/wireless/rndis_wlan.c | 2 +-
5623 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
5624 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
5625 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
5626 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
5627 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
5628 drivers/nfc/nfcwilink.c | 2 +-
5629 drivers/oprofile/buffer_sync.c | 8 +-
5630 drivers/oprofile/event_buffer.c | 2 +-
5631 drivers/oprofile/oprof.c | 2 +-
5632 drivers/oprofile/oprofile_files.c | 2 +-
5633 drivers/oprofile/oprofile_stats.c | 10 +-
5634 drivers/oprofile/oprofile_stats.h | 10 +-
5635 drivers/oprofile/oprofilefs.c | 6 +-
5636 drivers/oprofile/timer_int.c | 2 +-
5637 drivers/parport/procfs.c | 4 +-
5638 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
5639 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
5640 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
5641 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
5642 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
5643 drivers/pci/hotplug/pciehp_core.c | 2 +-
5644 drivers/pci/pci-sysfs.c | 6 +-
5645 drivers/pci/pci.h | 2 +-
5646 drivers/pci/pcie/aspm.c | 6 +-
5647 drivers/pci/probe.c | 2 +-
5648 drivers/platform/chrome/chromeos_laptop.c | 2 +-
5649 drivers/platform/x86/msi-laptop.c | 14 +-
5650 drivers/platform/x86/msi-wmi.c | 2 +-
5651 drivers/platform/x86/sony-laptop.c | 2 +-
5652 drivers/platform/x86/thinkpad_acpi.c | 70 +-
5653 drivers/pnp/pnpbios/bioscalls.c | 14 +-
5654 drivers/pnp/resource.c | 4 +-
5655 drivers/power/pda_power.c | 7 +-
5656 drivers/power/power_supply.h | 4 +-
5657 drivers/power/power_supply_core.c | 7 +-
5658 drivers/power/power_supply_sysfs.c | 6 +-
5659 drivers/powercap/powercap_sys.c | 136 +-
5660 drivers/regulator/core.c | 4 +-
5661 drivers/regulator/max8660.c | 6 +-
5662 drivers/regulator/max8973-regulator.c | 8 +-
5663 drivers/regulator/mc13892-regulator.c | 6 +-
5664 drivers/rtc/rtc-cmos.c | 4 +-
5665 drivers/rtc/rtc-ds1307.c | 2 +-
5666 drivers/rtc/rtc-m48t59.c | 4 +-
5667 drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +-
5668 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
5669 drivers/scsi/bfa/bfa_ioc.h | 4 +-
5670 drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
5671 drivers/scsi/hosts.c | 4 +-
5672 drivers/scsi/hpsa.c | 30 +-
5673 drivers/scsi/hpsa.h | 2 +-
5674 drivers/scsi/libfc/fc_exch.c | 50 +-
5675 drivers/scsi/libsas/sas_ata.c | 2 +-
5676 drivers/scsi/lpfc/lpfc.h | 8 +-
5677 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
5678 drivers/scsi/lpfc/lpfc_init.c | 6 +-
5679 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
5680 drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
5681 drivers/scsi/pmcraid.c | 20 +-
5682 drivers/scsi/pmcraid.h | 8 +-
5683 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
5684 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
5685 drivers/scsi/qla2xxx/qla_os.c | 6 +-
5686 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
5687 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
5688 drivers/scsi/scsi.c | 2 +-
5689 drivers/scsi/scsi_lib.c | 6 +-
5690 drivers/scsi/scsi_sysfs.c | 2 +-
5691 drivers/scsi/scsi_tgt_lib.c | 2 +-
5692 drivers/scsi/scsi_transport_fc.c | 8 +-
5693 drivers/scsi/scsi_transport_iscsi.c | 6 +-
5694 drivers/scsi/scsi_transport_srp.c | 6 +-
5695 drivers/scsi/sd.c | 2 +-
5696 drivers/scsi/sg.c | 2 +-
5697 drivers/spi/spi.c | 2 +-
5698 drivers/staging/android/timed_output.c | 6 +-
5699 drivers/staging/gdm724x/gdm_tty.c | 2 +-
5700 drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +-
5701 drivers/staging/lustre/lnet/selftest/framework.c | 4 -
5702 drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
5703 drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
5704 drivers/staging/lustre/lustre/include/obd.h | 2 +-
5705 .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +-
5706 drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
5707 drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
5708 drivers/staging/media/solo6x10/solo6x10.h | 2 +-
5709 drivers/staging/octeon/ethernet-rx.c | 12 +-
5710 drivers/staging/octeon/ethernet.c | 8 +-
5711 drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
5712 drivers/staging/rtl8188eu/include/rtw_io.h | 2 +-
5713 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
5714 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
5715 drivers/staging/usbip/vhci.h | 2 +-
5716 drivers/staging/usbip/vhci_hcd.c | 6 +-
5717 drivers/staging/usbip/vhci_rx.c | 2 +-
5718 drivers/staging/vt6655/hostap.c | 7 +-
5719 drivers/staging/vt6656/hostap.c | 7 +-
5720 drivers/target/sbp/sbp_target.c | 4 +-
5721 drivers/target/target_core_device.c | 2 +-
5722 drivers/target/target_core_transport.c | 2 +-
5723 drivers/tty/cyclades.c | 6 +-
5724 drivers/tty/hvc/hvc_console.c | 14 +-
5725 drivers/tty/hvc/hvcs.c | 21 +-
5726 drivers/tty/hvc/hvsi.c | 12 +-
5727 drivers/tty/hvc/hvsi_lib.c | 4 +-
5728 drivers/tty/ipwireless/tty.c | 27 +-
5729 drivers/tty/moxa.c | 2 +-
5730 drivers/tty/n_gsm.c | 4 +-
5731 drivers/tty/n_tty.c | 5 +-
5732 drivers/tty/pty.c | 4 +-
5733 drivers/tty/rocket.c | 6 +-
5734 drivers/tty/serial/ioc4_serial.c | 6 +-
5735 drivers/tty/serial/kgdboc.c | 32 +-
5736 drivers/tty/serial/msm_serial.c | 4 +-
5737 drivers/tty/serial/samsung.c | 9 +-
5738 drivers/tty/serial/serial_core.c | 8 +-
5739 drivers/tty/synclink.c | 34 +-
5740 drivers/tty/synclink_gt.c | 28 +-
5741 drivers/tty/synclinkmp.c | 34 +-
5742 drivers/tty/tty_io.c | 2 +-
5743 drivers/tty/tty_ldisc.c | 8 +-
5744 drivers/tty/tty_port.c | 22 +-
5745 drivers/uio/uio.c | 15 +-
5746 drivers/usb/atm/cxacru.c | 2 +-
5747 drivers/usb/atm/usbatm.c | 24 +-
5748 drivers/usb/core/devices.c | 6 +-
5749 drivers/usb/core/devio.c | 10 +-
5750 drivers/usb/core/hcd.c | 4 +-
5751 drivers/usb/core/message.c | 6 +-
5752 drivers/usb/core/sysfs.c | 2 +-
5753 drivers/usb/core/usb.c | 2 +-
5754 drivers/usb/dwc3/gadget.c | 2 -
5755 drivers/usb/early/ehci-dbgp.c | 16 +-
5756 drivers/usb/gadget/u_serial.c | 22 +-
5757 drivers/usb/host/ehci-hub.c | 4 +-
5758 drivers/usb/misc/appledisplay.c | 4 +-
5759 drivers/usb/serial/console.c | 8 +-
5760 drivers/usb/storage/usb.h | 2 +-
5761 drivers/usb/wusbcore/wa-hc.h | 4 +-
5762 drivers/usb/wusbcore/wa-xfer.c | 2 +-
5763 drivers/vfio/vfio.c | 2 +-
5764 drivers/vhost/vringh.c | 2 +-
5765 drivers/video/aty/aty128fb.c | 2 +-
5766 drivers/video/aty/atyfb_base.c | 8 +-
5767 drivers/video/aty/mach64_cursor.c | 5 +-
5768 drivers/video/backlight/kb3886_bl.c | 2 +-
5769 drivers/video/fb_defio.c | 6 +-
5770 drivers/video/fbmem.c | 6 +-
5771 drivers/video/hyperv_fb.c | 4 +-
5772 drivers/video/i810/i810_accel.c | 1 +
5773 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
5774 drivers/video/nvidia/nvidia.c | 27 +-
5775 drivers/video/omap2/dss/display.c | 8 +-
5776 drivers/video/s1d13xxxfb.c | 6 +-
5777 drivers/video/smscufx.c | 4 +-
5778 drivers/video/udlfb.c | 36 +-
5779 drivers/video/uvesafb.c | 53 +-
5780 drivers/video/vesafb.c | 58 +-
5781 drivers/video/via/via_clock.h | 2 +-
5782 fs/9p/vfs_addr.c | 2 +-
5783 fs/9p/vfs_inode.c | 2 +-
5784 fs/Kconfig.binfmt | 2 +-
5785 fs/afs/inode.c | 4 +-
5786 fs/aio.c | 2 +-
5787 fs/autofs4/waitq.c | 2 +-
5788 fs/befs/endian.h | 6 +-
5789 fs/binfmt_aout.c | 23 +-
5790 fs/binfmt_elf.c | 678 +++-
5791 fs/binfmt_flat.c | 6 +
5792 fs/bio.c | 6 +-
5793 fs/block_dev.c | 2 +-
5794 fs/btrfs/ctree.c | 9 +-
5795 fs/btrfs/delayed-inode.c | 6 +-
5796 fs/btrfs/delayed-inode.h | 4 +-
5797 fs/btrfs/super.c | 2 +-
5798 fs/buffer.c | 2 +-
5799 fs/cachefiles/bind.c | 6 +-
5800 fs/cachefiles/daemon.c | 8 +-
5801 fs/cachefiles/internal.h | 12 +-
5802 fs/cachefiles/namei.c | 2 +-
5803 fs/cachefiles/proc.c | 12 +-
5804 fs/cachefiles/rdwr.c | 2 +-
5805 fs/ceph/dir.c | 2 +-
5806 fs/ceph/super.c | 4 +-
5807 fs/cifs/cifs_debug.c | 12 +-
5808 fs/cifs/cifsfs.c | 8 +-
5809 fs/cifs/cifsglob.h | 54 +-
5810 fs/cifs/file.c | 10 +-
5811 fs/cifs/misc.c | 4 +-
5812 fs/cifs/smb1ops.c | 80 +-
5813 fs/cifs/smb2ops.c | 84 +-
5814 fs/cifs/smb2pdu.c | 3 +-
5815 fs/coda/cache.c | 10 +-
5816 fs/compat.c | 4 +-
5817 fs/compat_binfmt_elf.c | 2 +
5818 fs/compat_ioctl.c | 12 +-
5819 fs/configfs/dir.c | 10 +-
5820 fs/coredump.c | 16 +-
5821 fs/dcache.c | 5 +-
5822 fs/ecryptfs/inode.c | 2 +-
5823 fs/ecryptfs/miscdev.c | 2 +-
5824 fs/exec.c | 362 ++-
5825 fs/ext2/xattr.c | 5 +-
5826 fs/ext3/xattr.c | 5 +-
5827 fs/ext4/ext4.h | 20 +-
5828 fs/ext4/mballoc.c | 44 +-
5829 fs/ext4/mmp.c | 2 +-
5830 fs/ext4/super.c | 4 +-
5831 fs/ext4/xattr.c | 5 +-
5832 fs/fhandle.c | 3 +-
5833 fs/file.c | 4 +-
5834 fs/fs_struct.c | 8 +-
5835 fs/fscache/cookie.c | 40 +-
5836 fs/fscache/internal.h | 200 +-
5837 fs/fscache/object.c | 26 +-
5838 fs/fscache/operation.c | 30 +-
5839 fs/fscache/page.c | 110 +-
5840 fs/fscache/stats.c | 344 +-
5841 fs/fuse/cuse.c | 10 +-
5842 fs/fuse/dev.c | 4 +-
5843 fs/fuse/dir.c | 2 +-
5844 fs/hostfs/hostfs_kern.c | 2 +-
5845 fs/hugetlbfs/inode.c | 13 +-
5846 fs/inode.c | 4 +-
5847 fs/jffs2/erase.c | 3 +-
5848 fs/jffs2/wbuf.c | 3 +-
5849 fs/jfs/super.c | 2 +-
5850 fs/libfs.c | 12 +-
5851 fs/lockd/clntproc.c | 4 +-
5852 fs/locks.c | 8 +-
5853 fs/namei.c | 15 +-
5854 fs/namespace.c | 16 +-
5855 fs/nfs/callback_xdr.c | 2 +-
5856 fs/nfs/inode.c | 6 +-
5857 fs/nfsd/nfs4proc.c | 2 +-
5858 fs/nfsd/nfs4xdr.c | 2 +-
5859 fs/nfsd/nfscache.c | 9 +-
5860 fs/nfsd/vfs.c | 6 +-
5861 fs/nls/nls_base.c | 18 +-
5862 fs/nls/nls_euc-jp.c | 6 +-
5863 fs/nls/nls_koi8-ru.c | 6 +-
5864 fs/notify/fanotify/fanotify_user.c | 4 +-
5865 fs/notify/notification.c | 4 +-
5866 fs/ntfs/dir.c | 2 +-
5867 fs/ntfs/file.c | 2 +-
5868 fs/ntfs/super.c | 6 +-
5869 fs/ocfs2/localalloc.c | 2 +-
5870 fs/ocfs2/ocfs2.h | 10 +-
5871 fs/ocfs2/suballoc.c | 12 +-
5872 fs/ocfs2/super.c | 20 +-
5873 fs/pipe.c | 59 +-
5874 fs/proc/array.c | 20 +
5875 fs/proc/base.c | 4 +-
5876 fs/proc/kcore.c | 32 +-
5877 fs/proc/meminfo.c | 2 +-
5878 fs/proc/nommu.c | 2 +-
5879 fs/proc/proc_sysctl.c | 18 +-
5880 fs/proc/task_mmu.c | 39 +-
5881 fs/proc/task_nommu.c | 4 +-
5882 fs/proc/vmcore.c | 12 +-
5883 fs/qnx6/qnx6.h | 4 +-
5884 fs/quota/netlink.c | 4 +-
5885 fs/read_write.c | 2 +-
5886 fs/reiserfs/do_balan.c | 2 +-
5887 fs/reiserfs/procfs.c | 2 +-
5888 fs/reiserfs/reiserfs.h | 4 +-
5889 fs/seq_file.c | 4 +-
5890 fs/splice.c | 41 +-
5891 fs/sysfs/dir.c | 2 +-
5892 fs/sysfs/file.c | 16 +-
5893 fs/sysfs/symlink.c | 2 +-
5894 fs/sysv/sysv.h | 2 +-
5895 fs/ubifs/io.c | 2 +-
5896 fs/udf/misc.c | 2 +-
5897 fs/ufs/swab.h | 4 +-
5898 fs/xattr.c | 21 +
5899 fs/xattr_acl.c | 4 +-
5900 fs/xfs/xfs_bmap.c | 2 +-
5901 fs/xfs/xfs_dir2_readdir.c | 7 +-
5902 fs/xfs/xfs_ioctl.c | 2 +-
5903 fs/xfs/xfs_iops.c | 2 +-
5904 include/asm-generic/4level-fixup.h | 2 +
5905 include/asm-generic/atomic-long.h | 212 +-
5906 include/asm-generic/atomic.h | 2 +-
5907 include/asm-generic/atomic64.h | 12 +
5908 include/asm-generic/bitops/__fls.h | 2 +-
5909 include/asm-generic/bitops/fls.h | 2 +-
5910 include/asm-generic/bitops/fls64.h | 4 +-
5911 include/asm-generic/cache.h | 4 +-
5912 include/asm-generic/emergency-restart.h | 2 +-
5913 include/asm-generic/kmap_types.h | 4 +-
5914 include/asm-generic/local.h | 13 +
5915 include/asm-generic/pgtable-nopmd.h | 18 +-
5916 include/asm-generic/pgtable-nopud.h | 15 +-
5917 include/asm-generic/pgtable.h | 16 +
5918 include/asm-generic/uaccess.h | 16 +
5919 include/asm-generic/vmlinux.lds.h | 10 +-
5920 include/crypto/algapi.h | 2 +-
5921 include/drm/drmP.h | 15 +-
5922 include/drm/drm_crtc_helper.h | 2 +-
5923 include/drm/i915_pciids.h | 2 +-
5924 include/drm/ttm/ttm_memory.h | 2 +-
5925 include/keys/asymmetric-subtype.h | 2 +-
5926 include/linux/atmdev.h | 4 +-
5927 include/linux/audit.h | 2 +-
5928 include/linux/binfmts.h | 3 +-
5929 include/linux/bitops.h | 6 +-
5930 include/linux/blkdev.h | 2 +-
5931 include/linux/blktrace_api.h | 2 +-
5932 include/linux/cache.h | 8 +
5933 include/linux/cdrom.h | 1 -
5934 include/linux/cleancache.h | 2 +-
5935 include/linux/clk-provider.h | 1 +
5936 include/linux/compat.h | 4 +-
5937 include/linux/compiler-gcc4.h | 20 +
5938 include/linux/compiler.h | 65 +-
5939 include/linux/completion.h | 12 +-
5940 include/linux/configfs.h | 2 +-
5941 include/linux/cpufreq.h | 3 +-
5942 include/linux/cpuidle.h | 5 +-
5943 include/linux/cpumask.h | 12 +-
5944 include/linux/crypto.h | 6 +-
5945 include/linux/ctype.h | 2 +-
5946 include/linux/decompress/mm.h | 2 +-
5947 include/linux/devfreq.h | 2 +-
5948 include/linux/device.h | 7 +-
5949 include/linux/dma-mapping.h | 2 +-
5950 include/linux/dmaengine.h | 4 +-
5951 include/linux/efi.h | 1 +
5952 include/linux/elf.h | 2 +
5953 include/linux/err.h | 4 +-
5954 include/linux/extcon.h | 2 +-
5955 include/linux/fb.h | 2 +-
5956 include/linux/fdtable.h | 2 +-
5957 include/linux/frontswap.h | 2 +-
5958 include/linux/fs.h | 3 +-
5959 include/linux/fs_struct.h | 2 +-
5960 include/linux/fscache-cache.h | 4 +-
5961 include/linux/fscache.h | 2 +-
5962 include/linux/fsnotify.h | 2 +-
5963 include/linux/genhd.h | 4 +-
5964 include/linux/genl_magic_func.h | 2 +-
5965 include/linux/gfp.h | 12 +-
5966 include/linux/highmem.h | 12 +
5967 include/linux/hwmon-sysfs.h | 6 +-
5968 include/linux/i2c.h | 1 +
5969 include/linux/i2o.h | 2 +-
5970 include/linux/if_pppox.h | 2 +-
5971 include/linux/init.h | 12 +-
5972 include/linux/init_task.h | 7 +
5973 include/linux/interrupt.h | 8 +-
5974 include/linux/iommu.h | 2 +-
5975 include/linux/ioport.h | 2 +-
5976 include/linux/irq.h | 3 +-
5977 include/linux/irqchip/arm-gic.h | 4 +-
5978 include/linux/jiffies.h | 12 +-
5979 include/linux/key-type.h | 2 +-
5980 include/linux/kgdb.h | 6 +-
5981 include/linux/kobject.h | 3 +-
5982 include/linux/kobject_ns.h | 2 +-
5983 include/linux/kref.h | 2 +-
5984 include/linux/kvm_host.h | 4 +-
5985 include/linux/libata.h | 2 +-
5986 include/linux/linkage.h | 1 +
5987 include/linux/list.h | 15 +
5988 include/linux/math64.h | 10 +-
5989 include/linux/mempolicy.h | 7 +
5990 include/linux/mm.h | 118 +-
5991 include/linux/mm_types.h | 20 +
5992 include/linux/mmiotrace.h | 4 +-
5993 include/linux/mmzone.h | 2 +-
5994 include/linux/mod_devicetable.h | 6 +-
5995 include/linux/module.h | 60 +-
5996 include/linux/moduleloader.h | 16 +
5997 include/linux/moduleparam.h | 4 +-
5998 include/linux/namei.h | 6 +-
5999 include/linux/net.h | 2 +-
6000 include/linux/netdevice.h | 3 +-
6001 include/linux/netfilter.h | 2 +-
6002 include/linux/netfilter/nfnetlink.h | 2 +-
6003 include/linux/nls.h | 2 +-
6004 include/linux/notifier.h | 3 +-
6005 include/linux/oprofile.h | 4 +-
6006 include/linux/padata.h | 2 +-
6007 include/linux/pci_hotplug.h | 3 +-
6008 include/linux/perf_event.h | 10 +-
6009 include/linux/pipe_fs_i.h | 8 +-
6010 include/linux/pm.h | 1 +
6011 include/linux/pm_domain.h | 2 +-
6012 include/linux/pm_runtime.h | 2 +-
6013 include/linux/pnp.h | 2 +-
6014 include/linux/poison.h | 4 +-
6015 include/linux/power/smartreflex.h | 2 +-
6016 include/linux/ppp-comp.h | 2 +-
6017 include/linux/preempt.h | 19 +
6018 include/linux/proc_ns.h | 2 +-
6019 include/linux/quota.h | 2 +-
6020 include/linux/random.h | 23 +-
6021 include/linux/rculist.h | 20 +-
6022 include/linux/reboot.h | 14 +-
6023 include/linux/regset.h | 3 +-
6024 include/linux/relay.h | 2 +-
6025 include/linux/rio.h | 2 +-
6026 include/linux/rmap.h | 4 +-
6027 include/linux/sched.h | 68 +-
6028 include/linux/sched/sysctl.h | 1 +
6029 include/linux/security.h | 2 -
6030 include/linux/semaphore.h | 2 +-
6031 include/linux/seq_file.h | 1 +
6032 include/linux/skbuff.h | 12 +-
6033 include/linux/slab.h | 48 +-
6034 include/linux/slab_def.h | 14 +-
6035 include/linux/slub_def.h | 2 +-
6036 include/linux/smp.h | 2 +
6037 include/linux/sock_diag.h | 2 +-
6038 include/linux/sonet.h | 2 +-
6039 include/linux/sunrpc/addr.h | 8 +-
6040 include/linux/sunrpc/clnt.h | 2 +-
6041 include/linux/sunrpc/svc.h | 2 +-
6042 include/linux/sunrpc/svc_rdma.h | 18 +-
6043 include/linux/sunrpc/svcauth.h | 2 +-
6044 include/linux/swiotlb.h | 3 +-
6045 include/linux/syscalls.h | 18 +-
6046 include/linux/syscore_ops.h | 2 +-
6047 include/linux/sysctl.h | 6 +-
6048 include/linux/sysfs.h | 9 +-
6049 include/linux/sysrq.h | 3 +-
6050 include/linux/thread_info.h | 7 +
6051 include/linux/tty.h | 4 +-
6052 include/linux/tty_driver.h | 2 +-
6053 include/linux/tty_ldisc.h | 2 +-
6054 include/linux/types.h | 16 +
6055 include/linux/uaccess.h | 6 +-
6056 include/linux/unaligned/access_ok.h | 24 +-
6057 include/linux/usb.h | 4 +-
6058 include/linux/usb/renesas_usbhs.h | 2 +-
6059 include/linux/vermagic.h | 21 +-
6060 include/linux/vga_switcheroo.h | 8 +-
6061 include/linux/vmalloc.h | 7 +-
6062 include/linux/vmstat.h | 24 +-
6063 include/linux/xattr.h | 5 +-
6064 include/linux/zlib.h | 3 +-
6065 include/media/v4l2-dev.h | 2 +-
6066 include/media/v4l2-device.h | 2 +-
6067 include/net/9p/transport.h | 2 +-
6068 include/net/bluetooth/l2cap.h | 2 +-
6069 include/net/caif/cfctrl.h | 6 +-
6070 include/net/flow.h | 2 +-
6071 include/net/genetlink.h | 2 +-
6072 include/net/gro_cells.h | 2 +-
6073 include/net/inet_connection_sock.h | 2 +-
6074 include/net/inetpeer.h | 17 +-
6075 include/net/ip.h | 2 +-
6076 include/net/ip_fib.h | 2 +-
6077 include/net/ip_vs.h | 8 +-
6078 include/net/irda/ircomm_tty.h | 1 +
6079 include/net/iucv/af_iucv.h | 2 +-
6080 include/net/llc_c_ac.h | 2 +-
6081 include/net/llc_c_ev.h | 4 +-
6082 include/net/llc_c_st.h | 2 +-
6083 include/net/llc_s_ac.h | 2 +-
6084 include/net/llc_s_st.h | 2 +-
6085 include/net/mac80211.h | 2 +-
6086 include/net/neighbour.h | 2 +-
6087 include/net/net_namespace.h | 20 +-
6088 include/net/netdma.h | 2 +-
6089 include/net/netlink.h | 2 +-
6090 include/net/netns/conntrack.h | 6 +-
6091 include/net/netns/ipv4.h | 4 +-
6092 include/net/netns/ipv6.h | 4 +-
6093 include/net/ping.h | 2 +-
6094 include/net/protocol.h | 4 +-
6095 include/net/rtnetlink.h | 2 +-
6096 include/net/sctp/checksum.h | 4 +-
6097 include/net/sctp/sm.h | 4 +-
6098 include/net/sctp/structs.h | 2 +-
6099 include/net/sock.h | 8 +-
6100 include/net/tcp.h | 8 +-
6101 include/net/xfrm.h | 13 +-
6102 include/rdma/iw_cm.h | 2 +-
6103 include/scsi/libfc.h | 3 +-
6104 include/scsi/scsi_device.h | 6 +-
6105 include/scsi/scsi_transport_fc.h | 3 +-
6106 include/sound/compress_driver.h | 2 +-
6107 include/sound/soc.h | 4 +-
6108 include/target/target_core_base.h | 2 +-
6109 include/trace/events/irq.h | 4 +-
6110 include/uapi/linux/a.out.h | 8 +
6111 include/uapi/linux/byteorder/little_endian.h | 28 +-
6112 include/uapi/linux/elf.h | 28 +
6113 include/uapi/linux/screen_info.h | 3 +-
6114 include/uapi/linux/swab.h | 6 +-
6115 include/uapi/linux/sysctl.h | 2 -
6116 include/uapi/linux/xattr.h | 4 +
6117 include/video/udlfb.h | 8 +-
6118 include/video/uvesafb.h | 1 +
6119 init/Kconfig | 2 +-
6120 init/Makefile | 3 +
6121 init/do_mounts.c | 14 +-
6122 init/do_mounts.h | 8 +-
6123 init/do_mounts_initrd.c | 30 +-
6124 init/do_mounts_md.c | 6 +-
6125 init/init_task.c | 4 +
6126 init/initramfs.c | 42 +-
6127 init/main.c | 78 +-
6128 ipc/ipc_sysctl.c | 10 +-
6129 ipc/mq_sysctl.c | 2 +-
6130 ipc/msg.c | 11 +-
6131 ipc/sem.c | 11 +-
6132 ipc/shm.c | 17 +-
6133 kernel/acct.c | 2 +-
6134 kernel/audit.c | 10 +-
6135 kernel/auditsc.c | 4 +-
6136 kernel/capability.c | 3 +
6137 kernel/compat.c | 38 +-
6138 kernel/debug/debug_core.c | 16 +-
6139 kernel/debug/kdb/kdb_main.c | 4 +-
6140 kernel/events/core.c | 28 +-
6141 kernel/events/internal.h | 10 +-
6142 kernel/events/uprobes.c | 2 +-
6143 kernel/exit.c | 4 +-
6144 kernel/fork.c | 166 +-
6145 kernel/futex.c | 11 +-
6146 kernel/futex_compat.c | 2 +-
6147 kernel/gcov/base.c | 7 +-
6148 kernel/hrtimer.c | 2 +-
6149 kernel/irq_work.c | 7 +-
6150 kernel/jump_label.c | 5 +
6151 kernel/kallsyms.c | 39 +-
6152 kernel/kexec.c | 3 +-
6153 kernel/kmod.c | 4 +-
6154 kernel/kprobes.c | 4 +-
6155 kernel/ksysfs.c | 2 +-
6156 kernel/locking/lockdep.c | 7 +-
6157 kernel/locking/mutex-debug.c | 12 +-
6158 kernel/locking/mutex-debug.h | 4 +-
6159 kernel/locking/mutex.c | 10 +-
6160 kernel/locking/rtmutex-tester.c | 24 +-
6161 kernel/module.c | 337 +-
6162 kernel/notifier.c | 17 +-
6163 kernel/padata.c | 4 +-
6164 kernel/panic.c | 3 +-
6165 kernel/pid.c | 2 +-
6166 kernel/pid_namespace.c | 2 +-
6167 kernel/posix-cpu-timers.c | 4 +-
6168 kernel/posix-timers.c | 24 +-
6169 kernel/power/process.c | 12 +-
6170 kernel/profile.c | 14 +-
6171 kernel/ptrace.c | 8 +-
6172 kernel/rcu/srcu.c | 4 +-
6173 kernel/rcu/tiny.c | 4 +-
6174 kernel/rcu/torture.c | 56 +-
6175 kernel/rcu/tree.c | 76 +-
6176 kernel/rcu/tree.h | 26 +-
6177 kernel/rcu/tree_plugin.h | 40 +-
6178 kernel/rcu/tree_trace.c | 22 +-
6179 kernel/rcu/update.c | 4 +-
6180 kernel/sched/auto_group.c | 4 +-
6181 kernel/sched/completion.c | 6 +-
6182 kernel/sched/core.c | 43 +-
6183 kernel/sched/fair.c | 4 +-
6184 kernel/sched/sched.h | 2 +-
6185 kernel/signal.c | 12 +-
6186 kernel/smpboot.c | 4 +-
6187 kernel/softirq.c | 14 +-
6188 kernel/sys.c | 10 +-
6189 kernel/sysctl.c | 34 +-
6190 kernel/time/alarmtimer.c | 2 +-
6191 kernel/time/timer_stats.c | 10 +-
6192 kernel/timer.c | 4 +-
6193 kernel/trace/blktrace.c | 6 +-
6194 kernel/trace/ftrace.c | 18 +-
6195 kernel/trace/ring_buffer.c | 76 +-
6196 kernel/trace/trace.c | 2 +-
6197 kernel/trace/trace.h | 2 +-
6198 kernel/trace/trace_clock.c | 4 +-
6199 kernel/trace/trace_events.c | 1 -
6200 kernel/trace/trace_mmiotrace.c | 8 +-
6201 kernel/trace/trace_output.c | 12 +-
6202 kernel/trace/trace_stack.c | 2 +-
6203 kernel/user_namespace.c | 2 +-
6204 kernel/utsname_sysctl.c | 2 +-
6205 kernel/watchdog.c | 2 +-
6206 kernel/workqueue.c | 2 +-
6207 lib/Kconfig.debug | 8 +-
6208 lib/Makefile | 2 +-
6209 lib/bitmap.c | 8 +-
6210 lib/bug.c | 2 +
6211 lib/debugobjects.c | 2 +-
6212 lib/devres.c | 4 +-
6213 lib/div64.c | 4 +-
6214 lib/dma-debug.c | 4 +-
6215 lib/inflate.c | 2 +-
6216 lib/ioremap.c | 4 +-
6217 lib/kobject.c | 4 +-
6218 lib/list_debug.c | 126 +-
6219 lib/percpu-refcount.c | 2 +-
6220 lib/radix-tree.c | 2 +-
6221 lib/strncpy_from_user.c | 2 +-
6222 lib/strnlen_user.c | 2 +-
6223 lib/swiotlb.c | 2 +-
6224 lib/usercopy.c | 6 +
6225 lib/vsprintf.c | 12 +-
6226 mm/Kconfig | 6 +-
6227 mm/backing-dev.c | 4 +-
6228 mm/filemap.c | 10 +-
6229 mm/fremap.c | 5 +
6230 mm/highmem.c | 7 +-
6231 mm/hugetlb.c | 70 +-
6232 mm/internal.h | 3 +-
6233 mm/maccess.c | 4 +-
6234 mm/madvise.c | 41 +
6235 mm/memory-failure.c | 28 +-
6236 mm/memory.c | 424 ++-
6237 mm/mempolicy.c | 25 +
6238 mm/mlock.c | 15 +-
6239 mm/mmap.c | 583 ++-
6240 mm/mprotect.c | 139 +-
6241 mm/mremap.c | 44 +-
6242 mm/nommu.c | 21 +-
6243 mm/page-writeback.c | 2 +-
6244 mm/page_alloc.c | 42 +-
6245 mm/page_io.c | 2 +-
6246 mm/percpu.c | 2 +-
6247 mm/process_vm_access.c | 14 +-
6248 mm/rmap.c | 44 +-
6249 mm/shmem.c | 19 +-
6250 mm/slab.c | 106 +-
6251 mm/slab.h | 15 +-
6252 mm/slab_common.c | 60 +-
6253 mm/slob.c | 206 +-
6254 mm/slub.c | 88 +-
6255 mm/sparse-vmemmap.c | 4 +-
6256 mm/sparse.c | 2 +-
6257 mm/swap.c | 2 +
6258 mm/swapfile.c | 12 +-
6259 mm/util.c | 6 +
6260 mm/vmalloc.c | 75 +-
6261 mm/vmstat.c | 12 +-
6262 net/8021q/vlan.c | 5 +-
6263 net/9p/mod.c | 4 +-
6264 net/9p/trans_fd.c | 2 +-
6265 net/atm/atm_misc.c | 8 +-
6266 net/atm/lec.h | 2 +-
6267 net/atm/proc.c | 6 +-
6268 net/atm/resources.c | 4 +-
6269 net/ax25/sysctl_net_ax25.c | 2 +-
6270 net/batman-adv/bat_iv_ogm.c | 8 +-
6271 net/batman-adv/fragmentation.c | 2 +-
6272 net/batman-adv/soft-interface.c | 6 +-
6273 net/batman-adv/types.h | 6 +-
6274 net/bluetooth/hci_sock.c | 2 +-
6275 net/bluetooth/l2cap_core.c | 6 +-
6276 net/bluetooth/l2cap_sock.c | 12 +-
6277 net/bluetooth/rfcomm/sock.c | 4 +-
6278 net/bluetooth/rfcomm/tty.c | 4 +-
6279 net/bridge/netfilter/ebtables.c | 6 +-
6280 net/caif/cfctrl.c | 11 +-
6281 net/can/af_can.c | 2 +-
6282 net/can/gw.c | 6 +-
6283 net/ceph/messenger.c | 4 +-
6284 net/compat.c | 34 +-
6285 net/core/datagram.c | 2 +-
6286 net/core/dev.c | 16 +-
6287 net/core/flow.c | 8 +-
6288 net/core/iovec.c | 4 +-
6289 net/core/neighbour.c | 2 +-
6290 net/core/net-sysfs.c | 2 +-
6291 net/core/net_namespace.c | 8 +-
6292 net/core/netpoll.c | 4 +-
6293 net/core/rtnetlink.c | 13 +-
6294 net/core/scm.c | 8 +-
6295 net/core/skbuff.c | 8 +-
6296 net/core/sock.c | 28 +-
6297 net/core/sock_diag.c | 9 +-
6298 net/core/sysctl_net_core.c | 20 +-
6299 net/decnet/af_decnet.c | 1 +
6300 net/decnet/sysctl_net_decnet.c | 4 +-
6301 net/ipv4/af_inet.c | 8 +-
6302 net/ipv4/devinet.c | 18 +-
6303 net/ipv4/fib_frontend.c | 6 +-
6304 net/ipv4/fib_semantics.c | 2 +-
6305 net/ipv4/inet_connection_sock.c | 2 +-
6306 net/ipv4/inetpeer.c | 4 +-
6307 net/ipv4/ip_fragment.c | 15 +-
6308 net/ipv4/ip_gre.c | 6 +-
6309 net/ipv4/ip_sockglue.c | 2 +-
6310 net/ipv4/ip_vti.c | 4 +-
6311 net/ipv4/ipconfig.c | 6 +-
6312 net/ipv4/ipip.c | 4 +-
6313 net/ipv4/netfilter/arp_tables.c | 12 +-
6314 net/ipv4/netfilter/ip_tables.c | 12 +-
6315 net/ipv4/ping.c | 14 +-
6316 net/ipv4/raw.c | 14 +-
6317 net/ipv4/route.c | 20 +-
6318 net/ipv4/sysctl_net_ipv4.c | 37 +-
6319 net/ipv4/tcp_input.c | 4 +-
6320 net/ipv4/tcp_probe.c | 2 +-
6321 net/ipv4/udp.c | 10 +-
6322 net/ipv4/xfrm4_policy.c | 18 +-
6323 net/ipv6/addrconf.c | 12 +-
6324 net/ipv6/af_inet6.c | 2 +-
6325 net/ipv6/datagram.c | 2 +-
6326 net/ipv6/icmp.c | 2 +-
6327 net/ipv6/ip6_gre.c | 8 +-
6328 net/ipv6/ip6_tunnel.c | 4 +-
6329 net/ipv6/ip6_vti.c | 4 +-
6330 net/ipv6/ipv6_sockglue.c | 2 +-
6331 net/ipv6/netfilter/ip6_tables.c | 12 +-
6332 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
6333 net/ipv6/output_core.c | 15 +-
6334 net/ipv6/ping.c | 28 +-
6335 net/ipv6/raw.c | 17 +-
6336 net/ipv6/reassembly.c | 13 +-
6337 net/ipv6/route.c | 2 +-
6338 net/ipv6/sit.c | 4 +-
6339 net/ipv6/sysctl_net_ipv6.c | 2 +-
6340 net/ipv6/udp.c | 6 +-
6341 net/ipv6/xfrm6_policy.c | 17 +-
6342 net/irda/ircomm/ircomm_tty.c | 18 +-
6343 net/iucv/af_iucv.c | 4 +-
6344 net/iucv/iucv.c | 2 +-
6345 net/key/af_key.c | 4 +-
6346 net/mac80211/cfg.c | 8 +-
6347 net/mac80211/ieee80211_i.h | 3 +-
6348 net/mac80211/iface.c | 16 +-
6349 net/mac80211/main.c | 2 +-
6350 net/mac80211/pm.c | 6 +-
6351 net/mac80211/rate.c | 2 +-
6352 net/mac80211/rc80211_pid_debugfs.c | 2 +-
6353 net/mac80211/util.c | 4 +-
6354 net/netfilter/ipset/ip_set_core.c | 2 +-
6355 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
6356 net/netfilter/ipvs/ip_vs_core.c | 4 +-
6357 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
6358 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
6359 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
6360 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
6361 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
6362 net/netfilter/nf_conntrack_acct.c | 2 +-
6363 net/netfilter/nf_conntrack_ecache.c | 2 +-
6364 net/netfilter/nf_conntrack_helper.c | 2 +-
6365 net/netfilter/nf_conntrack_proto.c | 2 +-
6366 net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
6367 net/netfilter/nf_conntrack_standalone.c | 2 +-
6368 net/netfilter/nf_conntrack_timestamp.c | 2 +-
6369 net/netfilter/nf_log.c | 10 +-
6370 net/netfilter/nf_sockopt.c | 4 +-
6371 net/netfilter/nfnetlink_log.c | 4 +-
6372 net/netfilter/xt_statistic.c | 8 +-
6373 net/netlink/af_netlink.c | 4 +-
6374 net/packet/af_packet.c | 8 +-
6375 net/phonet/pep.c | 6 +-
6376 net/phonet/socket.c | 2 +-
6377 net/phonet/sysctl.c | 2 +-
6378 net/rds/cong.c | 6 +-
6379 net/rds/ib.h | 2 +-
6380 net/rds/ib_cm.c | 2 +-
6381 net/rds/ib_recv.c | 4 +-
6382 net/rds/iw.h | 2 +-
6383 net/rds/iw_cm.c | 2 +-
6384 net/rds/iw_recv.c | 4 +-
6385 net/rds/rds.h | 2 +-
6386 net/rds/tcp.c | 2 +-
6387 net/rds/tcp_send.c | 2 +-
6388 net/rxrpc/af_rxrpc.c | 2 +-
6389 net/rxrpc/ar-ack.c | 14 +-
6390 net/rxrpc/ar-call.c | 2 +-
6391 net/rxrpc/ar-connection.c | 2 +-
6392 net/rxrpc/ar-connevent.c | 2 +-
6393 net/rxrpc/ar-input.c | 4 +-
6394 net/rxrpc/ar-internal.h | 8 +-
6395 net/rxrpc/ar-local.c | 2 +-
6396 net/rxrpc/ar-output.c | 4 +-
6397 net/rxrpc/ar-peer.c | 2 +-
6398 net/rxrpc/ar-proc.c | 4 +-
6399 net/rxrpc/ar-transport.c | 2 +-
6400 net/rxrpc/rxkad.c | 4 +-
6401 net/sctp/ipv6.c | 6 +-
6402 net/sctp/protocol.c | 10 +-
6403 net/sctp/sm_sideeffect.c | 2 +-
6404 net/sctp/socket.c | 21 +-
6405 net/sctp/sysctl.c | 8 +-
6406 net/socket.c | 18 +-
6407 net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
6408 net/sunrpc/clnt.c | 4 +-
6409 net/sunrpc/sched.c | 4 +-
6410 net/sunrpc/svc.c | 4 +-
6411 net/sunrpc/svcauth_unix.c | 4 +-
6412 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
6413 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
6414 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
6415 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
6416 net/tipc/subscr.c | 2 +-
6417 net/unix/sysctl_net_unix.c | 2 +-
6418 net/wireless/wext-core.c | 19 +-
6419 net/xfrm/xfrm_policy.c | 22 +-
6420 net/xfrm/xfrm_state.c | 33 +-
6421 net/xfrm/xfrm_sysctl.c | 2 +-
6422 scripts/Makefile.build | 2 +-
6423 scripts/Makefile.clean | 3 +-
6424 scripts/Makefile.host | 28 +-
6425 scripts/basic/fixdep.c | 12 +-
6426 scripts/gcc-plugin.sh | 17 +
6427 scripts/headers_install.sh | 1 +
6428 scripts/link-vmlinux.sh | 2 +-
6429 scripts/mod/file2alias.c | 14 +-
6430 scripts/mod/modpost.c | 25 +-
6431 scripts/mod/modpost.h | 6 +-
6432 scripts/mod/sumversion.c | 2 +-
6433 scripts/module-common.lds | 4 +
6434 scripts/package/builddeb | 1 +
6435 scripts/pnmtologo.c | 6 +-
6436 scripts/sortextable.h | 6 +-
6437 security/Kconfig | 689 +++-
6438 security/apparmor/lsm.c | 2 +-
6439 security/integrity/ima/ima.h | 4 +-
6440 security/integrity/ima/ima_api.c | 2 +-
6441 security/integrity/ima/ima_fs.c | 4 +-
6442 security/integrity/ima/ima_queue.c | 2 +-
6443 security/keys/compat.c | 2 +-
6444 security/keys/internal.h | 2 +-
6445 security/keys/key.c | 18 +-
6446 security/keys/keyctl.c | 8 +-
6447 security/security.c | 9 +-
6448 security/selinux/avc.c | 6 +-
6449 security/selinux/hooks.c | 11 +-
6450 security/selinux/include/xfrm.h | 2 +-
6451 security/smack/smack_lsm.c | 2 +-
6452 security/tomoyo/tomoyo.c | 2 +-
6453 security/yama/yama_lsm.c | 22 +-
6454 sound/aoa/codecs/onyx.c | 7 +-
6455 sound/aoa/codecs/onyx.h | 1 +
6456 sound/core/oss/pcm_oss.c | 18 +-
6457 sound/core/pcm_compat.c | 2 +-
6458 sound/core/pcm_native.c | 4 +-
6459 sound/core/seq/seq_device.c | 8 +-
6460 sound/core/sound.c | 2 +-
6461 sound/drivers/mts64.c | 14 +-
6462 sound/drivers/opl4/opl4_lib.c | 2 +-
6463 sound/drivers/portman2x4.c | 3 +-
6464 sound/firewire/amdtp.c | 4 +-
6465 sound/firewire/amdtp.h | 2 +-
6466 sound/firewire/isight.c | 10 +-
6467 sound/firewire/scs1x.c | 8 +-
6468 sound/oss/sb_audio.c | 2 +-
6469 sound/oss/swarm_cs4297a.c | 6 +-
6470 sound/pci/hda/hda_codec.c | 8 +-
6471 sound/pci/ymfpci/ymfpci.h | 2 +-
6472 sound/pci/ymfpci/ymfpci_main.c | 12 +-
6473 sound/soc/fsl/fsl_ssi.c | 2 +-
6474 sound/soc/soc-core.c | 6 +-
6475 tools/gcc/.gitignore | 1 +
6476 tools/gcc/Makefile | 45 +
6477 tools/gcc/checker_plugin.c | 172 +
6478 tools/gcc/colorize_plugin.c | 151 +
6479 tools/gcc/constify_plugin.c | 557 ++
6480 tools/gcc/generate_size_overflow_hash.sh | 94 +
6481 tools/gcc/kallocstat_plugin.c | 170 +
6482 tools/gcc/kernexec_plugin.c | 474 ++
6483 tools/gcc/latent_entropy_plugin.c | 335 ++
6484 tools/gcc/size_overflow_hash.data | 5618 ++++++++++++++++++++
6485 tools/gcc/size_overflow_plugin.c | 4072 ++++++++++++++
6486 tools/gcc/stackleak_plugin.c | 327 ++
6487 tools/gcc/structleak_plugin.c | 277 +
6488 tools/lib/lk/Makefile | 2 +-
6489 tools/perf/util/include/asm/alternative-asm.h | 3 +
6490 tools/perf/util/include/linux/compiler.h | 8 +
6491 virt/kvm/kvm_main.c | 44 +-
6492 1716 files changed, 34523 insertions(+), 8024 deletions(-)
6493commit 512ab625d6d34c2f8602a044454bb1366b80b98e
6494Author: Brad Spengler <spender@grsecurity.net>
6495Date: Sat Jan 25 14:54:11 2014 -0500
6496
6497 Fix another compiler error caught by RANDSTRUCT
6498
6499 sound/isa/sb/emu8000_synth.c | 4 ++--
6500 1 files changed, 2 insertions(+), 2 deletions(-)
6501
6502commit 43bd0a97d977b78f2a54045bbf98ee967209c144
6503Author: Brad Spengler <spender@grsecurity.net>
6504Date: Sat Jan 25 14:34:12 2014 -0500
6505
6506 Fix another compiler error caught by RANDSTRUCT
6507
6508 drivers/net/wan/z85230.c | 24 ++++++++++++------------
6509 1 files changed, 12 insertions(+), 12 deletions(-)
6510
6511commit e833f51aa919e2c94bb7ac6979a68cf3f4fcc131
6512Author: Brad Spengler <spender@grsecurity.net>
6513Date: Sat Jan 25 14:30:46 2014 -0500
6514
6515 fix compilation with RANDSTRUCT plugin
6516
6517 sound/drivers/opl4/opl4_seq.c | 4 ++--
6518 1 files changed, 2 insertions(+), 2 deletions(-)
6519
6520commit 743f2ccb4dc72e6366e0cf0b371d37951c67ce0d
6521Author: Brad Spengler <spender@grsecurity.net>
6522Date: Sat Jan 25 14:16:18 2014 -0500
6523
6524 avoid problems by just building our fake field decl node from scratch
6525
6526 tools/gcc/randomize_layout_plugin.c | 10 +++++-----
6527 1 files changed, 5 insertions(+), 5 deletions(-)
6528
6529commit 9345145bb31148c2fb4918fe989d45bbf1219373
6530Author: Brad Spengler <spender@grsecurity.net>
6531Date: Sat Jan 25 13:45:18 2014 -0500
6532
6533 while in non-debug mode, don't emit notes for non-randomized struct types
6534
6535 clear all signs from our fake field decl of being a bitfield
6536
6537 tools/gcc/randomize_layout_plugin.c | 11 +++++++++++
6538 1 files changed, 11 insertions(+), 0 deletions(-)
6539
6540commit 946d2d5cafa4f123f6ee36596f67cf8571e461b4
6541Author: Brad Spengler <spender@grsecurity.net>
6542Date: Sat Jan 25 12:56:05 2014 -0500
6543
6544 revert change to read-only marking of fake struct field
6545
6546 tools/gcc/randomize_layout_plugin.c | 2 +-
6547 1 files changed, 1 insertions(+), 1 deletions(-)
6548
6549commit c947104c6a4c0e05ed6440287ad8872e2cbdb2f3
6550Author: Brad Spengler <spender@grsecurity.net>
6551Date: Sat Jan 25 12:42:48 2014 -0500
6552
6553 Update RANDSTRUCT plugin help
6554
6555 tools/gcc/randomize_layout_plugin.c | 6 ++++--
6556 1 files changed, 4 insertions(+), 2 deletions(-)
6557
6558commit 3757914c9c5d2278f93a3a8dc7d19847c6ee8e3a
6559Author: Brad Spengler <spender@grsecurity.net>
6560Date: Sat Jan 25 12:25:43 2014 -0500
6561
6562 Introduce GRKERNSEC_RANDSTRUCT:
6563 automatic structure layout randomization of pure ops structs
6564 randomization of marked sensitive kernel structures
6565
6566 automatically enabled by GRKERNSEC_CONFIG_AUTO
6567 performance mode is activated if the config priority is set to performance
6568
6569 Documentation/dontdiff | 1 +
6570 Makefile | 12 +-
6571 arch/x86/include/asm/floppy.h | 20 +-
6572 arch/x86/include/asm/paravirt_types.h | 23 +-
6573 arch/x86/include/asm/processor.h | 2 +-
6574 drivers/acpi/acpica/hwxfsleep.c | 11 +-
6575 drivers/block/cciss.h | 30 +-
6576 drivers/block/drbd/drbd_interval.c | 6 +-
6577 drivers/block/smart1,2.h | 40 +-
6578 drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
6579 drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
6580 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
6581 drivers/infiniband/hw/ipath/ipath_dma.c | 26 +-
6582 drivers/infiniband/hw/nes/nes_cm.c | 22 +-
6583 drivers/isdn/gigaset/bas-gigaset.c | 32 +-
6584 drivers/isdn/gigaset/ser-gigaset.c | 32 +-
6585 drivers/isdn/gigaset/usb-gigaset.c | 32 +-
6586 drivers/isdn/i4l/isdn_concap.c | 6 +-
6587 drivers/isdn/i4l/isdn_x25iface.c | 16 +-
6588 drivers/misc/sgi-xp/xp_main.c | 12 +-
6589 drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
6590 drivers/net/wan/lmc/lmc_media.c | 97 ++--
6591 drivers/scsi/bfa/bfa_fcs.c | 19 +-
6592 drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
6593 drivers/scsi/bfa/bfa_modules.h | 12 +-
6594 drivers/scsi/hpsa.h | 20 +-
6595 drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
6596 drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
6597 drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +-
6598 drivers/video/matrox/matroxfb_DAC1064.c | 10 +-
6599 drivers/video/matrox/matroxfb_Ti3026.c | 5 +-
6600 fs/mount.h | 4 +-
6601 fs/proc/internal.h | 4 +-
6602 fs/reiserfs/item_ops.c | 24 +-
6603 grsecurity/Kconfig | 31 +-
6604 include/linux/compiler-gcc4.h | 5 +
6605 include/linux/compiler.h | 8 +
6606 include/linux/cred.h | 4 +-
6607 include/linux/dcache.h | 2 +-
6608 include/linux/fs.h | 14 +-
6609 include/linux/fs_struct.h | 2 +-
6610 include/linux/ipc_namespace.h | 2 +-
6611 include/linux/kobject.h | 2 +-
6612 include/linux/mm_types.h | 4 +-
6613 include/linux/module.h | 4 +-
6614 include/linux/mount.h | 2 +-
6615 include/linux/pid_namespace.h | 2 +-
6616 include/linux/proc_ns.h | 2 +-
6617 include/linux/rbtree_augmented.h | 4 +-
6618 include/linux/sched.h | 6 +-
6619 include/linux/sysctl.h | 2 +-
6620 include/linux/tty.h | 2 +-
6621 include/linux/tty_driver.h | 2 +-
6622 include/linux/user_namespace.h | 2 +-
6623 include/linux/utsname.h | 2 +-
6624 include/net/neighbour.h | 2 +-
6625 include/net/net_namespace.h | 2 +-
6626 lib/rbtree.c | 4 +-
6627 net/atm/lec.c | 6 +-
6628 net/atm/mpoa_caches.c | 42 +-
6629 net/decnet/dn_dev.c | 2 +-
6630 net/vmw_vsock/vmci_transport_notify.c | 30 +-
6631 net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +-
6632 net/x25/sysctl_net_x25.c | 2 +-
6633 scripts/Makefile | 2 +
6634 scripts/gen-random-seed.sh | 8 +
6635 sound/core/seq/oss/seq_oss.c | 4 +-
6636 sound/core/seq/seq_midi.c | 4 +-
6637 sound/drivers/opl3/opl3_seq.c | 4 +-
6638 sound/pci/emu10k1/emu10k1_synth.c | 4 +-
6639 sound/synth/emux/emux_seq.c | 14 +-
6640 tools/gcc/.gitignore | 1 +
6641 tools/gcc/Makefile | 2 +
6642 tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++
6643 74 files changed, 1222 insertions(+), 390 deletions(-)
6644
6645commit 44ebc77fd9886fdebf8e3942a935cbe2f3272c3d
6646Author: Brad Spengler <spender@grsecurity.net>
6647Date: Sun Jan 19 09:27:31 2014 -0500
6648
6649 add PRNG self-tests
6650
6651 lib/random32.c | 207 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
6652 1 files changed, 197 insertions(+), 10 deletions(-)
6653
6654commit 7780c290ada57bac294c5a7e5b0286dd604920c5
6655Author: Brad Spengler <spender@grsecurity.net>
6656Date: Sun Jan 19 09:00:56 2014 -0500
6657
6658 compile fix
6659
6660 include/linux/random.h | 4 ----
6661 include/uapi/linux/random.h | 2 +-
6662 2 files changed, 1 insertions(+), 5 deletions(-)
6663
6664commit 4c4359a96c7b208513eb3563c90558cd5d2ca1a0
6665Author: Daniel Borkmann <dborkman@redhat.com>
6666Date: Mon Nov 11 12:20:36 2013 +0100
6667
6668 Upstream commit: a98814cef87946d2708812ad9f8b1e03b8366b6f
6669
6670 random32: upgrade taus88 generator to taus113 from errata paper
6671
6672 Since we use prandom*() functions quite often in networking code
6673 i.e. in UDP port selection, netfilter code, etc, upgrade the PRNG
6674 from Pierre L'Ecuyer's original paper "Maximally Equidistributed
6675 Combined Tausworthe Generators", Mathematics of Computation, 65,
6676 213 (1996), 203--213 to the version published in his errata paper [1].
6677
6678 The Tausworthe generator is a maximally-equidistributed generator,
6679 that is fast and has good statistical properties [1].
6680
6681 The version presented there upgrades the 3 state LFSR to a 4 state
6682 LFSR with increased periodicity from about 2^88 to 2^113. The
6683 algorithm is presented in [1] by the very same author who also
6684 designed the original algorithm in [2].
6685
6686 Also, by increasing the state, we make it a bit harder for attackers
6687 to "guess" the PRNGs internal state. See also discussion in [3].
6688
6689 Now, as we use this sort of weak initialization discussed in [3]
6690 only between core_initcall() until late_initcall() time [*] for
6691 prandom32*() users, namely in prandom_init(), it is less relevant
6692 from late_initcall() onwards as we overwrite seeds through
6693 prandom_reseed() anyways with a seed source of higher entropy, that
6694 is, get_random_bytes(). In other words, a exhaustive keysearch of
6695 96 bit would be needed. Now, with the help of this patch, this
6696 state-search increases further to 128 bit. Initialization needs
6697 to make sure that s1 > 1, s2 > 7, s3 > 15, s4 > 127.
6698
6699 taus88 and taus113 algorithm is also part of GSL. I added a test
6700 case in the next patch to verify internal behaviour of this patch
6701 with GSL and ran tests with the dieharder 3.31.1 RNG test suite:
6702
6703 $ dieharder -g 052 -a -m 10 -s 1 -S 4137730333 #taus88
6704 $ dieharder -g 054 -a -m 10 -s 1 -S 4137730333 #taus113
6705
6706 With this seed configuration, in order to compare both, we get
6707 the following differences:
6708
6709 algorithm taus88 taus113
6710 rands/second [**] 1.61e+08 1.37e+08
6711 sts_serial(4, 1st run) WEAK PASSED
6712 sts_serial(9, 2nd run) WEAK PASSED
6713 rgb_lagged_sum(31) WEAK PASSED
6714
6715 We took out diehard_sums test as according to the authors it is
6716 considered broken and unusable [4]. Despite that and the slight
6717 decrease in performance (which is acceptable), taus113 here passes
6718 all 113 tests (only rgb_minimum_distance_5 in WEAK, the rest PASSED).
6719 In general, taus/taus113 is considered "very good" by the authors
6720 of dieharder [5].
6721
6722 The papers [1][2] states a single warm-up step is sufficient by
6723 running quicktaus once on each state to ensure proper initialization
6724 of ~s_{0}:
6725
6726 Our selection of (s) according to Table 1 of [1] row 1 holds the
6727 condition L - k <= r - s, that is,
6728
6729 (32 32 32 32) - (31 29 28 25) <= (25 27 15 22) - (18 2 7 13)
6730
6731 with r = k - q and q = (6 2 13 3) as also stated by the paper.
6732 So according to [2] we are safe with one round of quicktaus for
6733 initialization. However we decided to include the warm-up phase
6734 of the PRNG as done in GSL in every case as a safety net. We also
6735 use the warm up phase to make the output of the RNG easier to
6736 verify by the GSL output.
6737
6738 In prandom_init(), we also mix random_get_entropy() into it, just
6739 like drivers/char/random.c does it, jiffies ^ random_get_entropy().
6740 random-get_entropy() is get_cycles(). xor is entropy preserving so
6741 it is fine if it is not implemented by some architectures.
6742
6743 Note, this PRNG is *not* used for cryptography in the kernel, but
6744 rather as a fast PRNG for various randomizations i.e. in the
6745 networking code, or elsewhere for debugging purposes, for example.
6746
6747 [*]: In order to generate some "sort of pseduo-randomness", since
6748 get_random_bytes() is not yet available for us, we use jiffies and
6749 initialize states s1 - s3 with a simple linear congruential generator
6750 (LCG), that is x <- x * 69069; and derive s2, s3, from the 32bit
6751 initialization from s1. So the above quote from [3] accounts only
6752 for the time from core to late initcall, not afterwards.
6753 [**] Single threaded run on MacBook Air w/ Intel Core i5-3317U
6754
6755 [1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps
6756 [2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps
6757 [3] http://thread.gmane.org/gmane.comp.encryption.general/12103/
6758 [4] http://code.google.com/p/dieharder/source/browse/trunk/libdieharder/diehard_sums.c?spec=svn490&r=490#20
6759 [5] http://www.phy.duke.edu/~rgb/General/dieharder.php
6760
6761 Joint work with Hannes Frederic Sowa.
6762
6763 Cc: Florian Weimer <fweimer@redhat.com>
6764 Cc: Theodore Ts'o <tytso@mit.edu>
6765 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
6766 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
6767 Signed-off-by: David S. Miller <davem@davemloft.net>
6768
6769 Conflicts:
6770
6771 include/linux/random.h
6772
6773 include/linux/random.h | 13 +++++--
6774 lib/random32.c | 80 +++++++++++++++++++++++++++--------------------
6775 2 files changed, 55 insertions(+), 38 deletions(-)
6776
6777commit 53dd59a26859c9b98cadcad65791c951b162e91e
6778Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
6779Date: Mon Nov 11 12:20:33 2013 +0100
6780
6781 Upstream commit: 6d31920246a9fc80be4f16acd27c0bbe8d7b8494
6782
6783 random32: add periodic reseeding
6784
6785 The current Tausworthe PRNG is never reseeded with truly random data after
6786 the first attempt in late_initcall. As this PRNG is used for some critical
6787 random data as e.g. UDP port randomization we should try better and reseed
6788 the PRNG once in a while with truly random data from get_random_bytes().
6789
6790 When we reseed with prandom_seed we now make also sure to throw the first
6791 output away. This suffices the reseeding procedure.
6792
6793 The delay calculation is based on a proposal from Eric Dumazet.
6794
6795 Joint work with Daniel Borkmann.
6796
6797 Cc: Eric Dumazet <eric.dumazet@gmail.com>
6798 Cc: Theodore Ts'o <tytso@mit.edu>
6799 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
6800 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
6801 Signed-off-by: David S. Miller <davem@davemloft.net>
6802
6803 Conflicts:
6804
6805 lib/random32.c
6806
6807 lib/random32.c | 22 ++++++++++++++++++++++
6808 1 files changed, 22 insertions(+), 0 deletions(-)
6809
6810commit 9deef5d021000495e04a730ba1880fb4b8951d45
6811Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
6812Date: Mon Nov 11 12:20:34 2013 +0100
6813
6814 Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9
6815
6816 random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized
6817
6818 The Tausworthe PRNG is initialized at late_initcall time. At that time the
6819 entropy pool serving get_random_bytes is not filled sufficiently. This
6820 patch adds an additional reseeding step as soon as the nonblocking pool
6821 gets marked as initialized.
6822
6823 On some machines it might be possible that late_initcall gets called after
6824 the pool has been initialized. In this situation we won't reseed again.
6825
6826 (A call to prandom_seed_late blocks later invocations of early reseed
6827 attempts.)
6828
6829 Joint work with Daniel Borkmann.
6830
6831 Cc: Eric Dumazet <eric.dumazet@gmail.com>
6832 Cc: Theodore Ts'o <tytso@mit.edu>
6833 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
6834 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
6835 Acked-by: "Theodore Ts'o" <tytso@mit.edu>
6836 Signed-off-by: David S. Miller <davem@davemloft.net>
6837
6838 Conflicts:
6839
6840 lib/random32.c
6841
6842 drivers/char/random.c | 5 ++++-
6843 include/linux/random.h | 1 +
6844 lib/random32.c | 24 +++++++++++++++++++++++-
6845 3 files changed, 28 insertions(+), 2 deletions(-)
6846
6847commit 7445d45f81df0b84bbb7fc6cc598e6b70522c286
6848Author: Brad Spengler <spender@grsecurity.net>
6849Date: Sat Jan 18 20:43:43 2014 -0500
6850
6851 Since the reworking of recvmsg handlers by Hannes Frederic Sowa,
6852 it should be safe to revert our workaround for large number of
6853 infoleaks the previous interface made possible, restoring some
6854 performance to these syscalls
6855
6856 net/socket.c | 4 ++--
6857 1 files changed, 2 insertions(+), 2 deletions(-)
6858
6859commit 2c18c01da2a59df2cdaa0d99e0ed2f781c3cbf4e
6860Author: Eric Dumazet <edumazet@google.com>
6861Date: Wed Jan 15 06:50:07 2014 -0800
6862
6863 Upstream commit: aee636c4809fa54848ff07a899b326eb1f9987a2
6864
6865 bpf: do not use reciprocal divide
6866
6867 At first Jakub Zawadzki noticed that some divisions by reciprocal_divide
6868 were not correct. (off by one in some cases)
6869 http://www.wireshark.org/~darkjames/reciprocal-buggy.c
6870
6871 He could also show this with BPF:
6872 http://www.wireshark.org/~darkjames/set-and-dump-filter-k-bug.c
6873
6874 The reciprocal divide in linux kernel is not generic enough,
6875 lets remove its use in BPF, as it is not worth the pain with
6876 current cpus.
6877
6878 Signed-off-by: Eric Dumazet <edumazet@google.com>
6879 Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
6880 Cc: Mircea Gherzan <mgherzan@gmail.com>
6881 Cc: Daniel Borkmann <dxchgb@gmail.com>
6882 Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
6883 Cc: Matt Evans <matt@ozlabs.org>
6884 Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
6885 Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
6886 Cc: David S. Miller <davem@davemloft.net>
6887 Signed-off-by: David S. Miller <davem@davemloft.net>
6888
6889 Conflicts:
6890
6891 arch/x86/net/bpf_jit_comp.c
6892
6893 arch/arm/net/bpf_jit_32.c | 6 +++---
6894 arch/powerpc/net/bpf_jit_comp.c | 7 ++++---
6895 arch/s390/net/bpf_jit_comp.c | 17 ++++++++++++-----
6896 arch/sparc/net/bpf_jit_comp.c | 17 ++++++++++++++---
6897 arch/x86/net/bpf_jit_comp.c | 16 ++++++++++------
6898 net/core/filter.c | 30 ++----------------------------
6899 6 files changed, 45 insertions(+), 48 deletions(-)
6900
6901commit 6986871c84f81084d5c8723538ccefc5c401b31c
6902Author: Jie Liu <jeff.liu@oracle.com>
6903Date: Wed Jan 1 19:28:03 2014 +0800
6904
6905 Upstream commit: bba719b5004234e55737e7074b81b337210c511d
6906
6907 xfs: fix off-by-one error in xfs_attr3_rmt_verify
6908
6909 With CRC check is enabled, if trying to set an attributes value just
6910 equal to the maximum size of XATTR_SIZE_MAX would cause the v3 remote
6911 attr write verification procedure failure, which would yield the back
6912 trace like below:
6913
6914 <snip>
6915 XFS (sda7): Internal error xfs_attr3_rmt_write_verify at line 191 of file fs/xfs/xfs_attr_remote.c
6916 <snip>
6917 Call Trace:
6918 [<ffffffff816f0042>] dump_stack+0x45/0x56
6919 [<ffffffffa0d99c8b>] xfs_error_report+0x3b/0x40 [xfs]
6920 [<ffffffffa0d96edd>] ? _xfs_buf_ioapply+0x6d/0x390 [xfs]
6921 [<ffffffffa0d99ce5>] xfs_corruption_error+0x55/0x80 [xfs]
6922 [<ffffffffa0dbef6b>] xfs_attr3_rmt_write_verify+0x14b/0x1a0 [xfs]
6923 [<ffffffffa0d96edd>] ? _xfs_buf_ioapply+0x6d/0x390 [xfs]
6924 [<ffffffffa0d97315>] ? xfs_bdstrat_cb+0x55/0xb0 [xfs]
6925 [<ffffffffa0d96edd>] _xfs_buf_ioapply+0x6d/0x390 [xfs]
6926 [<ffffffff81184cda>] ? vm_map_ram+0x31a/0x460
6927 [<ffffffff81097230>] ? wake_up_state+0x20/0x20
6928 [<ffffffffa0d97315>] ? xfs_bdstrat_cb+0x55/0xb0 [xfs]
6929 [<ffffffffa0d9726b>] xfs_buf_iorequest+0x6b/0xc0 [xfs]
6930 [<ffffffffa0d97315>] xfs_bdstrat_cb+0x55/0xb0 [xfs]
6931 [<ffffffffa0d97906>] xfs_bwrite+0x46/0x80 [xfs]
6932 [<ffffffffa0dbfa94>] xfs_attr_rmtval_set+0x334/0x490 [xfs]
6933 [<ffffffffa0db84aa>] xfs_attr_leaf_addname+0x24a/0x410 [xfs]
6934 [<ffffffffa0db8893>] xfs_attr_set_int+0x223/0x470 [xfs]
6935 [<ffffffffa0db8b76>] xfs_attr_set+0x96/0xb0 [xfs]
6936 [<ffffffffa0db13b2>] xfs_xattr_set+0x42/0x70 [xfs]
6937 [<ffffffff811df9b2>] generic_setxattr+0x62/0x80
6938 [<ffffffff811e0213>] __vfs_setxattr_noperm+0x63/0x1b0
6939 [<ffffffff81307afe>] ? evm_inode_setxattr+0xe/0x10
6940 [<ffffffff811e0415>] vfs_setxattr+0xb5/0xc0
6941 [<ffffffff811e054e>] setxattr+0x12e/0x1c0
6942 [<ffffffff811c6e82>] ? final_putname+0x22/0x50
6943 [<ffffffff811c708b>] ? putname+0x2b/0x40
6944 [<ffffffff811cc4bf>] ? user_path_at_empty+0x5f/0x90
6945 [<ffffffff811bdfd9>] ? __sb_start_write+0x49/0xe0
6946 [<ffffffff81168589>] ? vm_mmap_pgoff+0x99/0xc0
6947 [<ffffffff811e07df>] SyS_setxattr+0x8f/0xe0
6948 [<ffffffff81700c2d>] system_call_fastpath+0x1a/0x1f
6949
6950 Tests:
6951 setfattr -n user.longxattr -v `perl -e 'print "A"x65536'` testfile
6952
6953 This patch fix it to check the remote EA size is greater than the
6954 XATTR_SIZE_MAX rather than more than or equal to it, because it's
6955 valid if the specified EA value size is equal to the limitation as
6956 per VFS setxattr interface.
6957
6958 Signed-off-by: Jie Liu <jeff.liu@oracle.com>
6959 Reviewed-by: Mark Tinguely <tinguely@sgi.com>
6960 Signed-off-by: Ben Myers <bpm@sgi.com>
6961
6962 (cherry picked from commit 85dd0707f0cad26d60f2dc574d17a5ab948d10f7)
6963
6964 fs/xfs/xfs_attr_remote.c | 2 +-
6965 1 files changed, 1 insertions(+), 1 deletions(-)
6966
6967commit e8aa7f8223cf2bc0893c6bec7ada0b13edc07703
6968Author: Steven Rostedt <rostedt@goodmis.org>
6969Date: Thu Jan 9 21:46:34 2014 -0500
6970
6971 Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be
6972
6973 SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()
6974
6975 While running stress tests on adding and deleting ftrace instances I hit
6976 this bug:
6977
6978 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
6979 IP: selinux_inode_permission+0x85/0x160
6980 PGD 63681067 PUD 7ddbe067 PMD 0
6981 Oops: 0000 [#1] PREEMPT
6982 CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
6983 Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
6984 task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
6985 RIP: 0010:[<ffffffff812d8bc5>] [<ffffffff812d8bc5>] selinux_inode_permission+0x85/0x160
6986 RSP: 0018:ffff88007ddb1c48 EFLAGS: 00010246
6987 RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840
6988 RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000
6989 RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54
6990 R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000
6991 R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000
6992 FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000
6993 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M
6994 CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0
6995 Call Trace:
6996 security_inode_permission+0x1c/0x30
6997 __inode_permission+0x41/0xa0
6998 inode_permission+0x18/0x50
6999 link_path_walk+0x66/0x920
7000 path_openat+0xa6/0x6c0
7001 do_filp_open+0x43/0xa0
7002 do_sys_open+0x146/0x240
7003 SyS_open+0x1e/0x20
7004 system_call_fastpath+0x16/0x1b
7005 Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff
7006 RIP selinux_inode_permission+0x85/0x160
7007 CR2: 0000000000000020
7008
7009 Investigating, I found that the inode->i_security was NULL, and the
7010 dereference of it caused the oops.
7011
7012 in selinux_inode_permission():
7013
7014 isec = inode->i_security;
7015
7016 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
7017
7018 Note, the crash came from stressing the deletion and reading of debugfs
7019 files. I was not able to recreate this via normal files. But I'm not
7020 sure they are safe. It may just be that the race window is much harder
7021 to hit.
7022
7023 What seems to have happened (and what I have traced), is the file is
7024 being opened at the same time the file or directory is being deleted.
7025 As the dentry and inode locks are not held during the path walk, nor is
7026 the inodes ref counts being incremented, there is nothing saving these
7027 structures from being discarded except for an rcu_read_lock().
7028
7029 The rcu_read_lock() protects against freeing of the inode, but it does
7030 not protect freeing of the inode_security_struct. Now if the freeing of
7031 the i_security happens with a call_rcu(), and the i_security field of
7032 the inode is not changed (it gets freed as the inode gets freed) then
7033 there will be no issue here. (Linus Torvalds suggested not setting the
7034 field to NULL such that we do not need to check if it is NULL in the
7035 permission check).
7036
7037 Note, this is a hack, but it fixes the problem at hand. A real fix is
7038 to restructure the destroy_inode() to call all the destructor handlers
7039 from the RCU callback. But that is a major job to do, and requires a
7040 lot of work. For now, we just band-aid this bug with this fix (it
7041 works), and work on a more maintainable solution in the future.
7042
7043 Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home
7044 Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home
7045
7046 Cc: stable@vger.kernel.org
7047 Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
7048 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7049
7050 security/selinux/hooks.c | 20 ++++++++++++++++++--
7051 security/selinux/include/objsec.h | 5 ++++-
7052 2 files changed, 22 insertions(+), 3 deletions(-)
7053
7054commit e19ed2ef10ac8fb5539ff49890f149230ba504a2
7055Author: Hugh Dickins <hughd@google.com>
7056Date: Sun Jan 12 01:25:21 2014 -0800
7057
7058 Upstream commit: eecc1e426d681351a6026a7d3e7d225f38955b6c
7059
7060 thp: fix copy_page_rep GPF by testing is_huge_zero_pmd once only
7061
7062 We see General Protection Fault on RSI in copy_page_rep: that RSI is
7063 what you get from a NULL struct page pointer.
7064
7065 RIP: 0010:[<ffffffff81154955>] [<ffffffff81154955>] copy_page_rep+0x5/0x10
7066 RSP: 0000:ffff880136e15c00 EFLAGS: 00010286
7067 RAX: ffff880000000000 RBX: ffff880136e14000 RCX: 0000000000000200
7068 RDX: 6db6db6db6db6db7 RSI: db73880000000000 RDI: ffff880dd0c00000
7069 RBP: ffff880136e15c18 R08: 0000000000000200 R09: 000000000005987c
7070 R10: 000000000005987c R11: 0000000000000200 R12: 0000000000000001
7071 R13: ffffea00305aa000 R14: 0000000000000000 R15: 0000000000000000
7072 FS: 00007f195752f700(0000) GS:ffff880c7fc20000(0000) knlGS:0000000000000000
7073 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
7074 CR2: 0000000093010000 CR3: 00000001458e1000 CR4: 00000000000027e0
7075 Call Trace:
7076 copy_user_huge_page+0x93/0xab
7077 do_huge_pmd_wp_page+0x710/0x815
7078 handle_mm_fault+0x15d8/0x1d70
7079 __do_page_fault+0x14d/0x840
7080 do_page_fault+0x2f/0x90
7081 page_fault+0x22/0x30
7082
7083 do_huge_pmd_wp_page() tests is_huge_zero_pmd(orig_pmd) four times: but
7084 since shrink_huge_zero_page() can free the huge_zero_page, and we have
7085 no hold of our own on it here (except where the fourth test holds
7086 page_table_lock and has checked pmd_same), it's possible for it to
7087 answer yes the first time, but no to the second or third test. Change
7088 all those last three to tests for NULL page.
7089
7090 (Note: this is not the same issue as trinity's DEBUG_PAGEALLOC BUG
7091 in copy_page_rep with RSI: ffff88009c422000, reported by Sasha Levin
7092 in https://lkml.org/lkml/2013/3/29/103. I believe that one is due
7093 to the source page being split, and a tail page freed, while copy
7094 is in progress; and not a problem without DEBUG_PAGEALLOC, since
7095 the pmd_same check will prevent a miscopy from being made visible.)
7096
7097 Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page")
7098 Signed-off-by: Hugh Dickins <hughd@google.com>
7099 Cc: stable@vger.kernel.org # v3.10 v3.11 v3.12
7100 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7101
7102 mm/huge_memory.c | 6 +++---
7103 1 files changed, 3 insertions(+), 3 deletions(-)
7104
7105commit 49bf1cc12db4954afc0a3e9a4506325a53259c13
7106Author: Christian Engelmayer <cengelma@gmx.at>
7107Date: Sat Jan 11 22:19:30 2014 +0100
7108
7109 Upstream commit: 267d29a69c6af39445f36102a832b25ed483f299
7110
7111 ieee802154: Fix memory leak in ieee802154_add_iface()
7112
7113 Fix a memory leak in the ieee802154_add_iface() error handling path.
7114 Detected by Coverity: CID 710490.
7115
7116 Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
7117 Signed-off-by: David S. Miller <davem@davemloft.net>
7118
7119 net/ieee802154/nl-phy.c | 6 ++++--
7120 1 files changed, 4 insertions(+), 2 deletions(-)
7121
7122commit 4e2493507f0d3a43a3c9562a4e75ae806f993d84
7123Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
7124Date: Mon Jan 13 02:45:22 2014 +0100
7125
7126 Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e
7127
7128 net: avoid reference counter overflows on fib_rules in multicast forwarding
7129
7130 Bob Falken reported that after 4G packets, multicast forwarding stopped
7131 working. This was because of a rule reference counter overflow which
7132 freed the rule as soon as the overflow happend.
7133
7134 This patch solves this by adding the FIB_LOOKUP_NOREF flag to
7135 fib_rules_lookup calls. This is safe even from non-rcu locked sections
7136 as in this case the flag only implies not taking a reference to the rule,
7137 which we don't need at all.
7138
7139 Rules only hold references to the namespace, which are guaranteed to be
7140 available during the call of the non-rcu protected function reg_vif_xmit
7141 because of the interface reference which itself holds a reference to
7142 the net namespace.
7143
7144 Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables")
7145 Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables")
7146 Reported-by: Bob Falken <NetFestivalHaveFun@gmx.com>
7147 Cc: Patrick McHardy <kaber@trash.net>
7148 Cc: Thomas Graf <tgraf@suug.ch>
7149 Cc: Julian Anastasov <ja@ssi.bg>
7150 Cc: Eric Dumazet <eric.dumazet@gmail.com>
7151 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
7152 Acked-by: Eric Dumazet <edumazet@google.com>
7153 Signed-off-by: David S. Miller <davem@davemloft.net>
7154
7155 net/ipv4/ipmr.c | 7 +++++--
7156 net/ipv6/ip6mr.c | 7 +++++--
7157 2 files changed, 10 insertions(+), 4 deletions(-)
7158
7159commit 427e1a47ccd092da8d3834ec889bbf899bf02994
7160Author: NeilBrown <neilb@suse.de>
7161Date: Mon Jan 6 10:35:34 2014 +1100
7162
7163 Upstream commit: e8b849158508565e0cd6bc80061124afc5879160
7164
7165 md/raid10: fix bug when raid10 recovery fails to recover a block.
7166
7167 commit e875ecea266a543e643b19e44cf472f1412708f9
7168 md/raid10 record bad blocks as needed during recovery.
7169
7170 added code to the "cannot recover this block" path to record a bad
7171 block rather than fail the whole recovery.
7172 Unfortunately this new case was placed *after* r10bio was freed rather
7173 than *before*, yet it still uses r10bio.
7174 This is will crash with a null dereference.
7175
7176 So move the freeing of r10bio down where it is safe.
7177
7178 Cc: stable@vger.kernel.org (v3.1+)
7179 Fixes: e875ecea266a543e643b19e44cf472f1412708f9
7180 Reported-by: Damian Nowak <spam@nowaker.net>
7181 URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
7182 Signed-off-by: NeilBrown <neilb@suse.de>
7183
7184 drivers/md/raid10.c | 8 ++++----
7185 1 files changed, 4 insertions(+), 4 deletions(-)
7186
7187commit 528bc79bf4b9414269c3468527a1fb93992888ec
7188Author: NeilBrown <neilb@suse.de>
7189Date: Mon Jan 6 13:19:42 2014 +1100
7190
7191 Upstream commit: 1cc03eb93245e63b0b7a7832165efdc52e25b4e6
7192
7193 md/raid5: Fix possible confusion when multiple write errors occur.
7194
7195 commit 5d8c71f9e5fbdd95650be00294d238e27a363b5c
7196 md: raid5 crash during degradation
7197
7198 Fixed a crash in an overly simplistic way which could leave
7199 R5_WriteError or R5_MadeGood set in the stripe cache for devices
7200 for which it is no longer relevant.
7201 When those devices are removed and spares added the flags are still
7202 set and can cause incorrect behaviour.
7203
7204 commit 14a75d3e07c784c004b4b44b34af996b8e4ac453
7205 md/raid5: preferentially read from replacement device if possible.
7206
7207 Fixed the same bug if a more effective way, so we can now revert
7208 the original commit.
7209
7210 Reported-and-tested-by: Alexander Lyakas <alex.bolshoy@gmail.com>
7211 Cc: stable@vger.kernel.org (3.2+ - 3.2 will need a different fix though)
7212 Fixes: 5d8c71f9e5fbdd95650be00294d238e27a363b5c
7213 Signed-off-by: NeilBrown <neilb@suse.de>
7214
7215 drivers/md/raid5.c | 4 ++--
7216 1 files changed, 2 insertions(+), 2 deletions(-)
7217
7218commit 65e365f661bcc034ce8da73be4521dde4088cbc6
7219Author: NeilBrown <neilb@suse.de>
7220Date: Tue Jan 14 10:38:09 2014 +1100
7221
7222 Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1
7223
7224 md/raid10: fix two bugs in handling of known-bad-blocks.
7225
7226 If we discover a bad block when reading we split the request and
7227 potentially read some of it from a different device.
7228
7229 The code path of this has two bugs in RAID10.
7230 1/ we get a spin_lock with _irq, but unlock without _irq!!
7231 2/ The calculation of 'sectors_handled' is wrong, as can be clearly
7232 seen by comparison with raid1.c
7233
7234 This leads to at least 2 warnings and a probable crash is a RAID10
7235 ever had known bad blocks.
7236
7237 Cc: stable@vger.kernel.org (v3.1+)
7238 Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160
7239 Reported-by: Damian Nowak <spam@nowaker.net>
7240 URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
7241 Signed-off-by: NeilBrown <neilb@suse.de>
7242
7243 drivers/md/raid10.c | 4 ++--
7244 1 files changed, 2 insertions(+), 2 deletions(-)
7245
7246commit 648634ea6eaa98407d5cee468eea365addf784d7
7247Author: Andreas Rohner <andreas.rohner@gmx.net>
7248Date: Tue Jan 14 17:56:36 2014 -0800
7249
7250 Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a
7251
7252 nilfs2: fix segctor bug that causes file system corruption
7253
7254 There is a bug in the function nilfs_segctor_collect, which results in
7255 active data being written to a segment, that is marked as clean. It is
7256 possible, that this segment is selected for a later segment
7257 construction, whereby the old data is overwritten.
7258
7259 The problem shows itself with the following kernel log message:
7260
7261 nilfs_sufile_do_cancel_free: segment 6533 must be clean
7262
7263 Usually a few hours later the file system gets corrupted:
7264
7265 NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0
7266 NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660)
7267
7268 The issue can be reproduced with a file system that is nearly full and
7269 with the cleaner running, while some IO intensive task is running.
7270 Although it is quite hard to reproduce.
7271
7272 This is what happens:
7273
7274 1. The cleaner starts the segment construction
7275 2. nilfs_segctor_collect is called
7276 3. sc_stage is on NILFS_ST_SUFILE and segments are freed
7277 4. sc_stage is on NILFS_ST_DAT current segment is full
7278 5. nilfs_segctor_extend_segments is called, which
7279 allocates a new segment
7280 6. The new segment is one of the segments freed in step 3
7281 7. nilfs_sufile_cancel_freev is called and produces an error message
7282 8. Loop around and the collection starts again
7283 9. sc_stage is on NILFS_ST_SUFILE and segments are freed
7284 including the newly allocated segment, which will contain active
7285 data and can be allocated at a later time
7286 10. A few hours later another segment construction allocates the
7287 segment and causes file system corruption
7288
7289 This can be prevented by simply reordering the statements. If
7290 nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments
7291 the freed segments are marked as dirty and cannot be allocated any more.
7292
7293 Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net>
7294 Reviewed-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
7295 Tested-by: Andreas Rohner <andreas.rohner@gmx.net>
7296 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
7297 Cc: <stable@vger.kernel.org>
7298 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
7299 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7300
7301 fs/nilfs2/segment.c | 10 ++++++----
7302 1 files changed, 6 insertions(+), 4 deletions(-)
7303
7304commit 380b201967bbe5769291311e5195a603006d391c
7305Author: Mikulas Patocka <mpatocka@redhat.com>
7306Date: Tue Jan 14 17:56:40 2014 -0800
7307
7308 Upstream commit: 03e5ac2fc3bf6f4140db0371e8bb4243b24e3e02
7309
7310 mm: fix crash when using XFS on loopback
7311
7312 Commit 8456a648cf44 ("slab: use struct page for slab management") causes
7313 a crash in the LVM2 testsuite on PA-RISC (the crashing test is
7314 fsadm.sh). The testsuite doesn't crash on 3.12, crashes on 3.13-rc1 and
7315 later.
7316
7317 Bad Address (null pointer deref?): Code=15 regs=000000413edd89a0 (Addr=000006202224647d)
7318 CPU: 3 PID: 24008 Comm: loop0 Not tainted 3.13.0-rc6 #5
7319 task: 00000001bf3c0048 ti: 000000413edd8000 task.ti: 000000413edd8000
7320
7321 YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
7322 PSW: 00001000000001101111100100001110 Not tainted
7323 r00-03 000000ff0806f90e 00000000405c8de0 000000004013e6c0 000000413edd83f0
7324 r04-07 00000000405a95e0 0000000000000200 00000001414735f0 00000001bf349e40
7325 r08-11 0000000010fe3d10 0000000000000001 00000040829c7778 000000413efd9000
7326 r12-15 0000000000000000 000000004060d800 0000000010fe3000 0000000010fe3000
7327 r16-19 000000413edd82a0 00000041078ddbc0 0000000000000010 0000000000000001
7328 r20-23 0008f3d0d83a8000 0000000000000000 00000040829c7778 0000000000000080
7329 r24-27 00000001bf349e40 00000001bf349e40 202d66202224640d 00000000405a95e0
7330 r28-31 202d662022246465 000000413edd88f0 000000413edd89a0 0000000000000001
7331 sr00-03 000000000532c000 0000000000000000 0000000000000000 000000000532c000
7332 sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
7333
7334 IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000401fe42c 00000000401fe430
7335 IIR: 539c0030 ISR: 00000000202d6000 IOR: 000006202224647d
7336 CPU: 3 CR30: 000000413edd8000 CR31: 0000000000000000
7337 ORIG_R28: 00000000405a95e0
7338 IAOQ[0]: vma_interval_tree_iter_first+0x14/0x48
7339 IAOQ[1]: vma_interval_tree_iter_first+0x18/0x48
7340 RP(r2): flush_dcache_page+0x128/0x388
7341 Backtrace:
7342 flush_dcache_page+0x128/0x388
7343 lo_splice_actor+0x90/0x148 [loop]
7344 splice_from_pipe_feed+0xc0/0x1d0
7345 __splice_from_pipe+0xac/0xc0
7346 lo_direct_splice_actor+0x1c/0x70 [loop]
7347 splice_direct_to_actor+0xec/0x228
7348 lo_receive+0xe4/0x298 [loop]
7349 loop_thread+0x478/0x640 [loop]
7350 kthread+0x134/0x168
7351 end_fault_vector+0x20/0x28
7352 xfs_setsize_buftarg+0x0/0x90 [xfs]
7353
7354 Kernel panic - not syncing: Bad Address (null pointer deref?)
7355
7356 Commit 8456a648cf44 changes the page structure so that the slab
7357 subsystem reuses the page->mapping field.
7358
7359 The crash happens in the following way:
7360 * XFS allocates some memory from slab and issues a bio to read data
7361 into it.
7362 * the bio is sent to the loopback device.
7363 * lo_receive creates an actor and calls splice_direct_to_actor.
7364 * lo_splice_actor copies data to the target page.
7365 * lo_splice_actor calls flush_dcache_page because the page may be
7366 mapped by userspace. In that case we need to flush the kernel cache.
7367 * flush_dcache_page asks for the list of userspace mappings, however
7368 that page->mapping field is reused by the slab subsystem for a
7369 different purpose. This causes the crash.
7370
7371 Note that other architectures without coherent caches (sparc, arm, mips)
7372 also call page_mapping from flush_dcache_page, so they may crash in the
7373 same way.
7374
7375 This patch fixes this bug by testing if the page is a slab page in
7376 page_mapping and returning NULL if it is.
7377
7378 The patch also fixes VM_BUG_ON(PageSlab(page)) that could happen in
7379 earlier kernels in the same scenario on architectures without cache
7380 coherence when CONFIG_DEBUG_VM is enabled - so it should be backported
7381 to stable kernels.
7382
7383 In the old kernels, the function page_mapping is placed in
7384 include/linux/mm.h, so you should modify the patch accordingly when
7385 backporting it.
7386
7387 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
7388 Cc: John David Anglin <dave.anglin@bell.net>]
7389 Cc: Andi Kleen <ak@linux.intel.com>
7390 Cc: Christoph Lameter <cl@linux.com>
7391 Acked-by: Pekka Enberg <penberg@kernel.org>
7392 Reviewed-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
7393 Cc: Helge Deller <deller@gmx.de>
7394 Cc: <stable@vger.kernel.org>
7395 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
7396 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7397
7398 mm/util.c | 5 ++++-
7399 1 files changed, 4 insertions(+), 1 deletions(-)
7400
7401commit e71bfbceaa0246366fe3753a893c660f22568bb9
7402Merge: 83b84f4 e8219cf
7403Author: Brad Spengler <spender@grsecurity.net>
7404Date: Sat Jan 18 17:30:14 2014 -0500
7405
7406 Merge branch 'pax-test' into grsec-test
7407
7408commit 83b84f4f7b950eeddc319df9dabeca8df99c19e7
7409Author: Brad Spengler <spender@grsecurity.net>
7410Date: Sat Jan 18 17:30:05 2014 -0500
7411
7412 Revert "Revert recent PaX marking change that broke a significant number"
7413
7414 This reverts commit 59672b779a7ef3857bb9335c668f671ea04c8a19.
7415
7416 fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++-----------------------
7417 1 files changed, 30 insertions(+), 23 deletions(-)
7418
7419commit e8219cf65fbb6e3763c4298831239929d1c1f9fa
7420Author: Brad Spengler <spender@grsecurity.net>
7421Date: Sat Jan 18 17:29:19 2014 -0500
7422
7423 Update to pax-linux-3.12.8-test15.patch:
7424 - reworked the interaction between the various PaX control flag mechanisms for better consistency
7425 - fixed type attribute handling in the constify plugin, reported by spender
7426
7427 fs/binfmt_elf.c | 144 +++++++++++++++++++++++-------------------
7428 include/linux/sched.h | 1 +
7429 include/uapi/linux/sysctl.h | 6 --
7430 tools/gcc/constify_plugin.c | 20 +++---
7431 4 files changed, 89 insertions(+), 82 deletions(-)
7432
7433commit 88474da15f3f3f5d93848102d03bb4983b9a0b78
7434Merge: 59672b7 dbe1b0b28
7435Author: Brad Spengler <spender@grsecurity.net>
7436Date: Thu Jan 16 07:00:51 2014 -0500
7437
7438 Merge branch 'pax-test' into grsec-test
7439
7440commit dbe1b0b28973953b8919fbfc479054d527066737
7441Merge: 229fa99 97f15f1
7442Author: Brad Spengler <spender@grsecurity.net>
7443Date: Thu Jan 16 07:00:16 2014 -0500
7444
7445 Update to pax-linux-3.12.8-test14.patch:
7446 - added a generated file to dontdiff, reported by Emese
7447 - removed duplicated code due to a mismerge
7448
7449 Merge branch 'linux-3.12.y' into pax-test
7450
7451 Conflicts:
7452 arch/x86/include/asm/fpu-internal.h
7453
7454commit 59672b779a7ef3857bb9335c668f671ea04c8a19
7455Author: Brad Spengler <spender@grsecurity.net>
7456Date: Thu Dec 26 19:23:25 2013 -0500
7457
7458 Revert recent PaX marking change that broke a significant number
7459 of existing systems. The marking system will be revamped in a later
7460 patch to fix softmode support while making XT markings more usable.
7461
7462 fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------
7463 1 files changed, 23 insertions(+), 30 deletions(-)
7464
7465commit 528d5554e49536241bdf98c59ac3daedf2855a11
7466Merge: f17b6ff 229fa99
7467Author: Brad Spengler <spender@grsecurity.net>
7468Date: Sun Jan 12 07:56:10 2014 -0500
7469
7470 Merge branch 'pax-test' into grsec-test
7471
7472commit 229fa990d096324284db79ed69b336d19df28afb
7473Author: Brad Spengler <spender@grsecurity.net>
7474Date: Sun Jan 12 07:55:36 2014 -0500
7475
7476 update to newer size_overflow hash table
7477
7478 tools/gcc/size_overflow_hash.data | 150 +++++++++++++++++++++----------------
7479 1 files changed, 84 insertions(+), 66 deletions(-)
7480
7481commit f17b6ff4817c57c0aaae76c2c1cf2ee759773292
7482Merge: 93e7728 6e027b9
7483Author: Brad Spengler <spender@grsecurity.net>
7484Date: Sat Jan 11 17:38:57 2014 -0500
7485
7486 Merge branch 'pax-test' into grsec-test
7487
7488commit 6e027b9f1196ed76313c256f8f962afd334d999f
7489Author: Brad Spengler <spender@grsecurity.net>
7490Date: Sat Jan 11 17:38:28 2014 -0500
7491
7492 Update to pax-linux-3.12.7-test12.patch:
7493 - new size overflow plugin and hash table from Emese, should really fix the canon_copy_from_read_buf problem
7494 - fixed incorrent module parameter type in vivi, caught by the size overflow plugin
7495
7496 drivers/media/platform/vivi.c | 4 +-
7497 tools/gcc/size_overflow_hash.data | 120 ++++++++++++++++++------------------
7498 tools/gcc/size_overflow_plugin.c | 64 +++++++++++++-------
7499 3 files changed, 105 insertions(+), 83 deletions(-)
7500
7501commit 93e7728fe0c37e00421e82cc43f8d467d5161751
7502Merge: 41ac3ff eadfb9b
7503Author: Brad Spengler <spender@grsecurity.net>
7504Date: Thu Jan 9 17:47:29 2014 -0500
7505
7506 Merge branch 'pax-test' into grsec-test
7507
7508commit eadfb9b1066d32ee537369fd67683297eb791ed0
7509Merge: bccc569 4301b7a
7510Author: Brad Spengler <spender@grsecurity.net>
7511Date: Thu Jan 9 17:46:48 2014 -0500
7512
7513 Update to pax-linux-3.12.7-test11.patch:
7514 - fixed powerpc compilation, by Purushothama Siddaiah <psiddaiah@mvista.com>
7515 - updated size overflow hash table from Emese, reported by Brian Haslett
7516
7517 Merge branch 'linux-3.12.y' into pax-test
7518
7519 Conflicts:
7520 include/linux/reboot.h
7521 mm/fremap.c
7522 mm/memory-failure.c
7523 scripts/link-vmlinux.sh
7524
7525commit 41ac3ff0c57f5b8bc2e32fd6ee58d618a6c8feec
7526Author: Brad Spengler <spender@grsecurity.net>
7527Date: Wed Jan 8 20:24:27 2014 -0500
7528
7529 zeroing out btime from /proc/stat breaks ps aux, it's the seconds of
7530 uptime for the system, information which is also available elsewhere
7531 (/proc/uptime), so there's no reason to limit it
7532
7533 fs/proc/stat.c | 4 +---
7534 1 files changed, 1 insertions(+), 3 deletions(-)
7535
7536commit a1c966be13a8cfa254a6814c8a79caed3b421f0a
7537Author: Brad Spengler <spender@grsecurity.net>
7538Date: Wed Jan 8 18:13:15 2014 -0500
7539
7540 fix typo
7541
7542 mm/vmstat.c | 2 +-
7543 1 files changed, 1 insertions(+), 1 deletions(-)
7544
7545commit f1b3c3eec89cd91474518f7fbd6ffe11c0cf22c7
7546Author: Brad Spengler <spender@grsecurity.net>
7547Date: Wed Jan 8 18:06:53 2014 -0500
7548
7549 provide a zeroed out /proc/vmstat to unprivileged users instead of
7550 denied access, some poorly-written desktop apps bail out completely
7551 when it can't be opened
7552
7553 mm/vmstat.c | 21 +++++++++++++++------
7554 1 files changed, 15 insertions(+), 6 deletions(-)
7555
7556commit 4e7ac33a7cf3cb6387d69a4d9ba248a2a2c95c52
7557Merge: ecdc265 bccc569
7558Author: Brad Spengler <spender@grsecurity.net>
7559Date: Wed Jan 8 17:55:50 2014 -0500
7560
7561 Merge branch 'pax-test' into grsec-test
7562
7563commit bccc5691fbe71245abd1e39c4387c1c0146bb3fd
7564Author: Brad Spengler <spender@grsecurity.net>
7565Date: Wed Jan 8 17:55:08 2014 -0500
7566
7567 Update to pax-linux-3.12.6-test10.patch:
7568 - removed config reference to EXT4_FS_XATTR, reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3904)
7569 - Emese worked around a few intentional overflows that triggered the size overflow plugin
7570 - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907)
7571 - in canon_copy_from_read_buf, reported by dwokfur (http://forums.grsecurity.net/viewtopic.php?f=3&t=3905)
7572
7573 drivers/tty/n_tty.c | 2 +-
7574 drivers/usb/core/devio.c | 2 +-
7575 security/Kconfig | 1 -
7576 tools/gcc/size_overflow_plugin.c | 173 ++++++++++++++++++++++++++++++++------
7577 4 files changed, 150 insertions(+), 28 deletions(-)
7578
7579commit ecdc2658f89f545acbfddbcef93c04a5bd3c9ce2
7580Author: Brad Spengler <spender@grsecurity.net>
7581Date: Wed Jan 8 17:46:46 2014 -0500
7582
7583 back out recently-added capability checks to various pci write methods
7584 as they break Xorg radeon drivers
7585
7586 drivers/pci/pci-sysfs.c | 9 ---------
7587 drivers/pci/proc.c | 3 ---
7588 2 files changed, 0 insertions(+), 12 deletions(-)
7589
7590commit 3b9532bcc2f2fda37c6316047764e65d05cfc0d7
7591Author: Brad Spengler <spender@grsecurity.net>
7592Date: Thu Jan 2 17:05:39 2014 -0500
7593
7594 add missing #include
7595
7596 fs/proc/stat.c | 1 +
7597 1 files changed, 1 insertions(+), 0 deletions(-)
7598
7599commit 44c29b5b08a4475bcd7ca653abe5ed172fa1f8a0
7600Author: Brad Spengler <spender@grsecurity.net>
7601Date: Thu Jan 2 17:02:24 2014 -0500
7602
7603 Back off recent PCI BAR restrictions as they break various existing
7604 necessary functionality (Xorg with VMware video driver, etc)
7605
7606 Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0
7607 checks currently
7608
7609 drivers/pci/pci-sysfs.c | 17 +++++++----------
7610 drivers/pci/proc.c | 13 ++-----------
7611 drivers/pci/syscall.c | 4 ----
7612 3 files changed, 9 insertions(+), 25 deletions(-)
7613
7614commit 5d6ce67e5ed3913c105cf2fc7c9db1d6e2a9f84a
7615Author: Brad Spengler <spender@grsecurity.net>
7616Date: Tue Dec 31 10:30:20 2013 -0500
7617
7618 Resolve compatibility with libgtop and recent restriction of
7619 /proc/stat, reported by KacKurx. We now provide a properly-formatted
7620 but zeroed /proc/stat instead of denying unpriv access to the entry
7621
7622 fs/proc/stat.c | 34 ++++++++++++++++++++++++----------
7623 1 files changed, 24 insertions(+), 10 deletions(-)
7624
7625commit fb5263307b4892bbaefc83427412b54c12a4e422
7626Author: Brad Spengler <spender@grsecurity.net>
7627Date: Mon Dec 30 11:19:53 2013 -0500
7628
7629 Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy
7630 Kulikov:
7631 http://www.openwall.com/lists/kernel-hardening/2011/11/07/1
7632
7633 fs/proc/interrupts.c | 4 ++++
7634 fs/proc/stat.c | 4 ++++
7635 2 files changed, 8 insertions(+), 0 deletions(-)
7636
7637commit e5f67af1a42dbde9aae812c25e2498b908919689
7638Author: Brad Spengler <spender@grsecurity.net>
7639Date: Mon Dec 30 11:13:49 2013 -0500
7640
7641 Update to phase two of the IPC hardening. I've heard no complaints about
7642 the patch I released, but including it here will generate better information.
7643
7644 grsecurity/Kconfig | 16 ++++++++++------
7645 grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++---
7646 include/linux/grmsg.h | 2 +-
7647 ipc/util.c | 3 ++-
7648 4 files changed, 42 insertions(+), 11 deletions(-)
7649
7650commit a5a7395ebf9054496b21fd84978daba0a9bfde5d
7651Merge: b07a1fc bfce0d4
7652Author: Brad Spengler <spender@grsecurity.net>
7653Date: Thu Dec 26 19:24:39 2013 -0500
7654
7655 Merge branch 'pax-test' into grsec-test
7656
7657commit bfce0d4c8f94977de165b9a559c531759d031b4b
7658Author: Brad Spengler <spender@grsecurity.net>
7659Date: Thu Dec 26 19:23:25 2013 -0500
7660
7661 Revert recent PaX marking change that broke a significant number
7662 of existing systems. The marking system will be revamped in a later
7663 patch to fix softmode support while making XT markings more usable.
7664
7665 fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------
7666 1 files changed, 23 insertions(+), 30 deletions(-)
7667
7668commit b07a1fc3ab37cf27f8e7b56193a08adfadd569b6
7669Author: Brad Spengler <spender@grsecurity.net>
7670Date: Thu Dec 26 19:20:26 2013 -0500
7671
7672 add missing #include
7673
7674 grsecurity/grsec_mount.c | 1 +
7675 1 files changed, 1 insertions(+), 0 deletions(-)
7676
7677commit 5fbe9de8e020fdf6b911a2368e41ba88df554343
7678Author: Brad Spengler <spender@grsecurity.net>
7679Date: Thu Dec 26 15:51:51 2013 -0500
7680
7681 Update config help to reflect requirements for proper security, similar
7682 to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM
7683
7684 grsecurity/Kconfig | 7 ++++++-
7685 1 files changed, 6 insertions(+), 1 deletions(-)
7686
7687commit d26ce94a15a14d44494fd3e307baebc2511a09b8
7688Author: Brad Spengler <spender@grsecurity.net>
7689Date: Thu Dec 26 15:35:31 2013 -0500
7690
7691 Whenever we perform checks against block devices we should also test for
7692 raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes,
7693 Linux's raw device support has been obsoleted many years ago and is unlikely
7694 to be present in a given kernel config (modulo an allyesconfig).
7695
7696 grsecurity/gracl.c | 2 +-
7697 grsecurity/grsec_mount.c | 4 +++-
7698 2 files changed, 4 insertions(+), 2 deletions(-)
7699
7700commit 4bbb922e6241dad03e37919f66e9f422743f5b5e
7701Author: Brad Spengler <spender@grsecurity.net>
7702Date: Wed Dec 25 16:37:02 2013 -0500
7703
7704 Add some of the more obscure, config-dependent kernel modification
7705 defenses to GRKERNSEC_KMEM, to be split out into a separate option
7706 if this causes any compatibility problems. From Matthew Garrett:
7707 https://lkml.org/lkml/2013/9/9/532
7708
7709 Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not
7710 the other way around (to produce more secure settings when distro
7711 configs are used as a base)
7712
7713 drivers/acpi/custom_method.c | 4 ++++
7714 drivers/pci/pci-sysfs.c | 12 ++++++++++++
7715 drivers/pci/proc.c | 12 ++++++++++++
7716 drivers/pci/syscall.c | 4 ++++
7717 drivers/platform/x86/asus-wmi.c | 12 ++++++++++++
7718 kernel/power/Kconfig | 2 ++
7719 security/Kconfig | 1 -
7720 7 files changed, 46 insertions(+), 1 deletions(-)
7721
7722commit 3ae9170407e5782e6a7b2bd796b60149864e6c3e
7723Author: Chad Hanson <chanson@trustedcs.com>
7724Date: Mon Dec 23 17:45:01 2013 -0500
7725
7726 Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc
7727
7728 selinux: fix broken peer recv check
7729
7730 Fix a broken networking check. Return an error if peer recv fails. If
7731 secmark is active and the packet recv succeeds the peer recv error is
7732 ignored.
7733
7734 Signed-off-by: Chad Hanson <chanson@trustedcs.com>
7735 Cc: stable@vger.kernel.org
7736 Signed-off-by: Paul Moore <pmoore@redhat.com>
7737
7738 security/selinux/hooks.c | 4 +++-
7739 1 files changed, 3 insertions(+), 1 deletions(-)
7740
7741commit c870e769c2d34bff7a0eba239c092bb115bb9d71
7742Author: Oleg Nesterov <oleg@redhat.com>
7743Date: Mon Dec 23 17:45:01 2013 -0500
7744
7745 Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe
7746
7747 selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
7748
7749 selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
7750 but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
7751 this looks confusing and triggers the "suspicious RCU usage"
7752 warning because ptrace_parent() does rcu_dereference_check().
7753
7754 And in theory this is wrong, spin_lock()->preempt_disable()
7755 doesn't necessarily imply rcu_read_lock() we need to access
7756 the ->parent.
7757
7758 Reported-by: Evan McNabb <emcnabb@redhat.com>
7759 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
7760 Cc: stable@vger.kernel.org
7761 Signed-off-by: Paul Moore <pmoore@redhat.com>
7762
7763 security/selinux/hooks.c | 4 ++--
7764 1 files changed, 2 insertions(+), 2 deletions(-)
7765
7766commit 717544da98db68da8cf1b902e33eefc098170128
7767Author: Benjamin LaHaise <bcrl@kvack.org>
7768Date: Sat Dec 21 15:49:28 2013 -0500
7769
7770 Upstream commit: 1881686f842065d2f92ec9c6424830ffc17d23b0
7771
7772 aio: fix kioctx leak introduced by "aio: Fix a trinity splat"
7773
7774 e34ecee2ae791df674dfb466ce40692ca6218e43 reworked the percpu reference
7775 counting to correct a bug trinity found. Unfortunately, the change lead
7776 to kioctxes being leaked because there was no final reference count to
7777 put. Add that reference count back in to fix things.
7778
7779 Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
7780 Cc: stable@vger.kernel.org
7781
7782 fs/aio.c | 3 ++-
7783 1 files changed, 2 insertions(+), 1 deletions(-)
7784
7785commit 21649f0e322166802adf5872f2affc38a0d6eb18
7786Author: Jianguo Wu <wujianguo@huawei.com>
7787Date: Wed Dec 18 17:08:59 2013 -0800
7788
7789 Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747
7790
7791 mm/hugetlb: check for pte NULL pointer in __page_check_address()
7792
7793 In __page_check_address(), if address's pud is not present,
7794 huge_pte_offset() will return NULL, we should check the return value.
7795
7796 Signed-off-by: Jianguo Wu <wujianguo@huawei.com>
7797 Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
7798 Cc: Mel Gorman <mgorman@suse.de>
7799 Cc: qiuxishi <qiuxishi@huawei.com>
7800 Cc: Hanjun Guo <guohanjun@huawei.com>
7801 Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
7802 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
7803 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7804
7805 Conflicts:
7806
7807 mm/rmap.c
7808
7809 mm/rmap.c | 4 ++++
7810 1 files changed, 4 insertions(+), 0 deletions(-)
7811
7812commit 184b047d4bc06f058aadb07393270e5d972af3aa
7813Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
7814Date: Fri Dec 20 15:10:03 2013 +0200
7815
7816 Upstream commit: ee53664bda169f519ce3c6a22d378f0b946c8178
7817
7818 mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
7819
7820 Sasha Levin found a NULL pointer dereference that is due to a missing
7821 page table lock, which in turn is due to the pmd entry in question being
7822 a transparent huge-table entry.
7823
7824 The code - introduced in commit 1998cc048901 ("mm: make
7825 madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
7826 for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
7827 turns out that that function doesn't work correctly.
7828
7829 pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
7830 trigger if the transparent hugepage bit was set, but it doesn't do that
7831 if pmd_numa() is also set. Note that the NUMA bit only gets set on real
7832 NUMA machines, so people trying to reproduce this on most normal
7833 development systems would never actually trigger this.
7834
7835 Fix it by removing the very subtle (and subtly incorrect) expectation,
7836 and instead just checking pmd_trans_huge() explicitly.
7837
7838 Reported-by: Sasha Levin <sasha.levin@oracle.com>
7839 Acked-by: Andrea Arcangeli <aarcange@redhat.com>
7840 [ Additionally remove the now stale test for pmd_trans_huge() inside the
7841 pmd_bad() case - Linus ]
7842 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7843
7844 include/asm-generic/pgtable.h | 5 ++---
7845 1 files changed, 2 insertions(+), 3 deletions(-)
7846
7847commit 1d769ef5d57f3bb616929c7e3c600852e20d575e
7848Author: Daniel Borkmann <dborkman@redhat.com>
7849Date: Tue Dec 17 00:38:39 2013 +0100
7850
7851 Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f
7852
7853 net: inet_diag: zero out uninitialized idiag_{src,dst} fields
7854
7855 Jakub reported while working with nlmon netlink sniffer that parts of
7856 the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6.
7857 That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3].
7858
7859 In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab]
7860 memory through this. At least, in udp_dump_one(), we allocate a skb in ...
7861
7862 rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL);
7863
7864 ... and then pass that to inet_sk_diag_fill() that puts the whole struct
7865 inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0],
7866 r->id.idiag_dst[0] and leave the rest untouched:
7867
7868 r->id.idiag_src[0] = inet->inet_rcv_saddr;
7869 r->id.idiag_dst[0] = inet->inet_daddr;
7870
7871 struct inet_diag_msg embeds struct inet_diag_sockid that is correctly /
7872 fully filled out in IPv6 case, but for IPv4 not.
7873
7874 So just zero them out by using plain memset (for this little amount of
7875 bytes it's probably not worth the extra check for idiag_family == AF_INET).
7876
7877 Similarly, fix also other places where we fill that out.
7878
7879 Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
7880 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
7881 Signed-off-by: David S. Miller <davem@davemloft.net>
7882
7883 Conflicts:
7884
7885 net/ipv4/inet_diag.c
7886
7887 net/ipv4/inet_diag.c | 16 ++++++++++++++++
7888 1 files changed, 16 insertions(+), 0 deletions(-)
7889
7890commit 11093b2d02f7bba2c9085b2d2d020b9ee34f8737
7891Author: Wenliang Fan <fanwlexca@gmail.com>
7892Date: Tue Dec 17 11:25:28 2013 +0800
7893
7894 Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a
7895
7896 drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
7897
7898 The local variable 'bi' comes from userspace. If userspace passed a
7899 large number to 'bi.data.calibrate', there would be an integer overflow
7900 in the following line:
7901 s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
7902
7903 Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
7904 Signed-off-by: David S. Miller <davem@davemloft.net>
7905
7906 drivers/net/hamradio/hdlcdrv.c | 2 ++
7907 1 files changed, 2 insertions(+), 0 deletions(-)
7908
7909commit e162be84a9971452943c1d85a59c866a5486222b
7910Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
7911Date: Mon Dec 23 18:49:30 2013 +0100
7912
7913 Upstream commit: f60900f2609e893c7f8d0bccc7ada4947dac4cd5
7914
7915 auxvec.h: account for AT_HWCAP2 in AT_VECTOR_SIZE_BASE
7916
7917 Commit 2171364d1a92 ("powerpc: Add HWCAP2 aux entry") introduced a new
7918 AT_ auxv entry type AT_HWCAP2 but failed to update AT_VECTOR_SIZE_BASE
7919 accordingly.
7920
7921 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
7922 Fixes: 2171364d1a92 (powerpc: Add HWCAP2 aux entry)
7923 Cc: stable@vger.kernel.org
7924 Acked-by: Michael Neuling <michael@neuling.org>
7925 Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
7926 Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
7927 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7928
7929 include/linux/auxvec.h | 2 +-
7930 1 files changed, 1 insertions(+), 1 deletions(-)
7931
7932commit a60029d4fb8d62b6dd3617a8ab4031fd79b89fe3
7933Author: Brad Spengler <spender@grsecurity.net>
7934Date: Wed Dec 25 15:11:51 2013 -0500
7935
7936 remove unused 'dentry' variable
7937
7938 fs/xattr.c | 1 -
7939 1 files changed, 0 insertions(+), 1 deletions(-)
7940
7941commit d6e290d23c8c47c19536ed84f403eb81f224ed67
7942Author: Brad Spengler <spender@grsecurity.net>
7943Date: Wed Dec 25 15:03:13 2013 -0500
7944
7945 Add RBAC mediation of *removexattr(), as this has security implications
7946 in the case of PaX with softmode enabled or the rare case of RBAC+SELinux
7947 use.
7948
7949 fs/xattr.c | 18 +++++++++++-------
7950 grsecurity/gracl_fs.c | 6 ++++++
7951 grsecurity/grsec_disabled.c | 6 ++++++
7952 include/linux/grmsg.h | 3 ++-
7953 include/linux/grsecurity.h | 2 ++
7954 5 files changed, 27 insertions(+), 8 deletions(-)
7955
7956commit 848b9c1e52382f446a2db679d6ee68c0a8cbc52e
7957Merge: e45d1dd 846d19a
7958Author: Brad Spengler <spender@grsecurity.net>
7959Date: Sun Dec 22 10:36:48 2013 -0500
7960
7961 Merge branch 'pax-test' into grsec-test
7962
7963commit 846d19aa4207282ce5ac54237517e54324eda092
7964Author: Brad Spengler <spender@grsecurity.net>
7965Date: Sun Dec 22 10:35:16 2013 -0500
7966
7967 Update to pax-linux-3.12.6-test9.patch:
7968 - updated size overflow hash table from spender
7969 - fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899)
7970
7971 virt/kvm/kvm_main.c | 13 +++++++++++--
7972 1 files changed, 11 insertions(+), 2 deletions(-)
7973
7974commit e45d1ddcd3c8005889acc55fbf9e57171339fbb4
7975Merge: b5c87f6 6754393
7976Author: Brad Spengler <spender@grsecurity.net>
7977Date: Sat Dec 21 07:53:42 2013 -0500
7978
7979 Merge branch 'pax-test' into grsec-test
7980
7981commit 6754393ea42b9fb1d6d8e4635e8364674cee2bbd
7982Author: Brad Spengler <spender@grsecurity.net>
7983Date: Sat Dec 21 07:53:22 2013 -0500
7984
7985 Update size_overflow hash table
7986
7987 tools/gcc/size_overflow_hash.data | 119 +++++++++++++++++++------------------
7988 1 files changed, 60 insertions(+), 59 deletions(-)
7989
7990commit b5c87f632d1cf19639a94c36276f96955221c77a
7991Author: Brad Spengler <spender@grsecurity.net>
7992Date: Fri Dec 20 20:18:56 2013 -0500
7993
7994 compile fix
7995
7996 fs/stat.c | 1 +
7997 1 files changed, 1 insertions(+), 0 deletions(-)
7998
7999commit 47618a93b003d648b5704040d1e502f76de07093
8000Merge: ba0eeed 37eeb47
8001Author: Brad Spengler <spender@grsecurity.net>
8002Date: Fri Dec 20 20:18:18 2013 -0500
8003
8004 Merge branch 'pax-test' into grsec-test
8005
8006commit 37eeb473486a08e3beae62841b19169aef36564d
8007Author: Brad Spengler <spender@grsecurity.net>
8008Date: Fri Dec 20 20:17:46 2013 -0500
8009
8010 Update to pax-linux-3.12.6-test8.patch:
8011 - fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877)
8012 - updated size overflow hash table from spender
8013
8014 fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++-----------------------
8015 1 files changed, 30 insertions(+), 23 deletions(-)
8016
8017commit ba0eeed0532b602905d87e9bf25aad3664c3f36b
8018Merge: 453a7f1 9dda34c
8019Author: Brad Spengler <spender@grsecurity.net>
8020Date: Fri Dec 20 19:17:33 2013 -0500
8021
8022 Merge branch 'pax-test' into grsec-test
8023
8024commit 9dda34cba200c6eadcbbbccbb4729627fd82e6be
8025Merge: 63ebe2d2 d0266db
8026Author: Brad Spengler <spender@grsecurity.net>
8027Date: Fri Dec 20 19:17:18 2013 -0500
8028
8029 Merge branch 'linux-3.12.y' into pax-test
8030
8031 Conflicts:
8032 arch/x86/boot/Makefile
8033
8034commit 453a7f1e18d89056fa27a9fdc777cea1a6fd7fe5
8035Merge: bb777f5 63ebe2d2
8036Author: Brad Spengler <spender@grsecurity.net>
8037Date: Thu Dec 19 22:48:02 2013 -0500
8038
8039 Merge branch 'pax-test' into grsec-test
8040
8041commit 63ebe2d2adf8f5ebc1639c1b8d8577fbe5813fcd
8042Author: Brad Spengler <spender@grsecurity.net>
8043Date: Thu Dec 19 22:47:35 2013 -0500
8044
8045 add 42 functions to the size_overflow hash table
8046
8047 tools/gcc/size_overflow_hash.data | 59 +++++++++++++++++++++++++++++-------
8048 1 files changed, 47 insertions(+), 12 deletions(-)
8049
8050commit bb777f517e6c2a53909351245d7d2009d8ad4c5b
8051Merge: cc59b1f a03d29c
8052Author: Brad Spengler <spender@grsecurity.net>
8053Date: Thu Dec 19 17:12:01 2013 -0500
8054
8055 Merge branch 'pax-test' into grsec-test
8056
8057commit a03d29c1eead36d4f9eac27b3a5d4b4266360a81
8058Author: Brad Spengler <spender@grsecurity.net>
8059Date: Thu Dec 19 17:11:19 2013 -0500
8060
8061 Update to pax-linux-3.12.5-test7.patch:
8062 - fixed some more size overflow reports
8063 - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898)
8064 - better fix for the gcc induced intentional overflow in usbdev_read
8065
8066 arch/x86/include/asm/atomic.h | 6 +++---
8067 arch/x86/include/asm/atomic64_32.h | 2 +-
8068 arch/x86/include/asm/atomic64_64.h | 2 +-
8069 drivers/usb/core/devio.c | 2 +-
8070 fs/file.c | 4 ++--
8071 include/asm-generic/atomic-long.h | 2 +-
8072 tools/gcc/size_overflow_hash.data | 3 ---
8073 7 files changed, 9 insertions(+), 12 deletions(-)
8074
8075commit cc59b1fbe8989a6f99d229b34653e40a84d871f4
8076Merge: 44842d2 6ffdbdf
8077Author: Brad Spengler <spender@grsecurity.net>
8078Date: Sun Dec 15 10:40:14 2013 -0500
8079
8080 Merge branch 'pax-test' into grsec-test
8081
8082commit 6ffdbdf295f56e22ce8626b555a03e4d2b8c6a61
8083Author: Brad Spengler <spender@grsecurity.net>
8084Date: Sun Dec 15 10:38:59 2013 -0500
8085
8086 Update to pax-linux-3.12.5-test6.patch:
8087 - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver
8088
8089 tools/gcc/size_overflow_plugin.c | 11 ++++++++---
8090 1 files changed, 8 insertions(+), 3 deletions(-)
8091
8092commit 44842d2f32b7fd6f325a90b15bd0a094f08feab9
8093Merge: c2c9b35 f85d978
8094Author: Brad Spengler <spender@grsecurity.net>
8095Date: Sat Dec 14 10:58:46 2013 -0500
8096
8097 Merge branch 'pax-test' into grsec-test
8098
8099commit f85d978a63b7388c6ab97b54808992fe2ee4ac8c
8100Author: Brad Spengler <spender@grsecurity.net>
8101Date: Sat Dec 14 10:58:14 2013 -0500
8102
8103 Update to pax-linux-3.12.5-test5.patch:
8104 - properly fix the use-after-free in sys_remap_file_pages, by Rik van Riel (http://www.spinics.net/lists/linux-mm/msg66710.html)
8105
8106 mm/fremap.c | 10 +++++-----
8107 1 files changed, 5 insertions(+), 5 deletions(-)
8108
8109commit c2c9b35fca510f7e29f80efa2999695448083b52
8110Author: Linus Torvalds <torvalds@linux-foundation.org>
8111Date: Thu Dec 12 09:38:42 2013 -0800
8112
8113 Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c
8114
8115 futex: fix handling of read-only-mapped hugepages
8116
8117 The hugepage code had the exact same bug that regular pages had in
8118 commit 7485d0d3758e ("futexes: Remove rw parameter from
8119 get_futex_key()").
8120
8121 The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix
8122 regression with read only mappings"), but the transparent hugepage case
8123 (added in a5b338f2b0b1: "thp: update futex compound knowledge") case
8124 remained broken.
8125
8126 Found by Dave Jones and his trinity tool.
8127
8128 Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
8129 Cc: stable@kernel.org # v2.6.38+
8130 Acked-by: Thomas Gleixner <tglx@linutronix.de>
8131 Cc: Mel Gorman <mgorman@suse.de>
8132 Cc: Darren Hart <dvhart@linux.intel.com>
8133 Cc: Andrea Arcangeli <aarcange@redhat.com>
8134 Cc: Oleg Nesterov <oleg@redhat.com>
8135 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8136
8137 kernel/futex.c | 2 +-
8138 1 files changed, 1 insertions(+), 1 deletions(-)
8139
8140commit 7fe4be2ce4c49484298f71455cdcac08149985cb
8141Author: Andy Honig <ahonig@google.com>
8142Date: Mon Nov 18 16:09:22 2013 -0800
8143
8144 Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96
8145
8146 KVM: Improve create VCPU parameter (CVE-2013-4587)
8147
8148 In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
8149 malicious user could specify a vcpu_id greater than 255 in order to set or
8150 clear bits in kernel memory. This could be used to elevate priveges in the
8151 kernel. This patch verifies that the vcpu_id provided is less than 255.
8152 The api documentation already specifies that the vcpu_id must be less than
8153 max_vcpus, but this is currently not checked.
8154
8155 Reported-by: Andrew Honig <ahonig@google.com>
8156 Cc: stable@vger.kernel.org
8157 Signed-off-by: Andrew Honig <ahonig@google.com>
8158 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8159
8160 virt/kvm/kvm_main.c | 3 +++
8161 1 files changed, 3 insertions(+), 0 deletions(-)
8162
8163commit e3a3b7a0010abaf6f28afb8521fcb29cee6b3c4c
8164Author: Andy Honig <ahonig@google.com>
8165Date: Tue Nov 19 14:12:18 2013 -0800
8166
8167 Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c
8168
8169 KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
8170
8171 Under guest controllable circumstances apic_get_tmcct will execute a
8172 divide by zero and cause a crash. If the guest cpuid support
8173 tsc deadline timers and performs the following sequence of requests
8174 the host will crash.
8175 - Set the mode to periodic
8176 - Set the TMICT to 0
8177 - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
8178 - Set the TMICT to non-zero.
8179 Then the lapic_timer.period will be 0, but the TMICT will not be. If the
8180 guest then reads from the TMCCT then the host will perform a divide by 0.
8181
8182 This patch ensures that if the lapic_timer.period is 0, then the division
8183 does not occur.
8184
8185 Reported-by: Andrew Honig <ahonig@google.com>
8186 Cc: stable@vger.kernel.org
8187 Signed-off-by: Andrew Honig <ahonig@google.com>
8188 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8189
8190 arch/x86/kvm/lapic.c | 3 ++-
8191 1 files changed, 2 insertions(+), 1 deletions(-)
8192
8193commit 2b8e6adf070a8938133e318e9a6e2f633095f038
8194Author: Andy Honig <ahonig@google.com>
8195Date: Wed Nov 20 10:23:22 2013 -0800
8196
8197 Upstream commit: fda4e2e85589191b123d31cdc21fd33ee70f50fd
8198
8199 KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
8200
8201 In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
8202 potential to corrupt kernel memory if userspace provides an address that
8203 is at the end of a page. This patches concerts those functions to use
8204 kvm_write_guest_cached and kvm_read_guest_cached. It also checks the
8205 vapic_address specified by userspace during ioctl processing and returns
8206 an error to userspace if the address is not a valid GPA.
8207
8208 This is generally not guest triggerable, because the required write is
8209 done by firmware that runs before the guest. Also, it only affects AMD
8210 processors and oldish Intel that do not have the FlexPriority feature
8211 (unless you disable FlexPriority, of course; then newer processors are
8212 also affected).
8213
8214 Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
8215
8216 Reported-by: Andrew Honig <ahonig@google.com>
8217 Cc: stable@vger.kernel.org
8218 Signed-off-by: Andrew Honig <ahonig@google.com>
8219 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8220
8221 arch/x86/kvm/lapic.c | 27 +++++++++++++++------------
8222 arch/x86/kvm/lapic.h | 4 ++--
8223 arch/x86/kvm/x86.c | 40 +---------------------------------------
8224 3 files changed, 18 insertions(+), 53 deletions(-)
8225
8226commit 6261a034c2cc7f34b4c7663ace10d74f9c1fe479
8227Author: Gleb Natapov <gleb@redhat.com>
8228Date: Thu Dec 12 21:20:08 2013 +0100
8229
8230 Upstream commit: 17d68b763f09a9ce824ae23eb62c9efc57b69271
8231
8232 KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
8233
8234 A guest can cause a BUG_ON() leading to a host kernel crash.
8235 When the guest writes to the ICR to request an IPI, while in x2apic
8236 mode the following things happen, the destination is read from
8237 ICR2, which is a register that the guest can control.
8238
8239 kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
8240 cluster id. A BUG_ON is triggered, which is a protection against
8241 accessing map->logical_map with an out-of-bounds access and manages
8242 to avoid that anything really unsafe occurs.
8243
8244 The logic in the code is correct from real HW point of view. The problem
8245 is that KVM supports only one cluster with ID 0 in clustered mode, but
8246 the code that has the bug does not take this into account.
8247
8248 Reported-by: Lars Bull <larsbull@google.com>
8249 Cc: stable@vger.kernel.org
8250 Signed-off-by: Gleb Natapov <gleb@redhat.com>
8251 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8252
8253 arch/x86/kvm/lapic.c | 5 ++++-
8254 1 files changed, 4 insertions(+), 1 deletions(-)
8255
8256commit beb27f127ef300b52f8c20402d053b05bab7f4e3
8257Merge: 82c673f b8daf53
8258Author: Brad Spengler <spender@grsecurity.net>
8259Date: Fri Dec 13 20:11:22 2013 -0500
8260
8261 Merge branch 'pax-test' into grsec-test
8262
8263 Conflicts:
8264 arch/parisc/kernel/sys_parisc.c
8265
8266commit b8daf537ab923daf14f38d283ca5361424154fa8
8267Merge: 7689612 156c758
8268Author: Brad Spengler <spender@grsecurity.net>
8269Date: Fri Dec 13 20:07:08 2013 -0500
8270
8271 Update to pax-linux-3.12.5-test4.patch:
8272 - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus
8273 - fixed underallocation in __d_alloc that would cause an out-of-bounds read later, reported by Dmitry Vyukov and Kees Cook, not understood by Al Viro
8274 (http://lkml.org/lkml/2013/10/3/493 and http://lkml.org/lkml/2013/10/11/293)
8275 - fixed use-after-free in sys_remap_file_pages, reported by Dmitry Vyukov (http://lkml.org/lkml/2013/9/17/30)
8276 - updated size oveflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver
8277 - fixed a btrfs bug caught by the size overflow plugin, reported by Jens Binnewies (http://forums.grsecurity.net/viewtopic.php?f=1&t=3887)
8278 turns out that it was fixed upstream already but never marked for stable backport:
8279 - https://bugzilla.kernel.org/show_bug.cgi?id=66661
8280 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/btrfs/tree-log.c?id=ed9e8af88e2551aaa6bf51d8063a2493e2d71597
8281 - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz Sławiński (https://bugs.gentoo.org/show_bug.cgi?id=487938)
8282 - the mask register has been changed from r10 (used by DRAP) to r12
8283 - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible)
8284
8285 Merge branch 'linux-3.12.y' into pax-test
8286
8287 Conflicts:
8288 arch/parisc/kernel/sys_parisc.c
8289 fs/pipe.c
8290
8291commit 82c673fdfd9925cda2e94b67f775be70b8ef4cca
8292Author: Brad Spengler <spender@grsecurity.net>
8293Date: Fri Dec 13 19:39:54 2013 -0500
8294
8295 Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent
8296 atomic reload improvement. These two objects are used only for "files" private
8297 to the kernel which don't exist on any mounted filesystem and have no visible
8298 path. Only the mode field of these objects is ever used, and we would never
8299 attempt to free these objects a second time (due to their being allocated
8300 into the memory manager associated with the initial policy)
8301
8302 In practice this causes bogus auditing messages for / and could potentially
8303 cause a subject without executable shared memory support to permit executable
8304 shared memory (if PaX is disabled on the binary).
8305
8306 Instead just allocate these two special objects with kzalloc at enable time
8307 and free them at disable time.
8308
8309 Thanks to nyt@countercultured.net for the report
8310
8311 grsecurity/gracl_policy.c | 9 +++++++--
8312 1 files changed, 7 insertions(+), 2 deletions(-)
8313
8314commit b0be33b9efb31e2cb745d1b33eee4f89b315d5bf
8315Merge: 4c60da7 7689612
8316Author: Brad Spengler <spender@grsecurity.net>
8317Date: Sun Dec 8 17:07:04 2013 -0500
8318
8319 Merge branch 'pax-test' into grsec-test
8320
8321 Conflicts:
8322 net/ipv4/ping.c
8323
8324commit 7689612bef2f353f37a2fe94ff0ef8c72634b522
8325Merge: 2f004b8 289b6c7
8326Author: Brad Spengler <spender@grsecurity.net>
8327Date: Sun Dec 8 17:05:58 2013 -0500
8328
8329 Merge branch 'linux-3.12.y' into pax-test
8330
8331 Conflicts:
8332 net/compat.c
8333 net/ipv4/ping.c
8334 net/ipv6/sit.c
8335 net/socket.c
8336
8337commit 4c60da771d2fba442fe7831d590277e6fe80e908
8338Author: Brad Spengler <spender@grsecurity.net>
8339Date: Sun Dec 8 16:12:01 2013 -0500
8340
8341 Backport of:
8342
8343 If we allocate less than sizeof(struct attrlist) then we end up
8344 corrupting memory or doing a ZERO_PTR_SIZE dereference.
8345
8346 This can only be triggered with CAP_SYS_ADMIN.
8347
8348 Reported-by: Nico Golde <nico@xxxxxxxxx>
8349 Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
8350 Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
8351
8352 fs/xfs/xfs_ioctl.c | 3 ++-
8353 fs/xfs/xfs_ioctl32.c | 3 ++-
8354 2 files changed, 4 insertions(+), 2 deletions(-)
8355
8356commit bd50af2c306bfe6287631e0e1745cc5d2fbad0c2
8357Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
8358Date: Thu Dec 5 23:29:19 2013 +0100
8359
8360 Upstream commit: 239c78db9c41a8f524cce60507440d72229d73bc
8361
8362 net: clear local_df when passing skb between namespaces
8363
8364 We must clear local_df when passing the skb between namespaces as the
8365 packet is not local to the new namespace any more and thus may not get
8366 fragmented by local rules. Fred Templin noticed that other namespaces
8367 do fragment IPv6 packets while forwarding. Instead they should have send
8368 back a PTB.
8369
8370 The same problem should be present when forwarding DF-IPv4 packets
8371 between namespaces.
8372
8373 Reported-by: Templin, Fred L <Fred.L.Templin@boeing.com>
8374 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
8375 Signed-off-by: David S. Miller <davem@davemloft.net>
8376
8377 net/core/skbuff.c | 1 +
8378 1 files changed, 1 insertions(+), 0 deletions(-)
8379
8380commit 7803212c99050491bd0a2618e039f62c825f82e5
8381Author: Linus Torvalds <torvalds@linux-foundation.org>
8382Date: Mon Dec 2 11:50:37 2013 -0800
8383
8384 Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d
8385
8386 uio: we cannot mmap unaligned page contents
8387
8388 In commit 7314e613d5ff ("Fix a few incorrectly checked
8389 [io_]remap_pfn_range() calls") the uio driver started more properly
8390 checking the passed-in user mapping arguments against the size of the
8391 actual uio driver data.
8392
8393 That in turn exposed that some driver authors apparently didn't realize
8394 that mmap can only work on a page granularity, and had tried to use it
8395 with smaller mappings, with the new size check catching that out.
8396
8397 So since it's not just the user mmap() arguments that can be confused,
8398 make the uio mmap code also verify that the uio driver has the memory
8399 allocated at page boundaries in order for mmap to work. If the device
8400 memory isn't properly aligned, we return
8401
8402 [ENODEV]
8403 The fildes argument refers to a file whose type is not supported by mmap().
8404
8405 as per the open group documentation on mmap.
8406
8407 Reported-by: Holger Brunck <holger.brunck@keymile.com>
8408 Acked-by: Greg KH <gregkh@linuxfoundation.org>
8409 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8410
8411 drivers/uio/uio.c | 2 ++
8412 1 files changed, 2 insertions(+), 0 deletions(-)
8413
8414commit e5fb91d26cb825c36042d62373c0a32a176cfe2d
8415Merge: 6b9d9e2 2f004b8
8416Author: Brad Spengler <spender@grsecurity.net>
8417Date: Sun Dec 8 10:18:49 2013 -0500
8418
8419 Merge branch 'pax-test' into grsec-test
8420
8421 Conflicts:
8422 mm/mmap.c
8423
8424commit 2f004b87204d113e467ba360ac8b0a9cbfcf01cb
8425Merge: c04a09b 81605d3
8426Author: Brad Spengler <spender@grsecurity.net>
8427Date: Sun Dec 8 10:16:53 2013 -0500
8428
8429 Update to pax-linux-3.12.3-test2.patch:
8430 - forward port to 3.12.3
8431 - fixed incorrect ACCESS_ONCE accessors in rcutree, reported by mcp
8432 - fixed the usual arm/CONSTIFY fallout, reported by Michael Tremer <michael.tremer@ipfire.org>
8433 - changed the constify plugin to give better error messages
8434 - worked around a gcc induced intentional integer overflow in usbdev_read, reported by quasar366 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3889)
8435 - better fix for http://forums.grsecurity.net/viewtopic.php?f=3&t=3885
8436 - fixed crash under qemu when INVPCID was enabled (say, on -cpu Haswell) but PCID itself wasn't, reported by spender
8437 - updated size overflow plugin from Emese, coverage will increase further
8438
8439 Merge branch 'linux-3.12.y' into pax-test
8440
8441 Conflicts:
8442 kernel/trace/ftrace.c
8443 mm/mmap.c
8444
8445commit 6b9d9e2fe7cd30598a4c22c159ff3b06339e23c8
8446Author: David Herrmann <dh.herrmann@gmail.com>
8447Date: Tue Nov 26 13:58:18 2013 +0100
8448
8449 Upstream commit: 80897aa787ecd58eabb29deab7cbec9249c9b7e6
8450
8451 HID: uhid: fix leak for 64/32 UHID_CREATE
8452
8453 UHID allows short writes so user-space can omit unused fields. We
8454 automatically set them to 0 in the kernel. However, the 64/32 bit
8455 compat-handler didn't do that in the UHID_CREATE fallback. This will
8456 reveal random kernel heap data (of random size, even) to user-space.
8457
8458 Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems')
8459
8460 Reported-by: Ben Hutchings <ben@decadent.org.uk>
8461 Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
8462 Cc: stable@vger.kernel.org
8463 Signed-off-by: Jiri Kosina <jkosina@suse.cz>
8464
8465 drivers/hid/uhid.c | 2 +-
8466 1 files changed, 1 insertions(+), 1 deletions(-)
8467
8468commit a06981f0117d614ba4d30f6b5dd6eff7d418ffae
8469Author: Brad Spengler <spender@grsecurity.net>
8470Date: Wed Dec 4 18:15:02 2013 -0500
8471
8472 Don't duplicate __get_dumpable, also make sure we check against
8473 SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing
8474 detection when suid_dumpable was set to 2
8475
8476 fs/coredump.c | 7 +++++--
8477 grsecurity/grsec_sig.c | 14 ++------------
8478 include/linux/grsecurity.h | 2 +-
8479 3 files changed, 8 insertions(+), 15 deletions(-)
8480
8481commit fc706a922b49e3157cac848fb0c8d1dcf4f360bb
8482Merge: 0f023d5 c04a09b
8483Author: Brad Spengler <spender@grsecurity.net>
8484Date: Tue Dec 3 21:41:57 2013 -0500
8485
8486 Merge branch 'pax-test' into grsec-test
8487
8488commit c04a09b7dbfafdbee85e09c224e90ebc665ce4f5
8489Author: Brad Spengler <spender@grsecurity.net>
8490Date: Tue Dec 3 21:41:20 2013 -0500
8491
8492 fix up ACCESS_ONCE -> ACCESS_ONCE_RW, as reported by mcp
8493
8494 kernel/rcutree_plugin.h | 8 ++++----
8495 1 files changed, 4 insertions(+), 4 deletions(-)
8496
8497commit 0f023d59d361b9880155dd8ddb0c1e19a48437c6
8498Author: Brad Spengler <spender@grsecurity.net>
8499Date: Tue Dec 3 19:39:04 2013 -0500
8500
8501 Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO,
8502 see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879
8503 The previous info was many years outdated.
8504
8505 Disable KEXEC when GRKERNSEC_KMEM is enabled:
8506 http://mjg59.dreamwidth.org/28746.html
8507
8508 Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning
8509 -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present
8510
8511 arch/arm/Kconfig | 1 +
8512 arch/ia64/Kconfig | 1 +
8513 arch/mips/Kconfig | 1 +
8514 arch/powerpc/Kconfig | 1 +
8515 arch/tile/Kconfig | 1 +
8516 arch/x86/Kconfig | 1 +
8517 arch/x86/kernel/ioport.c | 12 ++++++------
8518 grsecurity/Kconfig | 27 +++++++++++----------------
8519 8 files changed, 23 insertions(+), 22 deletions(-)
8520
8521commit 9f610c9c398e7e61183feb7fec6b91b9f2223b61
8522Merge: fed624e 1395b8f
8523Author: Brad Spengler <spender@grsecurity.net>
8524Date: Mon Dec 2 17:33:01 2013 -0500
8525
8526 Merge branch 'pax-test' into grsec-test
8527
8528commit 1395b8f8832d179a0c73e890754534c9d5442201
8529Author: Brad Spengler <spender@grsecurity.net>
8530Date: Mon Dec 2 17:31:35 2013 -0500
8531
8532 Forward-ported the following fix from 3.2:
8533 - worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885)
8534
8535 This caused filesystem corruption in the reported XFS case, problem
8536 introduced with Nov 24th patch (IPA-based size overflow plugin)
8537
8538 arch/x86/include/asm/atomic64_32.h | 2 +-
8539 arch/x86/include/asm/atomic64_64.h | 2 +-
8540 2 files changed, 2 insertions(+), 2 deletions(-)
8541
8542commit fed624ebfd1d08ee6db247733cdb44df0e1be8b0
8543Author: Brad Spengler <spender@grsecurity.net>
8544Date: Mon Dec 2 17:20:00 2013 -0500
8545
8546 Fix qemu -cpu Haswell booting with pax_nouderef on the kernel cmdline
8547
8548 init/main.c | 1 +
8549 1 files changed, 1 insertions(+), 0 deletions(-)
8550
8551commit a72ed588cbbda00d356529507b6bdca56c19d4c3
8552Merge: 3f201fe db6d69f
8553Author: Brad Spengler <spender@grsecurity.net>
8554Date: Sat Nov 30 10:46:15 2013 -0500
8555
8556 Merge branch 'pax-test' into grsec-test
8557
8558 Conflicts:
8559 fs/dcache.c
8560 ipc/shm.c
8561 net/sunrpc/clnt.c
8562
8563commit db6d69f61412f929242423f92d52f4c2c74bab5d
8564Merge: 1f411d7 050dcf4
8565Author: Brad Spengler <spender@grsecurity.net>
8566Date: Sat Nov 30 10:40:33 2013 -0500
8567
8568 Merge branch 'linux-3.12.y' into pax-test
8569
8570commit 3f201fe9a368a4b0339a2f3cf1259b785ae8374c
8571Author: Brad Spengler <spender@grsecurity.net>
8572Date: Tue Nov 26 15:16:48 2013 -0500
8573
8574 Fix null deref on application of the shutdown role, reported by zakalwe
8575
8576 grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++-
8577 grsecurity/gracl_policy.c | 58 ++++-----------------------------------------
8578 2 files changed, 62 insertions(+), 54 deletions(-)
8579
8580commit f5648d16a7cc79abe6de7ae62e284fa511bb750a
8581Author: Brad Spengler <spender@grsecurity.net>
8582Date: Tue Nov 26 13:04:07 2013 -0500
8583
8584 Add system library paths to allowed areas for usermode helper calls,
8585 later we will also add checks to ensure the file is owned by root
8586
8587 kernel/kmod.c | 5 +++--
8588 1 files changed, 3 insertions(+), 2 deletions(-)
8589
8590commit c610c1f0f580069a1dc9d58c0eb0bddd33cbc25c
8591Author: Brad Spengler <spender@grsecurity.net>
8592Date: Tue Nov 26 12:59:00 2013 -0500
8593
8594 Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer
8595 causing a NULL deref on RBAC reload, reported by zakalwe
8596
8597 grsecurity/gracl_policy.c | 2 +-
8598 1 files changed, 1 insertions(+), 1 deletions(-)
8599
8600commit 4026c926f19d7642c1f89895b556fe2addaef239
8601Author: Al Viro <viro@zeniv.linux.org.uk>
8602Date: Wed Nov 13 07:45:40 2013 -0500
8603
8604 Upstream commit: ede4cebce16f5643c61aedd6d88d9070a1d23a68
8605
8606 prepend_path() needs to reinitialize dentry/vfsmount/mnt on restarts
8607
8608 ... and equivalent is needed in 3.12; it's broken there as well
8609
8610 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
8611
8612 Conflicts:
8613
8614 fs/dcache.c
8615
8616 fs/dcache.c | 10 +++++++---
8617 1 files changed, 7 insertions(+), 3 deletions(-)
8618
8619commit c68d27fa66951166bff79a5c1bcc26985ac3f8bc
8620Merge: 94b560b 1f411d7
8621Author: Brad Spengler <spender@grsecurity.net>
8622Date: Mon Nov 25 23:09:47 2013 -0500
8623
8624 Merge branch 'pax-test' into grsec-test
8625
8626commit 1f411d73c56904d2be9cde1f78aaec7f4554dab1
8627Merge: 5f17cd8 6beb1be
8628Author: Brad Spengler <spender@grsecurity.net>
8629Date: Mon Nov 25 23:09:34 2013 -0500
8630
8631 Merge branch 'linux-3.12.y' into pax-test
8632
8633commit 94b560b0163a20b9eab9ec77b83f0bff853fe601
8634Author: Brad Spengler <spender@grsecurity.net>
8635Date: Mon Nov 25 22:33:33 2013 -0500
8636
8637 compile fix
8638
8639 kernel/kmod.c | 2 +-
8640 1 files changed, 1 insertions(+), 1 deletions(-)
8641
8642commit 58c014d37769d384c2e3c06ce5f60fe54f855b24
8643Merge: 48ac6ac 5f17cd8
8644Author: Brad Spengler <spender@grsecurity.net>
8645Date: Mon Nov 25 22:27:00 2013 -0500
8646
8647 Merge branch 'pax-test' into grsec-test
8648
8649 Conflicts:
8650 arch/arm/mm/fault.c
8651
8652commit 5f17cd87d5c7faf606255f061dd394f6761e38df
8653Author: Brad Spengler <spender@grsecurity.net>
8654Date: Mon Nov 25 22:25:42 2013 -0500
8655
8656 Update to pax-linux-3.12.1-test2.patch:
8657 - made arm/UDEREF violation reports more consistent, reported by acez and spender
8658 - added a bit more amd64 kernel page table hardening
8659 - fixed some constify related compiler errors
8660 - fixed stack trace reports under i386/KERNEXEC, reported by ncopa and minipli
8661 - updated the size overflow hash table
8662
8663 arch/arm/mm/fault.c | 16 ++-
8664 arch/x86/include/asm/paravirt_types.h | 2 +-
8665 arch/x86/kernel/head_64.S | 18 ++-
8666 drivers/gpu/drm/radeon/radeon_ttm.c | 2 +-
8667 drivers/gpu/vga/vga_switcheroo.c | 4 +-
8668 drivers/hwmon/nct6775.c | 6 +-
8669 drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +-
8670 drivers/staging/lustre/lnet/selftest/framework.c | 4 -
8671 drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
8672 drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
8673 drivers/staging/lustre/lustre/include/obd.h | 2 +-
8674 .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +-
8675 drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
8676 drivers/staging/rtl8188eu/include/rtw_io.h | 2 +-
8677 include/linux/hwmon-sysfs.h | 1 +
8678 include/linux/pm.h | 1 +
8679 include/linux/vga_switcheroo.h | 8 +-
8680 net/core/sysctl_net_core.c | 2 +-
8681 scripts/link-vmlinux.sh | 4 +-
8682 sound/soc/soc-core.c | 6 +-
8683 tools/gcc/size_overflow_hash.data | 142 ++++++++++++--------
8684 21 files changed, 145 insertions(+), 111 deletions(-)
8685
8686commit 48ac6ac8a1fd55f2b276bf5326ce52782b7c554f
8687Author: Brad Spengler <spender@grsecurity.net>
8688Date: Mon Nov 25 12:01:21 2013 -0500
8689
8690 Conventions exist for a reason -- systemd knows better though
8691 and decides to put security-sensitive system administration utilities
8692 into /usr/lib/systemd in contrast to *every* other user of usermode
8693 helpers. Work around this stupidity
8694
8695 kernel/kmod.c | 4 ++--
8696 1 files changed, 2 insertions(+), 2 deletions(-)
8697
8698commit 9ed081196dcaa72bae91d5a31329e35bd480d92b
8699Author: Brad Spengler <spender@grsecurity.net>
8700Date: Sun Nov 24 22:49:05 2013 -0500
8701
8702 Revert "HID: multitouch: validate feature report details"
8703
8704 This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684.
8705
8706 drivers/hid/hid-multitouch.c | 25 +++++--------------------
8707 1 files changed, 5 insertions(+), 20 deletions(-)
8708
8709commit 801d69b26655ea7240df45ad14f96054e4d9803a
8710Author: Brad Spengler <spender@grsecurity.net>
8711Date: Sun Nov 24 22:48:49 2013 -0500
8712
8713 Revert "HID: lenovo-tpkbd: validate output report details"
8714
8715 This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a.
8716
8717 drivers/hid/hid-lenovo-tpkbd.c | 5 -----
8718 1 files changed, 0 insertions(+), 5 deletions(-)
8719
8720commit 1f70f596dd47ca9467a06b19ffc341c147ea4a23
8721Author: Brad Spengler <spender@grsecurity.net>
8722Date: Sun Nov 24 22:48:33 2013 -0500
8723
8724 Revert "HID: steelseries: validate output report details"
8725
8726 This reverts commit 0996966348dc3c3f7515567d3245292785d484fc.
8727
8728 drivers/hid/hid-steelseries.c | 5 -----
8729 1 files changed, 0 insertions(+), 5 deletions(-)
8730
8731commit 8101ee4167c83f850cc2366088e3f60d01dcb9f7
8732Author: Brad Spengler <spender@grsecurity.net>
8733Date: Sun Nov 24 22:22:03 2013 -0500
8734
8735 remove __no_const from pv_lock_ops as it's not constified by the plugin
8736
8737 arch/x86/include/asm/paravirt_types.h | 2 +-
8738 1 files changed, 1 insertions(+), 1 deletions(-)
8739
8740commit a94e46e08a9d8236544f881faa9cccecfe9c702b
8741Author: Brad Spengler <spender@grsecurity.net>
8742Date: Sun Nov 24 22:08:33 2013 -0500
8743
8744 add missing header
8745
8746 fs/proc/proc_sysctl.c | 3 +++
8747 1 files changed, 3 insertions(+), 0 deletions(-)
8748
8749commit f0018c34f5ef840fffac10eb60fed9048317832f
8750Author: Brad Spengler <spender@grsecurity.net>
8751Date: Sun Nov 24 22:04:55 2013 -0500
8752
8753 Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace
8754
8755 fs/proc/proc_sysctl.c | 2 +-
8756 1 files changed, 1 insertions(+), 1 deletions(-)
8757
8758commit 99a6a515bf625395fa31892f46311c3877a3fa93
8759Author: Brad Spengler <spender@grsecurity.net>
8760Date: Sun Nov 24 17:50:21 2013 -0500
8761
8762 remove unnecessary code/comments after new reload method
8763
8764 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8765
8766 grsecurity/gracl.c | 4 ----
8767 grsecurity/gracl_policy.c | 13 -------------
8768 2 files changed, 0 insertions(+), 17 deletions(-)
8769
8770commit 10b6650a259b9a5911a33fc9aaf6677920830eee
8771Author: Brad Spengler <spender@grsecurity.net>
8772Date: Sun Nov 24 16:05:01 2013 -0500
8773
8774 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then)
8775
8776 Introduce new atomic RBAC reload method, developed as part of sponsorship
8777 by EIG
8778
8779 This is accompanied by an updated 3.0 gradm which will use the new reload
8780 method when -R is passed to gradm. The old method will still be available
8781 via gradm -r (which is what a 2.9.1 gradm will continue to use).
8782
8783 The new RBAC reload method is atomic in the sense that at no point in the
8784 reload process will the system not be covered by a coherent full policy.
8785 In contrast to previous reload behavior, it also preserves inherited subjects
8786 and special roles.
8787
8788 The old RBAC reload method has also been made atomic. Both methods have
8789 been updated to perform role_allowed_ip checks only against the IP tagged
8790 to the task at the time its role was first applied or changed. This resolves
8791 long-standing usability problems with the use of role_allowed_ip and matches
8792 the policies created by learning.
8793
8794 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8795
8796 grsecurity/Makefile | 2 +-
8797 grsecurity/gracl.c | 3903 +++++++++++++------------------------------
8798 grsecurity/gracl_alloc.c | 42 +-
8799 grsecurity/gracl_compat.c | 3 +-
8800 grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++
8801 grsecurity/gracl_segv.c | 12 +-
8802 grsecurity/grsec_disabled.c | 7 -
8803 grsecurity/grsec_init.c | 15 -
8804 include/linux/gracl.h | 43 +-
8805 include/linux/grinternal.h | 1 -
8806 include/linux/grsecurity.h | 1 -
8807 include/linux/sched.h | 2 +
8808 12 files changed, 3082 insertions(+), 2787 deletions(-)
8809
8810commit b035ba537ccc7dc58b9643ab58a2f5a7b4e6738e
8811Author: Brad Spengler <spender@grsecurity.net>
8812Date: Sun Nov 24 15:08:28 2013 -0500
8813
8814 compile fix for recent GRKERNSEC_CHROOT_INITRD change
8815
8816 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8817
8818 init/main.c | 12 +++---------
8819 1 files changed, 3 insertions(+), 9 deletions(-)
8820
8821commit a898fff136a97e265c63375a2a03ebd91c9c1286
8822Author: Brad Spengler <spender@grsecurity.net>
8823Date: Sat Nov 23 18:27:37 2013 -0500
8824
8825 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path
8826
8827 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8828
8829 include/linux/kmod.h | 3 +++
8830 kernel/kmod.c | 13 +++++++++++++
8831 2 files changed, 16 insertions(+), 0 deletions(-)
8832
8833commit 1ae8347eb782c4e961210052e2de554bfdb52980
8834Author: Brad Spengler <spender@grsecurity.net>
8835Date: Sat Nov 23 17:20:15 2013 -0500
8836
8837 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention.
8838
8839 Reported by acez on IRC
8840
8841 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8842
8843 arch/arm/mm/fault.c | 11 +++++++++++
8844 1 files changed, 11 insertions(+), 0 deletions(-)
8845
8846commit 71643b46e6b67e76e52153559d0dc4004c402141
8847Author: Brad Spengler <spender@grsecurity.net>
8848Date: Sat Nov 23 16:56:46 2013 -0500
8849
8850 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically.
8851
8852 Conflicts:
8853
8854 init/main.c
8855
8856 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8857
8858 grsecurity/Kconfig | 2 +-
8859 grsecurity/grsec_chroot.c | 2 +-
8860 init/main.c | 15 +++++++++++++++
8861 3 files changed, 17 insertions(+), 2 deletions(-)
8862
8863commit e357e72d769e5c35167e2bf934c722fc825ee2cd
8864Author: Brad Spengler <spender@grsecurity.net>
8865Date: Sat Nov 23 16:33:20 2013 -0500
8866
8867 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
8868
8869 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8870
8871 kernel/kmod.c | 8 ++++++++
8872 1 files changed, 8 insertions(+), 0 deletions(-)
8873
8874commit 4ed2dc55aa2344b9ade6cddbe5ee8b51b6239c54
8875Author: Brad Spengler <spender@grsecurity.net>
8876Date: Sat Nov 23 16:02:01 2013 -0500
8877
8878 perform USERCOPY kernel text checks against the linear mapping on amd64 as well
8879
8880 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8881
8882 fs/exec.c | 8 ++++++++
8883 1 files changed, 8 insertions(+), 0 deletions(-)
8884
8885commit 211bbd408a1d7bc2e9ef72df07aa7ce0cbd6c49d
8886Author: Brad Spengler <spender@grsecurity.net>
8887Date: Fri Nov 22 20:31:37 2013 -0500
8888
8889 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
8890
8891 This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
8892
8893 It caused errors with traceroute, reported to upstream and fixed with
8894 http://patchwork.ozlabs.org/patch/293614/
8895 But there's no reason for us to maintain this backport as we're
8896 already impervious to recvmsg/msg_name infoleaks
8897
8898 Conflicts:
8899
8900 net/ipv4/ping.c
8901
8902 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8903
8904 net/ieee802154/dgram.c | 3 ++-
8905 net/ipv4/ping.c | 11 +++++++++--
8906 net/ipv4/raw.c | 4 +++-
8907 net/ipv4/udp.c | 7 ++++++-
8908 net/ipv6/raw.c | 4 +++-
8909 net/ipv6/udp.c | 5 ++++-
8910 net/l2tp/l2tp_ip.c | 4 +++-
8911 net/phonet/datagram.c | 9 +++++----
8912 8 files changed, 35 insertions(+), 12 deletions(-)
8913
8914commit 4bd8414bb148cf8681c8f1d2deda5739cafb6917
8915Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
8916Date: Mon Nov 18 07:07:45 2013 +0100
8917
8918 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
8919
8920 ping: prevent NULL pointer dereference on write to msg_name
8921
8922 A plain read() on a socket does set msg->msg_name to NULL. So check for
8923 NULL pointer first.
8924
8925 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
8926 Signed-off-by: David S. Miller <davem@davemloft.net>
8927 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8928
8929 net/ipv4/ping.c | 34 +++++++++++++++++++---------------
8930 1 files changed, 19 insertions(+), 15 deletions(-)
8931
8932commit ccc6e0dd63fc36c5c7fd1bbe4f8fed6533d188a1
8933Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
8934Date: Mon Nov 18 04:20:45 2013 +0100
8935
8936 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
8937
8938 inet: prevent leakage of uninitialized memory to user in recv syscalls
8939
8940 Only update *addr_len when we actually fill in sockaddr, otherwise we
8941 can return uninitialized memory from the stack to the caller in the
8942 recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
8943 checks because we only get called with a valid addr_len pointer either
8944 from sock_common_recvmsg or inet_recvmsg.
8945
8946 If a blocking read waits on a socket which is concurrently shut down we
8947 now return zero and set msg_msgnamelen to 0.
8948
8949 Reported-by: mpb <mpb.mail@gmail.com>
8950 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
8951 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
8952 Signed-off-by: David S. Miller <davem@davemloft.net>
8953 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8954
8955 net/ieee802154/dgram.c | 3 +--
8956 net/ipv4/ping.c | 19 +++++++------------
8957 net/ipv4/raw.c | 4 +---
8958 net/ipv4/udp.c | 7 +------
8959 net/ipv6/raw.c | 4 +---
8960 net/ipv6/udp.c | 5 +----
8961 net/l2tp/l2tp_ip.c | 4 +---
8962 net/phonet/datagram.c | 9 ++++-----
8963 8 files changed, 17 insertions(+), 38 deletions(-)
8964
8965commit 0db1e136415d5696b2342b953361ef7c3017247d
8966Author: Jeff Layton <jlayton@redhat.com>
8967Date: Wed Nov 13 09:08:21 2013 -0500
8968
8969 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
8970
8971 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
8972
8973 Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
8974 NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
8975 There is no guarantee that doing so will work however, so we can end up
8976 retrying the call in an infinite loop.
8977
8978 Worse yet, we create the new client using rpc_clone_client_set_auth,
8979 which creates the new client as a child of the old one. Thus, we can end
8980 up with a *very* long lineage of rpc_clnts. When we go to put all of the
8981 references to them, we can end up with a long call chain that can smash
8982 the stack as each rpc_free_client() call can recurse back into itself.
8983
8984 This patch fixes this by simply ensuring that the SETCLIENTID call will
8985 only be retried in this situation if the last attempt did not use
8986 RPC_AUTH_UNIX.
8987
8988 Note too that with this change, we don't need the (i > 2) check in the
8989 -EACCES case since we now have a more reliable test as to whether we
8990 should reattempt.
8991
8992 Cc: stable@vger.kernel.org # v3.10+
8993 Cc: Chuck Lever <chuck.lever@oracle.com>
8994 Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
8995 Signed-off-by: Jeff Layton <jlayton@redhat.com>
8996 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
8997 Signed-off-by: Brad Spengler <spender@grsecurity.net>
8998
8999 fs/nfs/nfs4state.c | 7 ++++++-
9000 1 files changed, 6 insertions(+), 1 deletions(-)
9001
9002commit 74d59ef1b28635f588c47b270777cd69b0e8291f
9003Author: Trond Myklebust <Trond.Myklebust@netapp.com>
9004Date: Tue Nov 12 17:24:36 2013 -0500
9005
9006 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
9007
9008 SUNRPC: Avoid deep recursion in rpc_release_client
9009
9010 In cases where an rpc client has a parent hierarchy, then
9011 rpc_free_client may end up calling rpc_release_client() on the
9012 parent, thus recursing back into rpc_free_client. If the hierarchy
9013 is deep enough, then we can get into situations where the stack
9014 simply overflows.
9015
9016 The fix is to have rpc_release_client() loop so that it can take
9017 care of the parent rpc client hierarchy without needing to
9018 recurse.
9019
9020 Reported-by: Jeff Layton <jlayton@redhat.com>
9021 Reported-by: Weston Andros Adamson <dros@netapp.com>
9022 Reported-by: Bruce Fields <bfields@fieldses.org>
9023 Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
9024 Cc: stable@vger.kernel.org
9025 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
9026 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9027
9028 net/sunrpc/clnt.c | 29 +++++++++++++++++------------
9029 1 files changed, 17 insertions(+), 12 deletions(-)
9030
9031commit 8ae59cf66f3a302d45578171337df2d8fe35458c
9032Author: Trond Myklebust <Trond.Myklebust@netapp.com>
9033Date: Fri Nov 8 16:03:50 2013 -0500
9034
9035 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
9036
9037 SUNRPC: Fix a data corruption issue when retransmitting RPC calls
9038
9039 The following scenario can cause silent data corruption when doing
9040 NFS writes. It has mainly been observed when doing database writes
9041 using O_DIRECT.
9042
9043 1) The RPC client uses sendpage() to do zero-copy of the page data.
9044 2) Due to networking issues, the reply from the server is delayed,
9045 and so the RPC client times out.
9046
9047 3) The client issues a second sendpage of the page data as part of
9048 an RPC call retransmission.
9049
9050 4) The reply to the first transmission arrives from the server
9051 _before_ the client hardware has emptied the TCP socket send
9052 buffer.
9053 5) After processing the reply, the RPC state machine rules that
9054 the call to be done, and triggers the completion callbacks.
9055 6) The application notices the RPC call is done, and reuses the
9056 pages to store something else (e.g. a new write).
9057
9058 7) The client NIC drains the TCP socket send buffer. Since the
9059 page data has now changed, it reads a corrupted version of the
9060 initial RPC call, and puts it on the wire.
9061
9062 This patch fixes the problem in the following manner:
9063
9064 The ordering guarantees of TCP ensure that when the server sends a
9065 reply, then we know that the _first_ transmission has completed. Using
9066 zero-copy in that situation is therefore safe.
9067 If a time out occurs, we then send the retransmission using sendmsg()
9068 (i.e. no zero-copy), We then know that the socket contains a full copy of
9069 the data, and so it will retransmit a faithful reproduction even if the
9070 RPC call completes, and the application reuses the O_DIRECT buffer in
9071 the meantime.
9072
9073 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
9074 Cc: stable@vger.kernel.org
9075 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9076
9077 net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++-------
9078 1 files changed, 21 insertions(+), 7 deletions(-)
9079
9080commit 1a40aeaa23860a26df02c9c8729937b6da2bcdd6
9081Author: Dan Carpenter <dan.carpenter@oracle.com>
9082Date: Thu Nov 14 11:21:10 2013 +0300
9083
9084 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
9085
9086 isdnloop: use strlcpy() instead of strcpy()
9087
9088 These strings come from a copy_from_user() and there is no way to be
9089 sure they are NUL terminated.
9090
9091 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
9092 Signed-off-by: David S. Miller <davem@davemloft.net>
9093 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9094
9095 drivers/isdn/isdnloop/isdnloop.c | 8 +++++---
9096 1 files changed, 5 insertions(+), 3 deletions(-)
9097
9098commit a7a1549064b332e878efa22fdebed32035cc8f07
9099Author: Eric Dumazet <edumazet@google.com>
9100Date: Thu Nov 14 13:37:54 2013 -0800
9101
9102 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
9103
9104 ipv4: fix possible seqlock deadlock
9105
9106 ip4_datagram_connect() being called from process context,
9107 it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
9108 otherwise we can deadlock on 32bit arches, or get corruptions of
9109 SNMP counters.
9110
9111 Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
9112 Signed-off-by: Eric Dumazet <edumazet@google.com>
9113 Reported-by: Dave Jones <davej@redhat.com>
9114 Signed-off-by: David S. Miller <davem@davemloft.net>
9115 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9116
9117 net/ipv4/datagram.c | 2 +-
9118 1 files changed, 1 insertions(+), 1 deletions(-)
9119
9120commit 96b7719c933229c8619f8ad207c141dcc70d546e
9121Author: Brad Spengler <spender@grsecurity.net>
9122Date: Thu Nov 14 20:15:51 2013 -0500
9123
9124 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
9125
9126 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9127
9128 grsecurity/Kconfig | 1 +
9129 1 files changed, 1 insertions(+), 0 deletions(-)
9130
9131commit 0001071fa9ff6ef9370a370bea51bef2f1e3c2ab
9132Author: Brad Spengler <spender@grsecurity.net>
9133Date: Thu Nov 14 19:07:11 2013 -0500
9134
9135 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows
9136
9137 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9138
9139 arch/arm/mm/Kconfig | 2 +-
9140 1 files changed, 1 insertions(+), 1 deletions(-)
9141
9142commit 05ae94add600530e3ae98f9a153cb6423b91e46a
9143Author: Brad Spengler <spender@grsecurity.net>
9144Date: Thu Nov 14 19:01:59 2013 -0500
9145
9146 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
9147
9148 Will let this sit in -test for a while to weed out any app incompatibilities
9149
9150 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9151
9152 grsecurity/Kconfig | 17 +++++++++++++++++
9153 grsecurity/Makefile | 2 +-
9154 grsecurity/grsec_init.c | 4 ++++
9155 grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
9156 grsecurity/grsec_sysctl.c | 9 +++++++++
9157 include/linux/grinternal.h | 1 +
9158 include/linux/grmsg.h | 1 +
9159 ipc/util.c | 5 +++++
9160 8 files changed, 60 insertions(+), 1 deletions(-)
9161
9162commit f5be6d902d5b36c0fb40aabb61f686e510a2d887
9163Author: Brad Spengler <spender@grsecurity.net>
9164Date: Mon Nov 11 10:48:10 2013 -0500
9165
9166 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c
9167
9168 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9169
9170 drivers/video/arcfb.c | 2 +-
9171 1 files changed, 1 insertions(+), 1 deletions(-)
9172
9173commit e60c412c422f72a52c819465db8b81991d861390
9174Author: Brad Spengler <spender@grsecurity.net>
9175Date: Sun Nov 10 22:01:33 2013 -0500
9176
9177 Add missing include
9178
9179 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9180
9181 fs/proc/proc_sysctl.c | 1 +
9182 1 files changed, 1 insertions(+), 0 deletions(-)
9183
9184commit 17d5ff67a76aab404c8cbe13576d492a7a8b342a
9185Author: Brad Spengler <spender@grsecurity.net>
9186Date: Sun Nov 10 17:50:12 2013 -0500
9187
9188 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND
9189
9190 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9191
9192 arch/arm/mm/Kconfig | 2 +-
9193 grsecurity/Kconfig | 14 ++++++++++++++
9194 2 files changed, 15 insertions(+), 1 deletions(-)
9195
9196commit b4aa2136272e6b1cdbb285a74ee17471dd679dfa
9197Author: Brad Spengler <spender@grsecurity.net>
9198Date: Sun Nov 10 15:19:27 2013 -0500
9199
9200 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr.
9201
9202 Thanks to acez from IRC for debugging.
9203
9204 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9205
9206 mm/Kconfig | 1 +
9207 1 files changed, 1 insertions(+), 0 deletions(-)
9208
9209commit 197a69f1783917091d60db2a3ffd7ff14d41489d
9210Author: Brad Spengler <spender@grsecurity.net>
9211Date: Sun Nov 10 13:54:25 2013 -0500
9212
9213 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own
9214
9215 This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
9216 networking
9217
9218 Thanks to ncopa from IRC for testing
9219
9220 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9221
9222 fs/proc/proc_sysctl.c | 9 +++++++--
9223 1 files changed, 7 insertions(+), 2 deletions(-)
9224
9225commit 010702a965acb2aea4d81510f99d788ab6564123
9226Author: Brad Spengler <spender@grsecurity.net>
9227Date: Wed Nov 6 16:23:36 2013 -0500
9228
9229 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
9230
9231 Conflicts:
9232
9233 security/Kconfig
9234
9235 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9236
9237 security/Kconfig | 1 +
9238 1 files changed, 1 insertions(+), 0 deletions(-)
9239
9240commit 09ce0d45a4fc86ca1389260bf28a62f98ccff362
9241Author: Brad Spengler <spender@grsecurity.net>
9242Date: Wed Nov 6 16:19:21 2013 -0500
9243
9244 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence
9245
9246 Conflicts:
9247
9248 lib/list_debug.c
9249
9250 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9251
9252 lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
9253 1 files changed, 42 insertions(+), 23 deletions(-)
9254
9255commit 60a1f79d72bdfc2c6aed1be9537559959a0b8b55
9256Author: Jason Wang <jasowang@redhat.com>
9257Date: Fri Nov 1 15:01:10 2013 +0800
9258
9259 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
9260
9261 net: flow_dissector: fail on evil iph->ihl
9262
9263 We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
9264 skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
9265 is evil (less than 5).
9266
9267 This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
9268 (rps: support IPIP encapsulation).
9269
9270 Cc: Eric Dumazet <edumazet@google.com>
9271 Cc: Petr Matousek <pmatouse@redhat.com>
9272 Cc: Michael S. Tsirkin <mst@redhat.com>
9273 Cc: Daniel Borkmann <dborkman@redhat.com>
9274 Signed-off-by: Jason Wang <jasowang@redhat.com>
9275 Acked-by: Eric Dumazet <edumazet@google.com>
9276 Signed-off-by: David S. Miller <davem@davemloft.net>
9277 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9278
9279 net/core/flow_dissector.c | 2 +-
9280 1 files changed, 1 insertions(+), 1 deletions(-)
9281
9282commit 9743a1eca0b0172da4ec07bc07fa30fcccb9fba7
9283Author: Linus Torvalds <torvalds@linux-foundation.org>
9284Date: Tue Oct 29 10:21:34 2013 -0700
9285
9286 Fixed a little differently than Linus...
9287
9288 Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
9289
9290 Fix a few incorrectly checked [io_]remap_pfn_range() calls
9291
9292 Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
9293 really should use the vm_iomap_memory() helper. This trivially converts
9294 two of them to the helper, and comments about why the third one really
9295 needs to continue to use remap_pfn_range(), and adds the missing size
9296 check.
9297
9298 Reported-by: Nico Golde <nico@ngolde.de>
9299 Cc: stable@kernel.org
9300 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
9301
9302 Conflicts:
9303
9304 drivers/uio/uio.c
9305 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9306
9307 drivers/uio/uio.c | 6 +++++-
9308 1 files changed, 5 insertions(+), 1 deletions(-)
9309
9310commit 187b4936fbaaafd087556919bae3b719e67536b8
9311Author: Brad Spengler <spender@grsecurity.net>
9312Date: Wed Oct 16 18:36:25 2013 -0400
9313
9314 From: Mathias Krause <minipli@googlemail.com> To: linux-audit@redhat.com Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com> Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
9315
9316 We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
9317 we miss to initialize the mask member of status_set. Fix that.
9318
9319 Cc: Al Viro <viro@zeniv.linux.org.uk>
9320 Cc: Eric Paris <eparis@redhat.com>
9321 Cc: stable@vger.kernel.org # v2.6.6+
9322 Signed-off-by: Mathias Krause <minipli@googlemail.com>
9323 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9324
9325 kernel/audit.c | 1 +
9326 1 files changed, 1 insertions(+), 0 deletions(-)
9327
9328commit 0e48ab30113de43958987e9f0d20fb816892c090
9329Author: Brad Spengler <spender@grsecurity.net>
9330Date: Wed Oct 16 19:02:32 2013 -0400
9331
9332 add 2nd chunk of audit nlmsg_len() fix from minipli
9333
9334 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9335
9336 kernel/audit.c | 2 +-
9337 1 files changed, 1 insertions(+), 1 deletions(-)
9338
9339commit b5e6b4bcb3a38c94605e9fa68d6c5936438fb0d8
9340Author: Brad Spengler <spender@grsecurity.net>
9341Date: Wed Oct 16 18:37:59 2013 -0400
9342
9343 From: Mathias Krause <minipli@googlemail.com> To: linux-audit@redhat.com Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com> Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
9344
9345 Using the nlmsg_len member of the netlink header to test if the message
9346 is valid is wrong as it includes the size of the netlink header itself.
9347 Thereby allowing to send short netlink messages that pass those checks.
9348
9349 Use nlmsg_len() instead to test for the right message length. The result
9350 of nlmsg_len() is guaranteed to be non-negative as the netlink message
9351 already passed the checks of nlmsg_ok().
9352
9353 Also switch to min_t() to please checkpatch.pl.
9354
9355 Cc: Al Viro <viro@zeniv.linux.org.uk>
9356 Cc: Eric Paris <eparis@redhat.com>
9357 Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
9358
9359 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9360
9361 kernel/audit.c | 2 +-
9362 1 files changed, 1 insertions(+), 1 deletions(-)
9363
9364commit dfb491ad409ee7efadcb00041cd31e9e411efebb
9365Author: Brad Spengler <spender@grsecurity.net>
9366Date: Wed Oct 16 18:41:01 2013 -0400
9367
9368 From: Mathias Krause <minipli@googlemail.com> To: netfilter-devel@vger.kernel.org Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be> Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
9369
9370 The ulog messages leak heap bytes by the means of padding bytes and
9371 incompletely filled string arrays. Fix those by memset(0)'ing the
9372 whole struct before filling it.
9373
9374 Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
9375 Signed-off-by: Mathias Krause <minipli@googlemail.com>
9376
9377 Conflicts:
9378
9379 net/bridge/netfilter/ebt_ulog.c
9380 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9381
9382 net/bridge/netfilter/ebt_ulog.c | 9 +++------
9383 1 files changed, 3 insertions(+), 6 deletions(-)
9384
9385commit 637ef6f911201af0136b794b5b602eb14efb6b7c
9386Author: Brad Spengler <spender@grsecurity.net>
9387Date: Wed Oct 16 18:43:01 2013 -0400
9388
9389 From: Mathias Krause <minipli@googlemail.com> To: netfilter-devel@vger.kernel.org Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
9390
9391 The ulog messages leak heap bytes by the means of padding bytes and
9392 incompletely filled string arrays. Fix those by memset(0)'ing the
9393 whole struct before filling it.
9394
9395 Cc: Pablo Neira Ayuso <pablo@netfilter.org>
9396 Cc: Patrick McHardy <kaber@trash.net>
9397 Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9398 Signed-off-by: Mathias Krause <minipli@googlemail.com>
9399
9400 Conflicts:
9401
9402 net/ipv4/netfilter/ipt_ULOG.c
9403 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9404
9405 net/ipv4/netfilter/ipt_ULOG.c | 7 +------
9406 1 files changed, 1 insertions(+), 6 deletions(-)
9407
9408commit 103af82880576436f1fceafec93da69f0d55d019
9409Author: Brad Spengler <spender@grsecurity.net>
9410Date: Fri Sep 27 21:06:17 2013 -0400
9411
9412 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change
9413
9414 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9415
9416 grsecurity/gracl_ip.c | 7 +++----
9417 net/socket.c | 26 +++++++++++++++-----------
9418 2 files changed, 18 insertions(+), 15 deletions(-)
9419
9420commit 7749496c3667613ea505823948c0f4f4d9c1d90c
9421Author: Brad Spengler <spender@grsecurity.net>
9422Date: Sun Sep 22 18:14:07 2013 -0400
9423
9424 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
9425
9426 This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
9427
9428 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9429
9430 net/netlink/genetlink.c | 7 -------
9431 1 files changed, 0 insertions(+), 7 deletions(-)
9432
9433commit 4463e68a60d4fb557d37f993f42e3039041550fc
9434Author: Brad Spengler <spender@grsecurity.net>
9435Date: Sun Sep 15 09:19:21 2013 -0400
9436
9437 remove unnecessary check from when protocol was signed
9438
9439 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9440
9441 net/phonet/af_phonet.c | 2 +-
9442 1 files changed, 1 insertions(+), 1 deletions(-)
9443
9444commit efafe8039b3287f73e0abcb4f7be18e83a5c9a2e
9445Author: Brad Spengler <spender@grsecurity.net>
9446Date: Sun Sep 15 08:53:27 2013 -0400
9447
9448 resync with PaX
9449
9450 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9451
9452 security/selinux/hooks.c | 2 ++
9453 1 files changed, 2 insertions(+), 0 deletions(-)
9454
9455commit 79b41d988ecb86d7dd46f3319b50f4c4d46e65a7
9456Author: Brad Spengler <spender@grsecurity.net>
9457Date: Sat Sep 14 21:12:45 2013 -0400
9458
9459 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
9460
9461 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9462
9463 lib/Kconfig.debug | 2 +-
9464 1 files changed, 1 insertions(+), 1 deletions(-)
9465
9466commit 0f3840d1103e4bf77d4e2098afc4750bb6440ecc
9467Author: Brad Spengler <spender@grsecurity.net>
9468Date: Sat Sep 14 19:16:48 2013 -0400
9469
9470 Fix a bad git merge, re-applied a previously reverted patch
9471
9472 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9473
9474 arch/x86/include/asm/processor.h | 4 ++--
9475 arch/x86/kernel/cpu/common.c | 2 +-
9476 arch/x86/kernel/process_64.c | 2 +-
9477 arch/x86/kernel/smpboot.c | 2 +-
9478 arch/x86/xen/smp.c | 2 +-
9479 5 files changed, 6 insertions(+), 6 deletions(-)
9480
9481commit c5f66cfeabad4b64a521d1442f7ea9149c011320
9482Author: Brad Spengler <spender@grsecurity.net>
9483Date: Sat Sep 14 16:56:37 2013 -0400
9484
9485 finish porting namei.c
9486
9487 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9488
9489 fs/namei.c | 50 +++++++++++---------------------------------------
9490 1 files changed, 11 insertions(+), 39 deletions(-)
9491
9492commit c264c5b4c33c462b41d224091602fe5c9acb163b
9493Author: Brad Spengler <spender@grsecurity.net>
9494Date: Sat Sep 14 16:44:08 2013 -0400
9495
9496 cred->user -> current_user()
9497
9498 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9499
9500 fs/exec.c | 2 +-
9501 1 files changed, 1 insertions(+), 1 deletions(-)
9502
9503commit af7bdc7d41a1a8b631802772088968ceacd0d6b4
9504Author: Brad Spengler <spender@grsecurity.net>
9505Date: Sat Sep 14 16:36:24 2013 -0400
9506
9507 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
9508
9509 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9510
9511 grsecurity/Kconfig | 3 ++-
9512 1 files changed, 2 insertions(+), 1 deletions(-)
9513
9514commit 00eb4028fcc737e2451332e3177705913c9b1bb1
9515Author: Brad Spengler <spender@grsecurity.net>
9516Date: Thu Sep 5 19:36:23 2013 -0400
9517
9518 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
9519
9520 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9521
9522 grsecurity/Kconfig | 3 ++-
9523 1 files changed, 2 insertions(+), 1 deletions(-)
9524
9525commit 7adc4a28e2a0ef38f89bbd648a2e1ba70cad852e
9526Author: Brad Spengler <spender@grsecurity.net>
9527Date: Thu Sep 5 19:17:02 2013 -0400
9528
9529 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
9530
9531 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9532
9533 grsecurity/grsec_sysctl.c | 4 +---
9534 1 files changed, 1 insertions(+), 3 deletions(-)
9535
9536commit 472e0e1d1516b3002ce1e256dfcd58701358d5f8
9537Author: Brad Spengler <spender@grsecurity.net>
9538Date: Thu Sep 5 18:41:49 2013 -0400
9539
9540 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
9541
9542 Also eliminate reset_security_ops() as a ROP target when
9543 SECURITY_SELINUX_DISABLE is disabled as it's the only user
9544
9545 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9546
9547 grsecurity/Kconfig | 17 ++++++++++++++++-
9548 grsecurity/grsec_init.c | 3 +++
9549 grsecurity/grsec_sysctl.c | 2 +-
9550 3 files changed, 20 insertions(+), 2 deletions(-)
9551
9552commit 92745146ec948d5761ac00f98c4a1612c8e6037e
9553Author: Brad Spengler <spender@grsecurity.net>
9554Date: Fri Aug 30 17:11:11 2013 -0400
9555
9556 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
9557
9558 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9559
9560 grsecurity/grsec_sysctl.c | 7 ++++---
9561 1 files changed, 4 insertions(+), 3 deletions(-)
9562
9563commit eac5b7076235de7b21757cab257415ab779cc7c8
9564Author: Brad Spengler <spender@grsecurity.net>
9565Date: Wed Aug 28 20:42:39 2013 -0400
9566
9567 add export of gr_handle_new_usb()
9568
9569 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9570
9571 grsecurity/grsec_usb.c | 2 ++
9572 1 files changed, 2 insertions(+), 0 deletions(-)
9573
9574commit 8e4ea40613a9763d1dc128fdf29c0279001b5e04
9575Author: Brad Spengler <spender@grsecurity.net>
9576Date: Wed Aug 28 19:24:47 2013 -0400
9577
9578 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
9579
9580 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9581
9582 drivers/usb/core/hub.c | 5 +++++
9583 grsecurity/Kconfig | 20 ++++++++++++++++++++
9584 grsecurity/Makefile | 3 ++-
9585 grsecurity/grsec_init.c | 1 +
9586 grsecurity/grsec_sysctl.c | 11 +++++++++++
9587 grsecurity/grsec_usb.c | 13 +++++++++++++
9588 include/linux/grinternal.h | 1 +
9589 include/linux/grsecurity.h | 2 ++
9590 8 files changed, 55 insertions(+), 1 deletions(-)
9591
9592commit 0996966348dc3c3f7515567d3245292785d484fc
9593Author: Kees Cook <keescook@chromium.org>
9594Date: Wed Aug 14 09:14:34 2013 -0700
9595
9596 HID: steelseries: validate output report details
9597
9598 A HID device could send a malicious output report that would cause the
9599 steelseries HID driver to write beyond the output report allocation
9600 during initialization, causing a heap overflow:
9601
9602 [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
9603 ...
9604 [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
9605
9606 CVE-2013-2891
9607
9608 Signed-off-by: Kees Cook <keescook@chromium.org>
9609 Cc: stable@kernel.org
9610 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9611
9612 drivers/hid/hid-steelseries.c | 5 +++++
9613 1 files changed, 5 insertions(+), 0 deletions(-)
9614
9615commit 91bfda18a5711db32c984c632f47fa57458d993a
9616Author: Kees Cook <keescook@chromium.org>
9617Date: Thu Aug 15 23:21:23 2013 -0700
9618
9619 HID: lenovo-tpkbd: validate output report details
9620
9621 A HID device could send a malicious output report that would cause the
9622 lenovo-tpkbd HID driver to write just beyond the output report allocation
9623 during initialization, causing a heap overflow:
9624
9625 [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
9626 ...
9627 [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
9628
9629 CVE-2013-2894
9630
9631 Signed-off-by: Kees Cook <keescook@chromium.org>
9632 Cc: stable@kernel.org
9633 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9634
9635 drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
9636 1 files changed, 5 insertions(+), 0 deletions(-)
9637
9638commit 8aeb7645473b408fc6b2bd78a72671351fc8e684
9639Author: Kees Cook <keescook@chromium.org>
9640Date: Fri Aug 16 00:11:32 2013 -0700
9641
9642 HID: multitouch: validate feature report details
9643
9644 When working on report indexes, always validate that they are in bounds.
9645 Without this, a HID device could report a malicious feature report that
9646 could trick the driver into a heap overflow:
9647
9648 [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
9649 ...
9650 [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
9651
9652 CVE-2013-2897
9653
9654 Signed-off-by: Kees Cook <keescook@chromium.org>
9655 Cc: stable@kernel.org
9656 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9657
9658 drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
9659 1 files changed, 20 insertions(+), 5 deletions(-)
9660
9661commit 1a624940a4733c04c0f997820c1dcd1eebfcd5bc
9662Author: Brad Spengler <spender@grsecurity.net>
9663Date: Mon Aug 19 22:10:04 2013 -0400
9664
9665 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
9666
9667 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9668
9669 arch/x86/kernel/smpboot.c | 3 ---
9670 1 files changed, 0 insertions(+), 3 deletions(-)
9671
9672commit acca67efb4aeee03672b5d2947da311dcfc2a1d6
9673Author: Brad Spengler <spender@grsecurity.net>
9674Date: Sat Aug 17 12:00:20 2013 -0400
9675
9676 make kallsyms_lookup_size_offset available to approved source files
9677
9678 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9679
9680 include/linux/kallsyms.h | 3 +++
9681 1 files changed, 3 insertions(+), 0 deletions(-)
9682
9683commit cb33df1c5ce5f74fcb7d4a2f5b2d07d54d4e1fd8
9684Author: Brad Spengler <spender@grsecurity.net>
9685Date: Sat Aug 17 11:18:09 2013 -0400
9686
9687 allow use of kallsyms_lookup_name to approved source files
9688
9689 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9690
9691 include/linux/kallsyms.h | 1 +
9692 1 files changed, 1 insertions(+), 0 deletions(-)
9693
9694commit 72e55282becb58c925f9034fe717cad96f7fc51d
9695Author: Johannes Berg <johannes.berg@intel.com>
9696Date: Tue Aug 13 09:04:05 2013 +0200
9697
9698 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
9699
9700 genetlink: fix family dump race
9701
9702 When dumping generic netlink families, only the first dump call
9703 is locked with genl_lock(), which protects the list of families,
9704 and thus subsequent calls can access the data without locking,
9705 racing against family addition/removal. This can cause a crash.
9706 Fix it - the locking needs to be conditional because the first
9707 time around it's already locked.
9708
9709 A similar bug was reported to me on an old kernel (3.4.47) but
9710 the exact scenario that happened there is no longer possible,
9711 on those kernels the first round wasn't locked either. Looking
9712 at the current code I found the race described above, which had
9713 also existed on the old kernel.
9714
9715 Cc: stable@vger.kernel.org
9716 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
9717 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
9718 Signed-off-by: David S. Miller <davem@davemloft.net>
9719 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9720
9721 net/netlink/genetlink.c | 7 +++++++
9722 1 files changed, 7 insertions(+), 0 deletions(-)
9723
9724commit 2f8d8b1de901cce7ac5a5dc4f3b8731ba58653d9
9725Author: Brad Spengler <spender@grsecurity.net>
9726Date: Sat Aug 17 08:58:34 2013 -0400
9727
9728 Fix two harmless compiler warnings
9729
9730 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9731
9732 arch/arm/kernel/process.c | 4 ++--
9733 fs/exec.c | 2 +-
9734 2 files changed, 3 insertions(+), 3 deletions(-)
9735
9736commit c414e04ef91fca7dfd260ae307272b1b9a29d1bd
9737Author: Brad Spengler <spender@grsecurity.net>
9738Date: Fri Aug 16 22:46:01 2013 -0400
9739
9740 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
9741
9742 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9743
9744 include/linux/kallsyms.h | 2 +-
9745 kernel/kprobes.c | 3 +++
9746 2 files changed, 4 insertions(+), 1 deletions(-)
9747
9748commit b11ccf0d90b1244a91e0422ecd1a1b4918384ff7
9749Author: Brad Spengler <spender@grsecurity.net>
9750Date: Sat Aug 10 09:41:40 2013 -0400
9751
9752 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
9753
9754 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9755
9756 arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
9757 1 files changed, 8 insertions(+), 4 deletions(-)
9758
9759commit 81c244a4d186918eb5bde824945878803fb5aeeb
9760Author: Brad Spengler <spender@grsecurity.net>
9761Date: Mon Aug 5 17:58:42 2013 -0400
9762
9763 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
9764
9765 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9766
9767 security/Kconfig | 2 +-
9768 1 files changed, 1 insertions(+), 1 deletions(-)
9769
9770commit 0f32f992d91442e87628fa805f488c2431930df7
9771Author: Brad Spengler <spender@grsecurity.net>
9772Date: Mon Aug 5 17:26:40 2013 -0400
9773
9774 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
9775
9776 Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
9777 user namespaces!
9778
9779 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9780
9781 kernel/fork.c | 17 -----------------
9782 kernel/user_namespace.c | 15 +++++++++++++++
9783 2 files changed, 15 insertions(+), 17 deletions(-)
9784
9785commit b570e8d61ff1670d0737acd9919316ac32fce732
9786Author: Brad Spengler <spender@grsecurity.net>
9787Date: Mon Aug 5 16:05:41 2013 -0400
9788
9789 silence a warning on older gcc
9790
9791 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9792
9793 grsecurity/gracl.c | 2 +-
9794 1 files changed, 1 insertions(+), 1 deletions(-)
9795
9796commit f580da3b1ddbecc3f65a7957986742bea34c5851
9797Author: Brad Spengler <spender@grsecurity.net>
9798Date: Sat Aug 3 08:31:08 2013 -0400
9799
9800 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
9801
9802 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9803
9804 mm/mmap.c | 2 +-
9805 1 files changed, 1 insertions(+), 1 deletions(-)
9806
9807commit a2b23c36d322e9ebea5621652b77ad2569a3826d
9808Author: Brad Spengler <spender@grsecurity.net>
9809Date: Fri Aug 2 23:54:51 2013 -0400
9810
9811 add include
9812
9813 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9814
9815 grsecurity/grsec_log.c | 1 +
9816 1 files changed, 1 insertions(+), 0 deletions(-)
9817
9818commit ecb7724fd1bcd4fa57059d6297d4f74d4ec93fe6
9819Author: Brad Spengler <spender@grsecurity.net>
9820Date: Fri Aug 2 23:49:13 2013 -0400
9821
9822 fix compilation
9823
9824 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9825
9826 include/linux/grinternal.h | 3 ++-
9827 1 files changed, 2 insertions(+), 1 deletions(-)
9828
9829commit a2d7b00383303a5d537e64519dbd31d51645d28e
9830Author: Brad Spengler <spender@grsecurity.net>
9831Date: Fri Aug 2 23:34:35 2013 -0400
9832
9833 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
9834
9835 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9836
9837 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
9838 fs/exec.c | 4 ++++
9839 grsecurity/Kconfig | 21 +++++----------------
9840 grsecurity/grsec_init.c | 4 ----
9841 grsecurity/grsec_log.c | 14 ++++++++++++++
9842 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
9843 grsecurity/grsec_sysctl.c | 9 ---------
9844 include/linux/binfmts.h | 1 +
9845 include/linux/grinternal.h | 2 +-
9846 include/linux/grmsg.h | 3 ++-
9847 include/linux/grsecurity.h | 3 ++-
9848 mm/mmap.c | 7 +++++++
9849 mm/mprotect.c | 2 +-
9850 13 files changed, 88 insertions(+), 38 deletions(-)
9851
9852commit 9513c974076339e5b4ba8974b50fd3e9fe18a0d8
9853Author: Brad Spengler <spender@grsecurity.net>
9854Date: Thu Aug 1 18:52:02 2013 -0400
9855
9856 add missing #define
9857
9858 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9859
9860 grsecurity/gracl.c | 1 +
9861 1 files changed, 1 insertions(+), 0 deletions(-)
9862
9863commit 97af65d0dbfaf8680a7f9a17c45a10892fe907d0
9864Author: Brad Spengler <spender@grsecurity.net>
9865Date: Thu Aug 1 18:43:53 2013 -0400
9866
9867 fix compilation for !COMPAT as reported on the forums
9868
9869 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9870
9871 grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
9872 1 files changed, 97 insertions(+), 98 deletions(-)
9873
9874commit b2362a07aecb8b86d3dd5e0696ea6dc546ea3144
9875Author: Brad Spengler <spender@grsecurity.net>
9876Date: Wed Jul 31 17:47:20 2013 -0400
9877
9878 Revert "revert recent PaX change that causes boot failures with 32bit userland"
9879
9880 This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
9881
9882 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9883
9884 arch/x86/include/asm/processor.h | 4 ++--
9885 arch/x86/kernel/cpu/common.c | 2 +-
9886 arch/x86/kernel/process_64.c | 2 +-
9887 arch/x86/kernel/smpboot.c | 2 +-
9888 arch/x86/xen/smp.c | 2 +-
9889 5 files changed, 6 insertions(+), 6 deletions(-)
9890
9891commit 9c0a788e099e0a78bb83961bf02d82ac2c32e21c
9892Author: Brad Spengler <spender@grsecurity.net>
9893Date: Wed Jul 31 16:26:58 2013 -0400
9894
9895 compile fix for !COMPAT as mentioned on forums
9896
9897 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9898
9899 grsecurity/gracl.c | 2 ++
9900 1 files changed, 2 insertions(+), 0 deletions(-)
9901
9902commit 1975575638ae15faba25f749a9040345a73e12e1
9903Author: Brad Spengler <spender@grsecurity.net>
9904Date: Tue Jul 30 22:33:14 2013 -0400
9905
9906 perform compat conversion of rlimit infinity
9907
9908 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9909
9910 grsecurity/gracl_compat.c | 10 ++++++++--
9911 1 files changed, 8 insertions(+), 2 deletions(-)
9912
9913commit 1282e76e8da58821760a5519cd7bd2510ad7deaf
9914Author: Brad Spengler <spender@grsecurity.net>
9915Date: Tue Jul 30 22:21:40 2013 -0400
9916
9917 remove debugging
9918
9919 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9920
9921 grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
9922 1 files changed, 11 insertions(+), 33 deletions(-)
9923
9924commit 6aa728a7c77d5fe62dd0b731e76b518f85db7808
9925Author: Brad Spengler <spender@grsecurity.net>
9926Date: Tue Jul 30 22:20:32 2013 -0400
9927
9928 eliminate compat_dev_t
9929
9930 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9931
9932 include/linux/gracl_compat.h | 4 ++--
9933 1 files changed, 2 insertions(+), 2 deletions(-)
9934
9935commit 176f65b9498eb83576294934d94bb80f3830e99a
9936Author: Brad Spengler <spender@grsecurity.net>
9937Date: Tue Jul 30 22:13:22 2013 -0400
9938
9939 fix compat rlimit size
9940
9941 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9942
9943 grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
9944 include/linux/gracl_compat.h | 4 +-
9945 2 files changed, 49 insertions(+), 23 deletions(-)
9946
9947commit f039eddf22e143d336421325eb689a76227956b3
9948Author: Brad Spengler <spender@grsecurity.net>
9949Date: Tue Jul 30 21:20:18 2013 -0400
9950
9951 compile fix
9952
9953 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9954
9955 grsecurity/gracl.c | 4 ++--
9956 1 files changed, 2 insertions(+), 2 deletions(-)
9957
9958commit 4594be163c41c9a400f0b377e6c35d8fb5599387
9959Author: Brad Spengler <spender@grsecurity.net>
9960Date: Tue Jul 30 21:14:29 2013 -0400
9961
9962 copy correct pointer size in new compat code
9963
9964 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9965
9966 grsecurity/gracl.c | 8 ++++----
9967 grsecurity/gracl_compat.c | 4 ++--
9968 2 files changed, 6 insertions(+), 6 deletions(-)
9969
9970commit 54a18c9ea152b14381ed3fb4b0a86ef78bd611af
9971Author: Brad Spengler <spender@grsecurity.net>
9972Date: Tue Jul 30 19:15:50 2013 -0400
9973
9974 compile fix
9975
9976 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9977
9978 grsecurity/gracl_compat.c | 6 ++++++
9979 1 files changed, 6 insertions(+), 0 deletions(-)
9980
9981commit 166e0c9ff369a931bec65abda32811bb0b548506
9982Author: Brad Spengler <spender@grsecurity.net>
9983Date: Tue Jul 30 19:12:46 2013 -0400
9984
9985 remove BUILD_BUG_ONs
9986
9987 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9988
9989 grsecurity/gracl_compat.c | 20 --------------------
9990 1 files changed, 0 insertions(+), 20 deletions(-)
9991
9992commit ee1e4712f5b32f43da0130efedbeb158d7f63562
9993Author: Brad Spengler <spender@grsecurity.net>
9994Date: Tue Jul 30 00:18:36 2013 -0400
9995
9996 compile fixes
9997
9998 Signed-off-by: Brad Spengler <spender@grsecurity.net>
9999
10000 grsecurity/gracl_compat.c | 8 ++++----
10001 include/linux/gracl_compat.h | 2 +-
10002 2 files changed, 5 insertions(+), 5 deletions(-)
10003
10004commit a629a151f557380fed415b226fe5e0e234a285eb
10005Author: Brad Spengler <spender@grsecurity.net>
10006Date: Tue Jul 30 00:16:42 2013 -0400
10007
10008 compile fixes
10009
10010 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10011
10012 grsecurity/gracl.c | 4 ++--
10013 grsecurity/gracl_compat.c | 2 +-
10014 2 files changed, 3 insertions(+), 3 deletions(-)
10015
10016commit 218c33ffd6a34fe09037784138dda02b817c1c20
10017Author: Brad Spengler <spender@grsecurity.net>
10018Date: Tue Jul 30 00:13:51 2013 -0400
10019
10020 compile fixes
10021
10022 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10023
10024 grsecurity/gracl.c | 8 ++++----
10025 1 files changed, 4 insertions(+), 4 deletions(-)
10026
10027commit e7291feaff2e3dd3d4d01016419cc1dd16ab9658
10028Author: Brad Spengler <spender@grsecurity.net>
10029Date: Tue Jul 30 00:11:03 2013 -0400
10030
10031 compile fixes
10032
10033 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10034
10035 grsecurity/gracl_compat.c | 3 +++
10036 1 files changed, 3 insertions(+), 0 deletions(-)
10037
10038commit 527c8e008b6729ad595c652119128c0a858c0f7e
10039Author: Brad Spengler <spender@grsecurity.net>
10040Date: Tue Jul 30 00:08:21 2013 -0400
10041
10042 more compile fixes
10043
10044 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10045
10046 grsecurity/gracl.c | 28 ++++++++++++++--------------
10047 1 files changed, 14 insertions(+), 14 deletions(-)
10048
10049commit 0a6c24237be46318780bd5aa0a0c37837336e40a
10050Author: Brad Spengler <spender@grsecurity.net>
10051Date: Mon Jul 29 23:59:50 2013 -0400
10052
10053 more compile fixes
10054
10055 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10056
10057 grsecurity/gracl.c | 10 +++++++++-
10058 1 files changed, 9 insertions(+), 1 deletions(-)
10059
10060commit 0c11bf85db37db5667cfb61caf0c72e8437e4197
10061Author: Brad Spengler <spender@grsecurity.net>
10062Date: Mon Jul 29 23:56:47 2013 -0400
10063
10064 additional compile fixes
10065
10066 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10067
10068 grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
10069 1 files changed, 49 insertions(+), 10 deletions(-)
10070
10071commit c32fb26e578c2b1b98654e72ceeafc58906acf06
10072Author: Brad Spengler <spender@grsecurity.net>
10073Date: Mon Jul 29 23:47:15 2013 -0400
10074
10075 fix typo
10076
10077 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10078
10079 grsecurity/gracl.c | 2 +-
10080 1 files changed, 1 insertions(+), 1 deletions(-)
10081
10082commit 80bb153435dac25476b0da4a61238b229ba2b631
10083Author: Brad Spengler <spender@grsecurity.net>
10084Date: Mon Jul 29 23:46:59 2013 -0400
10085
10086 compile fixes
10087
10088 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10089
10090 grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
10091 1 files changed, 39 insertions(+), 14 deletions(-)
10092
10093commit d7f8a40e0fc1dc1466a271ac33074b6f90226a1a
10094Author: Brad Spengler <spender@grsecurity.net>
10095Date: Mon Jul 29 23:22:44 2013 -0400
10096
10097 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
10098
10099 Also removed code duplication for copying strings into the kernel
10100
10101 Work performed as part of sponsorship
10102
10103 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10104
10105 grsecurity/Makefile | 4 +
10106 grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
10107 grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
10108 include/linux/gracl_compat.h | 156 +++++++++++++++++++++
10109 4 files changed, 603 insertions(+), 142 deletions(-)
10110
10111commit 00e035016762dfa49b15cf310ab57fc7011fb4dd
10112Author: Brad Spengler <spender@grsecurity.net>
10113Date: Tue Jul 16 20:40:24 2013 -0400
10114
10115 allow viewing of ecryptfs version under SYSFS_RESTRICT
10116
10117 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10118
10119 fs/sysfs/dir.c | 2 +-
10120 1 files changed, 1 insertions(+), 1 deletions(-)
10121
10122commit a144fc9f2f2f6a1d5999b6bd226d964b8b551e31
10123Author: Brad Spengler <spender@grsecurity.net>
10124Date: Sun Jul 14 11:49:17 2013 -0400
10125
10126 Update PaX fix, just return the error
10127
10128 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10129
10130 mm/madvise.c | 11 +++++------
10131 1 files changed, 5 insertions(+), 6 deletions(-)
10132
10133commit 26dd795769f903add193b605f051bed55bf95507
10134Author: Brad Spengler <spender@grsecurity.net>
10135Date: Sun Jul 14 11:36:00 2013 -0400
10136
10137 Fix madvise oops reported by Peter Keel
10138
10139 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10140
10141 mm/madvise.c | 11 ++++++-----
10142 1 files changed, 6 insertions(+), 5 deletions(-)
10143
10144commit c441e54c74284d2dac3aaaf282391f6572239e24
10145Author: Brad Spengler <spender@grsecurity.net>
10146Date: Tue Jul 9 22:04:59 2013 -0400
10147
10148 compile fixes
10149
10150 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10151
10152 fs/exec.c | 2 +-
10153 mm/mmap.c | 4 ++--
10154 2 files changed, 3 insertions(+), 3 deletions(-)
10155
10156commit ecea885713f4d818032182d839c86dc74ac95b04
10157Author: Brad Spengler <spender@grsecurity.net>
10158Date: Sat Sep 14 16:15:10 2013 -0400
10159
10160 Initial port of grsecurity to 3.11 using new git method
10161
10162 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10163
10164 Documentation/kernel-parameters.txt | 4 +
10165 Makefile | 8 +-
10166 arch/alpha/include/asm/cache.h | 4 +-
10167 arch/alpha/kernel/osf_sys.c | 12 +-
10168 arch/arm/include/asm/thread_info.h | 3 +-
10169 arch/arm/kernel/ptrace.c | 9 +
10170 arch/arm/kernel/traps.c | 7 +-
10171 arch/arm/mm/fault.c | 29 +-
10172 arch/arm/mm/mmap.c | 8 +-
10173 arch/avr32/include/asm/cache.h | 4 +-
10174 arch/blackfin/include/asm/cache.h | 3 +-
10175 arch/cris/include/arch-v10/arch/cache.h | 3 +-
10176 arch/cris/include/arch-v32/arch/cache.h | 3 +-
10177 arch/frv/include/asm/cache.h | 3 +-
10178 arch/frv/mm/elf-fdpic.c | 4 +-
10179 arch/hexagon/include/asm/cache.h | 6 +-
10180 arch/ia64/include/asm/cache.h | 3 +-
10181 arch/ia64/kernel/sys_ia64.c | 2 +
10182 arch/ia64/mm/hugetlbpage.c | 2 +
10183 arch/m32r/include/asm/cache.h | 4 +-
10184 arch/m68k/include/asm/cache.h | 4 +-
10185 arch/metag/mm/hugetlbpage.c | 1 +
10186 arch/microblaze/include/asm/cache.h | 3 +-
10187 arch/mips/include/asm/cache.h | 3 +-
10188 arch/mips/include/asm/thread_info.h | 12 +-
10189 arch/mips/kernel/ptrace.c | 9 +
10190 arch/mips/mm/mmap.c | 4 +-
10191 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
10192 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
10193 arch/openrisc/include/asm/cache.h | 4 +-
10194 arch/parisc/include/asm/cache.h | 5 +-
10195 arch/parisc/kernel/sys_parisc.c | 17 +-
10196 arch/powerpc/include/asm/cache.h | 3 +-
10197 arch/powerpc/kernel/process.c | 10 +-
10198 arch/powerpc/kernel/ptrace.c | 14 +
10199 arch/powerpc/kernel/traps.c | 5 +
10200 arch/s390/include/asm/cache.h | 4 +-
10201 arch/score/include/asm/cache.h | 4 +-
10202 arch/sh/include/asm/cache.h | 3 +-
10203 arch/sh/mm/mmap.c | 6 +-
10204 arch/sparc/include/asm/cache.h | 4 +-
10205 arch/sparc/include/asm/thread_info_64.h | 9 +-
10206 arch/sparc/kernel/process_32.c | 6 +-
10207 arch/sparc/kernel/process_64.c | 4 +-
10208 arch/sparc/kernel/ptrace_64.c | 14 +
10209 arch/sparc/kernel/sys_sparc_64.c | 8 +-
10210 arch/sparc/kernel/syscalls.S | 8 +-
10211 arch/sparc/kernel/traps_32.c | 8 +-
10212 arch/sparc/kernel/traps_64.c | 28 +-
10213 arch/sparc/kernel/unaligned_64.c | 2 +-
10214 arch/sparc/mm/fault_64.c | 2 +-
10215 arch/sparc/mm/hugetlbpage.c | 3 +-
10216 arch/tile/include/asm/cache.h | 3 +-
10217 arch/tile/mm/hugetlbpage.c | 2 +
10218 arch/um/defconfig | 1 -
10219 arch/um/include/asm/cache.h | 3 +-
10220 arch/unicore32/include/asm/cache.h | 6 +-
10221 arch/x86/Kconfig | 5 +-
10222 arch/x86/ia32/ia32_aout.c | 2 +
10223 arch/x86/include/asm/thread_info.h | 8 +-
10224 arch/x86/kernel/dumpstack.c | 8 +
10225 arch/x86/kernel/entry_32.S | 2 +-
10226 arch/x86/kernel/entry_64.S | 2 +-
10227 arch/x86/kernel/ioport.c | 13 +
10228 arch/x86/kernel/ptrace.c | 14 +
10229 arch/x86/kernel/signal.c | 9 +-
10230 arch/x86/kernel/smpboot.c | 3 +
10231 arch/x86/kernel/sys_i386_32.c | 9 +-
10232 arch/x86/kernel/sys_x86_64.c | 8 +-
10233 arch/x86/kernel/verify_cpu.S | 1 +
10234 arch/x86/kernel/vm86_32.c | 1 +
10235 arch/x86/mm/fault.c | 12 +-
10236 arch/x86/mm/hugetlbpage.c | 15 +-
10237 arch/x86/mm/init.c | 66 +-
10238 arch/x86/net/bpf_jit_comp.c | 128 +-
10239 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
10240 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
10241 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
10242 drivers/cdrom/cdrom.c | 2 +-
10243 drivers/char/Kconfig | 4 +-
10244 drivers/char/genrtc.c | 1 +
10245 drivers/char/mem.c | 17 +
10246 drivers/char/random.c | 12 +
10247 drivers/gpu/drm/drm_info.c | 4 +
10248 drivers/hid/hid-wiimote-debug.c | 2 +-
10249 drivers/media/radio/radio-cadet.c | 2 +-
10250 drivers/message/fusion/mptbase.c | 9 +
10251 drivers/net/bonding/bond_main.c | 2 +-
10252 drivers/net/phy/mdio-bitbang.c | 1 +
10253 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
10254 drivers/pci/proc.c | 9 +
10255 drivers/rtc/rtc-dev.c | 3 +
10256 drivers/tty/sysrq.c | 2 +-
10257 drivers/tty/vt/keyboard.c | 22 +-
10258 drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------
10259 drivers/xen/xenfs/xenstored.c | 5 +
10260 fs/attr.c | 1 +
10261 fs/autofs4/waitq.c | 9 +
10262 fs/binfmt_aout.c | 7 +
10263 fs/binfmt_elf.c | 8 +-
10264 fs/btrfs/ioctl.c | 6 +-
10265 fs/compat.c | 20 +-
10266 fs/coredump.c | 9 +-
10267 fs/debugfs/inode.c | 4 +
10268 fs/exec.c | 184 ++-
10269 fs/ext2/balloc.c | 4 +-
10270 fs/ext3/balloc.c | 4 +-
10271 fs/fcntl.c | 5 +
10272 fs/file.c | 4 +
10273 fs/filesystems.c | 4 +
10274 fs/fs_struct.c | 13 +-
10275 fs/hugetlbfs/inode.c | 5 +-
10276 fs/namei.c | 256 ++-
10277 fs/namespace.c | 16 +
10278 fs/open.c | 38 +
10279 fs/proc/Kconfig | 10 +-
10280 fs/proc/array.c | 59 +-
10281 fs/proc/base.c | 166 ++-
10282 fs/proc/cmdline.c | 4 +
10283 fs/proc/devices.c | 4 +
10284 fs/proc/fd.c | 17 +-
10285 fs/proc/inode.c | 4 +
10286 fs/proc/kcore.c | 3 +
10287 fs/proc/proc_net.c | 12 +
10288 fs/proc/proc_sysctl.c | 43 +-
10289 fs/proc/root.c | 8 +
10290 fs/proc/task_mmu.c | 75 +-
10291 fs/readdir.c | 19 +
10292 fs/select.c | 2 +
10293 fs/seq_file.c | 12 +-
10294 fs/stat.c | 19 +-
10295 fs/sysfs/dir.c | 12 +
10296 fs/utimes.c | 7 +
10297 fs/xattr.c | 19 +-
10298 include/linux/capability.h | 5 +
10299 include/linux/cred.h | 3 +
10300 include/linux/fs.h | 10 +
10301 include/linux/fsnotify.h | 6 +
10302 include/linux/kallsyms.h | 14 +-
10303 include/linux/kmod.h | 2 +
10304 include/linux/mm.h | 1 +
10305 include/linux/perf_event.h | 13 +-
10306 include/linux/printk.h | 3 +-
10307 include/linux/sched.h | 24 +-
10308 include/linux/security.h | 1 +
10309 include/linux/seq_file.h | 3 +
10310 include/linux/shm.h | 4 +
10311 include/linux/skbuff.h | 3 +
10312 include/linux/slab.h | 9 -
10313 include/linux/sysctl.h | 2 +
10314 include/linux/thread_info.h | 2 +
10315 include/linux/uidgid.h | 5 +
10316 include/linux/vermagic.h | 9 +-
10317 include/uapi/linux/personality.h | 1 +
10318 init/Kconfig | 3 +-
10319 init/main.c | 14 +
10320 ipc/mqueue.c | 1 +
10321 ipc/shm.c | 29 +
10322 kernel/capability.c | 40 +-
10323 kernel/cgroup.c | 2 +-
10324 kernel/compat.c | 1 +
10325 kernel/configs.c | 11 +
10326 kernel/cred.c | 110 +-
10327 kernel/events/core.c | 14 +-
10328 kernel/exit.c | 10 +-
10329 kernel/fork.c | 41 +-
10330 kernel/futex.c | 1 +
10331 kernel/kallsyms.c | 9 +
10332 kernel/kcmp.c | 4 +
10333 kernel/kmod.c | 64 +-
10334 kernel/kprobes.c | 4 +-
10335 kernel/ksysfs.c | 2 +
10336 kernel/lockdep_proc.c | 10 +-
10337 kernel/module.c | 81 +-
10338 kernel/panic.c | 2 +-
10339 kernel/pid.c | 19 +-
10340 kernel/posix-timers.c | 7 +
10341 kernel/printk/printk.c | 5 +
10342 kernel/ptrace.c | 20 +-
10343 kernel/resource.c | 10 +
10344 kernel/sched/core.c | 6 +-
10345 kernel/signal.c | 37 +-
10346 kernel/sys.c | 45 +-
10347 kernel/sysctl.c | 69 +-
10348 kernel/taskstats.c | 6 +
10349 kernel/time.c | 5 +
10350 kernel/time/timekeeping.c | 1 +
10351 kernel/time/timer_list.c | 12 +
10352 kernel/time/timer_stats.c | 10 +-
10353 lib/Kconfig.debug | 5 +-
10354 lib/is_single_threaded.c | 3 +
10355 mm/Kconfig | 4 +-
10356 mm/filemap.c | 1 +
10357 mm/kmemleak.c | 4 +-
10358 mm/mempolicy.c | 12 +-
10359 mm/migrate.c | 3 +-
10360 mm/mlock.c | 3 +
10361 mm/mmap.c | 63 +-
10362 mm/mprotect.c | 8 +
10363 mm/process_vm_access.c | 6 +
10364 mm/slab.c | 2 +-
10365 mm/slub.c | 14 +-
10366 mm/vmalloc.c | 4 +
10367 mm/vmstat.c | 18 +-
10368 net/core/dev_ioctl.c | 4 +
10369 net/core/sock_diag.c | 7 +
10370 net/ipv4/inet_hashtables.c | 5 +
10371 net/ipv4/ip_sockglue.c | 3 +-
10372 net/ipv4/tcp_input.c | 4 +-
10373 net/ipv4/tcp_ipv4.c | 24 +-
10374 net/ipv4/tcp_minisocks.c | 9 +-
10375 net/ipv4/tcp_timer.c | 11 +
10376 net/ipv4/udp.c | 24 +
10377 net/ipv6/tcp_ipv6.c | 23 +-
10378 net/ipv6/udp.c | 4 +
10379 net/netfilter/Kconfig | 10 +
10380 net/netfilter/Makefile | 1 +
10381 net/netfilter/nf_conntrack_core.c | 8 +
10382 net/netrom/af_netrom.c | 1 -
10383 net/phonet/af_phonet.c | 2 +-
10384 net/socket.c | 66 +-
10385 net/sysctl_net.c | 2 +-
10386 net/unix/af_unix.c | 31 +-
10387 security/Kconfig | 341 +++-
10388 security/commoncap.c | 29 +
10389 security/min_addr.c | 2 +
10390 security/tomoyo/mount.c | 4 +
10391 security/yama/Kconfig | 2 +-
10392 228 files changed, 4141 insertions(+), 2027 deletions(-)
10393
10394commit 62c18efae524d4cd41939c1d63989d3582b1131a
10395Author: Brad Spengler <spender@grsecurity.net>
10396Date: Tue Jul 9 20:57:40 2013 -0400
10397
10398 Commit merge of new files and rejected patches
10399
10400 Signed-off-by: Brad Spengler <spender@grsecurity.net>
10401
10402 arch/arm/include/asm/thread_info.h | 6 +-
10403 arch/arm/kernel/process.c | 4 +-
10404 arch/powerpc/include/asm/thread_info.h | 7 +-
10405 arch/powerpc/mm/slice.c | 2 +-
10406 arch/sparc/kernel/process_64.c | 4 +-
10407 arch/x86/kernel/vm86_32.c | 15 +
10408 fs/coredump.c | 1 +
10409 fs/ext4/balloc.c | 4 +-
10410 fs/namei.c | 7 +
10411 fs/namespace.c | 8 +
10412 fs/pipe.c | 2 +-
10413 fs/proc/inode.c | 13 +
10414 fs/proc/internal.h | 3 +
10415 grsecurity/Kconfig | 1054 +++++++++
10416 grsecurity/Makefile | 38 +
10417 grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
10418 grsecurity/gracl_alloc.c | 105 +
10419 grsecurity/gracl_cap.c | 110 +
10420 grsecurity/gracl_fs.c | 431 ++++
10421 grsecurity/gracl_ip.c | 387 +++
10422 grsecurity/gracl_learn.c | 207 ++
10423 grsecurity/gracl_res.c | 68 +
10424 grsecurity/gracl_segv.c | 305 +++
10425 grsecurity/gracl_shm.c | 40 +
10426 grsecurity/grsec_chdir.c | 19 +
10427 grsecurity/grsec_chroot.c | 370 +++
10428 grsecurity/grsec_disabled.c | 434 ++++
10429 grsecurity/grsec_exec.c | 187 ++
10430 grsecurity/grsec_fifo.c | 24 +
10431 grsecurity/grsec_fork.c | 23 +
10432 grsecurity/grsec_init.c | 283 +++
10433 grsecurity/grsec_link.c | 58 +
10434 grsecurity/grsec_log.c | 326 +++
10435 grsecurity/grsec_mem.c | 40 +
10436 grsecurity/grsec_mount.c | 62 +
10437 grsecurity/grsec_pax.c | 36 +
10438 grsecurity/grsec_ptrace.c | 30 +
10439 grsecurity/grsec_sig.c | 246 ++
10440 grsecurity/grsec_sock.c | 244 ++
10441 grsecurity/grsec_sysctl.c | 469 ++++
10442 grsecurity/grsec_time.c | 16 +
10443 grsecurity/grsec_tpe.c | 73 +
10444 grsecurity/grsum.c | 61 +
10445 include/linux/gracl.h | 319 +++
10446 include/linux/gralloc.h | 9 +
10447 include/linux/grdefs.h | 140 ++
10448 include/linux/grinternal.h | 227 ++
10449 include/linux/grmsg.h | 112 +
10450 include/linux/grsecurity.h | 241 ++
10451 include/linux/grsock.h | 19 +
10452 include/linux/netfilter/xt_gradm.h | 9 +
10453 include/linux/proc_fs.h | 13 +
10454 include/linux/sched.h | 48 +-
10455 include/trace/events/fs.h | 53 +
10456 kernel/kmod.c | 7 +-
10457 kernel/panic.c | 2 +-
10458 kernel/posix-timers.c | 1 +
10459 kernel/time/timekeeping.c | 2 +
10460 lib/Kconfig.debug | 2 +-
10461 lib/vsprintf.c | 31 +
10462 localversion-grsec | 1 +
10463 mm/mmap.c | 13 +-
10464 mm/shmem.c | 2 +-
10465 net/core/net-procfs.c | 5 +
10466 net/ipv6/udp.c | 3 +
10467 net/netfilter/xt_gradm.c | 51 +
10468 66 files changed, 11184 insertions(+), 21 deletions(-)
10469
10470commit 718ed34658f4e4716ff3c9e6d098552d357d19f1
10471Author: Brad Spengler <spender@grsecurity.net>
10472Date: Sun Nov 24 20:58:05 2013 -0500
10473
10474 Initial import of pax-linux-3.12.1-test1.patch
10475
10476 Documentation/dontdiff | 46 +-
10477 Documentation/kernel-parameters.txt | 23 +
10478 Makefile | 100 +-
10479 arch/alpha/include/asm/atomic.h | 10 +
10480 arch/alpha/include/asm/elf.h | 7 +
10481 arch/alpha/include/asm/pgalloc.h | 6 +
10482 arch/alpha/include/asm/pgtable.h | 11 +
10483 arch/alpha/kernel/module.c | 2 +-
10484 arch/alpha/kernel/osf_sys.c | 8 +-
10485 arch/alpha/mm/fault.c | 141 +-
10486 arch/arm/Kconfig | 2 +-
10487 arch/arm/include/asm/atomic.h | 444 ++-
10488 arch/arm/include/asm/cache.h | 5 +-
10489 arch/arm/include/asm/cacheflush.h | 2 +-
10490 arch/arm/include/asm/checksum.h | 14 +-
10491 arch/arm/include/asm/cmpxchg.h | 2 +
10492 arch/arm/include/asm/domain.h | 33 +-
10493 arch/arm/include/asm/elf.h | 13 +-
10494 arch/arm/include/asm/fncpy.h | 2 +
10495 arch/arm/include/asm/futex.h | 10 +
10496 arch/arm/include/asm/kmap_types.h | 2 +-
10497 arch/arm/include/asm/mach/dma.h | 2 +-
10498 arch/arm/include/asm/mach/map.h | 7 +-
10499 arch/arm/include/asm/outercache.h | 2 +-
10500 arch/arm/include/asm/page.h | 2 +-
10501 arch/arm/include/asm/pgalloc.h | 22 +-
10502 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
10503 arch/arm/include/asm/pgtable-2level.h | 3 +
10504 arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
10505 arch/arm/include/asm/pgtable-3level.h | 2 +
10506 arch/arm/include/asm/pgtable.h | 54 +-
10507 arch/arm/include/asm/proc-fns.h | 2 +-
10508 arch/arm/include/asm/psci.h | 2 +-
10509 arch/arm/include/asm/smp.h | 2 +-
10510 arch/arm/include/asm/thread_info.h | 6 +-
10511 arch/arm/include/asm/uaccess.h | 95 +-
10512 arch/arm/include/uapi/asm/ptrace.h | 2 +-
10513 arch/arm/kernel/armksyms.c | 8 +-
10514 arch/arm/kernel/entry-armv.S | 110 +-
10515 arch/arm/kernel/entry-common.S | 40 +-
10516 arch/arm/kernel/entry-header.S | 60 +
10517 arch/arm/kernel/fiq.c | 3 +
10518 arch/arm/kernel/head.S | 6 +-
10519 arch/arm/kernel/module.c | 31 +-
10520 arch/arm/kernel/patch.c | 2 +
10521 arch/arm/kernel/process.c | 42 +-
10522 arch/arm/kernel/psci.c | 2 +-
10523 arch/arm/kernel/setup.c | 22 +-
10524 arch/arm/kernel/signal.c | 35 +-
10525 arch/arm/kernel/smp.c | 2 +-
10526 arch/arm/kernel/traps.c | 8 +-
10527 arch/arm/kernel/vmlinux.lds.S | 24 +-
10528 arch/arm/kvm/arm.c | 8 +-
10529 arch/arm/lib/clear_user.S | 6 +-
10530 arch/arm/lib/copy_from_user.S | 6 +-
10531 arch/arm/lib/copy_page.S | 1 +
10532 arch/arm/lib/copy_to_user.S | 6 +-
10533 arch/arm/lib/csumpartialcopyuser.S | 4 +-
10534 arch/arm/lib/delay.c | 2 +-
10535 arch/arm/lib/uaccess_with_memcpy.c | 4 +-
10536 arch/arm/mach-kirkwood/common.c | 19 +-
10537 arch/arm/mach-omap2/board-n8x0.c | 2 +-
10538 arch/arm/mach-omap2/gpmc.c | 22 +-
10539 arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +-
10540 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
10541 arch/arm/mach-omap2/omap_device.c | 4 +-
10542 arch/arm/mach-omap2/omap_device.h | 4 +-
10543 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
10544 arch/arm/mach-omap2/wd_timer.c | 6 +-
10545 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
10546 arch/arm/mach-ux500/setup.h | 7 -
10547 arch/arm/mm/Kconfig | 6 +-
10548 arch/arm/mm/alignment.c | 8 +
10549 arch/arm/mm/context.c | 10 +-
10550 arch/arm/mm/fault.c | 134 +
10551 arch/arm/mm/fault.h | 12 +
10552 arch/arm/mm/init.c | 41 +
10553 arch/arm/mm/ioremap.c | 4 +-
10554 arch/arm/mm/mmap.c | 30 +-
10555 arch/arm/mm/mmu.c | 185 +-
10556 arch/arm/plat-omap/sram.c | 2 +
10557 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
10558 arch/avr32/include/asm/elf.h | 8 +-
10559 arch/avr32/include/asm/kmap_types.h | 4 +-
10560 arch/avr32/mm/fault.c | 27 +
10561 arch/frv/include/asm/atomic.h | 10 +
10562 arch/frv/include/asm/kmap_types.h | 2 +-
10563 arch/frv/mm/elf-fdpic.c | 3 +-
10564 arch/ia64/include/asm/atomic.h | 10 +
10565 arch/ia64/include/asm/elf.h | 7 +
10566 arch/ia64/include/asm/pgalloc.h | 12 +
10567 arch/ia64/include/asm/pgtable.h | 13 +-
10568 arch/ia64/include/asm/spinlock.h | 2 +-
10569 arch/ia64/include/asm/uaccess.h | 26 +-
10570 arch/ia64/kernel/module.c | 48 +-
10571 arch/ia64/kernel/palinfo.c | 2 +-
10572 arch/ia64/kernel/sys_ia64.c | 7 +
10573 arch/ia64/kernel/vmlinux.lds.S | 2 +-
10574 arch/ia64/mm/fault.c | 32 +-
10575 arch/ia64/mm/init.c | 13 +
10576 arch/m32r/lib/usercopy.c | 6 +
10577 arch/mips/include/asm/atomic.h | 728 ++-
10578 arch/mips/include/asm/elf.h | 11 +-
10579 arch/mips/include/asm/exec.h | 2 +-
10580 arch/mips/include/asm/local.h | 57 +
10581 arch/mips/include/asm/page.h | 2 +-
10582 arch/mips/include/asm/pgalloc.h | 5 +
10583 arch/mips/include/asm/smtc_proc.h | 2 +-
10584 arch/mips/kernel/binfmt_elfn32.c | 7 +
10585 arch/mips/kernel/binfmt_elfo32.c | 7 +
10586 arch/mips/kernel/irq.c | 6 +-
10587 arch/mips/kernel/process.c | 12 -
10588 arch/mips/kernel/smtc-proc.c | 6 +-
10589 arch/mips/kernel/smtc.c | 2 +-
10590 arch/mips/kernel/sync-r4k.c | 24 +-
10591 arch/mips/kernel/traps.c | 13 +-
10592 arch/mips/mm/fault.c | 25 +
10593 arch/mips/mm/mmap.c | 51 +-
10594 arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
10595 arch/parisc/include/asm/atomic.h | 10 +
10596 arch/parisc/include/asm/elf.h | 7 +
10597 arch/parisc/include/asm/pgalloc.h | 6 +
10598 arch/parisc/include/asm/pgtable.h | 11 +
10599 arch/parisc/include/asm/uaccess.h | 4 +-
10600 arch/parisc/kernel/module.c | 50 +-
10601 arch/parisc/kernel/sys_parisc.c | 9 +-
10602 arch/parisc/kernel/traps.c | 4 +-
10603 arch/parisc/mm/fault.c | 140 +-
10604 arch/powerpc/include/asm/atomic.h | 10 +
10605 arch/powerpc/include/asm/elf.h | 19 +-
10606 arch/powerpc/include/asm/exec.h | 2 +-
10607 arch/powerpc/include/asm/kmap_types.h | 2 +-
10608 arch/powerpc/include/asm/mman.h | 2 +-
10609 arch/powerpc/include/asm/page.h | 8 +-
10610 arch/powerpc/include/asm/page_64.h | 7 +-
10611 arch/powerpc/include/asm/pgalloc-64.h | 7 +
10612 arch/powerpc/include/asm/pgtable.h | 1 +
10613 arch/powerpc/include/asm/pte-hash32.h | 1 +
10614 arch/powerpc/include/asm/reg.h | 1 +
10615 arch/powerpc/include/asm/smp.h | 2 +-
10616 arch/powerpc/include/asm/uaccess.h | 140 +-
10617 arch/powerpc/kernel/exceptions-64e.S | 4 +-
10618 arch/powerpc/kernel/exceptions-64s.S | 2 +-
10619 arch/powerpc/kernel/module_32.c | 13 +-
10620 arch/powerpc/kernel/process.c | 55 -
10621 arch/powerpc/kernel/signal_32.c | 2 +-
10622 arch/powerpc/kernel/signal_64.c | 2 +-
10623 arch/powerpc/kernel/vdso.c | 5 +-
10624 arch/powerpc/lib/usercopy_64.c | 18 -
10625 arch/powerpc/mm/fault.c | 54 +-
10626 arch/powerpc/mm/mmap.c | 16 +
10627 arch/powerpc/mm/slice.c | 13 +-
10628 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
10629 arch/s390/include/asm/atomic.h | 10 +
10630 arch/s390/include/asm/elf.h | 13 +-
10631 arch/s390/include/asm/exec.h | 2 +-
10632 arch/s390/include/asm/uaccess.h | 15 +-
10633 arch/s390/kernel/module.c | 22 +-
10634 arch/s390/kernel/process.c | 36 -
10635 arch/s390/mm/mmap.c | 24 +
10636 arch/score/include/asm/exec.h | 2 +-
10637 arch/score/kernel/process.c | 5 -
10638 arch/sh/mm/mmap.c | 22 +-
10639 arch/sparc/include/asm/atomic_64.h | 106 +-
10640 arch/sparc/include/asm/cache.h | 2 +-
10641 arch/sparc/include/asm/elf_32.h | 7 +
10642 arch/sparc/include/asm/elf_64.h | 7 +
10643 arch/sparc/include/asm/pgalloc_32.h | 1 +
10644 arch/sparc/include/asm/pgalloc_64.h | 1 +
10645 arch/sparc/include/asm/pgtable_32.h | 15 +-
10646 arch/sparc/include/asm/pgtsrmmu.h | 5 +
10647 arch/sparc/include/asm/spinlock_64.h | 35 +-
10648 arch/sparc/include/asm/thread_info_32.h | 2 +
10649 arch/sparc/include/asm/thread_info_64.h | 2 +
10650 arch/sparc/include/asm/uaccess.h | 1 +
10651 arch/sparc/include/asm/uaccess_32.h | 27 +-
10652 arch/sparc/include/asm/uaccess_64.h | 19 +-
10653 arch/sparc/kernel/Makefile | 2 +-
10654 arch/sparc/kernel/prom_common.c | 2 +-
10655 arch/sparc/kernel/smp_64.c | 12 +-
10656 arch/sparc/kernel/sys_sparc_32.c | 2 +-
10657 arch/sparc/kernel/sys_sparc_64.c | 52 +-
10658 arch/sparc/kernel/traps_64.c | 27 +-
10659 arch/sparc/lib/Makefile | 2 +-
10660 arch/sparc/lib/atomic_64.S | 136 +-
10661 arch/sparc/lib/ksyms.c | 6 +
10662 arch/sparc/mm/Makefile | 2 +-
10663 arch/sparc/mm/fault_32.c | 292 +
10664 arch/sparc/mm/fault_64.c | 486 ++
10665 arch/sparc/mm/hugetlbpage.c | 21 +-
10666 arch/sparc/mm/init_64.c | 10 +-
10667 arch/tile/include/asm/atomic_64.h | 10 +
10668 arch/tile/include/asm/uaccess.h | 4 +-
10669 arch/um/Makefile | 4 +
10670 arch/um/include/asm/kmap_types.h | 2 +-
10671 arch/um/include/asm/page.h | 3 +
10672 arch/um/include/asm/pgtable-3level.h | 1 +
10673 arch/um/kernel/process.c | 16 -
10674 arch/x86/Kconfig | 10 +-
10675 arch/x86/Kconfig.cpu | 6 +-
10676 arch/x86/Kconfig.debug | 4 +-
10677 arch/x86/Makefile | 16 +-
10678 arch/x86/boot/Makefile | 3 +
10679 arch/x86/boot/bitops.h | 4 +-
10680 arch/x86/boot/boot.h | 4 +-
10681 arch/x86/boot/compressed/Makefile | 3 +
10682 arch/x86/boot/compressed/eboot.c | 2 -
10683 arch/x86/boot/compressed/efi_stub_32.S | 16 +-
10684 arch/x86/boot/compressed/head_32.S | 2 +-
10685 arch/x86/boot/compressed/head_64.S | 8 +-
10686 arch/x86/boot/compressed/misc.c | 6 +-
10687 arch/x86/boot/cpucheck.c | 28 +-
10688 arch/x86/boot/header.S | 6 +-
10689 arch/x86/boot/memory.c | 2 +-
10690 arch/x86/boot/video-vesa.c | 1 +
10691 arch/x86/boot/video.c | 2 +-
10692 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
10693 arch/x86/crypto/aesni-intel_asm.S | 22 +
10694 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
10695 arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
10696 arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
10697 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
10698 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
10699 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
10700 arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
10701 arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
10702 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
10703 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
10704 arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
10705 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
10706 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
10707 arch/x86/crypto/sha256-avx-asm.S | 2 +
10708 arch/x86/crypto/sha256-avx2-asm.S | 2 +
10709 arch/x86/crypto/sha256-ssse3-asm.S | 2 +
10710 arch/x86/crypto/sha512-avx-asm.S | 2 +
10711 arch/x86/crypto/sha512-avx2-asm.S | 2 +
10712 arch/x86/crypto/sha512-ssse3-asm.S | 2 +
10713 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
10714 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
10715 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
10716 arch/x86/ia32/ia32_signal.c | 14 +-
10717 arch/x86/ia32/ia32entry.S | 157 +-
10718 arch/x86/ia32/sys_ia32.c | 4 +-
10719 arch/x86/include/asm/alternative-asm.h | 39 +
10720 arch/x86/include/asm/alternative.h | 4 +-
10721 arch/x86/include/asm/apic.h | 2 +-
10722 arch/x86/include/asm/apm.h | 4 +-
10723 arch/x86/include/asm/atomic.h | 307 +-
10724 arch/x86/include/asm/atomic64_32.h | 100 +
10725 arch/x86/include/asm/atomic64_64.h | 202 +-
10726 arch/x86/include/asm/bitops.h | 8 +-
10727 arch/x86/include/asm/boot.h | 7 +-
10728 arch/x86/include/asm/cache.h | 5 +-
10729 arch/x86/include/asm/cacheflush.h | 2 +-
10730 arch/x86/include/asm/checksum_32.h | 12 +-
10731 arch/x86/include/asm/cmpxchg.h | 35 +
10732 arch/x86/include/asm/compat.h | 2 +-
10733 arch/x86/include/asm/cpufeature.h | 16 +-
10734 arch/x86/include/asm/desc.h | 74 +-
10735 arch/x86/include/asm/desc_defs.h | 6 +
10736 arch/x86/include/asm/div64.h | 2 +-
10737 arch/x86/include/asm/elf.h | 31 +-
10738 arch/x86/include/asm/emergency-restart.h | 2 +-
10739 arch/x86/include/asm/fpu-internal.h | 8 +-
10740 arch/x86/include/asm/futex.h | 20 +-
10741 arch/x86/include/asm/hw_irq.h | 4 +-
10742 arch/x86/include/asm/i8259.h | 2 +-
10743 arch/x86/include/asm/io.h | 21 +-
10744 arch/x86/include/asm/irqflags.h | 5 +
10745 arch/x86/include/asm/kprobes.h | 9 +-
10746 arch/x86/include/asm/local.h | 142 +-
10747 arch/x86/include/asm/mman.h | 15 +
10748 arch/x86/include/asm/mmu.h | 16 +-
10749 arch/x86/include/asm/mmu_context.h | 136 +-
10750 arch/x86/include/asm/module.h | 17 +-
10751 arch/x86/include/asm/nmi.h | 6 +-
10752 arch/x86/include/asm/page.h | 1 +
10753 arch/x86/include/asm/page_64.h | 4 +-
10754 arch/x86/include/asm/paravirt.h | 46 +-
10755 arch/x86/include/asm/paravirt_types.h | 17 +-
10756 arch/x86/include/asm/pgalloc.h | 23 +
10757 arch/x86/include/asm/pgtable-2level.h | 2 +
10758 arch/x86/include/asm/pgtable-3level.h | 4 +
10759 arch/x86/include/asm/pgtable.h | 124 +-
10760 arch/x86/include/asm/pgtable_32.h | 14 +-
10761 arch/x86/include/asm/pgtable_32_types.h | 15 +-
10762 arch/x86/include/asm/pgtable_64.h | 19 +-
10763 arch/x86/include/asm/pgtable_64_types.h | 5 +
10764 arch/x86/include/asm/pgtable_types.h | 36 +-
10765 arch/x86/include/asm/processor.h | 79 +-
10766 arch/x86/include/asm/ptrace.h | 26 +-
10767 arch/x86/include/asm/realmode.h | 4 +-
10768 arch/x86/include/asm/reboot.h | 10 +-
10769 arch/x86/include/asm/rwsem.h | 60 +-
10770 arch/x86/include/asm/segment.h | 29 +-
10771 arch/x86/include/asm/smap.h | 64 +-
10772 arch/x86/include/asm/smp.h | 14 +-
10773 arch/x86/include/asm/spinlock.h | 36 +-
10774 arch/x86/include/asm/stackprotector.h | 4 +-
10775 arch/x86/include/asm/stacktrace.h | 32 +-
10776 arch/x86/include/asm/switch_to.h | 4 +-
10777 arch/x86/include/asm/thread_info.h | 83 +-
10778 arch/x86/include/asm/tlbflush.h | 74 +-
10779 arch/x86/include/asm/uaccess.h | 108 +-
10780 arch/x86/include/asm/uaccess_32.h | 96 +-
10781 arch/x86/include/asm/uaccess_64.h | 232 +-
10782 arch/x86/include/asm/word-at-a-time.h | 2 +-
10783 arch/x86/include/asm/x86_init.h | 10 +-
10784 arch/x86/include/asm/xen/page.h | 2 +-
10785 arch/x86/include/asm/xsave.h | 14 +-
10786 arch/x86/include/uapi/asm/e820.h | 2 +-
10787 arch/x86/kernel/Makefile | 2 +-
10788 arch/x86/kernel/acpi/boot.c | 4 +-
10789 arch/x86/kernel/acpi/sleep.c | 4 +
10790 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
10791 arch/x86/kernel/alternative.c | 69 +-
10792 arch/x86/kernel/apic/apic.c | 4 +-
10793 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
10794 arch/x86/kernel/apic/apic_noop.c | 2 +-
10795 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
10796 arch/x86/kernel/apic/es7000_32.c | 5 +-
10797 arch/x86/kernel/apic/io_apic.c | 8 +-
10798 arch/x86/kernel/apic/numaq_32.c | 3 +-
10799 arch/x86/kernel/apic/probe_32.c | 2 +-
10800 arch/x86/kernel/apic/summit_32.c | 2 +-
10801 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
10802 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
10803 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
10804 arch/x86/kernel/apm_32.c | 19 +-
10805 arch/x86/kernel/asm-offsets.c | 20 +
10806 arch/x86/kernel/asm-offsets_64.c | 1 +
10807 arch/x86/kernel/cpu/Makefile | 4 -
10808 arch/x86/kernel/cpu/amd.c | 2 +-
10809 arch/x86/kernel/cpu/common.c | 130 +-
10810 arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
10811 arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
10812 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
10813 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
10814 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
10815 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
10816 arch/x86/kernel/cpu/perf_event.c | 8 +-
10817 arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
10818 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
10819 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
10820 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
10821 arch/x86/kernel/cpuid.c | 2 +-
10822 arch/x86/kernel/crash.c | 4 +-
10823 arch/x86/kernel/crash_dump_64.c | 2 +-
10824 arch/x86/kernel/doublefault.c | 8 +-
10825 arch/x86/kernel/dumpstack.c | 30 +-
10826 arch/x86/kernel/dumpstack_32.c | 34 +-
10827 arch/x86/kernel/dumpstack_64.c | 61 +-
10828 arch/x86/kernel/e820.c | 4 +-
10829 arch/x86/kernel/early_printk.c | 1 +
10830 arch/x86/kernel/entry_32.S | 356 +-
10831 arch/x86/kernel/entry_64.S | 666 ++-
10832 arch/x86/kernel/ftrace.c | 14 +-
10833 arch/x86/kernel/head64.c | 13 +-
10834 arch/x86/kernel/head_32.S | 228 +-
10835 arch/x86/kernel/head_64.S | 138 +-
10836 arch/x86/kernel/i386_ksyms_32.c | 12 +
10837 arch/x86/kernel/i387.c | 2 +-
10838 arch/x86/kernel/i8259.c | 10 +-
10839 arch/x86/kernel/io_delay.c | 2 +-
10840 arch/x86/kernel/ioport.c | 2 +-
10841 arch/x86/kernel/irq.c | 8 +-
10842 arch/x86/kernel/irq_32.c | 67 +-
10843 arch/x86/kernel/irq_64.c | 2 +-
10844 arch/x86/kernel/jump_label.c | 6 +-
10845 arch/x86/kernel/kgdb.c | 25 +-
10846 arch/x86/kernel/kprobes/core.c | 30 +-
10847 arch/x86/kernel/kprobes/opt.c | 16 +-
10848 arch/x86/kernel/ldt.c | 31 +-
10849 arch/x86/kernel/machine_kexec_32.c | 6 +-
10850 arch/x86/kernel/microcode_core.c | 2 +-
10851 arch/x86/kernel/microcode_intel.c | 4 +-
10852 arch/x86/kernel/module.c | 76 +-
10853 arch/x86/kernel/msr.c | 2 +-
10854 arch/x86/kernel/nmi.c | 19 +-
10855 arch/x86/kernel/nmi_selftest.c | 4 +-
10856 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
10857 arch/x86/kernel/paravirt.c | 43 +-
10858 arch/x86/kernel/pci-calgary_64.c | 2 +-
10859 arch/x86/kernel/pci-iommu_table.c | 2 +-
10860 arch/x86/kernel/pci-swiotlb.c | 2 +-
10861 arch/x86/kernel/process.c | 55 +-
10862 arch/x86/kernel/process_32.c | 29 +-
10863 arch/x86/kernel/process_64.c | 20 +-
10864 arch/x86/kernel/ptrace.c | 25 +-
10865 arch/x86/kernel/pvclock.c | 8 +-
10866 arch/x86/kernel/reboot.c | 42 +-
10867 arch/x86/kernel/reboot_fixups_32.c | 2 +-
10868 arch/x86/kernel/relocate_kernel_64.S | 5 +-
10869 arch/x86/kernel/setup.c | 63 +-
10870 arch/x86/kernel/setup_percpu.c | 29 +-
10871 arch/x86/kernel/signal.c | 15 +-
10872 arch/x86/kernel/smp.c | 2 +-
10873 arch/x86/kernel/smpboot.c | 28 +-
10874 arch/x86/kernel/step.c | 10 +-
10875 arch/x86/kernel/sys_i386_32.c | 184 +
10876 arch/x86/kernel/sys_x86_64.c | 22 +-
10877 arch/x86/kernel/tboot.c | 12 +-
10878 arch/x86/kernel/time.c | 10 +-
10879 arch/x86/kernel/tls.c | 7 +-
10880 arch/x86/kernel/tracepoint.c | 4 +-
10881 arch/x86/kernel/traps.c | 62 +-
10882 arch/x86/kernel/uprobes.c | 4 +-
10883 arch/x86/kernel/vm86_32.c | 6 +-
10884 arch/x86/kernel/vmlinux.lds.S | 147 +-
10885 arch/x86/kernel/vsyscall_64.c | 12 +-
10886 arch/x86/kernel/x8664_ksyms_64.c | 6 +-
10887 arch/x86/kernel/x86_init.c | 6 +-
10888 arch/x86/kernel/xsave.c | 2 +
10889 arch/x86/kvm/cpuid.c | 21 +-
10890 arch/x86/kvm/lapic.c | 2 +-
10891 arch/x86/kvm/paging_tmpl.h | 2 +-
10892 arch/x86/kvm/svm.c | 8 +
10893 arch/x86/kvm/vmx.c | 63 +-
10894 arch/x86/kvm/x86.c | 8 +-
10895 arch/x86/lguest/boot.c | 3 +-
10896 arch/x86/lib/atomic64_386_32.S | 164 +
10897 arch/x86/lib/atomic64_cx8_32.S | 103 +-
10898 arch/x86/lib/checksum_32.S | 100 +-
10899 arch/x86/lib/clear_page_64.S | 5 +-
10900 arch/x86/lib/cmpxchg16b_emu.S | 2 +
10901 arch/x86/lib/copy_page_64.S | 24 +-
10902 arch/x86/lib/copy_user_64.S | 89 +-
10903 arch/x86/lib/copy_user_nocache_64.S | 22 +-
10904 arch/x86/lib/csum-copy_64.S | 2 +
10905 arch/x86/lib/csum-wrappers_64.c | 8 +-
10906 arch/x86/lib/getuser.S | 74 +-
10907 arch/x86/lib/insn.c | 6 +-
10908 arch/x86/lib/iomap_copy_64.S | 2 +
10909 arch/x86/lib/memcpy_64.S | 22 +-
10910 arch/x86/lib/memmove_64.S | 36 +-
10911 arch/x86/lib/memset_64.S | 11 +-
10912 arch/x86/lib/mmx_32.c | 243 +-
10913 arch/x86/lib/msr-reg.S | 18 +-
10914 arch/x86/lib/putuser.S | 90 +-
10915 arch/x86/lib/rwlock.S | 42 +
10916 arch/x86/lib/rwsem.S | 6 +-
10917 arch/x86/lib/thunk_64.S | 2 +
10918 arch/x86/lib/usercopy_32.c | 359 +-
10919 arch/x86/lib/usercopy_64.c | 18 +-
10920 arch/x86/mm/Makefile | 4 +
10921 arch/x86/mm/extable.c | 25 +-
10922 arch/x86/mm/fault.c | 564 ++-
10923 arch/x86/mm/gup.c | 2 +-
10924 arch/x86/mm/highmem_32.c | 4 +
10925 arch/x86/mm/hugetlbpage.c | 30 +-
10926 arch/x86/mm/init.c | 101 +-
10927 arch/x86/mm/init_32.c | 111 +-
10928 arch/x86/mm/init_64.c | 45 +-
10929 arch/x86/mm/iomap_32.c | 4 +
10930 arch/x86/mm/ioremap.c | 15 +-
10931 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
10932 arch/x86/mm/mmap.c | 36 +-
10933 arch/x86/mm/mmio-mod.c | 10 +-
10934 arch/x86/mm/numa.c | 2 +-
10935 arch/x86/mm/pageattr-test.c | 2 +-
10936 arch/x86/mm/pageattr.c | 33 +-
10937 arch/x86/mm/pat.c | 12 +-
10938 arch/x86/mm/pat_rbtree.c | 2 +-
10939 arch/x86/mm/pf_in.c | 10 +-
10940 arch/x86/mm/pgtable.c | 139 +-
10941 arch/x86/mm/pgtable_32.c | 3 +
10942 arch/x86/mm/physaddr.c | 4 +-
10943 arch/x86/mm/setup_nx.c | 7 +
10944 arch/x86/mm/tlb.c | 4 +
10945 arch/x86/mm/uderef_64.c | 37 +
10946 arch/x86/net/bpf_jit.S | 14 +
10947 arch/x86/net/bpf_jit_comp.c | 38 +-
10948 arch/x86/oprofile/backtrace.c | 8 +-
10949 arch/x86/oprofile/nmi_int.c | 8 +-
10950 arch/x86/oprofile/op_model_amd.c | 8 +-
10951 arch/x86/oprofile/op_model_ppro.c | 7 +-
10952 arch/x86/oprofile/op_x86_model.h | 2 +-
10953 arch/x86/pci/irq.c | 8 +-
10954 arch/x86/pci/mrst.c | 4 +-
10955 arch/x86/pci/pcbios.c | 144 +-
10956 arch/x86/platform/efi/efi_32.c | 24 +
10957 arch/x86/platform/efi/efi_64.c | 10 +
10958 arch/x86/platform/efi/efi_stub_32.S | 64 +-
10959 arch/x86/platform/efi/efi_stub_64.S | 8 +
10960 arch/x86/platform/mrst/mrst.c | 6 +-
10961 arch/x86/platform/olpc/olpc_dt.c | 2 +-
10962 arch/x86/power/cpu.c | 11 +-
10963 arch/x86/realmode/init.c | 10 +-
10964 arch/x86/realmode/rm/Makefile | 3 +
10965 arch/x86/realmode/rm/header.S | 4 +-
10966 arch/x86/realmode/rm/trampoline_32.S | 12 +-
10967 arch/x86/realmode/rm/trampoline_64.S | 3 +-
10968 arch/x86/tools/Makefile | 2 +-
10969 arch/x86/tools/relocs.c | 94 +-
10970 arch/x86/um/tls_32.c | 2 +-
10971 arch/x86/vdso/Makefile | 2 +-
10972 arch/x86/vdso/vdso32-setup.c | 23 +-
10973 arch/x86/vdso/vma.c | 29 +-
10974 arch/x86/xen/enlighten.c | 45 +-
10975 arch/x86/xen/mmu.c | 11 +-
10976 arch/x86/xen/smp.c | 21 +-
10977 arch/x86/xen/xen-asm_32.S | 12 +-
10978 arch/x86/xen/xen-head.S | 11 +
10979 arch/x86/xen/xen-ops.h | 2 -
10980 block/blk-cgroup.c | 4 +-
10981 block/blk-iopoll.c | 2 +-
10982 block/blk-map.c | 2 +-
10983 block/blk-softirq.c | 2 +-
10984 block/bsg.c | 12 +-
10985 block/compat_ioctl.c | 2 +-
10986 block/genhd.c | 9 +-
10987 block/partitions/efi.c | 8 +-
10988 block/scsi_ioctl.c | 29 +-
10989 crypto/cryptd.c | 4 +-
10990 crypto/pcrypt.c | 2 +-
10991 drivers/acpi/apei/apei-internal.h | 2 +-
10992 drivers/acpi/apei/cper.c | 8 +-
10993 drivers/acpi/apei/ghes.c | 4 +-
10994 drivers/acpi/bgrt.c | 6 +-
10995 drivers/acpi/blacklist.c | 4 +-
10996 drivers/acpi/processor_idle.c | 2 +-
10997 drivers/acpi/sysfs.c | 4 +-
10998 drivers/ata/libahci.c | 2 +-
10999 drivers/ata/libata-core.c | 12 +-
11000 drivers/ata/libata-scsi.c | 2 +-
11001 drivers/ata/libata.h | 2 +-
11002 drivers/ata/pata_arasan_cf.c | 4 +-
11003 drivers/atm/adummy.c | 2 +-
11004 drivers/atm/ambassador.c | 8 +-
11005 drivers/atm/atmtcp.c | 14 +-
11006 drivers/atm/eni.c | 10 +-
11007 drivers/atm/firestream.c | 8 +-
11008 drivers/atm/fore200e.c | 14 +-
11009 drivers/atm/he.c | 18 +-
11010 drivers/atm/horizon.c | 4 +-
11011 drivers/atm/idt77252.c | 36 +-
11012 drivers/atm/iphase.c | 34 +-
11013 drivers/atm/lanai.c | 12 +-
11014 drivers/atm/nicstar.c | 46 +-
11015 drivers/atm/solos-pci.c | 4 +-
11016 drivers/atm/suni.c | 4 +-
11017 drivers/atm/uPD98402.c | 16 +-
11018 drivers/atm/zatm.c | 6 +-
11019 drivers/base/bus.c | 4 +-
11020 drivers/base/devtmpfs.c | 8 +-
11021 drivers/base/node.c | 2 +-
11022 drivers/base/power/domain.c | 4 +-
11023 drivers/base/power/sysfs.c | 2 +-
11024 drivers/base/power/wakeup.c | 8 +-
11025 drivers/base/syscore.c | 4 +-
11026 drivers/block/cciss.c | 28 +-
11027 drivers/block/cciss.h | 2 +-
11028 drivers/block/cpqarray.c | 28 +-
11029 drivers/block/cpqarray.h | 2 +-
11030 drivers/block/drbd/drbd_int.h | 6 +-
11031 drivers/block/drbd/drbd_main.c | 8 +-
11032 drivers/block/drbd/drbd_nl.c | 4 +-
11033 drivers/block/drbd/drbd_receiver.c | 22 +-
11034 drivers/block/loop.c | 2 +-
11035 drivers/block/pktcdvd.c | 4 +-
11036 drivers/bluetooth/btwilink.c | 2 +-
11037 drivers/bus/arm-cci.c | 2 +-
11038 drivers/cdrom/cdrom.c | 11 +-
11039 drivers/cdrom/gdrom.c | 1 -
11040 drivers/char/agp/compat_ioctl.c | 2 +-
11041 drivers/char/agp/frontend.c | 4 +-
11042 drivers/char/hpet.c | 2 +-
11043 drivers/char/hw_random/intel-rng.c | 2 +-
11044 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
11045 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
11046 drivers/char/mem.c | 43 +-
11047 drivers/char/nvram.c | 2 +-
11048 drivers/char/pcmcia/synclink_cs.c | 18 +-
11049 drivers/char/random.c | 10 +-
11050 drivers/char/sonypi.c | 9 +-
11051 drivers/char/tpm/tpm_acpi.c | 3 +-
11052 drivers/char/tpm/tpm_eventlog.c | 7 +-
11053 drivers/char/virtio_console.c | 4 +-
11054 drivers/clk/clk-composite.c | 2 +-
11055 drivers/clk/socfpga/clk.c | 9 +-
11056 drivers/cpufreq/acpi-cpufreq.c | 13 +-
11057 drivers/cpufreq/cpufreq.c | 9 +-
11058 drivers/cpufreq/cpufreq_governor.c | 6 +-
11059 drivers/cpufreq/cpufreq_governor.h | 4 +-
11060 drivers/cpufreq/cpufreq_ondemand.c | 10 +-
11061 drivers/cpufreq/cpufreq_stats.c | 2 +-
11062 drivers/cpufreq/p4-clockmod.c | 12 +-
11063 drivers/cpufreq/sparc-us3-cpufreq.c | 67 +-
11064 drivers/cpufreq/speedstep-centrino.c | 7 +-
11065 drivers/cpuidle/cpuidle.c | 2 +-
11066 drivers/cpuidle/governor.c | 4 +-
11067 drivers/cpuidle/sysfs.c | 2 +-
11068 drivers/crypto/hifn_795x.c | 4 +-
11069 drivers/devfreq/devfreq.c | 4 +-
11070 drivers/dma/sh/shdmac.c | 2 +-
11071 drivers/edac/edac_device.c | 4 +-
11072 drivers/edac/edac_mc_sysfs.c | 12 +-
11073 drivers/edac/edac_pci.c | 4 +-
11074 drivers/edac/edac_pci_sysfs.c | 22 +-
11075 drivers/edac/mce_amd.h | 2 +-
11076 drivers/firewire/core-card.c | 6 +-
11077 drivers/firewire/core-device.c | 2 +-
11078 drivers/firewire/core-transaction.c | 1 +
11079 drivers/firewire/core.h | 1 +
11080 drivers/firmware/dmi-id.c | 2 +-
11081 drivers/firmware/dmi_scan.c | 2 +-
11082 drivers/firmware/efi/efi.c | 12 +-
11083 drivers/firmware/efi/efivars.c | 2 +-
11084 drivers/firmware/google/memconsole.c | 4 +-
11085 drivers/gpio/gpio-ich.c | 2 +-
11086 drivers/gpio/gpio-vr41xx.c | 2 +-
11087 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
11088 drivers/gpu/drm/drm_drv.c | 8 +-
11089 drivers/gpu/drm/drm_fops.c | 16 +-
11090 drivers/gpu/drm/drm_global.c | 14 +-
11091 drivers/gpu/drm/drm_info.c | 14 +-
11092 drivers/gpu/drm/drm_ioc32.c | 13 +-
11093 drivers/gpu/drm/drm_lock.c | 4 +-
11094 drivers/gpu/drm/drm_stub.c | 2 +-
11095 drivers/gpu/drm/drm_sysfs.c | 2 +-
11096 drivers/gpu/drm/i810/i810_dma.c | 8 +-
11097 drivers/gpu/drm/i810/i810_drv.h | 4 +-
11098 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
11099 drivers/gpu/drm/i915/i915_dma.c | 2 +-
11100 drivers/gpu/drm/i915/i915_drv.h | 2 +-
11101 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
11102 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
11103 drivers/gpu/drm/i915/i915_irq.c | 20 +-
11104 drivers/gpu/drm/i915/intel_display.c | 26 +-
11105 drivers/gpu/drm/mga/mga_drv.h | 4 +-
11106 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
11107 drivers/gpu/drm/mga/mga_irq.c | 8 +-
11108 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
11109 drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
11110 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
11111 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
11112 drivers/gpu/drm/qxl/qxl_cmd.c | 12 +-
11113 drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +-
11114 drivers/gpu/drm/qxl/qxl_drv.h | 8 +-
11115 drivers/gpu/drm/qxl/qxl_irq.c | 16 +-
11116 drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
11117 drivers/gpu/drm/r128/r128_cce.c | 2 +-
11118 drivers/gpu/drm/r128/r128_drv.h | 4 +-
11119 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
11120 drivers/gpu/drm/r128/r128_irq.c | 4 +-
11121 drivers/gpu/drm/r128/r128_state.c | 4 +-
11122 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
11123 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
11124 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
11125 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
11126 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
11127 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
11128 drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
11129 drivers/gpu/drm/radeon/rs690.c | 4 +-
11130 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
11131 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
11132 drivers/gpu/drm/udl/udl_fb.c | 1 -
11133 drivers/gpu/drm/via/via_drv.h | 4 +-
11134 drivers/gpu/drm/via/via_irq.c | 18 +-
11135 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
11136 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
11137 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
11138 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
11139 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
11140 drivers/gpu/host1x/drm/dc.c | 2 +-
11141 drivers/hid/hid-core.c | 4 +-
11142 drivers/hid/uhid.c | 6 +-
11143 drivers/hv/channel.c | 4 +-
11144 drivers/hv/hv.c | 2 +-
11145 drivers/hv/hv_balloon.c | 18 +-
11146 drivers/hv/hyperv_vmbus.h | 2 +-
11147 drivers/hv/vmbus_drv.c | 4 +-
11148 drivers/hwmon/acpi_power_meter.c | 4 +-
11149 drivers/hwmon/applesmc.c | 2 +-
11150 drivers/hwmon/asus_atk0110.c | 10 +-
11151 drivers/hwmon/coretemp.c | 2 +-
11152 drivers/hwmon/ibmaem.c | 2 +-
11153 drivers/hwmon/iio_hwmon.c | 2 +-
11154 drivers/hwmon/pmbus/pmbus_core.c | 10 +-
11155 drivers/hwmon/sht15.c | 12 +-
11156 drivers/hwmon/via-cputemp.c | 2 +-
11157 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
11158 drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
11159 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
11160 drivers/i2c/i2c-dev.c | 2 +-
11161 drivers/ide/ide-cd.c | 2 +-
11162 drivers/iio/industrialio-core.c | 2 +-
11163 drivers/infiniband/core/cm.c | 32 +-
11164 drivers/infiniband/core/fmr_pool.c | 20 +-
11165 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
11166 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
11167 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
11168 drivers/infiniband/hw/mlx4/mad.c | 2 +-
11169 drivers/infiniband/hw/mlx4/mcg.c | 2 +-
11170 drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
11171 drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +-
11172 drivers/infiniband/hw/mthca/mthca_main.c | 2 +-
11173 drivers/infiniband/hw/mthca/mthca_mr.c | 6 +-
11174 drivers/infiniband/hw/mthca/mthca_provider.c | 2 +-
11175 drivers/infiniband/hw/nes/nes.c | 4 +-
11176 drivers/infiniband/hw/nes/nes.h | 40 +-
11177 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
11178 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
11179 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
11180 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
11181 drivers/infiniband/hw/qib/qib.h | 1 +
11182 drivers/input/gameport/gameport.c | 4 +-
11183 drivers/input/input.c | 4 +-
11184 drivers/input/joystick/sidewinder.c | 1 +
11185 drivers/input/joystick/xpad.c | 4 +-
11186 drivers/input/misc/ims-pcu.c | 4 +-
11187 drivers/input/mouse/psmouse.h | 2 +-
11188 drivers/input/mousedev.c | 2 +-
11189 drivers/input/serio/serio.c | 4 +-
11190 drivers/input/serio/serio_raw.c | 4 +-
11191 drivers/iommu/iommu.c | 2 +-
11192 drivers/iommu/irq_remapping.c | 12 +-
11193 drivers/irqchip/irq-gic.c | 4 +-
11194 drivers/isdn/capi/capi.c | 10 +-
11195 drivers/isdn/gigaset/interface.c | 8 +-
11196 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
11197 drivers/isdn/hardware/avm/b1.c | 4 +-
11198 drivers/isdn/i4l/isdn_common.c | 2 +
11199 drivers/isdn/i4l/isdn_tty.c | 22 +-
11200 drivers/isdn/icn/icn.c | 2 +-
11201 drivers/isdn/mISDN/dsp_cmx.c | 2 +-
11202 drivers/leds/leds-clevo-mail.c | 2 +-
11203 drivers/leds/leds-ss4200.c | 2 +-
11204 drivers/lguest/core.c | 10 +-
11205 drivers/lguest/page_tables.c | 2 +-
11206 drivers/lguest/x86/core.c | 12 +-
11207 drivers/lguest/x86/switcher_32.S | 27 +-
11208 drivers/md/bcache/closure.h | 2 +-
11209 drivers/md/bcache/super.c | 2 +-
11210 drivers/md/bitmap.c | 2 +-
11211 drivers/md/dm-ioctl.c | 2 +-
11212 drivers/md/dm-raid1.c | 16 +-
11213 drivers/md/dm-stats.c | 6 +-
11214 drivers/md/dm-stripe.c | 10 +-
11215 drivers/md/dm-table.c | 4 +-
11216 drivers/md/dm-thin-metadata.c | 4 +-
11217 drivers/md/dm.c | 16 +-
11218 drivers/md/md.c | 26 +-
11219 drivers/md/md.h | 6 +-
11220 drivers/md/persistent-data/dm-space-map.h | 1 +
11221 drivers/md/raid1.c | 4 +-
11222 drivers/md/raid10.c | 16 +-
11223 drivers/md/raid5.c | 10 +-
11224 drivers/media/dvb-core/dvbdev.c | 2 +-
11225 drivers/media/dvb-frontends/dib3000.h | 2 +-
11226 drivers/media/pci/cx88/cx88-video.c | 6 +-
11227 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
11228 drivers/media/platform/omap/omap_vout.c | 11 +-
11229 drivers/media/platform/s5p-tv/mixer.h | 2 +-
11230 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
11231 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
11232 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
11233 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
11234 drivers/media/radio/radio-cadet.c | 2 +
11235 drivers/media/radio/radio-maxiradio.c | 2 +-
11236 drivers/media/radio/radio-shark.c | 2 +-
11237 drivers/media/radio/radio-shark2.c | 2 +-
11238 drivers/media/radio/radio-si476x.c | 2 +-
11239 drivers/media/rc/rc-main.c | 4 +-
11240 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
11241 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
11242 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
11243 drivers/media/v4l2-core/v4l2-device.c | 4 +-
11244 drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
11245 drivers/message/fusion/mptsas.c | 34 +-
11246 drivers/message/fusion/mptscsih.c | 19 +-
11247 drivers/message/i2o/i2o_proc.c | 67 +-
11248 drivers/message/i2o/iop.c | 8 +-
11249 drivers/mfd/janz-cmodio.c | 1 +
11250 drivers/mfd/max8925-i2c.c | 2 +-
11251 drivers/mfd/tps65910.c | 2 +-
11252 drivers/mfd/twl4030-irq.c | 9 +-
11253 drivers/misc/c2port/core.c | 4 +-
11254 drivers/misc/kgdbts.c | 4 +-
11255 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
11256 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
11257 drivers/misc/sgi-gru/gruhandles.c | 4 +-
11258 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
11259 drivers/misc/sgi-gru/grutables.h | 154 +-
11260 drivers/misc/sgi-xp/xp.h | 2 +-
11261 drivers/misc/sgi-xp/xpc.h | 3 +-
11262 drivers/misc/sgi-xp/xpc_main.c | 4 +-
11263 drivers/mmc/core/mmc_ops.c | 2 +-
11264 drivers/mmc/host/dw_mmc.h | 2 +-
11265 drivers/mmc/host/mmci.c | 4 +-
11266 drivers/mmc/host/sdhci-s3c.c | 8 +-
11267 drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
11268 drivers/mtd/nand/denali.c | 1 +
11269 drivers/mtd/nftlmount.c | 1 +
11270 drivers/mtd/sm_ftl.c | 2 +-
11271 drivers/net/bonding/bond_main.c | 2 +-
11272 drivers/net/ethernet/8390/ax88796.c | 4 +-
11273 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
11274 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
11275 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
11276 drivers/net/ethernet/broadcom/tg3.h | 1 +
11277 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
11278 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
11279 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
11280 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
11281 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
11282 drivers/net/ethernet/faraday/ftmac100.c | 2 +
11283 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
11284 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
11285 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
11286 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
11287 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
11288 drivers/net/ethernet/realtek/r8169.c | 8 +-
11289 drivers/net/ethernet/sfc/ptp.c | 2 +-
11290 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
11291 drivers/net/hyperv/hyperv_net.h | 2 +-
11292 drivers/net/hyperv/rndis_filter.c | 4 +-
11293 drivers/net/ieee802154/fakehard.c | 2 +-
11294 drivers/net/macvlan.c | 18 +-
11295 drivers/net/macvtap.c | 2 +-
11296 drivers/net/ppp/ppp_generic.c | 4 +-
11297 drivers/net/slip/slhc.c | 2 +-
11298 drivers/net/team/team.c | 2 +-
11299 drivers/net/tun.c | 5 +-
11300 drivers/net/usb/hso.c | 23 +-
11301 drivers/net/usb/sierra_net.c | 4 +-
11302 drivers/net/vxlan.c | 2 +-
11303 drivers/net/wimax/i2400m/rx.c | 2 +-
11304 drivers/net/wireless/airo.c | 2 +-
11305 drivers/net/wireless/at76c50x-usb.c | 2 +-
11306 drivers/net/wireless/ath/ath10k/htc.c | 7 +-
11307 drivers/net/wireless/ath/ath10k/htc.h | 4 +-
11308 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
11309 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
11310 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
11311 drivers/net/wireless/b43/phy_lp.c | 2 +-
11312 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
11313 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
11314 drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
11315 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
11316 drivers/net/wireless/mac80211_hwsim.c | 32 +-
11317 drivers/net/wireless/rndis_wlan.c | 2 +-
11318 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
11319 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
11320 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
11321 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
11322 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
11323 drivers/nfc/nfcwilink.c | 2 +-
11324 drivers/oprofile/buffer_sync.c | 8 +-
11325 drivers/oprofile/event_buffer.c | 2 +-
11326 drivers/oprofile/oprof.c | 2 +-
11327 drivers/oprofile/oprofile_files.c | 2 +-
11328 drivers/oprofile/oprofile_stats.c | 10 +-
11329 drivers/oprofile/oprofile_stats.h | 10 +-
11330 drivers/oprofile/oprofilefs.c | 6 +-
11331 drivers/oprofile/timer_int.c | 2 +-
11332 drivers/parport/procfs.c | 4 +-
11333 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
11334 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
11335 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
11336 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
11337 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
11338 drivers/pci/hotplug/pciehp_core.c | 2 +-
11339 drivers/pci/pci-sysfs.c | 6 +-
11340 drivers/pci/pci.h | 2 +-
11341 drivers/pci/pcie/aspm.c | 6 +-
11342 drivers/pci/probe.c | 2 +-
11343 drivers/platform/x86/chromeos_laptop.c | 2 +-
11344 drivers/platform/x86/msi-laptop.c | 14 +-
11345 drivers/platform/x86/msi-wmi.c | 2 +-
11346 drivers/platform/x86/sony-laptop.c | 2 +-
11347 drivers/platform/x86/thinkpad_acpi.c | 70 +-
11348 drivers/pnp/pnpbios/bioscalls.c | 14 +-
11349 drivers/pnp/resource.c | 4 +-
11350 drivers/power/pda_power.c | 7 +-
11351 drivers/power/power_supply.h | 4 +-
11352 drivers/power/power_supply_core.c | 7 +-
11353 drivers/power/power_supply_sysfs.c | 6 +-
11354 drivers/regulator/core.c | 4 +-
11355 drivers/regulator/max8660.c | 6 +-
11356 drivers/regulator/max8973-regulator.c | 8 +-
11357 drivers/regulator/mc13892-regulator.c | 6 +-
11358 drivers/rtc/rtc-cmos.c | 4 +-
11359 drivers/rtc/rtc-ds1307.c | 2 +-
11360 drivers/rtc/rtc-m48t59.c | 4 +-
11361 drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +-
11362 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
11363 drivers/scsi/bfa/bfa_ioc.h | 4 +-
11364 drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
11365 drivers/scsi/hosts.c | 4 +-
11366 drivers/scsi/hpsa.c | 30 +-
11367 drivers/scsi/hpsa.h | 2 +-
11368 drivers/scsi/libfc/fc_exch.c | 50 +-
11369 drivers/scsi/libsas/sas_ata.c | 2 +-
11370 drivers/scsi/lpfc/lpfc.h | 8 +-
11371 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
11372 drivers/scsi/lpfc/lpfc_init.c | 6 +-
11373 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
11374 drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
11375 drivers/scsi/pmcraid.c | 20 +-
11376 drivers/scsi/pmcraid.h | 8 +-
11377 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
11378 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
11379 drivers/scsi/qla2xxx/qla_os.c | 6 +-
11380 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
11381 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
11382 drivers/scsi/scsi.c | 2 +-
11383 drivers/scsi/scsi_lib.c | 6 +-
11384 drivers/scsi/scsi_sysfs.c | 2 +-
11385 drivers/scsi/scsi_tgt_lib.c | 2 +-
11386 drivers/scsi/scsi_transport_fc.c | 8 +-
11387 drivers/scsi/scsi_transport_iscsi.c | 6 +-
11388 drivers/scsi/scsi_transport_srp.c | 6 +-
11389 drivers/scsi/sd.c | 2 +-
11390 drivers/scsi/sg.c | 2 +-
11391 drivers/spi/spi.c | 2 +-
11392 drivers/staging/android/timed_output.c | 6 +-
11393 drivers/staging/gdm724x/gdm_tty.c | 2 +-
11394 drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
11395 drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
11396 drivers/staging/media/solo6x10/solo6x10.h | 2 +-
11397 drivers/staging/octeon/ethernet-rx.c | 12 +-
11398 drivers/staging/octeon/ethernet.c | 8 +-
11399 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
11400 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
11401 drivers/staging/usbip/vhci.h | 2 +-
11402 drivers/staging/usbip/vhci_hcd.c | 6 +-
11403 drivers/staging/usbip/vhci_rx.c | 2 +-
11404 drivers/staging/vt6655/hostap.c | 7 +-
11405 drivers/staging/vt6656/hostap.c | 7 +-
11406 drivers/target/sbp/sbp_target.c | 4 +-
11407 drivers/target/target_core_device.c | 2 +-
11408 drivers/target/target_core_transport.c | 2 +-
11409 drivers/tty/cyclades.c | 6 +-
11410 drivers/tty/hvc/hvc_console.c | 14 +-
11411 drivers/tty/hvc/hvcs.c | 21 +-
11412 drivers/tty/hvc/hvsi.c | 12 +-
11413 drivers/tty/hvc/hvsi_lib.c | 6 +-
11414 drivers/tty/ipwireless/tty.c | 27 +-
11415 drivers/tty/moxa.c | 2 +-
11416 drivers/tty/n_gsm.c | 4 +-
11417 drivers/tty/n_tty.c | 3 +-
11418 drivers/tty/pty.c | 4 +-
11419 drivers/tty/rocket.c | 6 +-
11420 drivers/tty/serial/ioc4_serial.c | 6 +-
11421 drivers/tty/serial/kgdboc.c | 32 +-
11422 drivers/tty/serial/msm_serial.c | 4 +-
11423 drivers/tty/serial/samsung.c | 9 +-
11424 drivers/tty/serial/serial_core.c | 8 +-
11425 drivers/tty/synclink.c | 34 +-
11426 drivers/tty/synclink_gt.c | 28 +-
11427 drivers/tty/synclinkmp.c | 34 +-
11428 drivers/tty/tty_io.c | 2 +-
11429 drivers/tty/tty_ldisc.c | 8 +-
11430 drivers/tty/tty_port.c | 22 +-
11431 drivers/uio/uio.c | 15 +-
11432 drivers/usb/atm/cxacru.c | 2 +-
11433 drivers/usb/atm/usbatm.c | 24 +-
11434 drivers/usb/core/devices.c | 6 +-
11435 drivers/usb/core/hcd.c | 4 +-
11436 drivers/usb/core/message.c | 6 +-
11437 drivers/usb/core/sysfs.c | 2 +-
11438 drivers/usb/core/usb.c | 2 +-
11439 drivers/usb/dwc3/gadget.c | 2 -
11440 drivers/usb/early/ehci-dbgp.c | 16 +-
11441 drivers/usb/gadget/u_serial.c | 22 +-
11442 drivers/usb/host/ehci-hub.c | 4 +-
11443 drivers/usb/misc/appledisplay.c | 4 +-
11444 drivers/usb/serial/console.c | 8 +-
11445 drivers/usb/storage/usb.h | 2 +-
11446 drivers/usb/wusbcore/wa-hc.h | 4 +-
11447 drivers/usb/wusbcore/wa-xfer.c | 2 +-
11448 drivers/vfio/vfio.c | 2 +-
11449 drivers/vhost/vringh.c | 2 +-
11450 drivers/video/aty/aty128fb.c | 2 +-
11451 drivers/video/aty/atyfb_base.c | 8 +-
11452 drivers/video/aty/mach64_cursor.c | 5 +-
11453 drivers/video/backlight/kb3886_bl.c | 2 +-
11454 drivers/video/fb_defio.c | 6 +-
11455 drivers/video/fbmem.c | 6 +-
11456 drivers/video/hyperv_fb.c | 4 +-
11457 drivers/video/i810/i810_accel.c | 1 +
11458 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
11459 drivers/video/nvidia/nvidia.c | 27 +-
11460 drivers/video/s1d13xxxfb.c | 6 +-
11461 drivers/video/smscufx.c | 4 +-
11462 drivers/video/udlfb.c | 36 +-
11463 drivers/video/uvesafb.c | 53 +-
11464 drivers/video/vesafb.c | 58 +-
11465 drivers/video/via/via_clock.h | 2 +-
11466 fs/9p/vfs_addr.c | 2 +-
11467 fs/9p/vfs_inode.c | 2 +-
11468 fs/Kconfig.binfmt | 2 +-
11469 fs/afs/inode.c | 4 +-
11470 fs/aio.c | 2 +-
11471 fs/autofs4/waitq.c | 2 +-
11472 fs/befs/endian.h | 6 +-
11473 fs/befs/linuxvfs.c | 2 +-
11474 fs/binfmt_aout.c | 23 +-
11475 fs/binfmt_elf.c | 656 ++-
11476 fs/binfmt_flat.c | 6 +
11477 fs/bio.c | 6 +-
11478 fs/block_dev.c | 2 +-
11479 fs/btrfs/ctree.c | 9 +-
11480 fs/btrfs/delayed-inode.c | 6 +-
11481 fs/btrfs/delayed-inode.h | 4 +-
11482 fs/btrfs/super.c | 2 +-
11483 fs/buffer.c | 2 +-
11484 fs/cachefiles/bind.c | 6 +-
11485 fs/cachefiles/daemon.c | 8 +-
11486 fs/cachefiles/internal.h | 12 +-
11487 fs/cachefiles/namei.c | 2 +-
11488 fs/cachefiles/proc.c | 12 +-
11489 fs/cachefiles/rdwr.c | 2 +-
11490 fs/ceph/dir.c | 2 +-
11491 fs/ceph/super.c | 4 +-
11492 fs/cifs/cifs_debug.c | 12 +-
11493 fs/cifs/cifsfs.c | 8 +-
11494 fs/cifs/cifsglob.h | 54 +-
11495 fs/cifs/link.c | 2 +-
11496 fs/cifs/misc.c | 4 +-
11497 fs/cifs/smb1ops.c | 80 +-
11498 fs/cifs/smb2ops.c | 84 +-
11499 fs/cifs/smb2pdu.c | 3 +-
11500 fs/coda/cache.c | 10 +-
11501 fs/compat.c | 4 +-
11502 fs/compat_binfmt_elf.c | 2 +
11503 fs/compat_ioctl.c | 12 +-
11504 fs/configfs/dir.c | 10 +-
11505 fs/coredump.c | 18 +-
11506 fs/dcache.c | 3 +-
11507 fs/ecryptfs/inode.c | 4 +-
11508 fs/ecryptfs/miscdev.c | 2 +-
11509 fs/exec.c | 362 +-
11510 fs/ext2/xattr.c | 5 +-
11511 fs/ext3/xattr.c | 5 +-
11512 fs/ext4/ext4.h | 20 +-
11513 fs/ext4/mballoc.c | 44 +-
11514 fs/ext4/mmp.c | 2 +-
11515 fs/ext4/super.c | 4 +-
11516 fs/ext4/xattr.c | 5 +-
11517 fs/fhandle.c | 3 +-
11518 fs/fs_struct.c | 8 +-
11519 fs/fscache/cookie.c | 40 +-
11520 fs/fscache/internal.h | 200 +-
11521 fs/fscache/object.c | 26 +-
11522 fs/fscache/operation.c | 30 +-
11523 fs/fscache/page.c | 110 +-
11524 fs/fscache/stats.c | 344 +-
11525 fs/fuse/cuse.c | 10 +-
11526 fs/fuse/dev.c | 4 +-
11527 fs/fuse/dir.c | 2 +-
11528 fs/gfs2/inode.c | 2 +-
11529 fs/hostfs/hostfs_kern.c | 2 +-
11530 fs/hugetlbfs/inode.c | 13 +-
11531 fs/inode.c | 4 +-
11532 fs/jffs2/erase.c | 3 +-
11533 fs/jffs2/wbuf.c | 3 +-
11534 fs/jfs/super.c | 2 +-
11535 fs/libfs.c | 10 +-
11536 fs/lockd/clntproc.c | 4 +-
11537 fs/locks.c | 8 +-
11538 fs/namei.c | 15 +-
11539 fs/namespace.c | 16 +-
11540 fs/nfs/callback_xdr.c | 2 +-
11541 fs/nfs/inode.c | 6 +-
11542 fs/nfsd/nfs4proc.c | 2 +-
11543 fs/nfsd/nfs4xdr.c | 6 +-
11544 fs/nfsd/nfscache.c | 9 +-
11545 fs/nfsd/vfs.c | 6 +-
11546 fs/nls/nls_base.c | 18 +-
11547 fs/nls/nls_euc-jp.c | 6 +-
11548 fs/nls/nls_koi8-ru.c | 6 +-
11549 fs/notify/fanotify/fanotify_user.c | 4 +-
11550 fs/notify/notification.c | 4 +-
11551 fs/ntfs/dir.c | 2 +-
11552 fs/ntfs/file.c | 2 +-
11553 fs/ntfs/super.c | 6 +-
11554 fs/ocfs2/localalloc.c | 2 +-
11555 fs/ocfs2/ocfs2.h | 10 +-
11556 fs/ocfs2/suballoc.c | 12 +-
11557 fs/ocfs2/super.c | 20 +-
11558 fs/pipe.c | 61 +-
11559 fs/proc/array.c | 20 +
11560 fs/proc/base.c | 4 +-
11561 fs/proc/kcore.c | 32 +-
11562 fs/proc/meminfo.c | 2 +-
11563 fs/proc/nommu.c | 2 +-
11564 fs/proc/proc_sysctl.c | 18 +-
11565 fs/proc/self.c | 2 +-
11566 fs/proc/task_mmu.c | 39 +-
11567 fs/proc/task_nommu.c | 4 +-
11568 fs/proc/vmcore.c | 12 +-
11569 fs/qnx6/qnx6.h | 4 +-
11570 fs/quota/netlink.c | 4 +-
11571 fs/read_write.c | 2 +-
11572 fs/reiserfs/do_balan.c | 2 +-
11573 fs/reiserfs/procfs.c | 2 +-
11574 fs/reiserfs/reiserfs.h | 4 +-
11575 fs/seq_file.c | 4 +-
11576 fs/splice.c | 41 +-
11577 fs/sysfs/bin.c | 6 +-
11578 fs/sysfs/dir.c | 2 +-
11579 fs/sysfs/file.c | 10 +-
11580 fs/sysfs/symlink.c | 2 +-
11581 fs/sysv/sysv.h | 2 +-
11582 fs/ubifs/io.c | 2 +-
11583 fs/udf/misc.c | 2 +-
11584 fs/ufs/swab.h | 4 +-
11585 fs/xattr.c | 21 +
11586 fs/xattr_acl.c | 4 +-
11587 fs/xfs/xfs_bmap.c | 2 +-
11588 fs/xfs/xfs_dir2_readdir.c | 7 +-
11589 fs/xfs/xfs_ioctl.c | 2 +-
11590 fs/xfs/xfs_iops.c | 2 +-
11591 include/asm-generic/4level-fixup.h | 2 +
11592 include/asm-generic/atomic-long.h | 210 +
11593 include/asm-generic/atomic.h | 2 +-
11594 include/asm-generic/atomic64.h | 12 +
11595 include/asm-generic/cache.h | 4 +-
11596 include/asm-generic/emergency-restart.h | 2 +-
11597 include/asm-generic/kmap_types.h | 4 +-
11598 include/asm-generic/local.h | 13 +
11599 include/asm-generic/pgtable-nopmd.h | 18 +-
11600 include/asm-generic/pgtable-nopud.h | 15 +-
11601 include/asm-generic/pgtable.h | 16 +
11602 include/asm-generic/uaccess.h | 16 +
11603 include/asm-generic/vmlinux.lds.h | 10 +-
11604 include/crypto/algapi.h | 2 +-
11605 include/drm/drmP.h | 17 +-
11606 include/drm/drm_crtc_helper.h | 2 +-
11607 include/drm/i915_pciids.h | 2 +-
11608 include/drm/ttm/ttm_memory.h | 2 +-
11609 include/keys/asymmetric-subtype.h | 2 +-
11610 include/linux/atmdev.h | 4 +-
11611 include/linux/audit.h | 2 +-
11612 include/linux/binfmts.h | 3 +-
11613 include/linux/bitops.h | 4 +-
11614 include/linux/blkdev.h | 2 +-
11615 include/linux/blktrace_api.h | 2 +-
11616 include/linux/cache.h | 8 +
11617 include/linux/cdrom.h | 1 -
11618 include/linux/cleancache.h | 2 +-
11619 include/linux/clk-provider.h | 1 +
11620 include/linux/compat.h | 4 +-
11621 include/linux/compiler-gcc4.h | 20 +
11622 include/linux/compiler.h | 65 +-
11623 include/linux/completion.h | 12 +-
11624 include/linux/configfs.h | 2 +-
11625 include/linux/cpufreq.h | 3 +-
11626 include/linux/cpuidle.h | 5 +-
11627 include/linux/cpumask.h | 12 +-
11628 include/linux/crypto.h | 6 +-
11629 include/linux/ctype.h | 2 +-
11630 include/linux/decompress/mm.h | 2 +-
11631 include/linux/devfreq.h | 2 +-
11632 include/linux/device.h | 7 +-
11633 include/linux/dma-mapping.h | 2 +-
11634 include/linux/dmaengine.h | 4 +-
11635 include/linux/efi.h | 1 +
11636 include/linux/elf.h | 2 +
11637 include/linux/err.h | 4 +-
11638 include/linux/extcon.h | 2 +-
11639 include/linux/fb.h | 2 +-
11640 include/linux/fdtable.h | 2 +-
11641 include/linux/frontswap.h | 2 +-
11642 include/linux/fs.h | 3 +-
11643 include/linux/fs_struct.h | 2 +-
11644 include/linux/fscache-cache.h | 4 +-
11645 include/linux/fscache.h | 2 +-
11646 include/linux/fsnotify.h | 2 +-
11647 include/linux/genhd.h | 4 +-
11648 include/linux/genl_magic_func.h | 2 +-
11649 include/linux/gfp.h | 12 +-
11650 include/linux/highmem.h | 12 +
11651 include/linux/hwmon-sysfs.h | 5 +-
11652 include/linux/i2c.h | 1 +
11653 include/linux/i2o.h | 2 +-
11654 include/linux/if_pppox.h | 2 +-
11655 include/linux/init.h | 12 +-
11656 include/linux/init_task.h | 7 +
11657 include/linux/interrupt.h | 8 +-
11658 include/linux/iommu.h | 2 +-
11659 include/linux/ioport.h | 2 +-
11660 include/linux/irq.h | 3 +-
11661 include/linux/irqchip/arm-gic.h | 4 +-
11662 include/linux/jiffies.h | 12 +-
11663 include/linux/key-type.h | 2 +-
11664 include/linux/kgdb.h | 6 +-
11665 include/linux/kobject.h | 3 +-
11666 include/linux/kobject_ns.h | 2 +-
11667 include/linux/kref.h | 2 +-
11668 include/linux/kvm_host.h | 4 +-
11669 include/linux/libata.h | 2 +-
11670 include/linux/linkage.h | 1 +
11671 include/linux/list.h | 15 +
11672 include/linux/math64.h | 10 +-
11673 include/linux/mempolicy.h | 7 +
11674 include/linux/mm.h | 118 +-
11675 include/linux/mm_types.h | 20 +
11676 include/linux/mmiotrace.h | 4 +-
11677 include/linux/mmzone.h | 2 +-
11678 include/linux/mod_devicetable.h | 6 +-
11679 include/linux/module.h | 60 +-
11680 include/linux/moduleloader.h | 16 +
11681 include/linux/moduleparam.h | 4 +-
11682 include/linux/namei.h | 6 +-
11683 include/linux/net.h | 2 +-
11684 include/linux/netdevice.h | 3 +-
11685 include/linux/netfilter.h | 2 +-
11686 include/linux/netfilter/ipset/ip_set.h | 2 +-
11687 include/linux/netfilter/nfnetlink.h | 2 +-
11688 include/linux/nls.h | 2 +-
11689 include/linux/notifier.h | 3 +-
11690 include/linux/oprofile.h | 4 +-
11691 include/linux/pci_hotplug.h | 3 +-
11692 include/linux/perf_event.h | 10 +-
11693 include/linux/pipe_fs_i.h | 8 +-
11694 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
11695 include/linux/platform_data/usb-ohci-exynos.h | 2 +-
11696 include/linux/pm_domain.h | 2 +-
11697 include/linux/pm_runtime.h | 2 +-
11698 include/linux/pnp.h | 2 +-
11699 include/linux/poison.h | 4 +-
11700 include/linux/power/smartreflex.h | 2 +-
11701 include/linux/ppp-comp.h | 2 +-
11702 include/linux/preempt.h | 19 +
11703 include/linux/proc_ns.h | 2 +-
11704 include/linux/quota.h | 2 +-
11705 include/linux/random.h | 19 +-
11706 include/linux/rculist.h | 16 +
11707 include/linux/reboot.h | 14 +-
11708 include/linux/regset.h | 3 +-
11709 include/linux/relay.h | 2 +-
11710 include/linux/rio.h | 2 +-
11711 include/linux/rmap.h | 4 +-
11712 include/linux/sched.h | 67 +-
11713 include/linux/sched/sysctl.h | 1 +
11714 include/linux/security.h | 2 -
11715 include/linux/semaphore.h | 2 +-
11716 include/linux/seq_file.h | 1 +
11717 include/linux/skbuff.h | 12 +-
11718 include/linux/slab.h | 48 +-
11719 include/linux/slab_def.h | 14 +-
11720 include/linux/slub_def.h | 2 +-
11721 include/linux/smp.h | 2 +
11722 include/linux/sock_diag.h | 2 +-
11723 include/linux/sonet.h | 2 +-
11724 include/linux/sunrpc/addr.h | 8 +-
11725 include/linux/sunrpc/clnt.h | 2 +-
11726 include/linux/sunrpc/svc.h | 2 +-
11727 include/linux/sunrpc/svc_rdma.h | 18 +-
11728 include/linux/sunrpc/svcauth.h | 2 +-
11729 include/linux/swiotlb.h | 3 +-
11730 include/linux/syscalls.h | 18 +-
11731 include/linux/syscore_ops.h | 2 +-
11732 include/linux/sysctl.h | 6 +-
11733 include/linux/sysfs.h | 9 +-
11734 include/linux/sysrq.h | 3 +-
11735 include/linux/thread_info.h | 7 +
11736 include/linux/tty.h | 4 +-
11737 include/linux/tty_driver.h | 2 +-
11738 include/linux/tty_ldisc.h | 2 +-
11739 include/linux/types.h | 16 +
11740 include/linux/uaccess.h | 6 +-
11741 include/linux/unaligned/access_ok.h | 24 +-
11742 include/linux/usb.h | 4 +-
11743 include/linux/usb/renesas_usbhs.h | 2 +-
11744 include/linux/vermagic.h | 21 +-
11745 include/linux/vmalloc.h | 9 +-
11746 include/linux/vmstat.h | 20 +-
11747 include/linux/xattr.h | 5 +-
11748 include/linux/zlib.h | 3 +-
11749 include/media/v4l2-dev.h | 2 +-
11750 include/media/v4l2-device.h | 2 +-
11751 include/net/9p/transport.h | 2 +-
11752 include/net/bluetooth/l2cap.h | 2 +-
11753 include/net/caif/cfctrl.h | 6 +-
11754 include/net/flow.h | 2 +-
11755 include/net/genetlink.h | 2 +-
11756 include/net/gro_cells.h | 2 +-
11757 include/net/inet_connection_sock.h | 2 +-
11758 include/net/inetpeer.h | 17 +-
11759 include/net/ip.h | 2 +-
11760 include/net/ip_fib.h | 2 +-
11761 include/net/ip_vs.h | 8 +-
11762 include/net/irda/ircomm_tty.h | 1 +
11763 include/net/iucv/af_iucv.h | 2 +-
11764 include/net/llc_c_ac.h | 2 +-
11765 include/net/llc_c_ev.h | 4 +-
11766 include/net/llc_c_st.h | 2 +-
11767 include/net/llc_s_ac.h | 2 +-
11768 include/net/llc_s_st.h | 2 +-
11769 include/net/mac80211.h | 2 +-
11770 include/net/neighbour.h | 2 +-
11771 include/net/net_namespace.h | 20 +-
11772 include/net/netdma.h | 2 +-
11773 include/net/netlink.h | 2 +-
11774 include/net/netns/conntrack.h | 6 +-
11775 include/net/netns/ipv4.h | 4 +-
11776 include/net/netns/ipv6.h | 4 +-
11777 include/net/ping.h | 2 +-
11778 include/net/protocol.h | 4 +-
11779 include/net/rtnetlink.h | 2 +-
11780 include/net/sctp/sm.h | 4 +-
11781 include/net/sctp/structs.h | 2 +-
11782 include/net/sock.h | 6 +-
11783 include/net/tcp.h | 8 +-
11784 include/net/xfrm.h | 13 +-
11785 include/rdma/iw_cm.h | 2 +-
11786 include/scsi/libfc.h | 3 +-
11787 include/scsi/scsi_device.h | 6 +-
11788 include/scsi/scsi_transport_fc.h | 3 +-
11789 include/sound/compress_driver.h | 2 +-
11790 include/sound/soc.h | 4 +-
11791 include/target/target_core_base.h | 2 +-
11792 include/trace/events/irq.h | 4 +-
11793 include/uapi/linux/a.out.h | 8 +
11794 include/uapi/linux/byteorder/little_endian.h | 28 +-
11795 include/uapi/linux/elf.h | 28 +
11796 include/uapi/linux/screen_info.h | 3 +-
11797 include/uapi/linux/swab.h | 6 +-
11798 include/uapi/linux/sysctl.h | 6 +-
11799 include/uapi/linux/xattr.h | 4 +
11800 include/video/udlfb.h | 8 +-
11801 include/video/uvesafb.h | 1 +
11802 init/Kconfig | 2 +-
11803 init/Makefile | 3 +
11804 init/do_mounts.c | 14 +-
11805 init/do_mounts.h | 8 +-
11806 init/do_mounts_initrd.c | 30 +-
11807 init/do_mounts_md.c | 6 +-
11808 init/init_task.c | 4 +
11809 init/initramfs.c | 42 +-
11810 init/main.c | 77 +-
11811 ipc/ipc_sysctl.c | 10 +-
11812 ipc/mq_sysctl.c | 2 +-
11813 ipc/msg.c | 11 +-
11814 ipc/sem.c | 11 +-
11815 ipc/shm.c | 17 +-
11816 kernel/acct.c | 2 +-
11817 kernel/audit.c | 10 +-
11818 kernel/auditsc.c | 4 +-
11819 kernel/capability.c | 3 +
11820 kernel/compat.c | 38 +-
11821 kernel/debug/debug_core.c | 16 +-
11822 kernel/debug/kdb/kdb_main.c | 4 +-
11823 kernel/events/core.c | 30 +-
11824 kernel/events/internal.h | 12 +-
11825 kernel/events/uprobes.c | 2 +-
11826 kernel/exit.c | 4 +-
11827 kernel/fork.c | 166 +-
11828 kernel/futex.c | 11 +-
11829 kernel/futex_compat.c | 2 +-
11830 kernel/gcov/base.c | 7 +-
11831 kernel/hrtimer.c | 2 +-
11832 kernel/irq_work.c | 7 +-
11833 kernel/jump_label.c | 5 +
11834 kernel/kallsyms.c | 39 +-
11835 kernel/kexec.c | 3 +-
11836 kernel/kmod.c | 4 +-
11837 kernel/kprobes.c | 8 +-
11838 kernel/ksysfs.c | 2 +-
11839 kernel/lockdep.c | 7 +-
11840 kernel/module.c | 337 +-
11841 kernel/mutex-debug.c | 12 +-
11842 kernel/mutex-debug.h | 4 +-
11843 kernel/mutex.c | 10 +-
11844 kernel/notifier.c | 17 +-
11845 kernel/panic.c | 3 +-
11846 kernel/pid.c | 2 +-
11847 kernel/pid_namespace.c | 2 +-
11848 kernel/posix-cpu-timers.c | 4 +-
11849 kernel/posix-timers.c | 24 +-
11850 kernel/power/process.c | 12 +-
11851 kernel/profile.c | 14 +-
11852 kernel/ptrace.c | 8 +-
11853 kernel/rcupdate.c | 4 +-
11854 kernel/rcutiny.c | 4 +-
11855 kernel/rcutorture.c | 56 +-
11856 kernel/rcutree.c | 76 +-
11857 kernel/rcutree.h | 26 +-
11858 kernel/rcutree_plugin.h | 30 +-
11859 kernel/rcutree_trace.c | 22 +-
11860 kernel/rtmutex-tester.c | 24 +-
11861 kernel/sched/auto_group.c | 4 +-
11862 kernel/sched/core.c | 49 +-
11863 kernel/sched/fair.c | 4 +-
11864 kernel/sched/sched.h | 2 +-
11865 kernel/signal.c | 12 +-
11866 kernel/smpboot.c | 4 +-
11867 kernel/softirq.c | 14 +-
11868 kernel/srcu.c | 4 +-
11869 kernel/sys.c | 10 +-
11870 kernel/sysctl.c | 39 +-
11871 kernel/time/alarmtimer.c | 2 +-
11872 kernel/time/timer_stats.c | 10 +-
11873 kernel/timer.c | 4 +-
11874 kernel/trace/blktrace.c | 6 +-
11875 kernel/trace/ftrace.c | 18 +-
11876 kernel/trace/ring_buffer.c | 76 +-
11877 kernel/trace/trace.c | 2 +-
11878 kernel/trace/trace.h | 2 +-
11879 kernel/trace/trace_clock.c | 4 +-
11880 kernel/trace/trace_events.c | 1 -
11881 kernel/trace/trace_mmiotrace.c | 8 +-
11882 kernel/trace/trace_output.c | 12 +-
11883 kernel/trace/trace_stack.c | 2 +-
11884 kernel/user_namespace.c | 2 +-
11885 kernel/utsname_sysctl.c | 2 +-
11886 kernel/watchdog.c | 2 +-
11887 kernel/workqueue.c | 2 +-
11888 lib/Kconfig.debug | 8 +-
11889 lib/Makefile | 2 +-
11890 lib/bitmap.c | 8 +-
11891 lib/bug.c | 2 +
11892 lib/debugobjects.c | 2 +-
11893 lib/devres.c | 4 +-
11894 lib/div64.c | 4 +-
11895 lib/dma-debug.c | 4 +-
11896 lib/inflate.c | 2 +-
11897 lib/ioremap.c | 4 +-
11898 lib/kobject.c | 4 +-
11899 lib/list_debug.c | 126 +-
11900 lib/percpu-refcount.c | 2 +-
11901 lib/radix-tree.c | 2 +-
11902 lib/strncpy_from_user.c | 2 +-
11903 lib/strnlen_user.c | 2 +-
11904 lib/swiotlb.c | 2 +-
11905 lib/usercopy.c | 6 +
11906 lib/vsprintf.c | 12 +-
11907 mm/Kconfig | 6 +-
11908 mm/backing-dev.c | 4 +-
11909 mm/filemap.c | 10 +-
11910 mm/fremap.c | 5 +
11911 mm/highmem.c | 7 +-
11912 mm/hugetlb.c | 70 +-
11913 mm/internal.h | 3 +-
11914 mm/maccess.c | 4 +-
11915 mm/madvise.c | 41 +
11916 mm/memory-failure.c | 26 +-
11917 mm/memory.c | 424 +-
11918 mm/mempolicy.c | 25 +
11919 mm/mlock.c | 15 +-
11920 mm/mmap.c | 591 ++-
11921 mm/mprotect.c | 139 +-
11922 mm/mremap.c | 44 +-
11923 mm/nommu.c | 21 +-
11924 mm/page-writeback.c | 2 +-
11925 mm/page_alloc.c | 42 +-
11926 mm/page_io.c | 2 +-
11927 mm/percpu.c | 2 +-
11928 mm/process_vm_access.c | 14 +-
11929 mm/rmap.c | 44 +-
11930 mm/shmem.c | 19 +-
11931 mm/slab.c | 108 +-
11932 mm/slab.h | 15 +-
11933 mm/slab_common.c | 60 +-
11934 mm/slob.c | 206 +-
11935 mm/slub.c | 88 +-
11936 mm/sparse-vmemmap.c | 4 +-
11937 mm/sparse.c | 2 +-
11938 mm/swap.c | 2 +
11939 mm/swapfile.c | 12 +-
11940 mm/util.c | 6 +
11941 mm/vmalloc.c | 75 +-
11942 mm/vmstat.c | 12 +-
11943 net/8021q/vlan.c | 5 +-
11944 net/9p/mod.c | 4 +-
11945 net/9p/trans_fd.c | 2 +-
11946 net/atm/atm_misc.c | 8 +-
11947 net/atm/lec.h | 2 +-
11948 net/atm/proc.c | 6 +-
11949 net/atm/resources.c | 4 +-
11950 net/ax25/sysctl_net_ax25.c | 2 +-
11951 net/batman-adv/bat_iv_ogm.c | 8 +-
11952 net/batman-adv/hard-interface.c | 2 +-
11953 net/batman-adv/soft-interface.c | 4 +-
11954 net/batman-adv/types.h | 6 +-
11955 net/batman-adv/unicast.c | 2 +-
11956 net/bluetooth/hci_sock.c | 2 +-
11957 net/bluetooth/l2cap_core.c | 6 +-
11958 net/bluetooth/l2cap_sock.c | 12 +-
11959 net/bluetooth/rfcomm/sock.c | 4 +-
11960 net/bluetooth/rfcomm/tty.c | 4 +-
11961 net/bridge/netfilter/ebtables.c | 6 +-
11962 net/caif/cfctrl.c | 11 +-
11963 net/can/af_can.c | 2 +-
11964 net/can/gw.c | 6 +-
11965 net/ceph/messenger.c | 4 +-
11966 net/compat.c | 34 +-
11967 net/core/datagram.c | 2 +-
11968 net/core/dev.c | 16 +-
11969 net/core/flow.c | 8 +-
11970 net/core/iovec.c | 4 +-
11971 net/core/neighbour.c | 2 +-
11972 net/core/net-sysfs.c | 2 +-
11973 net/core/net_namespace.c | 8 +-
11974 net/core/netpoll.c | 4 +-
11975 net/core/rtnetlink.c | 13 +-
11976 net/core/scm.c | 8 +-
11977 net/core/skbuff.c | 6 +-
11978 net/core/sock.c | 28 +-
11979 net/core/sock_diag.c | 9 +-
11980 net/core/sysctl_net_core.c | 18 +-
11981 net/decnet/af_decnet.c | 1 +
11982 net/decnet/sysctl_net_decnet.c | 4 +-
11983 net/ieee802154/6lowpan.c | 2 +-
11984 net/ipv4/af_inet.c | 8 +-
11985 net/ipv4/devinet.c | 18 +-
11986 net/ipv4/fib_frontend.c | 6 +-
11987 net/ipv4/fib_semantics.c | 2 +-
11988 net/ipv4/inet_connection_sock.c | 2 +-
11989 net/ipv4/inetpeer.c | 4 +-
11990 net/ipv4/ip_fragment.c | 15 +-
11991 net/ipv4/ip_gre.c | 6 +-
11992 net/ipv4/ip_sockglue.c | 2 +-
11993 net/ipv4/ip_vti.c | 4 +-
11994 net/ipv4/ipconfig.c | 6 +-
11995 net/ipv4/ipip.c | 4 +-
11996 net/ipv4/netfilter/arp_tables.c | 12 +-
11997 net/ipv4/netfilter/ip_tables.c | 12 +-
11998 net/ipv4/ping.c | 14 +-
11999 net/ipv4/raw.c | 14 +-
12000 net/ipv4/route.c | 20 +-
12001 net/ipv4/sysctl_net_ipv4.c | 45 +-
12002 net/ipv4/tcp_input.c | 2 +-
12003 net/ipv4/tcp_probe.c | 2 +-
12004 net/ipv4/udp.c | 10 +-
12005 net/ipv4/xfrm4_policy.c | 18 +-
12006 net/ipv6/addrconf.c | 12 +-
12007 net/ipv6/af_inet6.c | 2 +-
12008 net/ipv6/datagram.c | 2 +-
12009 net/ipv6/icmp.c | 2 +-
12010 net/ipv6/ip6_gre.c | 8 +-
12011 net/ipv6/ip6_tunnel.c | 4 +-
12012 net/ipv6/ipv6_sockglue.c | 2 +-
12013 net/ipv6/netfilter/ip6_tables.c | 12 +-
12014 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
12015 net/ipv6/output_core.c | 15 +-
12016 net/ipv6/ping.c | 28 +-
12017 net/ipv6/raw.c | 17 +-
12018 net/ipv6/reassembly.c | 13 +-
12019 net/ipv6/route.c | 2 +-
12020 net/ipv6/sit.c | 4 +-
12021 net/ipv6/sysctl_net_ipv6.c | 2 +-
12022 net/ipv6/udp.c | 6 +-
12023 net/ipv6/xfrm6_policy.c | 17 +-
12024 net/irda/ircomm/ircomm_tty.c | 18 +-
12025 net/iucv/af_iucv.c | 4 +-
12026 net/iucv/iucv.c | 2 +-
12027 net/key/af_key.c | 4 +-
12028 net/mac80211/cfg.c | 8 +-
12029 net/mac80211/ieee80211_i.h | 3 +-
12030 net/mac80211/iface.c | 16 +-
12031 net/mac80211/main.c | 2 +-
12032 net/mac80211/pm.c | 6 +-
12033 net/mac80211/rate.c | 2 +-
12034 net/mac80211/rc80211_pid_debugfs.c | 2 +-
12035 net/mac80211/util.c | 4 +-
12036 net/netfilter/ipset/ip_set_core.c | 2 +-
12037 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
12038 net/netfilter/ipvs/ip_vs_core.c | 4 +-
12039 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
12040 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
12041 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
12042 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
12043 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
12044 net/netfilter/nf_conntrack_acct.c | 2 +-
12045 net/netfilter/nf_conntrack_ecache.c | 2 +-
12046 net/netfilter/nf_conntrack_helper.c | 2 +-
12047 net/netfilter/nf_conntrack_proto.c | 2 +-
12048 net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
12049 net/netfilter/nf_conntrack_standalone.c | 2 +-
12050 net/netfilter/nf_conntrack_timestamp.c | 2 +-
12051 net/netfilter/nf_log.c | 10 +-
12052 net/netfilter/nf_sockopt.c | 4 +-
12053 net/netfilter/nfnetlink_log.c | 4 +-
12054 net/netfilter/xt_statistic.c | 8 +-
12055 net/netlink/af_netlink.c | 4 +-
12056 net/netlink/genetlink.c | 16 +-
12057 net/packet/af_packet.c | 8 +-
12058 net/phonet/pep.c | 6 +-
12059 net/phonet/socket.c | 2 +-
12060 net/phonet/sysctl.c | 2 +-
12061 net/rds/cong.c | 6 +-
12062 net/rds/ib.h | 2 +-
12063 net/rds/ib_cm.c | 2 +-
12064 net/rds/ib_recv.c | 4 +-
12065 net/rds/iw.h | 2 +-
12066 net/rds/iw_cm.c | 2 +-
12067 net/rds/iw_recv.c | 4 +-
12068 net/rds/rds.h | 2 +-
12069 net/rds/tcp.c | 2 +-
12070 net/rds/tcp_send.c | 2 +-
12071 net/rxrpc/af_rxrpc.c | 2 +-
12072 net/rxrpc/ar-ack.c | 14 +-
12073 net/rxrpc/ar-call.c | 2 +-
12074 net/rxrpc/ar-connection.c | 2 +-
12075 net/rxrpc/ar-connevent.c | 2 +-
12076 net/rxrpc/ar-input.c | 4 +-
12077 net/rxrpc/ar-internal.h | 8 +-
12078 net/rxrpc/ar-local.c | 2 +-
12079 net/rxrpc/ar-output.c | 4 +-
12080 net/rxrpc/ar-peer.c | 2 +-
12081 net/rxrpc/ar-proc.c | 4 +-
12082 net/rxrpc/ar-transport.c | 2 +-
12083 net/rxrpc/rxkad.c | 4 +-
12084 net/sctp/ipv6.c | 6 +-
12085 net/sctp/protocol.c | 10 +-
12086 net/sctp/sm_sideeffect.c | 2 +-
12087 net/sctp/socket.c | 21 +-
12088 net/sctp/sysctl.c | 4 +-
12089 net/socket.c | 18 +-
12090 net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
12091 net/sunrpc/clnt.c | 4 +-
12092 net/sunrpc/sched.c | 4 +-
12093 net/sunrpc/svc.c | 4 +-
12094 net/sunrpc/svcauth_unix.c | 4 +-
12095 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
12096 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
12097 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
12098 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
12099 net/tipc/link.c | 4 +-
12100 net/tipc/msg.c | 2 +-
12101 net/tipc/subscr.c | 2 +-
12102 net/unix/sysctl_net_unix.c | 2 +-
12103 net/wireless/wext-core.c | 19 +-
12104 net/xfrm/xfrm_policy.c | 22 +-
12105 net/xfrm/xfrm_state.c | 33 +-
12106 net/xfrm/xfrm_sysctl.c | 2 +-
12107 scripts/Makefile.build | 2 +-
12108 scripts/Makefile.clean | 3 +-
12109 scripts/Makefile.host | 28 +-
12110 scripts/basic/fixdep.c | 12 +-
12111 scripts/gcc-plugin.sh | 17 +
12112 scripts/headers_install.sh | 1 +
12113 scripts/link-vmlinux.sh | 2 +-
12114 scripts/mod/file2alias.c | 14 +-
12115 scripts/mod/modpost.c | 25 +-
12116 scripts/mod/modpost.h | 6 +-
12117 scripts/mod/sumversion.c | 2 +-
12118 scripts/module-common.lds | 4 +
12119 scripts/package/builddeb | 1 +
12120 scripts/pnmtologo.c | 6 +-
12121 scripts/sortextable.h | 6 +-
12122 security/Kconfig | 690 ++-
12123 security/apparmor/lsm.c | 2 +-
12124 security/integrity/ima/ima.h | 4 +-
12125 security/integrity/ima/ima_api.c | 2 +-
12126 security/integrity/ima/ima_fs.c | 4 +-
12127 security/integrity/ima/ima_queue.c | 2 +-
12128 security/keys/compat.c | 2 +-
12129 security/keys/internal.h | 2 +-
12130 security/keys/key.c | 18 +-
12131 security/keys/keyctl.c | 8 +-
12132 security/keys/keyring.c | 6 +-
12133 security/security.c | 9 +-
12134 security/selinux/avc.c | 6 +-
12135 security/selinux/hooks.c | 11 +-
12136 security/selinux/include/xfrm.h | 2 +-
12137 security/smack/smack_lsm.c | 2 +-
12138 security/tomoyo/tomoyo.c | 2 +-
12139 security/yama/yama_lsm.c | 22 +-
12140 sound/aoa/codecs/onyx.c | 7 +-
12141 sound/aoa/codecs/onyx.h | 1 +
12142 sound/core/oss/pcm_oss.c | 18 +-
12143 sound/core/pcm_compat.c | 2 +-
12144 sound/core/pcm_native.c | 4 +-
12145 sound/core/seq/seq_device.c | 8 +-
12146 sound/core/sound.c | 2 +-
12147 sound/drivers/mts64.c | 14 +-
12148 sound/drivers/opl4/opl4_lib.c | 2 +-
12149 sound/drivers/portman2x4.c | 3 +-
12150 sound/firewire/amdtp.c | 4 +-
12151 sound/firewire/amdtp.h | 2 +-
12152 sound/firewire/isight.c | 10 +-
12153 sound/firewire/scs1x.c | 8 +-
12154 sound/oss/sb_audio.c | 2 +-
12155 sound/oss/swarm_cs4297a.c | 6 +-
12156 sound/pci/hda/hda_codec.c | 8 +-
12157 sound/pci/ymfpci/ymfpci.h | 2 +-
12158 sound/pci/ymfpci/ymfpci_main.c | 12 +-
12159 sound/soc/fsl/fsl_ssi.c | 2 +-
12160 tools/gcc/.gitignore | 1 +
12161 tools/gcc/Makefile | 45 +
12162 tools/gcc/checker_plugin.c | 172 +
12163 tools/gcc/colorize_plugin.c | 151 +
12164 tools/gcc/constify_plugin.c | 560 ++
12165 tools/gcc/generate_size_overflow_hash.sh | 94 +
12166 tools/gcc/kallocstat_plugin.c | 170 +
12167 tools/gcc/kernexec_plugin.c | 471 ++
12168 tools/gcc/latent_entropy_plugin.c | 335 +
12169 tools/gcc/size_overflow_hash.data | 7613 ++++++++++++++++++++
12170 tools/gcc/size_overflow_plugin.c | 3840 ++++++++++
12171 tools/gcc/stackleak_plugin.c | 327 +
12172 tools/gcc/structleak_plugin.c | 277 +
12173 tools/lib/lk/Makefile | 2 +-
12174 tools/perf/util/include/asm/alternative-asm.h | 3 +
12175 tools/perf/util/include/linux/compiler.h | 8 +
12176 virt/kvm/kvm_main.c | 32 +-
12177 1701 files changed, 36050 insertions(+), 7719 deletions(-)
12178commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466
12179Author: Brad Spengler <spender@grsecurity.net>
12180Date: Sun Nov 24 17:50:21 2013 -0500
12181
12182 remove unnecessary code/comments after new reload method
12183
12184 grsecurity/gracl.c | 4 ----
12185 grsecurity/gracl_policy.c | 13 -------------
12186 2 files changed, 0 insertions(+), 17 deletions(-)
12187
12188commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d
12189Author: Brad Spengler <spender@grsecurity.net>
12190Date: Sun Nov 24 16:05:01 2013 -0500
12191
12192 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous
12193 features have been added since then)
12194
12195 Introduce new atomic RBAC reload method, developed as part of sponsorship
12196 by EIG
12197
12198 This is accompanied by an updated 3.0 gradm which will use the new reload
12199 method when -R is passed to gradm. The old method will still be available
12200 via gradm -r (which is what a 2.9.1 gradm will continue to use).
12201
12202 The new RBAC reload method is atomic in the sense that at no point in the
12203 reload process will the system not be covered by a coherent full policy.
12204 In contrast to previous reload behavior, it also preserves inherited subjects
12205 and special roles.
12206
12207 The old RBAC reload method has also been made atomic. Both methods have
12208 been updated to perform role_allowed_ip checks only against the IP tagged
12209 to the task at the time its role was first applied or changed. This resolves
12210 long-standing usability problems with the use of role_allowed_ip and matches
12211 the policies created by learning.
12212
12213 grsecurity/Makefile | 2 +-
12214 grsecurity/gracl.c | 3903 +++++++++++++------------------------------
12215 grsecurity/gracl_alloc.c | 42 +-
12216 grsecurity/gracl_compat.c | 3 +-
12217 grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++
12218 grsecurity/gracl_segv.c | 12 +-
12219 grsecurity/grsec_disabled.c | 7 -
12220 grsecurity/grsec_init.c | 15 -
12221 include/linux/gracl.h | 43 +-
12222 include/linux/grinternal.h | 1 -
12223 include/linux/grsecurity.h | 1 -
12224 include/linux/sched.h | 2 +
12225 12 files changed, 3082 insertions(+), 2787 deletions(-)
12226
12227commit d8981a4fd03025434a466fd87a0eaea93755bc70
12228Author: Brad Spengler <spender@grsecurity.net>
12229Date: Sun Nov 24 15:08:28 2013 -0500
12230
12231 compile fix for recent GRKERNSEC_CHROOT_INITRD change
12232
12233 init/main.c | 12 +++---------
12234 1 files changed, 3 insertions(+), 9 deletions(-)
12235
12236commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f
12237Author: Brad Spengler <spender@grsecurity.net>
12238Date: Sat Nov 23 18:27:37 2013 -0500
12239
12240 Make the recent usermode_helper protection race-free as far as userland
12241 is concerned by creating a copy of the path to be executed, then check against
12242 that copied path instead of the still-mutable original path
12243
12244 include/linux/kmod.h | 3 +++
12245 kernel/kmod.c | 13 +++++++++++++
12246 2 files changed, 16 insertions(+), 0 deletions(-)
12247
12248commit ecdd0610bef058fd33fee50b489d949c1a0db07a
12249Author: Brad Spengler <spender@grsecurity.net>
12250Date: Sat Nov 23 17:20:15 2013 -0500
12251
12252 Produce a UDEREF message when faulting on kernel access to a non-present
12253 page in the userland range. This is purely for consistency of logs,
12254 due to there being no domain present to fault based on. An
12255 "Unable to handle kernel fault.." oops would already (and still is)
12256 generated for these cases, triggering grsec's bruteforce prevention.
12257
12258 Reported by acez on IRC
12259
12260 arch/arm/mm/fault.c | 11 +++++++++++
12261 1 files changed, 11 insertions(+), 0 deletions(-)
12262
12263commit 3f4adfade80bba0d865b5c603bd58da555ca4553
12264Author: Brad Spengler <spender@grsecurity.net>
12265Date: Sat Nov 23 16:56:46 2013 -0500
12266
12267 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option,
12268 Also make sure we mark init as run if no initrd was used. Though this
12269 should already be enforced in grsec_chroot.c, this should future-proof
12270 the feature a bit in case userland somehow changes drastically.
12271
12272 Conflicts:
12273
12274 init/main.c
12275
12276 grsecurity/Kconfig | 2 +-
12277 grsecurity/grsec_chroot.c | 2 +-
12278 init/main.c | 15 +++++++++++++++
12279 3 files changed, 17 insertions(+), 2 deletions(-)
12280
12281commit d4a9bb63091852b5b49ebd216796b374e5c0dc71
12282Author: Brad Spengler <spender@grsecurity.net>
12283Date: Sat Nov 23 16:33:20 2013 -0500
12284
12285 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
12286
12287 kernel/kmod.c | 8 ++++++++
12288 1 files changed, 8 insertions(+), 0 deletions(-)
12289
12290commit e727db195f8bed17c65d050e1772643d730fe565
12291Author: Brad Spengler <spender@grsecurity.net>
12292Date: Sat Nov 23 16:02:01 2013 -0500
12293
12294 perform USERCOPY kernel text checks against the linear mapping on amd64 as well
12295
12296 fs/exec.c | 8 ++++++++
12297 1 files changed, 8 insertions(+), 0 deletions(-)
12298
12299commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb
12300Merge: 2fcc3a5 2d1263b
12301Author: Brad Spengler <spender@grsecurity.net>
12302Date: Fri Nov 22 21:11:44 2013 -0500
12303
12304 Merge branch 'pax-test' into grsec-test
12305
12306commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1
12307Merge: d52f291 e0cd057
12308Author: Brad Spengler <spender@grsecurity.net>
12309Date: Fri Nov 22 21:11:33 2013 -0500
12310
12311 Merge branch 'linux-3.11.y' into pax-test
12312
12313 Conflicts:
12314 drivers/net/ethernet/chelsio/cxgb3/sge.c
12315
12316commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972
12317Author: Brad Spengler <spender@grsecurity.net>
12318Date: Fri Nov 22 20:31:37 2013 -0500
12319
12320 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
12321
12322 This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
12323
12324 It caused errors with traceroute, reported to upstream and fixed with
12325 http://patchwork.ozlabs.org/patch/293614/
12326 But there's no reason for us to maintain this backport as we're
12327 already impervious to recvmsg/msg_name infoleaks
12328
12329 Conflicts:
12330
12331 net/ipv4/ping.c
12332
12333 net/ieee802154/dgram.c | 3 ++-
12334 net/ipv4/ping.c | 11 +++++++++--
12335 net/ipv4/raw.c | 4 +++-
12336 net/ipv4/udp.c | 7 ++++++-
12337 net/ipv6/raw.c | 4 +++-
12338 net/ipv6/udp.c | 5 ++++-
12339 net/l2tp/l2tp_ip.c | 4 +++-
12340 net/phonet/datagram.c | 9 +++++----
12341 8 files changed, 35 insertions(+), 12 deletions(-)
12342
12343commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b
12344Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
12345Date: Mon Nov 18 07:07:45 2013 +0100
12346
12347 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
12348
12349 ping: prevent NULL pointer dereference on write to msg_name
12350
12351 A plain read() on a socket does set msg->msg_name to NULL. So check for
12352 NULL pointer first.
12353
12354 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
12355 Signed-off-by: David S. Miller <davem@davemloft.net>
12356
12357 net/ipv4/ping.c | 34 +++++++++++++++++++---------------
12358 1 files changed, 19 insertions(+), 15 deletions(-)
12359
12360commit 8bb32f2682953e1b748a59c4a4363b237c3510df
12361Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
12362Date: Mon Nov 18 04:20:45 2013 +0100
12363
12364 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
12365
12366 inet: prevent leakage of uninitialized memory to user in recv syscalls
12367
12368 Only update *addr_len when we actually fill in sockaddr, otherwise we
12369 can return uninitialized memory from the stack to the caller in the
12370 recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
12371 checks because we only get called with a valid addr_len pointer either
12372 from sock_common_recvmsg or inet_recvmsg.
12373
12374 If a blocking read waits on a socket which is concurrently shut down we
12375 now return zero and set msg_msgnamelen to 0.
12376
12377 Reported-by: mpb <mpb.mail@gmail.com>
12378 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
12379 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
12380 Signed-off-by: David S. Miller <davem@davemloft.net>
12381
12382 net/ieee802154/dgram.c | 3 +--
12383 net/ipv4/ping.c | 19 +++++++------------
12384 net/ipv4/raw.c | 4 +---
12385 net/ipv4/udp.c | 7 +------
12386 net/ipv6/raw.c | 4 +---
12387 net/ipv6/udp.c | 5 +----
12388 net/l2tp/l2tp_ip.c | 4 +---
12389 net/phonet/datagram.c | 9 ++++-----
12390 8 files changed, 17 insertions(+), 38 deletions(-)
12391
12392commit 642d754081c130a151e7df27e5c07edf2f368106
12393Author: Jeff Layton <jlayton@redhat.com>
12394Date: Wed Nov 13 09:08:21 2013 -0500
12395
12396 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
12397
12398 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
12399
12400 Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
12401 NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
12402 There is no guarantee that doing so will work however, so we can end up
12403 retrying the call in an infinite loop.
12404
12405 Worse yet, we create the new client using rpc_clone_client_set_auth,
12406 which creates the new client as a child of the old one. Thus, we can end
12407 up with a *very* long lineage of rpc_clnts. When we go to put all of the
12408 references to them, we can end up with a long call chain that can smash
12409 the stack as each rpc_free_client() call can recurse back into itself.
12410
12411 This patch fixes this by simply ensuring that the SETCLIENTID call will
12412 only be retried in this situation if the last attempt did not use
12413 RPC_AUTH_UNIX.
12414
12415 Note too that with this change, we don't need the (i > 2) check in the
12416 -EACCES case since we now have a more reliable test as to whether we
12417 should reattempt.
12418
12419 Cc: stable@vger.kernel.org # v3.10+
12420 Cc: Chuck Lever <chuck.lever@oracle.com>
12421 Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
12422 Signed-off-by: Jeff Layton <jlayton@redhat.com>
12423 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
12424
12425 fs/nfs/nfs4state.c | 7 ++++++-
12426 1 files changed, 6 insertions(+), 1 deletions(-)
12427
12428commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2
12429Author: Chuck Lever <chuck.lever@oracle.com>
12430Date: Wed Jul 24 12:28:28 2013 -0400
12431
12432 Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e
12433
12434 NFS: Use root's credential for lease management when keytab is missing
12435
12436 Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting"
12437 Fri Sep 14 17:24:32 2012 introduced Uniform Client String support,
12438 which forces our NFS client to establish a client ID immediately
12439 during a mount operation rather than waiting until a user wants to
12440 open a file.
12441
12442 Normally machine credentials (eg. from a keytab) are used to perform
12443 a mount operation that is protected by Kerberos. Before 05fc350,
12444 SETCLIENTID used a machine credential, or fell back to a regular
12445 user's credential if no keytab is available.
12446
12447 On clients that don't have a keytab, performing SETCLIENTID early
12448 means there's no user credential to fall back on, since no regular
12449 user has kinit'd yet. 05f4c350 seems to have broken the ability
12450 to mount with sec=krb5 on clients that don't have a keytab in
12451 kernels 3.7 - 3.10.
12452
12453 To address this regression, commit 4edaa308 (NFS: Use "krb5i" to
12454 establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013,
12455 was merged in 3.10. This commit forces the NFS client to fall back
12456 to AUTH_SYS for lease management operations if no keytab is
12457 available.
12458
12459 Neil Brown noticed that, since root is required to kinit to do a
12460 sec=krb5 mount when a client doesn't have a keytab, we can try to
12461 use root's Kerberos credential before AUTH_SYS.
12462
12463 Now, when determining a principal and flavor to use for lease
12464 management, the NFS client tries in this order:
12465
12466 1. Flavor: AUTH_GSS, krb5i
12467 Principal: service principal (via keytab)
12468
12469 2. Flavor: AUTH_GSS, krb5i
12470 Principal: user principal established for UID 0 (via kinit)
12471
12472 3. Flavor: AUTH_SYS
12473 Principal: UID 0 / GID 0
12474
12475 Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
12476 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
12477
12478 fs/nfs/nfs4state.c | 19 ++++++++++++++++++-
12479 1 files changed, 18 insertions(+), 1 deletions(-)
12480
12481commit 6ebab64904f37af82e950b0c6d321437e810b248
12482Author: Trond Myklebust <Trond.Myklebust@netapp.com>
12483Date: Tue Nov 12 17:24:36 2013 -0500
12484
12485 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
12486
12487 SUNRPC: Avoid deep recursion in rpc_release_client
12488
12489 In cases where an rpc client has a parent hierarchy, then
12490 rpc_free_client may end up calling rpc_release_client() on the
12491 parent, thus recursing back into rpc_free_client. If the hierarchy
12492 is deep enough, then we can get into situations where the stack
12493 simply overflows.
12494
12495 The fix is to have rpc_release_client() loop so that it can take
12496 care of the parent rpc client hierarchy without needing to
12497 recurse.
12498
12499 Reported-by: Jeff Layton <jlayton@redhat.com>
12500 Reported-by: Weston Andros Adamson <dros@netapp.com>
12501 Reported-by: Bruce Fields <bfields@fieldses.org>
12502 Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
12503 Cc: stable@vger.kernel.org
12504 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
12505
12506 net/sunrpc/clnt.c | 29 +++++++++++++++++------------
12507 1 files changed, 17 insertions(+), 12 deletions(-)
12508
12509commit fcb4306973aed105cc6d042077bf31e21b812008
12510Author: Trond Myklebust <Trond.Myklebust@netapp.com>
12511Date: Fri Nov 8 16:03:50 2013 -0500
12512
12513 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
12514
12515 SUNRPC: Fix a data corruption issue when retransmitting RPC calls
12516
12517 The following scenario can cause silent data corruption when doing
12518 NFS writes. It has mainly been observed when doing database writes
12519 using O_DIRECT.
12520
12521 1) The RPC client uses sendpage() to do zero-copy of the page data.
12522 2) Due to networking issues, the reply from the server is delayed,
12523 and so the RPC client times out.
12524
12525 3) The client issues a second sendpage of the page data as part of
12526 an RPC call retransmission.
12527
12528 4) The reply to the first transmission arrives from the server
12529 _before_ the client hardware has emptied the TCP socket send
12530 buffer.
12531 5) After processing the reply, the RPC state machine rules that
12532 the call to be done, and triggers the completion callbacks.
12533 6) The application notices the RPC call is done, and reuses the
12534 pages to store something else (e.g. a new write).
12535
12536 7) The client NIC drains the TCP socket send buffer. Since the
12537 page data has now changed, it reads a corrupted version of the
12538 initial RPC call, and puts it on the wire.
12539
12540 This patch fixes the problem in the following manner:
12541
12542 The ordering guarantees of TCP ensure that when the server sends a
12543 reply, then we know that the _first_ transmission has completed. Using
12544 zero-copy in that situation is therefore safe.
12545 If a time out occurs, we then send the retransmission using sendmsg()
12546 (i.e. no zero-copy), We then know that the socket contains a full copy of
12547 the data, and so it will retransmit a faithful reproduction even if the
12548 RPC call completes, and the application reuses the O_DIRECT buffer in
12549 the meantime.
12550
12551 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
12552 Cc: stable@vger.kernel.org
12553
12554 net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++-------
12555 1 files changed, 21 insertions(+), 7 deletions(-)
12556
12557commit 2c59d4080ae744532dbe595f6923dcba72279977
12558Merge: b2b99c6 d52f291
12559Author: Brad Spengler <spender@grsecurity.net>
12560Date: Mon Nov 18 19:07:55 2013 -0500
12561
12562 Merge branch 'pax-test' into grsec-test
12563
12564commit d52f291621da9227cda5fd647e82dfe9bfc11265
12565Author: Brad Spengler <spender@grsecurity.net>
12566Date: Mon Nov 18 19:07:14 2013 -0500
12567
12568 Update to pax-linux-3.11.8-test14.patch:
12569 - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)
12570
12571 mm/page_alloc.c | 2 +-
12572 tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++----------
12573 2 files changed, 25 insertions(+), 11 deletions(-)
12574
12575commit b2b99c6972e345565d561b722de210f071e5e259
12576Author: Brad Spengler <spender@grsecurity.net>
12577Date: Thu Nov 14 20:47:37 2013 -0500
12578
12579 Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e
12580
12581 ipv6: fix headroom calculation in udp6_ufo_fragment
12582 Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
12583 fragmentation for tunnel traffic.") changed the calculation if
12584 there is enough space to include a fragment header in the skb from a
12585 skb->mac_header dervived one to skb_headroom. Because we already peeled
12586 off the skb to transport_header this is wrong. Change this back to check
12587 if we have enough room before the mac_header.
12588
12589 This fixes a panic Saran Neti reported. He used the tbf scheduler which
12590 skb_gso_segments the skb. The offsets get negative and we panic in memcpy
12591 because the skb was erroneously not expanded at the head.
12592
12593 Reported-by: Saran Neti <Saran.Neti@telus.com>
12594 Cc: Pravin B Shelar <pshelar@nicira.com>
12595 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
12596 Signed-off-by: David S. Miller <davem@davemloft.net>
12597
12598 net/ipv6/udp_offload.c | 2 +-
12599 1 files changed, 1 insertions(+), 1 deletions(-)
12600
12601commit 012ee7647e16f464f8d1ad004e28eac2ba778158
12602Author: Dan Carpenter <dan.carpenter@oracle.com>
12603Date: Thu Nov 14 11:21:10 2013 +0300
12604
12605 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
12606
12607 isdnloop: use strlcpy() instead of strcpy()
12608
12609 These strings come from a copy_from_user() and there is no way to be
12610 sure they are NUL terminated.
12611
12612 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
12613 Signed-off-by: David S. Miller <davem@davemloft.net>
12614
12615 drivers/isdn/isdnloop/isdnloop.c | 8 +++++---
12616 1 files changed, 5 insertions(+), 3 deletions(-)
12617
12618commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f
12619Author: Eric Dumazet <edumazet@google.com>
12620Date: Thu Nov 14 13:37:54 2013 -0800
12621
12622 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
12623
12624 ipv4: fix possible seqlock deadlock
12625
12626 ip4_datagram_connect() being called from process context,
12627 it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
12628 otherwise we can deadlock on 32bit arches, or get corruptions of
12629 SNMP counters.
12630
12631 Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
12632 Signed-off-by: Eric Dumazet <edumazet@google.com>
12633 Reported-by: Dave Jones <davej@redhat.com>
12634 Signed-off-by: David S. Miller <davem@davemloft.net>
12635
12636 net/ipv4/datagram.c | 2 +-
12637 1 files changed, 1 insertions(+), 1 deletions(-)
12638
12639commit 1a642170613ae336331f2df38aa8f2c1227d3c96
12640Merge: 60c6423 84d78c7
12641Author: Brad Spengler <spender@grsecurity.net>
12642Date: Thu Nov 14 20:28:51 2013 -0500
12643
12644 Merge branch 'pax-test' into grsec-test
12645
12646commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730
12647Author: Brad Spengler <spender@grsecurity.net>
12648Date: Thu Nov 14 20:28:07 2013 -0500
12649
12650 Update to pax-linux-3.11.8-test13.patch:
12651 - forward port to 3.11.8
12652 - removed some no longer used code from bpf jit
12653 - fixed some atomic_unchecked_t usage in oprofile and uio
12654 - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy
12655
12656 arch/x86/include/asm/mmu_context.h | 8 ++++++++
12657 arch/x86/kernel/setup.c | 2 +-
12658 drivers/bluetooth/btwilink.c | 2 +-
12659 drivers/md/dm-table.c | 2 +-
12660 drivers/message/i2o/i2o_proc.c | 16 ++++++++--------
12661 drivers/mfd/max8925-i2c.c | 2 +-
12662 drivers/mfd/tps65910.c | 2 +-
12663 drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
12664 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
12665 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
12666 drivers/net/wireless/airo.c | 2 +-
12667 drivers/net/wireless/b43/phy_lp.c | 2 +-
12668 drivers/nfc/nfcwilink.c | 2 +-
12669 drivers/oprofile/oprofilefs.c | 4 ++--
12670 drivers/platform/x86/msi-wmi.c | 2 +-
12671 drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++-------------
12672 drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++----
12673 drivers/usb/serial/console.c | 2 +-
12674 include/linux/filter.h | 4 ----
12675 kernel/audit.c | 2 +-
12676 20 files changed, 41 insertions(+), 45 deletions(-)
12677
12678commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c
12679Author: Brad Spengler <spender@grsecurity.net>
12680Date: Thu Nov 14 20:15:51 2013 -0500
12681
12682 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
12683
12684 grsecurity/Kconfig | 1 +
12685 1 files changed, 1 insertions(+), 0 deletions(-)
12686
12687commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43
12688Author: Brad Spengler <spender@grsecurity.net>
12689Date: Thu Nov 14 19:07:11 2013 -0500
12690
12691 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS
12692 and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps
12693 make it more obvious that while we make use of domains, CPU_USE_DOMAINS is
12694 disabled as far as the kernel knows
12695
12696 arch/arm/mm/Kconfig | 2 +-
12697 1 files changed, 1 insertions(+), 1 deletions(-)
12698
12699commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba
12700Author: Brad Spengler <spender@grsecurity.net>
12701Date: Thu Nov 14 19:01:59 2013 -0500
12702
12703 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research
12704 on overly-permissive shared memory found in hundreds of areas in Linux
12705 distros:
12706 http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
12707
12708 Will let this sit in -test for a while to weed out any app incompatibilities
12709
12710 grsecurity/Kconfig | 17 +++++++++++++++++
12711 grsecurity/Makefile | 2 +-
12712 grsecurity/grsec_init.c | 4 ++++
12713 grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
12714 grsecurity/grsec_sysctl.c | 9 +++++++++
12715 include/linux/grinternal.h | 1 +
12716 include/linux/grmsg.h | 1 +
12717 ipc/util.c | 5 +++++
12718 8 files changed, 60 insertions(+), 1 deletions(-)
12719
12720commit 27c3b43bd5ad9c9b877016f26192dbc30da54018
12721Merge: 08e883f d0a09ad
12722Author: Brad Spengler <spender@grsecurity.net>
12723Date: Wed Nov 13 22:27:13 2013 -0500
12724
12725 Merge branch 'pax-test' into grsec-test
12726
12727commit d0a09ad6430008135b98da6e1941e98a6110b59e
12728Merge: 4e826ac 02709ef
12729Author: Brad Spengler <spender@grsecurity.net>
12730Date: Wed Nov 13 22:27:03 2013 -0500
12731
12732 Merge branch 'linux-3.11.y' into pax-test
12733
12734commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1
12735Author: Brad Spengler <spender@grsecurity.net>
12736Date: Mon Nov 11 10:48:10 2013 -0500
12737
12738 Fix the overflowable range check just to be correct.
12739 Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt
12740 but I believe this to be unexploitable due to bounds checks on 'count'
12741 from rw_verify_area() in fs/read_write.c
12742
12743 drivers/video/arcfb.c | 2 +-
12744 1 files changed, 1 insertions(+), 1 deletions(-)
12745
12746commit 094c08532f9877a287ffac7a87b05841a56b4e5d
12747Author: Brad Spengler <spender@grsecurity.net>
12748Date: Sun Nov 10 22:01:33 2013 -0500
12749
12750 Add missing include
12751
12752 fs/proc/proc_sysctl.c | 1 +
12753 1 files changed, 1 insertions(+), 0 deletions(-)
12754
12755commit e383790f8252620f52895e202cc057c4318da3f4
12756Author: Brad Spengler <spender@grsecurity.net>
12757Date: Sun Nov 10 17:50:12 2013 -0500
12758
12759 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS
12760 option: GRKERNSEC_OLD_ARM_USERLAND
12761
12762 arch/arm/mm/Kconfig | 2 +-
12763 grsecurity/Kconfig | 14 ++++++++++++++
12764 2 files changed, 15 insertions(+), 1 deletions(-)
12765
12766commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26
12767Author: Brad Spengler <spender@grsecurity.net>
12768Date: Sun Nov 10 15:19:27 2013 -0500
12769
12770 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr
12771 was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF
12772 loading). Fix this by setting a proper default on these architectures like set on the LSM-based
12773 mmap_min_addr.
12774
12775 Thanks to acez from IRC for debugging.
12776
12777 mm/Kconfig | 1 +
12778 1 files changed, 1 insertions(+), 0 deletions(-)
12779
12780commit 17f832897194f46c4759aa02e048ad5623a04eed
12781Author: Brad Spengler <spender@grsecurity.net>
12782Date: Sun Nov 10 13:54:25 2013 -0500
12783
12784 Compatibility fix for LXC:
12785 Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values,
12786 use a CAP_NET_ADMIN check within the user namespace of the process performing the modification
12787 CAP_SYS_ADMIN is still required for any other sysctl modification, including modification
12788 of sysctls of a net namespace other than our own
12789
12790 This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
12791 networking
12792
12793 Thanks to ncopa from IRC for testing
12794
12795 fs/proc/proc_sysctl.c | 9 +++++++--
12796 1 files changed, 7 insertions(+), 2 deletions(-)
12797
12798commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20
12799Merge: fb281bd 4e826ac
12800Author: Brad Spengler <spender@grsecurity.net>
12801Date: Wed Nov 6 17:27:16 2013 -0500
12802
12803 Merge branch 'pax-test' into grsec-test
12804
12805 Conflicts:
12806 net/l2tp/l2tp_core.c
12807
12808commit 4e826ac763867707352d93b7d23ed86e4c6829cf
12809Merge: e309bfb 39773be
12810Author: Brad Spengler <spender@grsecurity.net>
12811Date: Wed Nov 6 17:26:23 2013 -0500
12812
12813 Merge branch 'linux-3.11.y' into pax-test
12814
12815 Conflicts:
12816 net/compat.c
12817
12818commit fb281bdee5ccb76facfe1172318a867b624011f4
12819Author: Brad Spengler <spender@grsecurity.net>
12820Date: Wed Nov 6 16:23:36 2013 -0500
12821
12822 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
12823
12824 Conflicts:
12825
12826 security/Kconfig
12827
12828 security/Kconfig | 1 +
12829 1 files changed, 1 insertions(+), 0 deletions(-)
12830
12831commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a
12832Author: Brad Spengler <spender@grsecurity.net>
12833Date: Wed Nov 6 16:19:21 2013 -0500
12834
12835 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel
12836 bruteforce deterrence
12837
12838 Conflicts:
12839
12840 lib/list_debug.c
12841
12842 lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
12843 1 files changed, 42 insertions(+), 23 deletions(-)
12844
12845commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba
12846Author: Dan Carpenter <dan.carpenter@oracle.com>
12847Date: Tue Oct 29 23:01:43 2013 +0300
12848
12849 Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427
12850
12851 Staging: sb105x: info leak in mp_get_count()
12852
12853 The icount.reserved[] array isn't initialized so it leaks stack
12854 information to userspace.
12855
12856 Reported-by: Nico Golde <nico@ngolde.de>
12857 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
12858 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
12859 Cc: stable@kernel.org
12860 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12861
12862 drivers/staging/sb105x/sb_pci_mp.c | 2 +-
12863 1 files changed, 1 insertions(+), 1 deletions(-)
12864
12865commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de
12866Author: Dan Carpenter <dan.carpenter@oracle.com>
12867Date: Tue Oct 29 22:06:04 2013 +0300
12868
12869 Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b
12870
12871 uml: check length in exitcode_proc_write()
12872
12873 We don't cap the size of buffer from the user so we could write past the
12874 end of the array here. Only root can write to this file.
12875
12876 Reported-by: Nico Golde <nico@ngolde.de>
12877 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
12878 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
12879 Cc: stable@kernel.org
12880 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12881
12882 arch/um/kernel/exitcode.c | 4 +++-
12883 1 files changed, 3 insertions(+), 1 deletions(-)
12884
12885commit 1285d10ec38f216f3c5de7ce085ce43447c78916
12886Author: Jason Wang <jasowang@redhat.com>
12887Date: Fri Nov 1 15:01:10 2013 +0800
12888
12889 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
12890
12891 net: flow_dissector: fail on evil iph->ihl
12892
12893 We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
12894 skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
12895 is evil (less than 5).
12896
12897 This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
12898 (rps: support IPIP encapsulation).
12899
12900 Cc: Eric Dumazet <edumazet@google.com>
12901 Cc: Petr Matousek <pmatouse@redhat.com>
12902 Cc: Michael S. Tsirkin <mst@redhat.com>
12903 Cc: Daniel Borkmann <dborkman@redhat.com>
12904 Signed-off-by: Jason Wang <jasowang@redhat.com>
12905 Acked-by: Eric Dumazet <edumazet@google.com>
12906 Signed-off-by: David S. Miller <davem@davemloft.net>
12907
12908 net/core/flow_dissector.c | 2 +-
12909 1 files changed, 1 insertions(+), 1 deletions(-)
12910
12911commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc
12912Author: Ming Lei <ming.lei@canonical.com>
12913Date: Thu Oct 31 16:34:17 2013 -0700
12914
12915 Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75
12916
12917 lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
12918
12919 Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
12920 functions") introduces two sg buffer copy helpers, and calls
12921 flush_kernel_dcache_page() on pages in SG list after these pages are
12922 written to.
12923
12924 Unfortunately, the commit may introduce a potential bug:
12925
12926 - Before sending some SCSI commands, kmalloc() buffer may be passed to
12927 block layper, so flush_kernel_dcache_page() can see a slab page
12928 finally
12929
12930 - According to cachetlb.txt, flush_kernel_dcache_page() is only called
12931 on "a user page", which surely can't be a slab page.
12932
12933 - ARCH's implementation of flush_kernel_dcache_page() may use page
12934 mapping information to do optimization so page_mapping() will see the
12935 slab page, then VM_BUG_ON() is triggered.
12936
12937 Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
12938 and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
12939 before calling flush_kernel_dcache_page().
12940
12941 Signed-off-by: Ming Lei <ming.lei@canonical.com>
12942 Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
12943 Tested-by: Simon Baatz <gmbnomis@gmail.com>
12944 Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
12945 Cc: Will Deacon <will.deacon@arm.com>
12946 Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
12947 Acked-by: Catalin Marinas <catalin.marinas@arm.com>
12948 Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
12949 Cc: Tejun Heo <tj@kernel.org>
12950 Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
12951 Cc: Jens Axboe <axboe@kernel.dk>
12952 Cc: <stable@vger.kernel.org> [3.2+]
12953 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
12954 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12955
12956 lib/scatterlist.c | 3 ++-
12957 1 files changed, 2 insertions(+), 1 deletions(-)
12958
12959commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4
12960Author: Dan Carpenter <dan.carpenter@oracle.com>
12961Date: Tue Oct 29 23:01:11 2013 +0300
12962
12963 Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba
12964
12965 Staging: bcm: info leak in ioctl
12966
12967 The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
12968 information to user space.
12969
12970 Reported-by: Nico Golde <nico@ngolde.de>
12971 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
12972 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
12973 Cc: stable@kernel.org
12974 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12975
12976 drivers/staging/bcm/Bcmchar.c | 1 +
12977 1 files changed, 1 insertions(+), 0 deletions(-)
12978
12979commit a2ab9d69265a08280241a2f2152e535316d02f53
12980Author: Dan Carpenter <dan.carpenter@oracle.com>
12981Date: Tue Oct 29 22:11:06 2013 +0300
12982
12983 Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5
12984
12985 aacraid: missing capable() check in compat ioctl
12986
12987 In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
12988 added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the
12989 check as well.
12990
12991 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
12992 Cc: stable@kernel.org
12993 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12994
12995 drivers/scsi/aacraid/linit.c | 2 ++
12996 1 files changed, 2 insertions(+), 0 deletions(-)
12997
12998commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e
12999Author: Dan Carpenter <dan.carpenter@oracle.com>
13000Date: Tue Oct 29 23:00:15 2013 +0300
13001
13002 Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054
13003
13004 staging: wlags49_h2: buffer overflow setting station name
13005
13006 We need to check the length parameter before doing the memcpy(). I've
13007 actually changed it to strlcpy() as well so that it's NUL terminated.
13008
13009 You need CAP_NET_ADMIN to trigger these so it's not the end of the
13010 world.
13011
13012 Reported-by: Nico Golde <nico@ngolde.de>
13013 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
13014 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
13015 Cc: stable@kernel.org
13016 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13017
13018 drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
13019 1 files changed, 6 insertions(+), 3 deletions(-)
13020
13021commit afd645c1684265260b64ec8189cbc2703b91f6ab
13022Author: Dan Carpenter <dan.carpenter@oracle.com>
13023Date: Tue Oct 29 22:07:47 2013 +0300
13024
13025 Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15
13026
13027 staging: ozwpan: prevent overflow in oz_cdev_write()
13028
13029 We need to check "count" so we don't overflow the ei->data buffer.
13030
13031 Reported-by: Nico Golde <nico@ngolde.de>
13032 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
13033 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
13034 Cc: stable@kernel.org
13035 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13036
13037 drivers/staging/ozwpan/ozcdev.c | 3 +++
13038 1 files changed, 3 insertions(+), 0 deletions(-)
13039
13040commit 4a907baeb462b7e0f50923be5a9d842aec93c97a
13041Author: Linus Torvalds <torvalds@linux-foundation.org>
13042Date: Tue Oct 29 10:21:34 2013 -0700
13043
13044 Fixed a little differently than Linus...
13045
13046 Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
13047
13048 Fix a few incorrectly checked [io_]remap_pfn_range() calls
13049
13050 Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
13051 really should use the vm_iomap_memory() helper. This trivially converts
13052 two of them to the helper, and comments about why the third one really
13053 needs to continue to use remap_pfn_range(), and adds the missing size
13054 check.
13055
13056 Reported-by: Nico Golde <nico@ngolde.de>
13057 Cc: stable@kernel.org
13058 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
13059
13060 Conflicts:
13061
13062 drivers/uio/uio.c
13063
13064 drivers/uio/uio.c | 19 +++++++++++++++++--
13065 drivers/video/au1100fb.c | 26 +-------------------------
13066 drivers/video/au1200fb.c | 23 +----------------------
13067 3 files changed, 19 insertions(+), 49 deletions(-)
13068
13069commit e68e94ddd03cf81d875b30a5e7b0e1bb4682e61f
13070Merge: 0970b16 e309bfb
13071Author: Brad Spengler <spender@grsecurity.net>
13072Date: Sun Oct 27 15:17:05 2013 -0400
13073
13074 Merge branch 'pax-test' into grsec-test
13075
13076commit e309bfbf7b506b2294b30233f7a3299173a75cf7
13077Author: Hugh Dickins <hughd@google.com>
13078Date: Wed Oct 16 13:47:09 2013 -0700
13079
13080 Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779
13081
13082 mm: revert mremap pud_free anti-fix
13083
13084 Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail
13085 calling pmd_alloc()").
13086
13087 The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map()
13088 ensure that the pud, pmd, pt is already allocated, and seldom do they
13089 need to allocate; on failure, upper levels are freed if appropriate by
13090 the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an
13091 unconditional pud_free() of a most-likely still-in-use pud: saved only
13092 by the near-impossiblity of pmd_alloc() failing.
13093
13094 Signed-off-by: Hugh Dickins <hughd@google.com>
13095 Cc: Chen Gang <gang.chen@asianux.com>
13096 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
13097 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13098
13099 mm/mremap.c | 5 +----
13100 1 files changed, 1 insertions(+), 4 deletions(-)
13101
13102commit 0970b16a9df08b8cca6929b6443f67df432ac3e5
13103Author: Eric Dumazet <edumazet@google.com>
13104Date: Tue Oct 1 21:04:11 2013 -0700
13105
13106 Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693
13107
13108 net: do not call sock_put() on TIMEWAIT sockets
13109
13110 commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
13111 hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
13112
13113 We should instead use inet_twsk_put()
13114
13115 Signed-off-by: Eric Dumazet <edumazet@google.com>
13116 Signed-off-by: David S. Miller <davem@davemloft.net>
13117
13118 net/ipv4/inet_hashtables.c | 2 +-
13119 net/ipv6/inet6_hashtables.c | 2 +-
13120 2 files changed, 2 insertions(+), 2 deletions(-)
13121
13122commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28
13123Author: Andi Kleen <ak@linux.intel.com>
13124Date: Mon Sep 30 13:29:08 2013 -0700
13125
13126 Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645
13127
13128 igb: Avoid uninitialized advertised variable in eee_set_cur
13129
13130 eee_get_cur assumes that the output data is already zeroed. It can
13131 read-modify-write the advertised field:
13132
13133 if (ipcnfg & E1000_IPCNFG_EEE_100M_AN)
13134 2594 edata->advertised |= ADVERTISED_100baseT_Full;
13135
13136 This is ok for the normal ethtool eee_get call, which always
13137 zeroes the input data before.
13138
13139 But eee_set_cur also calls eee_get_cur and it did not zero the input
13140 field. Later on it then compares agsinst the field, which can contain partial
13141 stack garbage.
13142
13143 Zero the input field in eee_set_cur() too.
13144
13145 Cc: jeffrey.t.kirsher@intel.com
13146 Cc: netdev@vger.kernel.org
13147 Signed-off-by: Andi Kleen <ak@linux.intel.com>
13148 Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
13149 Signed-off-by: David S. Miller <davem@davemloft.net>
13150
13151 drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++
13152 1 files changed, 2 insertions(+), 0 deletions(-)
13153
13154commit 651730a8caabce37f78d8e6c84283b96e434d19f
13155Author: Dan Carpenter <dan.carpenter@oracle.com>
13156Date: Thu Oct 3 00:27:20 2013 +0300
13157
13158 Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8
13159
13160 net: heap overflow in __audit_sockaddr()
13161
13162 We need to cap ->msg_namelen or it leads to a buffer overflow when we
13163 to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
13164 exploit this bug.
13165
13166 The call tree is:
13167 ___sys_recvmsg()
13168 move_addr_to_user()
13169 audit_sockaddr()
13170 __audit_sockaddr()
13171
13172 Reported-by: Jüri Aedla <juri.aedla@gmail.com>
13173 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
13174 Signed-off-by: David S. Miller <davem@davemloft.net>
13175
13176 Conflicts:
13177
13178 net/compat.c
13179
13180 net/compat.c | 2 ++
13181 net/socket.c | 24 ++++++++++++++++++++----
13182 2 files changed, 22 insertions(+), 4 deletions(-)
13183
13184commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc
13185Author: Salva Peiró <speiro@ai2.upv.es>
13186Date: Wed Oct 16 12:46:50 2013 +0200
13187
13188 Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1
13189
13190 wanxl: fix info leak in ioctl
13191
13192 The wanxl_ioctl() code fails to initialize the two padding bytes of
13193 struct sync_serial_settings after the ->loopback member. Add an explicit
13194 memset(0) before filling the structure to avoid the info leak.
13195
13196 Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
13197 Signed-off-by: David S. Miller <davem@davemloft.net>
13198
13199 drivers/net/wan/wanxl.c | 1 +
13200 1 files changed, 1 insertions(+), 0 deletions(-)
13201
13202commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f
13203Author: Geyslan G. Bem <geyslan@gmail.com>
13204Date: Fri Oct 11 16:49:16 2013 -0300
13205
13206 Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4
13207
13208 ecryptfs: Fix memory leakage in keystore.c
13209
13210 In 'decrypt_pki_encrypted_session_key' function:
13211
13212 Initializes 'payload' pointer and releases it on exit.
13213
13214 Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
13215 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
13216 Cc: stable@vger.kernel.org # v2.6.28+
13217
13218 fs/ecryptfs/keystore.c | 3 ++-
13219 1 files changed, 2 insertions(+), 1 deletions(-)
13220
13221commit 0ccb7b191245318a36bbd1f59a1846dda72cb738
13222Author: Colin Ian King <colin.king@canonical.com>
13223Date: Thu Oct 24 14:08:07 2013 +0000
13224
13225 Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e
13226
13227 eCryptfs: fix 32 bit corruption issue
13228
13229 Shifting page->index on 32 bit systems was overflowing, causing
13230 data corruption of > 4GB files. Fix this by casting it first.
13231
13232 https://launchpad.net/bugs/1243636
13233
13234 Signed-off-by: Colin Ian King <colin.king@canonical.com>
13235 Reported-by: Lars Duesing <lars.duesing@camelotsweb.de>
13236 Cc: stable@vger.kernel.org # v3.11+
13237 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
13238
13239 fs/ecryptfs/crypto.c | 2 +-
13240 1 files changed, 1 insertions(+), 1 deletions(-)
13241
13242commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4
13243Author: Brad Spengler <spender@grsecurity.net>
13244Date: Sun Oct 27 13:29:49 2013 -0400
13245
13246 This is a replacement patch only for stable which does fix the problems
13247 handled by the following two commits in -net:
13248
13249 "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
13250 "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
13251
13252 Three frames are written on a corked udp socket for which the output
13253 netdevice has UFO enabled. If the first and third frame are smaller than
13254 the mtu and the second one is bigger, we enqueue the second frame with
13255 skb_append_datato_frags without initializing the gso fields. This leads
13256 to the third frame appended regulary and thus constructing an invalid skb.
13257
13258 This fixes the problem by always using skb_append_datato_frags as soon
13259 as the first frag got enqueued to the skb without marking the packet
13260 as SKB_GSO_UDP.
13261
13262 The problem with only two frames for ipv6 was fixed by "ipv6: udp
13263 packets following an UFO enqueued packet need also be handled by UFO"
13264 (2811ebac2521ceac84f2bdae402455baa6a7fb47).
13265
13266 Cc: Jiri Pirko <jiri@resnulli.us>
13267 Cc: Eric Dumazet <eric.dumazet@gmail.com>
13268 Cc: David Miller <davem@davemloft.net>
13269 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
13270
13271 include/linux/skbuff.h | 5 +++++
13272 net/ipv4/ip_output.c | 2 +-
13273 net/ipv6/ip6_output.c | 2 +-
13274 3 files changed, 7 insertions(+), 2 deletions(-)
13275
13276commit aead8ff29424c6a5d25eb4614be91a01f9f6af00
13277Merge: 5cf8361 ddadc82
13278Author: Brad Spengler <spender@grsecurity.net>
13279Date: Sat Oct 26 08:42:26 2013 -0400
13280
13281 Merge branch 'pax-test' into grsec-test
13282
13283 Conflicts:
13284 security/Kconfig
13285
13286commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec
13287Author: Brad Spengler <spender@grsecurity.net>
13288Date: Sat Oct 26 08:41:24 2013 -0400
13289
13290 - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs <timo.teras@iki.f> and Natanael Copa <ncopa@alpinelinux.org> (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
13291 - updated config help for latent entropy to reflect recent changes
13292
13293 arch/x86/include/asm/uaccess_64.h | 4 ++--
13294 security/Kconfig | 6 +++---
13295 2 files changed, 5 insertions(+), 5 deletions(-)
13296
13297commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad
13298Author: Johannes Weiner <hannes@cmpxchg.org>
13299Date: Wed Oct 16 13:47:00 2013 -0700
13300
13301 Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc
13302
13303 fs: buffer: move allocation failure loop into the allocator
13304
13305 Buffer allocation has a very crude indefinite loop around waking the
13306 flusher threads and performing global NOFS direct reclaim because it can
13307 not handle allocation failures.
13308
13309 The most immediate problem with this is that the allocation may fail due
13310 to a memory cgroup limit, where flushers + direct reclaim might not make
13311 any progress towards resolving the situation at all. Because unlike the
13312 global case, a memory cgroup may not have any cache at all, only
13313 anonymous pages but no swap. This situation will lead to a reclaim
13314 livelock with insane IO from waking the flushers and thrashing unrelated
13315 filesystem cache in a tight loop.
13316
13317 Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
13318 any looping happens in the page allocator, which knows how to
13319 orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
13320 allows memory cgroups to detect allocations that can't handle failure
13321 and will allow them to ultimately bypass the limit if reclaim can not
13322 make progress.
13323
13324 Reported-by: azurIt <azurit@pobox.sk>
13325 Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
13326 Cc: Michal Hocko <mhocko@suse.cz>
13327 Cc: <stable@kernel.org>
13328 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
13329 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13330
13331 fs/buffer.c | 14 ++++++++++++--
13332 mm/memcontrol.c | 2 ++
13333 2 files changed, 14 insertions(+), 2 deletions(-)
13334
13335commit 799326c8683d8d70b2035b1e5ab913c159112b6b
13336Author: Miklos Szeredi <mszeredi@suse.cz>
13337Date: Thu Oct 10 16:48:19 2013 +0200
13338
13339 Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06
13340
13341 ext[34]: fix double put in tmpfile
13342
13343 d_tmpfile() already swallowed the inode ref.
13344
13345 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
13346 Cc: stable@vger.kernel.org
13347 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13348
13349 fs/ext3/namei.c | 5 ++---
13350 fs/ext4/namei.c | 5 ++---
13351 2 files changed, 4 insertions(+), 6 deletions(-)
13352
13353commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3
13354Author: Jan Klos <honza.klos@gmail.com>
13355Date: Sun Oct 6 21:08:20 2013 +0200
13356
13357 Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20
13358
13359 cifs: Fix inability to write files >2GB to SMB2/3 shares
13360
13361 When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super().
13362
13363 The patch fixes this by checking for the correct bit according to the protocol version.
13364
13365 CC: Stable <stable@kernel.org>
13366 Signed-off-by: Jan Klos <honza.klos@gmail.com>
13367 Reviewed-by: Jeff Layton <jlayton@redhat.com>
13368 Signed-off-by: Steve French <smfrench@gmail.com>
13369
13370 fs/cifs/cifsfs.c | 6 ++++--
13371 1 files changed, 4 insertions(+), 2 deletions(-)
13372
13373commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22
13374Author: Tim Gardner <tim.gardner@canonical.com>
13375Date: Sun Oct 13 13:29:03 2013 -0600
13376
13377 Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a
13378
13379 cifs: ntstatus_to_dos_map[] is not terminated
13380
13381 Functions that walk the ntstatus_to_dos_map[] array could
13382 run off the end. For example, ntstatus_to_dos() loops
13383 while ntstatus_to_dos_map[].ntstatus is not 0. Granted,
13384 this is mostly theoretical, but could be used as a DOS attack
13385 if the error code in the SMB header is bogus.
13386
13387 [Might consider adding to stable, as this patch is low risk - Steve]
13388
13389 Reviewed-by: Jeff Layton <jlayton@redhat.com>
13390 Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
13391 Signed-off-by: Steve French <smfrench@gmail.com>
13392
13393 fs/cifs/netmisc.c | 4 +++-
13394 1 files changed, 3 insertions(+), 1 deletions(-)
13395
13396commit ed8c09a96fa260e1864c632e1dd91b1320876305
13397Author: Eric Dumazet <edumazet@google.com>
13398Date: Tue Oct 15 11:54:30 2013 -0700
13399
13400 Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9
13401
13402 tcp: must unclone packets before mangling them
13403
13404 TCP stack should make sure it owns skbs before mangling them.
13405
13406 We had various crashes using bnx2x, and it turned out gso_size
13407 was cleared right before bnx2x driver was populating TC descriptor
13408 of the _previous_ packet send. TCP stack can sometime retransmit
13409 packets that are still in Qdisc.
13410
13411 Of course we could make bnx2x driver more robust (using
13412 ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack.
13413
13414 We have identified two points where skb_unclone() was needed.
13415
13416 This patch adds a WARN_ON_ONCE() to warn us if we missed another
13417 fix of this kind.
13418
13419 Kudos to Neal for finding the root cause of this bug. Its visible
13420 using small MSS.
13421
13422 Signed-off-by: Eric Dumazet <edumazet@google.com>
13423 Signed-off-by: Neal Cardwell <ncardwell@google.com>
13424 Cc: Yuchung Cheng <ycheng@google.com>
13425 Signed-off-by: David S. Miller <davem@davemloft.net>
13426
13427 net/ipv4/tcp_output.c | 9 ++++++---
13428 1 files changed, 6 insertions(+), 3 deletions(-)
13429
13430commit e5dcf1772ca2a85952da10a21d0650507dc061d3
13431Author: Dan Carpenter <dan.carpenter@oracle.com>
13432Date: Mon Oct 14 15:28:38 2013 +0300
13433
13434 Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5
13435
13436 yam: integer underflow in yam_ioctl()
13437
13438 We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be
13439 negative. I don't know the impact of using a negative bitrate but let's
13440 prevent it.
13441
13442 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
13443 Signed-off-by: David S. Miller <davem@davemloft.net>
13444
13445 include/linux/yam.h | 2 +-
13446 1 files changed, 1 insertions(+), 1 deletions(-)
13447
13448commit 1f5d72d633f317248bba25158c326a61394aebf2
13449Merge: 7ca4328 4df1b96
13450Author: Brad Spengler <spender@grsecurity.net>
13451Date: Fri Oct 18 19:36:17 2013 -0400
13452
13453 Merge branch 'pax-test' into grsec-test
13454
13455 Conflicts:
13456 ipc/shm.c
13457
13458commit 4df1b965687831808af2548487e0f35a2ccc5c29
13459Merge: e41125e 5070441
13460Author: Brad Spengler <spender@grsecurity.net>
13461Date: Fri Oct 18 19:35:31 2013 -0400
13462
13463 Merge branch 'linux-3.11.y' into pax-test
13464
13465 Conflicts:
13466 arch/x86/kernel/setup.c
13467
13468commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525
13469Author: Brad Spengler <spender@grsecurity.net>
13470Date: Wed Oct 16 18:35:00 2013 -0400
13471
13472 From: Mathias Krause <minipli@googlemail.com>
13473 To: Evgeniy Polyakov <zbr@ioremap.net>
13474 Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
13475 Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length
13476
13477 The current code tests the length of the whole netlink message to be
13478 at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
13479 the length of the netlink message header. Use nlmsg_len() instead to
13480 fix this "off-by-NLMSG_HDRLEN" size check.
13481
13482 Cc: stable@vger.kernel.org # v2.6.14+
13483 Signed-off-by: Mathias Krause <minipli@googlemail.com>
13484
13485 drivers/connector/connector.c | 7 ++++---
13486 1 files changed, 4 insertions(+), 3 deletions(-)
13487
13488commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489
13489Author: Brad Spengler <spender@grsecurity.net>
13490Date: Wed Oct 16 18:36:25 2013 -0400
13491
13492 From: Mathias Krause <minipli@googlemail.com>
13493 To: linux-audit@redhat.com
13494 Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
13495 Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
13496
13497 We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
13498 we miss to initialize the mask member of status_set. Fix that.
13499
13500 Cc: Al Viro <viro@zeniv.linux.org.uk>
13501 Cc: Eric Paris <eparis@redhat.com>
13502 Cc: stable@vger.kernel.org # v2.6.6+
13503 Signed-off-by: Mathias Krause <minipli@googlemail.com>
13504
13505 kernel/audit.c | 1 +
13506 1 files changed, 1 insertions(+), 0 deletions(-)
13507
13508commit 9557a8727fd46e68f092dec0830a982e85b231f7
13509Author: Brad Spengler <spender@grsecurity.net>
13510Date: Wed Oct 16 19:02:32 2013 -0400
13511
13512 add 2nd chunk of audit nlmsg_len() fix from minipli
13513
13514 kernel/audit.c | 2 +-
13515 1 files changed, 1 insertions(+), 1 deletions(-)
13516
13517commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd
13518Author: Brad Spengler <spender@grsecurity.net>
13519Date: Wed Oct 16 18:37:59 2013 -0400
13520
13521 From: Mathias Krause <minipli@googlemail.com>
13522 To: linux-audit@redhat.com
13523 Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
13524 Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
13525
13526 Using the nlmsg_len member of the netlink header to test if the message
13527 is valid is wrong as it includes the size of the netlink header itself.
13528 Thereby allowing to send short netlink messages that pass those checks.
13529
13530 Use nlmsg_len() instead to test for the right message length. The result
13531 of nlmsg_len() is guaranteed to be non-negative as the netlink message
13532 already passed the checks of nlmsg_ok().
13533
13534 Also switch to min_t() to please checkpatch.pl.
13535
13536 Cc: Al Viro <viro@zeniv.linux.org.uk>
13537 Cc: Eric Paris <eparis@redhat.com>
13538 Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
13539
13540 kernel/audit.c | 2 +-
13541 1 files changed, 1 insertions(+), 1 deletions(-)
13542
13543commit 7547b29750381c776dfd47f4b1277a492d5b0f72
13544Author: Brad Spengler <spender@grsecurity.net>
13545Date: Wed Oct 16 18:41:01 2013 -0400
13546
13547 From: Mathias Krause <minipli@googlemail.com>
13548 To: netfilter-devel@vger.kernel.org
13549 Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
13550 <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be>
13551 Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
13552
13553 The ulog messages leak heap bytes by the means of padding bytes and
13554 incompletely filled string arrays. Fix those by memset(0)'ing the
13555 whole struct before filling it.
13556
13557 Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
13558 Signed-off-by: Mathias Krause <minipli@googlemail.com>
13559
13560 Conflicts:
13561
13562 net/bridge/netfilter/ebt_ulog.c
13563
13564 net/bridge/netfilter/ebt_ulog.c | 9 +++------
13565 1 files changed, 3 insertions(+), 6 deletions(-)
13566
13567commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528
13568Author: Brad Spengler <spender@grsecurity.net>
13569Date: Wed Oct 16 18:43:01 2013 -0400
13570
13571 From: Mathias Krause <minipli@googlemail.com>
13572 To: netfilter-devel@vger.kernel.org
13573 Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
13574 <kadlec@blackhole.kfki.hu>
13575 Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
13576
13577 The ulog messages leak heap bytes by the means of padding bytes and
13578 incompletely filled string arrays. Fix those by memset(0)'ing the
13579 whole struct before filling it.
13580
13581 Cc: Pablo Neira Ayuso <pablo@netfilter.org>
13582 Cc: Patrick McHardy <kaber@trash.net>
13583 Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
13584 Signed-off-by: Mathias Krause <minipli@googlemail.com>
13585
13586 Conflicts:
13587
13588 net/ipv4/netfilter/ipt_ULOG.c
13589
13590 net/ipv4/netfilter/ipt_ULOG.c | 7 +------
13591 1 files changed, 1 insertions(+), 6 deletions(-)
13592
13593commit 2965f6e6122325a18e69296ad3817c66ca59b7e3
13594Author: Brad Spengler <spender@grsecurity.net>
13595Date: Wed Oct 16 18:49:45 2013 -0400
13596
13597 From: Mathias Krause <minipli@googlemail.com>
13598 To: "David S. Miller" <davem@davemloft.net>
13599 Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
13600 Subject: [PATCH net] unix_diag: fix info leak
13601
13602 When filling the netlink message we miss to wipe the pad field,
13603 therefore leak one byte of heap memory to userland. Fix this by
13604 setting pad to 0.
13605
13606 Signed-off-by: Mathias Krause <minipli@googlemail.com>
13607
13608 net/unix/diag.c | 1 +
13609 1 files changed, 1 insertions(+), 0 deletions(-)
13610
13611commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc
13612Author: Mathias Krause <minipli@googlemail.com>
13613Date: Mon Sep 30 22:03:06 2013 +0200
13614
13615 Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682
13616
13617 proc connector: fix info leaks
13618
13619 Initialize event_data for all possible message types to prevent leaking
13620 kernel stack contents to userland (up to 20 bytes). Also set the flags
13621 member of the connector message to 0 to prevent leaking two more stack
13622 bytes this way.
13623
13624 Cc: stable@vger.kernel.org # v2.6.15+
13625 Signed-off-by: Mathias Krause <minipli@googlemail.com>
13626 Signed-off-by: David S. Miller <davem@davemloft.net>
13627
13628 drivers/connector/cn_proc.c | 18 ++++++++++++++++++
13629 1 files changed, 18 insertions(+), 0 deletions(-)
13630
13631commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04
13632Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
13633Date: Wed Oct 9 15:58:29 2013 +0100
13634
13635 Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a
13636
13637 ARM: 7851/1: check for number of arguments in syscall_get/set_arguments()
13638
13639 In ftrace_syscall_enter(),
13640 syscall_get_arguments(..., 0, n, ...)
13641 if (i == 0) { <handle ORIG_r0> ...; n--;}
13642 memcpy(..., n * sizeof(args[0]));
13643 If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in
13644 syscall_get_arguments(), none of arguments should be copied by memcpy().
13645 Otherwise 'n--' can be a big positive number and unexpected amount of data
13646 will be copied. Tracing system calls which take no argument, say sync(void),
13647 may hit this case and eventually make the system corrupted.
13648 This patch fixes the issue both in syscall_get_arguments() and
13649 syscall_set_arguments().
13650
13651 Cc: <stable@vger.kernel.org>
13652 Acked-by: Will Deacon <will.deacon@arm.com>
13653 Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
13654 Signed-off-by: Will Deacon <will.deacon@arm.com>
13655 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
13656
13657 arch/arm/include/asm/syscall.h | 6 ++++++
13658 1 files changed, 6 insertions(+), 0 deletions(-)
13659
13660commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2
13661Author: Dave Jones <davej@redhat.com>
13662Date: Thu Oct 10 20:05:35 2013 -0400
13663
13664 Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc
13665
13666 ext4: fix memory leak in xattr
13667
13668 If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
13669 potentionally return from the function without having freed these
13670 allocations. If we don't do the return, we over-write the previous
13671 allocation pointers, so we leak either way.
13672
13673 Spotted with Coverity.
13674
13675 [ Fixed by tytso to set is and bs to NULL after freeing these
13676 pointers, in case in the retry loop we later end up triggering an
13677 error causing a jump to cleanup, at which point we could have a double
13678 free bug. -- Ted ]
13679
13680 Signed-off-by: Dave Jones <davej@fedoraproject.org>
13681 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
13682 Reviewed-by: Eric Sandeen <sandeen@redhat.com>
13683 Cc: stable@vger.kernel.org
13684
13685 fs/ext4/xattr.c | 2 ++
13686 1 files changed, 2 insertions(+), 0 deletions(-)
13687
13688commit 224e55268fbd4f81fca479e315c9483df591411d
13689Author: Salva Peiró <speiro@ai2.upv.es>
13690Date: Fri Oct 11 12:50:03 2013 +0300
13691
13692 Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194
13693
13694 farsync: fix info leak in ioctl
13695
13696 The fst_get_iface() code fails to initialize the two padding bytes of
13697 struct sync_serial_settings after the ->loopback member. Add an explicit
13698 memset(0) before filling the structure to avoid the info leak.
13699
13700 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
13701 Signed-off-by: David S. Miller <davem@davemloft.net>
13702
13703 drivers/net/wan/farsync.c | 1 +
13704 1 files changed, 1 insertions(+), 0 deletions(-)
13705
13706commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9
13707Author: James Hogan <james.hogan@imgtec.com>
13708Date: Mon Oct 7 12:14:26 2013 +0100
13709
13710 Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92
13711
13712 MIPS: stack protector: Fix per-task canary switch
13713
13714 Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
13715 per task) was merged in v3.11 and introduced assembly in the MIPS resume
13716 functions to update the value of the current canary in
13717 __stack_chk_guard. However it used PTR_L resulting in a load of the
13718 canary value, instead of PTR_LA to construct its address. The value is
13719 intended to be random but is then treated as an address in the
13720 subsequent LONG_S (store).
13721
13722 This was observed to cause a fault and panic:
13723
13724 CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
13725 Oops[#1]:
13726 ...
13727 $24 : 139fea20 1e1f7cb6
13728 ...
13729 Call Trace:
13730 [<8000cc0c>] resume+0xac/0x118
13731 [<8034f2a4>] __schedule+0x5f8/0x78c
13732 [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
13733 [<80348eec>] rest_init+0x74/0x84
13734 [<804dc990>] start_kernel+0x43c/0x454
13735 Code: 3c18804b 8f184030 8cb901f8 <af190000> 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc
13736
13737 This can also be forced by modifying
13738 arch/mips/include/asm/stackprotector.h so that the default
13739 __stack_chk_guard value is more likely to be a bad (or unaligned)
13740 pointer.
13741
13742 Fix it to use PTR_LA instead, to load the address of the canary value,
13743 which the LONG_S can then use to write into it.
13744
13745 Reported-by: bobjones (via #mipslinux on IRC)
13746 Signed-off-by: James Hogan <james.hogan@imgtec.com>
13747 Cc: Ralf Baechle <ralf@linux-mips.org>
13748 Cc: Gregory Fong <gregory.0xf0@gmail.com>
13749 Cc: linux-mips@linux-mips.org
13750 Cc: stable@vger.kernel.org
13751 Patchwork: https://patchwork.linux-mips.org/patch/6026/
13752 Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
13753
13754 arch/mips/kernel/octeon_switch.S | 2 +-
13755 arch/mips/kernel/r2300_switch.S | 2 +-
13756 arch/mips/kernel/r4k_switch.S | 2 +-
13757 3 files changed, 3 insertions(+), 3 deletions(-)
13758
13759commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c
13760Author: Fan Du <fan.du@windriver.com>
13761Date: Tue Sep 17 15:14:13 2013 +0800
13762
13763 Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda
13764
13765 xfrm: Guard IPsec anti replay window against replay bitmap
13766
13767 For legacy IPsec anti replay mechanism:
13768
13769 bitmap in struct xfrm_replay_state could only provide a 32 bits
13770 window size limit in current design, thus user level parameter
13771 sadb_sa_replay should honor this limit, otherwise misleading
13772 outputs("replay=244") by setkey -D will be:
13773
13774 192.168.25.2 192.168.22.2
13775 esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
13776 E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2
13777 A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
13778 seq=0x00000000 replay=244 flags=0x00000000 state=mature
13779 created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
13780 diff: 22(s) hard: 30(s) soft: 26(s)
13781 last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
13782 current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
13783 allocated: 22 hard: 0 soft: 0
13784 sadb_seq=1 pid=4854 refcnt=0
13785 192.168.22.2 192.168.25.2
13786 esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
13787 E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282
13788 A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
13789 seq=0x00000000 replay=244 flags=0x00000000 state=mature
13790 created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
13791 diff: 22(s) hard: 30(s) soft: 26(s)
13792 last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
13793 current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
13794 allocated: 22 hard: 0 soft: 0
13795 sadb_seq=0 pid=4854 refcnt=0
13796
13797 And also, optimizing xfrm_replay_check window checking by setting the
13798 desirable x->props.replay_window with only doing the comparison once
13799 for all when xfrm_state is first born.
13800
13801 Signed-off-by: Fan Du <fan.du@windriver.com>
13802 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
13803
13804 net/key/af_key.c | 3 ++-
13805 net/xfrm/xfrm_replay.c | 3 +--
13806 net/xfrm/xfrm_user.c | 3 ++-
13807 3 files changed, 5 insertions(+), 4 deletions(-)
13808
13809commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541
13810Author: Thomas Egerer <thomas.egerer@secunet.com>
13811Date: Thu Sep 19 13:19:19 2013 +0200
13812
13813 Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c
13814
13815 xfrm: Fix aevent generation for each received packet
13816
13817 If asynchronous events are enabled for a particular netlink socket,
13818 the notify function is called by the advance function. The notify
13819 function creates and dispatches a km_event if a replay timeout occurred,
13820 or at least replay_maxdiff packets have been received since the last
13821 asynchronous event has been sent. The function is supposed to return if
13822 neither of the two events were detected for a state, or replay_maxdiff
13823 is equal to zero.
13824 Replay_maxdiff is initialized in xfrm_state_construct to the value of
13825 the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state
13826 if the netlink attribute XFRMA_REPLAY_THRESH is set.
13827 If, however, replay_maxdiff is set to zero, then all of the three notify
13828 implementations perform a break from the switch statement instead of
13829 checking whether a timeout occurred, and -- if not -- return. As a
13830 result an asynchronous event is generated for every replay update of a
13831 state that has a zero replay_maxdiff value.
13832 This patch modifies the notify functions such that they immediately
13833 return if replay_maxdiff has the value zero, unless a timeout occurred.
13834
13835 Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
13836 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
13837
13838 net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++----------------------
13839 1 files changed, 27 insertions(+), 24 deletions(-)
13840
13841commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8
13842Author: Steffen Klassert <steffen.klassert@secunet.com>
13843Date: Tue Oct 8 10:49:45 2013 +0200
13844
13845 Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee
13846
13847 xfrm: Add refcount handling to queued policies
13848
13849 We need to ensure that policies can't go away as long as the hold timer
13850 is armed, so take a refcont when we arm the timer and drop one if we
13851 delete it.
13852
13853 Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
13854 resolution packet queue")
13855
13856 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
13857
13858 net/xfrm/xfrm_policy.c | 24 +++++++++++++++++-------
13859 1 files changed, 17 insertions(+), 7 deletions(-)
13860
13861commit b4948dc963442682534b3a039664b564c764e4f8
13862Author: Steffen Klassert <steffen.klassert@secunet.com>
13863Date: Tue Oct 8 10:49:51 2013 +0200
13864
13865 Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0
13866
13867 xfrm: check for a vaild skb in xfrm_policy_queue_process
13868
13869 We might dreference a NULL pointer if the hold_queue is empty,
13870 so add a check to avoid this.
13871
13872 Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
13873 resolution packet queue")
13874
13875 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
13876
13877 net/xfrm/xfrm_policy.c | 4 ++++
13878 1 files changed, 4 insertions(+), 0 deletions(-)
13879
13880commit fad7f264b264b0b17a307aa16162cb43c7688a30
13881Author: Marc Kleine-Budde <mkl@pengutronix.de>
13882Date: Mon Oct 7 23:19:58 2013 +0200
13883
13884 Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89
13885
13886 net: vlan: fix nlmsg size calculation in vlan_get_size()
13887
13888 This patch fixes the calculation of the nlmsg size, by adding the missing
13889 nla_total_size().
13890
13891 Cc: Patrick McHardy <kaber@trash.net>
13892 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
13893 Signed-off-by: David S. Miller <davem@davemloft.net>
13894
13895 net/8021q/vlan_netlink.c | 2 +-
13896 1 files changed, 1 insertions(+), 1 deletions(-)
13897
13898commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd
13899Author: François Cachereul <f.cachereul@alphalink.fr>
13900Date: Wed Oct 2 10:16:02 2013 +0200
13901
13902 Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c
13903
13904 l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
13905
13906 IPv4 mapped addresses cause kernel panic.
13907 The patch juste check whether the IPv6 address is an IPv4 mapped
13908 address. If so, use IPv4 API instead of IPv6.
13909
13910 [ 940.026915] general protection fault: 0000 [#1]
13911 [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
13912 [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
13913 [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
13914 [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
13915 [ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326
13916 [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286
13917 [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
13918 [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
13919 [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
13920 [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
13921 [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
13922 [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
13923 [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
13924 [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
13925 [ 940.026915] Stack:
13926 [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
13927 [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
13928 [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
13929 [ 940.026915] Call Trace:
13930 [ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
13931 [ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
13932 [ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
13933 [ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
13934 [ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
13935 [ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
13936 [ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
13937 [ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
13938 [ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
13939 [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
13940 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
13941 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
13942 [ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326
13943 [ 940.026915] RSP <ffff88000737fd28>
13944 [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
13945 [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
13946
13947 Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
13948 Signed-off-by: David S. Miller <davem@davemloft.net>
13949
13950 net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++----
13951 net/l2tp/l2tp_core.h | 3 +++
13952 2 files changed, 26 insertions(+), 4 deletions(-)
13953
13954commit 2db6fe58460d400bc8b995fa2328be03e27e55e1
13955Merge: 28f9622 e41125e
13956Author: Brad Spengler <spender@grsecurity.net>
13957Date: Tue Oct 15 10:00:52 2013 -0400
13958
13959 Merge branch 'pax-test' into grsec-test
13960
13961 Conflicts:
13962 arch/sparc/kernel/ds.c
13963 net/sysctl_net.c
13964
13965commit e41125e4742f332cd8cd8cf0c00cb189dba0e037
13966Merge: 740e5ec a145cb9
13967Author: Brad Spengler <spender@grsecurity.net>
13968Date: Tue Oct 15 09:58:29 2013 -0400
13969
13970 Merge branch 'linux-3.11.y' into pax-test
13971
13972commit 28f9622091224541efadf3ae006f0e5651c7fa45
13973Author: Brad Spengler <spender@grsecurity.net>
13974Date: Tue Oct 1 22:48:34 2013 -0400
13975
13976 Fix this strlcpy crap properly
13977
13978 arch/sparc/kernel/ds.c | 7 +++----
13979 1 files changed, 3 insertions(+), 4 deletions(-)
13980
13981commit 837193210e4125fe4e9e554b28d7bc33985f3554
13982Author: David S. Miller <davem@davemloft.net>
13983Date: Fri Sep 27 13:46:04 2013 -0700
13984
13985 Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355
13986
13987 sparc64: Fix buggy strlcpy() conversion in ldom_reboot().
13988
13989 Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using
13990 strlcpy() instead of strcpy()") added a bug to ldom_reboot in
13991 arch/sparc/kernel/ds.c
13992
13993 - strcpy(full_boot_str + strlen("boot "), boot_command);
13994 + strlcpy(full_boot_str + strlen("boot "), boot_command,
13995 + sizeof(full_boot_str + strlen("boot ")));
13996
13997 That last sizeof() expression evaluates to sizeof(size_t) which is
13998 not what was intended.
13999
14000 Also even the corrected:
14001
14002 sizeof(full_boot_str) + strlen("boot ")
14003
14004 is not right as the destination buffer length is just plain
14005 "sizeof(full_boot_str)" and that's what the final argument
14006 should be.
14007
14008 Signed-off-by: David S. Miller <davem@davemloft.net>
14009
14010 arch/sparc/kernel/ds.c | 2 +-
14011 1 files changed, 1 insertions(+), 1 deletions(-)
14012
14013commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249
14014Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
14015Date: Sun Sep 29 05:40:50 2013 +0200
14016
14017 Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae
14018
14019 ipv6: gre: correct calculation of max_headroom
14020
14021 gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header,
14022 so initialize max_headroom to zero. Otherwise the
14023
14024 if (encap_limit >= 0) {
14025 max_headroom += 8;
14026 mtu -= 8;
14027 }
14028
14029 increments an uninitialized variable before max_headroom was reset.
14030
14031 Found with coverity: 728539
14032
14033 Cc: Dmitry Kozlov <xeb@mail.ru>
14034 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
14035 Acked-by: Eric Dumazet <edumazet@google.com>
14036 Signed-off-by: David S. Miller <davem@davemloft.net>
14037
14038 Conflicts:
14039
14040 net/ipv6/ip6_gre.c
14041
14042 net/ipv6/ip6_gre.c | 4 ++--
14043 1 files changed, 2 insertions(+), 2 deletions(-)
14044
14045commit 0d68ac550952d0eaf60851497ceee68dbba24516
14046Merge: 64257ad 740e5ec
14047Author: Brad Spengler <spender@grsecurity.net>
14048Date: Tue Oct 1 18:11:52 2013 -0400
14049
14050 Merge branch 'pax-test' into grsec-test
14051
14052 Conflicts:
14053 drivers/hid/hid-core.c
14054 drivers/hid/hid-lg2ff.c
14055 drivers/hid/hid-lg3ff.c
14056 drivers/hid/hid-lg4ff.c
14057 drivers/hid/hid-lgff.c
14058 drivers/hid/hid-logitech-dj.c
14059 drivers/hid/hid-steelseries.c
14060 drivers/hid/hid-zpff.c
14061 include/linux/hid.h
14062
14063commit 740e5ec087969afd43ae0b552b4e05914437ed32
14064Merge: c38c6b0 db20388
14065Author: Brad Spengler <spender@grsecurity.net>
14066Date: Tue Oct 1 17:40:46 2013 -0400
14067
14068 Merge branch 'linux-3.11.y' into pax-test
14069
14070commit 64257ad95c51285d415f93ebdd486fae6bb9415d
14071Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
14072Date: Sat Sep 21 06:27:00 2013 +0200
14073
14074 Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47
14075
14076 ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
14077
14078 In the following scenario the socket is corked:
14079 If the first UDP packet is larger then the mtu we try to append it to the
14080 write queue via ip6_ufo_append_data. A following packet, which is smaller
14081 than the mtu would be appended to the already queued up gso-skb via
14082 plain ip6_append_data. This causes random memory corruptions.
14083
14084 In ip6_ufo_append_data we also have to be careful to not queue up the
14085 same skb multiple times. So setup the gso frame only when no first skb
14086 is available.
14087
14088 This also fixes a shortcoming where we add the current packet's length to
14089 cork->length but return early because of a packet > mtu with dontfrag set
14090 (instead of sutracting it again).
14091
14092 Found with trinity.
14093
14094 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
14095 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
14096 Reported-by: Dmitry Vyukov <dvyukov@google.com>
14097 Signed-off-by: David S. Miller <davem@davemloft.net>
14098
14099 net/ipv6/ip6_output.c | 53 ++++++++++++++++++++----------------------------
14100 1 files changed, 22 insertions(+), 31 deletions(-)
14101
14102commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6
14103Author: Dan Carpenter <dan.carpenter@oracle.com>
14104Date: Tue Sep 24 15:27:45 2013 -0700
14105
14106 Just a whitespace fix to sync with upstream as we already applied this fix
14107 via Vasiliy Kulikov in 2010. It fell through the cracks upstream
14108
14109 cciss: fix info leak in cciss_ioctl32_passthru()
14110
14111 The arg64 struct has a hole after ->buf_size which isn't cleared. Or if
14112 any of the calls to copy_from_user() fail then that would cause an
14113 information leak as well.
14114
14115 This was assigned CVE-2013-2147.
14116
14117 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
14118 Acked-by: Mike Miller <mike.miller@hp.com>
14119 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
14120 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14121
14122 Conflicts:
14123
14124 drivers/block/cciss.c
14125
14126 drivers/block/cciss.c | 1 -
14127 1 files changed, 0 insertions(+), 1 deletions(-)
14128
14129commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e
14130Author: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
14131Date: Tue Sep 24 18:29:11 2013 -0700
14132
14133 Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b
14134
14135 mm: Place preemption point in do_mlockall() loop
14136
14137 There is a loop in do_mlockall() that lacks a preemption point, which
14138 means that the following can happen on non-preemptible builds of the
14139 kernel. Dave Jones reports:
14140
14141 "My fuzz tester keeps hitting this. Every instance shows the non-irq
14142 stack came in from mlockall. I'm only seeing this on one box, but
14143 that has more ram (8gb) than my other machines, which might explain
14144 it.
14145
14146 INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0)
14147 sending NMI to all CPUs:
14148 NMI backtrace for cpu 3
14149 CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
14150 Call Trace:
14151 lru_add_drain_all+0x15/0x20
14152 SyS_mlockall+0xa5/0x1a0
14153 tracesys+0xdd/0xe2"
14154
14155 This commit addresses this problem by inserting the required preemption
14156 point.
14157
14158 Reported-by: Dave Jones <davej@redhat.com>
14159 Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
14160 Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
14161 Cc: Michel Lespinasse <walken@google.com>
14162 Cc: Andrew Morton <akpm@linux-foundation.org>
14163 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14164
14165 mm/mlock.c | 1 +
14166 1 files changed, 1 insertions(+), 0 deletions(-)
14167
14168commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9
14169Author: Brad Spengler <spender@grsecurity.net>
14170Date: Fri Sep 27 21:06:17 2013 -0400
14171
14172 Don't log attempts to create a socket with a family that the kernel doesn't
14173 support
14174 Further, if the kernel doesn't support the socket family, instead of returning
14175 -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6
14176 sockets in RBAC policy despite a kernel that doesn't support ipv6
14177 observed during a Debian userland update necessitating a policy change
14178
14179 grsecurity/gracl_ip.c | 7 +++----
14180 net/socket.c | 26 +++++++++++++++-----------
14181 2 files changed, 18 insertions(+), 15 deletions(-)
14182
14183commit 55f1e409275973513a3314fe5bfa76a4781c0db7
14184Merge: 2eac654 c38c6b0
14185Author: Brad Spengler <spender@grsecurity.net>
14186Date: Fri Sep 27 20:35:04 2013 -0400
14187
14188 Merge branch 'pax-test' into grsec-test
14189
14190 Conflicts:
14191 drivers/hid/hid-picolcd_core.c
14192
14193commit c38c6b0bbbe53bd528aeeb4a059764abc028c276
14194Merge: 115bf6a a3308b5
14195Author: Brad Spengler <spender@grsecurity.net>
14196Date: Fri Sep 27 20:34:15 2013 -0400
14197
14198 Merge branch 'linux-3.11.y' into pax-test
14199
14200 Conflicts:
14201 arch/x86/ia32/ia32_signal.c
14202 arch/x86/include/asm/checksum_32.h
14203 arch/x86/include/asm/mmu_context.h
14204 arch/x86/kernel/signal.c
14205 arch/x86/lib/csum-wrappers_64.c
14206 include/linux/compat.h
14207
14208commit 2eac65435fdffca548a56e5187840908438fc95c
14209Merge: ba0ebde 115bf6a
14210Author: Brad Spengler <spender@grsecurity.net>
14211Date: Thu Sep 26 20:00:00 2013 -0400
14212
14213 Merge branch 'pax-test' into grsec-test
14214
14215commit 115bf6af0083ea28c751d551a39cfdba1798e9dc
14216Author: Brad Spengler <spender@grsecurity.net>
14217Date: Thu Sep 26 19:59:14 2013 -0400
14218
14219 Update to pax-linux-3.11.1-test10.patch:
14220 - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine
14221 - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard
14222 - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040)
14223 - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
14224 - beefed up latent entropy extraction
14225 - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
14226 - entropy will be collected from various irq and softirq handlers
14227
14228 arch/arm/kernel/module.c | 2 ++
14229 arch/arm/kernel/vmlinux.lds.S | 2 +-
14230 block/blk-iopoll.c | 2 +-
14231 block/blk-softirq.c | 2 +-
14232 fs/binfmt_elf.c | 8 +++++---
14233 include/linux/genhd.h | 2 +-
14234 include/linux/random.h | 4 ++--
14235 kernel/hrtimer.c | 2 +-
14236 kernel/rcutiny.c | 2 +-
14237 kernel/rcutree.c | 2 +-
14238 kernel/sched/fair.c | 2 +-
14239 kernel/softirq.c | 4 ++--
14240 kernel/timer.c | 2 +-
14241 lib/percpu-refcount.c | 2 +-
14242 net/core/dev.c | 4 ++--
14243 tools/gcc/latent_entropy_plugin.c | 2 +-
14244 16 files changed, 24 insertions(+), 20 deletions(-)
14245
14246commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6
14247Author: Brad Spengler <spender@grsecurity.net>
14248Date: Sun Sep 22 18:14:07 2013 -0400
14249
14250 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
14251
14252 This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
14253
14254 net/netlink/genetlink.c | 7 -------
14255 1 files changed, 0 insertions(+), 7 deletions(-)
14256
14257commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35
14258Merge: f1e4228 90db383
14259Author: Brad Spengler <spender@grsecurity.net>
14260Date: Wed Sep 18 17:34:37 2013 -0400
14261
14262 Merge branch 'pax-test' into grsec-test
14263
14264commit 90db383fd7d650172d52229b0116ad7604c9bec1
14265Author: Brad Spengler <spender@grsecurity.net>
14266Date: Wed Sep 18 17:32:42 2013 -0400
14267
14268 Update to pax-linux-3.11.1-test9.patch:
14269 - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer
14270 - better implementation of __read_only for modules
14271 - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard
14272
14273 arch/arm/kernel/entry-common.S | 12 ++++++------
14274 arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++--
14275 arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++-
14276 arch/x86/include/asm/cache.h | 4 ----
14277 drivers/bus/arm-cci.c | 2 +-
14278 drivers/clk/socfpga/clk.c | 2 +-
14279 drivers/mmc/host/mmci.c | 4 +++-
14280 drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +-
14281 include/linux/cache.h | 4 ++++
14282 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
14283 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
14284 scripts/module-common.lds | 4 ++++
14285 12 files changed, 49 insertions(+), 19 deletions(-)
14286
14287commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810
14288Author: Brad Spengler <spender@grsecurity.net>
14289Date: Wed Sep 18 17:32:25 2013 -0400
14290
14291 Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error"
14292
14293 This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f.
14294
14295 net/sctp/protocol.c | 2 +-
14296 1 files changed, 1 insertions(+), 1 deletions(-)
14297
14298commit f1e42285e17479067b6cbcffc43916720e6dedd3
14299Merge: 456ca17 5e30989
14300Author: Brad Spengler <spender@grsecurity.net>
14301Date: Mon Sep 16 21:42:34 2013 -0400
14302
14303 Merge branch 'pax-test' into grsec-test
14304
14305commit 5e30989102e2d0df166ab6ff915b90f675f8786f
14306Author: Brad Spengler <spender@grsecurity.net>
14307Date: Mon Sep 16 21:41:44 2013 -0400
14308
14309 mark sctp_af_inet forward declaration as __read_only to fix compile error
14310
14311 net/sctp/protocol.c | 2 +-
14312 1 files changed, 1 insertions(+), 1 deletions(-)
14313
14314commit 456ca176141f10355c1569b29225c9ce4b7db18e
14315Merge: b406eac 5df8f36
14316Author: Brad Spengler <spender@grsecurity.net>
14317Date: Mon Sep 16 20:02:05 2013 -0400
14318
14319 Merge branch 'pax-test' into grsec-test
14320
14321commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6
14322Author: Brad Spengler <spender@grsecurity.net>
14323Date: Mon Sep 16 20:01:38 2013 -0400
14324
14325 Update to pax-linux-3.11.1-test7.patch:
14326 - fixed arm compile error, reported by Arnaud Ebalard
14327 - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
14328 - fixed od_ops constification, fixes cpufreq ondemand on AMD
14329 - latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
14330 - __read_only will now be enforced in modules as well
14331 - removed unneccessary __read_only from ntfs
14332
14333 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
14334 arch/x86/include/asm/cache.h | 4 ++++
14335 drivers/cpufreq/cpufreq_governor.h | 2 +-
14336 drivers/cpufreq/cpufreq_ondemand.c | 2 +-
14337 fs/ntfs/file.c | 4 ++--
14338 include/linux/init.h | 5 -----
14339 include/net/xfrm.h | 5 ++++-
14340 init/main.c | 9 +++------
14341 mm/page_alloc.c | 1 +
14342 net/ipv4/xfrm4_policy.c | 4 ++--
14343 net/ipv6/xfrm6_policy.c | 4 ++--
14344 net/xfrm/xfrm_policy.c | 11 ++---------
14345 12 files changed, 23 insertions(+), 30 deletions(-)
14346
14347commit b406eac579bb3a5faa1c9d73b8af5530f942009a
14348Author: Brad Spengler <spender@grsecurity.net>
14349Date: Mon Sep 16 12:53:22 2013 -0400
14350
14351 Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce
14352
14353 author Steffen Klassert <steffen.klassert@secunet.com> 2013-09-09 07:39:01 (GMT)
14354 committer Steffen Klassert <steffen.klassert@secunet.com> 2013-09-16 07:39:37 (GMT)
14355
14356 xfrm: Fix replay size checking on async events
14357 We pass the wrong netlink attribute to xfrm_replay_verify_len().
14358 It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
14359 we currently doing. This causes memory corruptions if the
14360 replay esn attribute has incorrect length. Fix this by passing
14361 the right attribute to xfrm_replay_verify_len().
14362
14363 Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
14364 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
14365
14366 net/xfrm/xfrm_user.c | 2 +-
14367 1 files changed, 1 insertions(+), 1 deletions(-)
14368
14369commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9
14370Merge: 84843a3 0a0ced6
14371Author: Brad Spengler <spender@grsecurity.net>
14372Date: Sun Sep 15 11:24:30 2013 -0400
14373
14374 Merge branch 'pax-test' into grsec-test
14375
14376 Conflicts:
14377 drivers/net/wireless/ath/ath10k/core.c
14378 drivers/net/wireless/ath/ath10k/htc.c
14379
14380commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d
14381Author: Brad Spengler <spender@grsecurity.net>
14382Date: Sun Sep 15 11:21:43 2013 -0400
14383
14384 Update to pax-linux-3.11.1-test6.patch:
14385 - forward port to 3.11.1
14386 - fixed some CONSTIFY fallout, reported by spender
14387 - fixed INVPCID on i386, reported by spender
14388 - simplified/consolidated the recent security_ops change
14389
14390 arch/x86/include/asm/mmu_context.h | 4 ++--
14391 arch/x86/include/asm/tlbflush.h | 6 +++---
14392 arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
14393 drivers/net/wireless/ath/ath10k/core.c | 6 +++---
14394 drivers/net/wireless/ath/ath10k/htc.c | 7 ++++---
14395 include/linux/security.h | 2 --
14396 security/security.c | 3 ---
14397 security/selinux/hooks.c | 5 +++--
14398 8 files changed, 16 insertions(+), 19 deletions(-)
14399
14400commit 84843a394cde0578be728cb5fd34da9859dcf110
14401Author: Brad Spengler <spender@grsecurity.net>
14402Date: Sun Sep 15 09:19:21 2013 -0400
14403
14404 remove unnecessary check from when protocol was signed
14405
14406 net/phonet/af_phonet.c | 2 +-
14407 1 files changed, 1 insertions(+), 1 deletions(-)
14408
14409commit cc7c916cac4c2eb0ec243690627e2b6a13234fef
14410Author: Brad Spengler <spender@grsecurity.net>
14411Date: Sun Sep 15 08:53:27 2013 -0400
14412
14413 resync with PaX
14414
14415 security/selinux/hooks.c | 4 ++--
14416 1 files changed, 2 insertions(+), 2 deletions(-)
14417
14418commit fdeadf7ba061242685e07a2504c6be99161f292c
14419Author: Brad Spengler <spender@grsecurity.net>
14420Date: Sat Sep 14 23:04:53 2013 -0400
14421
14422 Fix constification of ath10k_hif_cb struct located on stack
14423
14424 drivers/net/wireless/ath/ath10k/hif.h | 1 +
14425 drivers/net/wireless/ath/ath10k/htc.c | 2 +-
14426 2 files changed, 2 insertions(+), 1 deletions(-)
14427
14428commit 73c6875760e610cb636f86566a1be7a744d89b82
14429Author: Brad Spengler <spender@grsecurity.net>
14430Date: Sat Sep 14 22:41:06 2013 -0400
14431
14432 use a no_const typedef for ath10k_htc_ops, which is located on the stack
14433
14434 drivers/net/wireless/ath/ath10k/core.c | 6 +++---
14435 drivers/net/wireless/ath/ath10k/htc.h | 1 +
14436 2 files changed, 4 insertions(+), 3 deletions(-)
14437
14438commit bffb0279b95b717c739365a5a25ca0391e7479b1
14439Author: Brad Spengler <spender@grsecurity.net>
14440Date: Sat Sep 14 22:13:46 2013 -0400
14441
14442 fix compilation error under constify
14443
14444 drivers/net/wireless/ath/ath10k/core.c | 6 +++---
14445 1 files changed, 3 insertions(+), 3 deletions(-)
14446
14447commit 1044c726fd98de89a711c6655f811600d4051e46
14448Merge: ffc8003 e39d12a
14449Author: Brad Spengler <spender@grsecurity.net>
14450Date: Sat Sep 14 21:57:25 2013 -0400
14451
14452 Merge branch 'pax-test' into grsec-test
14453
14454commit e39d12a3b877293ba677bf7642c8887144ae1576
14455Author: Brad Spengler <spender@grsecurity.net>
14456Date: Sat Sep 14 21:56:56 2013 -0400
14457
14458 Update to pax-linux-3.11-test5.patch:
14459 - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
14460 - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin
14461
14462 mm/mremap.c | 5 ++++-
14463 tools/gcc/kernexec_plugin.c | 4 ++--
14464 2 files changed, 6 insertions(+), 3 deletions(-)
14465
14466commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b
14467Author: Brad Spengler <spender@grsecurity.net>
14468Date: Sat Sep 14 21:48:03 2013 -0400
14469
14470 fix compile error introduced by pipacs
14471
14472 security/selinux/hooks.c | 2 ++
14473 1 files changed, 2 insertions(+), 0 deletions(-)
14474
14475commit 874e80f445b1325df45f04cc317f67587e241218
14476Author: Brad Spengler <spender@grsecurity.net>
14477Date: Sat Sep 14 21:12:45 2013 -0400
14478
14479 Fix invalid dependency causing warning:
14480 warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
14481
14482 lib/Kconfig.debug | 2 +-
14483 1 files changed, 1 insertions(+), 1 deletions(-)
14484
14485commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a
14486Author: Brad Spengler <spender@grsecurity.net>
14487Date: Sat Sep 14 19:53:56 2013 -0400
14488
14489 change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs
14490
14491 arch/x86/include/asm/tlbflush.h | 6 +++---
14492 1 files changed, 3 insertions(+), 3 deletions(-)
14493
14494commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838
14495Author: Daniel Borkmann <dborkman@redhat.com>
14496Date: Sat Sep 7 16:44:59 2013 +0200
14497
14498 Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95
14499
14500 net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE
14501
14502 If we do not add braces around ...
14503
14504 mask |= POLLERR |
14505 sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
14506
14507 ... then this condition always evaluates to true as POLLERR is
14508 defined as 8 and binary or'd with whatever result comes out of
14509 sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
14510 X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix
14511 smatch warnings inside datagram_poll") forgot about SCTP. :-(
14512
14513 Introduced by 7d4c04fc170 ("net: add option to enable error queue
14514 packets waking select").
14515
14516 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
14517 Cc: Jacob Keller <jacob.e.keller@intel.com>
14518 Acked-by: Neil Horman <nhorman@tuxdriver.com>
14519 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
14520 Acked-by: Jacob Keller <jacob.e.keller@intel.com>
14521 Signed-off-by: David S. Miller <davem@davemloft.net>
14522
14523 net/sctp/socket.c | 2 +-
14524 1 files changed, 1 insertions(+), 1 deletions(-)
14525
14526commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986
14527Author: Jason Wang <jasowang@redhat.com>
14528Date: Wed Sep 11 18:09:48 2013 +0800
14529
14530 Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0
14531
14532 tuntap: correctly handle error in tun_set_iff()
14533
14534 Commit c8d68e6be1c3b242f1c598595830890b65cea64a
14535 (tuntap: multiqueue support) only call free_netdev() on error in
14536 tun_set_iff(). This causes several issues:
14537
14538 - memory of tun security were leaked
14539 - use after free since the flow gc timer was not deleted and the tfile
14540 were not detached
14541
14542 This patch solves the above issues.
14543
14544 Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
14545 Cc: Michael S. Tsirkin <mst@redhat.com>
14546 Signed-off-by: Jason Wang <jasowang@redhat.com>
14547 Acked-by: Michael S. Tsirkin <mst@redhat.com>
14548 Signed-off-by: David S. Miller <davem@davemloft.net>
14549
14550 drivers/net/tun.c | 11 ++++++++---
14551 1 files changed, 8 insertions(+), 3 deletions(-)
14552
14553commit b504140d8590bd67ed481ea84824a9846dde2d74
14554Author: Herbert Xu <herbert@gondor.apana.org.au>
14555Date: Sun Sep 8 14:33:50 2013 +1000
14556
14557 Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
14558
14559 crypto: api - Fix race condition in larval lookup
14560
14561 crypto_larval_lookup should only return a larval if it created one.
14562 Any larval created by another entity must be processed through
14563 crypto_larval_wait before being returned.
14564
14565 Otherwise this will lead to a larval being killed twice, which
14566 will most likely lead to a crash.
14567
14568 Cc: stable@vger.kernel.org
14569 Reported-by: Kees Cook <keescook@chromium.org>
14570 Tested-by: Kees Cook <keescook@chromium.org>
14571 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
14572
14573 crypto/api.c | 7 ++++++-
14574 1 files changed, 6 insertions(+), 1 deletions(-)
14575
14576commit f4212fa9ec1c34c59fabc43904e16112b776b6b2
14577Author: Daniel Borkmann <dborkman@redhat.com>
14578Date: Wed Sep 11 16:58:36 2013 +0200
14579
14580 Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7
14581
14582 net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
14583
14584 Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
14585 being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
14586 does not seem to have the desired effect:
14587
14588 SCTP + IPv4:
14589
14590 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
14591 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
14592 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
14593 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
14594
14595 SCTP + IPv6:
14596
14597 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
14598 fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
14599 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
14600
14601 Moreover, Alan says:
14602
14603 This problem was seen with both Racoon and Racoon2. Other people have seen
14604 this with OpenSwan. When IPsec is configured to encrypt all upper layer
14605 protocols the SCTP connection does not initialize. After using Wireshark to
14606 follow packets, this is because the SCTP packet leaves Box A unencrypted and
14607 Box B believes all upper layer protocols are to be encrypted so it drops
14608 this packet, causing the SCTP connection to fail to initialize. When IPsec
14609 is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
14610
14611 In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
14612 string on the other end, results in cleartext on the wire where SCTP eventually
14613 does not report any errors, thus in the latter case that Alan reports, the
14614 non-paranoid user might think he's communicating over an encrypted transport on
14615 SCTP although he's not (tcpdump ... -X):
14616
14617 ...
14618 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l....
14619 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext...
14620
14621 Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
14622 receiver side. Initial follow-up analysis from Alan's bug report was done by
14623 Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
14624
14625 SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
14626 This has the implication that it probably never really got updated along with
14627 changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
14628
14629 SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
14630 a call to inet6_csk_xmit() would solve this problem, but result in unecessary
14631 route lookups, let us just use the cached flowi6 instead that we got through
14632 sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
14633 we do the route lookup / flow caching in sctp_transport_route(), hold it in
14634 tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
14635 sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
14636 of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
14637 instead to get the correct source routed dst entry, which we assign to the skb.
14638
14639 Also source address routing example from 625034113 ("sctp: fix sctp to work with
14640 ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
14641 it is actually 'recommended' to not use that anyway due to traffic amplification [1].
14642 So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
14643 we overwrite the flow destination here, the lower IPv6 layer will be unable to
14644 put the correct destination address into IP header, as routing header is added in
14645 ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
14646 result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
14647 the wire with this patch it now looks like:
14648
14649 SCTP + IPv6:
14650
14651 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
14652 AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
14653 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
14654 AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
14655
14656 This fixes Kernel Bugzilla 24412. This security issue seems to be present since
14657 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have
14658 its fun with that. lksctp-tools IPv6 regression test suite passes as well with
14659 this patch.
14660
14661 [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
14662
14663 Reported-by: Alan Chester <alan.chester@tekelec.com>
14664 Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
14665 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
14666 Cc: Steffen Klassert <steffen.klassert@secunet.com>
14667 Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
14668 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
14669 Signed-off-by: David S. Miller <davem@davemloft.net>
14670
14671 net/sctp/ipv6.c | 42 +++++++++++++-----------------------------
14672 1 files changed, 13 insertions(+), 29 deletions(-)
14673
14674commit 726915e42b1a23b88cd420029003d82208a30006
14675Author: Kees Cook <keescook@chromium.org>
14676Date: Fri Sep 13 14:52:04 2013 -0700
14677
14678 Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7
14679
14680 isdn: clean up debug format string usage
14681
14682 Avoid unneeded local string buffers for constructing debug output. Also
14683 cleans up debug calls that contain a single parameter so that they cannot
14684 be accidentally parsed as format strings.
14685
14686 Signed-off-by: Kees Cook <keescook@chromium.org>
14687 Cc: Karsten Keil <isdn@linux-pingi.de>
14688 Cc: David Miller <davem@davemloft.net>
14689 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
14690 Signed-off-by: David S. Miller <davem@davemloft.net>
14691
14692 drivers/isdn/hisax/amd7930_fn.c | 4 +-
14693 drivers/isdn/hisax/avm_pci.c | 4 +-
14694 drivers/isdn/hisax/config.c | 2 +-
14695 drivers/isdn/hisax/diva.c | 4 +-
14696 drivers/isdn/hisax/elsa.c | 2 +-
14697 drivers/isdn/hisax/elsa_ser.c | 2 +-
14698 drivers/isdn/hisax/hfc_pci.c | 2 +-
14699 drivers/isdn/hisax/hfc_sx.c | 2 +-
14700 drivers/isdn/hisax/hscx_irq.c | 4 +-
14701 drivers/isdn/hisax/icc.c | 4 +-
14702 drivers/isdn/hisax/ipacx.c | 8 +++---
14703 drivers/isdn/hisax/isac.c | 4 +-
14704 drivers/isdn/hisax/isar.c | 6 ++--
14705 drivers/isdn/hisax/jade.c | 18 ++++----------
14706 drivers/isdn/hisax/jade_irq.c | 4 +-
14707 drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++-------------------------
14708 drivers/isdn/hisax/netjet.c | 2 +-
14709 drivers/isdn/hisax/q931.c | 6 ++--
14710 drivers/isdn/hisax/w6692.c | 8 +++---
14711 19 files changed, 57 insertions(+), 79 deletions(-)
14712
14713commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3
14714Author: Brad Spengler <spender@grsecurity.net>
14715Date: Sat Sep 14 19:16:48 2013 -0400
14716
14717 Fix a bad git merge, re-applied a previously reverted patch
14718
14719 arch/x86/include/asm/processor.h | 4 ++--
14720 arch/x86/kernel/cpu/common.c | 2 +-
14721 arch/x86/kernel/process_64.c | 2 +-
14722 arch/x86/kernel/smpboot.c | 2 +-
14723 arch/x86/xen/smp.c | 2 +-
14724 5 files changed, 6 insertions(+), 6 deletions(-)
14725
14726commit 5dea4b212b0405d6bcbea57516d77b21035d1178
14727Author: Brad Spengler <spender@grsecurity.net>
14728Date: Sat Sep 14 16:56:37 2013 -0400
14729
14730 finish porting namei.c
14731
14732 fs/namei.c | 50 +++++++++++---------------------------------------
14733 1 files changed, 11 insertions(+), 39 deletions(-)
14734
14735commit a7d5c5e2d0fd4831df19247e41c73c362809b00f
14736Author: Brad Spengler <spender@grsecurity.net>
14737Date: Sat Sep 14 16:44:08 2013 -0400
14738
14739 cred->user -> current_user()
14740
14741 fs/exec.c | 2 +-
14742 1 files changed, 1 insertions(+), 1 deletions(-)
14743
14744commit be3db5fa6532557384fb66d2d9297d77666912cf
14745Author: Brad Spengler <spender@grsecurity.net>
14746Date: Sat Sep 14 16:36:24 2013 -0400
14747
14748 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
14749
14750 grsecurity/Kconfig | 3 ++-
14751 1 files changed, 2 insertions(+), 1 deletions(-)
14752
14753commit ce9afc12137b65991bfc7cce70e28d86bbb76956
14754Author: Daniel Borkmann <dborkman@redhat.com>
14755Date: Tue Sep 3 19:29:12 2013 +0200
14756
14757 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
14758
14759 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
14760
14761 In tcp_v6_do_rcv() code, when processing pkt options, we soley work
14762 on our skb clone opt_skb that we've created earlier before entering
14763 tcp_rcv_established() on our way. However, only in condition ...
14764
14765 if (np->rxopt.bits.rxtclass)
14766 np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
14767
14768 ... we work on skb itself. As we extract every other information out
14769 of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
14770 already be released by tcp_rcv_established() earlier on. When we try
14771 to access it in ipv6_hdr(), we will dereference freed skb.
14772
14773 [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
14774 IP_PKTOPTIONS") ]
14775
14776 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
14777 Cc: Eric Dumazet <eric.dumazet@gmail.com>
14778 Acked-by: Eric Dumazet <edumazet@google.com>
14779 Acked-by: Jiri Benc <jbenc@redhat.com>
14780 Signed-off-by: David S. Miller <davem@davemloft.net>
14781 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14782
14783 net/ipv6/tcp_ipv6.c | 2 +-
14784 1 files changed, 1 insertions(+), 1 deletions(-)
14785
14786commit 84aa149aa0f178516f5784d028522d60d35696c9
14787Author: Brad Spengler <spender@grsecurity.net>
14788Date: Thu Sep 5 19:36:23 2013 -0400
14789
14790 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
14791
14792 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14793
14794 grsecurity/Kconfig | 3 ++-
14795 1 files changed, 2 insertions(+), 1 deletions(-)
14796
14797commit 1145b56059535549be226da9891b56ab2d902b2f
14798Author: Brad Spengler <spender@grsecurity.net>
14799Date: Thu Sep 5 19:17:02 2013 -0400
14800
14801 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
14802
14803 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14804
14805 grsecurity/grsec_sysctl.c | 4 +---
14806 1 files changed, 1 insertions(+), 3 deletions(-)
14807
14808commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3
14809Author: Brad Spengler <spender@grsecurity.net>
14810Date: Thu Sep 5 18:41:49 2013 -0400
14811
14812 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
14813
14814 Also eliminate reset_security_ops() as a ROP target when
14815 SECURITY_SELINUX_DISABLE is disabled as it's the only user
14816
14817 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14818
14819 grsecurity/Kconfig | 17 ++++++++++++++++-
14820 grsecurity/grsec_init.c | 3 +++
14821 grsecurity/grsec_sysctl.c | 2 +-
14822 3 files changed, 20 insertions(+), 2 deletions(-)
14823
14824commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4
14825Author: Brad Spengler <spender@grsecurity.net>
14826Date: Fri Aug 30 17:11:11 2013 -0400
14827
14828 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
14829
14830 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14831
14832 grsecurity/grsec_sysctl.c | 7 ++++---
14833 1 files changed, 4 insertions(+), 3 deletions(-)
14834
14835commit 74dc00678ec84a254617b500a2880974dac95220
14836Author: Brad Spengler <spender@grsecurity.net>
14837Date: Wed Aug 28 20:42:39 2013 -0400
14838
14839 add export of gr_handle_new_usb()
14840
14841 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14842
14843 grsecurity/grsec_usb.c | 2 ++
14844 1 files changed, 2 insertions(+), 0 deletions(-)
14845
14846commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f
14847Author: Brad Spengler <spender@grsecurity.net>
14848Date: Wed Aug 28 19:24:47 2013 -0400
14849
14850 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
14851
14852 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14853
14854 drivers/usb/core/hub.c | 5 +++++
14855 grsecurity/Kconfig | 20 ++++++++++++++++++++
14856 grsecurity/Makefile | 3 ++-
14857 grsecurity/grsec_init.c | 1 +
14858 grsecurity/grsec_sysctl.c | 11 +++++++++++
14859 grsecurity/grsec_usb.c | 13 +++++++++++++
14860 include/linux/grinternal.h | 1 +
14861 include/linux/grsecurity.h | 2 ++
14862 8 files changed, 55 insertions(+), 1 deletions(-)
14863
14864commit 889852764d245f44e416da4eb203fda0bd327584
14865Author: Kees Cook <keescook@chromium.org>
14866Date: Wed Aug 14 09:35:07 2013 -0700
14867
14868 HID: zeroplus: validate output report details
14869
14870 The zeroplus HID driver was not checking the size of allocated values
14871 in fields it used. A HID device could send a malicious output report
14872 that would cause the driver to write beyond the output report allocation
14873 during initialization, causing a heap overflow:
14874
14875 [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
14876 ...
14877 [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
14878
14879 CVE-2013-2889
14880
14881 Signed-off-by: Kees Cook <keescook@chromium.org>
14882 Cc: stable@kernel.org
14883 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14884
14885 drivers/hid/hid-zpff.c | 14 ++------------
14886 1 files changed, 2 insertions(+), 12 deletions(-)
14887
14888commit f30e932a87f25b53779d1f92b49923f8a2dc9834
14889Author: Kees Cook <keescook@chromium.org>
14890Date: Wed Aug 14 14:36:15 2013 -0700
14891
14892 HID: provide a helper for validating hid reports
14893
14894 Many drivers need to validate the characteristics of their HID report
14895 during initialization to avoid misusing the reports. This adds a common
14896 helper to perform validation of the report, its field count, and the
14897 value count within the fields.
14898
14899 Signed-off-by: Kees Cook <keescook@chromium.org>
14900 Cc: stable@kernel.org
14901 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14902
14903 drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
14904 include/linux/hid.h | 4 +++
14905 2 files changed, 54 insertions(+), 0 deletions(-)
14906
14907commit f9eac59133855befee23d0c899e0d0e6ebcd3d44
14908Author: Kees Cook <keescook@chromium.org>
14909Date: Wed Aug 14 09:14:34 2013 -0700
14910
14911 HID: steelseries: validate output report details
14912
14913 A HID device could send a malicious output report that would cause the
14914 steelseries HID driver to write beyond the output report allocation
14915 during initialization, causing a heap overflow:
14916
14917 [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
14918 ...
14919 [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
14920
14921 CVE-2013-2891
14922
14923 Signed-off-by: Kees Cook <keescook@chromium.org>
14924 Cc: stable@kernel.org
14925 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14926
14927 drivers/hid/hid-steelseries.c | 5 +++++
14928 1 files changed, 5 insertions(+), 0 deletions(-)
14929
14930commit 9f5ae466957014bc300929374ebb7afdd9d116d6
14931Author: Kees Cook <keescook@chromium.org>
14932Date: Wed Aug 14 08:49:21 2013 -0700
14933
14934 HID: pantherlord: validate output report details
14935
14936 A HID device could send a malicious output report that would cause the
14937 pantherlord HID driver to write beyond the output report allocation
14938 during initialization, causing a heap overflow:
14939
14940 [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
14941 ...
14942 [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
14943
14944 CVE-2013-2892
14945
14946 Signed-off-by: Kees Cook <keescook@chromium.org>
14947 Cc: stable@kernel.org
14948 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14949
14950 drivers/hid/hid-pl.c | 10 ++++++++--
14951 1 files changed, 8 insertions(+), 2 deletions(-)
14952
14953commit b643b8f8af23488d92f16a817bf16c162d612ce1
14954Author: Kees Cook <keescook@chromium.org>
14955Date: Tue Aug 13 16:49:01 2013 -0700
14956
14957 HID: LG: validate HID output report details
14958
14959 A HID device could send a malicious output report that would cause the
14960 lg, lg3, and lg4 HID drivers to write beyond the output report allocation
14961 during an event, causing a heap overflow:
14962
14963 [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
14964 ...
14965 [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
14966
14967 Additionally, while lg2 did correctly validate the report details, it was
14968 cleaned up and shortened.
14969
14970 CVE-2013-2893
14971
14972 Signed-off-by: Kees Cook <keescook@chromium.org>
14973 Cc: stable@kernel.org
14974 Signed-off-by: Brad Spengler <spender@grsecurity.net>
14975
14976 drivers/hid/hid-lg2ff.c | 19 +++----------------
14977 drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
14978 drivers/hid/hid-lg4ff.c | 20 +-------------------
14979 drivers/hid/hid-lgff.c | 17 ++---------------
14980 4 files changed, 12 insertions(+), 73 deletions(-)
14981
14982commit 975723a41239b1befae172e88082ff4422753508
14983Author: Kees Cook <keescook@chromium.org>
14984Date: Thu Aug 15 23:21:23 2013 -0700
14985
14986 HID: lenovo-tpkbd: validate output report details
14987
14988 A HID device could send a malicious output report that would cause the
14989 lenovo-tpkbd HID driver to write just beyond the output report allocation
14990 during initialization, causing a heap overflow:
14991
14992 [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
14993 ...
14994 [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
14995
14996 CVE-2013-2894
14997
14998 Signed-off-by: Kees Cook <keescook@chromium.org>
14999 Cc: stable@kernel.org
15000 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15001
15002 drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
15003 1 files changed, 5 insertions(+), 0 deletions(-)
15004
15005commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd
15006Author: Kees Cook <keescook@chromium.org>
15007Date: Thu Aug 15 23:45:03 2013 -0700
15008
15009 HID: logitech-dj: validate output report details
15010
15011 A HID device could send a malicious output report that would cause the
15012 logitech-dj HID driver to leak kernel memory contents to the device, or
15013 trigger a NULL dereference during initialization:
15014
15015 [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
15016 ...
15017 [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
15018 [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
15019
15020 CVE-2013-2895
15021
15022 Signed-off-by: Kees Cook <keescook@chromium.org>
15023 Cc: stable@kernel.org
15024 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15025
15026 drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
15027 1 files changed, 10 insertions(+), 2 deletions(-)
15028
15029commit 05c3db7daee82d79c628c15b304f8621159e14f3
15030Author: Kees Cook <keescook@chromium.org>
15031Date: Fri Aug 16 00:18:15 2013 -0700
15032
15033 HID: ntrig: validate feature report details
15034
15035 A HID device could send a malicious feature report that would cause the
15036 ntrig HID driver to trigger a NULL dereference during initialization:
15037
15038 [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
15039 ...
15040 [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
15041 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
15042
15043 CVE-2013-2896
15044
15045 Signed-off-by: Kees Cook <keescook@chromium.org>
15046 Cc: stable@kernel.org
15047 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15048
15049 drivers/hid/hid-ntrig.c | 3 ++-
15050 1 files changed, 2 insertions(+), 1 deletions(-)
15051
15052commit a79f25f59fdd0abaf4ecfab93017aa49de089498
15053Author: Kees Cook <keescook@chromium.org>
15054Date: Fri Aug 16 00:11:32 2013 -0700
15055
15056 HID: multitouch: validate feature report details
15057
15058 When working on report indexes, always validate that they are in bounds.
15059 Without this, a HID device could report a malicious feature report that
15060 could trick the driver into a heap overflow:
15061
15062 [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
15063 ...
15064 [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
15065
15066 CVE-2013-2897
15067
15068 Signed-off-by: Kees Cook <keescook@chromium.org>
15069 Cc: stable@kernel.org
15070 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15071
15072 drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
15073 1 files changed, 20 insertions(+), 5 deletions(-)
15074
15075commit 6fe8eb06e432f165872d3486fdce0d09de1515b3
15076Author: Kees Cook <keescook@chromium.org>
15077Date: Fri Aug 16 08:12:45 2013 -0700
15078
15079 HID: sensor-hub: validate feature report details
15080
15081 A HID device could send a malicious feature report that would cause the
15082 sensor-hub HID driver to read past the end of heap allocation, leaking
15083 kernel memory contents to the caller.
15084
15085 CVE-2013-2898
15086
15087 Signed-off-by: Kees Cook <keescook@chromium.org>
15088 Cc: stable@kernel.org
15089 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15090
15091 drivers/hid/hid-sensor-hub.c | 3 ++-
15092 1 files changed, 2 insertions(+), 1 deletions(-)
15093
15094commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf
15095Author: Kees Cook <keescook@chromium.org>
15096Date: Fri Aug 16 08:05:10 2013 -0700
15097
15098 HID: picolcd_core: validate output report details
15099
15100 A HID device could send a malicious output report that would cause the
15101 picolcd HID driver to trigger a NULL dereference during attr file writing.
15102
15103 CVE-2013-2899
15104
15105 Signed-off-by: Kees Cook <keescook@chromium.org>
15106 Cc: stable@kernel.org
15107 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15108
15109 drivers/hid/hid-picolcd_core.c | 2 +-
15110 1 files changed, 1 insertions(+), 1 deletions(-)
15111
15112commit c147e32922dd91edf1969b8a6eb333aafb4abb79
15113Author: Kees Cook <keescook@chromium.org>
15114Date: Fri Aug 16 08:09:54 2013 -0700
15115
15116 HID: check for NULL field when setting values
15117
15118 Defensively check that the field to be worked on is not NULL.
15119
15120 Signed-off-by: Kees Cook <keescook@chromium.org>
15121 Cc: stable@kernel.org
15122 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15123
15124 drivers/hid/hid-core.c | 7 ++++++-
15125 1 files changed, 6 insertions(+), 1 deletions(-)
15126
15127commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683
15128Author: Kees Cook <keescook@chromium.org>
15129Date: Wed Aug 28 18:09:18 2013 -0400
15130
15131 http://marc.info/?l=linux-input&m=137772180514608&q=raw
15132
15133 The "Report ID" field of a HID report is used to build indexes of
15134 reports. The kernel's index of these is limited to 256 entries, so any
15135 malicious device that sets a Report ID greater than 255 will trigger
15136 memory corruption on the host:
15137
15138 [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
15139 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
15140
15141 CVE-2013-2888
15142
15143 Signed-off-by: Kees Cook <keescook@chromium.org>
15144 Cc: stable@kernel.org
15145 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15146
15147 drivers/hid/hid-core.c | 10 +++++++---
15148 include/linux/hid.h | 4 +++-
15149 2 files changed, 10 insertions(+), 4 deletions(-)
15150
15151commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c
15152Author: Brad Spengler <spender@grsecurity.net>
15153Date: Mon Aug 19 22:10:04 2013 -0400
15154
15155 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
15156
15157 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15158
15159 arch/x86/kernel/smpboot.c | 3 ---
15160 1 files changed, 0 insertions(+), 3 deletions(-)
15161
15162commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac
15163Author: Brad Spengler <spender@grsecurity.net>
15164Date: Sat Aug 17 12:00:20 2013 -0400
15165
15166 make kallsyms_lookup_size_offset available to approved source files
15167
15168 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15169
15170 include/linux/kallsyms.h | 3 +++
15171 1 files changed, 3 insertions(+), 0 deletions(-)
15172
15173commit abde07f6c047c0331f511318cb49a36d49218dfc
15174Author: Brad Spengler <spender@grsecurity.net>
15175Date: Sat Aug 17 11:18:09 2013 -0400
15176
15177 allow use of kallsyms_lookup_name to approved source files
15178
15179 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15180
15181 include/linux/kallsyms.h | 1 +
15182 1 files changed, 1 insertions(+), 0 deletions(-)
15183
15184commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf
15185Author: Johannes Berg <johannes.berg@intel.com>
15186Date: Tue Aug 13 09:04:05 2013 +0200
15187
15188 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
15189
15190 genetlink: fix family dump race
15191
15192 When dumping generic netlink families, only the first dump call
15193 is locked with genl_lock(), which protects the list of families,
15194 and thus subsequent calls can access the data without locking,
15195 racing against family addition/removal. This can cause a crash.
15196 Fix it - the locking needs to be conditional because the first
15197 time around it's already locked.
15198
15199 A similar bug was reported to me on an old kernel (3.4.47) but
15200 the exact scenario that happened there is no longer possible,
15201 on those kernels the first round wasn't locked either. Looking
15202 at the current code I found the race described above, which had
15203 also existed on the old kernel.
15204
15205 Cc: stable@vger.kernel.org
15206 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
15207 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
15208 Signed-off-by: David S. Miller <davem@davemloft.net>
15209 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15210
15211 net/netlink/genetlink.c | 7 +++++++
15212 1 files changed, 7 insertions(+), 0 deletions(-)
15213
15214commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782
15215Author: Brad Spengler <spender@grsecurity.net>
15216Date: Sat Aug 17 08:58:34 2013 -0400
15217
15218 Fix two harmless compiler warnings
15219
15220 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15221
15222 arch/arm/kernel/process.c | 4 ++--
15223 fs/exec.c | 2 +-
15224 2 files changed, 3 insertions(+), 3 deletions(-)
15225
15226commit d502375416b17270008ebdf11f1c3be7837f7c50
15227Author: Brad Spengler <spender@grsecurity.net>
15228Date: Fri Aug 16 22:46:01 2013 -0400
15229
15230 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
15231
15232 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15233
15234 include/linux/kallsyms.h | 2 +-
15235 kernel/kprobes.c | 3 +++
15236 2 files changed, 4 insertions(+), 1 deletions(-)
15237
15238commit f6c363aba68cccff2815a488a7e9ed68990100d2
15239Author: Brad Spengler <spender@grsecurity.net>
15240Date: Sat Aug 10 09:41:40 2013 -0400
15241
15242 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
15243
15244 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15245
15246 arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
15247 1 files changed, 8 insertions(+), 4 deletions(-)
15248
15249commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347
15250Author: Brad Spengler <spender@grsecurity.net>
15251Date: Mon Aug 5 17:58:42 2013 -0400
15252
15253 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
15254
15255 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15256
15257 security/Kconfig | 2 +-
15258 1 files changed, 1 insertions(+), 1 deletions(-)
15259
15260commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1
15261Author: Brad Spengler <spender@grsecurity.net>
15262Date: Mon Aug 5 17:26:40 2013 -0400
15263
15264 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
15265
15266 Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
15267 user namespaces!
15268
15269 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15270
15271 kernel/fork.c | 17 -----------------
15272 kernel/user_namespace.c | 15 +++++++++++++++
15273 2 files changed, 15 insertions(+), 17 deletions(-)
15274
15275commit 5c0737b045d057152a39154746d8c8e5d59185ed
15276Author: Brad Spengler <spender@grsecurity.net>
15277Date: Mon Aug 5 16:05:41 2013 -0400
15278
15279 silence a warning on older gcc
15280
15281 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15282
15283 grsecurity/gracl.c | 2 +-
15284 1 files changed, 1 insertions(+), 1 deletions(-)
15285
15286commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8
15287Author: Brad Spengler <spender@grsecurity.net>
15288Date: Sat Aug 3 08:31:08 2013 -0400
15289
15290 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
15291
15292 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15293
15294 mm/mmap.c | 2 +-
15295 1 files changed, 1 insertions(+), 1 deletions(-)
15296
15297commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6
15298Author: Brad Spengler <spender@grsecurity.net>
15299Date: Fri Aug 2 23:54:51 2013 -0400
15300
15301 add include
15302
15303 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15304
15305 grsecurity/grsec_log.c | 1 +
15306 1 files changed, 1 insertions(+), 0 deletions(-)
15307
15308commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5
15309Author: Brad Spengler <spender@grsecurity.net>
15310Date: Fri Aug 2 23:49:13 2013 -0400
15311
15312 fix compilation
15313
15314 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15315
15316 include/linux/grinternal.h | 3 ++-
15317 1 files changed, 2 insertions(+), 1 deletions(-)
15318
15319commit d4d49138661d5cb646f0dd012178447380b79956
15320Author: Brad Spengler <spender@grsecurity.net>
15321Date: Fri Aug 2 23:34:35 2013 -0400
15322
15323 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
15324
15325 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15326
15327 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
15328 fs/exec.c | 4 ++++
15329 grsecurity/Kconfig | 21 +++++----------------
15330 grsecurity/grsec_init.c | 4 ----
15331 grsecurity/grsec_log.c | 14 ++++++++++++++
15332 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
15333 grsecurity/grsec_sysctl.c | 9 ---------
15334 include/linux/binfmts.h | 1 +
15335 include/linux/grinternal.h | 2 +-
15336 include/linux/grmsg.h | 3 ++-
15337 include/linux/grsecurity.h | 3 ++-
15338 mm/mmap.c | 7 +++++++
15339 mm/mprotect.c | 2 +-
15340 13 files changed, 88 insertions(+), 38 deletions(-)
15341
15342commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15
15343Author: Brad Spengler <spender@grsecurity.net>
15344Date: Thu Aug 1 18:52:02 2013 -0400
15345
15346 add missing #define
15347
15348 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15349
15350 grsecurity/gracl.c | 1 +
15351 1 files changed, 1 insertions(+), 0 deletions(-)
15352
15353commit 4a307f7d3ff3ab232c0b6341415088e7618c494e
15354Author: Brad Spengler <spender@grsecurity.net>
15355Date: Thu Aug 1 18:43:53 2013 -0400
15356
15357 fix compilation for !COMPAT as reported on the forums
15358
15359 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15360
15361 grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
15362 1 files changed, 97 insertions(+), 98 deletions(-)
15363
15364commit 78011eb5c2454b8afc96b98bd86ac172e589b13c
15365Author: Brad Spengler <spender@grsecurity.net>
15366Date: Wed Jul 31 17:47:20 2013 -0400
15367
15368 Revert "revert recent PaX change that causes boot failures with 32bit userland"
15369
15370 This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
15371
15372 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15373
15374 arch/x86/include/asm/processor.h | 4 ++--
15375 arch/x86/kernel/cpu/common.c | 2 +-
15376 arch/x86/kernel/process_64.c | 2 +-
15377 arch/x86/kernel/smpboot.c | 2 +-
15378 arch/x86/xen/smp.c | 2 +-
15379 5 files changed, 6 insertions(+), 6 deletions(-)
15380
15381commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad
15382Author: Brad Spengler <spender@grsecurity.net>
15383Date: Wed Jul 31 16:26:58 2013 -0400
15384
15385 compile fix for !COMPAT as mentioned on forums
15386
15387 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15388
15389 grsecurity/gracl.c | 2 ++
15390 1 files changed, 2 insertions(+), 0 deletions(-)
15391
15392commit e670dc535e4501fd12d8bf00f1e1306c44266fe7
15393Author: Brad Spengler <spender@grsecurity.net>
15394Date: Tue Jul 30 22:33:14 2013 -0400
15395
15396 perform compat conversion of rlimit infinity
15397
15398 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15399
15400 grsecurity/gracl_compat.c | 10 ++++++++--
15401 1 files changed, 8 insertions(+), 2 deletions(-)
15402
15403commit 2834fe28e69176da6ac4989c6e3dc713faafefe5
15404Author: Brad Spengler <spender@grsecurity.net>
15405Date: Tue Jul 30 22:21:40 2013 -0400
15406
15407 remove debugging
15408
15409 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15410
15411 grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
15412 1 files changed, 11 insertions(+), 33 deletions(-)
15413
15414commit 2669672647f6955f0e5154596492c73cd4fda330
15415Author: Brad Spengler <spender@grsecurity.net>
15416Date: Tue Jul 30 22:20:32 2013 -0400
15417
15418 eliminate compat_dev_t
15419
15420 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15421
15422 include/linux/gracl_compat.h | 4 ++--
15423 1 files changed, 2 insertions(+), 2 deletions(-)
15424
15425commit 75de5da79f5e03936a79ffe2c827462000001985
15426Author: Brad Spengler <spender@grsecurity.net>
15427Date: Tue Jul 30 22:13:22 2013 -0400
15428
15429 fix compat rlimit size
15430
15431 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15432
15433 grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
15434 include/linux/gracl_compat.h | 4 +-
15435 2 files changed, 49 insertions(+), 23 deletions(-)
15436
15437commit 9055a8feb8493a30d1ad0fcef25eb496630d223f
15438Author: Brad Spengler <spender@grsecurity.net>
15439Date: Tue Jul 30 21:20:18 2013 -0400
15440
15441 compile fix
15442
15443 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15444
15445 grsecurity/gracl.c | 4 ++--
15446 1 files changed, 2 insertions(+), 2 deletions(-)
15447
15448commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720
15449Author: Brad Spengler <spender@grsecurity.net>
15450Date: Tue Jul 30 21:14:29 2013 -0400
15451
15452 copy correct pointer size in new compat code
15453
15454 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15455
15456 grsecurity/gracl.c | 8 ++++----
15457 grsecurity/gracl_compat.c | 4 ++--
15458 2 files changed, 6 insertions(+), 6 deletions(-)
15459
15460commit 129b6204587740fd082e731a54d00e8a9fc35f8b
15461Author: Brad Spengler <spender@grsecurity.net>
15462Date: Tue Jul 30 19:15:50 2013 -0400
15463
15464 compile fix
15465
15466 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15467
15468 grsecurity/gracl_compat.c | 6 ++++++
15469 1 files changed, 6 insertions(+), 0 deletions(-)
15470
15471commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f
15472Author: Brad Spengler <spender@grsecurity.net>
15473Date: Tue Jul 30 19:12:46 2013 -0400
15474
15475 remove BUILD_BUG_ONs
15476
15477 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15478
15479 grsecurity/gracl_compat.c | 20 --------------------
15480 1 files changed, 0 insertions(+), 20 deletions(-)
15481
15482commit 67fc73af0876d311c0d01d3b16fa429f44af12b9
15483Author: Brad Spengler <spender@grsecurity.net>
15484Date: Tue Jul 30 00:18:36 2013 -0400
15485
15486 compile fixes
15487
15488 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15489
15490 grsecurity/gracl_compat.c | 8 ++++----
15491 include/linux/gracl_compat.h | 2 +-
15492 2 files changed, 5 insertions(+), 5 deletions(-)
15493
15494commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096
15495Author: Brad Spengler <spender@grsecurity.net>
15496Date: Tue Jul 30 00:16:42 2013 -0400
15497
15498 compile fixes
15499
15500 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15501
15502 grsecurity/gracl.c | 4 ++--
15503 grsecurity/gracl_compat.c | 2 +-
15504 2 files changed, 3 insertions(+), 3 deletions(-)
15505
15506commit 798adb5cab6c3a8056e1b415e6f34a270f369721
15507Author: Brad Spengler <spender@grsecurity.net>
15508Date: Tue Jul 30 00:13:51 2013 -0400
15509
15510 compile fixes
15511
15512 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15513
15514 grsecurity/gracl.c | 8 ++++----
15515 1 files changed, 4 insertions(+), 4 deletions(-)
15516
15517commit 4d4945ce90d83784634b898f83cb5a7699537733
15518Author: Brad Spengler <spender@grsecurity.net>
15519Date: Tue Jul 30 00:11:03 2013 -0400
15520
15521 compile fixes
15522
15523 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15524
15525 grsecurity/gracl_compat.c | 3 +++
15526 1 files changed, 3 insertions(+), 0 deletions(-)
15527
15528commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2
15529Author: Brad Spengler <spender@grsecurity.net>
15530Date: Tue Jul 30 00:08:21 2013 -0400
15531
15532 more compile fixes
15533
15534 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15535
15536 grsecurity/gracl.c | 28 ++++++++++++++--------------
15537 1 files changed, 14 insertions(+), 14 deletions(-)
15538
15539commit 6db464f72eff84f77335b69dc2748a3759e151d1
15540Author: Brad Spengler <spender@grsecurity.net>
15541Date: Mon Jul 29 23:59:50 2013 -0400
15542
15543 more compile fixes
15544
15545 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15546
15547 grsecurity/gracl.c | 10 +++++++++-
15548 1 files changed, 9 insertions(+), 1 deletions(-)
15549
15550commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7
15551Author: Brad Spengler <spender@grsecurity.net>
15552Date: Mon Jul 29 23:56:47 2013 -0400
15553
15554 additional compile fixes
15555
15556 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15557
15558 grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
15559 1 files changed, 49 insertions(+), 10 deletions(-)
15560
15561commit e78a78dcfc089142273243b54509840d3b50c538
15562Author: Brad Spengler <spender@grsecurity.net>
15563Date: Mon Jul 29 23:47:15 2013 -0400
15564
15565 fix typo
15566
15567 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15568
15569 grsecurity/gracl.c | 2 +-
15570 1 files changed, 1 insertions(+), 1 deletions(-)
15571
15572commit b27005e62bebc09e6604a6f5dc099742bb6b4434
15573Author: Brad Spengler <spender@grsecurity.net>
15574Date: Mon Jul 29 23:46:59 2013 -0400
15575
15576 compile fixes
15577
15578 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15579
15580 grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
15581 1 files changed, 39 insertions(+), 14 deletions(-)
15582
15583commit 101b84a778c254dfd7399f5bcd6264ff437f1176
15584Author: Brad Spengler <spender@grsecurity.net>
15585Date: Mon Jul 29 23:22:44 2013 -0400
15586
15587 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
15588
15589 Also removed code duplication for copying strings into the kernel
15590
15591 Work performed as part of sponsorship
15592
15593 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15594
15595 grsecurity/Makefile | 4 +
15596 grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
15597 grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
15598 include/linux/gracl_compat.h | 156 +++++++++++++++++++++
15599 4 files changed, 603 insertions(+), 142 deletions(-)
15600
15601commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e
15602Author: Brad Spengler <spender@grsecurity.net>
15603Date: Tue Jul 16 20:40:24 2013 -0400
15604
15605 allow viewing of ecryptfs version under SYSFS_RESTRICT
15606
15607 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15608
15609 fs/sysfs/dir.c | 2 +-
15610 1 files changed, 1 insertions(+), 1 deletions(-)
15611
15612commit 3e182e4da46de4c6b9a9f45d41030bef19260954
15613Author: Brad Spengler <spender@grsecurity.net>
15614Date: Sun Jul 14 11:49:17 2013 -0400
15615
15616 Update PaX fix, just return the error
15617
15618 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15619
15620 mm/madvise.c | 11 +++++------
15621 1 files changed, 5 insertions(+), 6 deletions(-)
15622
15623commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870
15624Author: Brad Spengler <spender@grsecurity.net>
15625Date: Sun Jul 14 11:36:00 2013 -0400
15626
15627 Fix madvise oops reported by Peter Keel
15628
15629 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15630
15631 mm/madvise.c | 11 ++++++-----
15632 1 files changed, 6 insertions(+), 5 deletions(-)
15633
15634commit 32537d92b8da84f38bf45eb85b6953f452064936
15635Author: Brad Spengler <spender@grsecurity.net>
15636Date: Tue Jul 9 22:04:59 2013 -0400
15637
15638 compile fixes
15639
15640 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15641
15642 fs/exec.c | 2 +-
15643 mm/mmap.c | 4 ++--
15644 2 files changed, 3 insertions(+), 3 deletions(-)
15645
15646commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70
15647Author: Brad Spengler <spender@grsecurity.net>
15648Date: Sat Sep 14 16:15:10 2013 -0400
15649
15650 Initial port of grsecurity to 3.11 using new git method
15651
15652 Documentation/kernel-parameters.txt | 4 +
15653 Makefile | 8 +-
15654 arch/alpha/include/asm/cache.h | 4 +-
15655 arch/alpha/kernel/osf_sys.c | 12 +-
15656 arch/arm/include/asm/thread_info.h | 3 +-
15657 arch/arm/kernel/ptrace.c | 9 +
15658 arch/arm/kernel/traps.c | 7 +-
15659 arch/arm/mm/fault.c | 29 +-
15660 arch/arm/mm/mmap.c | 8 +-
15661 arch/avr32/include/asm/cache.h | 4 +-
15662 arch/blackfin/include/asm/cache.h | 3 +-
15663 arch/cris/include/arch-v10/arch/cache.h | 3 +-
15664 arch/cris/include/arch-v32/arch/cache.h | 3 +-
15665 arch/frv/include/asm/cache.h | 3 +-
15666 arch/frv/mm/elf-fdpic.c | 4 +-
15667 arch/hexagon/include/asm/cache.h | 6 +-
15668 arch/ia64/include/asm/cache.h | 3 +-
15669 arch/ia64/kernel/sys_ia64.c | 2 +
15670 arch/ia64/mm/hugetlbpage.c | 2 +
15671 arch/m32r/include/asm/cache.h | 4 +-
15672 arch/m68k/include/asm/cache.h | 4 +-
15673 arch/metag/mm/hugetlbpage.c | 1 +
15674 arch/microblaze/include/asm/cache.h | 3 +-
15675 arch/mips/include/asm/cache.h | 3 +-
15676 arch/mips/include/asm/thread_info.h | 12 +-
15677 arch/mips/kernel/ptrace.c | 9 +
15678 arch/mips/mm/mmap.c | 4 +-
15679 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
15680 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
15681 arch/openrisc/include/asm/cache.h | 4 +-
15682 arch/parisc/include/asm/cache.h | 5 +-
15683 arch/parisc/kernel/sys_parisc.c | 17 +-
15684 arch/powerpc/include/asm/cache.h | 3 +-
15685 arch/powerpc/kernel/process.c | 10 +-
15686 arch/powerpc/kernel/ptrace.c | 14 +
15687 arch/powerpc/kernel/traps.c | 5 +
15688 arch/s390/include/asm/cache.h | 4 +-
15689 arch/score/include/asm/cache.h | 4 +-
15690 arch/sh/include/asm/cache.h | 3 +-
15691 arch/sh/mm/mmap.c | 6 +-
15692 arch/sparc/include/asm/cache.h | 4 +-
15693 arch/sparc/include/asm/thread_info_64.h | 9 +-
15694 arch/sparc/kernel/process_32.c | 6 +-
15695 arch/sparc/kernel/process_64.c | 4 +-
15696 arch/sparc/kernel/ptrace_64.c | 14 +
15697 arch/sparc/kernel/sys_sparc_64.c | 8 +-
15698 arch/sparc/kernel/syscalls.S | 8 +-
15699 arch/sparc/kernel/traps_32.c | 8 +-
15700 arch/sparc/kernel/traps_64.c | 28 +-
15701 arch/sparc/kernel/unaligned_64.c | 2 +-
15702 arch/sparc/mm/fault_64.c | 2 +-
15703 arch/sparc/mm/hugetlbpage.c | 3 +-
15704 arch/tile/include/asm/cache.h | 3 +-
15705 arch/tile/mm/hugetlbpage.c | 2 +
15706 arch/um/defconfig | 1 -
15707 arch/um/include/asm/cache.h | 3 +-
15708 arch/unicore32/include/asm/cache.h | 6 +-
15709 arch/x86/Kconfig | 5 +-
15710 arch/x86/ia32/ia32_aout.c | 2 +
15711 arch/x86/include/asm/thread_info.h | 8 +-
15712 arch/x86/kernel/dumpstack.c | 8 +
15713 arch/x86/kernel/entry_32.S | 2 +-
15714 arch/x86/kernel/entry_64.S | 2 +-
15715 arch/x86/kernel/ioport.c | 13 +
15716 arch/x86/kernel/ptrace.c | 14 +
15717 arch/x86/kernel/signal.c | 9 +-
15718 arch/x86/kernel/smpboot.c | 3 +
15719 arch/x86/kernel/sys_i386_32.c | 9 +-
15720 arch/x86/kernel/sys_x86_64.c | 8 +-
15721 arch/x86/kernel/verify_cpu.S | 1 +
15722 arch/x86/kernel/vm86_32.c | 1 +
15723 arch/x86/mm/fault.c | 12 +-
15724 arch/x86/mm/hugetlbpage.c | 15 +-
15725 arch/x86/mm/init.c | 66 +-
15726 arch/x86/net/bpf_jit_comp.c | 128 ++-
15727 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
15728 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
15729 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
15730 drivers/block/cciss.c | 2 +
15731 drivers/block/cpqarray.c | 1 +
15732 drivers/cdrom/cdrom.c | 2 +-
15733 drivers/char/Kconfig | 4 +-
15734 drivers/char/genrtc.c | 1 +
15735 drivers/char/mem.c | 17 +
15736 drivers/char/random.c | 12 +
15737 drivers/gpu/drm/drm_info.c | 4 +
15738 drivers/hid/hid-wiimote-debug.c | 2 +-
15739 drivers/media/radio/radio-cadet.c | 2 +-
15740 drivers/message/fusion/mptbase.c | 9 +
15741 drivers/net/bonding/bond_main.c | 2 +-
15742 drivers/net/phy/mdio-bitbang.c | 1 +
15743 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
15744 drivers/pci/proc.c | 9 +
15745 drivers/rtc/rtc-dev.c | 3 +
15746 drivers/tty/sysrq.c | 2 +-
15747 drivers/tty/vt/keyboard.c | 22 +-
15748 drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++---------
15749 drivers/xen/xenfs/xenstored.c | 5 +
15750 fs/attr.c | 1 +
15751 fs/autofs4/waitq.c | 9 +
15752 fs/binfmt_aout.c | 7 +
15753 fs/binfmt_elf.c | 8 +-
15754 fs/btrfs/ioctl.c | 6 +-
15755 fs/compat.c | 20 +-
15756 fs/coredump.c | 9 +-
15757 fs/debugfs/inode.c | 4 +
15758 fs/exec.c | 184 ++-
15759 fs/ext2/balloc.c | 4 +-
15760 fs/ext3/balloc.c | 4 +-
15761 fs/fcntl.c | 5 +
15762 fs/file.c | 4 +
15763 fs/filesystems.c | 4 +
15764 fs/fs_struct.c | 13 +-
15765 fs/hugetlbfs/inode.c | 5 +-
15766 fs/namei.c | 256 +++-
15767 fs/namespace.c | 16 +
15768 fs/open.c | 38 +
15769 fs/proc/Kconfig | 10 +-
15770 fs/proc/array.c | 59 +-
15771 fs/proc/base.c | 166 ++-
15772 fs/proc/cmdline.c | 4 +
15773 fs/proc/devices.c | 4 +
15774 fs/proc/fd.c | 17 +-
15775 fs/proc/inode.c | 4 +
15776 fs/proc/kcore.c | 3 +
15777 fs/proc/proc_net.c | 12 +
15778 fs/proc/proc_sysctl.c | 43 +-
15779 fs/proc/root.c | 8 +
15780 fs/proc/task_mmu.c | 75 +-
15781 fs/readdir.c | 19 +
15782 fs/select.c | 2 +
15783 fs/seq_file.c | 12 +-
15784 fs/stat.c | 19 +-
15785 fs/sysfs/dir.c | 12 +
15786 fs/utimes.c | 7 +
15787 fs/xattr.c | 19 +-
15788 include/linux/capability.h | 5 +
15789 include/linux/cred.h | 3 +
15790 include/linux/fs.h | 10 +
15791 include/linux/fsnotify.h | 6 +
15792 include/linux/kallsyms.h | 14 +-
15793 include/linux/kmod.h | 2 +
15794 include/linux/mm.h | 1 +
15795 include/linux/perf_event.h | 13 +-
15796 include/linux/printk.h | 3 +-
15797 include/linux/sched.h | 24 +-
15798 include/linux/security.h | 1 +
15799 include/linux/seq_file.h | 3 +
15800 include/linux/shm.h | 4 +
15801 include/linux/skbuff.h | 3 +
15802 include/linux/slab.h | 9 -
15803 include/linux/sysctl.h | 2 +
15804 include/linux/thread_info.h | 2 +
15805 include/linux/uidgid.h | 5 +
15806 include/linux/vermagic.h | 9 +-
15807 include/uapi/linux/personality.h | 1 +
15808 init/Kconfig | 3 +-
15809 init/main.c | 14 +
15810 ipc/mqueue.c | 1 +
15811 ipc/shm.c | 28 +
15812 kernel/capability.c | 39 +-
15813 kernel/cgroup.c | 2 +-
15814 kernel/compat.c | 1 +
15815 kernel/configs.c | 11 +
15816 kernel/cred.c | 110 ++-
15817 kernel/events/core.c | 14 +-
15818 kernel/exit.c | 10 +-
15819 kernel/fork.c | 41 +-
15820 kernel/futex.c | 1 +
15821 kernel/kallsyms.c | 9 +
15822 kernel/kcmp.c | 4 +
15823 kernel/kmod.c | 64 +-
15824 kernel/kprobes.c | 4 +-
15825 kernel/ksysfs.c | 2 +
15826 kernel/lockdep_proc.c | 10 +-
15827 kernel/module.c | 81 +-
15828 kernel/panic.c | 2 +-
15829 kernel/pid.c | 19 +-
15830 kernel/posix-timers.c | 7 +
15831 kernel/printk/printk.c | 5 +
15832 kernel/ptrace.c | 20 +-
15833 kernel/resource.c | 10 +
15834 kernel/sched/core.c | 6 +-
15835 kernel/signal.c | 37 +-
15836 kernel/sys.c | 45 +-
15837 kernel/sysctl.c | 69 +-
15838 kernel/taskstats.c | 6 +
15839 kernel/time.c | 5 +
15840 kernel/time/timekeeping.c | 1 +
15841 kernel/time/timer_list.c | 12 +
15842 kernel/time/timer_stats.c | 10 +-
15843 lib/Kconfig.debug | 5 +-
15844 lib/is_single_threaded.c | 3 +
15845 mm/Kconfig | 4 +-
15846 mm/filemap.c | 1 +
15847 mm/kmemleak.c | 4 +-
15848 mm/mempolicy.c | 12 +-
15849 mm/migrate.c | 3 +-
15850 mm/mlock.c | 3 +
15851 mm/mmap.c | 63 +-
15852 mm/mprotect.c | 8 +
15853 mm/process_vm_access.c | 6 +
15854 mm/slab.c | 2 +-
15855 mm/slub.c | 14 +-
15856 mm/vmalloc.c | 4 +
15857 mm/vmstat.c | 18 +-
15858 net/core/dev_ioctl.c | 4 +
15859 net/core/sock_diag.c | 7 +
15860 net/ipv4/inet_hashtables.c | 5 +
15861 net/ipv4/ip_sockglue.c | 3 +-
15862 net/ipv4/tcp_input.c | 4 +-
15863 net/ipv4/tcp_ipv4.c | 24 +-
15864 net/ipv4/tcp_minisocks.c | 9 +-
15865 net/ipv4/tcp_timer.c | 11 +
15866 net/ipv4/udp.c | 24 +
15867 net/ipv6/tcp_ipv6.c | 23 +-
15868 net/ipv6/udp.c | 4 +
15869 net/netfilter/Kconfig | 10 +
15870 net/netfilter/Makefile | 1 +
15871 net/netfilter/nf_conntrack_core.c | 8 +
15872 net/netrom/af_netrom.c | 1 -
15873 net/phonet/af_phonet.c | 2 +-
15874 net/sctp/proc.c | 3 +-
15875 net/socket.c | 66 +-
15876 net/sysctl_net.c | 2 +-
15877 net/unix/af_unix.c | 31 +-
15878 security/Kconfig | 341 +++-
15879 security/apparmor/Kconfig | 9 +
15880 security/apparmor/apparmorfs.c | 231 +++
15881 security/commoncap.c | 29 +
15882 security/min_addr.c | 2 +
15883 security/security.c | 2 -
15884 security/selinux/hooks.c | 2 -
15885 security/tomoyo/mount.c | 4 +
15886 security/yama/Kconfig | 2 +-
15887 235 files changed, 4384 insertions(+), 1312 deletions(-)
15888
15889commit a76b033c58b4886552911442f1b89e0cee041dae
15890Author: Brad Spengler <spender@grsecurity.net>
15891Date: Tue Jul 9 20:57:40 2013 -0400
15892
15893 Commit merge of new files and rejected patches
15894
15895 Signed-off-by: Brad Spengler <spender@grsecurity.net>
15896
15897 arch/arm/include/asm/thread_info.h | 6 +-
15898 arch/arm/kernel/process.c | 4 +-
15899 arch/powerpc/include/asm/thread_info.h | 7 +-
15900 arch/powerpc/mm/slice.c | 2 +-
15901 arch/sparc/kernel/process_64.c | 4 +-
15902 arch/x86/kernel/vm86_32.c | 15 +
15903 fs/coredump.c | 1 +
15904 fs/ext4/balloc.c | 4 +-
15905 fs/namei.c | 7 +
15906 fs/namespace.c | 8 +
15907 fs/pipe.c | 2 +-
15908 fs/proc/inode.c | 13 +
15909 fs/proc/internal.h | 3 +
15910 grsecurity/Kconfig | 1054 +++++++++
15911 grsecurity/Makefile | 38 +
15912 grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
15913 grsecurity/gracl_alloc.c | 105 +
15914 grsecurity/gracl_cap.c | 110 +
15915 grsecurity/gracl_fs.c | 431 ++++
15916 grsecurity/gracl_ip.c | 387 +++
15917 grsecurity/gracl_learn.c | 207 ++
15918 grsecurity/gracl_res.c | 68 +
15919 grsecurity/gracl_segv.c | 305 +++
15920 grsecurity/gracl_shm.c | 40 +
15921 grsecurity/grsec_chdir.c | 19 +
15922 grsecurity/grsec_chroot.c | 370 +++
15923 grsecurity/grsec_disabled.c | 434 ++++
15924 grsecurity/grsec_exec.c | 187 ++
15925 grsecurity/grsec_fifo.c | 24 +
15926 grsecurity/grsec_fork.c | 23 +
15927 grsecurity/grsec_init.c | 283 +++
15928 grsecurity/grsec_link.c | 58 +
15929 grsecurity/grsec_log.c | 326 +++
15930 grsecurity/grsec_mem.c | 40 +
15931 grsecurity/grsec_mount.c | 62 +
15932 grsecurity/grsec_pax.c | 36 +
15933 grsecurity/grsec_ptrace.c | 30 +
15934 grsecurity/grsec_sig.c | 246 ++
15935 grsecurity/grsec_sock.c | 244 ++
15936 grsecurity/grsec_sysctl.c | 469 ++++
15937 grsecurity/grsec_time.c | 16 +
15938 grsecurity/grsec_tpe.c | 73 +
15939 grsecurity/grsum.c | 61 +
15940 include/linux/gracl.h | 319 +++
15941 include/linux/gralloc.h | 9 +
15942 include/linux/grdefs.h | 140 ++
15943 include/linux/grinternal.h | 227 ++
15944 include/linux/grmsg.h | 112 +
15945 include/linux/grsecurity.h | 241 ++
15946 include/linux/grsock.h | 19 +
15947 include/linux/netfilter/xt_gradm.h | 9 +
15948 include/linux/proc_fs.h | 13 +
15949 include/linux/sched.h | 48 +-
15950 include/trace/events/fs.h | 53 +
15951 kernel/kmod.c | 7 +-
15952 kernel/panic.c | 2 +-
15953 kernel/posix-timers.c | 1 +
15954 kernel/time/timekeeping.c | 2 +
15955 lib/Kconfig.debug | 2 +-
15956 lib/vsprintf.c | 31 +
15957 localversion-grsec | 1 +
15958 mm/mmap.c | 13 +-
15959 mm/shmem.c | 2 +-
15960 net/core/net-procfs.c | 5 +
15961 net/ipv6/udp.c | 3 +
15962 net/netfilter/xt_gradm.c | 51 +
15963 66 files changed, 11184 insertions(+), 21 deletions(-)
15964
15965commit d1cf217118e0750f54aca9136d8c6a41f0ae439c
15966Author: Brad Spengler <spender@grsecurity.net>
15967Date: Sat Sep 14 14:36:40 2013 -0400
15968
15969 Initial import of pax-linux-3.11-test4.patch
15970
15971 Documentation/dontdiff | 46 +-
15972 Documentation/kernel-parameters.txt | 23 +
15973 Makefile | 100 +-
15974 arch/alpha/include/asm/atomic.h | 10 +
15975 arch/alpha/include/asm/elf.h | 7 +
15976 arch/alpha/include/asm/pgalloc.h | 6 +
15977 arch/alpha/include/asm/pgtable.h | 11 +
15978 arch/alpha/kernel/module.c | 2 +-
15979 arch/alpha/kernel/osf_sys.c | 8 +-
15980 arch/alpha/mm/fault.c | 141 +-
15981 arch/arm/Kconfig | 2 +-
15982 arch/arm/include/asm/atomic.h | 444 ++-
15983 arch/arm/include/asm/cache.h | 5 +-
15984 arch/arm/include/asm/cacheflush.h | 2 +-
15985 arch/arm/include/asm/checksum.h | 14 +-
15986 arch/arm/include/asm/cmpxchg.h | 2 +
15987 arch/arm/include/asm/domain.h | 33 +-
15988 arch/arm/include/asm/elf.h | 13 +-
15989 arch/arm/include/asm/fncpy.h | 2 +
15990 arch/arm/include/asm/futex.h | 10 +
15991 arch/arm/include/asm/kmap_types.h | 2 +-
15992 arch/arm/include/asm/mach/dma.h | 2 +-
15993 arch/arm/include/asm/mach/map.h | 7 +-
15994 arch/arm/include/asm/outercache.h | 2 +-
15995 arch/arm/include/asm/page.h | 2 +-
15996 arch/arm/include/asm/pgalloc.h | 22 +-
15997 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
15998 arch/arm/include/asm/pgtable-2level.h | 3 +
15999 arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
16000 arch/arm/include/asm/pgtable-3level.h | 2 +
16001 arch/arm/include/asm/pgtable.h | 54 +-
16002 arch/arm/include/asm/proc-fns.h | 2 +-
16003 arch/arm/include/asm/psci.h | 2 +-
16004 arch/arm/include/asm/smp.h | 2 +-
16005 arch/arm/include/asm/thread_info.h | 6 +-
16006 arch/arm/include/asm/uaccess.h | 95 +-
16007 arch/arm/include/uapi/asm/ptrace.h | 2 +-
16008 arch/arm/kernel/armksyms.c | 8 +-
16009 arch/arm/kernel/entry-armv.S | 110 +-
16010 arch/arm/kernel/entry-common.S | 40 +-
16011 arch/arm/kernel/entry-header.S | 60 +
16012 arch/arm/kernel/fiq.c | 3 +
16013 arch/arm/kernel/head.S | 6 +-
16014 arch/arm/kernel/module.c | 29 +-
16015 arch/arm/kernel/patch.c | 2 +
16016 arch/arm/kernel/process.c | 42 +-
16017 arch/arm/kernel/psci.c | 2 +-
16018 arch/arm/kernel/setup.c | 22 +-
16019 arch/arm/kernel/signal.c | 35 +-
16020 arch/arm/kernel/smp.c | 2 +-
16021 arch/arm/kernel/traps.c | 8 +-
16022 arch/arm/kernel/vmlinux.lds.S | 22 +-
16023 arch/arm/kvm/arm.c | 8 +-
16024 arch/arm/lib/clear_user.S | 6 +-
16025 arch/arm/lib/copy_from_user.S | 6 +-
16026 arch/arm/lib/copy_page.S | 1 +
16027 arch/arm/lib/copy_to_user.S | 6 +-
16028 arch/arm/lib/csumpartialcopyuser.S | 4 +-
16029 arch/arm/lib/delay.c | 2 +-
16030 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
16031 arch/arm/mach-kirkwood/common.c | 19 +-
16032 arch/arm/mach-omap2/board-n8x0.c | 2 +-
16033 arch/arm/mach-omap2/gpmc.c | 22 +-
16034 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
16035 arch/arm/mach-omap2/omap_device.c | 4 +-
16036 arch/arm/mach-omap2/omap_device.h | 4 +-
16037 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
16038 arch/arm/mach-omap2/wd_timer.c | 6 +-
16039 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
16040 arch/arm/mach-ux500/setup.h | 7 -
16041 arch/arm/mm/Kconfig | 6 +-
16042 arch/arm/mm/alignment.c | 8 +
16043 arch/arm/mm/context.c | 10 +-
16044 arch/arm/mm/fault.c | 104 +
16045 arch/arm/mm/fault.h | 12 +
16046 arch/arm/mm/init.c | 41 +
16047 arch/arm/mm/ioremap.c | 4 +-
16048 arch/arm/mm/mmap.c | 30 +-
16049 arch/arm/mm/mmu.c | 185 +-
16050 arch/arm/plat-omap/sram.c | 2 +
16051 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
16052 arch/avr32/include/asm/elf.h | 8 +-
16053 arch/avr32/include/asm/kmap_types.h | 4 +-
16054 arch/avr32/mm/fault.c | 27 +
16055 arch/frv/include/asm/atomic.h | 10 +
16056 arch/frv/include/asm/kmap_types.h | 2 +-
16057 arch/frv/mm/elf-fdpic.c | 3 +-
16058 arch/ia64/include/asm/atomic.h | 10 +
16059 arch/ia64/include/asm/elf.h | 7 +
16060 arch/ia64/include/asm/pgalloc.h | 12 +
16061 arch/ia64/include/asm/pgtable.h | 13 +-
16062 arch/ia64/include/asm/spinlock.h | 2 +-
16063 arch/ia64/include/asm/uaccess.h | 26 +-
16064 arch/ia64/kernel/module.c | 48 +-
16065 arch/ia64/kernel/palinfo.c | 2 +-
16066 arch/ia64/kernel/sys_ia64.c | 7 +
16067 arch/ia64/kernel/vmlinux.lds.S | 2 +-
16068 arch/ia64/mm/fault.c | 32 +-
16069 arch/ia64/mm/init.c | 13 +
16070 arch/m32r/lib/usercopy.c | 6 +
16071 arch/mips/include/asm/atomic.h | 728 +++-
16072 arch/mips/include/asm/elf.h | 11 +-
16073 arch/mips/include/asm/exec.h | 2 +-
16074 arch/mips/include/asm/local.h | 57 +
16075 arch/mips/include/asm/page.h | 2 +-
16076 arch/mips/include/asm/pgalloc.h | 5 +
16077 arch/mips/include/asm/smtc_proc.h | 2 +-
16078 arch/mips/kernel/binfmt_elfn32.c | 7 +
16079 arch/mips/kernel/binfmt_elfo32.c | 7 +
16080 arch/mips/kernel/irq.c | 6 +-
16081 arch/mips/kernel/process.c | 12 -
16082 arch/mips/kernel/smtc-proc.c | 6 +-
16083 arch/mips/kernel/smtc.c | 2 +-
16084 arch/mips/kernel/sync-r4k.c | 24 +-
16085 arch/mips/kernel/traps.c | 13 +-
16086 arch/mips/mm/fault.c | 25 +
16087 arch/mips/mm/mmap.c | 51 +-
16088 arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
16089 arch/parisc/include/asm/atomic.h | 10 +
16090 arch/parisc/include/asm/elf.h | 7 +
16091 arch/parisc/include/asm/pgalloc.h | 6 +
16092 arch/parisc/include/asm/pgtable.h | 11 +
16093 arch/parisc/include/asm/uaccess.h | 4 +-
16094 arch/parisc/kernel/module.c | 50 +-
16095 arch/parisc/kernel/sys_parisc.c | 9 +-
16096 arch/parisc/kernel/traps.c | 4 +-
16097 arch/parisc/mm/fault.c | 140 +-
16098 arch/powerpc/include/asm/atomic.h | 10 +
16099 arch/powerpc/include/asm/elf.h | 19 +-
16100 arch/powerpc/include/asm/exec.h | 2 +-
16101 arch/powerpc/include/asm/kmap_types.h | 2 +-
16102 arch/powerpc/include/asm/mman.h | 2 +-
16103 arch/powerpc/include/asm/page.h | 8 +-
16104 arch/powerpc/include/asm/page_64.h | 7 +-
16105 arch/powerpc/include/asm/pgalloc-64.h | 7 +
16106 arch/powerpc/include/asm/pgtable.h | 1 +
16107 arch/powerpc/include/asm/pte-hash32.h | 1 +
16108 arch/powerpc/include/asm/reg.h | 1 +
16109 arch/powerpc/include/asm/smp.h | 2 +-
16110 arch/powerpc/include/asm/uaccess.h | 140 +-
16111 arch/powerpc/kernel/exceptions-64e.S | 4 +-
16112 arch/powerpc/kernel/exceptions-64s.S | 2 +-
16113 arch/powerpc/kernel/module_32.c | 13 +-
16114 arch/powerpc/kernel/process.c | 55 -
16115 arch/powerpc/kernel/signal_32.c | 2 +-
16116 arch/powerpc/kernel/signal_64.c | 2 +-
16117 arch/powerpc/kernel/vdso.c | 5 +-
16118 arch/powerpc/lib/usercopy_64.c | 18 -
16119 arch/powerpc/mm/fault.c | 54 +-
16120 arch/powerpc/mm/mmap.c | 16 +
16121 arch/powerpc/mm/slice.c | 13 +-
16122 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
16123 arch/s390/include/asm/atomic.h | 10 +
16124 arch/s390/include/asm/elf.h | 13 +-
16125 arch/s390/include/asm/exec.h | 2 +-
16126 arch/s390/include/asm/uaccess.h | 15 +-
16127 arch/s390/kernel/module.c | 22 +-
16128 arch/s390/kernel/process.c | 36 -
16129 arch/s390/mm/mmap.c | 24 +
16130 arch/score/include/asm/exec.h | 2 +-
16131 arch/score/kernel/process.c | 5 -
16132 arch/sh/mm/mmap.c | 22 +-
16133 arch/sparc/include/asm/atomic_64.h | 106 +-
16134 arch/sparc/include/asm/cache.h | 2 +-
16135 arch/sparc/include/asm/elf_32.h | 7 +
16136 arch/sparc/include/asm/elf_64.h | 7 +
16137 arch/sparc/include/asm/pgalloc_32.h | 1 +
16138 arch/sparc/include/asm/pgalloc_64.h | 1 +
16139 arch/sparc/include/asm/pgtable_32.h | 15 +-
16140 arch/sparc/include/asm/pgtsrmmu.h | 5 +
16141 arch/sparc/include/asm/spinlock_64.h | 35 +-
16142 arch/sparc/include/asm/thread_info_32.h | 2 +
16143 arch/sparc/include/asm/thread_info_64.h | 2 +
16144 arch/sparc/include/asm/uaccess.h | 1 +
16145 arch/sparc/include/asm/uaccess_32.h | 27 +-
16146 arch/sparc/include/asm/uaccess_64.h | 19 +-
16147 arch/sparc/kernel/Makefile | 2 +-
16148 arch/sparc/kernel/prom_common.c | 2 +-
16149 arch/sparc/kernel/smp_64.c | 12 +-
16150 arch/sparc/kernel/sys_sparc_32.c | 2 +-
16151 arch/sparc/kernel/sys_sparc_64.c | 52 +-
16152 arch/sparc/kernel/traps_64.c | 27 +-
16153 arch/sparc/lib/Makefile | 2 +-
16154 arch/sparc/lib/atomic_64.S | 136 +-
16155 arch/sparc/lib/ksyms.c | 6 +
16156 arch/sparc/mm/Makefile | 2 +-
16157 arch/sparc/mm/fault_32.c | 292 +
16158 arch/sparc/mm/fault_64.c | 486 ++
16159 arch/sparc/mm/hugetlbpage.c | 21 +-
16160 arch/sparc/mm/init_64.c | 10 +-
16161 arch/tile/include/asm/atomic_64.h | 10 +
16162 arch/tile/include/asm/uaccess.h | 4 +-
16163 arch/um/Makefile | 4 +
16164 arch/um/include/asm/kmap_types.h | 2 +-
16165 arch/um/include/asm/page.h | 3 +
16166 arch/um/include/asm/pgtable-3level.h | 1 +
16167 arch/um/kernel/process.c | 16 -
16168 arch/x86/Kconfig | 10 +-
16169 arch/x86/Kconfig.cpu | 6 +-
16170 arch/x86/Kconfig.debug | 4 +-
16171 arch/x86/Makefile | 10 +
16172 arch/x86/boot/Makefile | 3 +
16173 arch/x86/boot/bitops.h | 4 +-
16174 arch/x86/boot/boot.h | 4 +-
16175 arch/x86/boot/compressed/Makefile | 3 +
16176 arch/x86/boot/compressed/eboot.c | 2 -
16177 arch/x86/boot/compressed/efi_stub_32.S | 16 +-
16178 arch/x86/boot/compressed/head_32.S | 7 +-
16179 arch/x86/boot/compressed/head_64.S | 8 +-
16180 arch/x86/boot/compressed/misc.c | 4 +-
16181 arch/x86/boot/cpucheck.c | 28 +-
16182 arch/x86/boot/header.S | 6 +-
16183 arch/x86/boot/memory.c | 2 +-
16184 arch/x86/boot/video-vesa.c | 1 +
16185 arch/x86/boot/video.c | 2 +-
16186 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
16187 arch/x86/crypto/aesni-intel_asm.S | 22 +
16188 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
16189 arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
16190 arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
16191 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
16192 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
16193 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
16194 arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
16195 arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
16196 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
16197 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
16198 arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
16199 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
16200 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
16201 arch/x86/crypto/sha256-avx-asm.S | 2 +
16202 arch/x86/crypto/sha256-avx2-asm.S | 2 +
16203 arch/x86/crypto/sha256-ssse3-asm.S | 2 +
16204 arch/x86/crypto/sha512-avx-asm.S | 2 +
16205 arch/x86/crypto/sha512-avx2-asm.S | 2 +
16206 arch/x86/crypto/sha512-ssse3-asm.S | 2 +
16207 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
16208 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
16209 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
16210 arch/x86/ia32/ia32_signal.c | 16 +-
16211 arch/x86/ia32/ia32entry.S | 157 +-
16212 arch/x86/ia32/sys_ia32.c | 4 +-
16213 arch/x86/include/asm/alternative-asm.h | 39 +
16214 arch/x86/include/asm/alternative.h | 4 +-
16215 arch/x86/include/asm/apic.h | 2 +-
16216 arch/x86/include/asm/apm.h | 4 +-
16217 arch/x86/include/asm/atomic.h | 307 +-
16218 arch/x86/include/asm/atomic64_32.h | 100 +
16219 arch/x86/include/asm/atomic64_64.h | 202 +-
16220 arch/x86/include/asm/bitops.h | 4 +-
16221 arch/x86/include/asm/boot.h | 7 +-
16222 arch/x86/include/asm/cache.h | 5 +-
16223 arch/x86/include/asm/cacheflush.h | 2 +-
16224 arch/x86/include/asm/checksum_32.h | 12 +-
16225 arch/x86/include/asm/cmpxchg.h | 35 +
16226 arch/x86/include/asm/compat.h | 2 +-
16227 arch/x86/include/asm/cpufeature.h | 16 +-
16228 arch/x86/include/asm/desc.h | 74 +-
16229 arch/x86/include/asm/desc_defs.h | 6 +
16230 arch/x86/include/asm/div64.h | 2 +-
16231 arch/x86/include/asm/elf.h | 31 +-
16232 arch/x86/include/asm/emergency-restart.h | 2 +-
16233 arch/x86/include/asm/fpu-internal.h | 8 +-
16234 arch/x86/include/asm/futex.h | 20 +-
16235 arch/x86/include/asm/hw_irq.h | 4 +-
16236 arch/x86/include/asm/i8259.h | 2 +-
16237 arch/x86/include/asm/io.h | 21 +-
16238 arch/x86/include/asm/irqflags.h | 5 +
16239 arch/x86/include/asm/kprobes.h | 9 +-
16240 arch/x86/include/asm/local.h | 142 +-
16241 arch/x86/include/asm/mman.h | 15 +
16242 arch/x86/include/asm/mmu.h | 16 +-
16243 arch/x86/include/asm/mmu_context.h | 128 +-
16244 arch/x86/include/asm/module.h | 17 +-
16245 arch/x86/include/asm/nmi.h | 6 +-
16246 arch/x86/include/asm/page.h | 1 +
16247 arch/x86/include/asm/page_64.h | 4 +-
16248 arch/x86/include/asm/paravirt.h | 46 +-
16249 arch/x86/include/asm/paravirt_types.h | 17 +-
16250 arch/x86/include/asm/pgalloc.h | 23 +
16251 arch/x86/include/asm/pgtable-2level.h | 2 +
16252 arch/x86/include/asm/pgtable-3level.h | 4 +
16253 arch/x86/include/asm/pgtable.h | 124 +-
16254 arch/x86/include/asm/pgtable_32.h | 14 +-
16255 arch/x86/include/asm/pgtable_32_types.h | 15 +-
16256 arch/x86/include/asm/pgtable_64.h | 19 +-
16257 arch/x86/include/asm/pgtable_64_types.h | 5 +
16258 arch/x86/include/asm/pgtable_types.h | 36 +-
16259 arch/x86/include/asm/processor.h | 82 +-
16260 arch/x86/include/asm/ptrace.h | 26 +-
16261 arch/x86/include/asm/realmode.h | 4 +-
16262 arch/x86/include/asm/reboot.h | 10 +-
16263 arch/x86/include/asm/rwsem.h | 60 +-
16264 arch/x86/include/asm/segment.h | 29 +-
16265 arch/x86/include/asm/smap.h | 64 +-
16266 arch/x86/include/asm/smp.h | 14 +-
16267 arch/x86/include/asm/spinlock.h | 36 +-
16268 arch/x86/include/asm/stackprotector.h | 4 +-
16269 arch/x86/include/asm/stacktrace.h | 32 +-
16270 arch/x86/include/asm/switch_to.h | 4 +-
16271 arch/x86/include/asm/thread_info.h | 83 +-
16272 arch/x86/include/asm/tlbflush.h | 74 +-
16273 arch/x86/include/asm/uaccess.h | 112 +-
16274 arch/x86/include/asm/uaccess_32.h | 106 +-
16275 arch/x86/include/asm/uaccess_64.h | 232 +-
16276 arch/x86/include/asm/word-at-a-time.h | 2 +-
16277 arch/x86/include/asm/x86_init.h | 10 +-
16278 arch/x86/include/asm/xsave.h | 14 +-
16279 arch/x86/include/uapi/asm/e820.h | 2 +-
16280 arch/x86/kernel/Makefile | 2 +-
16281 arch/x86/kernel/acpi/boot.c | 4 +-
16282 arch/x86/kernel/acpi/sleep.c | 4 +
16283 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
16284 arch/x86/kernel/alternative.c | 65 +-
16285 arch/x86/kernel/apic/apic.c | 4 +-
16286 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
16287 arch/x86/kernel/apic/apic_noop.c | 2 +-
16288 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
16289 arch/x86/kernel/apic/es7000_32.c | 5 +-
16290 arch/x86/kernel/apic/io_apic.c | 8 +-
16291 arch/x86/kernel/apic/numaq_32.c | 3 +-
16292 arch/x86/kernel/apic/probe_32.c | 2 +-
16293 arch/x86/kernel/apic/summit_32.c | 2 +-
16294 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
16295 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
16296 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
16297 arch/x86/kernel/apm_32.c | 19 +-
16298 arch/x86/kernel/asm-offsets.c | 20 +
16299 arch/x86/kernel/asm-offsets_64.c | 1 +
16300 arch/x86/kernel/cpu/Makefile | 4 -
16301 arch/x86/kernel/cpu/amd.c | 2 +-
16302 arch/x86/kernel/cpu/common.c | 130 +-
16303 arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
16304 arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
16305 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
16306 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
16307 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
16308 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
16309 arch/x86/kernel/cpu/perf_event.c | 8 +-
16310 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
16311 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
16312 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
16313 arch/x86/kernel/cpuid.c | 2 +-
16314 arch/x86/kernel/crash.c | 4 +-
16315 arch/x86/kernel/crash_dump_64.c | 2 +-
16316 arch/x86/kernel/doublefault.c | 8 +-
16317 arch/x86/kernel/dumpstack.c | 30 +-
16318 arch/x86/kernel/dumpstack_32.c | 34 +-
16319 arch/x86/kernel/dumpstack_64.c | 61 +-
16320 arch/x86/kernel/e820.c | 4 +-
16321 arch/x86/kernel/early_printk.c | 1 +
16322 arch/x86/kernel/entry_32.S | 356 +-
16323 arch/x86/kernel/entry_64.S | 669 ++-
16324 arch/x86/kernel/ftrace.c | 14 +-
16325 arch/x86/kernel/head64.c | 13 +-
16326 arch/x86/kernel/head_32.S | 228 +-
16327 arch/x86/kernel/head_64.S | 138 +-
16328 arch/x86/kernel/i386_ksyms_32.c | 12 +
16329 arch/x86/kernel/i387.c | 2 +-
16330 arch/x86/kernel/i8259.c | 10 +-
16331 arch/x86/kernel/io_delay.c | 2 +-
16332 arch/x86/kernel/ioport.c | 2 +-
16333 arch/x86/kernel/irq.c | 8 +-
16334 arch/x86/kernel/irq_32.c | 67 +-
16335 arch/x86/kernel/irq_64.c | 2 +-
16336 arch/x86/kernel/kdebugfs.c | 2 +-
16337 arch/x86/kernel/kgdb.c | 25 +-
16338 arch/x86/kernel/kprobes/core.c | 30 +-
16339 arch/x86/kernel/kprobes/opt.c | 16 +-
16340 arch/x86/kernel/ldt.c | 31 +-
16341 arch/x86/kernel/machine_kexec_32.c | 6 +-
16342 arch/x86/kernel/microcode_core.c | 2 +-
16343 arch/x86/kernel/microcode_intel.c | 4 +-
16344 arch/x86/kernel/module.c | 76 +-
16345 arch/x86/kernel/msr.c | 2 +-
16346 arch/x86/kernel/nmi.c | 19 +-
16347 arch/x86/kernel/nmi_selftest.c | 4 +-
16348 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
16349 arch/x86/kernel/paravirt.c | 43 +-
16350 arch/x86/kernel/pci-calgary_64.c | 2 +-
16351 arch/x86/kernel/pci-iommu_table.c | 2 +-
16352 arch/x86/kernel/pci-swiotlb.c | 2 +-
16353 arch/x86/kernel/process.c | 55 +-
16354 arch/x86/kernel/process_32.c | 29 +-
16355 arch/x86/kernel/process_64.c | 20 +-
16356 arch/x86/kernel/ptrace.c | 25 +-
16357 arch/x86/kernel/pvclock.c | 8 +-
16358 arch/x86/kernel/reboot.c | 42 +-
16359 arch/x86/kernel/reboot_fixups_32.c | 2 +-
16360 arch/x86/kernel/relocate_kernel_64.S | 5 +-
16361 arch/x86/kernel/setup.c | 65 +-
16362 arch/x86/kernel/setup_percpu.c | 29 +-
16363 arch/x86/kernel/signal.c | 19 +-
16364 arch/x86/kernel/smp.c | 2 +-
16365 arch/x86/kernel/smpboot.c | 28 +-
16366 arch/x86/kernel/step.c | 10 +-
16367 arch/x86/kernel/sys_i386_32.c | 184 +
16368 arch/x86/kernel/sys_x86_64.c | 22 +-
16369 arch/x86/kernel/tboot.c | 12 +-
16370 arch/x86/kernel/time.c | 10 +-
16371 arch/x86/kernel/tls.c | 7 +-
16372 arch/x86/kernel/tracepoint.c | 4 +-
16373 arch/x86/kernel/traps.c | 62 +-
16374 arch/x86/kernel/uprobes.c | 4 +-
16375 arch/x86/kernel/vm86_32.c | 6 +-
16376 arch/x86/kernel/vmlinux.lds.S | 147 +-
16377 arch/x86/kernel/vsyscall_64.c | 12 +-
16378 arch/x86/kernel/x8664_ksyms_64.c | 6 +-
16379 arch/x86/kernel/x86_init.c | 6 +-
16380 arch/x86/kernel/xsave.c | 2 +
16381 arch/x86/kvm/cpuid.c | 21 +-
16382 arch/x86/kvm/lapic.c | 2 +-
16383 arch/x86/kvm/paging_tmpl.h | 2 +-
16384 arch/x86/kvm/svm.c | 8 +
16385 arch/x86/kvm/vmx.c | 61 +-
16386 arch/x86/kvm/x86.c | 8 +-
16387 arch/x86/lguest/boot.c | 3 +-
16388 arch/x86/lib/atomic64_386_32.S | 164 +
16389 arch/x86/lib/atomic64_cx8_32.S | 103 +-
16390 arch/x86/lib/checksum_32.S | 100 +-
16391 arch/x86/lib/clear_page_64.S | 5 +-
16392 arch/x86/lib/cmpxchg16b_emu.S | 2 +
16393 arch/x86/lib/copy_page_64.S | 24 +-
16394 arch/x86/lib/copy_user_64.S | 89 +-
16395 arch/x86/lib/copy_user_nocache_64.S | 22 +-
16396 arch/x86/lib/csum-copy_64.S | 2 +
16397 arch/x86/lib/csum-wrappers_64.c | 13 +-
16398 arch/x86/lib/getuser.S | 74 +-
16399 arch/x86/lib/insn.c | 6 +-
16400 arch/x86/lib/iomap_copy_64.S | 2 +
16401 arch/x86/lib/memcpy_64.S | 22 +-
16402 arch/x86/lib/memmove_64.S | 36 +-
16403 arch/x86/lib/memset_64.S | 11 +-
16404 arch/x86/lib/mmx_32.c | 243 +-
16405 arch/x86/lib/msr-reg.S | 18 +-
16406 arch/x86/lib/putuser.S | 90 +-
16407 arch/x86/lib/rwlock.S | 42 +
16408 arch/x86/lib/rwsem.S | 6 +-
16409 arch/x86/lib/thunk_64.S | 2 +
16410 arch/x86/lib/usercopy_32.c | 363 +-
16411 arch/x86/lib/usercopy_64.c | 18 +-
16412 arch/x86/mm/Makefile | 4 +
16413 arch/x86/mm/extable.c | 25 +-
16414 arch/x86/mm/fault.c | 571 ++-
16415 arch/x86/mm/gup.c | 2 +-
16416 arch/x86/mm/highmem_32.c | 4 +
16417 arch/x86/mm/hugetlbpage.c | 30 +-
16418 arch/x86/mm/init.c | 101 +-
16419 arch/x86/mm/init_32.c | 111 +-
16420 arch/x86/mm/init_64.c | 45 +-
16421 arch/x86/mm/iomap_32.c | 4 +
16422 arch/x86/mm/ioremap.c | 15 +-
16423 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
16424 arch/x86/mm/mmap.c | 36 +-
16425 arch/x86/mm/mmio-mod.c | 10 +-
16426 arch/x86/mm/numa.c | 2 +-
16427 arch/x86/mm/pageattr-test.c | 2 +-
16428 arch/x86/mm/pageattr.c | 33 +-
16429 arch/x86/mm/pat.c | 12 +-
16430 arch/x86/mm/pat_rbtree.c | 2 +-
16431 arch/x86/mm/pf_in.c | 10 +-
16432 arch/x86/mm/pgtable.c | 139 +-
16433 arch/x86/mm/pgtable_32.c | 3 +
16434 arch/x86/mm/physaddr.c | 4 +-
16435 arch/x86/mm/setup_nx.c | 7 +
16436 arch/x86/mm/tlb.c | 4 +
16437 arch/x86/mm/uderef_64.c | 37 +
16438 arch/x86/net/bpf_jit.S | 14 +
16439 arch/x86/net/bpf_jit_comp.c | 39 +-
16440 arch/x86/oprofile/backtrace.c | 8 +-
16441 arch/x86/oprofile/nmi_int.c | 8 +-
16442 arch/x86/oprofile/op_model_amd.c | 8 +-
16443 arch/x86/oprofile/op_model_ppro.c | 7 +-
16444 arch/x86/oprofile/op_x86_model.h | 2 +-
16445 arch/x86/pci/irq.c | 8 +-
16446 arch/x86/pci/mrst.c | 4 +-
16447 arch/x86/pci/pcbios.c | 144 +-
16448 arch/x86/platform/efi/efi_32.c | 24 +
16449 arch/x86/platform/efi/efi_64.c | 10 +
16450 arch/x86/platform/efi/efi_stub_32.S | 64 +-
16451 arch/x86/platform/efi/efi_stub_64.S | 8 +
16452 arch/x86/platform/mrst/mrst.c | 6 +-
16453 arch/x86/platform/olpc/olpc_dt.c | 2 +-
16454 arch/x86/power/cpu.c | 11 +-
16455 arch/x86/realmode/init.c | 10 +-
16456 arch/x86/realmode/rm/Makefile | 3 +
16457 arch/x86/realmode/rm/header.S | 4 +-
16458 arch/x86/realmode/rm/trampoline_32.S | 12 +-
16459 arch/x86/realmode/rm/trampoline_64.S | 3 +-
16460 arch/x86/tools/Makefile | 2 +-
16461 arch/x86/tools/relocs.c | 94 +-
16462 arch/x86/um/tls_32.c | 2 +-
16463 arch/x86/vdso/Makefile | 2 +-
16464 arch/x86/vdso/vdso32-setup.c | 23 +-
16465 arch/x86/vdso/vma.c | 29 +-
16466 arch/x86/xen/enlighten.c | 45 +-
16467 arch/x86/xen/mmu.c | 9 +
16468 arch/x86/xen/smp.c | 18 +-
16469 arch/x86/xen/xen-asm_32.S | 12 +-
16470 arch/x86/xen/xen-head.S | 11 +
16471 arch/x86/xen/xen-ops.h | 2 -
16472 block/blk-cgroup.c | 4 +-
16473 block/blk-iopoll.c | 2 +-
16474 block/blk-map.c | 2 +-
16475 block/blk-softirq.c | 2 +-
16476 block/bsg.c | 12 +-
16477 block/compat_ioctl.c | 2 +-
16478 block/genhd.c | 9 +-
16479 block/partitions/efi.c | 8 +-
16480 block/scsi_ioctl.c | 27 +-
16481 crypto/cryptd.c | 4 +-
16482 crypto/pcrypt.c | 2 +-
16483 drivers/acpi/apei/apei-internal.h | 2 +-
16484 drivers/acpi/apei/cper.c | 8 +-
16485 drivers/acpi/apei/ghes.c | 4 +-
16486 drivers/acpi/bgrt.c | 6 +-
16487 drivers/acpi/blacklist.c | 4 +-
16488 drivers/acpi/processor_idle.c | 2 +-
16489 drivers/acpi/sysfs.c | 4 +-
16490 drivers/ata/libahci.c | 2 +-
16491 drivers/ata/libata-core.c | 12 +-
16492 drivers/ata/libata-scsi.c | 2 +-
16493 drivers/ata/libata.h | 2 +-
16494 drivers/ata/pata_arasan_cf.c | 4 +-
16495 drivers/atm/adummy.c | 2 +-
16496 drivers/atm/ambassador.c | 8 +-
16497 drivers/atm/atmtcp.c | 14 +-
16498 drivers/atm/eni.c | 10 +-
16499 drivers/atm/firestream.c | 8 +-
16500 drivers/atm/fore200e.c | 14 +-
16501 drivers/atm/he.c | 18 +-
16502 drivers/atm/horizon.c | 4 +-
16503 drivers/atm/idt77252.c | 36 +-
16504 drivers/atm/iphase.c | 34 +-
16505 drivers/atm/lanai.c | 12 +-
16506 drivers/atm/nicstar.c | 46 +-
16507 drivers/atm/solos-pci.c | 4 +-
16508 drivers/atm/suni.c | 4 +-
16509 drivers/atm/uPD98402.c | 16 +-
16510 drivers/atm/zatm.c | 6 +-
16511 drivers/base/bus.c | 4 +-
16512 drivers/base/devtmpfs.c | 8 +-
16513 drivers/base/node.c | 2 +-
16514 drivers/base/power/domain.c | 4 +-
16515 drivers/base/power/sysfs.c | 2 +-
16516 drivers/base/power/wakeup.c | 8 +-
16517 drivers/base/syscore.c | 4 +-
16518 drivers/block/cciss.c | 28 +-
16519 drivers/block/cciss.h | 2 +-
16520 drivers/block/cpqarray.c | 28 +-
16521 drivers/block/cpqarray.h | 2 +-
16522 drivers/block/drbd/drbd_int.h | 6 +-
16523 drivers/block/drbd/drbd_main.c | 8 +-
16524 drivers/block/drbd/drbd_nl.c | 4 +-
16525 drivers/block/drbd/drbd_receiver.c | 22 +-
16526 drivers/block/loop.c | 2 +-
16527 drivers/block/pktcdvd.c | 2 +-
16528 drivers/cdrom/cdrom.c | 11 +-
16529 drivers/cdrom/gdrom.c | 1 -
16530 drivers/char/agp/compat_ioctl.c | 2 +-
16531 drivers/char/agp/frontend.c | 4 +-
16532 drivers/char/hpet.c | 2 +-
16533 drivers/char/hw_random/intel-rng.c | 2 +-
16534 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
16535 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
16536 drivers/char/mem.c | 43 +-
16537 drivers/char/nvram.c | 2 +-
16538 drivers/char/pcmcia/synclink_cs.c | 18 +-
16539 drivers/char/random.c | 10 +-
16540 drivers/char/sonypi.c | 9 +-
16541 drivers/char/tpm/tpm_acpi.c | 3 +-
16542 drivers/char/tpm/tpm_eventlog.c | 7 +-
16543 drivers/char/virtio_console.c | 4 +-
16544 drivers/clk/clk-composite.c | 2 +-
16545 drivers/clk/socfpga/clk.c | 7 +-
16546 drivers/cpufreq/acpi-cpufreq.c | 20 +-
16547 drivers/cpufreq/cpufreq.c | 9 +-
16548 drivers/cpufreq/cpufreq_governor.c | 6 +-
16549 drivers/cpufreq/cpufreq_governor.h | 2 +-
16550 drivers/cpufreq/cpufreq_ondemand.c | 8 +-
16551 drivers/cpufreq/cpufreq_stats.c | 2 +-
16552 drivers/cpufreq/p4-clockmod.c | 12 +-
16553 drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
16554 drivers/cpufreq/speedstep-centrino.c | 7 +-
16555 drivers/cpuidle/cpuidle.c | 2 +-
16556 drivers/cpuidle/governor.c | 4 +-
16557 drivers/cpuidle/sysfs.c | 2 +-
16558 drivers/crypto/hifn_795x.c | 4 +-
16559 drivers/devfreq/devfreq.c | 4 +-
16560 drivers/dma/sh/shdma.c | 2 +-
16561 drivers/edac/edac_device.c | 4 +-
16562 drivers/edac/edac_mc_sysfs.c | 12 +-
16563 drivers/edac/edac_pci.c | 4 +-
16564 drivers/edac/edac_pci_sysfs.c | 22 +-
16565 drivers/edac/mce_amd.h | 2 +-
16566 drivers/firewire/core-card.c | 6 +-
16567 drivers/firewire/core-device.c | 2 +-
16568 drivers/firewire/core-transaction.c | 1 +
16569 drivers/firewire/core.h | 1 +
16570 drivers/firmware/dmi-id.c | 2 +-
16571 drivers/firmware/dmi_scan.c | 7 +-
16572 drivers/firmware/efi/efi.c | 12 +-
16573 drivers/firmware/efi/efivars.c | 2 +-
16574 drivers/firmware/google/memconsole.c | 4 +-
16575 drivers/gpio/gpio-ich.c | 2 +-
16576 drivers/gpio/gpio-vr41xx.c | 2 +-
16577 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
16578 drivers/gpu/drm/drm_drv.c | 6 +-
16579 drivers/gpu/drm/drm_fops.c | 18 +-
16580 drivers/gpu/drm/drm_global.c | 14 +-
16581 drivers/gpu/drm/drm_info.c | 14 +-
16582 drivers/gpu/drm/drm_ioc32.c | 13 +-
16583 drivers/gpu/drm/drm_ioctl.c | 2 +-
16584 drivers/gpu/drm/drm_lock.c | 4 +-
16585 drivers/gpu/drm/drm_stub.c | 2 +-
16586 drivers/gpu/drm/drm_sysfs.c | 2 +-
16587 drivers/gpu/drm/i810/i810_dma.c | 8 +-
16588 drivers/gpu/drm/i810/i810_drv.h | 4 +-
16589 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
16590 drivers/gpu/drm/i915/i915_dma.c | 2 +-
16591 drivers/gpu/drm/i915/i915_drv.h | 2 +-
16592 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
16593 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
16594 drivers/gpu/drm/i915/i915_irq.c | 24 +-
16595 drivers/gpu/drm/i915/intel_display.c | 26 +-
16596 drivers/gpu/drm/mga/mga_drv.h | 4 +-
16597 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
16598 drivers/gpu/drm/mga/mga_irq.c | 8 +-
16599 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
16600 drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
16601 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
16602 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
16603 drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
16604 drivers/gpu/drm/r128/r128_cce.c | 2 +-
16605 drivers/gpu/drm/r128/r128_drv.h | 4 +-
16606 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
16607 drivers/gpu/drm/r128/r128_irq.c | 4 +-
16608 drivers/gpu/drm/r128/r128_state.c | 4 +-
16609 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
16610 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
16611 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
16612 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
16613 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
16614 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
16615 drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
16616 drivers/gpu/drm/radeon/rs690.c | 4 +-
16617 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
16618 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
16619 drivers/gpu/drm/udl/udl_fb.c | 1 -
16620 drivers/gpu/drm/via/via_drv.h | 4 +-
16621 drivers/gpu/drm/via/via_irq.c | 18 +-
16622 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
16623 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
16624 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
16625 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
16626 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
16627 drivers/gpu/host1x/drm/dc.c | 2 +-
16628 drivers/hid/hid-core.c | 4 +-
16629 drivers/hid/uhid.c | 6 +-
16630 drivers/hv/channel.c | 4 +-
16631 drivers/hv/hv.c | 2 +-
16632 drivers/hv/hv_balloon.c | 18 +-
16633 drivers/hv/hyperv_vmbus.h | 2 +-
16634 drivers/hv/vmbus_drv.c | 4 +-
16635 drivers/hwmon/acpi_power_meter.c | 4 +-
16636 drivers/hwmon/applesmc.c | 2 +-
16637 drivers/hwmon/asus_atk0110.c | 10 +-
16638 drivers/hwmon/coretemp.c | 2 +-
16639 drivers/hwmon/ibmaem.c | 2 +-
16640 drivers/hwmon/iio_hwmon.c | 2 +-
16641 drivers/hwmon/pmbus/pmbus_core.c | 10 +-
16642 drivers/hwmon/sht15.c | 12 +-
16643 drivers/hwmon/via-cputemp.c | 2 +-
16644 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
16645 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
16646 drivers/i2c/i2c-dev.c | 2 +-
16647 drivers/ide/ide-cd.c | 2 +-
16648 drivers/iio/industrialio-core.c | 2 +-
16649 drivers/infiniband/core/cm.c | 32 +-
16650 drivers/infiniband/core/fmr_pool.c | 20 +-
16651 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
16652 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
16653 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
16654 drivers/infiniband/hw/mlx4/mad.c | 2 +-
16655 drivers/infiniband/hw/mlx4/mcg.c | 2 +-
16656 drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
16657 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
16658 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
16659 drivers/infiniband/hw/nes/nes.c | 4 +-
16660 drivers/infiniband/hw/nes/nes.h | 40 +-
16661 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
16662 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
16663 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
16664 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
16665 drivers/infiniband/hw/qib/qib.h | 1 +
16666 drivers/input/gameport/gameport.c | 4 +-
16667 drivers/input/input.c | 4 +-
16668 drivers/input/joystick/sidewinder.c | 1 +
16669 drivers/input/joystick/xpad.c | 4 +-
16670 drivers/input/misc/ims-pcu.c | 4 +-
16671 drivers/input/mouse/psmouse.h | 2 +-
16672 drivers/input/mousedev.c | 2 +-
16673 drivers/input/serio/serio.c | 4 +-
16674 drivers/input/serio/serio_raw.c | 4 +-
16675 drivers/iommu/iommu.c | 2 +-
16676 drivers/iommu/irq_remapping.c | 12 +-
16677 drivers/irqchip/irq-gic.c | 4 +-
16678 drivers/isdn/capi/capi.c | 10 +-
16679 drivers/isdn/gigaset/interface.c | 8 +-
16680 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
16681 drivers/isdn/hardware/avm/b1.c | 4 +-
16682 drivers/isdn/i4l/isdn_common.c | 2 +
16683 drivers/isdn/i4l/isdn_tty.c | 22 +-
16684 drivers/isdn/icn/icn.c | 2 +-
16685 drivers/leds/leds-clevo-mail.c | 2 +-
16686 drivers/leds/leds-ss4200.c | 2 +-
16687 drivers/lguest/core.c | 10 +-
16688 drivers/lguest/page_tables.c | 2 +-
16689 drivers/lguest/x86/core.c | 12 +-
16690 drivers/lguest/x86/switcher_32.S | 27 +-
16691 drivers/md/bcache/closure.h | 2 +-
16692 drivers/md/bcache/super.c | 2 +-
16693 drivers/md/bitmap.c | 2 +-
16694 drivers/md/dm-ioctl.c | 2 +-
16695 drivers/md/dm-raid1.c | 16 +-
16696 drivers/md/dm-stripe.c | 10 +-
16697 drivers/md/dm-table.c | 2 +-
16698 drivers/md/dm-thin-metadata.c | 4 +-
16699 drivers/md/dm.c | 16 +-
16700 drivers/md/md.c | 26 +-
16701 drivers/md/md.h | 6 +-
16702 drivers/md/persistent-data/dm-space-map.h | 1 +
16703 drivers/md/raid1.c | 4 +-
16704 drivers/md/raid10.c | 16 +-
16705 drivers/md/raid5.c | 10 +-
16706 drivers/media/dvb-core/dvbdev.c | 2 +-
16707 drivers/media/dvb-frontends/dib3000.h | 2 +-
16708 drivers/media/pci/cx88/cx88-video.c | 6 +-
16709 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
16710 drivers/media/platform/omap/omap_vout.c | 11 +-
16711 drivers/media/platform/s5p-tv/mixer.h | 2 +-
16712 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
16713 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
16714 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
16715 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
16716 drivers/media/radio/radio-cadet.c | 2 +
16717 drivers/media/radio/radio-maxiradio.c | 2 +-
16718 drivers/media/radio/radio-shark.c | 2 +-
16719 drivers/media/radio/radio-shark2.c | 2 +-
16720 drivers/media/radio/radio-si476x.c | 2 +-
16721 drivers/media/rc/rc-main.c | 4 +-
16722 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
16723 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
16724 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
16725 drivers/media/v4l2-core/v4l2-device.c | 4 +-
16726 drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
16727 drivers/message/fusion/mptsas.c | 34 +-
16728 drivers/message/fusion/mptscsih.c | 19 +-
16729 drivers/message/i2o/i2o_proc.c | 51 +-
16730 drivers/message/i2o/iop.c | 8 +-
16731 drivers/mfd/janz-cmodio.c | 1 +
16732 drivers/mfd/twl4030-irq.c | 9 +-
16733 drivers/mfd/twl6030-irq.c | 10 +-
16734 drivers/misc/c2port/core.c | 4 +-
16735 drivers/misc/kgdbts.c | 4 +-
16736 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
16737 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
16738 drivers/misc/sgi-gru/gruhandles.c | 4 +-
16739 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
16740 drivers/misc/sgi-gru/grutables.h | 154 +-
16741 drivers/misc/sgi-xp/xp.h | 2 +-
16742 drivers/misc/sgi-xp/xpc.h | 3 +-
16743 drivers/misc/sgi-xp/xpc_main.c | 4 +-
16744 drivers/mmc/core/mmc_ops.c | 2 +-
16745 drivers/mmc/host/dw_mmc.h | 2 +-
16746 drivers/mmc/host/sdhci-s3c.c | 8 +-
16747 drivers/mtd/nand/denali.c | 1 +
16748 drivers/mtd/nftlmount.c | 1 +
16749 drivers/mtd/sm_ftl.c | 2 +-
16750 drivers/net/bonding/bond_main.c | 2 +-
16751 drivers/net/ethernet/8390/ax88796.c | 4 +-
16752 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
16753 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
16754 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
16755 drivers/net/ethernet/broadcom/tg3.h | 1 +
16756 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
16757 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
16758 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
16759 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
16760 drivers/net/ethernet/faraday/ftmac100.c | 2 +
16761 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
16762 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
16763 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
16764 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
16765 drivers/net/ethernet/realtek/r8169.c | 8 +-
16766 drivers/net/ethernet/sfc/ptp.c | 2 +-
16767 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
16768 drivers/net/hyperv/hyperv_net.h | 2 +-
16769 drivers/net/hyperv/rndis_filter.c | 4 +-
16770 drivers/net/ieee802154/fakehard.c | 2 +-
16771 drivers/net/macvlan.c | 18 +-
16772 drivers/net/macvtap.c | 2 +-
16773 drivers/net/ppp/ppp_generic.c | 4 +-
16774 drivers/net/slip/slhc.c | 2 +-
16775 drivers/net/team/team.c | 2 +-
16776 drivers/net/tun.c | 5 +-
16777 drivers/net/usb/hso.c | 23 +-
16778 drivers/net/usb/sierra_net.c | 4 +-
16779 drivers/net/vxlan.c | 2 +-
16780 drivers/net/wimax/i2400m/rx.c | 2 +-
16781 drivers/net/wireless/at76c50x-usb.c | 2 +-
16782 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
16783 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
16784 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
16785 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
16786 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
16787 drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
16788 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
16789 drivers/net/wireless/mac80211_hwsim.c | 32 +-
16790 drivers/net/wireless/rndis_wlan.c | 2 +-
16791 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
16792 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
16793 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
16794 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
16795 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
16796 drivers/oprofile/buffer_sync.c | 8 +-
16797 drivers/oprofile/event_buffer.c | 2 +-
16798 drivers/oprofile/oprof.c | 2 +-
16799 drivers/oprofile/oprofile_files.c | 2 +-
16800 drivers/oprofile/oprofile_stats.c | 10 +-
16801 drivers/oprofile/oprofile_stats.h | 10 +-
16802 drivers/oprofile/oprofilefs.c | 2 +-
16803 drivers/oprofile/timer_int.c | 2 +-
16804 drivers/parport/procfs.c | 4 +-
16805 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
16806 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
16807 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
16808 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
16809 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
16810 drivers/pci/hotplug/pciehp_core.c | 2 +-
16811 drivers/pci/pci-sysfs.c | 6 +-
16812 drivers/pci/pci.h | 2 +-
16813 drivers/pci/pcie/aspm.c | 6 +-
16814 drivers/pci/probe.c | 2 +-
16815 drivers/platform/x86/chromeos_laptop.c | 2 +-
16816 drivers/platform/x86/msi-laptop.c | 14 +-
16817 drivers/platform/x86/sony-laptop.c | 2 +-
16818 drivers/platform/x86/thinkpad_acpi.c | 70 +-
16819 drivers/pnp/pnpbios/bioscalls.c | 14 +-
16820 drivers/pnp/resource.c | 4 +-
16821 drivers/power/pda_power.c | 7 +-
16822 drivers/power/power_supply.h | 4 +-
16823 drivers/power/power_supply_core.c | 7 +-
16824 drivers/power/power_supply_sysfs.c | 6 +-
16825 drivers/regulator/core.c | 4 +-
16826 drivers/regulator/max8660.c | 6 +-
16827 drivers/regulator/max8973-regulator.c | 8 +-
16828 drivers/regulator/mc13892-regulator.c | 6 +-
16829 drivers/rtc/rtc-cmos.c | 4 +-
16830 drivers/rtc/rtc-ds1307.c | 2 +-
16831 drivers/rtc/rtc-m48t59.c | 4 +-
16832 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
16833 drivers/scsi/bfa/bfa_ioc.h | 4 +-
16834 drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
16835 drivers/scsi/hosts.c | 4 +-
16836 drivers/scsi/hpsa.c | 30 +-
16837 drivers/scsi/hpsa.h | 2 +-
16838 drivers/scsi/libfc/fc_exch.c | 50 +-
16839 drivers/scsi/libsas/sas_ata.c | 2 +-
16840 drivers/scsi/lpfc/lpfc.h | 8 +-
16841 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
16842 drivers/scsi/lpfc/lpfc_init.c | 6 +-
16843 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
16844 drivers/scsi/pmcraid.c | 20 +-
16845 drivers/scsi/pmcraid.h | 8 +-
16846 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
16847 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
16848 drivers/scsi/qla2xxx/qla_os.c | 6 +-
16849 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
16850 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
16851 drivers/scsi/scsi.c | 2 +-
16852 drivers/scsi/scsi_lib.c | 6 +-
16853 drivers/scsi/scsi_sysfs.c | 2 +-
16854 drivers/scsi/scsi_tgt_lib.c | 2 +-
16855 drivers/scsi/scsi_transport_fc.c | 8 +-
16856 drivers/scsi/scsi_transport_iscsi.c | 6 +-
16857 drivers/scsi/scsi_transport_srp.c | 6 +-
16858 drivers/scsi/sd.c | 2 +-
16859 drivers/scsi/sg.c | 2 +-
16860 drivers/spi/spi.c | 2 +-
16861 drivers/staging/android/timed_output.c | 6 +-
16862 drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
16863 drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
16864 drivers/staging/media/solo6x10/solo6x10.h | 2 +-
16865 drivers/staging/octeon/ethernet-rx.c | 12 +-
16866 drivers/staging/octeon/ethernet.c | 8 +-
16867 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
16868 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
16869 drivers/staging/usbip/vhci.h | 2 +-
16870 drivers/staging/usbip/vhci_hcd.c | 6 +-
16871 drivers/staging/usbip/vhci_rx.c | 2 +-
16872 drivers/staging/vt6655/hostap.c | 7 +-
16873 drivers/staging/vt6656/hostap.c | 7 +-
16874 drivers/staging/zcache/tmem.h | 4 +-
16875 drivers/target/sbp/sbp_target.c | 4 +-
16876 drivers/target/target_core_device.c | 2 +-
16877 drivers/target/target_core_transport.c | 2 +-
16878 drivers/tty/cyclades.c | 6 +-
16879 drivers/tty/hvc/hvc_console.c | 14 +-
16880 drivers/tty/hvc/hvcs.c | 21 +-
16881 drivers/tty/hvc/hvsi.c | 12 +-
16882 drivers/tty/hvc/hvsi_lib.c | 6 +-
16883 drivers/tty/ipwireless/tty.c | 27 +-
16884 drivers/tty/moxa.c | 2 +-
16885 drivers/tty/n_gsm.c | 4 +-
16886 drivers/tty/n_tty.c | 3 +-
16887 drivers/tty/pty.c | 4 +-
16888 drivers/tty/rocket.c | 6 +-
16889 drivers/tty/serial/ioc4_serial.c | 6 +-
16890 drivers/tty/serial/kgdboc.c | 32 +-
16891 drivers/tty/serial/msm_serial.c | 4 +-
16892 drivers/tty/serial/samsung.c | 9 +-
16893 drivers/tty/serial/serial_core.c | 8 +-
16894 drivers/tty/synclink.c | 34 +-
16895 drivers/tty/synclink_gt.c | 28 +-
16896 drivers/tty/synclinkmp.c | 34 +-
16897 drivers/tty/tty_io.c | 2 +-
16898 drivers/tty/tty_ldisc.c | 10 +-
16899 drivers/tty/tty_port.c | 22 +-
16900 drivers/uio/uio.c | 21 +-
16901 drivers/usb/atm/cxacru.c | 2 +-
16902 drivers/usb/atm/usbatm.c | 24 +-
16903 drivers/usb/core/devices.c | 6 +-
16904 drivers/usb/core/hcd.c | 4 +-
16905 drivers/usb/core/message.c | 2 +-
16906 drivers/usb/core/sysfs.c | 2 +-
16907 drivers/usb/core/usb.c | 2 +-
16908 drivers/usb/dwc3/gadget.c | 2 -
16909 drivers/usb/early/ehci-dbgp.c | 16 +-
16910 drivers/usb/gadget/u_serial.c | 22 +-
16911 drivers/usb/misc/appledisplay.c | 4 +-
16912 drivers/usb/serial/console.c | 6 +-
16913 drivers/usb/storage/usb.h | 2 +-
16914 drivers/usb/wusbcore/wa-hc.h | 4 +-
16915 drivers/usb/wusbcore/wa-xfer.c | 2 +-
16916 drivers/vfio/vfio.c | 2 +-
16917 drivers/vhost/vringh.c | 2 +-
16918 drivers/video/aty/aty128fb.c | 2 +-
16919 drivers/video/aty/atyfb_base.c | 8 +-
16920 drivers/video/aty/mach64_cursor.c | 5 +-
16921 drivers/video/backlight/kb3886_bl.c | 2 +-
16922 drivers/video/fb_defio.c | 6 +-
16923 drivers/video/fbcmap.c | 3 +-
16924 drivers/video/fbmem.c | 6 +-
16925 drivers/video/hyperv_fb.c | 4 +-
16926 drivers/video/i810/i810_accel.c | 1 +
16927 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
16928 drivers/video/nvidia/nvidia.c | 27 +-
16929 drivers/video/s1d13xxxfb.c | 6 +-
16930 drivers/video/smscufx.c | 4 +-
16931 drivers/video/udlfb.c | 36 +-
16932 drivers/video/uvesafb.c | 53 +-
16933 drivers/video/vesafb.c | 58 +-
16934 drivers/video/via/via_clock.h | 2 +-
16935 fs/9p/vfs_addr.c | 2 +-
16936 fs/9p/vfs_inode.c | 2 +-
16937 fs/Kconfig.binfmt | 2 +-
16938 fs/afs/inode.c | 4 +-
16939 fs/aio.c | 12 +-
16940 fs/autofs4/waitq.c | 2 +-
16941 fs/befs/endian.h | 4 +-
16942 fs/befs/linuxvfs.c | 2 +-
16943 fs/binfmt_aout.c | 23 +-
16944 fs/binfmt_elf.c | 648 ++-
16945 fs/binfmt_flat.c | 6 +
16946 fs/bio.c | 6 +-
16947 fs/block_dev.c | 2 +-
16948 fs/btrfs/ctree.c | 9 +-
16949 fs/btrfs/delayed-inode.c | 6 +-
16950 fs/btrfs/delayed-inode.h | 4 +-
16951 fs/btrfs/super.c | 2 +-
16952 fs/buffer.c | 2 +-
16953 fs/cachefiles/bind.c | 6 +-
16954 fs/cachefiles/daemon.c | 8 +-
16955 fs/cachefiles/internal.h | 12 +-
16956 fs/cachefiles/namei.c | 2 +-
16957 fs/cachefiles/proc.c | 12 +-
16958 fs/cachefiles/rdwr.c | 2 +-
16959 fs/ceph/dir.c | 2 +-
16960 fs/ceph/super.c | 4 +-
16961 fs/cifs/cifs_debug.c | 12 +-
16962 fs/cifs/cifsfs.c | 8 +-
16963 fs/cifs/cifsglob.h | 54 +-
16964 fs/cifs/link.c | 2 +-
16965 fs/cifs/misc.c | 4 +-
16966 fs/cifs/smb1ops.c | 80 +-
16967 fs/cifs/smb2ops.c | 84 +-
16968 fs/cifs/smb2pdu.c | 3 +-
16969 fs/coda/cache.c | 10 +-
16970 fs/compat.c | 4 +-
16971 fs/compat_binfmt_elf.c | 2 +
16972 fs/compat_ioctl.c | 12 +-
16973 fs/configfs/dir.c | 10 +-
16974 fs/coredump.c | 18 +-
16975 fs/dcache.c | 3 +-
16976 fs/ecryptfs/inode.c | 4 +-
16977 fs/ecryptfs/miscdev.c | 2 +-
16978 fs/exec.c | 362 +-
16979 fs/ext4/ext4.h | 20 +-
16980 fs/ext4/mballoc.c | 44 +-
16981 fs/ext4/mmp.c | 2 +-
16982 fs/ext4/super.c | 4 +-
16983 fs/fhandle.c | 3 +-
16984 fs/fs_struct.c | 8 +-
16985 fs/fscache/cookie.c | 38 +-
16986 fs/fscache/internal.h | 196 +-
16987 fs/fscache/object.c | 26 +-
16988 fs/fscache/operation.c | 30 +-
16989 fs/fscache/page.c | 110 +-
16990 fs/fscache/stats.c | 344 +-
16991 fs/fuse/cuse.c | 10 +-
16992 fs/fuse/dev.c | 4 +-
16993 fs/fuse/dir.c | 2 +-
16994 fs/gfs2/inode.c | 2 +-
16995 fs/hugetlbfs/inode.c | 13 +-
16996 fs/inode.c | 4 +-
16997 fs/jffs2/erase.c | 3 +-
16998 fs/jffs2/wbuf.c | 3 +-
16999 fs/jfs/super.c | 2 +-
17000 fs/libfs.c | 10 +-
17001 fs/lockd/clntproc.c | 4 +-
17002 fs/locks.c | 8 +-
17003 fs/namei.c | 15 +-
17004 fs/namespace.c | 16 +-
17005 fs/nfs/callback_xdr.c | 2 +-
17006 fs/nfs/inode.c | 6 +-
17007 fs/nfsd/nfs4proc.c | 2 +-
17008 fs/nfsd/nfs4xdr.c | 6 +-
17009 fs/nfsd/nfscache.c | 9 +-
17010 fs/nfsd/vfs.c | 6 +-
17011 fs/nls/nls_base.c | 18 +-
17012 fs/nls/nls_euc-jp.c | 6 +-
17013 fs/nls/nls_koi8-ru.c | 6 +-
17014 fs/notify/fanotify/fanotify_user.c | 4 +-
17015 fs/notify/notification.c | 4 +-
17016 fs/ntfs/dir.c | 2 +-
17017 fs/ntfs/file.c | 6 +-
17018 fs/ntfs/super.c | 6 +-
17019 fs/ocfs2/localalloc.c | 2 +-
17020 fs/ocfs2/ocfs2.h | 10 +-
17021 fs/ocfs2/suballoc.c | 12 +-
17022 fs/ocfs2/super.c | 20 +-
17023 fs/pipe.c | 61 +-
17024 fs/proc/array.c | 20 +
17025 fs/proc/base.c | 4 +-
17026 fs/proc/kcore.c | 32 +-
17027 fs/proc/meminfo.c | 2 +-
17028 fs/proc/nommu.c | 2 +-
17029 fs/proc/proc_sysctl.c | 18 +-
17030 fs/proc/self.c | 2 +-
17031 fs/proc/task_mmu.c | 39 +-
17032 fs/proc/task_nommu.c | 4 +-
17033 fs/proc/vmcore.c | 12 +-
17034 fs/qnx6/qnx6.h | 4 +-
17035 fs/quota/netlink.c | 4 +-
17036 fs/read_write.c | 2 +-
17037 fs/reiserfs/do_balan.c | 2 +-
17038 fs/reiserfs/procfs.c | 2 +-
17039 fs/reiserfs/reiserfs.h | 4 +-
17040 fs/seq_file.c | 2 +-
17041 fs/splice.c | 41 +-
17042 fs/sysfs/bin.c | 6 +-
17043 fs/sysfs/dir.c | 2 +-
17044 fs/sysfs/file.c | 10 +-
17045 fs/sysfs/symlink.c | 2 +-
17046 fs/sysv/sysv.h | 2 +-
17047 fs/ubifs/io.c | 2 +-
17048 fs/udf/misc.c | 2 +-
17049 fs/ufs/swab.h | 4 +-
17050 fs/xattr.c | 21 +
17051 fs/xattr_acl.c | 4 +-
17052 fs/xfs/xfs_bmap.c | 2 +-
17053 fs/xfs/xfs_dir2_sf.c | 7 +-
17054 fs/xfs/xfs_ioctl.c | 2 +-
17055 fs/xfs/xfs_iops.c | 2 +-
17056 include/asm-generic/4level-fixup.h | 2 +
17057 include/asm-generic/atomic-long.h | 210 +
17058 include/asm-generic/atomic.h | 2 +-
17059 include/asm-generic/atomic64.h | 12 +
17060 include/asm-generic/cache.h | 4 +-
17061 include/asm-generic/emergency-restart.h | 2 +-
17062 include/asm-generic/kmap_types.h | 4 +-
17063 include/asm-generic/local.h | 13 +
17064 include/asm-generic/pgtable-nopmd.h | 18 +-
17065 include/asm-generic/pgtable-nopud.h | 15 +-
17066 include/asm-generic/pgtable.h | 16 +
17067 include/asm-generic/uaccess.h | 16 +
17068 include/asm-generic/vmlinux.lds.h | 10 +-
17069 include/crypto/algapi.h | 2 +-
17070 include/drm/drmP.h | 17 +-
17071 include/drm/drm_crtc_helper.h | 2 +-
17072 include/drm/ttm/ttm_memory.h | 2 +-
17073 include/keys/asymmetric-subtype.h | 2 +-
17074 include/linux/atmdev.h | 4 +-
17075 include/linux/binfmts.h | 3 +-
17076 include/linux/blkdev.h | 2 +-
17077 include/linux/blktrace_api.h | 2 +-
17078 include/linux/cache.h | 4 +
17079 include/linux/cdrom.h | 1 -
17080 include/linux/cleancache.h | 2 +-
17081 include/linux/clk-provider.h | 1 +
17082 include/linux/compat.h | 5 +-
17083 include/linux/compiler-gcc4.h | 20 +
17084 include/linux/compiler.h | 65 +-
17085 include/linux/completion.h | 6 +-
17086 include/linux/configfs.h | 2 +-
17087 include/linux/cpufreq.h | 3 +-
17088 include/linux/cpuidle.h | 5 +-
17089 include/linux/cpumask.h | 12 +-
17090 include/linux/crypto.h | 6 +-
17091 include/linux/ctype.h | 2 +-
17092 include/linux/decompress/mm.h | 2 +-
17093 include/linux/devfreq.h | 2 +-
17094 include/linux/device.h | 7 +-
17095 include/linux/dma-mapping.h | 2 +-
17096 include/linux/dmaengine.h | 4 +-
17097 include/linux/efi.h | 1 +
17098 include/linux/elf.h | 2 +
17099 include/linux/err.h | 4 +-
17100 include/linux/extcon.h | 2 +-
17101 include/linux/fb.h | 2 +-
17102 include/linux/fdtable.h | 2 +-
17103 include/linux/filter.h | 4 +
17104 include/linux/frontswap.h | 2 +-
17105 include/linux/fs.h | 3 +-
17106 include/linux/fs_struct.h | 2 +-
17107 include/linux/fscache-cache.h | 4 +-
17108 include/linux/fscache.h | 2 +-
17109 include/linux/fsnotify.h | 2 +-
17110 include/linux/genhd.h | 2 +-
17111 include/linux/genl_magic_func.h | 2 +-
17112 include/linux/gfp.h | 12 +-
17113 include/linux/highmem.h | 12 +
17114 include/linux/hwmon-sysfs.h | 5 +-
17115 include/linux/i2c.h | 1 +
17116 include/linux/i2o.h | 2 +-
17117 include/linux/if_pppox.h | 2 +-
17118 include/linux/init.h | 17 +-
17119 include/linux/init_task.h | 7 +
17120 include/linux/interrupt.h | 8 +-
17121 include/linux/iommu.h | 2 +-
17122 include/linux/ioport.h | 2 +-
17123 include/linux/irq.h | 3 +-
17124 include/linux/irqchip/arm-gic.h | 4 +-
17125 include/linux/key-type.h | 2 +-
17126 include/linux/kgdb.h | 6 +-
17127 include/linux/kobject.h | 3 +-
17128 include/linux/kobject_ns.h | 2 +-
17129 include/linux/kref.h | 2 +-
17130 include/linux/kvm_host.h | 4 +-
17131 include/linux/libata.h | 2 +-
17132 include/linux/linkage.h | 1 +
17133 include/linux/list.h | 15 +
17134 include/linux/math64.h | 8 +-
17135 include/linux/mm.h | 116 +-
17136 include/linux/mm_types.h | 20 +
17137 include/linux/mmiotrace.h | 4 +-
17138 include/linux/mmzone.h | 2 +-
17139 include/linux/mod_devicetable.h | 6 +-
17140 include/linux/module.h | 60 +-
17141 include/linux/moduleloader.h | 16 +
17142 include/linux/moduleparam.h | 4 +-
17143 include/linux/namei.h | 6 +-
17144 include/linux/net.h | 2 +-
17145 include/linux/netdevice.h | 3 +-
17146 include/linux/netfilter.h | 2 +-
17147 include/linux/netfilter/ipset/ip_set.h | 2 +-
17148 include/linux/netfilter/nfnetlink.h | 2 +-
17149 include/linux/nls.h | 2 +-
17150 include/linux/notifier.h | 3 +-
17151 include/linux/oprofile.h | 4 +-
17152 include/linux/pci_hotplug.h | 3 +-
17153 include/linux/perf_event.h | 10 +-
17154 include/linux/pipe_fs_i.h | 8 +-
17155 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
17156 include/linux/platform_data/usb-ohci-exynos.h | 2 +-
17157 include/linux/pm_domain.h | 2 +-
17158 include/linux/pm_runtime.h | 2 +-
17159 include/linux/pnp.h | 2 +-
17160 include/linux/poison.h | 4 +-
17161 include/linux/power/smartreflex.h | 2 +-
17162 include/linux/ppp-comp.h | 2 +-
17163 include/linux/preempt.h | 19 +
17164 include/linux/proc_ns.h | 2 +-
17165 include/linux/random.h | 15 +
17166 include/linux/rculist.h | 16 +
17167 include/linux/reboot.h | 14 +-
17168 include/linux/regset.h | 3 +-
17169 include/linux/relay.h | 2 +-
17170 include/linux/rio.h | 2 +-
17171 include/linux/rmap.h | 4 +-
17172 include/linux/sched.h | 67 +-
17173 include/linux/sched/sysctl.h | 1 +
17174 include/linux/security.h | 2 +-
17175 include/linux/seq_file.h | 1 +
17176 include/linux/signal.h | 1 +
17177 include/linux/skbuff.h | 12 +-
17178 include/linux/slab.h | 48 +-
17179 include/linux/slab_def.h | 32 +-
17180 include/linux/slob_def.h | 4 +-
17181 include/linux/slub_def.h | 8 +-
17182 include/linux/smp.h | 2 +
17183 include/linux/sock_diag.h | 2 +-
17184 include/linux/sonet.h | 2 +-
17185 include/linux/sunrpc/addr.h | 8 +-
17186 include/linux/sunrpc/clnt.h | 2 +-
17187 include/linux/sunrpc/svc.h | 2 +-
17188 include/linux/sunrpc/svc_rdma.h | 18 +-
17189 include/linux/sunrpc/svcauth.h | 2 +-
17190 include/linux/swiotlb.h | 3 +-
17191 include/linux/syscalls.h | 18 +-
17192 include/linux/syscore_ops.h | 2 +-
17193 include/linux/sysctl.h | 6 +-
17194 include/linux/sysfs.h | 9 +-
17195 include/linux/sysrq.h | 3 +-
17196 include/linux/thread_info.h | 7 +
17197 include/linux/tty.h | 4 +-
17198 include/linux/tty_driver.h | 2 +-
17199 include/linux/tty_ldisc.h | 2 +-
17200 include/linux/types.h | 16 +
17201 include/linux/uaccess.h | 6 +-
17202 include/linux/unaligned/access_ok.h | 24 +-
17203 include/linux/usb.h | 4 +-
17204 include/linux/usb/renesas_usbhs.h | 2 +-
17205 include/linux/vermagic.h | 21 +-
17206 include/linux/vmalloc.h | 11 +-
17207 include/linux/vmstat.h | 20 +-
17208 include/linux/xattr.h | 5 +-
17209 include/linux/zlib.h | 3 +-
17210 include/media/v4l2-dev.h | 2 +-
17211 include/media/v4l2-device.h | 2 +-
17212 include/net/9p/transport.h | 2 +-
17213 include/net/bluetooth/l2cap.h | 2 +-
17214 include/net/caif/cfctrl.h | 6 +-
17215 include/net/flow.h | 2 +-
17216 include/net/genetlink.h | 2 +-
17217 include/net/gro_cells.h | 2 +-
17218 include/net/inet_connection_sock.h | 2 +-
17219 include/net/inetpeer.h | 17 +-
17220 include/net/ip.h | 2 +-
17221 include/net/ip_fib.h | 2 +-
17222 include/net/ip_vs.h | 8 +-
17223 include/net/irda/ircomm_tty.h | 1 +
17224 include/net/iucv/af_iucv.h | 2 +-
17225 include/net/llc_c_ac.h | 2 +-
17226 include/net/llc_c_ev.h | 4 +-
17227 include/net/llc_c_st.h | 2 +-
17228 include/net/llc_s_ac.h | 2 +-
17229 include/net/llc_s_st.h | 2 +-
17230 include/net/mac80211.h | 2 +-
17231 include/net/neighbour.h | 2 +-
17232 include/net/net_namespace.h | 18 +-
17233 include/net/netdma.h | 2 +-
17234 include/net/netlink.h | 2 +-
17235 include/net/netns/conntrack.h | 6 +-
17236 include/net/netns/ipv4.h | 2 +-
17237 include/net/netns/ipv6.h | 2 +-
17238 include/net/ping.h | 2 +-
17239 include/net/protocol.h | 4 +-
17240 include/net/rtnetlink.h | 2 +-
17241 include/net/sctp/sm.h | 4 +-
17242 include/net/sctp/structs.h | 2 +-
17243 include/net/sock.h | 6 +-
17244 include/net/tcp.h | 8 +-
17245 include/net/xfrm.h | 8 +-
17246 include/rdma/iw_cm.h | 2 +-
17247 include/scsi/libfc.h | 3 +-
17248 include/scsi/scsi_device.h | 6 +-
17249 include/scsi/scsi_transport_fc.h | 3 +-
17250 include/sound/compress_driver.h | 2 +-
17251 include/sound/soc.h | 4 +-
17252 include/target/target_core_base.h | 2 +-
17253 include/trace/events/irq.h | 4 +-
17254 include/uapi/linux/a.out.h | 8 +
17255 include/uapi/linux/byteorder/little_endian.h | 28 +-
17256 include/uapi/linux/elf.h | 28 +
17257 include/uapi/linux/screen_info.h | 3 +-
17258 include/uapi/linux/swab.h | 6 +-
17259 include/uapi/linux/sysctl.h | 6 +-
17260 include/uapi/linux/xattr.h | 4 +
17261 include/video/udlfb.h | 8 +-
17262 include/video/uvesafb.h | 1 +
17263 init/Kconfig | 2 +-
17264 init/Makefile | 3 +
17265 init/do_mounts.c | 14 +-
17266 init/do_mounts.h | 8 +-
17267 init/do_mounts_initrd.c | 30 +-
17268 init/do_mounts_md.c | 6 +-
17269 init/init_task.c | 4 +
17270 init/initramfs.c | 42 +-
17271 init/main.c | 84 +-
17272 ipc/ipc_sysctl.c | 10 +-
17273 ipc/mq_sysctl.c | 2 +-
17274 ipc/msg.c | 11 +-
17275 ipc/sem.c | 11 +-
17276 ipc/shm.c | 17 +-
17277 kernel/acct.c | 2 +-
17278 kernel/audit.c | 8 +-
17279 kernel/auditsc.c | 4 +-
17280 kernel/capability.c | 3 +
17281 kernel/compat.c | 38 +-
17282 kernel/debug/debug_core.c | 16 +-
17283 kernel/debug/kdb/kdb_main.c | 4 +-
17284 kernel/events/core.c | 30 +-
17285 kernel/events/internal.h | 12 +-
17286 kernel/events/uprobes.c | 2 +-
17287 kernel/exit.c | 4 +-
17288 kernel/fork.c | 170 +-
17289 kernel/futex.c | 11 +-
17290 kernel/futex_compat.c | 2 +-
17291 kernel/gcov/base.c | 7 +-
17292 kernel/hrtimer.c | 2 +-
17293 kernel/irq_work.c | 7 +-
17294 kernel/jump_label.c | 5 +
17295 kernel/kallsyms.c | 39 +-
17296 kernel/kexec.c | 3 +-
17297 kernel/kmod.c | 4 +-
17298 kernel/kprobes.c | 8 +-
17299 kernel/ksysfs.c | 2 +-
17300 kernel/lockdep.c | 7 +-
17301 kernel/module.c | 337 +-
17302 kernel/mutex-debug.c | 12 +-
17303 kernel/mutex-debug.h | 4 +-
17304 kernel/mutex.c | 10 +-
17305 kernel/notifier.c | 17 +-
17306 kernel/panic.c | 3 +-
17307 kernel/pid.c | 2 +-
17308 kernel/pid_namespace.c | 2 +-
17309 kernel/posix-cpu-timers.c | 4 +-
17310 kernel/posix-timers.c | 24 +-
17311 kernel/power/process.c | 12 +-
17312 kernel/profile.c | 14 +-
17313 kernel/ptrace.c | 8 +-
17314 kernel/rcupdate.c | 4 +-
17315 kernel/rcutiny.c | 4 +-
17316 kernel/rcutorture.c | 56 +-
17317 kernel/rcutree.c | 74 +-
17318 kernel/rcutree.h | 24 +-
17319 kernel/rcutree_plugin.h | 20 +-
17320 kernel/rcutree_trace.c | 22 +-
17321 kernel/rtmutex-tester.c | 24 +-
17322 kernel/sched/auto_group.c | 4 +-
17323 kernel/sched/core.c | 49 +-
17324 kernel/sched/fair.c | 4 +-
17325 kernel/sched/sched.h | 2 +-
17326 kernel/signal.c | 32 +-
17327 kernel/smpboot.c | 4 +-
17328 kernel/softirq.c | 14 +-
17329 kernel/srcu.c | 4 +-
17330 kernel/sys.c | 10 +-
17331 kernel/sysctl.c | 39 +-
17332 kernel/time.c | 2 +-
17333 kernel/time/alarmtimer.c | 2 +-
17334 kernel/time/timer_stats.c | 10 +-
17335 kernel/timer.c | 4 +-
17336 kernel/trace/blktrace.c | 6 +-
17337 kernel/trace/ftrace.c | 18 +-
17338 kernel/trace/ring_buffer.c | 76 +-
17339 kernel/trace/trace.c | 2 +-
17340 kernel/trace/trace.h | 2 +-
17341 kernel/trace/trace_clock.c | 4 +-
17342 kernel/trace/trace_events.c | 25 +-
17343 kernel/trace/trace_mmiotrace.c | 8 +-
17344 kernel/trace/trace_output.c | 12 +-
17345 kernel/trace/trace_stack.c | 2 +-
17346 kernel/user_namespace.c | 2 +-
17347 kernel/utsname_sysctl.c | 2 +-
17348 kernel/watchdog.c | 2 +-
17349 kernel/workqueue.c | 2 +-
17350 lib/Kconfig.debug | 8 +-
17351 lib/Makefile | 2 +-
17352 lib/bitmap.c | 8 +-
17353 lib/bug.c | 2 +
17354 lib/debugobjects.c | 2 +-
17355 lib/devres.c | 4 +-
17356 lib/div64.c | 4 +-
17357 lib/dma-debug.c | 4 +-
17358 lib/inflate.c | 2 +-
17359 lib/ioremap.c | 4 +-
17360 lib/kobject.c | 4 +-
17361 lib/list_debug.c | 126 +-
17362 lib/radix-tree.c | 2 +-
17363 lib/strncpy_from_user.c | 2 +-
17364 lib/strnlen_user.c | 2 +-
17365 lib/swiotlb.c | 2 +-
17366 lib/usercopy.c | 6 +
17367 lib/vsprintf.c | 12 +-
17368 mm/Kconfig | 6 +-
17369 mm/backing-dev.c | 4 +-
17370 mm/filemap.c | 10 +-
17371 mm/fremap.c | 5 +
17372 mm/highmem.c | 7 +-
17373 mm/hugetlb.c | 70 +-
17374 mm/internal.h | 3 +-
17375 mm/maccess.c | 4 +-
17376 mm/madvise.c | 41 +
17377 mm/memory-failure.c | 26 +-
17378 mm/memory.c | 424 ++-
17379 mm/mempolicy.c | 25 +
17380 mm/mlock.c | 15 +-
17381 mm/mmap.c | 588 ++-
17382 mm/mprotect.c | 139 +-
17383 mm/mremap.c | 44 +-
17384 mm/nommu.c | 21 +-
17385 mm/page-writeback.c | 2 +-
17386 mm/page_alloc.c | 41 +-
17387 mm/page_io.c | 2 +-
17388 mm/percpu.c | 2 +-
17389 mm/process_vm_access.c | 14 +-
17390 mm/rmap.c | 44 +-
17391 mm/shmem.c | 19 +-
17392 mm/slab.c | 108 +-
17393 mm/slab.h | 15 +-
17394 mm/slab_common.c | 60 +-
17395 mm/slob.c | 206 +-
17396 mm/slub.c | 88 +-
17397 mm/sparse-vmemmap.c | 4 +-
17398 mm/sparse.c | 2 +-
17399 mm/swap.c | 3 +
17400 mm/swapfile.c | 12 +-
17401 mm/util.c | 6 +
17402 mm/vmalloc.c | 77 +-
17403 mm/vmstat.c | 10 +-
17404 net/8021q/vlan.c | 5 +-
17405 net/9p/mod.c | 4 +-
17406 net/9p/trans_fd.c | 2 +-
17407 net/atm/atm_misc.c | 8 +-
17408 net/atm/lec.h | 2 +-
17409 net/atm/proc.c | 6 +-
17410 net/atm/resources.c | 4 +-
17411 net/ax25/sysctl_net_ax25.c | 2 +-
17412 net/batman-adv/bat_iv_ogm.c | 8 +-
17413 net/batman-adv/hard-interface.c | 2 +-
17414 net/batman-adv/soft-interface.c | 4 +-
17415 net/batman-adv/types.h | 6 +-
17416 net/batman-adv/unicast.c | 2 +-
17417 net/bluetooth/hci_sock.c | 2 +-
17418 net/bluetooth/l2cap_core.c | 6 +-
17419 net/bluetooth/l2cap_sock.c | 12 +-
17420 net/bluetooth/rfcomm/sock.c | 4 +-
17421 net/bluetooth/rfcomm/tty.c | 10 +-
17422 net/bridge/netfilter/ebtables.c | 6 +-
17423 net/caif/cfctrl.c | 11 +-
17424 net/can/af_can.c | 2 +-
17425 net/can/gw.c | 6 +-
17426 net/ceph/messenger.c | 4 +-
17427 net/compat.c | 34 +-
17428 net/core/datagram.c | 2 +-
17429 net/core/dev.c | 16 +-
17430 net/core/flow.c | 8 +-
17431 net/core/iovec.c | 4 +-
17432 net/core/neighbour.c | 2 +-
17433 net/core/net-sysfs.c | 2 +-
17434 net/core/net_namespace.c | 8 +-
17435 net/core/netpoll.c | 4 +-
17436 net/core/rtnetlink.c | 13 +-
17437 net/core/scm.c | 8 +-
17438 net/core/skbuff.c | 6 +-
17439 net/core/sock.c | 24 +-
17440 net/core/sock_diag.c | 9 +-
17441 net/core/sysctl_net_core.c | 18 +-
17442 net/decnet/af_decnet.c | 1 +
17443 net/decnet/sysctl_net_decnet.c | 4 +-
17444 net/ieee802154/6lowpan.c | 2 +-
17445 net/ipv4/af_inet.c | 8 +-
17446 net/ipv4/devinet.c | 18 +-
17447 net/ipv4/fib_frontend.c | 6 +-
17448 net/ipv4/fib_semantics.c | 2 +-
17449 net/ipv4/inet_connection_sock.c | 2 +-
17450 net/ipv4/inetpeer.c | 4 +-
17451 net/ipv4/ip_fragment.c | 15 +-
17452 net/ipv4/ip_gre.c | 6 +-
17453 net/ipv4/ip_sockglue.c | 2 +-
17454 net/ipv4/ip_vti.c | 4 +-
17455 net/ipv4/ipconfig.c | 6 +-
17456 net/ipv4/ipip.c | 4 +-
17457 net/ipv4/netfilter/arp_tables.c | 12 +-
17458 net/ipv4/netfilter/ip_tables.c | 12 +-
17459 net/ipv4/ping.c | 14 +-
17460 net/ipv4/raw.c | 14 +-
17461 net/ipv4/route.c | 20 +-
17462 net/ipv4/sysctl_net_ipv4.c | 45 +-
17463 net/ipv4/tcp_input.c | 2 +-
17464 net/ipv4/tcp_probe.c | 2 +-
17465 net/ipv4/udp.c | 10 +-
17466 net/ipv4/xfrm4_policy.c | 14 +-
17467 net/ipv6/addrconf.c | 12 +-
17468 net/ipv6/datagram.c | 2 +-
17469 net/ipv6/icmp.c | 2 +-
17470 net/ipv6/ip6_gre.c | 8 +-
17471 net/ipv6/ip6_tunnel.c | 4 +-
17472 net/ipv6/ipv6_sockglue.c | 2 +-
17473 net/ipv6/netfilter/ip6_tables.c | 12 +-
17474 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
17475 net/ipv6/output_core.c | 15 +-
17476 net/ipv6/ping.c | 28 +-
17477 net/ipv6/raw.c | 19 +-
17478 net/ipv6/reassembly.c | 13 +-
17479 net/ipv6/route.c | 2 +-
17480 net/ipv6/sit.c | 4 +-
17481 net/ipv6/sysctl_net_ipv6.c | 2 +-
17482 net/ipv6/udp.c | 6 +-
17483 net/ipv6/xfrm6_policy.c | 13 +-
17484 net/irda/ircomm/ircomm_tty.c | 18 +-
17485 net/iucv/af_iucv.c | 4 +-
17486 net/iucv/iucv.c | 2 +-
17487 net/key/af_key.c | 4 +-
17488 net/mac80211/cfg.c | 8 +-
17489 net/mac80211/ieee80211_i.h | 3 +-
17490 net/mac80211/iface.c | 16 +-
17491 net/mac80211/main.c | 2 +-
17492 net/mac80211/pm.c | 6 +-
17493 net/mac80211/rate.c | 2 +-
17494 net/mac80211/rc80211_pid_debugfs.c | 2 +-
17495 net/mac80211/util.c | 4 +-
17496 net/netfilter/ipset/ip_set_core.c | 2 +-
17497 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
17498 net/netfilter/ipvs/ip_vs_core.c | 4 +-
17499 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
17500 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
17501 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
17502 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
17503 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
17504 net/netfilter/nf_conntrack_acct.c | 2 +-
17505 net/netfilter/nf_conntrack_ecache.c | 2 +-
17506 net/netfilter/nf_conntrack_helper.c | 2 +-
17507 net/netfilter/nf_conntrack_proto.c | 2 +-
17508 net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
17509 net/netfilter/nf_conntrack_standalone.c | 2 +-
17510 net/netfilter/nf_conntrack_timestamp.c | 2 +-
17511 net/netfilter/nf_log.c | 10 +-
17512 net/netfilter/nf_sockopt.c | 4 +-
17513 net/netfilter/nfnetlink_log.c | 4 +-
17514 net/netfilter/xt_statistic.c | 8 +-
17515 net/netlink/af_netlink.c | 4 +-
17516 net/netlink/genetlink.c | 16 +-
17517 net/packet/af_packet.c | 12 +-
17518 net/phonet/pep.c | 6 +-
17519 net/phonet/socket.c | 2 +-
17520 net/phonet/sysctl.c | 2 +-
17521 net/rds/cong.c | 6 +-
17522 net/rds/ib.h | 2 +-
17523 net/rds/ib_cm.c | 2 +-
17524 net/rds/ib_recv.c | 4 +-
17525 net/rds/iw.h | 2 +-
17526 net/rds/iw_cm.c | 2 +-
17527 net/rds/iw_recv.c | 4 +-
17528 net/rds/rds.h | 2 +-
17529 net/rds/tcp.c | 2 +-
17530 net/rds/tcp_send.c | 2 +-
17531 net/rxrpc/af_rxrpc.c | 2 +-
17532 net/rxrpc/ar-ack.c | 14 +-
17533 net/rxrpc/ar-call.c | 2 +-
17534 net/rxrpc/ar-connection.c | 2 +-
17535 net/rxrpc/ar-connevent.c | 2 +-
17536 net/rxrpc/ar-input.c | 4 +-
17537 net/rxrpc/ar-internal.h | 8 +-
17538 net/rxrpc/ar-local.c | 2 +-
17539 net/rxrpc/ar-output.c | 4 +-
17540 net/rxrpc/ar-peer.c | 2 +-
17541 net/rxrpc/ar-proc.c | 4 +-
17542 net/rxrpc/ar-transport.c | 2 +-
17543 net/rxrpc/rxkad.c | 4 +-
17544 net/sctp/ipv6.c | 6 +-
17545 net/sctp/protocol.c | 10 +-
17546 net/sctp/sm_sideeffect.c | 2 +-
17547 net/sctp/socket.c | 21 +-
17548 net/sctp/sysctl.c | 4 +-
17549 net/socket.c | 18 +-
17550 net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
17551 net/sunrpc/clnt.c | 4 +-
17552 net/sunrpc/sched.c | 4 +-
17553 net/sunrpc/svc.c | 4 +-
17554 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
17555 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
17556 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
17557 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
17558 net/tipc/link.c | 4 +-
17559 net/tipc/msg.c | 2 +-
17560 net/tipc/subscr.c | 2 +-
17561 net/unix/sysctl_net_unix.c | 2 +-
17562 net/wireless/wext-core.c | 19 +-
17563 net/xfrm/xfrm_policy.c | 27 +-
17564 net/xfrm/xfrm_state.c | 33 +-
17565 net/xfrm/xfrm_sysctl.c | 2 +-
17566 scripts/Makefile.build | 2 +-
17567 scripts/Makefile.clean | 3 +-
17568 scripts/Makefile.host | 28 +-
17569 scripts/basic/fixdep.c | 12 +-
17570 scripts/gcc-plugin.sh | 17 +
17571 scripts/headers_install.sh | 1 +
17572 scripts/link-vmlinux.sh | 2 +-
17573 scripts/mod/file2alias.c | 14 +-
17574 scripts/mod/modpost.c | 25 +-
17575 scripts/mod/modpost.h | 6 +-
17576 scripts/mod/sumversion.c | 2 +-
17577 scripts/package/builddeb | 1 +
17578 scripts/pnmtologo.c | 6 +-
17579 scripts/sortextable.h | 6 +-
17580 security/Kconfig | 690 +++-
17581 security/apparmor/lsm.c | 2 +-
17582 security/integrity/ima/ima.h | 4 +-
17583 security/integrity/ima/ima_api.c | 2 +-
17584 security/integrity/ima/ima_fs.c | 4 +-
17585 security/integrity/ima/ima_queue.c | 2 +-
17586 security/keys/compat.c | 2 +-
17587 security/keys/internal.h | 2 +-
17588 security/keys/key.c | 18 +-
17589 security/keys/keyctl.c | 8 +-
17590 security/keys/keyring.c | 6 +-
17591 security/security.c | 12 +-
17592 security/selinux/avc.c | 6 +-
17593 security/selinux/hooks.c | 6 +-
17594 security/selinux/include/xfrm.h | 2 +-
17595 security/smack/smack_lsm.c | 2 +-
17596 security/tomoyo/tomoyo.c | 2 +-
17597 security/yama/yama_lsm.c | 22 +-
17598 sound/aoa/codecs/onyx.c | 7 +-
17599 sound/aoa/codecs/onyx.h | 1 +
17600 sound/core/oss/pcm_oss.c | 18 +-
17601 sound/core/pcm_compat.c | 2 +-
17602 sound/core/pcm_native.c | 4 +-
17603 sound/core/seq/seq_device.c | 8 +-
17604 sound/core/sound.c | 2 +-
17605 sound/drivers/mts64.c | 14 +-
17606 sound/drivers/opl4/opl4_lib.c | 2 +-
17607 sound/drivers/portman2x4.c | 3 +-
17608 sound/firewire/amdtp.c | 4 +-
17609 sound/firewire/amdtp.h | 2 +-
17610 sound/firewire/isight.c | 10 +-
17611 sound/firewire/scs1x.c | 8 +-
17612 sound/oss/sb_audio.c | 2 +-
17613 sound/oss/swarm_cs4297a.c | 6 +-
17614 sound/pci/hda/hda_codec.c | 8 +-
17615 sound/pci/ymfpci/ymfpci.h | 2 +-
17616 sound/pci/ymfpci/ymfpci_main.c | 12 +-
17617 sound/soc/fsl/fsl_ssi.c | 2 +-
17618 tools/gcc/.gitignore | 1 +
17619 tools/gcc/Makefile | 45 +
17620 tools/gcc/checker_plugin.c | 172 +
17621 tools/gcc/colorize_plugin.c | 151 +
17622 tools/gcc/constify_plugin.c | 560 ++
17623 tools/gcc/generate_size_overflow_hash.sh | 94 +
17624 tools/gcc/kallocstat_plugin.c | 170 +
17625 tools/gcc/kernexec_plugin.c | 471 ++
17626 tools/gcc/latent_entropy_plugin.c | 321 +
17627 tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++
17628 tools/gcc/size_overflow_plugin.c | 2113 +++++++
17629 tools/gcc/stackleak_plugin.c | 327 +
17630 tools/gcc/structleak_plugin.c | 277 +
17631 tools/lib/lk/Makefile | 2 +-
17632 tools/perf/util/include/asm/alternative-asm.h | 3 +
17633 tools/perf/util/include/linux/compiler.h | 8 +
17634 virt/kvm/kvm_main.c | 32 +-
17635 1664 files changed, 32957 insertions(+), 7636 deletions(-)
17636commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
17637Merge: c3ccfb2 777e08c
17638Author: Brad Spengler <spender@grsecurity.net>
17639Date: Sun Sep 8 19:49:04 2013 -0400
17640
17641 Merge branch 'pax-test' into grsec-test
17642
17643commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
17644Author: Brad Spengler <spender@grsecurity.net>
17645Date: Sun Sep 8 19:47:32 2013 -0400
17646
17647 Update to pax-linux-3.10.11-test26.patch:
17648 - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
17649 - fixed an uninitialized read in splice, reported by hunger
17650
17651 fs/splice.c | 1 +
17652 include/linux/syscalls.h | 14 +-
17653 tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++----------------
17654 3 files changed, 247 insertions(+), 194 deletions(-)
17655
17656commit 5c3161364270c842d901789faac731f79a9f9cd6
17657Merge: cf9c476 85cdabb
17658Author: Brad Spengler <spender@grsecurity.net>
17659Date: Sun Sep 8 19:24:25 2013 -0400
17660
17661 Merge branch 'linux-3.10.y' into pax-test
17662
17663commit c3ccfb29794a03413095422100ce90d40ef7df0f
17664Author: Jakob Bornecrantz <jakob@vmware.com>
17665Date: Thu Aug 29 02:32:53 2013 +0200
17666
17667 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
17668
17669 drm/vmwgfx: Split GMR2_REMAP commands if they are to large
17670
17671 This fixes the piglit test texturing/max-texture-size
17672 causing the VM to die due to a too large SVGA command.
17673
17674 Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
17675 Reviewed-by: Biran Paul <brianp@vmware.com>
17676 Reviewed-by: Zack Rusin <zackr@vmware.com>
17677 Cc: stable@vger.kernel.org
17678 Signed-off-by: Dave Airlie <airlied@gmail.com>
17679
17680 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
17681 1 files changed, 39 insertions(+), 19 deletions(-)
17682
17683commit d260badf708d6aa16c44f56f54727532dcae826e
17684Author: Daniel Borkmann <dborkman@redhat.com>
17685Date: Tue Sep 3 19:29:12 2013 +0200
17686
17687 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
17688
17689 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
17690
17691 In tcp_v6_do_rcv() code, when processing pkt options, we soley work
17692 on our skb clone opt_skb that we've created earlier before entering
17693 tcp_rcv_established() on our way. However, only in condition ...
17694
17695 if (np->rxopt.bits.rxtclass)
17696 np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
17697
17698 ... we work on skb itself. As we extract every other information out
17699 of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
17700 already be released by tcp_rcv_established() earlier on. When we try
17701 to access it in ipv6_hdr(), we will dereference freed skb.
17702
17703 [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
17704 IP_PKTOPTIONS") ]
17705
17706 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
17707 Cc: Eric Dumazet <eric.dumazet@gmail.com>
17708 Acked-by: Eric Dumazet <edumazet@google.com>
17709 Acked-by: Jiri Benc <jbenc@redhat.com>
17710 Signed-off-by: David S. Miller <davem@davemloft.net>
17711
17712 net/ipv6/tcp_ipv6.c | 2 +-
17713 1 files changed, 1 insertions(+), 1 deletions(-)
17714
17715commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
17716Author: Dan Carpenter <dan.carpenter@oracle.com>
17717Date: Thu Aug 29 11:47:00 2013 +0300
17718
17719 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
17720
17721 mISDN: return -EINVAL on error in dsp_control_req()
17722
17723 If skb->len is too short then we should return an error. Otherwise we
17724 read beyond the end of skb->data for several bytes.
17725
17726 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
17727 Signed-off-by: David S. Miller <davem@davemloft.net>
17728
17729 drivers/isdn/mISDN/dsp_core.c | 4 +++-
17730 1 files changed, 3 insertions(+), 1 deletions(-)
17731
17732commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
17733Author: Brad Spengler <spender@grsecurity.net>
17734Date: Thu Sep 5 19:36:23 2013 -0400
17735
17736 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
17737
17738 grsecurity/Kconfig | 3 ++-
17739 1 files changed, 2 insertions(+), 1 deletions(-)
17740
17741commit da68dbcd96c617923a0aedb177d36b2701f9c858
17742Author: Brad Spengler <spender@grsecurity.net>
17743Date: Thu Sep 5 19:17:02 2013 -0400
17744
17745 Allow the deny_new_usb sysctl to be toggled off by a user with
17746 CAP_SYS_ADMIN. This allows for more inventive uses of the feature
17747 that would be impossible otherwise (like toggling it while the screen is
17748 locked, etc)
17749
17750 grsecurity/grsec_sysctl.c | 4 +---
17751 1 files changed, 1 insertions(+), 3 deletions(-)
17752
17753commit ce0e893adc830ee110f97071cc17e661fb35ae3d
17754Author: Brad Spengler <spender@grsecurity.net>
17755Date: Thu Sep 5 18:41:49 2013 -0400
17756
17757 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
17758 GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
17759 users who know they want the functionality but don't want to bother
17760 with modifying init scripts
17761
17762 Also eliminate reset_security_ops() as a ROP target when
17763 SECURITY_SELINUX_DISABLE is disabled as it's the only user
17764
17765 grsecurity/Kconfig | 17 ++++++++++++++++-
17766 grsecurity/grsec_init.c | 3 +++
17767 grsecurity/grsec_sysctl.c | 2 +-
17768 security/security.c | 4 ++++
17769 4 files changed, 24 insertions(+), 2 deletions(-)
17770
17771commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
17772Merge: 7ee3899 cf9c476
17773Author: Brad Spengler <spender@grsecurity.net>
17774Date: Sun Sep 1 13:56:57 2013 -0400
17775
17776 Merge branch 'pax-test' into grsec-test
17777
17778commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
17779Author: Brad Spengler <spender@grsecurity.net>
17780Date: Sun Sep 1 13:56:16 2013 -0400
17781
17782 Update to pax-linux-3.10.10-test25.patch:
17783 - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
17784 - got inet_getid and ipv6_select_ident rid of the cmpxchg loop
17785
17786 block/blk-cgroup.c | 4 ++--
17787 drivers/video/hyperv_fb.c | 4 ++--
17788 fs/namespace.c | 4 ++--
17789 include/net/inetpeer.h | 13 +++++--------
17790 kernel/trace/trace_clock.c | 4 ++--
17791 net/ipv6/output_core.c | 15 ++++++---------
17792 net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
17793 7 files changed, 21 insertions(+), 27 deletions(-)
17794
17795commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
17796Merge: fd0338c 2bdeae7
17797Author: Brad Spengler <spender@grsecurity.net>
17798Date: Sat Aug 31 22:07:38 2013 -0400
17799
17800 Merge branch 'pax-test' into grsec-test
17801
17802commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
17803Author: Brad Spengler <spender@grsecurity.net>
17804Date: Sat Aug 31 22:06:55 2013 -0400
17805
17806 Update to pax-linux-3.10.10-test24.patch:
17807 - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
17808 - fixed a bunch more after a quick audit of atomic_inc_return users
17809
17810 drivers/acpi/apei/ghes.c | 4 ++--
17811 drivers/ata/libata-core.c | 4 ++--
17812 drivers/ata/libata-scsi.c | 2 +-
17813 drivers/ata/libata.h | 2 +-
17814 drivers/block/drbd/drbd_nl.c | 4 ++--
17815 drivers/crypto/hifn_795x.c | 4 ++--
17816 drivers/edac/edac_device.c | 4 ++--
17817 drivers/edac/edac_pci.c | 4 ++--
17818 drivers/firewire/core-card.c | 4 ++--
17819 drivers/hv/hv_balloon.c | 18 +++++++++---------
17820 drivers/infiniband/hw/mlx4/mad.c | 2 +-
17821 drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
17822 drivers/input/misc/ims-pcu.c | 4 ++--
17823 drivers/input/serio/serio_raw.c | 4 ++--
17824 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
17825 drivers/media/radio/radio-maxiradio.c | 2 +-
17826 drivers/media/radio/radio-shark.c | 2 +-
17827 drivers/media/radio/radio-shark2.c | 2 +-
17828 drivers/media/radio/radio-si476x.c | 2 +-
17829 drivers/media/rc/rc-main.c | 4 ++--
17830 drivers/media/v4l2-core/v4l2-device.c | 4 ++--
17831 drivers/net/usb/sierra_net.c | 4 ++--
17832 drivers/pci/hotplug/pciehp_hpc.c | 4 +---
17833 drivers/regulator/core.c | 4 ++--
17834 drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------
17835 drivers/staging/android/timed_output.c | 6 +++---
17836 drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
17837 drivers/staging/media/solo6x10/solo6x10.h | 2 +-
17838 drivers/target/sbp/sbp_target.c | 4 ++--
17839 drivers/tty/hvc/hvsi.c | 12 ++++++------
17840 drivers/tty/hvc/hvsi_lib.c | 6 +++---
17841 drivers/tty/serial/ioc4_serial.c | 6 +++---
17842 drivers/tty/serial/msm_serial.c | 4 ++--
17843 drivers/usb/misc/appledisplay.c | 4 ++--
17844 fs/afs/inode.c | 4 ++--
17845 fs/btrfs/delayed-inode.c | 6 +++---
17846 fs/btrfs/delayed-inode.h | 4 ++--
17847 fs/fscache/cookie.c | 4 ++--
17848 include/media/v4l2-device.h | 2 +-
17849 net/ceph/messenger.c | 4 ++--
17850 net/core/netpoll.c | 4 ++--
17851 net/xfrm/xfrm_state.c | 4 ++--
17852 security/selinux/avc.c | 6 +++---
17853 43 files changed, 93 insertions(+), 95 deletions(-)
17854
17855commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
17856Merge: 1bdf7ec 85099d2
17857Author: Brad Spengler <spender@grsecurity.net>
17858Date: Sat Aug 31 21:07:29 2013 -0400
17859
17860 Merge branch 'pax-test' into grsec-test
17861
17862commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
17863Author: Brad Spengler <spender@grsecurity.net>
17864Date: Sat Aug 31 21:06:55 2013 -0400
17865
17866 Update to pax-linux-3.10.10-test23.patch:
17867 - added the necessary atomic_unchecked_t conversion for mips
17868 - audited and fixed arm and sparc for proper atomic_unchecked_t usage
17869
17870 arch/arm/kvm/arm.c | 8 ++++----
17871 arch/arm/mm/context.c | 10 +++++-----
17872 arch/mips/kernel/irq.c | 6 +++---
17873 arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------
17874 arch/mips/sgi-ip27/ip27-nmi.c | 6 +++---
17875 arch/sparc/kernel/smp_64.c | 12 ++++++------
17876 arch/sparc/kernel/traps_64.c | 14 +++++++-------
17877 arch/sparc/mm/init_64.c | 10 +++++-----
17878 8 files changed, 45 insertions(+), 45 deletions(-)
17879
17880commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
17881Merge: 995a168 38ee86c
17882Author: Brad Spengler <spender@grsecurity.net>
17883Date: Fri Aug 30 19:23:36 2013 -0400
17884
17885 Merge branch 'pax-test' into grsec-test
17886
17887commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
17888Author: Brad Spengler <spender@grsecurity.net>
17889Date: Fri Aug 30 19:23:11 2013 -0400
17890
17891 Update to pax-linux-3.10.10-test22.patch:
17892 - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
17893 - fixed a few more format strings
17894
17895 arch/mips/include/asm/atomic.h | 20 ++++++++++++++++----
17896 drivers/md/bcache/super.c | 2 +-
17897 drivers/net/wireless/iwlwifi/dvm/main.c | 3 +--
17898 drivers/pci/hotplug/pciehp_hpc.c | 2 +-
17899 drivers/platform/x86/wmi.c | 2 +-
17900 drivers/scsi/sd.c | 2 +-
17901 drivers/vfio/vfio.c | 4 ++--
17902 fs/ntfs/super.c | 6 +++---
17903 include/linux/workqueue.h | 6 +++---
17904 net/mac80211/main.c | 2 +-
17905 sound/pci/hda/hda_codec.c | 8 ++------
17906 11 files changed, 32 insertions(+), 25 deletions(-)
17907
17908commit 995a16841e2097c3a9dfc652e856469679c4a0ba
17909Author: Brad Spengler <spender@grsecurity.net>
17910Date: Fri Aug 30 17:11:11 2013 -0400
17911
17912 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
17913
17914 grsecurity/grsec_sysctl.c | 7 ++++---
17915 1 files changed, 4 insertions(+), 3 deletions(-)
17916
17917commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
17918Merge: be2497c 1052971
17919Author: Brad Spengler <spender@grsecurity.net>
17920Date: Thu Aug 29 20:44:29 2013 -0400
17921
17922 Merge branch 'pax-test' into grsec-test
17923
17924 Conflicts:
17925 include/linux/sched.h
17926
17927commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
17928Merge: e902dad 8bf3379
17929Author: Brad Spengler <spender@grsecurity.net>
17930Date: Thu Aug 29 20:39:50 2013 -0400
17931
17932 Update to pax-linux-3.10.10-test21.patch
17933
17934 Merge branch 'linux-3.10.y' into pax-test
17935
17936 Conflicts:
17937 arch/x86/kernel/sys_x86_64.c
17938 arch/x86/mm/mmap.c
17939 include/linux/sched.h
17940
17941commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
17942Merge: 081c22b e902dad
17943Author: Brad Spengler <spender@grsecurity.net>
17944Date: Wed Aug 28 20:52:44 2013 -0400
17945
17946 Merge branch 'pax-test' into grsec-test
17947
17948commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
17949Author: Brad Spengler <spender@grsecurity.net>
17950Date: Wed Aug 28 20:51:21 2013 -0400
17951
17952 Update to pax-linux-3.10.9-test21.patch:
17953 - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
17954 - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
17955 - fixed a REFCOUNT false positive in UHID
17956 - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
17957 Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
17958 (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
17959 - icmpv6_filter: no memory corruption, probably just some logical error in the caller
17960 - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
17961 - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
17962 - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
17963 - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
17964 - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
17965
17966 arch/arm/mm/fault.c | 2 +-
17967 arch/mips/kernel/traps.c | 2 --
17968 drivers/hid/uhid.c | 6 +++---
17969 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
17970 drivers/isdn/i4l/isdn_common.c | 2 ++
17971 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
17972 drivers/usb/dwc3/gadget.c | 2 --
17973 net/ieee802154/6lowpan.c | 2 +-
17974 net/ipv6/raw.c | 2 +-
17975 net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
17976 10 files changed, 14 insertions(+), 16 deletions(-)
17977
17978commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
17979Author: Brad Spengler <spender@grsecurity.net>
17980Date: Wed Aug 28 20:42:39 2013 -0400
17981
17982 add export of gr_handle_new_usb()
17983
17984 grsecurity/grsec_usb.c | 2 ++
17985 1 files changed, 2 insertions(+), 0 deletions(-)
17986
17987commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
17988Author: Brad Spengler <spender@grsecurity.net>
17989Date: Wed Aug 28 19:24:47 2013 -0400
17990
17991 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
17992 Kees' recent findings are motivation enough to publish it
17993
17994 drivers/usb/core/hub.c | 5 +++++
17995 grsecurity/Kconfig | 20 ++++++++++++++++++++
17996 grsecurity/Makefile | 3 ++-
17997 grsecurity/grsec_init.c | 1 +
17998 grsecurity/grsec_sysctl.c | 11 +++++++++++
17999 grsecurity/grsec_usb.c | 13 +++++++++++++
18000 include/linux/grinternal.h | 1 +
18001 include/linux/grsecurity.h | 2 ++
18002 8 files changed, 55 insertions(+), 1 deletions(-)
18003
18004commit 8044382257ec75a03f3d784ce048ef14e94b90ca
18005Author: Kees Cook <keescook@chromium.org>
18006Date: Wed Aug 14 09:35:07 2013 -0700
18007
18008 HID: zeroplus: validate output report details
18009
18010 The zeroplus HID driver was not checking the size of allocated values
18011 in fields it used. A HID device could send a malicious output report
18012 that would cause the driver to write beyond the output report allocation
18013 during initialization, causing a heap overflow:
18014
18015 [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
18016 ...
18017 [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
18018
18019 CVE-2013-2889
18020
18021 Signed-off-by: Kees Cook <keescook@chromium.org>
18022 Cc: stable@kernel.org
18023
18024 drivers/hid/hid-zpff.c | 14 ++------------
18025 1 files changed, 2 insertions(+), 12 deletions(-)
18026
18027commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
18028Author: Kees Cook <keescook@chromium.org>
18029Date: Wed Aug 14 14:36:15 2013 -0700
18030
18031 HID: provide a helper for validating hid reports
18032
18033 Many drivers need to validate the characteristics of their HID report
18034 during initialization to avoid misusing the reports. This adds a common
18035 helper to perform validation of the report, its field count, and the
18036 value count within the fields.
18037
18038 Signed-off-by: Kees Cook <keescook@chromium.org>
18039 Cc: stable@kernel.org
18040
18041 drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
18042 include/linux/hid.h | 4 +++
18043 2 files changed, 54 insertions(+), 0 deletions(-)
18044
18045commit 270ba9096ddecdc3cf6c4d76e6892184820116be
18046Author: Kees Cook <keescook@chromium.org>
18047Date: Wed Aug 14 09:14:34 2013 -0700
18048
18049 HID: steelseries: validate output report details
18050
18051 A HID device could send a malicious output report that would cause the
18052 steelseries HID driver to write beyond the output report allocation
18053 during initialization, causing a heap overflow:
18054
18055 [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
18056 ...
18057 [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
18058
18059 CVE-2013-2891
18060
18061 Signed-off-by: Kees Cook <keescook@chromium.org>
18062 Cc: stable@kernel.org
18063
18064 drivers/hid/hid-steelseries.c | 5 +++++
18065 1 files changed, 5 insertions(+), 0 deletions(-)
18066
18067commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
18068Author: Kees Cook <keescook@chromium.org>
18069Date: Wed Aug 14 08:49:21 2013 -0700
18070
18071 HID: pantherlord: validate output report details
18072
18073 A HID device could send a malicious output report that would cause the
18074 pantherlord HID driver to write beyond the output report allocation
18075 during initialization, causing a heap overflow:
18076
18077 [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
18078 ...
18079 [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
18080
18081 CVE-2013-2892
18082
18083 Signed-off-by: Kees Cook <keescook@chromium.org>
18084 Cc: stable@kernel.org
18085
18086 drivers/hid/hid-pl.c | 10 ++++++++--
18087 1 files changed, 8 insertions(+), 2 deletions(-)
18088
18089commit 60115e8108e508060815bce5ef9504233c81898c
18090Author: Kees Cook <keescook@chromium.org>
18091Date: Tue Aug 13 16:49:01 2013 -0700
18092
18093 HID: LG: validate HID output report details
18094
18095 A HID device could send a malicious output report that would cause the
18096 lg, lg3, and lg4 HID drivers to write beyond the output report allocation
18097 during an event, causing a heap overflow:
18098
18099 [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
18100 ...
18101 [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
18102
18103 Additionally, while lg2 did correctly validate the report details, it was
18104 cleaned up and shortened.
18105
18106 CVE-2013-2893
18107
18108 Signed-off-by: Kees Cook <keescook@chromium.org>
18109 Cc: stable@kernel.org
18110
18111 drivers/hid/hid-lg2ff.c | 19 +++----------------
18112 drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
18113 drivers/hid/hid-lg4ff.c | 20 +-------------------
18114 drivers/hid/hid-lgff.c | 17 ++---------------
18115 4 files changed, 12 insertions(+), 73 deletions(-)
18116
18117commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
18118Author: Kees Cook <keescook@chromium.org>
18119Date: Thu Aug 15 23:21:23 2013 -0700
18120
18121 HID: lenovo-tpkbd: validate output report details
18122
18123 A HID device could send a malicious output report that would cause the
18124 lenovo-tpkbd HID driver to write just beyond the output report allocation
18125 during initialization, causing a heap overflow:
18126
18127 [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
18128 ...
18129 [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
18130
18131 CVE-2013-2894
18132
18133 Signed-off-by: Kees Cook <keescook@chromium.org>
18134 Cc: stable@kernel.org
18135
18136 drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
18137 1 files changed, 5 insertions(+), 0 deletions(-)
18138
18139commit 38627769bb2b9a550e251b2caf1babda7566fb4a
18140Author: Kees Cook <keescook@chromium.org>
18141Date: Thu Aug 15 23:45:03 2013 -0700
18142
18143 HID: logitech-dj: validate output report details
18144
18145 A HID device could send a malicious output report that would cause the
18146 logitech-dj HID driver to leak kernel memory contents to the device, or
18147 trigger a NULL dereference during initialization:
18148
18149 [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
18150 ...
18151 [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
18152 [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
18153
18154 CVE-2013-2895
18155
18156 Signed-off-by: Kees Cook <keescook@chromium.org>
18157 Cc: stable@kernel.org
18158
18159 drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
18160 1 files changed, 10 insertions(+), 2 deletions(-)
18161
18162commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
18163Author: Kees Cook <keescook@chromium.org>
18164Date: Fri Aug 16 00:18:15 2013 -0700
18165
18166 HID: ntrig: validate feature report details
18167
18168 A HID device could send a malicious feature report that would cause the
18169 ntrig HID driver to trigger a NULL dereference during initialization:
18170
18171 [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
18172 ...
18173 [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
18174 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
18175
18176 CVE-2013-2896
18177
18178 Signed-off-by: Kees Cook <keescook@chromium.org>
18179 Cc: stable@kernel.org
18180
18181 drivers/hid/hid-ntrig.c | 3 ++-
18182 1 files changed, 2 insertions(+), 1 deletions(-)
18183
18184commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
18185Author: Kees Cook <keescook@chromium.org>
18186Date: Fri Aug 16 00:11:32 2013 -0700
18187
18188 HID: multitouch: validate feature report details
18189
18190 When working on report indexes, always validate that they are in bounds.
18191 Without this, a HID device could report a malicious feature report that
18192 could trick the driver into a heap overflow:
18193
18194 [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
18195 ...
18196 [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
18197
18198 CVE-2013-2897
18199
18200 Signed-off-by: Kees Cook <keescook@chromium.org>
18201 Cc: stable@kernel.org
18202
18203 drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
18204 1 files changed, 20 insertions(+), 5 deletions(-)
18205
18206commit 813f51e0881e4ea6d221da828b1cced02ad9694d
18207Author: Kees Cook <keescook@chromium.org>
18208Date: Fri Aug 16 08:12:45 2013 -0700
18209
18210 HID: sensor-hub: validate feature report details
18211
18212 A HID device could send a malicious feature report that would cause the
18213 sensor-hub HID driver to read past the end of heap allocation, leaking
18214 kernel memory contents to the caller.
18215
18216 CVE-2013-2898
18217
18218 Signed-off-by: Kees Cook <keescook@chromium.org>
18219 Cc: stable@kernel.org
18220
18221 drivers/hid/hid-sensor-hub.c | 3 ++-
18222 1 files changed, 2 insertions(+), 1 deletions(-)
18223
18224commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
18225Author: Kees Cook <keescook@chromium.org>
18226Date: Fri Aug 16 08:05:10 2013 -0700
18227
18228 HID: picolcd_core: validate output report details
18229
18230 A HID device could send a malicious output report that would cause the
18231 picolcd HID driver to trigger a NULL dereference during attr file writing.
18232
18233 CVE-2013-2899
18234
18235 Signed-off-by: Kees Cook <keescook@chromium.org>
18236 Cc: stable@kernel.org
18237
18238 drivers/hid/hid-picolcd_core.c | 2 +-
18239 1 files changed, 1 insertions(+), 1 deletions(-)
18240
18241commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
18242Author: Kees Cook <keescook@chromium.org>
18243Date: Fri Aug 16 08:09:54 2013 -0700
18244
18245 HID: check for NULL field when setting values
18246
18247 Defensively check that the field to be worked on is not NULL.
18248
18249 Signed-off-by: Kees Cook <keescook@chromium.org>
18250 Cc: stable@kernel.org
18251
18252 drivers/hid/hid-core.c | 7 ++++++-
18253 1 files changed, 6 insertions(+), 1 deletions(-)
18254
18255commit 96a55ce1b2f3af376c400a02059174e79ce4399c
18256Author: Brad Spengler <spender@grsecurity.net>
18257Date: Wed Aug 28 18:09:18 2013 -0400
18258
18259 http://marc.info/?l=linux-input&m=137772180514608&q=raw
18260
18261 From: Kees Cook <keescook@chromium.org>
18262
18263 The "Report ID" field of a HID report is used to build indexes of
18264 reports. The kernel's index of these is limited to 256 entries, so any
18265 malicious device that sets a Report ID greater than 255 will trigger
18266 memory corruption on the host:
18267
18268 [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
18269 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
18270
18271 CVE-2013-2888
18272
18273 Signed-off-by: Kees Cook <keescook@chromium.org>
18274 Cc: stable@kernel.org
18275 ---
18276 drivers/hid/hid-core.c | 10 +++++++---
18277 include/linux/hid.h | 4 +++-
18278 2 files changed, 10 insertions(+), 4 deletions(-)
18279
18280 drivers/hid/hid-core.c | 10 +++++++---
18281 include/linux/hid.h | 4 +++-
18282 2 files changed, 10 insertions(+), 4 deletions(-)
18283
18284commit eb1106eef5f17bfda833ca3cf89e315919173257
18285Author: Dan Carpenter <dan.carpenter@oracle.com>
18286Date: Fri Aug 9 12:52:31 2013 +0300
18287
18288 Upstream commit: 909bd5926d474e275599094acad986af79671ac9
18289
18290 Hostap: copying wrong data prism2_ioctl_giwaplist()
18291
18292 We want the data stored in "addr" and "qual", but the extra ampersands
18293 mean we are copying stack data instead.
18294
18295 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
18296 Cc: stable@vger.kernel.org
18297 Signed-off-by: John W. Linville <linville@tuxdriver.com>
18298
18299 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
18300 1 files changed, 2 insertions(+), 2 deletions(-)
18301
18302commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
18303Author: Brad Spengler <spender@grsecurity.net>
18304Date: Wed Aug 28 17:01:21 2013 -0400
18305
18306 fix typo in ipv6 backport
18307
18308 net/ipv6/addrconf.c | 2 +-
18309 1 files changed, 1 insertions(+), 1 deletions(-)
18310
18311commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
18312Author: Andy Lutomirski <luto@amacapital.net>
18313Date: Thu Aug 22 11:39:15 2013 -0700
18314
18315 Upstream commit: d661684cf6820331feae71146c35da83d794467e
18316
18317 net: Check the correct namespace when spoofing pid over SCM_RIGHTS
18318
18319 This is a security bug.
18320
18321 The follow-up will fix nsproxy to discourage this type of issue from
18322 happening again.
18323
18324 Cc: stable@vger.kernel.org
18325 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
18326 Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
18327 Signed-off-by: David S. Miller <davem@davemloft.net>
18328
18329 net/core/scm.c | 2 +-
18330 1 files changed, 1 insertions(+), 1 deletions(-)
18331
18332commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
18333Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
18334Date: Fri Aug 16 13:02:27 2013 +0200
18335
18336 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
18337
18338 ipv6: remove max_addresses check from ipv6_create_tempaddr
18339
18340 Because of the max_addresses check attackers were able to disable privacy
18341 extensions on an interface by creating enough autoconfigured addresses:
18342
18343 <http://seclists.org/oss-sec/2012/q4/292>
18344
18345 But the check is not actually needed: max_addresses protects the
18346 kernel to install too many ipv6 addresses on an interface and guards
18347 addrconf_prefix_rcv to install further addresses as soon as this limit
18348 is reached. We only generate temporary addresses in direct response of
18349 a new address showing up. As soon as we filled up the maximum number of
18350 addresses of an interface, we stop installing more addresses and thus
18351 also stop generating more temp addresses.
18352
18353 Even if the attacker tries to generate a lot of temporary addresses
18354 by announcing a prefix and removing it again (lifetime == 0) we won't
18355 install more temp addresses, because the temporary addresses do count
18356 to the maximum number of addresses, thus we would stop installing new
18357 autoconfigured addresses when the limit is reached.
18358
18359 This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
18360 possible).
18361
18362 Thanks to Ding Tianhong to bring this topic up again.
18363
18364 Cc: Ding Tianhong <dingtianhong@huawei.com>
18365 Cc: George Kargiotakis <kargig@void.gr>
18366 Cc: P J P <ppandit@redhat.com>
18367 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
18368 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
18369 Acked-by: Ding Tianhong <dingtianhong@huawei.com>
18370 Signed-off-by: David S. Miller <davem@davemloft.net>
18371
18372 Conflicts:
18373
18374 net/ipv6/addrconf.c
18375
18376 net/ipv6/addrconf.c | 10 ++++------
18377 1 files changed, 4 insertions(+), 6 deletions(-)
18378
18379commit 8333e0981469a226a47d0142ff31090a48db95a4
18380Author: David Vrabel <david.vrabel@citrix.com>
18381Date: Thu Aug 15 13:21:06 2013 +0100
18382
18383 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
18384
18385 xen/events: initialize local per-cpu mask for all possible events
18386
18387 The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
18388 resulting in only the first 64 (or 32 in 32-bit guests) ports having
18389 their bindings being initialized to VCPU 0.
18390
18391 In most cases this does not cause a problem as request_irq() will set
18392 the irq affinity which will set the correct local per-cpu mask.
18393 However, if the request_irq() is called on a VCPU other than 0, there
18394 is a window between the unmasking of the event and the affinity being
18395 set were an event may be lost because it is not locally unmasked on
18396 any VCPU. If request_irq() is called on VCPU 0 then local irqs are
18397 disabled during the window and the race does not occur.
18398
18399 Fix this by initializing all NR_EVENT_CHANNEL bits in the local
18400 per-cpu masks.
18401
18402 Signed-off-by: David Vrabel <david.vrabel@citrix.com>
18403 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
18404 CC: stable@vger.kernel.org
18405
18406 drivers/xen/events.c | 2 +-
18407 1 files changed, 1 insertions(+), 1 deletions(-)
18408
18409commit 2a9a83768433937a2b7a97001ba1627156c0efed
18410Author: Roland Dreier <roland@purestorage.com>
18411Date: Mon Aug 5 17:55:01 2013 -0700
18412
18413 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
18414
18415 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
18416
18417 There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
18418 leads to one process writing data into the address space of some other
18419 random unrelated process if the ioctl is interrupted by a signal.
18420 What happens is the following:
18421
18422 - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
18423 underlying SCSI command will transfer data from the SCSI device to
18424 the buffer provided in the ioctl)
18425
18426 - Before the command finishes, a signal is sent to the process waiting
18427 in the ioctl. This will end up waking up the sg_ioctl() code:
18428
18429 result = wait_event_interruptible(sfp->read_wait,
18430 (srp_done(sfp, srp) || sdp->detached));
18431
18432 but neither srp_done() nor sdp->detached is true, so we end up just
18433 setting srp->orphan and returning to userspace:
18434
18435 srp->orphan = 1;
18436 write_unlock_irq(&sfp->rq_list_lock);
18437 return result; /* -ERESTARTSYS because signal hit process */
18438
18439 At this point the original process is done with the ioctl and
18440 blithely goes ahead handling the signal, reissuing the ioctl, etc.
18441
18442 - Eventually, the SCSI command issued by the first ioctl finishes and
18443 ends up in sg_rq_end_io(). At the end of that function, we run through:
18444
18445 write_lock_irqsave(&sfp->rq_list_lock, iflags);
18446 if (unlikely(srp->orphan)) {
18447 if (sfp->keep_orphan)
18448 srp->sg_io_owned = 0;
18449 else
18450 done = 0;
18451 }
18452 srp->done = done;
18453 write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
18454
18455 if (likely(done)) {
18456 /* Now wake up any sg_read() that is waiting for this
18457 * packet.
18458 */
18459 wake_up_interruptible(&sfp->read_wait);
18460 kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
18461 kref_put(&sfp->f_ref, sg_remove_sfp);
18462 } else {
18463 INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
18464 schedule_work(&srp->ew.work);
18465 }
18466
18467 Since srp->orphan *is* set, we set done to 0 (assuming the
18468 userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
18469 ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
18470 to run in a workqueue.
18471
18472 - In workqueue context we go through sg_rq_end_io_usercontext() ->
18473 sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
18474 bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
18475
18476 The key point here is that we are doing copy_to_user() on a
18477 workqueue -- that is, we're on a kernel thread with current->mm
18478 equal to whatever random previous user process was scheduled before
18479 this kernel thread. So we end up copying whatever data the SCSI
18480 command returned to the virtual address of the buffer passed into
18481 the original ioctl, but it's quite likely we do this copying into a
18482 different address space!
18483
18484 As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
18485 add a check for current->mm (which is NULL if we're on a kernel thread
18486 without a real userspace address space) in bio_uncopy_user(), and skip
18487 the copy if we're on a kernel thread.
18488
18489 There's no reason that I can think of for any caller of bio_uncopy_user()
18490 to want to do copying on a kernel thread with a random active userspace
18491 address space.
18492
18493 Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
18494 original pointer to this bug in the sg code.
18495
18496 Signed-off-by: Roland Dreier <roland@purestorage.com>
18497 Tested-by: David Milburn <dmilburn@redhat.com>
18498 Cc: Jens Axboe <axboe@kernel.dk>
18499 Cc: <stable@vger.kernel.org>
18500 Signed-off-by: James Bottomley <JBottomley@Parallels.com>
18501
18502 fs/bio.c | 20 +++++++++++++++-----
18503 1 files changed, 15 insertions(+), 5 deletions(-)
18504
18505commit e6fe57dee152671afd618d6bc8cbf23155be6c34
18506Merge: cdc8f7d f2095a4
18507Author: Brad Spengler <spender@grsecurity.net>
18508Date: Tue Aug 27 18:13:35 2013 -0400
18509
18510 Merge branch 'pax-test' into grsec-test
18511
18512 Conflicts:
18513 arch/arm/mm/fault.c
18514 security/Kconfig
18515
18516commit f2095a4787f7d332e5919f0bd00f8de6021ad612
18517Author: Brad Spengler <spender@grsecurity.net>
18518Date: Tue Aug 27 18:08:23 2013 -0400
18519
18520 Update to pax-linux-3.10.9-test20.patch:
18521 - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
18522 - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
18523 - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
18524 - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
18525 - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
18526 - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
18527 - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)
18528
18529 arch/arm/mm/fault.c | 11 +-
18530 arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++--
18531 arch/mips/kernel/traps.c | 14 +-
18532 arch/x86/include/asm/tlbflush.h | 4 +
18533 arch/x86/include/asm/uaccess_64.h | 2 +-
18534 fs/ntfs/file.c | 2 +-
18535 kernel/events/internal.h | 4 +-
18536 kernel/events/uprobes.c | 2 +-
18537 kernel/futex.c | 2 +-
18538 mm/filemap.c | 8 +-
18539 security/Kconfig | 2 +-
18540 tools/gcc/kernexec_plugin.c | 18 +-
18541 tools/gcc/latent_entropy_plugin.c | 26 +-
18542 tools/gcc/size_overflow_plugin.c | 3 +-
18543 14 files changed, 750 insertions(+), 70 deletions(-)
18544
18545commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
18546Merge: 5a9ae57 745975e
18547Author: Brad Spengler <spender@grsecurity.net>
18548Date: Mon Aug 26 20:27:33 2013 -0400
18549
18550 Merge branch 'pax-test' into grsec-test
18551
18552commit 745975e3b3b74b64e00e85778f9a22714d1274f2
18553Author: Brad Spengler <spender@grsecurity.net>
18554Date: Mon Aug 26 20:26:33 2013 -0400
18555
18556 Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
18557 as reported by fabled on the forums:
18558 http://forums.grsecurity.net/viewtopic.php?f=1&t=3720
18559
18560 arch/arm/include/asm/pgtable.h | 4 +---
18561 1 files changed, 1 insertions(+), 3 deletions(-)
18562
18563commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
18564Merge: 486ec00 f68df21
18565Author: Brad Spengler <spender@grsecurity.net>
18566Date: Tue Aug 20 20:15:20 2013 -0400
18567
18568 Merge branch 'pax-test' into grsec-test
18569
18570commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
18571Author: Brad Spengler <spender@grsecurity.net>
18572Date: Tue Aug 20 20:14:50 2013 -0400
18573
18574 Update to pax-linux-3.10.9-test18.patch:
18575 - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
18576 - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
18577 - forward port to 3.10.9
18578
18579 arch/x86/kernel/entry_64.S | 18 +++++++++---------
18580 arch/x86/kernel/i386_ksyms_32.c | 4 ++++
18581 arch/x86/kernel/x8664_ksyms_64.c | 4 ++++
18582 3 files changed, 17 insertions(+), 9 deletions(-)
18583
18584commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
18585Merge: f47a293 d8fed0e
18586Author: Brad Spengler <spender@grsecurity.net>
18587Date: Tue Aug 20 20:12:47 2013 -0400
18588
18589 Merge branch 'pax-test' into grsec-test
18590
18591commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
18592Merge: f6ace8e 0a4b6d4
18593Author: Brad Spengler <spender@grsecurity.net>
18594Date: Tue Aug 20 20:12:33 2013 -0400
18595
18596 Merge branch 'linux-3.10.y' into pax-test
18597
18598commit f47a293a1440da2a3e2c239d43d636e37ca74f10
18599Merge: f1e8ec7 f6ace8e
18600Author: Brad Spengler <spender@grsecurity.net>
18601Date: Tue Aug 20 18:20:05 2013 -0400
18602
18603 Merge branch 'pax-test' into grsec-test
18604
18605 Conflicts:
18606 arch/arm/kernel/perf_event.c
18607 include/linux/sched.h
18608
18609commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
18610Merge: b4fa847 6f54059
18611Author: Brad Spengler <spender@grsecurity.net>
18612Date: Tue Aug 20 18:18:02 2013 -0400
18613
18614 Update to pax-linux-3.10.8-test18.patch
18615
18616 Merge branch 'linux-3.10.y' into pax-test
18617
18618 Conflicts:
18619 arch/x86/kernel/sys_x86_64.c
18620 arch/x86/mm/mmap.c
18621 include/linux/sched.h
18622
18623commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
18624Merge: 6f88011 b4fa847
18625Author: Brad Spengler <spender@grsecurity.net>
18626Date: Tue Aug 20 18:05:12 2013 -0400
18627
18628 Merge branch 'pax-test' into grsec-test
18629
18630commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
18631Author: Brad Spengler <spender@grsecurity.net>
18632Date: Tue Aug 20 18:04:14 2013 -0400
18633
18634 Update to pax-linux-3.10.7-test18.patch:
18635 - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
18636 - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
18637 - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause
18638
18639 arch/arm/kernel/process.c | 2 +-
18640 arch/x86/include/asm/processor.h | 25 ++-----------------------
18641 arch/x86/kernel/cpu/common.c | 4 ++++
18642 arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
18643 drivers/staging/zcache/tmem.c | 4 ++--
18644 drivers/staging/zcache/tmem.h | 6 ++----
18645 6 files changed, 47 insertions(+), 30 deletions(-)
18646
18647commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
18648Author: Brad Spengler <spender@grsecurity.net>
18649Date: Mon Aug 19 22:10:04 2013 -0400
18650
18651 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
18652 as reported by pipacs
18653
18654 arch/x86/kernel/smpboot.c | 3 ---
18655 1 files changed, 0 insertions(+), 3 deletions(-)
18656
18657commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
18658Merge: 6eba999 5de93c8
18659Author: Brad Spengler <spender@grsecurity.net>
18660Date: Sun Aug 18 22:03:19 2013 -0400
18661
18662 Merge branch 'pax-test' into grsec-test
18663
18664commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
18665Author: Brad Spengler <spender@grsecurity.net>
18666Date: Sun Aug 18 22:02:47 2013 -0400
18667
18668 Update to pax-linux-3.10.7-test15.patch:
18669 - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
18670 - fixed some new REFCOUNT false positives, caught by inspection
18671
18672 arch/x86/kernel/cpu/common.c | 5 +++--
18673 arch/x86/kernel/entry_64.S | 11 +++++++----
18674 fs/ceph/super.c | 4 ++--
18675 mm/backing-dev.c | 4 ++--
18676 4 files changed, 14 insertions(+), 10 deletions(-)
18677
18678commit 94c119587c76723c1072237b98fff9886ccb7689
18679Author: Brad Spengler <spender@grsecurity.net>
18680Date: Sun Aug 18 20:49:39 2013 -0400
18681
18682 fix pipacs' DEMORGAN typo
18683
18684 arch/x86/include/asm/tlbflush.h | 2 +-
18685 1 files changed, 1 insertions(+), 1 deletions(-)
18686
18687commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
18688Merge: df347f6 64a293e
18689Author: Brad Spengler <spender@grsecurity.net>
18690Date: Sun Aug 18 18:13:04 2013 -0400
18691
18692 Merge branch 'pax-test' into grsec-test
18693
18694commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
18695Author: Brad Spengler <spender@grsecurity.net>
18696Date: Sun Aug 18 18:12:37 2013 -0400
18697
18698 Update to pax-linux-3.10.7-test14.patch:
18699 - fixed compile error introduced by the previous PCID change
18700 - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
18701
18702 arch/x86/include/asm/tlbflush.h | 2 +-
18703 kernel/posix-timers.c | 2 +-
18704 2 files changed, 2 insertions(+), 2 deletions(-)
18705
18706commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
18707Merge: d8efbc5 e11b314
18708Author: Brad Spengler <spender@grsecurity.net>
18709Date: Sun Aug 18 08:15:00 2013 -0400
18710
18711 Merge branch 'pax-test' into grsec-test
18712
18713commit e11b314734c5b7317f5468be75305ad812e78c2b
18714Author: Brad Spengler <spender@grsecurity.net>
18715Date: Sun Aug 18 08:14:26 2013 -0400
18716
18717 Update to pax-linux-3.10.7-test13.patch:
18718 - always enable the use of PCID and INVPCID when available in the CPU
18719 - kvm guest kernels can use these features even if the host kernel lacks UDEREF
18720
18721 arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++----------------
18722 arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++----------
18723 2 files changed, 70 insertions(+), 47 deletions(-)
18724
18725commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
18726Author: Brad Spengler <spender@grsecurity.net>
18727Date: Sat Aug 17 12:00:20 2013 -0400
18728
18729 make kallsyms_lookup_size_offset available to approved source files
18730
18731 include/linux/kallsyms.h | 3 +++
18732 1 files changed, 3 insertions(+), 0 deletions(-)
18733
18734commit 6c8feffa95ce2db280160015027b52bb41a344c8
18735Merge: dbf6930 0bb1c2b
18736Author: Brad Spengler <spender@grsecurity.net>
18737Date: Sat Aug 17 11:57:50 2013 -0400
18738
18739 Merge branch 'pax-test' into grsec-test
18740
18741commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
18742Author: Brad Spengler <spender@grsecurity.net>
18743Date: Sat Aug 17 11:56:43 2013 -0400
18744
18745 Update to pax-linux-3.10.7-test12.patch:
18746 - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
18747 - fixed some arm compile problems
18748
18749 arch/x86/include/asm/tlbflush.h | 2 +-
18750 drivers/clocksource/bcm_kona_timer.c | 2 +-
18751 kernel/signal.c | 4 ++++
18752 3 files changed, 6 insertions(+), 2 deletions(-)
18753
18754commit dbf69305ad4f8a037aae95af90f9201f556dcb48
18755Author: Brad Spengler <spender@grsecurity.net>
18756Date: Sat Aug 17 11:18:09 2013 -0400
18757
18758 allow use of kallsyms_lookup_name to approved source files
18759
18760 include/linux/kallsyms.h | 1 +
18761 1 files changed, 1 insertions(+), 0 deletions(-)
18762
18763commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
18764Merge: 68bd16f f562e3e
18765Author: Brad Spengler <spender@grsecurity.net>
18766Date: Sat Aug 17 10:35:02 2013 -0400
18767
18768 Merge branch 'pax-test' into grsec-test
18769
18770commit f562e3ef7737ea8d80431a722479b36a12504ace
18771Author: Brad Spengler <spender@grsecurity.net>
18772Date: Sat Aug 17 10:34:51 2013 -0400
18773
18774 add uderef_64.c
18775
18776 arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++
18777 1 files changed, 37 insertions(+), 0 deletions(-)
18778
18779commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
18780Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
18781Date: Mon Aug 12 16:30:09 2013 +0000
18782
18783 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
18784
18785 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
18786
18787 Fix the iproute2 command `bridge vlan show`, after switching from
18788 rtgenmsg to ifinfomsg.
18789
18790 Let's start with a little history:
18791
18792 Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in
18793 the 3.9 merge window.
18794 In the kernel commit 6cbdceeb, he added attribute support to
18795 bridge GETLINK requests sent with rtgenmsg.
18796
18797 Mar 6th: Vlad got this iproute2 reference implementation of the bridge
18798 vlan netlink interface accepted (iproute2 9eff0e5c)
18799
18800 Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
18801 http://patchwork.ozlabs.org/patch/239602/
18802 http://marc.info/?t=136680900700007
18803
18804 Apr 28th: Linus released 3.9
18805
18806 Apr 30th: Stephen released iproute2 3.9.0
18807
18808 The `bridge vlan show` command haven't been working since the switch to
18809 ifinfomsg, or in a released version of iproute2. Since the kernel side
18810 only supports rtgenmsg, which iproute2 switched away from just prior to
18811 the iproute2 3.9.0 release.
18812
18813 I haven't been able to find any documentation, about neither rtgenmsg
18814 nor ifinfomsg, and in which situation to use which, but kernel commit
18815 88c5b5ce seams to suggest that ifinfomsg should be used.
18816
18817 Fixing this in kernel will break compatibility, but I doubt that anybody
18818 have been using it due to this bug in the user space reference
18819 implementation, at least not without noticing this bug. That said the
18820 functionality is still fully functional in 3.9, when reversing iproute2
18821 commit 63338dca.
18822
18823 This could also be fixed in iproute2, but thats an ugly patch that would
18824 reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
18825 like rtgenmsg usage is discouraged. I'm assuming that the only reason
18826 that Vlad implemented the kernel side to use rtgenmsg, was because
18827 iproute2 was using it at the time.
18828
18829 Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
18830 Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
18831 Signed-off-by: David S. Miller <davem@davemloft.net>
18832
18833 net/core/rtnetlink.c | 2 +-
18834 1 files changed, 1 insertions(+), 1 deletions(-)
18835
18836commit 8c7bc5bafddddff55ed4687203a977e96f72540a
18837Author: Johannes Berg <johannes.berg@intel.com>
18838Date: Tue Aug 13 09:04:05 2013 +0200
18839
18840 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
18841
18842 genetlink: fix family dump race
18843
18844 When dumping generic netlink families, only the first dump call
18845 is locked with genl_lock(), which protects the list of families,
18846 and thus subsequent calls can access the data without locking,
18847 racing against family addition/removal. This can cause a crash.
18848 Fix it - the locking needs to be conditional because the first
18849 time around it's already locked.
18850
18851 A similar bug was reported to me on an old kernel (3.4.47) but
18852 the exact scenario that happened there is no longer possible,
18853 on those kernels the first round wasn't locked either. Looking
18854 at the current code I found the race described above, which had
18855 also existed on the old kernel.
18856
18857 Cc: stable@vger.kernel.org
18858 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
18859 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
18860 Signed-off-by: David S. Miller <davem@davemloft.net>
18861
18862 net/netlink/genetlink.c | 7 +++++++
18863 1 files changed, 7 insertions(+), 0 deletions(-)
18864
18865commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
18866Author: Daniel Borkmann <dborkman@redhat.com>
18867Date: Fri Aug 9 16:25:21 2013 +0200
18868
18869 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
18870
18871 net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
18872
18873 Probably this one is quite unlikely to be triggered, but it's more safe
18874 to do the call_rcu() at the end after we have dropped the reference on
18875 the asoc and freed sctp packet chunks. The reason why is because in
18876 sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
18877 we're unlucky enough we could run into corrupted pointers. Probably
18878 that's more of theoretical nature, but it's safer to have this simple fix.
18879
18880 Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
18881 for deferred call_rcu's"). I also did the 8c98653f regression test and
18882 it's fine that way.
18883
18884 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
18885 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
18886 Signed-off-by: David S. Miller <davem@davemloft.net>
18887
18888 net/sctp/transport.c | 4 ++--
18889 1 files changed, 2 insertions(+), 2 deletions(-)
18890
18891commit 3925eab5483946fd746575a46f97bee9d566bb77
18892Author: Stephane Grosjean <s.grosjean@peak-system.com>
18893Date: Fri Aug 9 11:44:06 2013 +0200
18894
18895 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
18896
18897 can: pcan_usb: fix wrong memcpy() bytes length
18898
18899 Fix possibly wrong memcpy() bytes length since some CAN records received from
18900 PCAN-USB could define a DLC field in range [9..15].
18901 In that case, the real DLC value MUST be used to move forward the record pointer
18902 but, only 8 bytes max. MUST be copied into the data field of the struct
18903 can_frame object of the skb given to the network core.
18904
18905 Cc: linux-stable <stable@vger.kernel.org>
18906 Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
18907 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
18908 Signed-off-by: David S. Miller <davem@davemloft.net>
18909
18910 drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
18911 1 files changed, 1 insertions(+), 1 deletions(-)
18912
18913commit c1ac6642baae4a400d1f87115024d1bb1ef53598
18914Author: Linus Lüssing <linus.luessing@web.de>
18915Date: Tue Aug 6 20:21:15 2013 +0200
18916
18917 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
18918
18919 batman-adv: fix potential kernel paging errors for unicast transmissions
18920
18921 There are several functions which might reallocate skb data. Currently
18922 some places keep reusing their old ethhdr pointer regardless of whether
18923 they became invalid after such a reallocation or not. This potentially
18924 leads to kernel paging errors.
18925
18926 This patch fixes these by refetching the ethdr pointer after the
18927 potential reallocations.
18928
18929 Signed-off-by: Linus Lüssing <linus.luessing@web.de>
18930 Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
18931 Signed-off-by: Antonio Quartulli <ordex@autistici.org>
18932
18933 net/batman-adv/bridge_loop_avoidance.c | 2 ++
18934 net/batman-adv/gateway_client.c | 13 ++++++++++++-
18935 net/batman-adv/gateway_client.h | 3 +--
18936 net/batman-adv/soft-interface.c | 9 ++++++++-
18937 net/batman-adv/unicast.c | 13 ++++++++++---
18938 5 files changed, 33 insertions(+), 7 deletions(-)
18939
18940commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
18941Author: Yuchung Cheng <ycheng@google.com>
18942Date: Fri Aug 9 17:21:27 2013 -0700
18943
18944 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
18945
18946 netfilter: nf_conntrack: fix tcp_in_window for Fast Open
18947
18948 Currently the conntrack checks if the ending sequence of a packet
18949 falls within the observed receive window. However it does so even
18950 if it has not observe any packet from the remote yet and uses an
18951 uninitialized receive window (td_maxwin).
18952
18953 If a connection uses Fast Open to send a SYN-data packet which is
18954 dropped afterward in the network. The subsequent SYNs retransmits
18955 will all fail this check and be discarded, leading to a connection
18956 timeout. This is because the SYN retransmit does not contain data
18957 payload so
18958
18959 end == initial sequence number (isn) + 1
18960 sender->td_end == isn + syn_data_len
18961 receiver->td_maxwin == 0
18962
18963 The fix is to only apply this check after td_maxwin is initialized.
18964
18965 Reported-by: Michael Chan <mcfchan@stanford.edu>
18966 Signed-off-by: Yuchung Cheng <ycheng@google.com>
18967 Acked-by: Eric Dumazet <edumazet@google.com>
18968 Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
18969 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
18970
18971 net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
18972 1 files changed, 8 insertions(+), 4 deletions(-)
18973
18974commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
18975Author: Dan Carpenter <dan.carpenter@oracle.com>
18976Date: Thu Aug 1 12:36:57 2013 +0300
18977
18978 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
18979
18980 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
18981
18982 These structs have a "_pad" member. Also the "phw" structs have an 8
18983 byte "hw_addr[]" array but sometimes only the first 6 bytes are
18984 initialized.
18985
18986 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
18987 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
18988
18989 net/netfilter/nfnetlink_log.c | 6 +++++-
18990 net/netfilter/nfnetlink_queue_core.c | 5 ++++-
18991 2 files changed, 9 insertions(+), 2 deletions(-)
18992
18993commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
18994Author: Pablo Neira Ayuso <pablo@netfilter.org>
18995Date: Thu Jul 25 10:46:46 2013 +0200
18996
18997 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
18998
18999 netfilter: xt_TCPOPTSTRIP: fix possible off by one access
19000
19001 Fix a possible off by one access since optlen()
19002 touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
19003
19004 This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
19005 that stores the TCP header length, to save some cycles.
19006
19007 Reported-by: Julian Anastasov <ja@ssi.bg>
19008 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
19009
19010 net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++----
19011 1 files changed, 6 insertions(+), 4 deletions(-)
19012
19013commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
19014Author: Pablo Neira Ayuso <pablo@netfilter.org>
19015Date: Thu Jul 25 10:37:49 2013 +0200
19016
19017 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
19018
19019 netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
19020
19021 Make sure the packet has enough room for the TCP header and
19022 that it is not malformed.
19023
19024 While at it, store tcph->doff*4 in a variable, as it is used
19025 several times.
19026
19027 This patch also fixes a possible off by one in case of malformed
19028 TCP options.
19029
19030 Reported-by: Julian Anastasov <ja@ssi.bg>
19031 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
19032
19033 net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
19034 1 files changed, 16 insertions(+), 12 deletions(-)
19035
19036commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
19037Author: Dave Jones <davej@redhat.com>
19038Date: Fri Aug 9 11:16:34 2013 -0700
19039
19040 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
19041
19042 8139cp: Fix skb leak in rx_status_loop failure path.
19043
19044 Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
19045 ("8139cp: Add dma_mapping_error checking")
19046
19047 Signed-off-by: Dave Jones <davej@redhat.com>
19048 Signed-off-by: David S. Miller <davem@davemloft.net>
19049
19050 drivers/net/ethernet/realtek/8139cp.c | 1 +
19051 1 files changed, 1 insertions(+), 0 deletions(-)
19052
19053commit 227b279491a0bbcc70ca3654f34903282c378600
19054Author: Timo Teräs <timo.teras@iki.fi>
19055Date: Tue Aug 6 13:45:43 2013 +0300
19056
19057 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
19058
19059 ip_gre: fix ipgre_header to return correct offset
19060
19061 Fix ipgre_header() (header_ops->create) to return the correct
19062 amount of bytes pushed. Most callers of dev_hard_header() seem
19063 to care only if it was success, but af_packet.c uses it as
19064 offset to the skb to copy from userspace only once. In practice
19065 this fixes packet socket sendto()/sendmsg() to gre tunnels.
19066
19067 Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
19068 ("GRE: Refactor GRE tunneling code.")
19069
19070 Cc: Pravin B Shelar <pshelar@nicira.com>
19071 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
19072 Acked-by: Eric Dumazet <edumazet@google.com>
19073 Signed-off-by: David S. Miller <davem@davemloft.net>
19074
19075 net/ipv4/ip_gre.c | 2 +-
19076 1 files changed, 1 insertions(+), 1 deletions(-)
19077
19078commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
19079Author: Eric Dumazet <edumazet@google.com>
19080Date: Mon Aug 5 11:18:49 2013 -0700
19081
19082 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
19083
19084 fib_trie: remove potential out of bound access
19085
19086 AddressSanitizer [1] dynamic checker pointed a potential
19087 out of bound access in leaf_walk_rcu()
19088
19089 We could allocate one more slot in tnode_new() to leave the prefetch()
19090 in-place but it looks not worth the pain.
19091
19092 Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
19093
19094 [1] :
19095 https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
19096
19097 Reported-by: Andrey Konovalov <andreyknvl@google.com>
19098 Signed-off-by: Eric Dumazet <edumazet@google.com>
19099 Cc: Dmitry Vyukov <dvyukov@google.com>
19100 Signed-off-by: David S. Miller <davem@davemloft.net>
19101
19102 net/ipv4/fib_trie.c | 5 +----
19103 1 files changed, 1 insertions(+), 4 deletions(-)
19104
19105commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
19106Author: Daniel Borkmann <dborkman@redhat.com>
19107Date: Mon Aug 5 12:49:35 2013 +0200
19108
19109 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
19110
19111 net: esp{4,6}: fix potential MTU calculation overflows
19112
19113 Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
19114 size calculation") introduced a possible interger overflow in
19115 esp{4,6}_get_mtu() handlers in case of x->props.mode equals
19116 XFRM_MODE_TUNNEL. Thus, the following expression will overflow
19117
19118 unsigned int net_adj;
19119 ...
19120 <case ipv{4,6} XFRM_MODE_TUNNEL>
19121 net_adj = 0;
19122 ...
19123 return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
19124 net_adj) & ~(align - 1)) + (net_adj - 2);
19125
19126 where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
19127 context. Fix it by simply removing brackets as those operations here
19128 do not need to have special precedence.
19129
19130 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
19131 Cc: Benjamin Poirier <bpoirier@suse.de>
19132 Cc: Steffen Klassert <steffen.klassert@secunet.com>
19133 Acked-by: Benjamin Poirier <bpoirier@suse.de>
19134 Signed-off-by: David S. Miller <davem@davemloft.net>
19135
19136 net/ipv4/esp4.c | 2 +-
19137 net/ipv6/esp6.c | 2 +-
19138 2 files changed, 2 insertions(+), 2 deletions(-)
19139
19140commit f02bce292d1c2fe610be509c96593e70b3de387b
19141Author: Julia Lawall <Julia.Lawall@lip6.fr>
19142Date: Mon Aug 5 16:47:38 2013 +0200
19143
19144 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
19145
19146 net/vmw_vsock/af_vsock.c: drop unneeded semicolon
19147
19148 Drop the semicolon at the end of the list_for_each_entry loop header.
19149
19150 Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
19151 Signed-off-by: David S. Miller <davem@davemloft.net>
19152
19153 net/vmw_vsock/af_vsock.c | 2 +-
19154 1 files changed, 1 insertions(+), 1 deletions(-)
19155
19156commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
19157Author: Tiger Yang <tiger.yang@oracle.com>
19158Date: Tue Aug 13 16:00:58 2013 -0700
19159
19160 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
19161
19162 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
19163
19164 Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
19165 the struct file pointer, it finally result in a null pointer dereference
19166 in ocfs2_duplicate_clusters_by_page.
19167
19168 This patch replace file pointer with inode pointer in
19169 cow_duplicate_clusters to fix this issue.
19170
19171 [jeff.liu@oracle.com: rebased patch against linux-next tree]
19172 Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
19173 Signed-off-by: Jie Liu <jeff.liu@oracle.com>
19174 Cc: Joel Becker <jlbec@evilplan.org>
19175 Cc: Mark Fasheh <mfasheh@suse.com>
19176 Acked-by: Tao Ma <tm@tao.ma>
19177 Tested-by: David Weber <wb@munzinger.de>
19178 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
19179 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
19180
19181 fs/ocfs2/aops.c | 2 +-
19182 fs/ocfs2/file.c | 6 ++--
19183 fs/ocfs2/move_extents.c | 2 +-
19184 fs/ocfs2/refcounttree.c | 53 +++++++---------------------------------------
19185 fs/ocfs2/refcounttree.h | 6 ++--
19186 5 files changed, 16 insertions(+), 53 deletions(-)
19187
19188commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
19189Author: Dan Carpenter <dan.carpenter@oracle.com>
19190Date: Thu Aug 15 15:52:57 2013 +0300
19191
19192 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
19193
19194 tun: signedness bug in tun_get_user()
19195
19196 The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
19197 not totally correct. Because "len" and "sizeof()" are size_t type, that
19198 means they are never less than zero.
19199
19200 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
19201 Acked-by: Michael S. Tsirkin <mst@redhat.com>
19202 Acked-by: Neil Horman <nhorman@tuxdriver.com>
19203 Signed-off-by: David S. Miller <davem@davemloft.net>
19204
19205 drivers/net/tun.c | 6 ++++--
19206 1 files changed, 4 insertions(+), 2 deletions(-)
19207
19208commit 26ad267ddda451919357965a0cf271ca24d1bcf2
19209Author: Weiping Pan <wpan@redhat.com>
19210Date: Tue Aug 13 21:46:56 2013 +0800
19211
19212 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
19213
19214 tun: compare with 0 instead of total_len
19215
19216 Since we set "len = total_len" in the beginning of tun_get_user(),
19217 so we should compare the new len with 0, instead of total_len,
19218 or the if statement always returns false.
19219
19220 Signed-off-by: Weiping Pan <wpan@redhat.com>
19221 Signed-off-by: David S. Miller <davem@davemloft.net>
19222
19223 drivers/net/tun.c | 4 ++--
19224 1 files changed, 2 insertions(+), 2 deletions(-)
19225
19226commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
19227Author: Guenter Roeck <linux@roeck-us.net>
19228Date: Fri Aug 16 20:50:55 2013 -0700
19229
19230 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
19231
19232 s390: Fix broken build
19233
19234 Fix this build error:
19235
19236 In file included from fs/exec.c:61:0:
19237 arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
19238 arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
19239 arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
19240 arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
19241
19242 Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
19243 invalidation corner cases").
19244
19245 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19246 Cc: stable@vger.kernel.org
19247 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
19248 [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ]
19249 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
19250
19251 arch/s390/include/asm/tlb.h | 2 +-
19252 1 files changed, 1 insertions(+), 1 deletions(-)
19253
19254commit 4e57312c2de2a25ddb181d129dafbc0251062c33
19255Author: Linus Torvalds <torvalds@linux-foundation.org>
19256Date: Thu Aug 15 11:42:25 2013 -0700
19257
19258 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
19259
19260 Fix TLB gather virtual address range invalidation corner cases
19261
19262 Ben Tebulin reported:
19263
19264 "Since v3.7.2 on two independent machines a very specific Git
19265 repository fails in 9/10 cases on git-fsck due to an SHA1/memory
19266 failures. This only occurs on a very specific repository and can be
19267 reproduced stably on two independent laptops. Git mailing list ran
19268 out of ideas and for me this looks like some very exotic kernel issue"
19269
19270 and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
19271 limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
19272
19273 That commit itself is not actually buggy, but what it does is to make it
19274 much more likely to hit the partial TLB invalidation case, since it
19275 introduces a new case in tlb_next_batch() that previously only ever
19276 happened when running out of memory.
19277
19278 The real bug is that the TLB gather virtual memory range setup is subtly
19279 buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
19280 enable tlb flush range in generic mmu_gather"), and the range handling
19281 was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
19282 range flushed when __tlb_remove_page() runs out of slots"), but that fix
19283 was not complete.
19284
19285 The problem with the TLB gather virtual address range is that it isn't
19286 set up by the initial tlb_gather_mmu() initialization (which didn't get
19287 the TLB range information), but it is set up ad-hoc later by the
19288 functions that actually flush the TLB. And so any such case that forgot
19289 to update the TLB range entries would potentially miss TLB invalidates.
19290
19291 Rather than try to figure out exactly which particular ad-hoc range
19292 setup was missing (I personally suspect it's the hugetlb case in
19293 zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
19294 did), this patch just gets rid of the problem at the source: make the
19295 TLB range information available to tlb_gather_mmu(), and initialize it
19296 when initializing all the other tlb gather fields.
19297
19298 This makes the patch larger, but conceptually much simpler. And the end
19299 result is much more understandable; even if you want to play games with
19300 partial ranges when invalidating the TLB contents in chunks, now the
19301 range information is always there, and anybody who doesn't want to
19302 bother with it won't introduce subtle bugs.
19303
19304 Ben verified that this fixes his problem.
19305
19306 Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
19307 Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
19308 Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
19309 Reviewed-by: Michal Hocko <mhocko@suse.cz>
19310 Acked-by: Peter Zijlstra <peterz@infradead.org>
19311 Cc: stable@vger.kernel.org
19312 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
19313
19314 arch/arm/include/asm/tlb.h | 7 +++++--
19315 arch/arm64/include/asm/tlb.h | 7 +++++--
19316 arch/ia64/include/asm/tlb.h | 9 ++++++---
19317 arch/s390/include/asm/tlb.h | 8 ++++++--
19318 arch/sh/include/asm/tlb.h | 6 ++++--
19319 arch/um/include/asm/tlb.h | 6 ++++--
19320 fs/exec.c | 4 ++--
19321 include/asm-generic/tlb.h | 2 +-
19322 mm/hugetlb.c | 2 +-
19323 mm/memory.c | 36 +++++++++++++++++++++---------------
19324 mm/mmap.c | 4 ++--
19325 11 files changed, 57 insertions(+), 34 deletions(-)
19326
19327commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
19328Merge: 5568c80 ffceabf
19329Author: Brad Spengler <spender@grsecurity.net>
19330Date: Sat Aug 17 09:11:41 2013 -0400
19331
19332 Merge branch 'pax-test' into grsec-test
19333
19334commit ffceabfcc65c60109ba5fca694d78d4dc7047809
19335Author: Brad Spengler <spender@grsecurity.net>
19336Date: Sat Aug 17 09:10:44 2013 -0400
19337
19338 Update to pax-linux-3.10.7-test11.patch:
19339 - simplified some arm code
19340 - disabled preemption when calling show_regs, reported by Corey Minyard
19341 - added PCID based support for UDEREF on amd64 (blog will have more details)
19342 - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
19343 - nopcid turns it off
19344 - by default a strong form of UDEREF is used under PCID
19345 - pax_weakuderef switches to the older, less secure UDEREF
19346 - fixed several bugs that would also have manifested under SMAP
19347 - INVPCID is used when available (Haswell)
19348 - added a few more return insn instrumentation in new amd64 crypto code
19349
19350 Documentation/kernel-parameters.txt | 7 +
19351 arch/arm/include/asm/uaccess.h | 3 +
19352 arch/x86/crypto/blowfish-avx2-asm_64.S | 6 +
19353 arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++
19354 arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++
19355 arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
19356 arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
19357 arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++
19358 arch/x86/crypto/sha256-avx-asm.S | 2 +
19359 arch/x86/crypto/sha256-avx2-asm.S | 2 +
19360 arch/x86/crypto/sha256-ssse3-asm.S | 2 +
19361 arch/x86/crypto/sha512-avx-asm.S | 2 +
19362 arch/x86/crypto/sha512-avx2-asm.S | 2 +
19363 arch/x86/crypto/sha512-ssse3-asm.S | 2 +
19364 arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++
19365 arch/x86/ia32/ia32_signal.c | 2 +-
19366 arch/x86/ia32/ia32entry.S | 24 ++++-
19367 arch/x86/include/asm/cpufeature.h | 3 +-
19368 arch/x86/include/asm/fpu-internal.h | 2 +
19369 arch/x86/include/asm/futex.h | 4 +
19370 arch/x86/include/asm/mmu_context.h | 80 +++++++++++---
19371 arch/x86/include/asm/pgtable.h | 10 +-
19372 arch/x86/include/asm/processor.h | 15 +++-
19373 arch/x86/include/asm/segment.h | 5 +-
19374 arch/x86/include/asm/smap.h | 64 +++++++++++-
19375 arch/x86/include/asm/tlbflush.h | 63 +++++++++--
19376 arch/x86/include/asm/uaccess.h | 18 +++-
19377 arch/x86/include/asm/xsave.h | 4 +
19378 arch/x86/kernel/cpu/common.c | 38 +++++++
19379 arch/x86/kernel/entry_32.S | 2 +-
19380 arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++---
19381 arch/x86/kernel/head_32.S | 2 +-
19382 arch/x86/kernel/head_64.S | 8 +-
19383 arch/x86/kernel/process_64.c | 5 +
19384 arch/x86/kernel/setup.c | 8 +-
19385 arch/x86/kernel/signal.c | 4 +-
19386 arch/x86/kernel/smpboot.c | 15 ++-
19387 arch/x86/lib/copy_user_64.S | 50 +--------
19388 arch/x86/lib/copy_user_nocache_64.S | 2 +
19389 arch/x86/lib/csum-wrappers_64.c | 11 ++-
19390 arch/x86/lib/memcpy_64.S | 4 +-
19391 arch/x86/lib/memmove_64.S | 2 +-
19392 arch/x86/lib/memset_64.S | 4 +-
19393 arch/x86/lib/usercopy_64.c | 5 +-
19394 arch/x86/mm/Makefile | 4 +
19395 arch/x86/mm/fault.c | 29 ++++--
19396 arch/x86/mm/init.c | 7 +-
19397 arch/x86/mm/init_64.c | 9 ++-
19398 arch/x86/mm/pageattr.c | 2 +-
19399 arch/x86/mm/pgtable.c | 3 +
19400 arch/x86/platform/efi/efi_32.c | 2 +-
19401 arch/x86/platform/efi/efi_64.c | 2 +-
19402 arch/x86/realmode/rm/trampoline_64.S | 1 +
19403 fs/exec.c | 2 +
19404 include/asm-generic/uaccess.h | 8 ++
19405 include/linux/compat.h | 1 +
19406 include/linux/preempt.h | 19 +++
19407 include/linux/signal.h | 1 +
19408 include/linux/smp.h | 2 +
19409 init/main.c | 14 ++-
19410 kernel/signal.c | 16 +++
19411 security/Kconfig | 5 +
19412 tools/lib/lk/Makefile | 2 +-
19413 tools/perf/Makefile | 2 +-
19414 64 files changed, 673 insertions(+), 136 deletions(-)
19415
19416commit 5568c8059e78d6d002815409df4e90c83b3b08a8
19417Author: Brad Spengler <spender@grsecurity.net>
19418Date: Sat Aug 17 08:58:34 2013 -0400
19419
19420 Fix two harmless compiler warnings
19421
19422 arch/arm/kernel/process.c | 4 ++--
19423 fs/exec.c | 2 +-
19424 2 files changed, 3 insertions(+), 3 deletions(-)
19425
19426commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
19427Author: Brad Spengler <spender@grsecurity.net>
19428Date: Fri Aug 16 22:55:24 2013 -0400
19429
19430 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b
19431
19432 arch/arm/kernel/perf_event.c | 5 ++++-
19433 1 files changed, 4 insertions(+), 1 deletions(-)
19434
19435commit 3637bc893b57a227b01852fe34685ab237285b10
19436Author: Stephen Boyd <sboyd@codeaurora.org>
19437Date: Wed Aug 7 16:18:08 2013 -0700
19438
19439 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
19440
19441 perf/arm: Fix armpmu_map_hw_event()
19442
19443 Fix constraint check in armpmu_map_hw_event().
19444
19445 Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
19446 Cc: <stable@kernel.org>
19447 Signed-off-by: Ingo Molnar <mingo@kernel.org>
19448 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
19449
19450 arch/arm/kernel/perf_event.c | 7 ++++++-
19451 1 files changed, 6 insertions(+), 1 deletions(-)
19452
19453commit 11802e1f961a088c39af58d1c1b14d861eedfb35
19454Author: Brad Spengler <spender@grsecurity.net>
19455Date: Fri Aug 16 22:53:30 2013 -0400
19456
19457 More ARM backports
19458
19459 arch/arm/kernel/entry-armv.S | 3 ++-
19460 arch/arm/kernel/fiq.c | 8 ++------
19461 2 files changed, 4 insertions(+), 7 deletions(-)
19462
19463commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
19464Author: Brad Spengler <spender@grsecurity.net>
19465Date: Fri Aug 16 22:46:01 2013 -0400
19466
19467 Fix HIDESYM compatibility with kprobes, as reported by feandil at:
19468 http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
19469
19470 include/linux/kallsyms.h | 2 +-
19471 kernel/kprobes.c | 3 +++
19472 2 files changed, 4 insertions(+), 1 deletions(-)
19473
19474commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
19475Author: yonghua zheng <younghua.zheng@gmail.com>
19476Date: Tue Aug 13 16:01:03 2013 -0700
19477
19478 fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
19479
19480 Recently we met quite a lot of random kernel panic issues after enabling
19481 CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
19482 to do with following bug in pagemap:
19483
19484 In struct pagemapread:
19485
19486 struct pagemapread {
19487 int pos, len;
19488 pagemap_entry_t *buffer;
19489 bool v2;
19490 };
19491
19492 pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
19493 buffer, it is a mistake to compare pos and len in add_page_map() for
19494 checking buffer is full or not, and this can lead to buffer overflow and
19495 random kernel panic issue.
19496
19497 Correct len to be total number of PM_ENTRY_BYTES in buffer.
19498
19499 [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
19500 Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
19501 Cc: <stable@vger.kernel.org>
19502 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
19503 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
19504
19505 Conflicts:
19506
19507 fs/proc/task_mmu.c
19508
19509 fs/proc/task_mmu.c | 8 ++++----
19510 1 files changed, 4 insertions(+), 4 deletions(-)
19511
19512commit 0a3dac834746de241c10d4978bf61b4f146ba89d
19513Merge: dc19474 e12de30
19514Author: Brad Spengler <spender@grsecurity.net>
19515Date: Fri Aug 16 17:39:01 2013 -0400
19516
19517 Merge branch 'pax-test' into grsec-test
19518
19519commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
19520Author: Brad Spengler <spender@grsecurity.net>
19521Date: Fri Aug 16 17:34:47 2013 -0400
19522
19523 Update to pax-linux-3.10.7-test9.patch:
19524 - Emese fixed a size overflow false positive reported by Sven Vermeulen
19525 - fixed some arm compile problems reported by spender
19526 - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
19527 eventually we'll have full REFCOUNT support on mips
19528
19529 arch/arm/kernel/process.c | 5 ++-
19530 arch/arm/mm/Kconfig | 2 +-
19531 arch/arm/mm/fault.c | 3 ++
19532 arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++
19533 mm/internal.h | 2 +-
19534 5 files changed, 65 insertions(+), 4 deletions(-)
19535
19536commit dc19474d0ea6ea3c939544ae5f906067b1784a10
19537Merge: 51b78c0 82266f9
19538Author: Brad Spengler <spender@grsecurity.net>
19539Date: Thu Aug 15 21:47:37 2013 -0400
19540
19541 Merge branch 'pax-test' into grsec-test
19542
19543commit 82266f90a3f87ab5017329fb539aebf94c42253a
19544Author: Brad Spengler <spender@grsecurity.net>
19545Date: Thu Aug 15 21:14:47 2013 -0400
19546
19547 Update to pax-linux-3.10.7-test9.patch
19548
19549 arch/arm/kernel/process.c | 6 ++----
19550 1 files changed, 2 insertions(+), 4 deletions(-)
19551
19552commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
19553Merge: e32d904 cb77ead
19554Author: Brad Spengler <spender@grsecurity.net>
19555Date: Thu Aug 15 20:53:45 2013 -0400
19556
19557 Merge branch 'pax-test' into grsec-test
19558
19559 Conflicts:
19560 security/Kconfig
19561
19562commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
19563Merge: 13675b8 519be45
19564Author: Brad Spengler <spender@grsecurity.net>
19565Date: Thu Aug 15 20:50:47 2013 -0400
19566
19567 Update to pax-linux-3.10.7-test8.patch
19568
19569 Merge branch 'linux-3.10.y' into pax-test
19570
19571commit e32d904b87292288e74e2637b900fd1115687b8e
19572Author: Brad Spengler <spender@grsecurity.net>
19573Date: Sat Aug 10 09:41:40 2013 -0400
19574
19575 propagate the threadstack offset through to the topdown/bottomup allocators
19576 on sparc64 hugepages
19577
19578 arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
19579 1 files changed, 8 insertions(+), 4 deletions(-)
19580
19581commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
19582Author: Oleg Nesterov <oleg@redhat.com>
19583Date: Thu Aug 8 18:55:32 2013 +0200
19584
19585 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
19586
19587 another local DoS found in reaction to the one I reported,
19588 we don't allow unpriv user ns use so this doesn't matter much to us
19589
19590 userns: limit the maximum depth of user_namespace->parent chain
19591
19592 Ensure that user_namespace->parent chain can't grow too much.
19593 Currently we use the hardroded 32 as limit.
19594
19595 Reported-by: Andy Lutomirski <luto@amacapital.net>
19596 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
19597 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
19598
19599 include/linux/user_namespace.h | 1 +
19600 kernel/user_namespace.c | 4 ++++
19601 2 files changed, 5 insertions(+), 0 deletions(-)
19602
19603commit 223ac007ef18bf3a5095ba0a56675c1f16200149
19604Merge: 1c92de4 13675b8
19605Author: Brad Spengler <spender@grsecurity.net>
19606Date: Thu Aug 8 20:45:24 2013 -0400
19607
19608 Merge branch 'pax-test' into grsec-test
19609
19610 Conflicts:
19611 security/Kconfig
19612
19613commit 13675b848cf02bffd26924b2b84d927095bc253d
19614Author: Brad Spengler <spender@grsecurity.net>
19615Date: Thu Aug 8 20:43:52 2013 -0400
19616
19617 Update to pax-linux-3.10.5-test8.patch:
19618 - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
19619 - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
19620 - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>
19621
19622 arch/arm/include/asm/pgtable-2level.h | 4 +++-
19623 arch/arm/mm/proc-v7-2level.S | 3 ---
19624 arch/mips/mm/fault.c | 8 ++++++++
19625 arch/x86/include/asm/processor.h | 3 ++-
19626 include/linux/math64.h | 2 +-
19627 security/Kconfig | 2 --
19628 6 files changed, 14 insertions(+), 8 deletions(-)
19629
19630commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
19631Merge: e65aa3d 1660f49
19632Author: Brad Spengler <spender@grsecurity.net>
19633Date: Mon Aug 5 18:50:45 2013 -0400
19634
19635 Merge branch 'pax-test' into grsec-test
19636
19637commit 1660f496848b8400d263f7920989dae15e72185a
19638Merge: 7f91ba1 dc51cd2
19639Author: Brad Spengler <spender@grsecurity.net>
19640Date: Mon Aug 5 18:50:12 2013 -0400
19641
19642 Update to pax-linux-3.10.5-test7.patch
19643
19644 Merge branch 'linux-3.10.y' into pax-test
19645
19646 Conflicts:
19647 arch/x86/kernel/head_64.S
19648 mm/mempolicy.c
19649
19650commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
19651Author: Brad Spengler <spender@grsecurity.net>
19652Date: Mon Aug 5 17:58:42 2013 -0400
19653
19654 Disable RANDKSTACK for a VirtualBox host as mentioned on the
19655 gentoo-hardened bugzilla:
19656 https://bugs.gentoo.org/show_bug.cgi?id=382793
19657
19658 security/Kconfig | 2 +-
19659 1 files changed, 1 insertions(+), 1 deletions(-)
19660
19661commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
19662Author: Dan Carpenter <dan.carpenter@oracle.com>
19663Date: Tue Jul 30 13:23:39 2013 +0300
19664
19665 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
19666
19667 net_sched: info leak in atm_tc_dump_class()
19668
19669 The "pvc" struct has a hole after pvc.sap_family which is not cleared.
19670
19671 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
19672 Reviewed-by: Jiri Pirko <jiri@resnulli.us>
19673 Signed-off-by: David S. Miller <davem@davemloft.net>
19674
19675 net/sched/sch_atm.c | 1 +
19676 1 files changed, 1 insertions(+), 0 deletions(-)
19677
19678commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
19679Author: Daniel Borkmann <dborkman@redhat.com>
19680Date: Fri Aug 2 11:32:43 2013 +0200
19681
19682 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
19683
19684 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
19685
19686 Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
19687 resource that was allocated via inet_alloc_ifa() unfreed when returning
19688 the function with -EINVAL. Thus, free it first via inet_free_ifa().
19689
19690 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
19691 Reviewed-by: Jiri Pirko <jiri@resnulli.us>
19692 Signed-off-by: David S. Miller <davem@davemloft.net>
19693
19694 net/ipv4/devinet.c | 4 +++-
19695 1 files changed, 3 insertions(+), 1 deletions(-)
19696
19697commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
19698Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
19699Date: Fri Aug 2 23:15:56 2013 -0400
19700
19701 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
19702
19703 qlcnic: Free up memory in error path.
19704
19705 Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
19706 Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
19707 Signed-off-by: David S. Miller <davem@davemloft.net>
19708
19709 drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++---
19710 1 files changed, 3 insertions(+), 3 deletions(-)
19711
19712commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
19713Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
19714Date: Fri Aug 2 23:15:54 2013 -0400
19715
19716 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
19717
19718 qlcnic: Fix MAC address filter issue on 82xx adapter
19719
19720 Driver was passing the address of a pointer instead of
19721 the pointer itself.
19722
19723 Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
19724 Signed-off-by: David S. Miller <davem@davemloft.net>
19725
19726 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
19727 1 files changed, 1 insertions(+), 1 deletions(-)
19728
19729commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
19730Author: Brad Spengler <spender@grsecurity.net>
19731Date: Mon Aug 5 17:26:40 2013 -0400
19732
19733 Move user namespace capability check to shared create_user_ns code so we
19734 cover unshare() as well.
19735
19736 Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
19737 user namespaces!
19738
19739 kernel/fork.c | 17 -----------------
19740 kernel/user_namespace.c | 24 ++++++++++++++++++++++--
19741 2 files changed, 22 insertions(+), 19 deletions(-)
19742
19743commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
19744Author: Brad Spengler <spender@grsecurity.net>
19745Date: Mon Aug 5 16:05:41 2013 -0400
19746
19747 silence a warning on older gcc
19748
19749 grsecurity/gracl.c | 2 +-
19750 1 files changed, 1 insertions(+), 1 deletions(-)
19751
19752commit b8966a5d577e9220fbc63306eee978f819f24e2e
19753Author: Brad Spengler <spender@grsecurity.net>
19754Date: Sat Aug 3 08:31:08 2013 -0400
19755
19756 we only care about mmaps of the beginning of an ELF, filter out
19757 all others as suggested by pipacs
19758
19759 mm/mmap.c | 2 +-
19760 1 files changed, 1 insertions(+), 1 deletions(-)
19761
19762commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
19763Author: Brad Spengler <spender@grsecurity.net>
19764Date: Fri Aug 2 23:54:51 2013 -0400
19765
19766 add include
19767
19768 grsecurity/grsec_log.c | 1 +
19769 1 files changed, 1 insertions(+), 0 deletions(-)
19770
19771commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
19772Author: Brad Spengler <spender@grsecurity.net>
19773Date: Fri Aug 2 23:49:13 2013 -0400
19774
19775 fix compilation
19776
19777 include/linux/grinternal.h | 3 ++-
19778 1 files changed, 2 insertions(+), 1 deletions(-)
19779
19780commit 1704c23fdc55b68f512dc9927940e72237f3f43e
19781Author: Brad Spengler <spender@grsecurity.net>
19782Date: Fri Aug 2 23:34:35 2013 -0400
19783
19784 Improve PaX reporting (tells when anon mapping is stack or heap)
19785 Remove textrel logging option, combine into rwx logging option
19786 Enhance RWX logging option to display when PT_GNU_STACK-enabled library
19787 is loaded under an MPROTECTed binary
19788 Enhance RWX mprotect logging to display stack/heap instead of just
19789 anon mapping
19790
19791 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
19792 fs/exec.c | 4 ++++
19793 grsecurity/Kconfig | 21 +++++----------------
19794 grsecurity/grsec_init.c | 4 ----
19795 grsecurity/grsec_log.c | 14 ++++++++++++++
19796 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
19797 grsecurity/grsec_sysctl.c | 9 ---------
19798 include/linux/binfmts.h | 1 +
19799 include/linux/grinternal.h | 2 +-
19800 include/linux/grmsg.h | 3 ++-
19801 include/linux/grsecurity.h | 3 ++-
19802 mm/mmap.c | 7 +++++++
19803 mm/mprotect.c | 2 +-
19804 13 files changed, 88 insertions(+), 38 deletions(-)
19805
19806commit faf81c100c8565524e21c9af780a0ad2ce3fd925
19807Author: Brad Spengler <spender@grsecurity.net>
19808Date: Thu Aug 1 18:52:02 2013 -0400
19809
19810 add missing #define
19811
19812 grsecurity/gracl.c | 1 +
19813 1 files changed, 1 insertions(+), 0 deletions(-)
19814
19815commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
19816Author: Brad Spengler <spender@grsecurity.net>
19817Date: Thu Aug 1 18:43:53 2013 -0400
19818
19819 fix compilation for !COMPAT as reported on the forums
19820
19821 grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
19822 1 files changed, 97 insertions(+), 98 deletions(-)
19823
19824commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
19825Merge: 65019c9 7f91ba1
19826Author: Brad Spengler <spender@grsecurity.net>
19827Date: Wed Jul 31 17:47:31 2013 -0400
19828
19829 Merge branch 'pax-test' into grsec-test
19830
19831commit 65019c9bd05f860437071cbf00e2027fd2d68615
19832Author: Brad Spengler <spender@grsecurity.net>
19833Date: Wed Jul 31 17:47:20 2013 -0400
19834
19835 Revert "revert recent PaX change that causes boot failures with 32bit userland"
19836
19837 This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
19838
19839 arch/x86/include/asm/processor.h | 4 ++--
19840 arch/x86/kernel/cpu/common.c | 2 +-
19841 arch/x86/kernel/process_64.c | 2 +-
19842 arch/x86/kernel/smpboot.c | 2 +-
19843 arch/x86/xen/smp.c | 2 +-
19844 5 files changed, 6 insertions(+), 6 deletions(-)
19845
19846commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
19847Author: Brad Spengler <spender@grsecurity.net>
19848Date: Wed Jul 31 17:46:00 2013 -0400
19849
19850 Update to pax-linux-3.10.4-test7.patch:
19851 - added a few more missing format strings
19852 - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
19853 - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
19854 - fixed a UDEREF/i386 regression, __get_user_8 would always fail
19855
19856 arch/x86/include/asm/processor.h | 4 +-
19857 arch/x86/kernel/cpu/common.c | 2 +-
19858 arch/x86/kernel/dumpstack.c | 2 +-
19859 arch/x86/kernel/process_64.c | 2 +-
19860 arch/x86/kernel/reboot_fixups_32.c | 2 +-
19861 arch/x86/kernel/smpboot.c | 2 +-
19862 arch/x86/lib/getuser.S | 4 +-
19863 arch/x86/xen/smp.c | 2 +-
19864 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++--
19865 drivers/video/backlight/backlight.c | 2 +-
19866 drivers/video/backlight/lcd.c | 2 +-
19867 fs/binfmt_elf.c | 51 +++++++++++++++++++++++++---
19868 fs/exec.c | 50 +++++++++++++--------------
19869 include/linux/sched.h | 2 +
19870 14 files changed, 88 insertions(+), 47 deletions(-)
19871
19872commit 043130da54cb7cc8dc44e0ce889d426e889a0532
19873Author: Brad Spengler <spender@grsecurity.net>
19874Date: Wed Jul 31 16:26:58 2013 -0400
19875
19876 compile fix for !COMPAT as mentioned on forums
19877
19878 grsecurity/gracl.c | 2 ++
19879 1 files changed, 2 insertions(+), 0 deletions(-)
19880
19881commit ed0a195abd4e41c2449a020a53a19c74dc866d78
19882Author: Brad Spengler <spender@grsecurity.net>
19883Date: Tue Jul 30 22:33:14 2013 -0400
19884
19885 perform compat conversion of rlimit infinity
19886
19887 grsecurity/gracl_compat.c | 10 ++++++++--
19888 1 files changed, 8 insertions(+), 2 deletions(-)
19889
19890commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
19891Author: Brad Spengler <spender@grsecurity.net>
19892Date: Tue Jul 30 22:21:40 2013 -0400
19893
19894 remove debugging
19895
19896 grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
19897 1 files changed, 11 insertions(+), 33 deletions(-)
19898
19899commit e75b3f504692b97960a7530ad0855d91441d79c0
19900Author: Brad Spengler <spender@grsecurity.net>
19901Date: Tue Jul 30 22:20:32 2013 -0400
19902
19903 eliminate compat_dev_t
19904
19905 include/linux/gracl_compat.h | 4 ++--
19906 1 files changed, 2 insertions(+), 2 deletions(-)
19907
19908commit e5abbaf95313066a724e1a843d4fc902a9a6450e
19909Author: Brad Spengler <spender@grsecurity.net>
19910Date: Tue Jul 30 22:13:22 2013 -0400
19911
19912 fix compat rlimit size
19913
19914 grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
19915 include/linux/gracl_compat.h | 4 +-
19916 2 files changed, 49 insertions(+), 23 deletions(-)
19917
19918commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
19919Author: Brad Spengler <spender@grsecurity.net>
19920Date: Tue Jul 30 21:20:18 2013 -0400
19921
19922 compile fix
19923
19924 grsecurity/gracl.c | 4 ++--
19925 1 files changed, 2 insertions(+), 2 deletions(-)
19926
19927commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
19928Author: Brad Spengler <spender@grsecurity.net>
19929Date: Tue Jul 30 21:14:29 2013 -0400
19930
19931 copy correct pointer size in new compat code
19932
19933 grsecurity/gracl.c | 8 ++++----
19934 grsecurity/gracl_compat.c | 4 ++--
19935 2 files changed, 6 insertions(+), 6 deletions(-)
19936
19937commit 23278a1ee1c7738dd1e7005241394d32b82196e4
19938Author: Brad Spengler <spender@grsecurity.net>
19939Date: Tue Jul 30 19:48:58 2013 -0400
19940
19941 revert recent PaX change that causes boot failures with 32bit userland
19942
19943 arch/x86/include/asm/processor.h | 4 ++--
19944 arch/x86/kernel/cpu/common.c | 2 +-
19945 arch/x86/kernel/process_64.c | 2 +-
19946 arch/x86/kernel/smpboot.c | 2 +-
19947 arch/x86/xen/smp.c | 2 +-
19948 5 files changed, 6 insertions(+), 6 deletions(-)
19949
19950commit ec27f71a813656fea8ab37faecb2b485fe99d08e
19951Merge: 3a11bcf 05f0a61
19952Author: Brad Spengler <spender@grsecurity.net>
19953Date: Tue Jul 30 19:42:21 2013 -0400
19954
19955 Merge branch 'pax-test' into grsec-test
19956
19957commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
19958Author: Brad Spengler <spender@grsecurity.net>
19959Date: Tue Jul 30 19:41:44 2013 -0400
19960
19961 Update to pax-linux-3.10.4-test6.patch:
19962 - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender
19963
19964 include/linux/syscalls.h | 8 ++++++--
19965 1 files changed, 6 insertions(+), 2 deletions(-)
19966
19967commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
19968Author: Brad Spengler <spender@grsecurity.net>
19969Date: Tue Jul 30 19:15:50 2013 -0400
19970
19971 compile fix
19972
19973 grsecurity/gracl_compat.c | 6 ++++++
19974 1 files changed, 6 insertions(+), 0 deletions(-)
19975
19976commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
19977Author: Brad Spengler <spender@grsecurity.net>
19978Date: Tue Jul 30 19:12:46 2013 -0400
19979
19980 remove BUILD_BUG_ONs
19981
19982 grsecurity/gracl_compat.c | 20 --------------------
19983 1 files changed, 0 insertions(+), 20 deletions(-)
19984
19985commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
19986Author: Brad Spengler <spender@grsecurity.net>
19987Date: Tue Jul 30 00:18:36 2013 -0400
19988
19989 compile fixes
19990
19991 grsecurity/gracl_compat.c | 8 ++++----
19992 include/linux/gracl_compat.h | 2 +-
19993 2 files changed, 5 insertions(+), 5 deletions(-)
19994
19995commit 8b744005f8bae565e24c1fd88af77e6e619b9434
19996Author: Brad Spengler <spender@grsecurity.net>
19997Date: Tue Jul 30 00:16:42 2013 -0400
19998
19999 compile fixes
20000
20001 grsecurity/gracl.c | 4 ++--
20002 grsecurity/gracl_compat.c | 2 +-
20003 2 files changed, 3 insertions(+), 3 deletions(-)
20004
20005commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
20006Author: Brad Spengler <spender@grsecurity.net>
20007Date: Tue Jul 30 00:13:51 2013 -0400
20008
20009 compile fixes
20010
20011 grsecurity/gracl.c | 8 ++++----
20012 1 files changed, 4 insertions(+), 4 deletions(-)
20013
20014commit b93b829afcc98b6108b18d99ff63c53642d0b951
20015Author: Brad Spengler <spender@grsecurity.net>
20016Date: Tue Jul 30 00:11:03 2013 -0400
20017
20018 compile fixes
20019
20020 grsecurity/gracl_compat.c | 3 +++
20021 1 files changed, 3 insertions(+), 0 deletions(-)
20022
20023commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
20024Author: Brad Spengler <spender@grsecurity.net>
20025Date: Tue Jul 30 00:08:21 2013 -0400
20026
20027 more compile fixes
20028
20029 grsecurity/gracl.c | 28 ++++++++++++++--------------
20030 1 files changed, 14 insertions(+), 14 deletions(-)
20031
20032commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
20033Author: Brad Spengler <spender@grsecurity.net>
20034Date: Mon Jul 29 23:59:50 2013 -0400
20035
20036 more compile fixes
20037
20038 grsecurity/gracl.c | 10 +++++++++-
20039 1 files changed, 9 insertions(+), 1 deletions(-)
20040
20041commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
20042Author: Brad Spengler <spender@grsecurity.net>
20043Date: Mon Jul 29 23:56:47 2013 -0400
20044
20045 additional compile fixes
20046
20047 grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
20048 1 files changed, 49 insertions(+), 10 deletions(-)
20049
20050commit ac695a081d1124fb28bec46814535d34c5e40611
20051Author: Brad Spengler <spender@grsecurity.net>
20052Date: Mon Jul 29 23:47:15 2013 -0400
20053
20054 fix typo
20055
20056 grsecurity/gracl.c | 2 +-
20057 1 files changed, 1 insertions(+), 1 deletions(-)
20058
20059commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
20060Author: Brad Spengler <spender@grsecurity.net>
20061Date: Mon Jul 29 23:46:59 2013 -0400
20062
20063 compile fixes
20064
20065 grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
20066 1 files changed, 39 insertions(+), 14 deletions(-)
20067
20068commit 82631f451cc7432b6c5578cf8d24155473feb25c
20069Author: Brad Spengler <spender@grsecurity.net>
20070Date: Mon Jul 29 23:22:44 2013 -0400
20071
20072 Initial commit of compat RBAC loading
20073 Permits 32bit gradm to load policy for a 64bit kernel
20074
20075 Also removed code duplication for copying strings into the kernel
20076
20077 Work performed as part of sponsorship
20078
20079 grsecurity/Makefile | 4 +
20080 grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
20081 grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
20082 include/linux/gracl_compat.h | 156 +++++++++++++++++++++
20083 4 files changed, 603 insertions(+), 142 deletions(-)
20084
20085commit 84c4a433dfb096e4a1162ee5e68025122c70b421
20086Merge: c9d3ed3 9fe5897
20087Author: Brad Spengler <spender@grsecurity.net>
20088Date: Mon Jul 29 17:08:56 2013 -0400
20089
20090 Merge branch 'pax-test' into grsec-test
20091
20092commit 9fe58978938e357642885866ca48090a7753d403
20093Merge: 8f693ad 6f7bb6b
20094Author: Brad Spengler <spender@grsecurity.net>
20095Date: Mon Jul 29 17:08:43 2013 -0400
20096
20097 Merge branch 'linux-3.10.y' into pax-test
20098
20099commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
20100Merge: d5e5bfd 8f693ad
20101Author: Brad Spengler <spender@grsecurity.net>
20102Date: Sun Jul 28 10:03:08 2013 -0400
20103
20104 Merge branch 'pax-test' into grsec-test
20105
20106commit 8f693ade9b3e448f92706d34148b00a087637f70
20107Author: Brad Spengler <spender@grsecurity.net>
20108Date: Sun Jul 28 10:02:16 2013 -0400
20109
20110 Update to pax-linux-3.10.3-test5.patch:
20111 - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
20112 - fixed handling of faulting userland accesses for UDEREF/arm, from spender
20113 - updated the size overflow hash table, from Emese
20114
20115 arch/arm/kernel/entry-armv.S | 3 +-
20116 arch/x86/include/asm/processor.h | 4 +-
20117 arch/x86/kernel/cpu/common.c | 2 +-
20118 arch/x86/kernel/process_64.c | 2 +-
20119 arch/x86/kernel/smpboot.c | 2 +-
20120 arch/x86/xen/smp.c | 2 +-
20121 tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++----
20122 7 files changed, 513 insertions(+), 55 deletions(-)
20123
20124commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
20125Merge: 19e077b 8a8a0d0
20126Author: Brad Spengler <spender@grsecurity.net>
20127Date: Thu Jul 25 21:05:18 2013 -0400
20128
20129 Merge branch 'pax-test' into grsec-test
20130
20131commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
20132Author: Brad Spengler <spender@grsecurity.net>
20133Date: Thu Jul 25 21:04:09 2013 -0400
20134
20135 Update to pax-linux-3.10.3-test4.patch:
20136 - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
20137 this is finer grained sanitization than the existing per-page based approach (which
20138 is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
20139 line option can be used to enable/disable it on boot (it's enabled by default when
20140 CONFIG_PAX_MEMORY_SANITIZE is enabled).
20141
20142 Documentation/kernel-parameters.txt | 4 ++++
20143 fs/buffer.c | 2 +-
20144 fs/dcache.c | 3 ++-
20145 include/linux/slab.h | 7 +++++++
20146 include/linux/slab_def.h | 4 ++++
20147 kernel/fork.c | 2 +-
20148 mm/rmap.c | 6 ++++--
20149 mm/slab.c | 27 +++++++++++++++++++++++++++
20150 mm/slab.h | 12 +++++++++++-
20151 mm/slab_common.c | 14 ++++++++++++++
20152 mm/slob.c | 5 +++++
20153 mm/slub.c | 11 +++++++++++
20154 net/core/skbuff.c | 6 ++++--
20155 security/Kconfig | 23 +++++++++++++++++------
20156 14 files changed, 112 insertions(+), 14 deletions(-)
20157
20158commit 19e077bfff54ca211d0142c07cb6dd88069a390c
20159Merge: 960ec51 c8f7f51
20160Author: Brad Spengler <spender@grsecurity.net>
20161Date: Thu Jul 25 19:53:34 2013 -0400
20162
20163 Merge branch 'pax-test' into grsec-test
20164
20165commit c8f7f51591207b82530214300e86277028919286
20166Merge: d5142e3 81a4648
20167Author: Brad Spengler <spender@grsecurity.net>
20168Date: Thu Jul 25 19:52:29 2013 -0400
20169
20170 Update to pax-linux-3.10.3-test3.patch:
20171 - fixed some compile issues reported by Michael Tremer and spender
20172 - fixed an i386 regression with the lower address space gap on i386, reported by cnu
20173
20174 Merge branch 'linux-3.10.y' into pax-test
20175
20176 Conflicts:
20177 kernel/time/tick-broadcast.c
20178
20179commit 960ec51ab2142544fbae563d4fd5744775408965
20180Author: Al Viro <viro@zeniv.linux.org.uk>
20181Date: Sat Jul 20 03:13:55 2013 +0400
20182
20183 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
20184
20185 livelock avoidance in sget()
20186
20187 Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
20188 to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
20189 ->s_active is 1. Along comes two more processes, trying to mount the same
20190 thing; sget() in each is picking that superblock, bumping ->s_count and
20191 trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
20192 finally gets to deactivate_locked_super() on failure; ->s_active is 2,
20193 superblock is still ->fs_supers because shutdown will *not* happen until
20194 ->s_active hits 0. ->s_umount is dropped and now we have two processes
20195 chasing each other:
20196 s_active = 2, A acquired ->s_umount, B blocked
20197 A sees that the damn thing is stillborn, does deactivate_locked_super()
20198 s_active = 1, A drops ->s_umount, B gets it
20199 A restarts the search and finds the same superblock. And bumps it ->s_active.
20200 s_active = 2, B holds ->s_umount, A blocked on trying to get it
20201 ... and we are in the earlier situation with A and B switched places.
20202
20203 The root cause, of course, is that ->s_active should not grow until we'd
20204 got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
20205 shut the damn thing down. Fortunately, it's easy to do - the key point
20206 is that grab_super() is called only for superblocks currently on ->fs_supers,
20207 so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
20208 bump ->s_active; we must never increment ->s_count for superblocks past
20209 ->kill_sb(), but grab_super() is never called for those.
20210
20211 The bug is pretty old; we would've caught it by now, if not for accidental
20212 exclusion between sget() for block filesystems; the things like cgroup or
20213 e.g. mtd-based filesystems don't have anything of that sort, so they get
20214 bitten. The right way to deal with that is obviously to fix sget()...
20215
20216 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
20217
20218 fs/super.c | 25 ++++++++++---------------
20219 1 files changed, 10 insertions(+), 15 deletions(-)
20220
20221commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
20222Merge: ab95b58 d5142e3
20223Author: Brad Spengler <spender@grsecurity.net>
20224Date: Sun Jul 21 22:47:46 2013 -0400
20225
20226 Merge branch 'pax-test' into grsec-test
20227
20228commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
20229Merge: f36ae8c 0f4a56e
20230Author: Brad Spengler <spender@grsecurity.net>
20231Date: Sun Jul 21 22:47:34 2013 -0400
20232
20233 Merge branch 'linux-3.10.y' into pax-test
20234
20235commit ab95b5842899d61ff5c30f4582e72029b3155be8
20236Author: Brad Spengler <spender@grsecurity.net>
20237Date: Sun Jul 21 22:28:40 2013 -0400
20238
20239 compile fix with constification reported by Michael Tremer
20240
20241 drivers/gpu/host1x/drm/dc.c | 2 +-
20242 1 files changed, 1 insertions(+), 1 deletions(-)
20243
20244commit 817cd2d1e7a55720326599dd8f542578eef30927
20245Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
20246Date: Fri Jul 12 23:46:33 2013 +0200
20247
20248 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
20249
20250 ipv6: only static routes qualify for equal cost multipathing
20251
20252 Static routes in this case are non-expiring routes which did not get
20253 configured by autoconf or by icmpv6 redirects.
20254
20255 To make sure we actually get an ecmp route while searching for the first
20256 one in this fib6_node's leafs, also make sure it matches the ecmp route
20257 assumptions.
20258
20259 v2:
20260 a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
20261 already ensures that this route, even if added again without
20262 RTF_EXPIRES (in case of a RA announcement with infinite timeout),
20263 does not cause the rt6i_nsiblings logic to go wrong if a later RA
20264 updates the expiration time later.
20265
20266 v3:
20267 a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
20268 because an pmtu event could update the RTF_EXPIRES flag and we would
20269 not count this route, if another route joins this set. We now filter
20270 only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
20271 don't get changed after rt6_info construction.
20272
20273 Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
20274 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
20275 Signed-off-by: David S. Miller <davem@davemloft.net>
20276
20277 net/ipv6/ip6_fib.c | 15 +++++++++++----
20278 1 files changed, 11 insertions(+), 4 deletions(-)
20279
20280commit 77db8196d51b043e2e2d124094da101b0f01bccb
20281Author: Dan Carpenter <dan.carpenter@oracle.com>
20282Date: Fri Jul 12 09:39:03 2013 +0300
20283
20284 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
20285
20286 svcrdma: underflow issue in decode_write_list()
20287
20288 My static checker marks everything from ntohl() as untrusted and it
20289 complains we could have an underflow problem doing:
20290
20291 return (u32 *)&ary->wc_array[nchunks];
20292
20293 Also on 32 bit systems the upper bound check could overflow.
20294
20295 Cc: stable@vger.kernel.org
20296 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
20297 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
20298
20299 net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
20300 1 files changed, 14 insertions(+), 6 deletions(-)
20301
20302commit 926473317fd7953137ef97835edd36dabc584b01
20303Author: Brad Spengler <spender@grsecurity.net>
20304Date: Wed Jul 17 21:29:02 2013 -0400
20305
20306 add missing asm/pgtable.h include, reported by Michael Tremer
20307
20308 drivers/clk/socfpga/clk.c | 1 +
20309 1 files changed, 1 insertions(+), 0 deletions(-)
20310
20311commit c592ae0001b31932ef1491784dfa374058797c66
20312Author: Brad Spengler <spender@grsecurity.net>
20313Date: Tue Jul 16 20:40:24 2013 -0400
20314
20315 allow viewing of ecryptfs version under SYSFS_RESTRICT
20316
20317 fs/sysfs/dir.c | 2 +-
20318 1 files changed, 1 insertions(+), 1 deletions(-)
20319
20320commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
20321Merge: 9c96441 f36ae8c
20322Author: Brad Spengler <spender@grsecurity.net>
20323Date: Sun Jul 14 19:23:13 2013 -0400
20324
20325 Merge branch 'pax-test' into grsec-test
20326
20327commit f36ae8c741ae32b1caff10825be12c327792c925
20328Author: Brad Spengler <spender@grsecurity.net>
20329Date: Sun Jul 14 19:22:15 2013 -0400
20330
20331 Update to pax-linux-3.10-test2.patch:
20332 - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
20333 - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
20334 - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
20335 - spender fixed an madvise regression, reported by Peter Keel
20336 - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
20337 - fixed a headers_install regression, reported by Mathias Krause
20338 - fixed a SLOB compile regression, reported by Mathias Krause
20339
20340 arch/arm/include/asm/uaccess.h | 4 ++--
20341 arch/arm/mm/mmu.c | 15 +++++++++++++--
20342 drivers/clk/socfpga/clk.c | 6 ++++--
20343 mm/madvise.c | 4 ++--
20344 mm/slab.c | 4 ++--
20345 mm/slob.c | 4 ++--
20346 scripts/headers_install.sh | 2 +-
20347 7 files changed, 26 insertions(+), 13 deletions(-)
20348
20349commit 9c9644156a49637050741d9165df79174e59b0ef
20350Author: Brad Spengler <spender@grsecurity.net>
20351Date: Sun Jul 14 19:19:54 2013 -0400
20352
20353 Fix sparc64 compilation, reported by Blake Self
20354
20355 arch/sparc/kernel/sys_sparc_64.c | 4 ++--
20356 1 files changed, 2 insertions(+), 2 deletions(-)
20357
20358commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
20359Author: Brad Spengler <spender@grsecurity.net>
20360Date: Sun Jul 14 11:49:17 2013 -0400
20361
20362 Update PaX fix, just return the error
20363
20364 mm/madvise.c | 15 +++++++--------
20365 1 files changed, 7 insertions(+), 8 deletions(-)
20366
20367commit a10e377d0eddd37e8a3665b135e546ab03d9d171
20368Author: Brad Spengler <spender@grsecurity.net>
20369Date: Sun Jul 14 11:36:00 2013 -0400
20370
20371 Fix madvise oops reported by Peter Keel
20372
20373 mm/madvise.c | 11 ++++++-----
20374 1 files changed, 6 insertions(+), 5 deletions(-)
20375
20376commit 08c5adca34d408772255b313f90d82c250c1d967
20377Author: Brad Spengler <spender@grsecurity.net>
20378Date: Sun Jul 14 11:26:34 2013 -0400
20379
20380 don't make high vector mapping non-present on old ARM architectures, no
20381 point in emulating some vector entries when the processor doesn't even support XN
20382
20383 arch/arm/mm/mmu.c | 7 +++++--
20384 1 files changed, 5 insertions(+), 2 deletions(-)
20385
20386commit 2b40781d4197a89a003616af584884e36361c5b2
20387Author: Brad Spengler <spender@grsecurity.net>
20388Date: Sun Jul 14 09:51:58 2013 -0400
20389
20390 Temporary compile fix for code incorrectly modifying const data
20391 Wrap a cast version of the code with open/close
20392
20393 Thanks to Michael Tremer for the report
20394
20395 drivers/clk/socfpga/clk.c | 6 ++++--
20396 1 files changed, 4 insertions(+), 2 deletions(-)
20397
20398commit a8258c1b4098c396cd4ea719e20858182feac1c1
20399Author: Brad Spengler <spender@grsecurity.net>
20400Date: Sun Jul 14 09:41:16 2013 -0400
20401
20402 Fix missing right parens in pipacs' "improvement" of my ARM code ;)
20403 Thanks to Michael Tremer for reporting
20404
20405 arch/arm/include/asm/uaccess.h | 4 ++--
20406 1 files changed, 2 insertions(+), 2 deletions(-)
20407
20408commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
20409Merge: 86f446e 2577f8e
20410Author: Brad Spengler <spender@grsecurity.net>
20411Date: Sat Jul 13 20:46:58 2013 -0400
20412
20413 Merge branch 'pax-test' into grsec-test
20414
20415 Conflicts:
20416 mm/memcontrol.c
20417
20418commit 2577f8e4ec41efb347706a59c6838de20f0c90da
20419Merge: 75a36f0 cb5d8be
20420Author: Brad Spengler <spender@grsecurity.net>
20421Date: Sat Jul 13 20:43:42 2013 -0400
20422
20423 Merge branch 'linux-3.10.y' into pax-test
20424
20425 Conflicts:
20426 crypto/algapi.c
20427 drivers/block/nbd.c
20428
20429commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
20430Author: Brad Spengler <spender@grsecurity.net>
20431Date: Fri Jul 12 23:02:11 2013 -0400
20432
20433 we always want the vector page to be noaccess for userland
20434 therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
20435 which turns into supervisor rwx, userland rx, we instead omit that entirely,
20436 leaving it as supervisor rwx only
20437
20438 Fixes booting on ARMv5 and earlier, which need to write directly
20439 to the high vector mapping via set_tls when context switching
20440
20441 Thanks to Michael Tremer for the bugreport
20442
20443 arch/arm/mm/mmu.c | 12 ++++++++++--
20444 1 files changed, 10 insertions(+), 2 deletions(-)
20445
20446commit 90cd0827eef656ec884f19c977873fefe2f2e47d
20447Author: Cong Wang <amwang@redhat.com>
20448Date: Sat Jun 29 12:02:59 2013 +0800
20449
20450 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
20451
20452 gre: fix a regression in ioctl
20453
20454 When testing GRE tunnel, I got:
20455
20456 # ip tunnel show
20457 get tunnel gre0 failed: Invalid argument
20458 get tunnel gre1 failed: Invalid argument
20459
20460 This is a regression introduced by commit c54419321455631079c7d
20461 ("GRE: Refactor GRE tunneling code.") because previously we
20462 only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
20463 after that commit, the check is moved for all commands.
20464
20465 So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
20466
20467 After this patch I got:
20468
20469 # ip tunnel show
20470 gre0: gre/ip remote any local any ttl inherit nopmtudisc
20471 gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit
20472
20473 Cc: Pravin B Shelar <pshelar@nicira.com>
20474 Cc: "David S. Miller" <davem@davemloft.net>
20475 Signed-off-by: Cong Wang <amwang@redhat.com>
20476 Signed-off-by: David S. Miller <davem@davemloft.net>
20477
20478 net/ipv4/ip_gre.c | 9 +++++----
20479 1 files changed, 5 insertions(+), 4 deletions(-)
20480
20481commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
20482Author: Cong Wang <amwang@redhat.com>
20483Date: Sat Jun 29 13:00:57 2013 +0800
20484
20485 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
20486
20487 vti: remove duplicated code to fix a memory leak
20488
20489 vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
20490 and in vti_tunnel_init(), this lead to a memory leak of
20491 dev->tstats.
20492
20493 Just remove the duplicated operations in vti_fb_tunnel_init().
20494
20495 (candidate for -stable)
20496
20497 Cc: Stephen Hemminger <stephen@networkplumber.org>
20498 Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
20499 Cc: "David S. Miller" <davem@davemloft.net>
20500 Signed-off-by: Cong Wang <amwang@redhat.com>
20501 Acked-by: Stephen Hemminger <stephen@networkplumber.org>
20502 Signed-off-by: David S. Miller <davem@davemloft.net>
20503
20504 net/ipv4/ip_vti.c | 7 -------
20505 1 files changed, 0 insertions(+), 7 deletions(-)
20506
20507commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
20508Author: Michal Schmidt <mschmidt@redhat.com>
20509Date: Mon Jul 1 17:23:05 2013 +0200
20510
20511 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
20512
20513 bnx2x: remove zeroing of dump data buffer
20514
20515 There is no need to initialize the dump data with zeros.
20516 data is allocated with vzalloc, so it's already zero-filled.
20517
20518 More importantly, the memset is harmful, because dump->len (the length
20519 requested by userspace) can be bigger than the allocated buffer (whose
20520 size is determined by asking the driver's .get_dump_flag method).
20521
20522 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
20523 Signed-off-by: David S. Miller <davem@davemloft.net>
20524
20525 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 --
20526 1 files changed, 0 insertions(+), 2 deletions(-)
20527
20528commit c771072b72c261f9bddd6734dca6979c1b96e7df
20529Author: Michal Schmidt <mschmidt@redhat.com>
20530Date: Mon Jul 1 17:23:06 2013 +0200
20531
20532 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
20533
20534 bnx2x: fix dump flag handling
20535
20536 bnx2x interprets the dump flag as an index of a register preset.
20537 It is important to validate the index to avoid out of bounds
20538 memory accesses.
20539
20540 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
20541 Signed-off-by: David S. Miller <davem@davemloft.net>
20542
20543 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++
20544 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++
20545 2 files changed, 5 insertions(+), 0 deletions(-)
20546
20547commit aed315c8fad9b2044143b46b239574b1b72135ce
20548Author: Michal Schmidt <mschmidt@redhat.com>
20549Date: Mon Jul 1 17:23:30 2013 +0200
20550
20551 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
20552
20553 ethtool: make .get_dump_data() harder to misuse by drivers
20554
20555 As the patch "bnx2x: remove zeroing of dump data buffer" showed,
20556 it is too easy implement .get_dump_data incorrectly in a driver.
20557
20558 Let's make sure drivers cannot get confused by userspace requesting
20559 a too big dump.
20560
20561 Also WARN if the driver sets dump->len to something weird and make
20562 sure the length reported to userspace is the actual length of data
20563 copied to userspace.
20564
20565 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
20566 Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
20567 Signed-off-by: David S. Miller <davem@davemloft.net>
20568
20569 net/core/ethtool.c | 21 ++++++++++++++++++++-
20570 1 files changed, 20 insertions(+), 1 deletions(-)
20571
20572commit 5c57991e66216e386dcc875d34c33f0edd038569
20573Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
20574Date: Tue Jul 2 09:02:07 2013 +0800
20575
20576 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
20577
20578 l2tp: add missing .owner to struct pppox_proto
20579
20580 Add missing .owner of struct pppox_proto. This prevents the
20581 module from being removed from underneath its users.
20582
20583 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
20584 Signed-off-by: David S. Miller <davem@davemloft.net>
20585
20586 net/l2tp/l2tp_ppp.c | 3 ++-
20587 1 files changed, 2 insertions(+), 1 deletions(-)
20588
20589commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
20590Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
20591Date: Sun Jun 30 14:37:11 2013 +1000
20592
20593 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
20594
20595 cxgb3: Missing rtnl lock in error recovery
20596
20597 When exercising error injection on IBM pseries machine, I hit the
20598 following warning:
20599
20600 [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
20601 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
20602 [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
20603 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
20604 [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
20605 [ 254.895474] Call Trace:
20606 [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
20607 [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
20608 [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
20609 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
20610 [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
20611 [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
20612 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
20613 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
20614 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
20615 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
20616 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
20617
20618 It appears that t3_resume_ports() is called with the rtnl_lock held from
20619 the fatal error task but not from the PCI error callbacks. This fixes it.
20620
20621 Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
20622 Signed-off-by: David S. Miller <davem@davemloft.net>
20623
20624 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
20625 1 files changed, 2 insertions(+), 0 deletions(-)
20626
20627commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
20628Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
20629Date: Mon Jul 1 20:21:30 2013 +0200
20630
20631 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
20632
20633 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
20634
20635 We accidentally call down to ip6_push_pending_frames when uncorking
20636 pending AF_INET data on a ipv6 socket. This results in the following
20637 splat (from Dave Jones):
20638
20639 skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
20640 ------------[ cut here ]------------
20641 kernel BUG at net/core/skbuff.c:126!
20642 invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
20643 Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
20644 +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
20645 CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
20646 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
20647 RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
20648 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
20649 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
20650 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
20651 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
20652 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
20653 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
20654 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
20655 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
20656 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
20657 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
20658 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
20659 Stack:
20660 ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
20661 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
20662 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
20663 Call Trace:
20664 [<ffffffff8159a9aa>] skb_push+0x3a/0x40
20665 [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
20666 [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
20667 [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
20668 [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
20669 [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
20670 [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
20671 [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
20672 [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
20673 [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
20674 [<ffffffff816f5d54>] tracesys+0xdd/0xe2
20675 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
20676 RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
20677 RSP <ffff8801e6431de8>
20678
20679 This patch adds a check if the pending data is of address family AF_INET
20680 and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
20681 if that is the case.
20682
20683 This bug was found by Dave Jones with trinity.
20684
20685 (Also move the initialization of fl6 below the AF_INET check, even if
20686 not strictly necessary.)
20687
20688 Cc: Dave Jones <davej@redhat.com>
20689 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
20690 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
20691 Signed-off-by: David S. Miller <davem@davemloft.net>
20692
20693 include/net/udp.h | 1 +
20694 net/ipv4/udp.c | 3 ++-
20695 net/ipv6/udp.c | 7 ++++++-
20696 3 files changed, 9 insertions(+), 2 deletions(-)
20697
20698commit cd83094a85d9bbd5a67332156407d53cf8835432
20699Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
20700Date: Tue Jul 2 08:04:05 2013 +0200
20701
20702 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
20703
20704 ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
20705
20706 If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
20707 of this when appending the second frame on a corked socket. This results
20708 in the following splat:
20709
20710 [37598.993962] ------------[ cut here ]------------
20711 [37598.994008] kernel BUG at net/core/skbuff.c:2064!
20712 [37598.994008] invalid opcode: 0000 [#1] SMP
20713 [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
20714 +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
20715 +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
20716 [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
20717 +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
20718 [37598.994008] CPU 0
20719 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
20720 [37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
20721 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
20722 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
20723 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
20724 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
20725 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
20726 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
20727 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
20728 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
20729 [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
20730 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
20731 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
20732 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
20733 [37598.994008] Stack:
20734 [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
20735 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
20736 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
20737 [37598.994008] Call Trace:
20738 [37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
20739 [37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
20740 [37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
20741 [37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
20742 [37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
20743 [37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
20744 [37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
20745 [37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
20746 [37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
20747 [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
20748 [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
20749 [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
20750 [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
20751 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
20752 [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
20753 [37598.994008] RSP <ffff88003670da18>
20754 [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
20755
20756 While there, also check if path mtu discovery is activated for this
20757 socket. The logic was adapted from ip6_append_data when first writing
20758 on the corked socket.
20759
20760 This bug was introduced with commit
20761 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
20762 fragment").
20763
20764 v2:
20765 a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
20766 b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
20767 feng, thanks!).
20768 c) Change mtu to unsigned int, else we get a warning about
20769 non-matching types because of the min()-macro type-check.
20770
20771 Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
20772 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
20773 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
20774 Signed-off-by: David S. Miller <davem@davemloft.net>
20775
20776 net/ipv6/ip6_output.c | 16 ++++++++++------
20777 1 files changed, 10 insertions(+), 6 deletions(-)
20778
20779commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
20780Author: Michael S. Tsirkin <mst@redhat.com>
20781Date: Sun Jul 7 14:26:53 2013 +0300
20782
20783 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
20784
20785 vhost-net: fix use-after-free in vhost_net_flush
20786
20787 vhost_net_ubuf_put_and_wait has a confusing name:
20788 it will actually also free it's argument.
20789 Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
20790 "vhost-net: flush outstanding DMAs on memory change"
20791 vhost_net_flush tries to use the argument after passing it
20792 to vhost_net_ubuf_put_and_wait, this results
20793 in use after free.
20794 To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
20795 add an new API for callers that want to free ubufs.
20796
20797 Acked-by: Asias He <asias@redhat.com>
20798 Acked-by: Jason Wang <jasowang@redhat.com>
20799 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
20800 Signed-off-by: David S. Miller <davem@davemloft.net>
20801
20802 drivers/vhost/net.c | 9 +++++++--
20803 1 files changed, 7 insertions(+), 2 deletions(-)
20804
20805commit 088806db74ac2f08c106202bc5498585a9ee529f
20806Author: Michal Hocko <mhocko@suse.cz>
20807Date: Mon Jul 8 16:00:29 2013 -0700
20808
20809 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
20810
20811 memcg, kmem: fix reference count handling on the error path
20812
20813 mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
20814 This is not correct because only memcg_propagate_kmem takes an
20815 additional reference while mem_cgroup_sockets_init is allowed to fail as
20816 well (although no current implementation fails) but it doesn't take any
20817 reference. This all suggests that it should be memcg_propagate_kmem
20818 that should clean up after itself so this patch moves mem_cgroup_put
20819 over there.
20820
20821 Unfortunately this is not that easy (as pointed out by Li Zefan) because
20822 memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
20823 marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
20824 memcg_propagate_kmem fails so the additional reference is dropped in
20825 that case in kmem_cgroup_destroy which means that the reference would be
20826 dropped two times.
20827
20828 The easiest way then would be to simply remove mem_cgrroup_put from
20829 mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
20830 thing.
20831
20832 Signed-off-by: Michal Hocko <mhocko@suse.cz>
20833 Signed-off-by: Li Zefan <lizefan@huawei.com>
20834 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
20835 Cc: Hugh Dickins <hughd@google.com>
20836 Cc: Tejun Heo <tj@kernel.org>
20837 Cc: Glauber Costa <glommer@openvz.org>
20838 Cc: Johannes Weiner <hannes@cmpxchg.org>
20839 Cc: <stable@vger.kernel.org> [3.8]
20840 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
20841 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
20842
20843 mm/memcontrol.c | 8 --------
20844 1 files changed, 0 insertions(+), 8 deletions(-)
20845
20846commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
20847Author: Michal Hocko <mhocko@suse.cz>
20848Date: Mon Jul 8 16:00:27 2013 -0700
20849
20850 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
20851
20852 Revert "memcg: avoid dangling reference count in creation failure"
20853
20854 This reverts commit e4715f01be697a.
20855
20856 mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
20857 an additional reference from all parents so the additional
20858 mem_cgrroup_put(parent) potentially causes use-after-free.
20859
20860 Signed-off-by: Michal Hocko <mhocko@suse.cz>
20861 Signed-off-by: Li Zefan <lizefan@huawei.com>
20862 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
20863 Cc: Hugh Dickins <hughd@google.com>
20864 Cc: Tejun Heo <tj@kernel.org>
20865 Cc: Glauber Costa <glommer@openvz.org>
20866 Cc: Johannes Weiner <hannes@cmpxchg.org>
20867 Cc: <stable@vger.kernel.org> [3.9+]
20868 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
20869 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
20870
20871 mm/memcontrol.c | 2 --
20872 1 files changed, 0 insertions(+), 2 deletions(-)
20873
20874commit 3267ec559f48327a1836eccecd53215afc5810d0
20875Author: Tyler Hicks <tyhicks@canonical.com>
20876Date: Thu Jun 20 13:13:59 2013 -0700
20877
20878 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
20879
20880 libceph: Fix NULL pointer dereference in auth client code
20881
20882 A malicious monitor can craft an auth reply message that could cause a
20883 NULL function pointer dereference in the client's kernel.
20884
20885 To prevent this, the auth_none protocol handler needs an empty
20886 ceph_auth_client_ops->build_request() function.
20887
20888 CVE-2013-1059
20889
20890 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
20891 Reported-by: Chanam Park <chanam.park@hkpco.kr>
20892 Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
20893 Reviewed-by: Sage Weil <sage@inktank.com>
20894 Cc: stable@vger.kernel.org
20895
20896 net/ceph/auth_none.c | 6 ++++++
20897 1 files changed, 6 insertions(+), 0 deletions(-)
20898
20899commit cdfeb4049e7cb38702215b2c356ce0407974ac79
20900Author: Eric Paris <eparis@redhat.com>
20901Date: Wed Jul 3 15:08:29 2013 -0700
20902
20903 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
20904
20905 fork: reorder permissions when violating number of processes limits
20906
20907 When a task is attempting to violate the RLIMIT_NPROC limit we have a
20908 check to see if the task is sufficiently priviledged. The check first
20909 looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
20910
20911 A result is that tasks which are allowed by the uid=0 check are first
20912 checked against the security subsystem. This results in the security
20913 subsystem auditting a denial for sys_admin and sys_resource and then the
20914 task passing the uid=0 check.
20915
20916 This patch rearranges the code to first check uid=0, since if we pass that
20917 we shouldn't hit the security system at all. We then check sys_resource,
20918 since it is the smallest capability which will solve the problem. Lastly
20919 we check the fallback everything cap_sysadmin. We don't want to give this
20920 capability many places since it is so powerful.
20921
20922 This will eliminate many of the false positive/needless denial messages we
20923 get when a root task tries to violate the nproc limit. (note that
20924 kthreads count against root, so on a sufficiently large machine we can
20925 actually get past the default limits before any userspace tasks are
20926 launched.)
20927
20928 Signed-off-by: Eric Paris <eparis@redhat.com>
20929 Cc: Al Viro <viro@zeniv.linux.org.uk>
20930 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
20931 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
20932
20933 kernel/fork.c | 4 ++--
20934 1 files changed, 2 insertions(+), 2 deletions(-)
20935
20936commit 08c87e049c8a50707908785d950fd48c334f4c09
20937Author: Chen Gang <gang.chen@asianux.com>
20938Date: Sat Jun 22 13:26:09 2013 +0800
20939
20940 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
20941
20942 arch: sparc: kernel: check the memory length before use strcpy().
20943
20944 For the related next strcpy(), the destination length is less than 512,
20945 but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
20946 more than 512.
20947
20948 One work flow may:
20949 openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT)
20950 getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
20951 opromsetopt() -> devide the buffer into 'var' and 'value'
20952 of_set_property() -> pass
20953 prom_setprop() -> pass
20954 ldom_set_var()
20955
20956 And do not mind the additional 4 alignment buffer increasing, since
20957 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
20958
20959 Signed-off-by: Chen Gang <gang.chen@asianux.com>
20960 Signed-off-by: David S. Miller <davem@davemloft.net>
20961
20962 arch/sparc/kernel/ds.c | 10 ++++++++++
20963 1 files changed, 10 insertions(+), 0 deletions(-)
20964
20965commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
20966Author: Brad Spengler <spender@grsecurity.net>
20967Date: Fri Jul 12 20:38:45 2013 -0400
20968
20969 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
20970
20971 Unlike slub, slab can initally create two of the kmalloc_caches
20972 which will be used later for generic kmallocs of their particular
20973 aligned size (since the later loop in the unified allocator code
20974 skips any already-existing kmalloc_caches)
20975
20976 mm/slab.c | 4 ++--
20977 1 files changed, 2 insertions(+), 2 deletions(-)
20978
20979commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
20980Author: Brad Spengler <spender@grsecurity.net>
20981Date: Tue Jul 9 22:04:59 2013 -0400
20982
20983 compile fixes
20984
20985 fs/exec.c | 2 +-
20986 mm/mmap.c | 4 ++--
20987 2 files changed, 3 insertions(+), 3 deletions(-)
20988
20989commit e2d027c7e0f106be683c0c72482b8285daefcbe6
20990Author: Brad Spengler <spender@grsecurity.net>
20991Date: Tue Jul 9 20:58:40 2013 -0400
20992
20993 commit successful merges
20994
20995 Documentation/kernel-parameters.txt | 4 +
20996 Makefile | 8 +-
20997 arch/alpha/include/asm/cache.h | 4 +-
20998 arch/alpha/kernel/osf_sys.c | 12 +-
20999 arch/arm/include/asm/thread_info.h | 3 +-
21000 arch/arm/kernel/ptrace.c | 9 +
21001 arch/arm/kernel/traps.c | 7 +-
21002 arch/arm/mm/fault.c | 29 +-
21003 arch/arm/mm/mmap.c | 8 +-
21004 arch/avr32/include/asm/cache.h | 4 +-
21005 arch/blackfin/include/asm/cache.h | 3 +-
21006 arch/cris/include/arch-v10/arch/cache.h | 3 +-
21007 arch/cris/include/arch-v32/arch/cache.h | 3 +-
21008 arch/frv/include/asm/cache.h | 3 +-
21009 arch/frv/mm/elf-fdpic.c | 4 +-
21010 arch/hexagon/include/asm/cache.h | 6 +-
21011 arch/ia64/include/asm/cache.h | 3 +-
21012 arch/ia64/kernel/sys_ia64.c | 2 +
21013 arch/ia64/mm/hugetlbpage.c | 2 +
21014 arch/m32r/include/asm/cache.h | 4 +-
21015 arch/m68k/include/asm/cache.h | 4 +-
21016 arch/metag/mm/hugetlbpage.c | 1 +
21017 arch/microblaze/include/asm/cache.h | 3 +-
21018 arch/mips/include/asm/cache.h | 3 +-
21019 arch/mips/include/asm/thread_info.h | 9 +-
21020 arch/mips/kernel/ptrace.c | 9 +
21021 arch/mips/kernel/scall32-o32.S | 2 +-
21022 arch/mips/kernel/scall64-64.S | 2 +-
21023 arch/mips/kernel/scall64-n32.S | 2 +-
21024 arch/mips/kernel/scall64-o32.S | 2 +-
21025 arch/mips/mm/mmap.c | 4 +-
21026 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
21027 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
21028 arch/openrisc/include/asm/cache.h | 4 +-
21029 arch/parisc/include/asm/cache.h | 5 +-
21030 arch/parisc/kernel/sys_parisc.c | 17 +-
21031 arch/powerpc/include/asm/cache.h | 3 +-
21032 arch/powerpc/kernel/process.c | 10 +-
21033 arch/powerpc/kernel/ptrace.c | 14 +
21034 arch/powerpc/kernel/traps.c | 5 +
21035 arch/s390/include/asm/cache.h | 4 +-
21036 arch/score/include/asm/cache.h | 4 +-
21037 arch/sh/include/asm/cache.h | 3 +-
21038 arch/sh/mm/mmap.c | 6 +-
21039 arch/sparc/include/asm/cache.h | 4 +-
21040 arch/sparc/include/asm/thread_info_64.h | 9 +-
21041 arch/sparc/kernel/process_32.c | 6 +-
21042 arch/sparc/kernel/process_64.c | 4 +-
21043 arch/sparc/kernel/ptrace_64.c | 14 +
21044 arch/sparc/kernel/sys_sparc_64.c | 8 +-
21045 arch/sparc/kernel/syscalls.S | 8 +-
21046 arch/sparc/kernel/traps_32.c | 8 +-
21047 arch/sparc/kernel/traps_64.c | 28 +-
21048 arch/sparc/kernel/unaligned_64.c | 2 +-
21049 arch/sparc/mm/fault_64.c | 2 +-
21050 arch/sparc/mm/hugetlbpage.c | 3 +-
21051 arch/tile/include/asm/cache.h | 3 +-
21052 arch/tile/mm/hugetlbpage.c | 2 +
21053 arch/um/defconfig | 1 -
21054 arch/um/include/asm/cache.h | 3 +-
21055 arch/unicore32/include/asm/cache.h | 6 +-
21056 arch/x86/Kconfig | 5 +-
21057 arch/x86/ia32/ia32_aout.c | 2 +
21058 arch/x86/include/asm/thread_info.h | 8 +-
21059 arch/x86/kernel/dumpstack.c | 8 +
21060 arch/x86/kernel/entry_32.S | 2 +-
21061 arch/x86/kernel/entry_64.S | 2 +-
21062 arch/x86/kernel/ioport.c | 13 +
21063 arch/x86/kernel/ptrace.c | 14 +
21064 arch/x86/kernel/signal.c | 9 +-
21065 arch/x86/kernel/smpboot.c | 3 +
21066 arch/x86/kernel/sys_i386_32.c | 9 +-
21067 arch/x86/kernel/sys_x86_64.c | 8 +-
21068 arch/x86/kernel/verify_cpu.S | 1 +
21069 arch/x86/kernel/vm86_32.c | 1 +
21070 arch/x86/mm/fault.c | 12 +-
21071 arch/x86/mm/hugetlbpage.c | 15 +-
21072 arch/x86/mm/init.c | 66 +-
21073 arch/x86/net/bpf_jit_comp.c | 129 +-
21074 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
21075 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
21076 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
21077 drivers/block/cciss.c | 2 +
21078 drivers/block/cpqarray.c | 1 +
21079 drivers/cdrom/cdrom.c | 4 +-
21080 drivers/char/Kconfig | 4 +-
21081 drivers/char/genrtc.c | 1 +
21082 drivers/char/mem.c | 17 +
21083 drivers/char/mwave/tp3780i.c | 1 +
21084 drivers/char/random.c | 12 +
21085 drivers/gpu/drm/drm_info.c | 4 +
21086 drivers/hid/hid-wiimote-debug.c | 2 +-
21087 drivers/media/radio/radio-cadet.c | 2 +-
21088 drivers/message/fusion/mptbase.c | 9 +
21089 drivers/net/bonding/bond_main.c | 2 +-
21090 drivers/net/phy/mdio-bitbang.c | 1 +
21091 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
21092 drivers/pci/proc.c | 9 +
21093 drivers/rtc/rtc-dev.c | 3 +
21094 drivers/tty/sysrq.c | 2 +-
21095 drivers/tty/vt/keyboard.c | 22 +-
21096 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------
21097 drivers/xen/xenfs/xenstored.c | 5 +
21098 fs/attr.c | 1 +
21099 fs/autofs4/waitq.c | 9 +
21100 fs/binfmt_aout.c | 7 +
21101 fs/binfmt_elf.c | 8 +-
21102 fs/btrfs/ioctl.c | 6 +-
21103 fs/compat.c | 20 +-
21104 fs/coredump.c | 9 +-
21105 fs/debugfs/inode.c | 4 +
21106 fs/exec.c | 184 ++-
21107 fs/ext2/balloc.c | 4 +-
21108 fs/ext3/balloc.c | 4 +-
21109 fs/ext4/resize.c | 17 +-
21110 fs/fcntl.c | 5 +
21111 fs/file.c | 4 +
21112 fs/filesystems.c | 4 +
21113 fs/fs_struct.c | 13 +-
21114 fs/hugetlbfs/inode.c | 5 +-
21115 fs/namei.c | 234 ++-
21116 fs/namespace.c | 16 +
21117 fs/notify/fanotify/fanotify_user.c | 1 +
21118 fs/open.c | 38 +
21119 fs/proc/Kconfig | 10 +-
21120 fs/proc/array.c | 59 +-
21121 fs/proc/base.c | 168 ++-
21122 fs/proc/cmdline.c | 4 +
21123 fs/proc/devices.c | 4 +
21124 fs/proc/fd.c | 17 +-
21125 fs/proc/inode.c | 4 +
21126 fs/proc/kcore.c | 3 +
21127 fs/proc/proc_net.c | 12 +
21128 fs/proc/proc_sysctl.c | 43 +-
21129 fs/proc/root.c | 8 +
21130 fs/proc/task_mmu.c | 75 +-
21131 fs/readdir.c | 19 +
21132 fs/select.c | 2 +
21133 fs/seq_file.c | 12 +-
21134 fs/stat.c | 19 +-
21135 fs/sysfs/dir.c | 12 +
21136 fs/utimes.c | 7 +
21137 fs/xattr.c | 19 +-
21138 include/linux/capability.h | 5 +
21139 include/linux/cred.h | 3 +
21140 include/linux/fs.h | 10 +
21141 include/linux/fsnotify.h | 6 +
21142 include/linux/kallsyms.h | 14 +-
21143 include/linux/kmod.h | 2 +
21144 include/linux/mm.h | 1 +
21145 include/linux/perf_event.h | 13 +-
21146 include/linux/printk.h | 3 +-
21147 include/linux/sched.h | 24 +-
21148 include/linux/security.h | 1 +
21149 include/linux/seq_file.h | 3 +
21150 include/linux/shm.h | 4 +
21151 include/linux/skbuff.h | 3 +
21152 include/linux/slab.h | 9 -
21153 include/linux/sysctl.h | 2 +
21154 include/linux/thread_info.h | 2 +
21155 include/linux/uidgid.h | 5 +
21156 include/linux/vermagic.h | 9 +-
21157 include/uapi/linux/personality.h | 1 +
21158 init/Kconfig | 3 +-
21159 init/main.c | 14 +
21160 ipc/mqueue.c | 1 +
21161 ipc/shm.c | 28 +
21162 kernel/capability.c | 39 +-
21163 kernel/cgroup.c | 2 +-
21164 kernel/compat.c | 1 +
21165 kernel/configs.c | 11 +
21166 kernel/cred.c | 110 +-
21167 kernel/events/core.c | 14 +-
21168 kernel/exit.c | 10 +-
21169 kernel/fork.c | 41 +-
21170 kernel/futex.c | 1 +
21171 kernel/kallsyms.c | 9 +
21172 kernel/kcmp.c | 4 +
21173 kernel/kmod.c | 64 +-
21174 kernel/kprobes.c | 4 +-
21175 kernel/ksysfs.c | 2 +
21176 kernel/lockdep_proc.c | 10 +-
21177 kernel/module.c | 81 +-
21178 kernel/panic.c | 2 +-
21179 kernel/pid.c | 19 +-
21180 kernel/posix-timers.c | 7 +
21181 kernel/printk.c | 5 +
21182 kernel/ptrace.c | 20 +-
21183 kernel/resource.c | 10 +
21184 kernel/sched/core.c | 6 +-
21185 kernel/signal.c | 37 +-
21186 kernel/sys.c | 45 +-
21187 kernel/sysctl.c | 70 +-
21188 kernel/taskstats.c | 6 +
21189 kernel/time.c | 5 +
21190 kernel/time/timekeeping.c | 1 +
21191 kernel/time/timer_list.c | 12 +
21192 kernel/time/timer_stats.c | 10 +-
21193 lib/Kconfig.debug | 5 +-
21194 lib/is_single_threaded.c | 3 +
21195 mm/Kconfig | 4 +-
21196 mm/filemap.c | 1 +
21197 mm/kmemleak.c | 4 +-
21198 mm/mempolicy.c | 12 +-
21199 mm/migrate.c | 3 +-
21200 mm/mlock.c | 3 +
21201 mm/mmap.c | 63 +-
21202 mm/mprotect.c | 8 +
21203 mm/process_vm_access.c | 6 +
21204 mm/slab.c | 2 +-
21205 mm/slub.c | 14 +-
21206 mm/vmalloc.c | 4 +
21207 mm/vmstat.c | 18 +-
21208 net/core/dev_ioctl.c | 4 +
21209 net/core/sock_diag.c | 7 +
21210 net/ipv4/inet_hashtables.c | 5 +
21211 net/ipv4/ip_sockglue.c | 3 +-
21212 net/ipv4/tcp_input.c | 4 +-
21213 net/ipv4/tcp_ipv4.c | 24 +-
21214 net/ipv4/tcp_minisocks.c | 9 +-
21215 net/ipv4/tcp_timer.c | 11 +
21216 net/ipv4/udp.c | 24 +
21217 net/ipv6/tcp_ipv6.c | 23 +-
21218 net/ipv6/udp.c | 4 +
21219 net/netfilter/Kconfig | 10 +
21220 net/netfilter/Makefile | 1 +
21221 net/netfilter/nf_conntrack_core.c | 8 +
21222 net/netrom/af_netrom.c | 1 -
21223 net/phonet/af_phonet.c | 2 +-
21224 net/sctp/proc.c | 3 +-
21225 net/socket.c | 66 +-
21226 net/sysctl_net.c | 2 +-
21227 net/unix/af_unix.c | 31 +-
21228 security/Kconfig | 343 +++-
21229 security/apparmor/Kconfig | 9 +
21230 security/apparmor/apparmorfs.c | 231 ++
21231 security/commoncap.c | 29 +
21232 security/min_addr.c | 2 +
21233 security/security.c | 2 -
21234 security/selinux/hooks.c | 2 -
21235 security/tomoyo/mount.c | 4 +
21236 security/yama/Kconfig | 2 +-
21237 242 files changed, 4385 insertions(+), 2042 deletions(-)
21238
21239commit 043a378c0f72ed92cc30182c48abce39867ac93f
21240Author: Brad Spengler <spender@grsecurity.net>
21241Date: Tue Jul 9 20:57:40 2013 -0400
21242
21243 Commit merge of new files and rejected patches
21244
21245 arch/arm/include/asm/thread_info.h | 6 +-
21246 arch/arm/kernel/process.c | 4 +-
21247 arch/powerpc/include/asm/thread_info.h | 7 +-
21248 arch/powerpc/mm/slice.c | 2 +-
21249 arch/sparc/kernel/process_64.c | 4 +-
21250 arch/x86/kernel/vm86_32.c | 15 +
21251 fs/coredump.c | 1 +
21252 fs/ext4/balloc.c | 4 +-
21253 fs/namei.c | 7 +
21254 fs/namespace.c | 8 +
21255 fs/pipe.c | 2 +-
21256 fs/proc/inode.c | 13 +
21257 fs/proc/internal.h | 3 +
21258 grsecurity/Kconfig | 1054 +++++++++
21259 grsecurity/Makefile | 38 +
21260 grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
21261 grsecurity/gracl_alloc.c | 105 +
21262 grsecurity/gracl_cap.c | 110 +
21263 grsecurity/gracl_fs.c | 431 ++++
21264 grsecurity/gracl_ip.c | 387 +++
21265 grsecurity/gracl_learn.c | 207 ++
21266 grsecurity/gracl_res.c | 68 +
21267 grsecurity/gracl_segv.c | 305 +++
21268 grsecurity/gracl_shm.c | 40 +
21269 grsecurity/grsec_chdir.c | 19 +
21270 grsecurity/grsec_chroot.c | 370 +++
21271 grsecurity/grsec_disabled.c | 434 ++++
21272 grsecurity/grsec_exec.c | 187 ++
21273 grsecurity/grsec_fifo.c | 24 +
21274 grsecurity/grsec_fork.c | 23 +
21275 grsecurity/grsec_init.c | 283 +++
21276 grsecurity/grsec_link.c | 58 +
21277 grsecurity/grsec_log.c | 326 +++
21278 grsecurity/grsec_mem.c | 40 +
21279 grsecurity/grsec_mount.c | 62 +
21280 grsecurity/grsec_pax.c | 36 +
21281 grsecurity/grsec_ptrace.c | 30 +
21282 grsecurity/grsec_sig.c | 246 ++
21283 grsecurity/grsec_sock.c | 244 ++
21284 grsecurity/grsec_sysctl.c | 469 ++++
21285 grsecurity/grsec_time.c | 16 +
21286 grsecurity/grsec_tpe.c | 73 +
21287 grsecurity/grsum.c | 61 +
21288 include/linux/gracl.h | 319 +++
21289 include/linux/gralloc.h | 9 +
21290 include/linux/grdefs.h | 140 ++
21291 include/linux/grinternal.h | 227 ++
21292 include/linux/grmsg.h | 112 +
21293 include/linux/grsecurity.h | 241 ++
21294 include/linux/grsock.h | 19 +
21295 include/linux/netfilter/xt_gradm.h | 9 +
21296 include/linux/proc_fs.h | 13 +
21297 include/linux/sched.h | 48 +-
21298 include/trace/events/fs.h | 53 +
21299 kernel/kmod.c | 7 +-
21300 kernel/panic.c | 2 +-
21301 kernel/posix-timers.c | 1 +
21302 kernel/time/timekeeping.c | 2 +
21303 lib/Kconfig.debug | 2 +-
21304 lib/vsprintf.c | 31 +
21305 localversion-grsec | 1 +
21306 mm/mmap.c | 13 +-
21307 mm/shmem.c | 2 +-
21308 net/core/net-procfs.c | 5 +
21309 net/ipv6/udp.c | 3 +
21310 net/netfilter/xt_gradm.c | 51 +
21311 66 files changed, 11184 insertions(+), 21 deletions(-)
21312
21313commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
21314Author: Brad Spengler <spender@grsecurity.net>
21315Date: Tue Jul 9 17:35:47 2013 -0400
21316
21317 Initial import of pax-linux-3.10-test1.patch
21318
21319 Documentation/dontdiff | 46 +-
21320 Documentation/kernel-parameters.txt | 12 +
21321 Makefile | 100 +-
21322 arch/alpha/include/asm/atomic.h | 10 +
21323 arch/alpha/include/asm/elf.h | 7 +
21324 arch/alpha/include/asm/pgalloc.h | 6 +
21325 arch/alpha/include/asm/pgtable.h | 11 +
21326 arch/alpha/kernel/module.c | 2 +-
21327 arch/alpha/kernel/osf_sys.c | 8 +-
21328 arch/alpha/mm/fault.c | 141 +-
21329 arch/arm/Kconfig | 2 +-
21330 arch/arm/include/asm/atomic.h | 444 ++-
21331 arch/arm/include/asm/cache.h | 5 +-
21332 arch/arm/include/asm/cacheflush.h | 2 +-
21333 arch/arm/include/asm/checksum.h | 14 +-
21334 arch/arm/include/asm/cmpxchg.h | 2 +
21335 arch/arm/include/asm/domain.h | 33 +-
21336 arch/arm/include/asm/elf.h | 13 +-
21337 arch/arm/include/asm/fncpy.h | 2 +
21338 arch/arm/include/asm/futex.h | 10 +
21339 arch/arm/include/asm/kmap_types.h | 2 +-
21340 arch/arm/include/asm/mach/dma.h | 2 +-
21341 arch/arm/include/asm/mach/map.h | 7 +-
21342 arch/arm/include/asm/outercache.h | 2 +-
21343 arch/arm/include/asm/page.h | 2 +-
21344 arch/arm/include/asm/pgalloc.h | 22 +-
21345 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
21346 arch/arm/include/asm/pgtable-2level.h | 1 +
21347 arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
21348 arch/arm/include/asm/pgtable-3level.h | 2 +
21349 arch/arm/include/asm/pgtable.h | 56 +-
21350 arch/arm/include/asm/proc-fns.h | 2 +-
21351 arch/arm/include/asm/processor.h | 5 +-
21352 arch/arm/include/asm/psci.h | 2 +-
21353 arch/arm/include/asm/smp.h | 2 +-
21354 arch/arm/include/asm/thread_info.h | 6 +-
21355 arch/arm/include/asm/uaccess.h | 92 +-
21356 arch/arm/include/uapi/asm/ptrace.h | 2 +-
21357 arch/arm/kernel/armksyms.c | 8 +-
21358 arch/arm/kernel/entry-armv.S | 107 +-
21359 arch/arm/kernel/entry-common.S | 41 +-
21360 arch/arm/kernel/entry-header.S | 60 +
21361 arch/arm/kernel/fiq.c | 2 +
21362 arch/arm/kernel/head.S | 6 +-
21363 arch/arm/kernel/hw_breakpoint.c | 2 +-
21364 arch/arm/kernel/module.c | 29 +-
21365 arch/arm/kernel/patch.c | 2 +
21366 arch/arm/kernel/perf_event_cpu.c | 2 +-
21367 arch/arm/kernel/process.c | 14 +-
21368 arch/arm/kernel/psci.c | 2 +-
21369 arch/arm/kernel/setup.c | 22 +-
21370 arch/arm/kernel/signal.c | 24 +-
21371 arch/arm/kernel/smp.c | 2 +-
21372 arch/arm/kernel/traps.c | 15 +-
21373 arch/arm/kernel/vmlinux.lds.S | 22 +-
21374 arch/arm/lib/clear_user.S | 6 +-
21375 arch/arm/lib/copy_from_user.S | 6 +-
21376 arch/arm/lib/copy_page.S | 1 +
21377 arch/arm/lib/copy_to_user.S | 6 +-
21378 arch/arm/lib/csumpartialcopyuser.S | 4 +-
21379 arch/arm/lib/delay.c | 2 +-
21380 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
21381 arch/arm/mach-kirkwood/common.c | 19 +-
21382 arch/arm/mach-omap2/board-n8x0.c | 2 +-
21383 arch/arm/mach-omap2/gpmc.c | 22 +-
21384 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
21385 arch/arm/mach-omap2/omap_device.c | 4 +-
21386 arch/arm/mach-omap2/omap_device.h | 4 +-
21387 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
21388 arch/arm/mach-omap2/wd_timer.c | 6 +-
21389 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
21390 arch/arm/mach-ux500/setup.h | 7 -
21391 arch/arm/mm/Kconfig | 3 +-
21392 arch/arm/mm/alignment.c | 8 +
21393 arch/arm/mm/fault.c | 91 +
21394 arch/arm/mm/fault.h | 12 +
21395 arch/arm/mm/init.c | 41 +
21396 arch/arm/mm/ioremap.c | 4 +-
21397 arch/arm/mm/mmap.c | 30 +-
21398 arch/arm/mm/mmu.c | 187 +-
21399 arch/arm/mm/proc-v7-2level.S | 3 +
21400 arch/arm/plat-omap/sram.c | 2 +
21401 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
21402 arch/arm64/kernel/debug-monitors.c | 2 +-
21403 arch/arm64/kernel/hw_breakpoint.c | 2 +-
21404 arch/avr32/include/asm/elf.h | 8 +-
21405 arch/avr32/include/asm/kmap_types.h | 4 +-
21406 arch/avr32/mm/fault.c | 27 +
21407 arch/frv/include/asm/atomic.h | 10 +
21408 arch/frv/include/asm/kmap_types.h | 2 +-
21409 arch/frv/mm/elf-fdpic.c | 3 +-
21410 arch/ia64/include/asm/atomic.h | 10 +
21411 arch/ia64/include/asm/elf.h | 7 +
21412 arch/ia64/include/asm/pgalloc.h | 12 +
21413 arch/ia64/include/asm/pgtable.h | 13 +-
21414 arch/ia64/include/asm/spinlock.h | 2 +-
21415 arch/ia64/include/asm/uaccess.h | 26 +-
21416 arch/ia64/kernel/err_inject.c | 2 +-
21417 arch/ia64/kernel/mca.c | 2 +-
21418 arch/ia64/kernel/module.c | 48 +-
21419 arch/ia64/kernel/palinfo.c | 2 +-
21420 arch/ia64/kernel/salinfo.c | 2 +-
21421 arch/ia64/kernel/sys_ia64.c | 7 +
21422 arch/ia64/kernel/topology.c | 2 +-
21423 arch/ia64/kernel/vmlinux.lds.S | 2 +-
21424 arch/ia64/mm/fault.c | 32 +-
21425 arch/ia64/mm/init.c | 13 +
21426 arch/m32r/lib/usercopy.c | 6 +
21427 arch/mips/include/asm/atomic.h | 14 +
21428 arch/mips/include/asm/elf.h | 11 +-
21429 arch/mips/include/asm/exec.h | 2 +-
21430 arch/mips/include/asm/page.h | 2 +-
21431 arch/mips/include/asm/pgalloc.h | 5 +
21432 arch/mips/kernel/binfmt_elfn32.c | 7 +
21433 arch/mips/kernel/binfmt_elfo32.c | 7 +
21434 arch/mips/kernel/process.c | 12 -
21435 arch/mips/mm/fault.c | 17 +
21436 arch/mips/mm/mmap.c | 51 +-
21437 arch/parisc/include/asm/atomic.h | 10 +
21438 arch/parisc/include/asm/elf.h | 7 +
21439 arch/parisc/include/asm/pgalloc.h | 6 +
21440 arch/parisc/include/asm/pgtable.h | 11 +
21441 arch/parisc/include/asm/uaccess.h | 4 +-
21442 arch/parisc/kernel/module.c | 50 +-
21443 arch/parisc/kernel/sys_parisc.c | 9 +-
21444 arch/parisc/kernel/traps.c | 4 +-
21445 arch/parisc/mm/fault.c | 140 +-
21446 arch/powerpc/include/asm/atomic.h | 10 +
21447 arch/powerpc/include/asm/elf.h | 19 +-
21448 arch/powerpc/include/asm/exec.h | 2 +-
21449 arch/powerpc/include/asm/kmap_types.h | 2 +-
21450 arch/powerpc/include/asm/mman.h | 2 +-
21451 arch/powerpc/include/asm/page.h | 8 +-
21452 arch/powerpc/include/asm/page_64.h | 7 +-
21453 arch/powerpc/include/asm/pgalloc-64.h | 7 +
21454 arch/powerpc/include/asm/pgtable.h | 1 +
21455 arch/powerpc/include/asm/pte-hash32.h | 1 +
21456 arch/powerpc/include/asm/reg.h | 1 +
21457 arch/powerpc/include/asm/smp.h | 2 +-
21458 arch/powerpc/include/asm/uaccess.h | 140 +-
21459 arch/powerpc/kernel/exceptions-64e.S | 4 +-
21460 arch/powerpc/kernel/exceptions-64s.S | 2 +-
21461 arch/powerpc/kernel/module_32.c | 13 +-
21462 arch/powerpc/kernel/process.c | 55 -
21463 arch/powerpc/kernel/signal_32.c | 2 +-
21464 arch/powerpc/kernel/signal_64.c | 2 +-
21465 arch/powerpc/kernel/sysfs.c | 2 +-
21466 arch/powerpc/kernel/vdso.c | 5 +-
21467 arch/powerpc/lib/usercopy_64.c | 18 -
21468 arch/powerpc/mm/fault.c | 54 +-
21469 arch/powerpc/mm/mmap_64.c | 16 +
21470 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
21471 arch/powerpc/mm/numa.c | 2 +-
21472 arch/powerpc/mm/slice.c | 13 +-
21473 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
21474 arch/powerpc/platforms/powermac/smp.c | 2 +-
21475 arch/s390/include/asm/atomic.h | 10 +
21476 arch/s390/include/asm/elf.h | 13 +-
21477 arch/s390/include/asm/exec.h | 2 +-
21478 arch/s390/include/asm/uaccess.h | 15 +-
21479 arch/s390/kernel/module.c | 22 +-
21480 arch/s390/kernel/process.c | 36 -
21481 arch/s390/mm/mmap.c | 24 +
21482 arch/score/include/asm/exec.h | 2 +-
21483 arch/score/kernel/process.c | 5 -
21484 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
21485 arch/sh/mm/mmap.c | 22 +-
21486 arch/sparc/include/asm/atomic_64.h | 106 +-
21487 arch/sparc/include/asm/cache.h | 2 +-
21488 arch/sparc/include/asm/elf_32.h | 7 +
21489 arch/sparc/include/asm/elf_64.h | 7 +
21490 arch/sparc/include/asm/pgalloc_32.h | 1 +
21491 arch/sparc/include/asm/pgalloc_64.h | 1 +
21492 arch/sparc/include/asm/pgtable_32.h | 15 +-
21493 arch/sparc/include/asm/pgtsrmmu.h | 5 +
21494 arch/sparc/include/asm/spinlock_64.h | 35 +-
21495 arch/sparc/include/asm/thread_info_32.h | 2 +
21496 arch/sparc/include/asm/thread_info_64.h | 2 +
21497 arch/sparc/include/asm/uaccess.h | 1 +
21498 arch/sparc/include/asm/uaccess_32.h | 27 +-
21499 arch/sparc/include/asm/uaccess_64.h | 19 +-
21500 arch/sparc/kernel/Makefile | 2 +-
21501 arch/sparc/kernel/prom_common.c | 2 +-
21502 arch/sparc/kernel/sys_sparc_32.c | 2 +-
21503 arch/sparc/kernel/sys_sparc_64.c | 48 +-
21504 arch/sparc/kernel/sysfs.c | 2 +-
21505 arch/sparc/kernel/traps_64.c | 13 +-
21506 arch/sparc/lib/Makefile | 2 +-
21507 arch/sparc/lib/atomic_64.S | 136 +-
21508 arch/sparc/lib/ksyms.c | 6 +
21509 arch/sparc/mm/Makefile | 2 +-
21510 arch/sparc/mm/fault_32.c | 292 +
21511 arch/sparc/mm/fault_64.c | 486 ++
21512 arch/sparc/mm/hugetlbpage.c | 21 +-
21513 arch/tile/include/asm/atomic_64.h | 10 +
21514 arch/tile/include/asm/uaccess.h | 4 +-
21515 arch/um/Makefile | 4 +
21516 arch/um/include/asm/kmap_types.h | 2 +-
21517 arch/um/include/asm/page.h | 3 +
21518 arch/um/include/asm/pgtable-3level.h | 1 +
21519 arch/um/kernel/process.c | 16 -
21520 arch/x86/Kconfig | 10 +-
21521 arch/x86/Kconfig.cpu | 6 +-
21522 arch/x86/Kconfig.debug | 4 +-
21523 arch/x86/Makefile | 10 +
21524 arch/x86/boot/Makefile | 3 +
21525 arch/x86/boot/bitops.h | 4 +-
21526 arch/x86/boot/boot.h | 4 +-
21527 arch/x86/boot/compressed/Makefile | 3 +
21528 arch/x86/boot/compressed/eboot.c | 2 -
21529 arch/x86/boot/compressed/efi_stub_32.S | 16 +-
21530 arch/x86/boot/compressed/head_32.S | 7 +-
21531 arch/x86/boot/compressed/head_64.S | 8 +-
21532 arch/x86/boot/compressed/misc.c | 4 +-
21533 arch/x86/boot/cpucheck.c | 28 +-
21534 arch/x86/boot/header.S | 6 +-
21535 arch/x86/boot/memory.c | 2 +-
21536 arch/x86/boot/video-vesa.c | 1 +
21537 arch/x86/boot/video.c | 2 +-
21538 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
21539 arch/x86/crypto/aesni-intel_asm.S | 22 +
21540 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
21541 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
21542 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
21543 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
21544 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
21545 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
21546 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
21547 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
21548 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
21549 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
21550 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
21551 arch/x86/ia32/ia32_signal.c | 14 +-
21552 arch/x86/ia32/ia32entry.S | 141 +-
21553 arch/x86/ia32/sys_ia32.c | 4 +-
21554 arch/x86/include/asm/alternative-asm.h | 39 +
21555 arch/x86/include/asm/alternative.h | 4 +-
21556 arch/x86/include/asm/apic.h | 2 +-
21557 arch/x86/include/asm/apm.h | 4 +-
21558 arch/x86/include/asm/atomic.h | 307 +-
21559 arch/x86/include/asm/atomic64_32.h | 100 +
21560 arch/x86/include/asm/atomic64_64.h | 202 +-
21561 arch/x86/include/asm/bitops.h | 4 +-
21562 arch/x86/include/asm/boot.h | 7 +-
21563 arch/x86/include/asm/cache.h | 5 +-
21564 arch/x86/include/asm/cacheflush.h | 2 +-
21565 arch/x86/include/asm/checksum_32.h | 12 +-
21566 arch/x86/include/asm/cmpxchg.h | 35 +
21567 arch/x86/include/asm/compat.h | 2 +-
21568 arch/x86/include/asm/cpufeature.h | 4 +-
21569 arch/x86/include/asm/desc.h | 67 +-
21570 arch/x86/include/asm/desc_defs.h | 6 +
21571 arch/x86/include/asm/div64.h | 2 +-
21572 arch/x86/include/asm/elf.h | 31 +-
21573 arch/x86/include/asm/emergency-restart.h | 2 +-
21574 arch/x86/include/asm/fpu-internal.h | 6 +-
21575 arch/x86/include/asm/futex.h | 16 +-
21576 arch/x86/include/asm/hw_irq.h | 4 +-
21577 arch/x86/include/asm/i8259.h | 2 +-
21578 arch/x86/include/asm/io.h | 21 +-
21579 arch/x86/include/asm/irqflags.h | 5 +
21580 arch/x86/include/asm/kprobes.h | 9 +-
21581 arch/x86/include/asm/local.h | 142 +-
21582 arch/x86/include/asm/mman.h | 15 +
21583 arch/x86/include/asm/mmu.h | 16 +-
21584 arch/x86/include/asm/mmu_context.h | 76 +-
21585 arch/x86/include/asm/module.h | 17 +-
21586 arch/x86/include/asm/nmi.h | 6 +-
21587 arch/x86/include/asm/page.h | 1 +
21588 arch/x86/include/asm/page_64.h | 4 +-
21589 arch/x86/include/asm/paravirt.h | 46 +-
21590 arch/x86/include/asm/paravirt_types.h | 17 +-
21591 arch/x86/include/asm/pgalloc.h | 23 +
21592 arch/x86/include/asm/pgtable-2level.h | 2 +
21593 arch/x86/include/asm/pgtable-3level.h | 4 +
21594 arch/x86/include/asm/pgtable.h | 122 +-
21595 arch/x86/include/asm/pgtable_32.h | 14 +-
21596 arch/x86/include/asm/pgtable_32_types.h | 15 +-
21597 arch/x86/include/asm/pgtable_64.h | 19 +-
21598 arch/x86/include/asm/pgtable_64_types.h | 5 +
21599 arch/x86/include/asm/pgtable_types.h | 36 +-
21600 arch/x86/include/asm/processor.h | 39 +-
21601 arch/x86/include/asm/ptrace.h | 26 +-
21602 arch/x86/include/asm/realmode.h | 4 +-
21603 arch/x86/include/asm/reboot.h | 10 +-
21604 arch/x86/include/asm/rwsem.h | 60 +-
21605 arch/x86/include/asm/segment.h | 24 +-
21606 arch/x86/include/asm/smp.h | 14 +-
21607 arch/x86/include/asm/spinlock.h | 36 +-
21608 arch/x86/include/asm/stackprotector.h | 4 +-
21609 arch/x86/include/asm/stacktrace.h | 32 +-
21610 arch/x86/include/asm/switch_to.h | 4 +-
21611 arch/x86/include/asm/thread_info.h | 83 +-
21612 arch/x86/include/asm/uaccess.h | 96 +-
21613 arch/x86/include/asm/uaccess_32.h | 106 +-
21614 arch/x86/include/asm/uaccess_64.h | 232 +-
21615 arch/x86/include/asm/word-at-a-time.h | 2 +-
21616 arch/x86/include/asm/x86_init.h | 10 +-
21617 arch/x86/include/asm/xsave.h | 10 +-
21618 arch/x86/include/uapi/asm/e820.h | 2 +-
21619 arch/x86/kernel/Makefile | 2 +-
21620 arch/x86/kernel/acpi/boot.c | 4 +-
21621 arch/x86/kernel/acpi/sleep.c | 4 +
21622 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
21623 arch/x86/kernel/alternative.c | 65 +-
21624 arch/x86/kernel/apic/apic.c | 4 +-
21625 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
21626 arch/x86/kernel/apic/apic_noop.c | 2 +-
21627 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
21628 arch/x86/kernel/apic/es7000_32.c | 5 +-
21629 arch/x86/kernel/apic/io_apic.c | 8 +-
21630 arch/x86/kernel/apic/numaq_32.c | 3 +-
21631 arch/x86/kernel/apic/probe_32.c | 2 +-
21632 arch/x86/kernel/apic/summit_32.c | 2 +-
21633 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
21634 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
21635 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
21636 arch/x86/kernel/apm_32.c | 19 +-
21637 arch/x86/kernel/asm-offsets.c | 20 +
21638 arch/x86/kernel/asm-offsets_64.c | 1 +
21639 arch/x86/kernel/cpu/Makefile | 4 -
21640 arch/x86/kernel/cpu/amd.c | 2 +-
21641 arch/x86/kernel/cpu/common.c | 75 +-
21642 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
21643 arch/x86/kernel/cpu/mcheck/mce.c | 33 +-
21644 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
21645 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
21646 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
21647 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
21648 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
21649 arch/x86/kernel/cpu/perf_event.c | 8 +-
21650 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
21651 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
21652 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
21653 arch/x86/kernel/cpuid.c | 2 +-
21654 arch/x86/kernel/crash.c | 4 +-
21655 arch/x86/kernel/crash_dump_64.c | 2 +-
21656 arch/x86/kernel/doublefault_32.c | 8 +-
21657 arch/x86/kernel/dumpstack.c | 28 +-
21658 arch/x86/kernel/dumpstack_32.c | 34 +-
21659 arch/x86/kernel/dumpstack_64.c | 61 +-
21660 arch/x86/kernel/e820.c | 4 +-
21661 arch/x86/kernel/early_printk.c | 1 +
21662 arch/x86/kernel/entry_32.S | 354 +-
21663 arch/x86/kernel/entry_64.S | 548 ++-
21664 arch/x86/kernel/ftrace.c | 14 +-
21665 arch/x86/kernel/head64.c | 13 +-
21666 arch/x86/kernel/head_32.S | 237 +-
21667 arch/x86/kernel/head_64.S | 143 +-
21668 arch/x86/kernel/i386_ksyms_32.c | 8 +
21669 arch/x86/kernel/i387.c | 2 +-
21670 arch/x86/kernel/i8259.c | 10 +-
21671 arch/x86/kernel/io_delay.c | 2 +-
21672 arch/x86/kernel/ioport.c | 2 +-
21673 arch/x86/kernel/irq.c | 8 +-
21674 arch/x86/kernel/irq_32.c | 69 +-
21675 arch/x86/kernel/irq_64.c | 2 +-
21676 arch/x86/kernel/kdebugfs.c | 2 +-
21677 arch/x86/kernel/kgdb.c | 25 +-
21678 arch/x86/kernel/kprobes/core.c | 30 +-
21679 arch/x86/kernel/kprobes/opt.c | 16 +-
21680 arch/x86/kernel/kvm.c | 2 +-
21681 arch/x86/kernel/ldt.c | 31 +-
21682 arch/x86/kernel/machine_kexec_32.c | 6 +-
21683 arch/x86/kernel/microcode_core.c | 2 +-
21684 arch/x86/kernel/microcode_intel.c | 4 +-
21685 arch/x86/kernel/module.c | 76 +-
21686 arch/x86/kernel/msr.c | 2 +-
21687 arch/x86/kernel/nmi.c | 19 +-
21688 arch/x86/kernel/nmi_selftest.c | 4 +-
21689 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
21690 arch/x86/kernel/paravirt.c | 43 +-
21691 arch/x86/kernel/pci-calgary_64.c | 2 +-
21692 arch/x86/kernel/pci-iommu_table.c | 2 +-
21693 arch/x86/kernel/pci-swiotlb.c | 2 +-
21694 arch/x86/kernel/process.c | 55 +-
21695 arch/x86/kernel/process_32.c | 29 +-
21696 arch/x86/kernel/process_64.c | 15 +-
21697 arch/x86/kernel/ptrace.c | 25 +-
21698 arch/x86/kernel/pvclock.c | 8 +-
21699 arch/x86/kernel/reboot.c | 44 +-
21700 arch/x86/kernel/relocate_kernel_64.S | 2 +
21701 arch/x86/kernel/setup.c | 21 +-
21702 arch/x86/kernel/setup_percpu.c | 29 +-
21703 arch/x86/kernel/signal.c | 15 +-
21704 arch/x86/kernel/smp.c | 2 +-
21705 arch/x86/kernel/smpboot.c | 15 +-
21706 arch/x86/kernel/step.c | 10 +-
21707 arch/x86/kernel/sys_i386_32.c | 184 +
21708 arch/x86/kernel/sys_x86_64.c | 22 +-
21709 arch/x86/kernel/tboot.c | 14 +-
21710 arch/x86/kernel/time.c | 10 +-
21711 arch/x86/kernel/tls.c | 7 +-
21712 arch/x86/kernel/traps.c | 64 +-
21713 arch/x86/kernel/uprobes.c | 4 +-
21714 arch/x86/kernel/vm86_32.c | 6 +-
21715 arch/x86/kernel/vmlinux.lds.S | 148 +-
21716 arch/x86/kernel/vsyscall_64.c | 12 +-
21717 arch/x86/kernel/x8664_ksyms_64.c | 2 -
21718 arch/x86/kernel/x86_init.c | 8 +-
21719 arch/x86/kernel/xsave.c | 2 +
21720 arch/x86/kvm/cpuid.c | 21 +-
21721 arch/x86/kvm/emulate.c | 4 +-
21722 arch/x86/kvm/lapic.c | 2 +-
21723 arch/x86/kvm/paging_tmpl.h | 2 +-
21724 arch/x86/kvm/svm.c | 8 +
21725 arch/x86/kvm/vmx.c | 61 +-
21726 arch/x86/kvm/x86.c | 8 +-
21727 arch/x86/lguest/boot.c | 3 +-
21728 arch/x86/lib/atomic64_386_32.S | 164 +
21729 arch/x86/lib/atomic64_cx8_32.S | 103 +-
21730 arch/x86/lib/checksum_32.S | 100 +-
21731 arch/x86/lib/clear_page_64.S | 5 +-
21732 arch/x86/lib/cmpxchg16b_emu.S | 2 +
21733 arch/x86/lib/copy_page_64.S | 24 +-
21734 arch/x86/lib/copy_user_64.S | 47 +-
21735 arch/x86/lib/copy_user_nocache_64.S | 20 +-
21736 arch/x86/lib/csum-copy_64.S | 2 +
21737 arch/x86/lib/csum-wrappers_64.c | 4 +-
21738 arch/x86/lib/getuser.S | 70 +-
21739 arch/x86/lib/insn.c | 6 +-
21740 arch/x86/lib/iomap_copy_64.S | 2 +
21741 arch/x86/lib/memcpy_64.S | 18 +-
21742 arch/x86/lib/memmove_64.S | 34 +-
21743 arch/x86/lib/memset_64.S | 7 +-
21744 arch/x86/lib/mmx_32.c | 243 +-
21745 arch/x86/lib/msr-reg.S | 18 +-
21746 arch/x86/lib/putuser.S | 90 +-
21747 arch/x86/lib/rwlock.S | 42 +
21748 arch/x86/lib/rwsem.S | 6 +-
21749 arch/x86/lib/thunk_64.S | 2 +
21750 arch/x86/lib/usercopy_32.c | 363 +-
21751 arch/x86/lib/usercopy_64.c | 13 +-
21752 arch/x86/mm/extable.c | 25 +-
21753 arch/x86/mm/fault.c | 556 ++-
21754 arch/x86/mm/gup.c | 2 +-
21755 arch/x86/mm/highmem_32.c | 4 +
21756 arch/x86/mm/hugetlbpage.c | 30 +-
21757 arch/x86/mm/init.c | 98 +-
21758 arch/x86/mm/init_32.c | 113 +-
21759 arch/x86/mm/init_64.c | 38 +-
21760 arch/x86/mm/iomap_32.c | 4 +
21761 arch/x86/mm/ioremap.c | 15 +-
21762 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
21763 arch/x86/mm/mmap.c | 41 +-
21764 arch/x86/mm/mmio-mod.c | 10 +-
21765 arch/x86/mm/numa.c | 2 +-
21766 arch/x86/mm/pageattr-test.c | 2 +-
21767 arch/x86/mm/pageattr.c | 33 +-
21768 arch/x86/mm/pat.c | 12 +-
21769 arch/x86/mm/pat_rbtree.c | 2 +-
21770 arch/x86/mm/pf_in.c | 10 +-
21771 arch/x86/mm/pgtable.c | 137 +-
21772 arch/x86/mm/pgtable_32.c | 3 +
21773 arch/x86/mm/physaddr.c | 4 +-
21774 arch/x86/mm/setup_nx.c | 7 +
21775 arch/x86/mm/tlb.c | 4 +
21776 arch/x86/net/bpf_jit.S | 14 +
21777 arch/x86/net/bpf_jit_comp.c | 37 +-
21778 arch/x86/oprofile/backtrace.c | 8 +-
21779 arch/x86/oprofile/nmi_int.c | 8 +-
21780 arch/x86/oprofile/op_model_amd.c | 8 +-
21781 arch/x86/oprofile/op_model_ppro.c | 7 +-
21782 arch/x86/oprofile/op_x86_model.h | 2 +-
21783 arch/x86/pci/amd_bus.c | 2 +-
21784 arch/x86/pci/irq.c | 8 +-
21785 arch/x86/pci/mrst.c | 4 +-
21786 arch/x86/pci/pcbios.c | 144 +-
21787 arch/x86/platform/efi/efi_32.c | 24 +
21788 arch/x86/platform/efi/efi_64.c | 10 +
21789 arch/x86/platform/efi/efi_stub_32.S | 64 +-
21790 arch/x86/platform/efi/efi_stub_64.S | 8 +
21791 arch/x86/platform/mrst/mrst.c | 6 +-
21792 arch/x86/platform/olpc/olpc_dt.c | 2 +-
21793 arch/x86/power/cpu.c | 11 +-
21794 arch/x86/realmode/init.c | 10 +-
21795 arch/x86/realmode/rm/Makefile | 3 +
21796 arch/x86/realmode/rm/header.S | 4 +-
21797 arch/x86/realmode/rm/trampoline_32.S | 12 +-
21798 arch/x86/realmode/rm/trampoline_64.S | 2 +-
21799 arch/x86/tools/Makefile | 2 +-
21800 arch/x86/tools/relocs.c | 94 +-
21801 arch/x86/um/tls_32.c | 2 +-
21802 arch/x86/vdso/Makefile | 2 +-
21803 arch/x86/vdso/vdso32-setup.c | 23 +-
21804 arch/x86/vdso/vma.c | 29 +-
21805 arch/x86/xen/enlighten.c | 47 +-
21806 arch/x86/xen/mmu.c | 9 +
21807 arch/x86/xen/smp.c | 18 +-
21808 arch/x86/xen/xen-asm_32.S | 12 +-
21809 arch/x86/xen/xen-head.S | 11 +
21810 arch/x86/xen/xen-ops.h | 2 -
21811 block/blk-iopoll.c | 4 +-
21812 block/blk-map.c | 2 +-
21813 block/blk-softirq.c | 4 +-
21814 block/bsg.c | 12 +-
21815 block/compat_ioctl.c | 2 +-
21816 block/genhd.c | 11 +-
21817 block/partitions/efi.c | 8 +-
21818 block/scsi_ioctl.c | 27 +-
21819 crypto/algapi.c | 2 +-
21820 crypto/cryptd.c | 4 +-
21821 crypto/pcrypt.c | 6 +-
21822 drivers/acpi/apei/apei-internal.h | 2 +-
21823 drivers/acpi/apei/cper.c | 8 +-
21824 drivers/acpi/bgrt.c | 6 +-
21825 drivers/acpi/blacklist.c | 4 +-
21826 drivers/acpi/ec_sys.c | 12 +-
21827 drivers/acpi/processor_idle.c | 2 +-
21828 drivers/acpi/sysfs.c | 4 +-
21829 drivers/ata/libahci.c | 2 +-
21830 drivers/ata/libata-core.c | 8 +-
21831 drivers/ata/pata_arasan_cf.c | 4 +-
21832 drivers/atm/adummy.c | 2 +-
21833 drivers/atm/ambassador.c | 8 +-
21834 drivers/atm/atmtcp.c | 14 +-
21835 drivers/atm/eni.c | 10 +-
21836 drivers/atm/firestream.c | 8 +-
21837 drivers/atm/fore200e.c | 14 +-
21838 drivers/atm/he.c | 18 +-
21839 drivers/atm/horizon.c | 4 +-
21840 drivers/atm/idt77252.c | 36 +-
21841 drivers/atm/iphase.c | 34 +-
21842 drivers/atm/lanai.c | 12 +-
21843 drivers/atm/nicstar.c | 46 +-
21844 drivers/atm/solos-pci.c | 4 +-
21845 drivers/atm/suni.c | 4 +-
21846 drivers/atm/uPD98402.c | 16 +-
21847 drivers/atm/zatm.c | 6 +-
21848 drivers/base/attribute_container.c | 2 +-
21849 drivers/base/bus.c | 4 +-
21850 drivers/base/devtmpfs.c | 8 +-
21851 drivers/base/node.c | 2 +-
21852 drivers/base/power/domain.c | 4 +-
21853 drivers/base/power/sysfs.c | 2 +-
21854 drivers/base/power/wakeup.c | 8 +-
21855 drivers/base/syscore.c | 4 +-
21856 drivers/block/cciss.c | 28 +-
21857 drivers/block/cciss.h | 2 +-
21858 drivers/block/cpqarray.c | 28 +-
21859 drivers/block/cpqarray.h | 2 +-
21860 drivers/block/drbd/drbd_int.h | 6 +-
21861 drivers/block/drbd/drbd_main.c | 8 +-
21862 drivers/block/drbd/drbd_receiver.c | 22 +-
21863 drivers/block/loop.c | 2 +-
21864 drivers/block/nbd.c | 2 +-
21865 drivers/block/pktcdvd.c | 2 +-
21866 drivers/cdrom/cdrom.c | 11 +-
21867 drivers/cdrom/gdrom.c | 1 -
21868 drivers/char/agp/compat_ioctl.c | 2 +-
21869 drivers/char/agp/frontend.c | 4 +-
21870 drivers/char/hpet.c | 2 +-
21871 drivers/char/hw_random/intel-rng.c | 2 +-
21872 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
21873 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
21874 drivers/char/mem.c | 45 +-
21875 drivers/char/nvram.c | 2 +-
21876 drivers/char/pcmcia/synclink_cs.c | 18 +-
21877 drivers/char/random.c | 10 +-
21878 drivers/char/sonypi.c | 9 +-
21879 drivers/char/tpm/tpm_acpi.c | 3 +-
21880 drivers/char/tpm/tpm_eventlog.c | 7 +-
21881 drivers/char/virtio_console.c | 4 +-
21882 drivers/clk/clk-composite.c | 2 +-
21883 drivers/clocksource/arm_arch_timer.c | 2 +-
21884 drivers/clocksource/metag_generic.c | 2 +-
21885 drivers/cpufreq/acpi-cpufreq.c | 20 +-
21886 drivers/cpufreq/cpufreq.c | 9 +-
21887 drivers/cpufreq/cpufreq_governor.c | 6 +-
21888 drivers/cpufreq/cpufreq_governor.h | 2 +-
21889 drivers/cpufreq/cpufreq_ondemand.c | 8 +-
21890 drivers/cpufreq/cpufreq_stats.c | 2 +-
21891 drivers/cpufreq/p4-clockmod.c | 12 +-
21892 drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
21893 drivers/cpufreq/speedstep-centrino.c | 7 +-
21894 drivers/cpuidle/cpuidle.c | 2 +-
21895 drivers/cpuidle/governor.c | 4 +-
21896 drivers/cpuidle/sysfs.c | 2 +-
21897 drivers/devfreq/devfreq.c | 6 +-
21898 drivers/dma/sh/shdma.c | 2 +-
21899 drivers/edac/edac_mc_sysfs.c | 12 +-
21900 drivers/edac/edac_pci_sysfs.c | 22 +-
21901 drivers/edac/mce_amd.h | 2 +-
21902 drivers/firewire/core-card.c | 2 +-
21903 drivers/firewire/core-device.c | 2 +-
21904 drivers/firewire/core-transaction.c | 1 +
21905 drivers/firewire/core.h | 1 +
21906 drivers/firmware/dmi-id.c | 2 +-
21907 drivers/firmware/dmi_scan.c | 7 +-
21908 drivers/firmware/efi/efi.c | 12 +-
21909 drivers/firmware/efi/efivars.c | 2 +-
21910 drivers/firmware/google/memconsole.c | 4 +-
21911 drivers/gpio/gpio-ich.c | 2 +-
21912 drivers/gpio/gpio-vr41xx.c | 2 +-
21913 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
21914 drivers/gpu/drm/drm_drv.c | 6 +-
21915 drivers/gpu/drm/drm_fops.c | 18 +-
21916 drivers/gpu/drm/drm_global.c | 14 +-
21917 drivers/gpu/drm/drm_info.c | 14 +-
21918 drivers/gpu/drm/drm_ioc32.c | 13 +-
21919 drivers/gpu/drm/drm_ioctl.c | 2 +-
21920 drivers/gpu/drm/drm_lock.c | 4 +-
21921 drivers/gpu/drm/drm_stub.c | 2 +-
21922 drivers/gpu/drm/drm_sysfs.c | 2 +-
21923 drivers/gpu/drm/i810/i810_dma.c | 8 +-
21924 drivers/gpu/drm/i810/i810_drv.h | 4 +-
21925 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
21926 drivers/gpu/drm/i915/i915_dma.c | 2 +-
21927 drivers/gpu/drm/i915/i915_drv.h | 4 +-
21928 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
21929 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
21930 drivers/gpu/drm/i915/i915_irq.c | 22 +-
21931 drivers/gpu/drm/i915/intel_display.c | 26 +-
21932 drivers/gpu/drm/mga/mga_drv.h | 4 +-
21933 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
21934 drivers/gpu/drm/mga/mga_irq.c | 8 +-
21935 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
21936 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
21937 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
21938 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
21939 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
21940 drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
21941 drivers/gpu/drm/r128/r128_cce.c | 2 +-
21942 drivers/gpu/drm/r128/r128_drv.h | 4 +-
21943 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
21944 drivers/gpu/drm/r128/r128_irq.c | 4 +-
21945 drivers/gpu/drm/r128/r128_state.c | 4 +-
21946 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
21947 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
21948 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
21949 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
21950 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
21951 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
21952 drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
21953 drivers/gpu/drm/radeon/rs690.c | 4 +-
21954 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
21955 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
21956 drivers/gpu/drm/udl/udl_fb.c | 1 -
21957 drivers/gpu/drm/via/via_drv.h | 4 +-
21958 drivers/gpu/drm/via/via_irq.c | 18 +-
21959 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
21960 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
21961 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
21962 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
21963 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
21964 drivers/hid/hid-core.c | 4 +-
21965 drivers/hv/channel.c | 4 +-
21966 drivers/hv/hv.c | 2 +-
21967 drivers/hv/hyperv_vmbus.h | 2 +-
21968 drivers/hv/vmbus_drv.c | 4 +-
21969 drivers/hwmon/acpi_power_meter.c | 4 +-
21970 drivers/hwmon/applesmc.c | 2 +-
21971 drivers/hwmon/asus_atk0110.c | 10 +-
21972 drivers/hwmon/coretemp.c | 2 +-
21973 drivers/hwmon/ibmaem.c | 2 +-
21974 drivers/hwmon/iio_hwmon.c | 2 +-
21975 drivers/hwmon/pmbus/pmbus_core.c | 10 +-
21976 drivers/hwmon/sht15.c | 12 +-
21977 drivers/hwmon/via-cputemp.c | 2 +-
21978 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
21979 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
21980 drivers/i2c/i2c-dev.c | 2 +-
21981 drivers/ide/ide-cd.c | 2 +-
21982 drivers/iio/industrialio-core.c | 2 +-
21983 drivers/infiniband/core/cm.c | 32 +-
21984 drivers/infiniband/core/fmr_pool.c | 20 +-
21985 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
21986 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
21987 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
21988 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
21989 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
21990 drivers/infiniband/hw/nes/nes.c | 4 +-
21991 drivers/infiniband/hw/nes/nes.h | 40 +-
21992 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
21993 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
21994 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
21995 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
21996 drivers/infiniband/hw/qib/qib.h | 1 +
21997 drivers/input/gameport/gameport.c | 4 +-
21998 drivers/input/input.c | 4 +-
21999 drivers/input/joystick/sidewinder.c | 1 +
22000 drivers/input/joystick/xpad.c | 4 +-
22001 drivers/input/mouse/psmouse.h | 2 +-
22002 drivers/input/mousedev.c | 2 +-
22003 drivers/input/serio/serio.c | 4 +-
22004 drivers/iommu/iommu.c | 2 +-
22005 drivers/iommu/irq_remapping.c | 12 +-
22006 drivers/irqchip/irq-gic.c | 4 +-
22007 drivers/isdn/capi/capi.c | 10 +-
22008 drivers/isdn/gigaset/interface.c | 8 +-
22009 drivers/isdn/hardware/avm/b1.c | 4 +-
22010 drivers/isdn/i4l/isdn_tty.c | 22 +-
22011 drivers/isdn/icn/icn.c | 2 +-
22012 drivers/leds/leds-clevo-mail.c | 2 +-
22013 drivers/leds/leds-ss4200.c | 2 +-
22014 drivers/lguest/core.c | 10 +-
22015 drivers/lguest/page_tables.c | 2 +-
22016 drivers/lguest/x86/core.c | 12 +-
22017 drivers/lguest/x86/switcher_32.S | 27 +-
22018 drivers/md/bcache/closure.h | 2 +-
22019 drivers/md/bitmap.c | 2 +-
22020 drivers/md/dm-ioctl.c | 2 +-
22021 drivers/md/dm-raid1.c | 16 +-
22022 drivers/md/dm-stripe.c | 10 +-
22023 drivers/md/dm-table.c | 2 +-
22024 drivers/md/dm-thin-metadata.c | 4 +-
22025 drivers/md/dm.c | 16 +-
22026 drivers/md/md.c | 26 +-
22027 drivers/md/md.h | 6 +-
22028 drivers/md/persistent-data/dm-space-map.h | 1 +
22029 drivers/md/raid1.c | 4 +-
22030 drivers/md/raid10.c | 16 +-
22031 drivers/md/raid5.c | 10 +-
22032 drivers/media/dvb-core/dvbdev.c | 2 +-
22033 drivers/media/dvb-frontends/dib3000.h | 2 +-
22034 drivers/media/pci/cx88/cx88-video.c | 6 +-
22035 drivers/media/platform/omap/omap_vout.c | 11 +-
22036 drivers/media/platform/s5p-tv/mixer.h | 2 +-
22037 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
22038 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
22039 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
22040 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
22041 drivers/media/radio/radio-cadet.c | 2 +
22042 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
22043 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
22044 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
22045 drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
22046 drivers/message/fusion/mptsas.c | 34 +-
22047 drivers/message/fusion/mptscsih.c | 19 +-
22048 drivers/message/i2o/i2o_proc.c | 51 +-
22049 drivers/message/i2o/iop.c | 8 +-
22050 drivers/mfd/janz-cmodio.c | 1 +
22051 drivers/mfd/twl4030-irq.c | 9 +-
22052 drivers/mfd/twl6030-irq.c | 10 +-
22053 drivers/misc/c2port/core.c | 4 +-
22054 drivers/misc/kgdbts.c | 4 +-
22055 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
22056 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
22057 drivers/misc/sgi-gru/gruhandles.c | 4 +-
22058 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
22059 drivers/misc/sgi-gru/grutables.h | 154 +-
22060 drivers/misc/sgi-xp/xp.h | 2 +-
22061 drivers/misc/sgi-xp/xpc.h | 3 +-
22062 drivers/misc/sgi-xp/xpc_main.c | 4 +-
22063 drivers/mmc/core/mmc_ops.c | 2 +-
22064 drivers/mmc/host/dw_mmc.h | 2 +-
22065 drivers/mmc/host/sdhci-s3c.c | 8 +-
22066 drivers/mtd/nand/denali.c | 1 +
22067 drivers/mtd/nftlmount.c | 1 +
22068 drivers/mtd/sm_ftl.c | 2 +-
22069 drivers/net/bonding/bond_main.c | 2 +-
22070 drivers/net/ethernet/8390/ax88796.c | 4 +-
22071 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
22072 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
22073 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
22074 drivers/net/ethernet/broadcom/tg3.h | 1 +
22075 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
22076 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
22077 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
22078 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
22079 drivers/net/ethernet/faraday/ftmac100.c | 2 +
22080 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
22081 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
22082 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
22083 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
22084 drivers/net/ethernet/realtek/r8169.c | 8 +-
22085 drivers/net/ethernet/sfc/ptp.c | 2 +-
22086 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
22087 drivers/net/hyperv/hyperv_net.h | 2 +-
22088 drivers/net/hyperv/rndis_filter.c | 4 +-
22089 drivers/net/ieee802154/fakehard.c | 2 +-
22090 drivers/net/macvlan.c | 18 +-
22091 drivers/net/macvtap.c | 2 +-
22092 drivers/net/ppp/ppp_generic.c | 4 +-
22093 drivers/net/slip/slhc.c | 2 +-
22094 drivers/net/team/team.c | 2 +-
22095 drivers/net/tun.c | 5 +-
22096 drivers/net/usb/hso.c | 23 +-
22097 drivers/net/vxlan.c | 2 +-
22098 drivers/net/wireless/at76c50x-usb.c | 2 +-
22099 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
22100 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
22101 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
22102 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
22103 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
22104 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
22105 drivers/net/wireless/mac80211_hwsim.c | 32 +-
22106 drivers/net/wireless/rndis_wlan.c | 2 +-
22107 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
22108 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
22109 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
22110 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
22111 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
22112 drivers/oprofile/buffer_sync.c | 8 +-
22113 drivers/oprofile/event_buffer.c | 2 +-
22114 drivers/oprofile/oprof.c | 2 +-
22115 drivers/oprofile/oprofile_files.c | 2 +-
22116 drivers/oprofile/oprofile_stats.c | 10 +-
22117 drivers/oprofile/oprofile_stats.h | 10 +-
22118 drivers/oprofile/oprofilefs.c | 2 +-
22119 drivers/oprofile/timer_int.c | 2 +-
22120 drivers/parport/procfs.c | 4 +-
22121 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
22122 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
22123 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
22124 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
22125 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
22126 drivers/pci/hotplug/pciehp_core.c | 2 +-
22127 drivers/pci/pci-sysfs.c | 6 +-
22128 drivers/pci/pci.h | 2 +-
22129 drivers/pci/pcie/aspm.c | 6 +-
22130 drivers/pci/probe.c | 2 +-
22131 drivers/platform/x86/chromeos_laptop.c | 2 +-
22132 drivers/platform/x86/msi-laptop.c | 14 +-
22133 drivers/platform/x86/sony-laptop.c | 2 +-
22134 drivers/platform/x86/thinkpad_acpi.c | 70 +-
22135 drivers/pnp/pnpbios/bioscalls.c | 14 +-
22136 drivers/pnp/resource.c | 4 +-
22137 drivers/power/pda_power.c | 7 +-
22138 drivers/power/power_supply.h | 4 +-
22139 drivers/power/power_supply_core.c | 7 +-
22140 drivers/power/power_supply_sysfs.c | 6 +-
22141 drivers/regulator/max8660.c | 6 +-
22142 drivers/regulator/max8973-regulator.c | 8 +-
22143 drivers/regulator/mc13892-regulator.c | 6 +-
22144 drivers/rtc/rtc-cmos.c | 4 +-
22145 drivers/rtc/rtc-ds1307.c | 2 +-
22146 drivers/rtc/rtc-m48t59.c | 4 +-
22147 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
22148 drivers/scsi/bfa/bfa_ioc.h | 4 +-
22149 drivers/scsi/hosts.c | 4 +-
22150 drivers/scsi/hpsa.c | 30 +-
22151 drivers/scsi/hpsa.h | 2 +-
22152 drivers/scsi/libfc/fc_exch.c | 50 +-
22153 drivers/scsi/libsas/sas_ata.c | 2 +-
22154 drivers/scsi/lpfc/lpfc.h | 8 +-
22155 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
22156 drivers/scsi/lpfc/lpfc_init.c | 6 +-
22157 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
22158 drivers/scsi/pmcraid.c | 20 +-
22159 drivers/scsi/pmcraid.h | 8 +-
22160 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
22161 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
22162 drivers/scsi/qla2xxx/qla_os.c | 6 +-
22163 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
22164 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
22165 drivers/scsi/scsi.c | 2 +-
22166 drivers/scsi/scsi_lib.c | 6 +-
22167 drivers/scsi/scsi_sysfs.c | 2 +-
22168 drivers/scsi/scsi_tgt_lib.c | 2 +-
22169 drivers/scsi/scsi_transport_fc.c | 8 +-
22170 drivers/scsi/scsi_transport_iscsi.c | 6 +-
22171 drivers/scsi/scsi_transport_srp.c | 6 +-
22172 drivers/scsi/sd.c | 2 +-
22173 drivers/scsi/sg.c | 2 +-
22174 drivers/spi/spi.c | 2 +-
22175 drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
22176 drivers/staging/octeon/ethernet-rx.c | 12 +-
22177 drivers/staging/octeon/ethernet.c | 8 +-
22178 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
22179 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
22180 drivers/staging/usbip/vhci.h | 2 +-
22181 drivers/staging/usbip/vhci_hcd.c | 6 +-
22182 drivers/staging/usbip/vhci_rx.c | 2 +-
22183 drivers/staging/vt6655/hostap.c | 7 +-
22184 drivers/staging/vt6656/hostap.c | 7 +-
22185 drivers/staging/zcache/tmem.c | 4 +-
22186 drivers/staging/zcache/tmem.h | 2 +
22187 drivers/target/target_core_device.c | 2 +-
22188 drivers/target/target_core_transport.c | 2 +-
22189 drivers/tty/cyclades.c | 6 +-
22190 drivers/tty/hvc/hvc_console.c | 14 +-
22191 drivers/tty/hvc/hvcs.c | 21 +-
22192 drivers/tty/ipwireless/tty.c | 27 +-
22193 drivers/tty/moxa.c | 2 +-
22194 drivers/tty/n_gsm.c | 4 +-
22195 drivers/tty/n_tty.c | 3 +-
22196 drivers/tty/pty.c | 4 +-
22197 drivers/tty/rocket.c | 6 +-
22198 drivers/tty/serial/kgdboc.c | 32 +-
22199 drivers/tty/serial/samsung.c | 9 +-
22200 drivers/tty/serial/serial_core.c | 8 +-
22201 drivers/tty/synclink.c | 34 +-
22202 drivers/tty/synclink_gt.c | 28 +-
22203 drivers/tty/synclinkmp.c | 34 +-
22204 drivers/tty/tty_io.c | 2 +-
22205 drivers/tty/tty_ldisc.c | 10 +-
22206 drivers/tty/tty_port.c | 22 +-
22207 drivers/uio/uio.c | 21 +-
22208 drivers/usb/atm/cxacru.c | 2 +-
22209 drivers/usb/atm/usbatm.c | 24 +-
22210 drivers/usb/core/devices.c | 6 +-
22211 drivers/usb/core/hcd.c | 4 +-
22212 drivers/usb/core/message.c | 2 +-
22213 drivers/usb/core/sysfs.c | 2 +-
22214 drivers/usb/core/usb.c | 2 +-
22215 drivers/usb/early/ehci-dbgp.c | 16 +-
22216 drivers/usb/gadget/u_serial.c | 22 +-
22217 drivers/usb/serial/console.c | 6 +-
22218 drivers/usb/storage/usb.h | 2 +-
22219 drivers/usb/wusbcore/wa-hc.h | 4 +-
22220 drivers/usb/wusbcore/wa-xfer.c | 2 +-
22221 drivers/vhost/vringh.c | 2 +-
22222 drivers/video/aty/aty128fb.c | 2 +-
22223 drivers/video/aty/atyfb_base.c | 8 +-
22224 drivers/video/aty/mach64_cursor.c | 5 +-
22225 drivers/video/backlight/kb3886_bl.c | 2 +-
22226 drivers/video/fb_defio.c | 6 +-
22227 drivers/video/fbcmap.c | 3 +-
22228 drivers/video/fbmem.c | 6 +-
22229 drivers/video/i810/i810_accel.c | 1 +
22230 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
22231 drivers/video/nvidia/nvidia.c | 27 +-
22232 drivers/video/output.c | 2 +-
22233 drivers/video/s1d13xxxfb.c | 6 +-
22234 drivers/video/smscufx.c | 4 +-
22235 drivers/video/udlfb.c | 36 +-
22236 drivers/video/uvesafb.c | 53 +-
22237 drivers/video/vesafb.c | 58 +-
22238 drivers/video/via/via_clock.h | 2 +-
22239 fs/9p/vfs_addr.c | 2 +-
22240 fs/9p/vfs_inode.c | 2 +-
22241 fs/Kconfig.binfmt | 2 +-
22242 fs/aio.c | 12 +-
22243 fs/autofs4/waitq.c | 2 +-
22244 fs/befs/endian.h | 4 +-
22245 fs/befs/linuxvfs.c | 2 +-
22246 fs/binfmt_aout.c | 23 +-
22247 fs/binfmt_elf.c | 607 ++-
22248 fs/binfmt_flat.c | 6 +
22249 fs/bio.c | 6 +-
22250 fs/block_dev.c | 2 +-
22251 fs/btrfs/ctree.c | 9 +-
22252 fs/btrfs/super.c | 2 +-
22253 fs/cachefiles/bind.c | 6 +-
22254 fs/cachefiles/daemon.c | 8 +-
22255 fs/cachefiles/internal.h | 12 +-
22256 fs/cachefiles/namei.c | 2 +-
22257 fs/cachefiles/proc.c | 12 +-
22258 fs/cachefiles/rdwr.c | 2 +-
22259 fs/ceph/dir.c | 2 +-
22260 fs/cifs/cifs_debug.c | 12 +-
22261 fs/cifs/cifsfs.c | 8 +-
22262 fs/cifs/cifsglob.h | 54 +-
22263 fs/cifs/link.c | 2 +-
22264 fs/cifs/misc.c | 4 +-
22265 fs/cifs/smb1ops.c | 80 +-
22266 fs/cifs/smb2ops.c | 84 +-
22267 fs/cifs/smb2pdu.c | 3 +-
22268 fs/coda/cache.c | 10 +-
22269 fs/compat.c | 6 +-
22270 fs/compat_binfmt_elf.c | 2 +
22271 fs/compat_ioctl.c | 12 +-
22272 fs/configfs/dir.c | 10 +-
22273 fs/coredump.c | 24 +-
22274 fs/dcache.c | 2 +-
22275 fs/ecryptfs/inode.c | 4 +-
22276 fs/ecryptfs/miscdev.c | 2 +-
22277 fs/exec.c | 362 ++-
22278 fs/ext4/ext4.h | 20 +-
22279 fs/ext4/mballoc.c | 44 +-
22280 fs/ext4/mmp.c | 2 +-
22281 fs/ext4/super.c | 4 +-
22282 fs/fhandle.c | 3 +-
22283 fs/fs_struct.c | 8 +-
22284 fs/fscache/cookie.c | 36 +-
22285 fs/fscache/internal.h | 196 +-
22286 fs/fscache/object.c | 28 +-
22287 fs/fscache/operation.c | 30 +-
22288 fs/fscache/page.c | 110 +-
22289 fs/fscache/stats.c | 344 +-
22290 fs/fuse/cuse.c | 10 +-
22291 fs/fuse/dev.c | 4 +-
22292 fs/fuse/dir.c | 2 +-
22293 fs/gfs2/inode.c | 2 +-
22294 fs/hugetlbfs/inode.c | 13 +-
22295 fs/inode.c | 4 +-
22296 fs/jffs2/erase.c | 3 +-
22297 fs/jffs2/wbuf.c | 3 +-
22298 fs/jfs/super.c | 2 +-
22299 fs/libfs.c | 10 +-
22300 fs/lockd/clntproc.c | 4 +-
22301 fs/lockd/svc.c | 2 +-
22302 fs/locks.c | 8 +-
22303 fs/namei.c | 15 +-
22304 fs/namespace.c | 10 +-
22305 fs/nfs/callback.c | 4 +-
22306 fs/nfs/callback_xdr.c | 2 +-
22307 fs/nfs/inode.c | 6 +-
22308 fs/nfs/nfs4state.c | 2 +-
22309 fs/nfsd/nfs4proc.c | 2 +-
22310 fs/nfsd/nfs4xdr.c | 6 +-
22311 fs/nfsd/nfscache.c | 9 +-
22312 fs/nfsd/vfs.c | 6 +-
22313 fs/nls/nls_base.c | 18 +-
22314 fs/nls/nls_euc-jp.c | 6 +-
22315 fs/nls/nls_koi8-ru.c | 6 +-
22316 fs/notify/fanotify/fanotify_user.c | 4 +-
22317 fs/notify/notification.c | 4 +-
22318 fs/ntfs/dir.c | 2 +-
22319 fs/ntfs/file.c | 4 +-
22320 fs/ocfs2/localalloc.c | 2 +-
22321 fs/ocfs2/ocfs2.h | 10 +-
22322 fs/ocfs2/suballoc.c | 12 +-
22323 fs/ocfs2/super.c | 20 +-
22324 fs/pipe.c | 61 +-
22325 fs/proc/array.c | 20 +
22326 fs/proc/base.c | 4 +-
22327 fs/proc/kcore.c | 32 +-
22328 fs/proc/meminfo.c | 2 +-
22329 fs/proc/nommu.c | 2 +-
22330 fs/proc/proc_sysctl.c | 18 +-
22331 fs/proc/self.c | 2 +-
22332 fs/proc/task_mmu.c | 39 +-
22333 fs/proc/task_nommu.c | 4 +-
22334 fs/proc/vmcore.c | 12 +-
22335 fs/qnx6/qnx6.h | 4 +-
22336 fs/quota/netlink.c | 4 +-
22337 fs/read_write.c | 2 +-
22338 fs/readdir.c | 2 +-
22339 fs/reiserfs/do_balan.c | 2 +-
22340 fs/reiserfs/procfs.c | 2 +-
22341 fs/reiserfs/reiserfs.h | 4 +-
22342 fs/seq_file.c | 2 +-
22343 fs/splice.c | 40 +-
22344 fs/sysfs/bin.c | 6 +-
22345 fs/sysfs/dir.c | 2 +-
22346 fs/sysfs/file.c | 10 +-
22347 fs/sysfs/symlink.c | 2 +-
22348 fs/sysv/sysv.h | 2 +-
22349 fs/ubifs/io.c | 2 +-
22350 fs/udf/misc.c | 2 +-
22351 fs/ufs/swab.h | 4 +-
22352 fs/xattr.c | 21 +
22353 fs/xattr_acl.c | 4 +-
22354 fs/xfs/xfs_bmap.c | 2 +-
22355 fs/xfs/xfs_dir2_sf.c | 10 +-
22356 fs/xfs/xfs_ioctl.c | 2 +-
22357 fs/xfs/xfs_iops.c | 2 +-
22358 include/asm-generic/4level-fixup.h | 2 +
22359 include/asm-generic/atomic-long.h | 210 +
22360 include/asm-generic/atomic.h | 2 +-
22361 include/asm-generic/atomic64.h | 12 +
22362 include/asm-generic/cache.h | 4 +-
22363 include/asm-generic/emergency-restart.h | 2 +-
22364 include/asm-generic/kmap_types.h | 4 +-
22365 include/asm-generic/local.h | 13 +
22366 include/asm-generic/pgtable-nopmd.h | 18 +-
22367 include/asm-generic/pgtable-nopud.h | 15 +-
22368 include/asm-generic/pgtable.h | 8 +
22369 include/asm-generic/vmlinux.lds.h | 10 +-
22370 include/crypto/algapi.h | 2 +-
22371 include/drm/drmP.h | 17 +-
22372 include/drm/drm_crtc_helper.h | 2 +-
22373 include/drm/ttm/ttm_memory.h | 2 +-
22374 include/keys/asymmetric-subtype.h | 2 +-
22375 include/linux/atmdev.h | 4 +-
22376 include/linux/binfmts.h | 3 +-
22377 include/linux/blkdev.h | 2 +-
22378 include/linux/blktrace_api.h | 2 +-
22379 include/linux/cache.h | 4 +
22380 include/linux/cdrom.h | 1 -
22381 include/linux/cleancache.h | 2 +-
22382 include/linux/clk-provider.h | 1 +
22383 include/linux/compat.h | 4 +-
22384 include/linux/compiler-gcc4.h | 20 +
22385 include/linux/compiler.h | 65 +-
22386 include/linux/completion.h | 6 +-
22387 include/linux/configfs.h | 2 +-
22388 include/linux/cpu.h | 2 +-
22389 include/linux/cpufreq.h | 3 +-
22390 include/linux/cpuidle.h | 5 +-
22391 include/linux/cpumask.h | 12 +-
22392 include/linux/crypto.h | 6 +-
22393 include/linux/ctype.h | 2 +-
22394 include/linux/decompress/mm.h | 2 +-
22395 include/linux/devfreq.h | 2 +-
22396 include/linux/device.h | 7 +-
22397 include/linux/dma-mapping.h | 2 +-
22398 include/linux/dmaengine.h | 4 +-
22399 include/linux/efi.h | 1 +
22400 include/linux/elf.h | 2 +
22401 include/linux/err.h | 4 +-
22402 include/linux/extcon.h | 2 +-
22403 include/linux/fb.h | 2 +-
22404 include/linux/filter.h | 4 +
22405 include/linux/frontswap.h | 2 +-
22406 include/linux/fs.h | 3 +-
22407 include/linux/fs_struct.h | 2 +-
22408 include/linux/fscache-cache.h | 4 +-
22409 include/linux/fscache.h | 2 +-
22410 include/linux/fsnotify.h | 2 +-
22411 include/linux/genhd.h | 2 +-
22412 include/linux/genl_magic_func.h | 2 +-
22413 include/linux/gfp.h | 12 +-
22414 include/linux/highmem.h | 12 +
22415 include/linux/hwmon-sysfs.h | 5 +-
22416 include/linux/i2c.h | 1 +
22417 include/linux/i2o.h | 2 +-
22418 include/linux/if_pppox.h | 2 +-
22419 include/linux/init.h | 33 +-
22420 include/linux/init_task.h | 7 +
22421 include/linux/interrupt.h | 8 +-
22422 include/linux/iommu.h | 2 +-
22423 include/linux/ioport.h | 2 +-
22424 include/linux/irq.h | 3 +-
22425 include/linux/irqchip/arm-gic.h | 4 +-
22426 include/linux/key-type.h | 2 +-
22427 include/linux/kgdb.h | 6 +-
22428 include/linux/kobject.h | 3 +-
22429 include/linux/kobject_ns.h | 2 +-
22430 include/linux/kref.h | 2 +-
22431 include/linux/kvm_host.h | 4 +-
22432 include/linux/libata.h | 2 +-
22433 include/linux/list.h | 15 +
22434 include/linux/math64.h | 6 +-
22435 include/linux/mm.h | 116 +-
22436 include/linux/mm_types.h | 20 +
22437 include/linux/mmiotrace.h | 4 +-
22438 include/linux/mmzone.h | 2 +-
22439 include/linux/mod_devicetable.h | 6 +-
22440 include/linux/module.h | 60 +-
22441 include/linux/moduleloader.h | 16 +
22442 include/linux/moduleparam.h | 4 +-
22443 include/linux/namei.h | 6 +-
22444 include/linux/net.h | 2 +-
22445 include/linux/netdevice.h | 3 +-
22446 include/linux/netfilter.h | 2 +-
22447 include/linux/netfilter/ipset/ip_set.h | 2 +-
22448 include/linux/netfilter/nfnetlink.h | 2 +-
22449 include/linux/nls.h | 2 +-
22450 include/linux/notifier.h | 3 +-
22451 include/linux/oprofile.h | 4 +-
22452 include/linux/pci_hotplug.h | 3 +-
22453 include/linux/perf_event.h | 12 +-
22454 include/linux/pipe_fs_i.h | 8 +-
22455 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
22456 include/linux/platform_data/usb-ohci-exynos.h | 2 +-
22457 include/linux/pm_domain.h | 2 +-
22458 include/linux/pm_runtime.h | 2 +-
22459 include/linux/pnp.h | 2 +-
22460 include/linux/poison.h | 4 +-
22461 include/linux/power/smartreflex.h | 2 +-
22462 include/linux/ppp-comp.h | 2 +-
22463 include/linux/proc_ns.h | 2 +-
22464 include/linux/random.h | 5 +
22465 include/linux/rculist.h | 16 +
22466 include/linux/reboot.h | 14 +-
22467 include/linux/regset.h | 3 +-
22468 include/linux/relay.h | 2 +-
22469 include/linux/rio.h | 2 +-
22470 include/linux/rmap.h | 4 +-
22471 include/linux/sched.h | 65 +-
22472 include/linux/sched/sysctl.h | 1 +
22473 include/linux/seq_file.h | 1 +
22474 include/linux/skbuff.h | 12 +-
22475 include/linux/slab.h | 42 +-
22476 include/linux/slab_def.h | 28 +-
22477 include/linux/slob_def.h | 4 +-
22478 include/linux/slub_def.h | 8 +-
22479 include/linux/sock_diag.h | 2 +-
22480 include/linux/sonet.h | 2 +-
22481 include/linux/sunrpc/addr.h | 8 +-
22482 include/linux/sunrpc/clnt.h | 2 +-
22483 include/linux/sunrpc/svc.h | 2 +-
22484 include/linux/sunrpc/svc_rdma.h | 18 +-
22485 include/linux/sunrpc/svcauth.h | 2 +-
22486 include/linux/swiotlb.h | 3 +-
22487 include/linux/syscalls.h | 10 +-
22488 include/linux/syscore_ops.h | 2 +-
22489 include/linux/sysctl.h | 6 +-
22490 include/linux/sysfs.h | 10 +-
22491 include/linux/sysrq.h | 3 +-
22492 include/linux/thread_info.h | 7 +
22493 include/linux/tty.h | 4 +-
22494 include/linux/tty_driver.h | 2 +-
22495 include/linux/tty_ldisc.h | 2 +-
22496 include/linux/types.h | 16 +
22497 include/linux/uaccess.h | 6 +-
22498 include/linux/unaligned/access_ok.h | 24 +-
22499 include/linux/usb.h | 4 +-
22500 include/linux/usb/renesas_usbhs.h | 2 +-
22501 include/linux/vermagic.h | 21 +-
22502 include/linux/vmalloc.h | 11 +-
22503 include/linux/vmstat.h | 20 +-
22504 include/linux/xattr.h | 5 +-
22505 include/linux/zlib.h | 3 +-
22506 include/media/v4l2-dev.h | 2 +-
22507 include/net/9p/transport.h | 2 +-
22508 include/net/bluetooth/l2cap.h | 2 +-
22509 include/net/caif/cfctrl.h | 6 +-
22510 include/net/flow.h | 2 +-
22511 include/net/genetlink.h | 2 +-
22512 include/net/gro_cells.h | 2 +-
22513 include/net/inet_connection_sock.h | 2 +-
22514 include/net/inetpeer.h | 8 +-
22515 include/net/ip.h | 2 +-
22516 include/net/ip_fib.h | 2 +-
22517 include/net/ip_vs.h | 8 +-
22518 include/net/irda/ircomm_tty.h | 1 +
22519 include/net/iucv/af_iucv.h | 2 +-
22520 include/net/llc_c_ac.h | 2 +-
22521 include/net/llc_c_ev.h | 4 +-
22522 include/net/llc_c_st.h | 2 +-
22523 include/net/llc_s_ac.h | 2 +-
22524 include/net/llc_s_st.h | 2 +-
22525 include/net/mac80211.h | 2 +-
22526 include/net/neighbour.h | 2 +-
22527 include/net/net_namespace.h | 12 +-
22528 include/net/netdma.h | 2 +-
22529 include/net/netlink.h | 2 +-
22530 include/net/netns/conntrack.h | 6 +-
22531 include/net/netns/ipv4.h | 2 +-
22532 include/net/netns/ipv6.h | 2 +-
22533 include/net/protocol.h | 4 +-
22534 include/net/rtnetlink.h | 2 +-
22535 include/net/sctp/sctp.h | 6 +-
22536 include/net/sctp/sm.h | 4 +-
22537 include/net/sctp/structs.h | 2 +-
22538 include/net/sock.h | 6 +-
22539 include/net/tcp.h | 8 +-
22540 include/net/xfrm.h | 8 +-
22541 include/rdma/iw_cm.h | 2 +-
22542 include/scsi/libfc.h | 3 +-
22543 include/scsi/scsi_device.h | 6 +-
22544 include/scsi/scsi_transport_fc.h | 3 +-
22545 include/sound/compress_driver.h | 2 +-
22546 include/sound/soc.h | 4 +-
22547 include/target/target_core_base.h | 2 +-
22548 include/trace/events/irq.h | 4 +-
22549 include/uapi/linux/a.out.h | 8 +
22550 include/uapi/linux/byteorder/little_endian.h | 28 +-
22551 include/uapi/linux/elf.h | 28 +
22552 include/uapi/linux/screen_info.h | 3 +-
22553 include/uapi/linux/swab.h | 6 +-
22554 include/uapi/linux/sysctl.h | 6 +-
22555 include/uapi/linux/xattr.h | 4 +
22556 include/video/udlfb.h | 8 +-
22557 include/video/uvesafb.h | 1 +
22558 init/Kconfig | 2 +-
22559 init/Makefile | 3 +
22560 init/do_mounts.c | 14 +-
22561 init/do_mounts.h | 8 +-
22562 init/do_mounts_initrd.c | 30 +-
22563 init/do_mounts_md.c | 6 +-
22564 init/init_task.c | 4 +
22565 init/initramfs.c | 42 +-
22566 init/main.c | 83 +-
22567 ipc/ipc_sysctl.c | 10 +-
22568 ipc/mq_sysctl.c | 2 +-
22569 ipc/msg.c | 11 +-
22570 ipc/sem.c | 11 +-
22571 ipc/shm.c | 17 +-
22572 kernel/acct.c | 2 +-
22573 kernel/audit.c | 8 +-
22574 kernel/auditfilter.c | 2 +-
22575 kernel/auditsc.c | 4 +-
22576 kernel/capability.c | 3 +
22577 kernel/compat.c | 38 +-
22578 kernel/debug/debug_core.c | 16 +-
22579 kernel/debug/kdb/kdb_main.c | 4 +-
22580 kernel/events/core.c | 30 +-
22581 kernel/events/internal.h | 10 +-
22582 kernel/exit.c | 4 +-
22583 kernel/fork.c | 167 +-
22584 kernel/futex.c | 9 +
22585 kernel/futex_compat.c | 2 +-
22586 kernel/gcov/base.c | 7 +-
22587 kernel/hrtimer.c | 4 +-
22588 kernel/irq_work.c | 7 +-
22589 kernel/jump_label.c | 5 +
22590 kernel/kallsyms.c | 39 +-
22591 kernel/kexec.c | 3 +-
22592 kernel/kmod.c | 4 +-
22593 kernel/kprobes.c | 8 +-
22594 kernel/ksysfs.c | 2 +-
22595 kernel/lockdep.c | 7 +-
22596 kernel/module.c | 337 +-
22597 kernel/mutex-debug.c | 12 +-
22598 kernel/mutex-debug.h | 4 +-
22599 kernel/mutex.c | 11 +-
22600 kernel/notifier.c | 17 +-
22601 kernel/panic.c | 3 +-
22602 kernel/pid.c | 2 +-
22603 kernel/pid_namespace.c | 2 +-
22604 kernel/posix-cpu-timers.c | 4 +-
22605 kernel/posix-timers.c | 22 +-
22606 kernel/power/process.c | 12 +-
22607 kernel/profile.c | 14 +-
22608 kernel/ptrace.c | 8 +-
22609 kernel/rcupdate.c | 4 +-
22610 kernel/rcutiny.c | 4 +-
22611 kernel/rcutiny_plugin.h | 2 +-
22612 kernel/rcutorture.c | 56 +-
22613 kernel/rcutree.c | 76 +-
22614 kernel/rcutree.h | 24 +-
22615 kernel/rcutree_plugin.h | 20 +-
22616 kernel/rcutree_trace.c | 22 +-
22617 kernel/rtmutex-tester.c | 24 +-
22618 kernel/sched/auto_group.c | 4 +-
22619 kernel/sched/core.c | 51 +-
22620 kernel/sched/fair.c | 4 +-
22621 kernel/sched/sched.h | 2 +-
22622 kernel/signal.c | 12 +-
22623 kernel/smp.c | 2 +-
22624 kernel/smpboot.c | 4 +-
22625 kernel/softirq.c | 18 +-
22626 kernel/srcu.c | 4 +-
22627 kernel/sys.c | 10 +-
22628 kernel/sysctl.c | 39 +-
22629 kernel/time.c | 2 +-
22630 kernel/time/alarmtimer.c | 2 +-
22631 kernel/time/tick-broadcast.c | 2 +-
22632 kernel/time/timer_stats.c | 10 +-
22633 kernel/timer.c | 6 +-
22634 kernel/trace/blktrace.c | 6 +-
22635 kernel/trace/ftrace.c | 18 +-
22636 kernel/trace/ring_buffer.c | 76 +-
22637 kernel/trace/trace.c | 2 +-
22638 kernel/trace/trace.h | 2 +-
22639 kernel/trace/trace_events.c | 25 +-
22640 kernel/trace/trace_mmiotrace.c | 8 +-
22641 kernel/trace/trace_output.c | 12 +-
22642 kernel/trace/trace_stack.c | 2 +-
22643 kernel/user_namespace.c | 2 +-
22644 kernel/utsname_sysctl.c | 2 +-
22645 kernel/watchdog.c | 2 +-
22646 kernel/workqueue.c | 2 +-
22647 lib/Kconfig.debug | 8 +-
22648 lib/Makefile | 2 +-
22649 lib/bitmap.c | 8 +-
22650 lib/bug.c | 2 +
22651 lib/debugobjects.c | 2 +-
22652 lib/devres.c | 4 +-
22653 lib/div64.c | 4 +-
22654 lib/dma-debug.c | 4 +-
22655 lib/inflate.c | 2 +-
22656 lib/ioremap.c | 4 +-
22657 lib/kobject.c | 6 +-
22658 lib/list_debug.c | 126 +-
22659 lib/radix-tree.c | 2 +-
22660 lib/strncpy_from_user.c | 2 +-
22661 lib/strnlen_user.c | 2 +-
22662 lib/swiotlb.c | 2 +-
22663 lib/usercopy.c | 6 +
22664 lib/vsprintf.c | 12 +-
22665 mm/Kconfig | 6 +-
22666 mm/backing-dev.c | 4 +-
22667 mm/filemap.c | 2 +-
22668 mm/fremap.c | 5 +
22669 mm/highmem.c | 7 +-
22670 mm/hugetlb.c | 70 +-
22671 mm/internal.h | 1 +
22672 mm/maccess.c | 4 +-
22673 mm/madvise.c | 41 +
22674 mm/memory-failure.c | 26 +-
22675 mm/memory.c | 424 ++-
22676 mm/mempolicy.c | 26 +
22677 mm/mlock.c | 15 +-
22678 mm/mmap.c | 606 ++-
22679 mm/mprotect.c | 139 +-
22680 mm/mremap.c | 44 +-
22681 mm/nommu.c | 21 +-
22682 mm/page-writeback.c | 4 +-
22683 mm/page_alloc.c | 41 +-
22684 mm/page_io.c | 2 +-
22685 mm/percpu.c | 2 +-
22686 mm/process_vm_access.c | 14 +-
22687 mm/rmap.c | 38 +-
22688 mm/shmem.c | 19 +-
22689 mm/slab.c | 79 +-
22690 mm/slab.h | 5 +-
22691 mm/slab_common.c | 46 +-
22692 mm/slob.c | 201 +-
22693 mm/slub.c | 79 +-
22694 mm/sparse-vmemmap.c | 4 +-
22695 mm/sparse.c | 2 +-
22696 mm/swap.c | 3 +
22697 mm/swapfile.c | 12 +-
22698 mm/util.c | 6 +
22699 mm/vmalloc.c | 77 +-
22700 mm/vmstat.c | 12 +-
22701 net/8021q/vlan.c | 5 +-
22702 net/9p/mod.c | 4 +-
22703 net/9p/trans_fd.c | 2 +-
22704 net/atm/atm_misc.c | 8 +-
22705 net/atm/lec.h | 2 +-
22706 net/atm/proc.c | 6 +-
22707 net/atm/resources.c | 4 +-
22708 net/ax25/sysctl_net_ax25.c | 2 +-
22709 net/batman-adv/bat_iv_ogm.c | 8 +-
22710 net/batman-adv/hard-interface.c | 4 +-
22711 net/batman-adv/soft-interface.c | 4 +-
22712 net/batman-adv/types.h | 6 +-
22713 net/batman-adv/unicast.c | 2 +-
22714 net/bluetooth/hci_core.c | 8 +-
22715 net/bluetooth/hci_sock.c | 2 +-
22716 net/bluetooth/l2cap_core.c | 6 +-
22717 net/bluetooth/l2cap_sock.c | 12 +-
22718 net/bluetooth/rfcomm/sock.c | 4 +-
22719 net/bluetooth/rfcomm/tty.c | 10 +-
22720 net/bridge/netfilter/ebtables.c | 6 +-
22721 net/caif/cfctrl.c | 11 +-
22722 net/can/af_can.c | 2 +-
22723 net/can/gw.c | 6 +-
22724 net/compat.c | 34 +-
22725 net/core/datagram.c | 2 +-
22726 net/core/dev.c | 16 +-
22727 net/core/flow.c | 8 +-
22728 net/core/iovec.c | 4 +-
22729 net/core/neighbour.c | 2 +-
22730 net/core/net-sysfs.c | 2 +-
22731 net/core/net_namespace.c | 8 +-
22732 net/core/rtnetlink.c | 13 +-
22733 net/core/scm.c | 8 +-
22734 net/core/sock.c | 24 +-
22735 net/core/sock_diag.c | 9 +-
22736 net/core/sysctl_net_core.c | 18 +-
22737 net/decnet/af_decnet.c | 1 +
22738 net/decnet/sysctl_net_decnet.c | 4 +-
22739 net/ipv4/af_inet.c | 8 +-
22740 net/ipv4/ah4.c | 2 +-
22741 net/ipv4/devinet.c | 18 +-
22742 net/ipv4/esp4.c | 2 +-
22743 net/ipv4/fib_frontend.c | 6 +-
22744 net/ipv4/fib_semantics.c | 2 +-
22745 net/ipv4/inet_connection_sock.c | 2 +-
22746 net/ipv4/inetpeer.c | 4 +-
22747 net/ipv4/ip_fragment.c | 15 +-
22748 net/ipv4/ip_gre.c | 6 +-
22749 net/ipv4/ip_sockglue.c | 2 +-
22750 net/ipv4/ip_vti.c | 4 +-
22751 net/ipv4/ipcomp.c | 2 +-
22752 net/ipv4/ipconfig.c | 6 +-
22753 net/ipv4/ipip.c | 4 +-
22754 net/ipv4/netfilter/arp_tables.c | 12 +-
22755 net/ipv4/netfilter/ip_tables.c | 12 +-
22756 net/ipv4/ping.c | 2 +-
22757 net/ipv4/raw.c | 14 +-
22758 net/ipv4/route.c | 18 +-
22759 net/ipv4/sysctl_net_ipv4.c | 45 +-
22760 net/ipv4/tcp_input.c | 2 +-
22761 net/ipv4/tcp_probe.c | 2 +-
22762 net/ipv4/udp.c | 10 +-
22763 net/ipv4/xfrm4_policy.c | 14 +-
22764 net/ipv6/addrconf.c | 12 +-
22765 net/ipv6/icmp.c | 2 +-
22766 net/ipv6/ip6_gre.c | 8 +-
22767 net/ipv6/ip6_tunnel.c | 4 +-
22768 net/ipv6/ipv6_sockglue.c | 2 +-
22769 net/ipv6/netfilter/ip6_tables.c | 12 +-
22770 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
22771 net/ipv6/raw.c | 19 +-
22772 net/ipv6/reassembly.c | 13 +-
22773 net/ipv6/route.c | 2 +-
22774 net/ipv6/sit.c | 4 +-
22775 net/ipv6/sysctl_net_ipv6.c | 2 +-
22776 net/ipv6/udp.c | 8 +-
22777 net/ipv6/xfrm6_policy.c | 13 +-
22778 net/irda/ircomm/ircomm_tty.c | 18 +-
22779 net/iucv/af_iucv.c | 4 +-
22780 net/iucv/iucv.c | 2 +-
22781 net/key/af_key.c | 4 +-
22782 net/mac80211/cfg.c | 8 +-
22783 net/mac80211/ieee80211_i.h | 3 +-
22784 net/mac80211/iface.c | 16 +-
22785 net/mac80211/main.c | 2 +-
22786 net/mac80211/pm.c | 6 +-
22787 net/mac80211/rate.c | 2 +-
22788 net/mac80211/rc80211_pid_debugfs.c | 2 +-
22789 net/mac80211/util.c | 4 +-
22790 net/netfilter/ipset/ip_set_core.c | 2 +-
22791 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
22792 net/netfilter/ipvs/ip_vs_core.c | 4 +-
22793 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
22794 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
22795 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
22796 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
22797 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
22798 net/netfilter/nf_conntrack_acct.c | 2 +-
22799 net/netfilter/nf_conntrack_ecache.c | 2 +-
22800 net/netfilter/nf_conntrack_helper.c | 2 +-
22801 net/netfilter/nf_conntrack_proto.c | 2 +-
22802 net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
22803 net/netfilter/nf_conntrack_standalone.c | 2 +-
22804 net/netfilter/nf_conntrack_timestamp.c | 2 +-
22805 net/netfilter/nf_log.c | 10 +-
22806 net/netfilter/nf_sockopt.c | 4 +-
22807 net/netfilter/nfnetlink_log.c | 4 +-
22808 net/netfilter/xt_statistic.c | 8 +-
22809 net/netlink/af_netlink.c | 4 +-
22810 net/netlink/genetlink.c | 16 +-
22811 net/packet/af_packet.c | 12 +-
22812 net/phonet/pep.c | 6 +-
22813 net/phonet/socket.c | 2 +-
22814 net/phonet/sysctl.c | 2 +-
22815 net/rds/cong.c | 6 +-
22816 net/rds/ib.h | 2 +-
22817 net/rds/ib_cm.c | 2 +-
22818 net/rds/ib_recv.c | 4 +-
22819 net/rds/iw.h | 2 +-
22820 net/rds/iw_cm.c | 2 +-
22821 net/rds/iw_recv.c | 4 +-
22822 net/rds/rds.h | 2 +-
22823 net/rds/tcp.c | 2 +-
22824 net/rds/tcp_send.c | 2 +-
22825 net/rxrpc/af_rxrpc.c | 2 +-
22826 net/rxrpc/ar-ack.c | 14 +-
22827 net/rxrpc/ar-call.c | 2 +-
22828 net/rxrpc/ar-connection.c | 2 +-
22829 net/rxrpc/ar-connevent.c | 2 +-
22830 net/rxrpc/ar-input.c | 4 +-
22831 net/rxrpc/ar-internal.h | 8 +-
22832 net/rxrpc/ar-local.c | 2 +-
22833 net/rxrpc/ar-output.c | 4 +-
22834 net/rxrpc/ar-peer.c | 2 +-
22835 net/rxrpc/ar-proc.c | 4 +-
22836 net/rxrpc/ar-transport.c | 2 +-
22837 net/rxrpc/rxkad.c | 4 +-
22838 net/sctp/ipv6.c | 6 +-
22839 net/sctp/protocol.c | 10 +-
22840 net/sctp/sm_sideeffect.c | 2 +-
22841 net/sctp/socket.c | 21 +-
22842 net/sctp/sysctl.c | 4 +-
22843 net/socket.c | 18 +-
22844 net/sunrpc/clnt.c | 4 +-
22845 net/sunrpc/sched.c | 4 +-
22846 net/sunrpc/svc.c | 6 +-
22847 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
22848 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
22849 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
22850 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
22851 net/tipc/link.c | 6 +-
22852 net/tipc/msg.c | 2 +-
22853 net/tipc/subscr.c | 2 +-
22854 net/unix/sysctl_net_unix.c | 2 +-
22855 net/wireless/wext-core.c | 19 +-
22856 net/xfrm/xfrm_policy.c | 27 +-
22857 net/xfrm/xfrm_state.c | 29 +-
22858 net/xfrm/xfrm_sysctl.c | 2 +-
22859 scripts/Makefile.build | 2 +-
22860 scripts/Makefile.clean | 3 +-
22861 scripts/Makefile.host | 28 +-
22862 scripts/basic/fixdep.c | 12 +-
22863 scripts/gcc-plugin.sh | 17 +
22864 scripts/headers_install.sh | 1 +
22865 scripts/link-vmlinux.sh | 2 +-
22866 scripts/mod/file2alias.c | 14 +-
22867 scripts/mod/modpost.c | 25 +-
22868 scripts/mod/modpost.h | 6 +-
22869 scripts/mod/sumversion.c | 2 +-
22870 scripts/package/builddeb | 1 +
22871 scripts/pnmtologo.c | 6 +-
22872 scripts/sortextable.h | 6 +-
22873 security/Kconfig | 676 +++-
22874 security/apparmor/lsm.c | 2 +-
22875 security/integrity/ima/ima.h | 4 +-
22876 security/integrity/ima/ima_api.c | 2 +-
22877 security/integrity/ima/ima_fs.c | 4 +-
22878 security/integrity/ima/ima_queue.c | 2 +-
22879 security/keys/compat.c | 2 +-
22880 security/keys/internal.h | 2 +-
22881 security/keys/key.c | 18 +-
22882 security/keys/keyctl.c | 8 +-
22883 security/keys/keyring.c | 6 +-
22884 security/security.c | 9 +-
22885 security/selinux/hooks.c | 2 +-
22886 security/selinux/include/xfrm.h | 2 +-
22887 security/smack/smack_lsm.c | 2 +-
22888 security/tomoyo/tomoyo.c | 2 +-
22889 security/yama/yama_lsm.c | 22 +-
22890 sound/aoa/codecs/onyx.c | 7 +-
22891 sound/aoa/codecs/onyx.h | 1 +
22892 sound/core/oss/pcm_oss.c | 18 +-
22893 sound/core/pcm_compat.c | 2 +-
22894 sound/core/pcm_native.c | 4 +-
22895 sound/core/seq/seq_device.c | 8 +-
22896 sound/core/sound.c | 2 +-
22897 sound/drivers/mts64.c | 14 +-
22898 sound/drivers/opl4/opl4_lib.c | 2 +-
22899 sound/drivers/portman2x4.c | 3 +-
22900 sound/firewire/amdtp.c | 4 +-
22901 sound/firewire/amdtp.h | 2 +-
22902 sound/firewire/isight.c | 10 +-
22903 sound/firewire/scs1x.c | 8 +-
22904 sound/oss/sb_audio.c | 2 +-
22905 sound/oss/swarm_cs4297a.c | 6 +-
22906 sound/pci/ymfpci/ymfpci.h | 2 +-
22907 sound/pci/ymfpci/ymfpci_main.c | 12 +-
22908 sound/soc/fsl/fsl_ssi.c | 2 +-
22909 sound/sound_core.c | 2 +-
22910 tools/gcc/.gitignore | 1 +
22911 tools/gcc/Makefile | 45 +
22912 tools/gcc/checker_plugin.c | 172 +
22913 tools/gcc/colorize_plugin.c | 151 +
22914 tools/gcc/constify_plugin.c | 560 ++
22915 tools/gcc/generate_size_overflow_hash.sh | 94 +
22916 tools/gcc/kallocstat_plugin.c | 170 +
22917 tools/gcc/kernexec_plugin.c | 465 ++
22918 tools/gcc/latent_entropy_plugin.c | 327 ++
22919 tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++
22920 tools/gcc/size_overflow_plugin.c | 2114 +++++++
22921 tools/gcc/stackleak_plugin.c | 327 ++
22922 tools/gcc/structleak_plugin.c | 277 +
22923 tools/perf/util/include/asm/alternative-asm.h | 3 +
22924 tools/perf/util/include/linux/compiler.h | 8 +
22925 virt/kvm/kvm_main.c | 32 +-
22926 1607 files changed, 30734 insertions(+), 7318 deletions(-)
22927commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
22928Merge: 0949bd4 fc53d63
22929Author: Brad Spengler <spender@grsecurity.net>
22930Date: Thu Mar 22 19:03:44 2012 -0400
22931
22932 Merge branch 'pax-test' into grsec-test
22933
22934commit fc53d6338964741b368070ec5c935bc579b8c2a6
22935Author: Brad Spengler <spender@grsecurity.net>
22936Date: Thu Mar 22 19:02:45 2012 -0400
22937
22938 Update to pax-linux-3.2.12-test33.patch
22939
22940commit 0949bd46a6455b308f66ad7c993bfee62412db35
22941Author: Brad Spengler <spender@grsecurity.net>
22942Date: Thu Mar 22 16:56:09 2012 -0400
22943
22944 Use current_umask() instead of current->fs->umask
22945
22946commit 22f6432d0fe733619cfcb523782ed7d80c46d645
22947Author: Brad Spengler <spender@grsecurity.net>
22948Date: Wed Mar 21 19:42:42 2012 -0400
22949
22950 compile fix
22951
22952commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
22953Author: Brad Spengler <spender@grsecurity.net>
22954Date: Wed Mar 21 19:34:56 2012 -0400
22955
22956 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
22957 uses of domains with particular hash collisions
22958
22959commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
22960Author: Brad Spengler <spender@grsecurity.net>
22961Date: Tue Mar 20 20:25:49 2012 -0400
22962
22963 zero kernel_role
22964
22965commit b00953b43c69238d181d21121ef1577c988d5f6b
22966Author: Brad Spengler <spender@grsecurity.net>
22967Date: Tue Mar 20 19:29:34 2012 -0400
22968
22969 zero real_root after releasing it
22970
22971commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
22972Merge: b724f59 273f98e
22973Author: Brad Spengler <spender@grsecurity.net>
22974Date: Tue Mar 20 19:11:26 2012 -0400
22975
22976 Merge branch 'pax-test' into grsec-test
22977
22978commit 273f98e58cdac555d3b5dce5c1ca168349f95878
22979Author: Brad Spengler <spender@grsecurity.net>
22980Date: Tue Mar 20 19:10:52 2012 -0400
22981
22982 Temporary workaround for (most) size_overflow plugin false-positives
22983 Increase randomization for brk-managed heap to 21 bits
22984 Update to pax-linux-3.2.12-test32.patch
22985
22986commit b724f59125304460c2af8bd4b02921993afbb5d3
22987Author: Brad Spengler <spender@grsecurity.net>
22988Date: Tue Mar 20 18:58:53 2012 -0400
22989
22990 compile fix
22991
22992commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
22993Author: Brad Spengler <spender@grsecurity.net>
22994Date: Tue Mar 20 18:52:23 2012 -0400
22995
22996 Require default and kernel role
22997
22998commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
22999Author: Brad Spengler <spender@grsecurity.net>
23000Date: Tue Mar 20 18:47:28 2012 -0400
23001
23002 Allow policies without special roles
23003 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
23004
23005commit 402ec3d24d66d38403dc543c84851f5e72d39e22
23006Merge: 8e012dc f14661a
23007Author: Brad Spengler <spender@grsecurity.net>
23008Date: Mon Mar 19 18:06:59 2012 -0400
23009
23010 Merge branch 'pax-test' into grsec-test
23011
23012 Conflicts:
23013 fs/namei.c
23014
23015commit f14661aaf202155c97f66626cea0269017bb7775
23016Merge: eae671f 058b017
23017Author: Brad Spengler <spender@grsecurity.net>
23018Date: Mon Mar 19 18:05:44 2012 -0400
23019
23020 Merge branch 'linux-3.2.y' into pax-test
23021
23022commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
23023Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
23024Date: Fri Mar 16 17:08:39 2012 -0700
23025
23026 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
23027
23028 According to the report from Slicky Devil, nilfs caused kernel oops at
23029 nilfs_load_super_block function during mount after he shrank the
23030 partition without resizing the filesystem:
23031
23032 BUG: unable to handle kernel NULL pointer dereference at 00000048
23033 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
23034 *pde = 00000000
23035 Oops: 0000 [#1] PREEMPT SMP
23036 ...
23037 Call Trace:
23038 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
23039 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
23040 [<c0226636>] mount_fs+0x36/0x180
23041 [<c023d961>] vfs_kern_mount+0x51/0xa0
23042 [<c023ddae>] do_kern_mount+0x3e/0xe0
23043 [<c023f189>] do_mount+0x169/0x700
23044 [<c023fa9b>] sys_mount+0x6b/0xa0
23045 [<c04abd1f>] sysenter_do_call+0x12/0x28
23046 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
23047 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
23048 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
23049 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
23050 CR2: 0000000000000048
23051
23052 This turned out due to a defect in an error path which runs if the
23053 calculated location of the secondary super block was invalid.
23054
23055 This patch fixes it and eliminates the reported oops.
23056
23057 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
23058 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
23059 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
23060 Cc: <stable@vger.kernel.org> [2.6.30+]
23061 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
23062 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23063
23064commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
23065Author: Haogang Chen <haogangchen@gmail.com>
23066Date: Fri Mar 16 17:08:38 2012 -0700
23067
23068 nilfs2: clamp ns_r_segments_percentage to [1, 99]
23069
23070 ns_r_segments_percentage is read from the disk. Bogus or malicious
23071 value could cause integer overflow and malfunction due to meaningless
23072 disk usage calculation. This patch reports error when mounting such
23073 bogus volumes.
23074
23075 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
23076 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
23077 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
23078 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23079
23080commit e1a90645643f9b0194a5984ec8febd06360d5c8b
23081Author: Eric Dumazet <eric.dumazet@gmail.com>
23082Date: Sat Mar 10 09:20:21 2012 +0000
23083
23084 tcp: fix syncookie regression
23085
23086 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
23087 added a serious regression on synflood handling.
23088
23089 Simon Kirby discovered a successful connection was delayed by 20 seconds
23090 before being responsive.
23091
23092 In my tests, I discovered that xmit frames were lost, and needed ~4
23093 retransmits and a socket dst rebuild before being really sent.
23094
23095 In case of syncookie initiated connection, we use a different path to
23096 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
23097
23098 As ip_queue_xmit() now depends on inet flow being setup, fix this by
23099 copying the temp flowi4 we use in cookie_v4_check().
23100
23101 Reported-by: Simon Kirby <sim@netnation.com>
23102 Bisected-by: Simon Kirby <sim@netnation.com>
23103 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
23104 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
23105 Signed-off-by: David S. Miller <davem@davemloft.net>
23106
23107commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
23108Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
23109Date: Mon Mar 12 02:59:41 2012 +0000
23110
23111 tun: don't hold network namespace by tun sockets
23112
23113 v3: added previously removed sock_put() to the tun_release() callback, because
23114 sk_release_kernel() doesn't drop the socket reference.
23115
23116 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
23117 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
23118 call.
23119
23120 TUN was designed to destroy it's socket on network namesapce shutdown. But this
23121 will never happen for persistent device, because it's socket holds network
23122 namespace.
23123 This patch removes of holding network namespace by TUN socket and replaces it
23124 by creating socket in init_net and then changing it's net it to desired one. On
23125 shutdown socket is moved back to init_net prior to final put.
23126
23127 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
23128 Signed-off-by: David S. Miller <davem@davemloft.net>
23129
23130commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
23131Author: Tyler Hicks <tyhicks@canonical.com>
23132Date: Mon Dec 12 10:02:30 2011 -0600
23133
23134 vfs: Correctly set the dir i_mutex lockdep class
23135
23136 9a7aa12f3911853a introduced additional logic around setting the i_mutex
23137 lockdep class for directory inodes. The idea was that some filesystems
23138 may want their own special lockdep class for different directory
23139 inodes and calling unlock_new_inode() should not clobber one of
23140 those special classes.
23141
23142 I believe that the added conditional, around the *negated* return value
23143 of lockdep_match_class(), caused directory inodes to be placed in the
23144 wrong lockdep class.
23145
23146 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
23147 all inodes. If the filesystem did not change the class during inode
23148 initialization, then the conditional mentioned above was false and the
23149 directory inode was incorrectly left in the non-directory lockdep class.
23150 If the filesystem did set a special lockdep class, then the conditional
23151 mentioned above was true and that class was clobbered with
23152 i_mutex_dir_key.
23153
23154 This patch removes the negation from the conditional so that the i_mutex
23155 lockdep class is properly set for directory inodes. Special classes are
23156 preserved and directory inodes with unmodified classes are set with
23157 i_mutex_dir_key.
23158
23159 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
23160 Reviewed-by: Jan Kara <jack@suse.cz>
23161 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23162
23163commit 603590b0d2eca61ce26499eac9c563bc567a18c9
23164Author: Jan Kara <jack@suse.cz>
23165Date: Mon Feb 20 17:54:00 2012 +0100
23166
23167 udf: Fix deadlock in udf_release_file()
23168
23169 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
23170 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
23171 i_mutex is not needed in udf_release_file() anymore since protection by
23172 i_data_sem is enough to protect from races with write and truncate.
23173
23174 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
23175 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
23176 Signed-off-by: Jan Kara <jack@suse.cz>
23177 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23178
23179commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
23180Author: Miklos Szeredi <mszeredi@suse.cz>
23181Date: Tue Mar 6 13:56:33 2012 +0100
23182
23183 vfs: fix double put after complete_walk()
23184
23185 complete_walk() already puts nd->path, no need to do it again at cleanup time.
23186
23187 This would result in Oopses if triggered, apparently the codepath is not too
23188 well exercised.
23189
23190 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
23191 CC: stable@vger.kernel.org
23192 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23193
23194commit 13885ba2b18400f3ef6540497d30f1af896605e5
23195Author: Miklos Szeredi <mszeredi@suse.cz>
23196Date: Tue Mar 6 13:56:34 2012 +0100
23197
23198 vfs: fix return value from do_last()
23199
23200 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
23201 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
23202 which is complete nonsense.
23203
23204 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
23205 CC: stable@vger.kernel.org
23206 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23207
23208 Conflicts:
23209
23210 fs/namei.c
23211
23212commit f5ab7572c99ffb58953eb1070622307e904c3b7f
23213Author: Al Viro <viro@zeniv.linux.org.uk>
23214Date: Sat Mar 10 17:07:28 2012 -0500
23215
23216 restore smp_mb() in unlock_new_inode()
23217
23218 wait_on_inode() doesn't have ->i_lock
23219
23220 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23221
23222commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
23223Author: David S. Miller <davem@davemloft.net>
23224Date: Tue Mar 13 18:19:51 2012 -0700
23225
23226 sparc32: Add -Av8 to assembler command line.
23227
23228 Newer version of binutils are more strict about specifying the
23229 correct options to enable certain classes of instructions.
23230
23231 The sparc32 build is done for v7 in order to support sun4c systems
23232 which lack hardware integer multiply and divide instructions.
23233
23234 So we have to pass -Av8 when building the assembler routines that
23235 use these instructions and get patched into the kernel when we find
23236 out that we have a v8 capable cpu.
23237
23238 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
23239 Signed-off-by: David S. Miller <davem@davemloft.net>
23240
23241commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
23242Author: Thomas Gleixner <tglx@linutronix.de>
23243Date: Fri Mar 9 20:55:10 2012 +0100
23244
23245 x86: Derandom delay_tsc for 64 bit
23246
23247 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
23248 delay_tsc() into a random delay generator for 64 bit. The reason is
23249 that it merged the mostly identical versions of delay_32.c and
23250 delay_64.c. Though the subtle difference of the result was:
23251
23252 static void delay_tsc(unsigned long loops)
23253 {
23254 - unsigned bclock, now;
23255 + unsigned long bclock, now;
23256
23257 Now the function uses rdtscl() which returns the lower 32bit of the
23258 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
23259 bit this fails when the lower 32bit are close to wrap around when
23260 bclock is read, because the following check
23261
23262 if ((now - bclock) >= loops)
23263 break;
23264
23265 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
23266 because the unsigned long (now - bclock) of these values results in
23267 0xffffffff00000001 which is definitely larger than the loops
23268 value. That explains Tvortkos observation:
23269
23270 "Because I am seeing udelay(500) (_occasionally_) being short, and
23271 that by delaying for some duration between 0us (yep) and 491us."
23272
23273 Make those variables explicitely u32 again, so this works for both 32
23274 and 64 bit.
23275
23276 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
23277 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
23278 Cc: stable@vger.kernel.org # >= 2.6.27
23279 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23280
23281commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
23282Author: Al Viro <viro@ZenIV.linux.org.uk>
23283Date: Thu Mar 8 17:51:19 2012 +0000
23284
23285 aio: fix the "too late munmap()" race
23286
23287 Current code has put_ioctx() called asynchronously from aio_fput_routine();
23288 that's done *after* we have killed the request that used to pin ioctx,
23289 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
23290 from progressing. As the result, we can end up with async call of
23291 put_ioctx() being the last one and possibly happening during exit_mmap()
23292 or elf_core_dump(), neither of which expects stray munmap() being done
23293 to them...
23294
23295 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
23296 with that, but that's all we care about - neither io_destroy() nor
23297 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
23298 does really_put_req(), so the ioctx teardown won't be done until then
23299 and we don't care about the contents of ioctx past that point.
23300
23301 Since actual freeing of these suckers is RCU-delayed, we don't need to
23302 bump ioctx refcount when request goes into list for async removal.
23303 All we need is rcu_read_lock held just over the ->ctx_lock-protected
23304 area in aio_fput_routine().
23305
23306 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23307 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
23308 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
23309 Cc: stable@vger.kernel.org
23310 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23311
23312commit 002124c055afbf09b52226af65621999e8316448
23313Author: Al Viro <viro@ZenIV.linux.org.uk>
23314Date: Wed Mar 7 05:16:35 2012 +0000
23315
23316 aio: fix io_setup/io_destroy race
23317
23318 Have ioctx_alloc() return an extra reference, so that caller would drop it
23319 on success and not bother with re-grabbing it on failure exit. The current
23320 code is obviously broken - io_destroy() from another thread that managed
23321 to guess the address io_setup() would've returned would free ioctx right
23322 under us; gets especially interesting if aio_context_t * we pass to
23323 io_setup() points to PROT_READ mapping, so put_user() fails and we end
23324 up doing io_destroy() on kioctx another thread has just got freed...
23325
23326 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23327 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
23328 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
23329 Cc: stable@vger.kernel.org
23330 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23331
23332commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
23333Author: Dan Carpenter <dan.carpenter@oracle.com>
23334Date: Thu Mar 15 15:17:12 2012 -0700
23335
23336 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
23337
23338 strict_strtoul() writes a long but ->gamma_mode only has space to store an
23339 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
23340 well. I've changed it to use kstrtouint() instead.
23341
23342 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
23343 Acked-by: Inki Dae <inki.dae@samsung.com>
23344 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
23345 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
23346 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23347
23348commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
23349Merge: e4b05b6 eae671f
23350Author: Brad Spengler <spender@grsecurity.net>
23351Date: Fri Mar 16 21:04:27 2012 -0400
23352
23353 Merge branch 'pax-test' into grsec-test
23354
23355 Conflicts:
23356 security/Kconfig
23357
23358commit eae671fafe93f04685c04a089cc13efebc05d600
23359Author: Brad Spengler <spender@grsecurity.net>
23360Date: Fri Mar 16 20:58:01 2012 -0400
23361
23362 Update to pax-linux-3.2.11-test31.patch
23363 Introduction of the size_overflow plugin from Emese Revfy
23364 Many thanks to Emese for her hard work :)
23365
23366commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
23367Merge: e55aa68 258c015
23368Author: Brad Spengler <spender@grsecurity.net>
23369Date: Thu Mar 15 20:59:19 2012 -0400
23370
23371 Merge branch 'pax-test' into grsec-test
23372
23373commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
23374Author: Brad Spengler <spender@grsecurity.net>
23375Date: Thu Mar 15 20:59:05 2012 -0400
23376
23377 fix ARM compilation
23378
23379commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
23380Merge: 8f95ea9 55b7573
23381Author: Brad Spengler <spender@grsecurity.net>
23382Date: Wed Mar 14 19:33:41 2012 -0400
23383
23384 Merge branch 'pax-test' into grsec-test
23385
23386commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
23387Author: Brad Spengler <spender@grsecurity.net>
23388Date: Wed Mar 14 19:33:15 2012 -0400
23389
23390 Update to pax-linux-3.2.10-test28.patch
23391
23392commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
23393Merge: c8786a2 886ac5e
23394Author: Brad Spengler <spender@grsecurity.net>
23395Date: Tue Mar 13 17:38:13 2012 -0400
23396
23397 Merge branch 'pax-test' into grsec-test
23398
23399 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
23400
23401commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
23402Author: Brad Spengler <spender@grsecurity.net>
23403Date: Tue Mar 13 17:37:44 2012 -0400
23404
23405 Update to pax-linux-3.2.10-test26.patch
23406
23407commit c8786a2abed5e5327f68efa520c04db99bb6a63a
23408Merge: 219c982 c061fcf
23409Author: Brad Spengler <spender@grsecurity.net>
23410Date: Tue Mar 13 17:25:06 2012 -0400
23411
23412 Merge branch 'pax-test' into grsec-test
23413
23414commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
23415Merge: 89373d2 3f4b3b2
23416Author: Brad Spengler <spender@grsecurity.net>
23417Date: Tue Mar 13 17:25:02 2012 -0400
23418
23419 Merge branch 'linux-3.2.y' into pax-test
23420
23421commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
23422Merge: 54e19a3 89373d2
23423Author: Brad Spengler <spender@grsecurity.net>
23424Date: Mon Mar 12 17:23:57 2012 -0400
23425
23426 Merge branch 'pax-test' into grsec-test
23427
23428commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
23429Merge: a778588 7459f11
23430Author: Brad Spengler <spender@grsecurity.net>
23431Date: Mon Mar 12 17:23:49 2012 -0400
23432
23433 Merge branch 'linux-3.2.y' into pax-test
23434
23435commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
23436Merge: c4650f1 a778588
23437Author: Brad Spengler <spender@grsecurity.net>
23438Date: Mon Mar 12 16:51:25 2012 -0400
23439
23440 Merge branch 'pax-test' into grsec-test
23441
23442commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
23443Author: Brad Spengler <spender@grsecurity.net>
23444Date: Mon Mar 12 16:51:12 2012 -0400
23445
23446 Update to pax-linux-3.2.9-test24.patch
23447
23448commit c4650f14b13f84735fe3de06a1f3ff5776473eff
23449Merge: fb2abee 1015790
23450Author: Brad Spengler <spender@grsecurity.net>
23451Date: Sun Mar 11 21:08:28 2012 -0400
23452
23453 Merge branch 'pax-test' into grsec-test
23454
23455 Conflicts:
23456 security/Kconfig
23457
23458commit 101579028a736c224e590c7e12a7357018c424e1
23459Author: Brad Spengler <spender@grsecurity.net>
23460Date: Sun Mar 11 21:07:27 2012 -0400
23461
23462 Update to pax-linux-3.2.9-test22.patch
23463
23464commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
23465Author: Brad Spengler <spender@grsecurity.net>
23466Date: Sun Mar 11 11:02:17 2012 -0400
23467
23468 Allow 4096 CPUs
23469
23470commit 96bae28cbe6a41d48e3b56e5904814096e956000
23471Author: Brad Spengler <spender@grsecurity.net>
23472Date: Sun Mar 11 10:25:58 2012 -0400
23473
23474 Use a per-cpu 48-bit counter instead of a global atomic64
23475 Initialize each counter to have the cpu number in the lower 16 bits
23476 instead of incrementing the counter each time by 1, perform the increments
23477 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
23478 any state
23479 idea from PaX Team
23480
23481commit b975688101da6e966aebb1bc6b8c5c5983974f9c
23482Author: Brad Spengler <spender@grsecurity.net>
23483Date: Sat Mar 10 20:33:12 2012 -0500
23484
23485 Special vnsec edition! :)
23486 Further reduce argv/env allowance for suid/sgid apps to 512KB
23487 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
23488 Clear 3GB personality on suid/sgid binaries
23489 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
23490 with the main purpose of throwing off program stack -> arg/env alignment
23491 Update documentation
23492
23493commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
23494Author: Brad Spengler <spender@grsecurity.net>
23495Date: Sat Mar 10 19:54:47 2012 -0500
23496
23497 Resolve skbuff.h warnings that turn into errors during compilation in
23498 the grsecurity directory with -Werror
23499
23500commit 2023210ad43a944033fcacc660ce410888f562ee
23501Merge: ece4383 5f66adf
23502Author: Brad Spengler <spender@grsecurity.net>
23503Date: Fri Mar 9 19:48:01 2012 -0500
23504
23505 Merge branch 'pax-test' into grsec-test
23506
23507commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
23508Author: Brad Spengler <spender@grsecurity.net>
23509Date: Fri Mar 9 19:47:06 2012 -0500
23510
23511 Add colorize plugin
23512
23513commit ece4383e5e91c92d138c4df84225a70b552f4d69
23514Merge: a366d0e ab4a5a1
23515Author: Brad Spengler <spender@grsecurity.net>
23516Date: Fri Mar 9 17:56:46 2012 -0500
23517
23518 Merge branch 'pax-test' into grsec-test
23519
23520commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
23521Author: Brad Spengler <spender@grsecurity.net>
23522Date: Fri Mar 9 17:56:26 2012 -0500
23523
23524 Update to pax-linux-3.2.9-test21.patch
23525
23526commit a366d0ed963ce93fce10121c1100989d5f064e75
23527Author: Mikulas Patocka <mpatocka@redhat.com>
23528Date: Sun Mar 4 19:52:03 2012 -0500
23529
23530 mm: fix find_vma_prev
23531
23532 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
23533 management on PA-RISC.
23534
23535 After application of the patch, programs that allocate big arrays on the
23536 stack crash with segfault, for example, this will crash if compiled
23537 without optimization:
23538
23539 int main()
23540 {
23541 char array[200000];
23542 array[199999] = 0;
23543 return 0;
23544 }
23545
23546 The reason is that PA-RISC has up-growing stack and the stack is usually
23547 the last memory area. In the above example, a page fault happens above
23548 the stack.
23549
23550 Previously, if we passed too high address to find_vma_prev, it returned
23551 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
23552 change, it stores NULL in *pprev. Consequently, the stack area is not
23553 found and it is not expanded, as it used to be before the change.
23554
23555 This patch restores the old behavior and makes it return the last VMA in
23556 *pprev if the requested address is higher than address of any other VMA.
23557
23558 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
23559 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
23560 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23561
23562commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
23563Author: Hugh Dickins <hughd@google.com>
23564Date: Tue Mar 6 12:28:52 2012 -0800
23565
23566 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
23567
23568 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
23569 from shared anonymous: hoist the file case's -EINVAL up for both.
23570
23571 Signed-off-by: Hugh Dickins <hughd@google.com>
23572 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23573
23574commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
23575Author: Al Viro <viro@ZenIV.linux.org.uk>
23576Date: Mon Mar 5 06:38:42 2012 +0000
23577
23578 aout: move setup_arg_pages() prior to reading/mapping the binary
23579
23580 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23581 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23582
23583commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
23584Author: Jan Beulich <JBeulich@suse.com>
23585Date: Mon Mar 5 16:49:24 2012 +0000
23586
23587 vsprintf: make %pV handling compatible with kasprintf()
23588
23589 kasprintf() (and potentially other functions that I didn't run across so
23590 far) want to evaluate argument lists twice. Caring to do so for the
23591 primary list is obviously their job, but they can't reasonably be
23592 expected to check the format string for instances of %pV, which however
23593 need special handling too: On architectures like x86-64 (as opposed to
23594 e.g. ix86), using the same argument list twice doesn't produce the
23595 expected results, as an internally managed cursor gets updated during
23596 the first run.
23597
23598 Fix the problem by always acting on a copy of the original list when
23599 handling %pV.
23600
23601 Signed-off-by: Jan Beulich <jbeulich@suse.com>
23602 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23603
23604commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
23605Author: Al Viro <viro@ZenIV.linux.org.uk>
23606Date: Mon Mar 5 06:39:47 2012 +0000
23607
23608 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
23609
23610 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
23611 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23612
23613commit a831bd53764695ea680cc1fa3c98759a610ed2ac
23614Author: Christian König <deathsimple@vodafone.de>
23615Date: Tue Feb 28 23:19:20 2012 +0100
23616
23617 drm/radeon: fix uninitialized variable
23618
23619 Without this fix the driver randomly treats
23620 textures as arrays and I'm really wondering
23621 why gcc isn't complaining about it.
23622
23623 Signed-off-by: Christian König <deathsimple@vodafone.de>
23624 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
23625 Signed-off-by: Dave Airlie <airlied@redhat.com>
23626
23627commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
23628Author: H. Peter Anvin <hpa@zytor.com>
23629Date: Fri Mar 2 10:43:48 2012 -0800
23630
23631 regset: Prevent null pointer reference on readonly regsets
23632
23633 The regset common infrastructure assumed that regsets would always
23634 have .get and .set methods, but not necessarily .active methods.
23635 Unfortunately people have since written regsets without .set methods.
23636
23637 Rather than putting in stub functions everywhere, handle regsets with
23638 null .get or .set methods explicitly.
23639
23640 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
23641 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
23642 Acked-by: Roland McGrath <roland@hack.frob.com>
23643 Cc: <stable@vger.kernel.org>
23644 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23645
23646commit 072ddd99401c79b53c6bf6bff9deb93022124c79
23647Author: Brad Spengler <spender@grsecurity.net>
23648Date: Mon Mar 5 18:12:57 2012 -0500
23649
23650 Fix compiler errors reported on forums
23651
23652commit 1606774b48af24e6f99d99c624c0e447d4b66474
23653Merge: 3127bd5 4ca2ffd
23654Author: Brad Spengler <spender@grsecurity.net>
23655Date: Mon Mar 5 17:31:35 2012 -0500
23656
23657 Merge branch 'pax-test' into grsec-test
23658
23659commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
23660Author: Brad Spengler <spender@grsecurity.net>
23661Date: Mon Mar 5 17:31:21 2012 -0500
23662
23663 Update to pax-linux-3.2.9-test20.patch
23664
23665commit 3127bd581a292966b1057c7433219dac188c3720
23666Author: Brad Spengler <spender@grsecurity.net>
23667Date: Fri Mar 2 21:30:37 2012 -0500
23668
23669 Fix memory leak on logged exec_id check failure in /proc/pid/statm
23670 Thanks to Djalal Harouni for the report
23671
23672commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
23673Merge: 0a56be8 9aa8288
23674Author: Brad Spengler <spender@grsecurity.net>
23675Date: Fri Mar 2 18:38:22 2012 -0500
23676
23677 Merge branch 'pax-test' into grsec-test
23678
23679commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
23680Author: Brad Spengler <spender@grsecurity.net>
23681Date: Fri Mar 2 18:37:43 2012 -0500
23682
23683 Update to pax-linux-3.2.9-test19.patch
23684
23685commit 0a56be884bbd7ce733cac0b879c45383494d73b0
23686Merge: 9e66745 3f5c52a
23687Author: Brad Spengler <spender@grsecurity.net>
23688Date: Thu Mar 1 20:18:01 2012 -0500
23689
23690 Merge branch 'pax-test' into grsec-test
23691
23692commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
23693Author: Brad Spengler <spender@grsecurity.net>
23694Date: Thu Mar 1 20:16:56 2012 -0500
23695
23696 Update to pax-linux-3.2.9-test18.patch
23697
23698commit ae53ec231d12719a36bf871f8c5841020ed692ee
23699Merge: b255baf 44fb317
23700Author: Brad Spengler <spender@grsecurity.net>
23701Date: Thu Mar 1 20:15:31 2012 -0500
23702
23703 Merge branch 'linux-3.2.y' into pax-test
23704
23705commit 9e667456c03eadea2f305be761abe4de9a5877a3
23706Merge: 5e4e200 b255baf
23707Author: Brad Spengler <spender@grsecurity.net>
23708Date: Mon Feb 27 20:53:59 2012 -0500
23709
23710 Merge branch 'pax-test' into grsec-test
23711
23712commit b255baf50365d39b406f43aab2c64745607baaa2
23713Merge: 340ce90 1de504e
23714Author: Brad Spengler <spender@grsecurity.net>
23715Date: Mon Feb 27 20:53:29 2012 -0500
23716
23717 Merge branch 'linux-3.2.y' into pax-test
23718 Update to pax-linux-3.2.8-test17.patch
23719
23720 Conflicts:
23721 arch/x86/include/asm/i387.h
23722 arch/x86/kernel/process_32.c
23723 arch/x86/kernel/traps.c
23724
23725commit 5e4e200ac530452884b625cb75de240e1e98c731
23726Merge: 44306d7 340ce90
23727Author: Brad Spengler <spender@grsecurity.net>
23728Date: Mon Feb 27 18:02:13 2012 -0500
23729
23730 Merge branch 'pax-test' into grsec-test
23731
23732commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
23733Author: Brad Spengler <spender@grsecurity.net>
23734Date: Mon Feb 27 18:01:48 2012 -0500
23735
23736 Update to pax-linux-3.2.7-test17.patch
23737
23738commit 44306d7b3097f77e73040dd25f4f6750751bae7a
23739Merge: 29d0b07 521c411
23740Author: Brad Spengler <spender@grsecurity.net>
23741Date: Sun Feb 26 19:04:15 2012 -0500
23742
23743 Merge branch 'pax-test' into grsec-test
23744
23745 Conflicts:
23746 Makefile
23747
23748commit 521c411bb4ca66ce01146fde8bac9dd22414076d
23749Author: Brad Spengler <spender@grsecurity.net>
23750Date: Sun Feb 26 19:03:33 2012 -0500
23751
23752 Update to pax-linux-3.2.7-test16.patch
23753
23754commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
23755Author: Brad Spengler <spender@grsecurity.net>
23756Date: Sun Feb 26 17:12:44 2012 -0500
23757
23758 fix typo
23759
23760commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
23761Merge: f45b3be caa8f83
23762Author: Brad Spengler <spender@grsecurity.net>
23763Date: Sat Feb 25 20:59:27 2012 -0500
23764
23765 Merge branch 'pax-test' into grsec-test
23766
23767commit caa8f83456c4d0b204beefffaa1d1993f2348d08
23768Author: Brad Spengler <spender@grsecurity.net>
23769Date: Sat Feb 25 20:59:12 2012 -0500
23770
23771 Update to pax-linux-3.2.7-test15.patch
23772
23773commit f45b3be34a345502a302e736af9a65742ddef7cb
23774Merge: 62f35fd 9f1309b
23775Author: Brad Spengler <spender@grsecurity.net>
23776Date: Sat Feb 25 11:40:15 2012 -0500
23777
23778 Merge branch 'pax-test' into grsec-test
23779
23780commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
23781Author: Brad Spengler <spender@grsecurity.net>
23782Date: Sat Feb 25 11:39:57 2012 -0500
23783
23784 Update to pax-linux-3.2.7-test14.patch
23785
23786commit 62f35fdbecc58f2988fe13638d907b87a15776bb
23787Author: Brad Spengler <spender@grsecurity.net>
23788Date: Sat Feb 25 09:08:55 2012 -0500
23789
23790 We could log on attempted exploits of writing /proc/self/mem, but the current
23791 log function declares the access a read, so just swap the ordering for now
23792
23793commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
23794Author: Brad Spengler <spender@grsecurity.net>
23795Date: Sat Feb 25 08:46:14 2012 -0500
23796
23797 Log /proc/pid/mem attempts
23798
23799commit 674471e581893a94d475acac3e3c4496209b3ac9
23800Author: Brad Spengler <spender@grsecurity.net>
23801Date: Sat Feb 25 08:15:00 2012 -0500
23802
23803 Make use of f_version for protecting /proc file structs (fine since we're not a directory
23804 or seq_file)
23805
23806commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
23807Author: Brad Spengler <spender@grsecurity.net>
23808Date: Fri Feb 24 20:02:19 2012 -0500
23809
23810 Fix ia64 compilation
23811
23812commit 50dfea412fd395e0183c2ade368efa525d38b267
23813Merge: 12db845 4c6f99b
23814Author: Brad Spengler <spender@grsecurity.net>
23815Date: Fri Feb 24 19:00:53 2012 -0500
23816
23817 Merge branch 'pax-test' into grsec-test
23818
23819commit 4c6f99bf338e03966356b147d0360cb3b522a44f
23820Author: Brad Spengler <spender@grsecurity.net>
23821Date: Fri Feb 24 19:00:36 2012 -0500
23822
23823 (6:57:09 PM) pipacs: but you can be proactive
23824 (Fix other-arch atomic64/REFCOUNT compilation failures)
23825
23826commit 12db8453f6bb0a756f369c9151668ba1249bc478
23827Author: Brad Spengler <spender@grsecurity.net>
23828Date: Thu Feb 23 21:10:12 2012 -0500
23829
23830 Remove unnecessary copies, as suggested by solar
23831
23832commit cc02cab84368467ea03cb35f861a8a7092d91ab4
23833Author: Brad Spengler <spender@grsecurity.net>
23834Date: Thu Feb 23 20:59:35 2012 -0500
23835
23836 Make global_exec_counter static, as suggested by solar
23837
23838commit e642091a475ebb3a30e81f85e7751233d0c2af43
23839Author: Brad Spengler <spender@grsecurity.net>
23840Date: Thu Feb 23 19:00:26 2012 -0500
23841
23842 sync with stable tree
23843
23844commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
23845Author: Brad Spengler <spender@grsecurity.net>
23846Date: Thu Feb 23 18:48:47 2012 -0500
23847
23848 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
23849 Remove handling of old kludge in chmod/fchmod
23850
23851commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
23852Author: Brad Spengler <spender@grsecurity.net>
23853Date: Thu Feb 23 18:18:49 2012 -0500
23854
23855 Apply umask checks to chmod/fchmod as well, as requested by sponsor
23856 Union the enforced umask with the existing one to produce minimal privilege
23857 Change umask type to u16
23858
23859commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
23860Author: Brad Spengler <spender@grsecurity.net>
23861Date: Wed Feb 22 18:16:11 2012 -0500
23862
23863 Add per-role umask enforcement to RBAC, requested by a sponsor
23864
23865commit ad5ac943fe58199f1cc475912a39edb157acb77b
23866Merge: dda0bb5 41722e3
23867Author: Brad Spengler <spender@grsecurity.net>
23868Date: Mon Feb 20 20:04:42 2012 -0500
23869
23870 Merge branch 'pax-test' into grsec-test
23871
23872commit 41722e342e116d95f3d3556d66c97c888d752d39
23873Author: Brad Spengler <spender@grsecurity.net>
23874Date: Mon Feb 20 20:04:00 2012 -0500
23875
23876 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
23877 KERNEXEC plugin
23878
23879commit dda0bb57137846a476a866c60db2681aaf6052c0
23880Merge: 4fd554e d70927a
23881Author: Brad Spengler <spender@grsecurity.net>
23882Date: Mon Feb 20 20:01:41 2012 -0500
23883
23884 Merge branch 'pax-test' into grsec-test
23885
23886commit d70927afec977d489a54c106a3c3ddc32e953050
23887Merge: 1daebf1 9d0231c
23888Author: Brad Spengler <spender@grsecurity.net>
23889Date: Mon Feb 20 20:01:33 2012 -0500
23890
23891 Merge branch 'linux-3.2.y' into pax-test
23892
23893commit 4fd554e3a097b22c5049fcdc423897477deff5ef
23894Author: Brad Spengler <spender@grsecurity.net>
23895Date: Mon Feb 20 09:17:57 2012 -0500
23896
23897 Fix wrong logic on capability checks for switching roles, broke policies
23898 Thanks to Richard Kojedzinszky for reporting
23899
23900commit 12f97d52ac603f24344f8d71569c412a307e9422
23901Author: Brad Spengler <spender@grsecurity.net>
23902Date: Thu Feb 16 21:20:10 2012 -0500
23903
23904 sparc64 compile fix
23905
23906commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
23907Author: Brad Spengler <spender@grsecurity.net>
23908Date: Thu Feb 16 18:38:32 2012 -0500
23909
23910 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
23911
23912commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
23913Author: Brad Spengler <spender@grsecurity.net>
23914Date: Thu Feb 16 18:18:01 2012 -0500
23915
23916 optimize the check a bit
23917
23918commit 03159050f64989be44ae03be769cbed62a7cd2e5
23919Author: Brad Spengler <spender@grsecurity.net>
23920Date: Thu Feb 16 18:00:45 2012 -0500
23921
23922 smile VUPEN :D
23923 (limit argv+env to 1MB for suid/sgid binaries)
23924
23925commit dd759d8800d225a397e4de49fe729c7d601298d2
23926Author: Brad Spengler <spender@grsecurity.net>
23927Date: Thu Feb 16 17:49:33 2012 -0500
23928
23929 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
23930
23931commit 4de635bda8ebfb85312e3bf851bdbff93de400da
23932Author: Brad Spengler <spender@grsecurity.net>
23933Date: Thu Feb 16 17:45:06 2012 -0500
23934
23935 Change the long long type for exec_id to the proper u64
23936
23937commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
23938Author: Dan Carpenter <dan.carpenter@oracle.com>
23939Date: Thu Feb 9 00:46:47 2012 +0000
23940
23941 isdn: type bug in isdn_net_header()
23942
23943 We use len to store the return value from eth_header(). eth_header()
23944 can return -ETH_HLEN (-14). We want to pass this back instead of
23945 truncating it to 65522 and returning that.
23946
23947 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
23948 Acked-by: Neil Horman <nhorman@tuxdriver.com>
23949 Signed-off-by: David S. Miller <davem@davemloft.net>
23950
23951commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
23952Author: Heiko Carstens <heiko.carstens@de.ibm.com>
23953Date: Sat Feb 4 10:47:10 2012 +0100
23954
23955 exec: fix use-after-free bug in setup_new_exec()
23956
23957 Setting the task name is done within setup_new_exec() by accessing
23958 bprm->filename. However this happens after flush_old_exec().
23959 This may result in a use after free bug, flush_old_exec() may
23960 "complete" vfork_done, which will wake up the parent which in turn
23961 may free the passed in filename.
23962 To fix this add a new tcomm field in struct linux_binprm which
23963 contains the now early generated task name until it is used.
23964
23965 Fixes this bug on s390:
23966
23967 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
23968 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
23969 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
23970 Call Trace:
23971 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
23972 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
23973 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
23974 [<0000000000282b6c>] do_execve_common+0x410/0x514
23975 [<0000000000282cb6>] do_execve+0x46/0x58
23976 [<00000000005bce58>] kernel_execve+0x28/0x70
23977 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
23978 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
23979 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
23980 Last Breaking-Event-Address:
23981 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
23982
23983 Kernel panic - not syncing: Fatal exception: panic_on_oops
23984
23985 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
23986 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
23987 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23988
23989commit d758ee9f5230893dabb5aab737b3109684bde196
23990Author: Dan Carpenter <dan.carpenter@oracle.com>
23991Date: Fri Feb 10 09:03:58 2012 +0100
23992
23993 relay: prevent integer overflow in relay_open()
23994
23995 "subbuf_size" and "n_subbufs" come from the user and they need to be
23996 capped to prevent an integer overflow.
23997
23998 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
23999 Cc: stable@kernel.org
24000 Signed-off-by: Jens Axboe <axboe@kernel.dk>
24001
24002commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
24003Merge: b1baadf 1daebf1
24004Author: Brad Spengler <spender@grsecurity.net>
24005Date: Mon Feb 13 17:47:04 2012 -0500
24006
24007 Merge branch 'pax-test' into grsec-test
24008
24009 Conflicts:
24010 fs/proc/base.c
24011
24012commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
24013Merge: 1413df2 c2db2e2
24014Author: Brad Spengler <spender@grsecurity.net>
24015Date: Mon Feb 13 17:45:54 2012 -0500
24016
24017 Merge branch 'linux-3.2.y' into pax-test
24018
24019commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
24020Author: Brad Spengler <spender@grsecurity.net>
24021Date: Sun Feb 12 16:44:05 2012 -0500
24022
24023 add missing declaration
24024
24025commit 3981059c35e8463002517935c28f3d74b8e3703c
24026Author: Brad Spengler <spender@grsecurity.net>
24027Date: Sun Feb 12 16:36:04 2012 -0500
24028
24029 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
24030 in addition to existing checks (this handles the setresuid ruid = euid case)
24031
24032commit 0beab03263c773f463412c350ad9064b44b6ede0
24033Author: Brad Spengler <spender@grsecurity.net>
24034Date: Sun Feb 12 16:13:40 2012 -0500
24035
24036 Revert setreuid changes when RBAC is enabled, breaks freeradius
24037 I'll fix the learning issue Lavish reported a different way through
24038 gradm modifications
24039
24040 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
24041
24042commit 0c61cb1cfbbfec7d07647268c922d51434d22621
24043Author: Brad Spengler <spender@grsecurity.net>
24044Date: Sat Feb 11 14:22:46 2012 -0500
24045
24046 copy exec_id on fork
24047
24048commit 000c08e0890630086b2ed04084050ed856a7ec31
24049Author: Brad Spengler <spender@grsecurity.net>
24050Date: Fri Feb 10 20:00:36 2012 -0500
24051
24052 compile fix
24053
24054commit 54b8c8f54484e5ee18040657827158bc4b63bccc
24055Author: Brad Spengler <spender@grsecurity.net>
24056Date: Fri Feb 10 19:19:52 2012 -0500
24057
24058 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
24059 denies reading of sensitive /proc/pid entries where the file descriptor
24060 was opened in a different task than the one performing the read
24061
24062commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
24063Author: Brad Spengler <spender@grsecurity.net>
24064Date: Fri Feb 10 17:43:24 2012 -0500
24065
24066 Remove duplicate signal check
24067
24068commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
24069Merge: 4eba97e 1413df2
24070Author: Brad Spengler <spender@grsecurity.net>
24071Date: Wed Feb 8 19:24:34 2012 -0500
24072
24073 Merge branch 'pax-test' into grsec-test
24074
24075commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
24076Author: Brad Spengler <spender@grsecurity.net>
24077Date: Wed Feb 8 19:24:08 2012 -0500
24078
24079 Merge changes from pax-linux-3.2.4-test11.patch
24080
24081commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
24082Merge: 0e058dd 8dd90a2
24083Author: Brad Spengler <spender@grsecurity.net>
24084Date: Mon Feb 6 17:50:12 2012 -0500
24085
24086 Merge branch 'pax-test' into grsec-test
24087
24088commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
24089Author: Brad Spengler <spender@grsecurity.net>
24090Date: Mon Feb 6 17:49:07 2012 -0500
24091
24092 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
24093
24094commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
24095Merge: 7e4169c 6133971
24096Author: Brad Spengler <spender@grsecurity.net>
24097Date: Mon Feb 6 17:48:57 2012 -0500
24098
24099 Merge branch 'linux-3.2.y' into pax-test
24100
24101commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
24102Author: Brad Spengler <spender@grsecurity.net>
24103Date: Sun Feb 5 19:24:45 2012 -0500
24104
24105 We now allow configurations with no PaX markings, giving the system no way to override the defaults
24106
24107commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
24108Author: Brad Spengler <spender@grsecurity.net>
24109Date: Sun Feb 5 10:01:23 2012 -0500
24110
24111 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
24112
24113commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
24114Author: Brad Spengler <spender@grsecurity.net>
24115Date: Sat Feb 4 21:01:16 2012 -0500
24116
24117 Improve security of ptrace-based monitoring/sandboxing
24118 See:
24119 http://article.gmane.org/gmane.linux.kernel.lsm/15156
24120
24121commit ca4ca5a1027b41f9528794e52a53ce9c47926101
24122Author: Brad Spengler <spender@grsecurity.net>
24123Date: Fri Feb 3 20:42:55 2012 -0500
24124
24125 fix typo
24126
24127commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
24128Author: Brad Spengler <spender@grsecurity.net>
24129Date: Fri Feb 3 20:25:38 2012 -0500
24130
24131 Reported by lavish on IRC:
24132 If a suid/sgid binary did not learn any setuid/setgid call during learning,
24133 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
24134 any restrictions on uid/gid changes. uid and gid can however be changed
24135 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
24136 euid/egid.
24137
24138 My fix:
24139 POSIX doesn't specify whether unprivileged users can perform the above
24140 setresuid/setresgid as an unprivileged user, though Linux has historically
24141 permitted them. Modify this behavior when RBAC is enabled to require
24142 CAP_SETUID/CAP_SETGID for these operations.
24143
24144 Thanks to Lavish for the report!
24145
24146 Conflicts:
24147
24148 kernel/sys.c
24149
24150commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
24151Merge: ba586eb 7e4169c
24152Author: Brad Spengler <spender@grsecurity.net>
24153Date: Fri Feb 3 20:10:21 2012 -0500
24154
24155 Merge branch 'pax-test' into grsec-test
24156
24157commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
24158Author: Brad Spengler <spender@grsecurity.net>
24159Date: Fri Feb 3 20:10:05 2012 -0500
24160
24161 Merge changes from pax-linux-3.2.4-test9.patch
24162
24163commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
24164Author: Christopher Yeoh <cyeoh@au1.ibm.com>
24165Date: Thu Feb 2 11:34:09 2012 +1030
24166
24167 Fix race in process_vm_rw_core
24168
24169 This fixes the race in process_vm_core found by Oleg (see
24170
24171 http://article.gmane.org/gmane.linux.kernel/1235667/
24172
24173 for details).
24174
24175 This has been updated since I last sent it as the creation of the new
24176 mm_access() function did almost exactly the same thing as parts of the
24177 previous version of this patch did.
24178
24179 In order to use mm_access() even when /proc isn't enabled, we move it to
24180 kernel/fork.c where other related process mm access functions already
24181 are.
24182
24183 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
24184 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24185
24186 Conflicts:
24187
24188 fs/proc/base.c
24189 mm/process_vm_access.c
24190
24191commit b9194d60fb9fe579f5c34817ed822abde18939a0
24192Author: Oleg Nesterov <oleg@redhat.com>
24193Date: Tue Jan 31 17:15:11 2012 +0100
24194
24195 proc: make sure mem_open() doesn't pin the target's memory
24196
24197 Once /proc/pid/mem is opened, the memory can't be released until
24198 mem_release() even if its owner exits.
24199
24200 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
24201 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
24202 before access_remote_vm(), this verifies that this mm is still alive.
24203
24204 I am not sure what should mem_rw() return if atomic_inc_not_zero()
24205 fails. With this patch it returns zero to match the "mm == NULL" case,
24206 may be it should return -EINVAL like it did before e268337d.
24207
24208 Perhaps it makes sense to add the additional fatal_signal_pending()
24209 check into the main loop, to ensure we do not hold this memory if
24210 the target task was oom-killed.
24211
24212 Cc: stable@kernel.org
24213 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
24214 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24215
24216commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
24217Author: Oleg Nesterov <oleg@redhat.com>
24218Date: Tue Jan 31 17:14:38 2012 +0100
24219
24220 proc: mem_release() should check mm != NULL
24221
24222 mem_release() can hit mm == NULL, add the necessary check.
24223
24224 Cc: stable@kernel.org
24225 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
24226 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24227
24228commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
24229Author: Oleg Nesterov <oleg@redhat.com>
24230Date: Tue Jan 31 17:14:54 2012 +0100
24231
24232 note: redisabled mem_write
24233
24234 proc: unify mem_read() and mem_write()
24235
24236 No functional changes, cleanup and preparation.
24237
24238 mem_read() and mem_write() are very similar. Move this code into the
24239 new common helper, mem_rw(), which takes the additional "int write"
24240 argument.
24241
24242 Cc: stable@kernel.org
24243 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
24244 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24245
24246 Conflicts:
24247
24248 fs/proc/base.c
24249
24250commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
24251Merge: 3903f01 01fee18
24252Author: Brad Spengler <spender@grsecurity.net>
24253Date: Fri Feb 3 19:50:40 2012 -0500
24254
24255 Merge branch 'pax-test' into grsec-test
24256
24257commit 01fee1851aef26b898ccba5312cabf1f919b74cb
24258Author: Brad Spengler <spender@grsecurity.net>
24259Date: Fri Feb 3 19:49:46 2012 -0500
24260
24261 Merge changes from pax-linux-3.2.4-test8.patch
24262
24263commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
24264Merge: 201c0db 141936c
24265Author: Brad Spengler <spender@grsecurity.net>
24266Date: Fri Feb 3 19:49:01 2012 -0500
24267
24268 Merge branch 'linux-3.2.y' into pax-test
24269
24270commit 3903f0172ecadf7a575ba3535402a1506133640a
24271Author: Brad Spengler <spender@grsecurity.net>
24272Date: Mon Jan 30 23:26:44 2012 -0500
24273
24274 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
24275
24276 We'll whitelist required directories for compatibility instead of requiring
24277 that people disable the feature entirely if they use SELinux, fuse, etc
24278
24279 Conflicts:
24280
24281 fs/sysfs/mount.c
24282
24283commit e3618feaa7e63807f1b88c199882075b3ec9bd05
24284Author: Brad Spengler <spender@grsecurity.net>
24285Date: Sun Jan 29 01:12:19 2012 -0500
24286
24287 perform RBAC check if TPE is on but match fails, matches previous behavior
24288
24289commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
24290Author: Brad Spengler <spender@grsecurity.net>
24291Date: Sat Jan 28 13:17:06 2012 -0500
24292
24293 log more information about the reason for a TPE denial for novice users, requested by a sponsor
24294
24295commit efefd67008cbad8a8591e2484410966a300a39a5
24296Author: Brad Spengler <spender@grsecurity.net>
24297Date: Fri Jan 27 19:58:53 2012 -0500
24298
24299 merge upstream sha512 changes
24300
24301commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
24302Author: Brad Spengler <spender@grsecurity.net>
24303Date: Fri Jan 27 19:49:07 2012 -0500
24304
24305 drop lock on error in xfs_readlink
24306
24307 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
24308
24309commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
24310Author: Li Wang <liwang@nudt.edu.cn>
24311Date: Thu Jan 19 09:44:36 2012 +0800
24312
24313 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
24314
24315 ecryptfs_write() can enter an infinite loop when truncating a file to a
24316 size larger than 4G. This only happens on architectures where size_t is
24317 represented by 32 bits.
24318
24319 This was caused by a size_t overflow due to it incorrectly being used to
24320 store the result of a calculation which uses potentially large values of
24321 type loff_t.
24322
24323 [tyhicks@canonical.com: rewrite subject and commit message]
24324 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
24325 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
24326 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
24327 Cc: <stable@vger.kernel.org>
24328 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
24329
24330commit a7607747d0f74f357d78bb796d70635dd05f46e8
24331Author: Tyler Hicks <tyhicks@canonical.com>
24332Date: Thu Jan 19 20:33:44 2012 -0600
24333
24334 eCryptfs: Check inode changes in setattr
24335
24336 Most filesystems call inode_change_ok() very early in ->setattr(), but
24337 eCryptfs didn't call it at all. It allowed the lower filesystem to make
24338 the call in its ->setattr() function. Then, eCryptfs would copy the
24339 appropriate inode attributes from the lower inode to the eCryptfs inode.
24340
24341 This patch changes that and actually calls inode_change_ok() on the
24342 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
24343 would happen earlier in ecryptfs_setattr(), but there are some possible
24344 inode initialization steps that must happen first.
24345
24346 Since the call was already being made on the lower inode, the change in
24347 functionality should be minimal, except for the case of a file extending
24348 truncate call. In that case, inode_newsize_ok() was never being
24349 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
24350 maximum file size errors early on, eCryptfs would encrypt zeroed pages
24351 and write them to the lower filesystem until the lower filesystem's
24352 write path caught the error in generic_write_checks(). This patch
24353 introduces a new function, called ecryptfs_inode_newsize_ok(), which
24354 checks if the new lower file size is within the appropriate limits when
24355 the truncate operation will be growing the lower file.
24356
24357 In summary this change prevents eCryptfs truncate operations (and the
24358 resulting page encryptions), which would exceed the lower filesystem
24359 limits or FSIZE rlimits, from ever starting.
24360
24361 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
24362 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
24363 Cc: <stable@vger.kernel.org>
24364
24365commit 0d96f190a39505254ace4e9330219aaeda9b64e3
24366Author: Tyler Hicks <tyhicks@canonical.com>
24367Date: Wed Jan 18 18:30:04 2012 -0600
24368
24369 eCryptfs: Make truncate path killable
24370
24371 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
24372 page, zeroes out the appropriate portions, and then encrypts the page
24373 before writing it to the lower filesystem. It was unkillable and due to
24374 the lack of sparse file support could result in tying up a large portion
24375 of system resources, while encrypting pages of zeros, with no way for
24376 the truncate operation to be stopped from userspace.
24377
24378 This patch adds the ability for ecryptfs_write() to detect a pending
24379 fatal signal and return as gracefully as possible. The intent is to
24380 leave the lower file in a useable state, while still allowing a user to
24381 break out of the encryption loop. If a pending fatal signal is detected,
24382 the eCryptfs inode size is updated to reflect the modified inode size
24383 and then -EINTR is returned.
24384
24385 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
24386 Cc: <stable@vger.kernel.org>
24387
24388commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
24389Author: Tyler Hicks <tyhicks@canonical.com>
24390Date: Tue Jan 24 10:02:22 2012 -0600
24391
24392 eCryptfs: Fix oops when printing debug info in extent crypto functions
24393
24394 If pages passed to the eCryptfs extent-based crypto functions are not
24395 mapped and the module parameter ecryptfs_verbosity=1 was specified at
24396 loading time, a NULL pointer dereference will occur.
24397
24398 Note that this wouldn't happen on a production system, as you wouldn't
24399 pass ecryptfs_verbosity=1 on a production system. It leaks private
24400 information to the system logs and is for debugging only.
24401
24402 The debugging info printed in these messages is no longer very useful
24403 and rather than doing a kmap() in these debugging paths, it will be
24404 better to simply remove the debugging paths completely.
24405
24406 https://launchpad.net/bugs/913651
24407
24408 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
24409 Reported-by: Daniel DeFreez
24410 Cc: <stable@vger.kernel.org>
24411
24412commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
24413Author: Tyler Hicks <tyhicks@canonical.com>
24414Date: Thu Jan 12 11:30:44 2012 +0100
24415
24416 eCryptfs: Sanitize write counts of /dev/ecryptfs
24417
24418 A malicious count value specified when writing to /dev/ecryptfs may
24419 result in a a very large kernel memory allocation.
24420
24421 This patch peeks at the specified packet payload size, adds that to the
24422 size of the packet headers and compares the result with the write count
24423 value. The resulting maximum memory allocation size is approximately 532
24424 bytes.
24425
24426 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
24427 Reported-by: Sasha Levin <levinsasha928@gmail.com>
24428 Cc: <stable@vger.kernel.org>
24429
24430commit 96dcb7282d323813181a1791f51c0ab7696b675b
24431Merge: 6c09fa5 201c0db
24432Author: Brad Spengler <spender@grsecurity.net>
24433Date: Fri Jan 27 19:44:15 2012 -0500
24434
24435 Merge branch 'pax-test' into grsec-test
24436
24437commit 201c0dbf177527367676028151e36d340923f033
24438Author: Brad Spengler <spender@grsecurity.net>
24439Date: Fri Jan 27 19:43:24 2012 -0500
24440
24441 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
24442 on loading modules with empty sections
24443
24444commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
24445Author: Brad Spengler <spender@grsecurity.net>
24446Date: Fri Jan 27 19:42:13 2012 -0500
24447
24448 compile fix
24449
24450commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
24451Author: Brad Spengler <spender@grsecurity.net>
24452Date: Fri Jan 27 19:39:28 2012 -0500
24453
24454 use LSM flags instead of duplicating checks
24455
24456commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
24457Merge: 44b9f11 558718b
24458Author: Brad Spengler <spender@grsecurity.net>
24459Date: Fri Jan 27 18:56:23 2012 -0500
24460
24461 Merge branch 'pax-test' into grsec-test
24462
24463commit 558718b2217beff69edf60f34a6f9893d910e9ac
24464Author: Brad Spengler <spender@grsecurity.net>
24465Date: Fri Jan 27 18:56:04 2012 -0500
24466
24467 Merge changes from pax-linux-3.2.2-test6.patch
24468
24469commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
24470Author: Brad Spengler <spender@grsecurity.net>
24471Date: Fri Jan 27 18:53:55 2012 -0500
24472
24473 don't increase the size of task_struct when unnecessary
24474 change ptrace_readexec log message
24475
24476commit a9c9626e054adb885883aa64f85506852894dd33
24477Author: Brad Spengler <spender@grsecurity.net>
24478Date: Fri Jan 27 18:16:28 2012 -0500
24479
24480 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
24481 the protection applies to all unreadable binaries.
24482
24483commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
24484Merge: 7b3f3af 05a1349
24485Author: Brad Spengler <spender@grsecurity.net>
24486Date: Wed Jan 25 20:52:09 2012 -0500
24487
24488 Merge branch 'pax-test' into grsec-test
24489
24490 Conflicts:
24491 block/scsi_ioctl.c
24492 drivers/scsi/sd.c
24493 fs/proc/base.c
24494
24495commit 05a134966efb9cb9346ad3422888969ffc79ac1d
24496Author: Brad Spengler <spender@grsecurity.net>
24497Date: Wed Jan 25 20:47:36 2012 -0500
24498
24499 Resync with pax-linux-3.2.2-test5.patch
24500
24501commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
24502Merge: c6d443d 3499d64
24503Author: Brad Spengler <spender@grsecurity.net>
24504Date: Wed Jan 25 20:45:16 2012 -0500
24505
24506 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
24507
24508 Conflicts:
24509 ipc/shm.c
24510
24511commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
24512Author: Brad Spengler <spender@grsecurity.net>
24513Date: Tue Jan 24 19:42:01 2012 -0500
24514
24515 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
24516 (may be changed if it breaks some userland), the other has its own
24517 config option
24518
24519 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
24520 the syscall or /proc/sys.
24521
24522 Second feature requires read access to a suid/sgid binary in order
24523 to ptrace it, preventing infoleaking of binaries in situations where
24524 the admin has specified 4711 or 2711 perms. Feature has been
24525 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
24526 a sysctl entry of ptrace_readexec
24527
24528commit 11a7bb25c411c9dccfdca5718639b4becdffd388
24529Author: Brad Spengler <spender@grsecurity.net>
24530Date: Sun Jan 22 14:37:10 2012 -0500
24531
24532 Compilation fixes
24533
24534commit cd400e21c7c352baba47d6f375297a7847afb33a
24535Author: Brad Spengler <spender@grsecurity.net>
24536Date: Sun Jan 22 14:20:27 2012 -0500
24537
24538 Initial port of grsecurity 2.2.2 for Linux 3.2.1
24539 Note that the new syscalls added to this kernel for remote process read/write
24540 are subject to ptrace hardening/other relevant RBAC features
24541 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
24542 as well
24543 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
24544 you should be using a version of gcc with plugin support
24545
24546commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
24547Author: Brad Spengler <spender@grsecurity.net>
24548Date: Sun Jan 22 11:47:31 2012 -0500
24549
24550 Import pax-linux-3.2.1-test5.patch
24551commit bfd7db842f835f9837cd43644459b3a95b0b488d
24552Author: Brad Spengler <spender@grsecurity.net>
24553Date: Sun Jan 22 11:02:02 2012 -0500
24554
24555 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
24556 instead of returning -EACCES
24557 thanks to Wraith from irc for the report
24558
24559commit 873ac13576506cd48ddb527c2540f274e249da50
24560Merge: 34083dd 8a44fcc
24561Author: Brad Spengler <spender@grsecurity.net>
24562Date: Fri Jan 20 18:04:02 2012 -0500
24563
24564 Merge branch 'pax-test' into grsec-test
24565
24566commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
24567Author: Brad Spengler <spender@grsecurity.net>
24568Date: Fri Jan 20 18:02:15 2012 -0500
24569
24570 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
24571 Denies executable shared memory when MPROTECT is active
24572 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
24573
24574commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
24575Author: Brad Spengler <spender@grsecurity.net>
24576Date: Thu Jan 19 20:23:14 2012 -0500
24577
24578 Introduce new GRKERNSEC_SETXID implementation
24579 We're not able to change the credentials of other threads in the process until at most
24580 one syscall after the first thread does it, since we mark the threads as needing rescheduling
24581 and such work occurs on syscall exit.
24582 This does however ensure that we're only modifying the current task's credentials
24583 which upholds RCU expectations
24584
24585 Many thanks to corsac for testing
24586
24587commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
24588Author: Brad Spengler <spender@grsecurity.net>
24589Date: Thu Jan 19 17:42:48 2012 -0500
24590
24591 Simplify backport
24592
24593commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
24594Author: Brad Spengler <spender@grsecurity.net>
24595Date: Thu Jan 19 17:08:16 2012 -0500
24596
24597 Commit the latest silent fix for a local privilege escalation from Linus
24598 Also disable writing to /proc/pid/mem
24599 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
24600
24601commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
24602Merge: 0394a3f 7e6299b
24603Author: Brad Spengler <spender@grsecurity.net>
24604Date: Wed Jan 18 20:22:09 2012 -0500
24605
24606 Merge branch 'pax-test' into grsec-test
24607
24608commit 7e6299b4733c082dde930375dd207b63237751ec
24609Merge: 83555fb 9bb1282
24610Author: Brad Spengler <spender@grsecurity.net>
24611Date: Wed Jan 18 20:21:37 2012 -0500
24612
24613 Merge branch 'linux-3.1.y' into pax-test
24614
24615commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
24616Author: Jesper Juhl <jj@chaosbits.net>
24617Date: Sun Jan 8 22:44:29 2012 +0100
24618
24619 audit: always follow va_copy() with va_end()
24620
24621 A call to va_copy() should always be followed by a call to va_end() in
24622 the same function. In kernel/autit.c::audit_log_vformat() this is not
24623 always done. This patch makes sure va_end() is always called.
24624
24625 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
24626 Cc: Al Viro <viro@zeniv.linux.org.uk>
24627 Cc: Eric Paris <eparis@redhat.com>
24628 Cc: Andrew Morton <akpm@linux-foundation.org>
24629 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24630
24631commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
24632Author: Andi Kleen <ak@linux.intel.com>
24633Date: Thu Jan 12 17:20:30 2012 -0800
24634
24635 panic: don't print redundant backtraces on oops
24636
24637 When an oops causes a panic and panic prints another backtrace it's pretty
24638 common to have the original oops data be scrolled away on a 80x50 screen.
24639
24640 The second backtrace is quite redundant and not needed anyways.
24641
24642 So don't print the panic backtrace when oops_in_progress is true.
24643
24644 [akpm@linux-foundation.org: add comment]
24645 Signed-off-by: Andi Kleen <ak@linux.intel.com>
24646 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
24647 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
24648 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24649
24650commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
24651Author: Miklos Szeredi <mszeredi@suse.cz>
24652Date: Thu Jan 12 17:59:46 2012 +0100
24653
24654 fsnotify: don't BUG in fsnotify_destroy_mark()
24655
24656 Removing the parent of a watched file results in "kernel BUG at
24657 fs/notify/mark.c:139".
24658
24659 To reproduce
24660
24661 add "-w /tmp/audit/dir/watched_file" to audit.rules
24662 rm -rf /tmp/audit/dir
24663
24664 This is caused by fsnotify_destroy_mark() being called without an
24665 extra reference taken by the caller.
24666
24667 Reported by Francesco Cosoleto here:
24668
24669 https://bugzilla.novell.com/show_bug.cgi?id=689860
24670
24671 Fix by removing the BUG_ON and adding a comment about not accessing mark after
24672 the iput.
24673
24674 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
24675 CC: stable@vger.kernel.org
24676 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24677
24678commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
24679Author: Paolo Bonzini <pbonzini@redhat.com>
24680Date: Thu Jan 12 16:01:28 2012 +0100
24681
24682 block: fail SCSI passthrough ioctls on partition devices
24683
24684 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
24685 will pass the command to the underlying block device. This is
24686 well-known, but it is also a large security problem when (via Unix
24687 permissions, ACLs, SELinux or a combination thereof) a program or user
24688 needs to be granted access only to part of the disk.
24689
24690 This patch lets partitions forward a small set of harmless ioctls;
24691 others are logged with printk so that we can see which ioctls are
24692 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
24693 Of course it was being sent to a (partition on a) hard disk, so it would
24694 have failed with ENOTTY and the patch isn't changing anything in
24695 practice. Still, I'm treating it specially to avoid spamming the logs.
24696
24697 In principle, this restriction should include programs running with
24698 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
24699 /dev/sdb, it still should not be able to read/write outside the
24700 boundaries of /dev/sda2 independent of the capabilities. However, for
24701 now programs with CAP_SYS_RAWIO will still be allowed to send the
24702 ioctls. Their actions will still be logged.
24703
24704 This patch does not affect the non-libata IDE driver. That driver
24705 however already tests for bd != bd->bd_contains before issuing some
24706 ioctl; it could be restricted further to forbid these ioctls even for
24707 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
24708
24709 Cc: linux-scsi@vger.kernel.org
24710 Cc: Jens Axboe <axboe@kernel.dk>
24711 Cc: James Bottomley <JBottomley@parallels.com>
24712 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
24713 [ Make it also print the command name when warning - Linus ]
24714 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24715
24716commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
24717Author: Paolo Bonzini <pbonzini@redhat.com>
24718Date: Thu Jan 12 16:01:27 2012 +0100
24719
24720 block: add and use scsi_blk_cmd_ioctl
24721
24722 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
24723
24724 The function will then be enhanced to detect partition block devices
24725 and, in that case, subject the ioctls to whitelisting.
24726
24727 Cc: linux-scsi@vger.kernel.org
24728 Cc: Jens Axboe <axboe@kernel.dk>
24729 Cc: James Bottomley <JBottomley@parallels.com>
24730 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
24731 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24732
24733commit 97a79814903fc350e1d13704ea31528a42705401
24734Author: Kees Cook <keescook@chromium.org>
24735Date: Sat Jan 7 10:41:04 2012 -0800
24736
24737 audit: treat s_id as an untrusted string
24738
24739 The use of s_id should go through the untrusted string path, just to be
24740 extra careful.
24741
24742 Signed-off-by: Kees Cook <keescook@chromium.org>
24743 Acked-by: Mimi Zohar <zohar@us.ibm.com>
24744 Signed-off-by: Eric Paris <eparis@redhat.com>
24745
24746commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
24747Author: Xi Wang <xi.wang@gmail.com>
24748Date: Tue Dec 20 18:39:41 2011 -0500
24749
24750 audit: fix signedness bug in audit_log_execve_info()
24751
24752 In the loop, a size_t "len" is used to hold the return value of
24753 audit_log_single_execve_arg(), which returns -1 on error. In that
24754 case the error handling (len <= 0) will be bypassed since "len" is
24755 unsigned, and the loop continues with (p += len) being wrapped.
24756 Change the type of "len" to signed int to fix the error handling.
24757
24758 size_t len;
24759 ...
24760 for (...) {
24761 len = audit_log_single_execve_arg(...);
24762 if (len <= 0)
24763 break;
24764 p += len;
24765 }
24766
24767 Signed-off-by: Xi Wang <xi.wang@gmail.com>
24768 Signed-off-by: Eric Paris <eparis@redhat.com>
24769
24770commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
24771Author: Dan Carpenter <dan.carpenter@oracle.com>
24772Date: Tue Jan 17 03:28:51 2012 -0300
24773
24774 [media] ds3000: using logical && instead of bitwise &
24775
24776 The intent here was to test if the FE_HAS_LOCK was set. The current
24777 test is equivalent to "if (status) { ..."
24778
24779 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
24780 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
24781
24782commit 36522330dc59d2fc70c042f3f081d75c32b6259a
24783Author: Brad Spengler <spender@grsecurity.net>
24784Date: Mon Jan 16 13:10:38 2012 -0500
24785
24786 Ignore the 0 signal for protected task RBAC checks
24787
24788commit d513acd55f7a683f6e146a4f570cdb63300479ab
24789Author: Brad Spengler <spender@grsecurity.net>
24790Date: Mon Jan 16 11:56:13 2012 -0500
24791
24792 whitespace cleanup
24793
24794commit ced261c4b82818c700aff8487f647f6f3e5b5122
24795Merge: d48751f 83555fb
24796Author: Brad Spengler <spender@grsecurity.net>
24797Date: Fri Jan 13 20:12:54 2012 -0500
24798
24799 Merge branch 'pax-test' into grsec-test
24800
24801commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
24802Merge: fcd8129 93dad39
24803Author: Brad Spengler <spender@grsecurity.net>
24804Date: Fri Jan 13 20:12:43 2012 -0500
24805
24806 Merge branch 'linux-3.1.y' into pax-test
24807
24808commit d48751f3919ae855fda0ff6c149db82442329253
24809Author: Brad Spengler <spender@grsecurity.net>
24810Date: Wed Jan 11 19:05:47 2012 -0500
24811
24812 Call our own set_user when forcing change to new id
24813
24814commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
24815Merge: e6578ff fcd8129
24816Author: Brad Spengler <spender@grsecurity.net>
24817Date: Tue Jan 10 16:00:10 2012 -0500
24818
24819 Merge branch 'pax-test' into grsec-test
24820
24821commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
24822Author: Brad Spengler <spender@grsecurity.net>
24823Date: Tue Jan 10 15:58:43 2012 -0500
24824
24825 Merge changes from pax-linux-3.1.8-test23.patch
24826
24827commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
24828Merge: 8859ec3 a120549
24829Author: Brad Spengler <spender@grsecurity.net>
24830Date: Fri Jan 6 21:45:56 2012 -0500
24831
24832 Merge branch 'pax-test' into grsec-test
24833
24834commit a12054967a77090de1caa07c41e694a77db4e237
24835Author: Brad Spengler <spender@grsecurity.net>
24836Date: Fri Jan 6 21:45:30 2012 -0500
24837
24838 Merge changes from pax-linux-3.1.8-test22.patch
24839
24840commit 8859ec32f9815c274df65448f9f2960176c380d3
24841Merge: a5016b4 ddd4114
24842Author: Brad Spengler <spender@grsecurity.net>
24843Date: Fri Jan 6 21:26:08 2012 -0500
24844
24845 Merge branch 'pax-test' into grsec-test
24846
24847 Conflicts:
24848 fs/binfmt_elf.c
24849 security/Kconfig
24850
24851commit ddd41147e158a79704983a409b7433eba797cf66
24852Author: Brad Spengler <spender@grsecurity.net>
24853Date: Fri Jan 6 21:12:42 2012 -0500
24854
24855 Resync with PaX patch (whitespace difference)
24856
24857commit 29e569df8205c5f0e043fe4803aa984406c8b118
24858Author: Brad Spengler <spender@grsecurity.net>
24859Date: Fri Jan 6 21:09:47 2012 -0500
24860
24861 Merge changes from pax-linux-3.1.8-test21.patch
24862
24863commit a5016b4f9c09c337b17e063a7f369af1e86d944d
24864Merge: 0124c92 04231d5
24865Author: Brad Spengler <spender@grsecurity.net>
24866Date: Fri Jan 6 18:52:20 2012 -0500
24867
24868 Merge branch 'pax-test' into grsec-test
24869
24870commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
24871Merge: 7bdddeb a919904
24872Author: Brad Spengler <spender@grsecurity.net>
24873Date: Fri Jan 6 18:51:50 2012 -0500
24874
24875 Merge branch 'linux-3.1.y' into pax-test
24876
24877 Conflicts:
24878 include/net/flow.h
24879
24880commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
24881Author: Brad Spengler <spender@grsecurity.net>
24882Date: Fri Jan 6 18:33:05 2012 -0500
24883
24884 Make GRKERNSEC_SETXID option compatible with credential debugging
24885
24886commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
24887Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
24888Date: Wed Dec 28 15:57:11 2011 -0800
24889
24890 mm/mempolicy.c: refix mbind_range() vma issue
24891
24892 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
24893 slightly incorrect fix.
24894
24895 Why? Think following case.
24896
24897 1. map 4 pages of a file at offset 0
24898
24899 [0123]
24900
24901 2. map 2 pages just after the first mapping of the same file but with
24902 page offset 2
24903
24904 [0123][23]
24905
24906 3. mbind() 2 pages from the first mapping at offset 2.
24907 mbind_range() should treat new vma is,
24908
24909 [0123][23]
24910 |23|
24911 mbind vma
24912
24913 but it does
24914
24915 [0123][23]
24916 |01|
24917 mbind vma
24918
24919 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
24920
24921 This patch fixes it.
24922
24923 [testcase]
24924 test result - before the patch
24925
24926 case4: 126: test failed. expect '2,4', actual '2,2,2'
24927 case5: passed
24928 case6: passed
24929 case7: passed
24930 case8: passed
24931 case_n: 246: test failed. expect '4,2', actual '1,4'
24932
24933 ------------[ cut here ]------------
24934 kernel BUG at mm/filemap.c:135!
24935 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
24936
24937 (snip long bug on messages)
24938
24939 test result - after the patch
24940
24941 case4: passed
24942 case5: passed
24943 case6: passed
24944 case7: passed
24945 case8: passed
24946 case_n: passed
24947
24948 source: mbind_vma_test.c
24949 ============================================================
24950 #include <numaif.h>
24951 #include <numa.h>
24952 #include <sys/mman.h>
24953 #include <stdio.h>
24954 #include <unistd.h>
24955 #include <stdlib.h>
24956 #include <string.h>
24957
24958 static unsigned long pagesize;
24959 void* mmap_addr;
24960 struct bitmask *nmask;
24961 char buf[1024];
24962 FILE *file;
24963 char retbuf[10240] = "";
24964 int mapped_fd;
24965
24966 char *rubysrc = "ruby -e '\
24967 pid = %d; \
24968 vstart = 0x%llx; \
24969 vend = 0x%llx; \
24970 s = `pmap -q #{pid}`; \
24971 rary = []; \
24972 s.each_line {|line|; \
24973 ary=line.split(\" \"); \
24974 addr = ary[0].to_i(16); \
24975 if(vstart <= addr && addr < vend) then \
24976 rary.push(ary[1].to_i()/4); \
24977 end; \
24978 }; \
24979 print rary.join(\",\"); \
24980 '";
24981
24982 void init(void)
24983 {
24984 void* addr;
24985 char buf[128];
24986
24987 nmask = numa_allocate_nodemask();
24988 numa_bitmask_setbit(nmask, 0);
24989
24990 pagesize = getpagesize();
24991
24992 sprintf(buf, "%s", "mbind_vma_XXXXXX");
24993 mapped_fd = mkstemp(buf);
24994 if (mapped_fd == -1)
24995 perror("mkstemp "), exit(1);
24996 unlink(buf);
24997
24998 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
24999 perror("lseek "), exit(1);
25000 if (write(mapped_fd, "\0", 1) < 0)
25001 perror("write "), exit(1);
25002
25003 addr = mmap(NULL, pagesize*8, PROT_NONE,
25004 MAP_SHARED, mapped_fd, 0);
25005 if (addr == MAP_FAILED)
25006 perror("mmap "), exit(1);
25007
25008 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
25009 perror("mprotect "), exit(1);
25010
25011 mmap_addr = addr + pagesize;
25012
25013 /* make page populate */
25014 memset(mmap_addr, 0, pagesize*6);
25015 }
25016
25017 void fin(void)
25018 {
25019 void* addr = mmap_addr - pagesize;
25020 munmap(addr, pagesize*8);
25021
25022 memset(buf, 0, sizeof(buf));
25023 memset(retbuf, 0, sizeof(retbuf));
25024 }
25025
25026 void mem_bind(int index, int len)
25027 {
25028 int err;
25029
25030 err = mbind(mmap_addr+pagesize*index, pagesize*len,
25031 MPOL_BIND, nmask->maskp, nmask->size, 0);
25032 if (err)
25033 perror("mbind "), exit(err);
25034 }
25035
25036 void mem_interleave(int index, int len)
25037 {
25038 int err;
25039
25040 err = mbind(mmap_addr+pagesize*index, pagesize*len,
25041 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
25042 if (err)
25043 perror("mbind "), exit(err);
25044 }
25045
25046 void mem_unbind(int index, int len)
25047 {
25048 int err;
25049
25050 err = mbind(mmap_addr+pagesize*index, pagesize*len,
25051 MPOL_DEFAULT, NULL, 0, 0);
25052 if (err)
25053 perror("mbind "), exit(err);
25054 }
25055
25056 void Assert(char *expected, char *value, char *name, int line)
25057 {
25058 if (strcmp(expected, value) == 0) {
25059 fprintf(stderr, "%s: passed\n", name);
25060 return;
25061 }
25062 else {
25063 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
25064 name, line,
25065 expected, value);
25066 // exit(1);
25067 }
25068 }
25069
25070 /*
25071 AAAA
25072 PPPPPPNNNNNN
25073 might become
25074 PPNNNNNNNNNN
25075 case 4 below
25076 */
25077 void case4(void)
25078 {
25079 init();
25080 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
25081
25082 mem_bind(0, 4);
25083 mem_unbind(2, 2);
25084
25085 file = popen(buf, "r");
25086 fread(retbuf, sizeof(retbuf), 1, file);
25087 Assert("2,4", retbuf, "case4", __LINE__);
25088
25089 fin();
25090 }
25091
25092 /*
25093 AAAA
25094 PPPPPPNNNNNN
25095 might become
25096 PPPPPPPPPPNN
25097 case 5 below
25098 */
25099 void case5(void)
25100 {
25101 init();
25102 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
25103
25104 mem_bind(0, 2);
25105 mem_bind(2, 2);
25106
25107 file = popen(buf, "r");
25108 fread(retbuf, sizeof(retbuf), 1, file);
25109 Assert("4,2", retbuf, "case5", __LINE__);
25110
25111 fin();
25112 }
25113
25114 /*
25115 AAAA
25116 PPPPNNNNXXXX
25117 might become
25118 PPPPPPPPPPPP 6
25119 */
25120 void case6(void)
25121 {
25122 init();
25123 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
25124
25125 mem_bind(0, 2);
25126 mem_bind(4, 2);
25127 mem_bind(2, 2);
25128
25129 file = popen(buf, "r");
25130 fread(retbuf, sizeof(retbuf), 1, file);
25131 Assert("6", retbuf, "case6", __LINE__);
25132
25133 fin();
25134 }
25135
25136 /*
25137 AAAA
25138 PPPPNNNNXXXX
25139 might become
25140 PPPPPPPPXXXX 7
25141 */
25142 void case7(void)
25143 {
25144 init();
25145 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
25146
25147 mem_bind(0, 2);
25148 mem_interleave(4, 2);
25149 mem_bind(2, 2);
25150
25151 file = popen(buf, "r");
25152 fread(retbuf, sizeof(retbuf), 1, file);
25153 Assert("4,2", retbuf, "case7", __LINE__);
25154
25155 fin();
25156 }
25157
25158 /*
25159 AAAA
25160 PPPPNNNNXXXX
25161 might become
25162 PPPPNNNNNNNN 8
25163 */
25164 void case8(void)
25165 {
25166 init();
25167 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
25168
25169 mem_bind(0, 2);
25170 mem_interleave(4, 2);
25171 mem_interleave(2, 2);
25172
25173 file = popen(buf, "r");
25174 fread(retbuf, sizeof(retbuf), 1, file);
25175 Assert("2,4", retbuf, "case8", __LINE__);
25176
25177 fin();
25178 }
25179
25180 void case_n(void)
25181 {
25182 init();
25183 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
25184
25185 /* make redundunt mappings [0][1234][34][7] */
25186 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
25187 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
25188
25189 /* Expect to do nothing. */
25190 mem_unbind(2, 2);
25191
25192 file = popen(buf, "r");
25193 fread(retbuf, sizeof(retbuf), 1, file);
25194 Assert("4,2", retbuf, "case_n", __LINE__);
25195
25196 fin();
25197 }
25198
25199 int main(int argc, char** argv)
25200 {
25201 case4();
25202 case5();
25203 case6();
25204 case7();
25205 case8();
25206 case_n();
25207
25208 return 0;
25209 }
25210 =============================================================
25211
25212 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
25213 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
25214 Cc: Minchan Kim <minchan.kim@gmail.com>
25215 Cc: Caspar Zhang <caspar@casparzhang.com>
25216 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
25217 Cc: Christoph Lameter <cl@linux.com>
25218 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
25219 Cc: Mel Gorman <mel@csn.ul.ie>
25220 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
25221 Cc: <stable@vger.kernel.org> [3.1.x]
25222 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
25223 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
25224
25225commit f3a1082005781777086df235049f8c0b7efe524e
25226Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
25227Date: Tue Dec 27 22:32:41 2011 -0500
25228
25229 packet: fix possible dev refcnt leak when bind fail
25230
25231 If bind is fail when bind is called after set PACKET_FANOUT
25232 sock option, the dev refcnt will leak.
25233
25234 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
25235 Signed-off-by: David S. Miller <davem@davemloft.net>
25236
25237commit 915f8b08dac68839dc7204ee81cf9852fda16d24
25238Author: Haogang Chen <haogangchen@gmail.com>
25239Date: Mon Dec 19 17:11:56 2011 -0800
25240
25241 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
25242
25243 There is a potential integer overflow in nilfs_ioctl_clean_segments().
25244 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
25245 call to vmalloc() will allocate a buffer smaller than expected, which
25246 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
25247 lfs_clean_segments().
25248
25249 The following check does not prevent the overflow because nsegs is also
25250 controlled by the userspace and could be very large.
25251
25252 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
25253 goto out_free;
25254
25255 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
25256 returns -EINVAL when overflow.
25257
25258 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
25259 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
25260 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
25261 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
25262
25263commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
25264Author: Kautuk Consul <consul.kautuk@gmail.com>
25265Date: Mon Dec 19 17:12:04 2011 -0800
25266
25267 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
25268
25269 Static storage is not required for the struct vmap_area in
25270 __get_vm_area_node.
25271
25272 Removing "static" to store this variable on the stack instead.
25273
25274 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
25275 Acked-by: David Rientjes <rientjes@google.com>
25276 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
25277 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
25278
25279commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
25280Author: Michel Lespinasse <walken@google.com>
25281Date: Mon Dec 19 17:12:06 2011 -0800
25282
25283 binary_sysctl(): fix memory leak
25284
25285 binary_sysctl() calls sysctl_getname() which allocates from names_cache
25286 slab usin __getname()
25287
25288 The matching function to free the name is __putname(), and not putname()
25289 which should be used only to match getname() allocations.
25290
25291 This is because when auditing is enabled, putname() calls audit_putname
25292 *instead* (not in addition) to __putname(). Then, if a syscall is in
25293 progress, audit_putname does not release the name - instead, it expects
25294 the name to get released when the syscall completes, but that will happen
25295 only if audit_getname() was called previously, i.e. if the name was
25296 allocated with getname() rather than the naked __getname(). So,
25297 __getname() followed by putname() ends up leaking memory.
25298
25299 Signed-off-by: Michel Lespinasse <walken@google.com>
25300 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
25301 Cc: Christoph Hellwig <hch@infradead.org>
25302 Cc: Eric Paris <eparis@redhat.com>
25303 Cc: <stable@vger.kernel.org>
25304 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
25305 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
25306
25307commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
25308Author: Sean Hefty <sean.hefty@intel.com>
25309Date: Tue Dec 6 21:17:11 2011 +0000
25310
25311 RDMA/cma: Verify private data length
25312
25313 private_data_len is defined as a u8. If the user specifies a large
25314 private_data size (> 220 bytes), we will calculate a total length that
25315 exceeds 255, resulting in private_data_len wrapping back to 0. This
25316 can lead to overwriting random kernel memory. Avoid this by verifying
25317 that the resulting size fits into a u8.
25318
25319 Reported-by: B. Thery <benjamin.thery@bull.net>
25320 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
25321 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
25322 Signed-off-by: Roland Dreier <roland@purestorage.com>
25323
25324commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
25325Author: Xi Wang <xi.wang@gmail.com>
25326Date: Sun Dec 11 23:40:56 2011 -0800
25327
25328 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
25329
25330 The error check (intr_status < 0) didn't work because intr_status is
25331 a u8. Change its type to signed int.
25332
25333 Signed-off-by: Xi Wang <xi.wang@gmail.com>
25334 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
25335
25336commit e27f34e383d7863b2528a63b81b23db09781f6b6
25337Author: Xi Wang <xi.wang@gmail.com>
25338Date: Fri Dec 16 12:44:15 2011 +0000
25339
25340 sctp: fix incorrect overflow check on autoclose
25341
25342 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
25343 limiting the autoclose value. If userspace passes in -1 on 32-bit
25344 platform, the overflow check didn't work and autoclose would be set
25345 to 0xffffffff.
25346
25347 This patch defines a max_autoclose (in seconds) for limiting the value
25348 and exposes it through sysctl, with the following intentions.
25349
25350 1) Avoid overflowing autoclose * HZ.
25351
25352 2) Keep the default autoclose bound consistent across 32- and 64-bit
25353 platforms (INT_MAX / HZ in this patch).
25354
25355 3) Keep the autoclose value consistent between setsockopt() and
25356 getsockopt() calls.
25357
25358 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
25359 Signed-off-by: Xi Wang <xi.wang@gmail.com>
25360 Signed-off-by: David S. Miller <davem@davemloft.net>
25361
25362commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
25363Author: Xi Wang <xi.wang@gmail.com>
25364Date: Wed Dec 21 05:18:33 2011 -0500
25365
25366 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
25367
25368 Commit e133e737 didn't correctly fix the integer overflow issue.
25369
25370 - unsigned int required_size;
25371 + u64 required_size;
25372 ...
25373 required_size = mode_cmd->pitch * mode_cmd->height;
25374 - if (unlikely(required_size > dev_priv->vram_size)) {
25375 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
25376
25377 Note that both pitch and height are u32. Their product is still u32 and
25378 would overflow before being assigned to required_size. A correct way is
25379 to convert pitch and height to u64 before the multiplication.
25380
25381 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
25382
25383 This patch calls the existing vmw_kms_validate_mode_vram() for
25384 validation.
25385
25386 Signed-off-by: Xi Wang <xi.wang@gmail.com>
25387 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
25388 Signed-off-by: Dave Airlie <airlied@redhat.com>
25389
25390 Conflicts:
25391
25392 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
25393
25394commit eb8f0bd01fb994c9abc77dc84729794cd841753d
25395Author: Xi Wang <xi.wang@gmail.com>
25396Date: Thu Dec 22 13:35:22 2011 +0000
25397
25398 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
25399
25400 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
25401 cause a kernel oops due to insufficient bounds checking.
25402
25403 if (count > 1<<30) {
25404 /* Enforce a limit to prevent overflow */
25405 return -EINVAL;
25406 }
25407 count = roundup_pow_of_two(count);
25408 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
25409
25410 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
25411
25412 ... + (count * sizeof(struct rps_dev_flow))
25413
25414 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
25415 32 bits.
25416
25417 This patch replaces the magic number (1 << 30) with a symbolic bound.
25418
25419 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
25420 Signed-off-by: Xi Wang <xi.wang@gmail.com>
25421 Signed-off-by: David S. Miller <davem@davemloft.net>
25422
25423commit 648188958672024b616c42c1f6c98c8cfc85619d
25424Author: Xi Wang <xi.wang@gmail.com>
25425Date: Fri Dec 30 10:40:17 2011 -0500
25426
25427 netfilter: ctnetlink: fix timeout calculation
25428
25429 The sanity check (timeout < 0) never works; the dividend is unsigned
25430 and so is the division, which should have been a signed division.
25431
25432 long timeout = (ct->timeout.expires - jiffies) / HZ;
25433 if (timeout < 0)
25434 timeout = 0;
25435
25436 This patch converts the time values to signed for the division.
25437
25438 Signed-off-by: Xi Wang <xi.wang@gmail.com>
25439 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
25440
25441commit ab03a0973cee73f88655ff4981812ad316a6cd59
25442Merge: 76f82df 7bdddeb
25443Author: Brad Spengler <spender@grsecurity.net>
25444Date: Tue Jan 3 17:42:50 2012 -0500
25445
25446 Merge branch 'pax-test' into grsec-test
25447
25448commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
25449Merge: 3e59cb5 55cc81a
25450Author: Brad Spengler <spender@grsecurity.net>
25451Date: Tue Jan 3 17:42:36 2012 -0500
25452
25453 Merge branch 'linux-3.1.y' into pax-test
25454
25455commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
25456Author: Brad Spengler <spender@grsecurity.net>
25457Date: Thu Dec 22 20:15:02 2011 -0500
25458
25459 Only further restrict futex targeting another process -- our modified
25460 permission check also happened to allow a case where a process retaining
25461 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
25462 being non-zero (reported on forums by ben_w)
25463
25464commit 6b235a4450a5fea41663ec35fa0608988b6078c6
25465Merge: 97c16f0 3e59cb5
25466Author: Brad Spengler <spender@grsecurity.net>
25467Date: Thu Dec 22 19:11:06 2011 -0500
25468
25469 Merge branch 'pax-test' into grsec-test
25470
25471 Conflicts:
25472 fs/hfs/btree.c
25473
25474commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
25475Merge: 285eb4e c26f60b
25476Author: Brad Spengler <spender@grsecurity.net>
25477Date: Thu Dec 22 19:09:57 2011 -0500
25478
25479 Merge branch 'linux-3.1.y' into pax-test
25480
25481 Conflicts:
25482 arch/x86/kernel/process.c
25483
25484commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
25485Author: Brad Spengler <spender@grsecurity.net>
25486Date: Mon Dec 19 21:54:01 2011 -0500
25487
25488 Add new option: "Enforce consistent multithreaded privileges"
25489
25490commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
25491Author: Brad Spengler <spender@grsecurity.net>
25492Date: Wed Dec 7 19:58:31 2011 -0500
25493
25494 Remove harmless duplicate code -- exec_file would be null already so the
25495 second check would never pass.
25496
25497commit 4e3304e94aa72737810bc50169519af157dce4ce
25498Author: Brad Spengler <spender@grsecurity.net>
25499Date: Wed Dec 7 19:50:39 2011 -0500
25500
25501 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
25502 depended on for attaching to a thread. Entries exist in /proc for
25503 threads, but are not visible in a readdir.
25504
25505commit 1bd899335f23815cfe8deac44c6b346398f3b95e
25506Author: Brad Spengler <spender@grsecurity.net>
25507Date: Sun Dec 4 18:03:28 2011 -0500
25508
25509 Put the already-walked path if in RCU-walk mode
25510
25511commit ec7ae36b7159f10649709779443a988662965d66
25512Author: Brad Spengler <spender@grsecurity.net>
25513Date: Sun Dec 4 17:35:21 2011 -0500
25514
25515 Fix memory leak introduced by recent (unpublished) commit
25516 75ab998b94a29d464518d6d501bdde3fbfcbfa14
25517
25518commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
25519Author: Brad Spengler <spender@grsecurity.net>
25520Date: Sun Dec 4 13:56:10 2011 -0500
25521
25522 Explicitly check size copied to userland in override_release to silence gcc
25523
25524commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
25525Author: Brad Spengler <spender@grsecurity.net>
25526Date: Sun Dec 4 13:54:02 2011 -0500
25527
25528 Initialize variable to silence erroneous gcc warning
25529
25530commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
25531Author: Brad Spengler <spender@grsecurity.net>
25532Date: Sun Dec 4 13:47:47 2011 -0500
25533
25534 Future-proof other potential RCU-aware locations where we can log.
25535
25536commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
25537Author: Brad Spengler <spender@grsecurity.net>
25538Date: Sun Dec 4 13:02:54 2011 -0500
25539
25540 Fix freeze reported by 'vs' on the forums. Bug occurred due to
25541 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
25542 in generic_permission() was in the task's effective set but disallowed by
25543 RBAC, would block when acquiring locks resulting in the freeze.
25544
25545 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
25546 as being required when CAP_DAC_OVERRIDE is present (consistent with
25547 older patches).
25548
25549commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
25550Author: Xi Wang <xi.wang@gmail.com>
25551Date: Tue Nov 29 09:26:30 2011 +0000
25552
25553 sctp: better integer overflow check in sctp_auth_create_key()
25554
25555 The check from commit 30c2235c is incomplete and cannot prevent
25556 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
25557 left-hand side of the check (INT_MAX - key_len), which is unsigned,
25558 becomes 0xffffffff (UINT_MAX) and bypasses the check.
25559
25560 However this shouldn't be a security issue. The function is called
25561 from the following two code paths:
25562
25563 1) setsockopt()
25564
25565 2) sctp_auth_asoc_set_secret()
25566
25567 In case (1), sca_keylength is never going to exceed 65535 since it's
25568 bounded by a u16 from the user API. As such, the key length will
25569 never overflow.
25570
25571 In case (2), sca_keylength is computed based on the user key (1 short)
25572 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
25573 will not overflow.
25574
25575 In other words, this overflow check is not really necessary. Just
25576 make it more correct.
25577
25578 Signed-off-by: Xi Wang <xi.wang@gmail.com>
25579 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
25580 Signed-off-by: David S. Miller <davem@davemloft.net>
25581
25582commit e565e28c3635a1d50f80541fbf6b606d742fec76
25583Author: Josh Boyer <jwboyer@redhat.com>
25584Date: Fri Aug 19 14:50:26 2011 -0400
25585
25586 fs/minix: Verify bitmap block counts before mounting
25587
25588 Newer versions of MINIX can create filesystems that allocate an extra
25589 bitmap block. Mounting of this succeeds, but doing a statfs call will
25590 result in an oops in count_free because of a negative number being used
25591 for the bh index.
25592
25593 Avoid this by verifying the number of allocated blocks at mount time,
25594 erroring out if there are not enough and make statfs ignore the extras
25595 if there are too many.
25596
25597 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
25598
25599 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
25600 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
25601
25602commit 6e134e398ec1a3f428261680e83df4319e64bed9
25603Author: Julia Lawall <julia@diku.dk>
25604Date: Tue Nov 15 14:53:11 2011 -0800
25605
25606 drivers/gpu/vga/vgaarb.c: add missing kfree
25607
25608 kbuf is a buffer that is local to this function, so all of the error paths
25609 leaving the function should release it.
25610
25611 Signed-off-by: Julia Lawall <julia@diku.dk>
25612 Cc: Jesper Juhl <jj@chaosbits.net>
25613 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
25614 Signed-off-by: Dave Airlie <airlied@redhat.com>
25615
25616commit 2b9057b321e36860e8d63985b5c4e496f254b717
25617Author: Brad Spengler <spender@grsecurity.net>
25618Date: Sat Dec 3 21:33:28 2011 -0500
25619
25620 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
25621
25622commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
25623Author: Brad Spengler <spender@grsecurity.net>
25624Date: Sat Dec 3 21:29:37 2011 -0500
25625
25626 Import pax-linux-3.1.4-test18.patch
25627
25628commit 285eb4ea45d853ae00426b3315a61c1368080dad
25629Author: Brad Spengler <spender@grsecurity.net>
25630Date: Sat Dec 10 18:33:46 2011 -0500
25631
25632 Import changes from pax-linux-3.1.5-test20.patch
25633
25634commit a6bda918fc90ec1d5c387e978d147ad2044153f1
25635Author: Brad Spengler <spender@grsecurity.net>
25636Date: Thu Dec 8 20:55:54 2011 -0500
25637
25638 Import changes from pax-linux-3.1.4-test19.patch
25639
25640commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
25641Author: Brad Spengler <spender@grsecurity.net>
25642Date: Sat Dec 3 21:29:37 2011 -0500
25643
25644 Import pax-linux-3.1.4-test18.patch
25645commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
25646Author: Brad Spengler <spender@grsecurity.net>
25647Date: Thu Jul 4 23:05:14 2013 -0400
25648
25649 always enforce a non-zero gap for RAND_THREADSTACK
25650
25651 mm/mmap.c | 2 +-
25652 1 files changed, 1 insertions(+), 1 deletions(-)
25653
25654commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
25655Author: Brad Spengler <spender@grsecurity.net>
25656Date: Thu Jul 4 16:09:28 2013 -0400
25657
25658 fix up file comparisons
25659
25660 grsecurity/gracl_segv.c | 2 +-
25661 grsecurity/grsec_sig.c | 4 ++--
25662 include/linux/grinternal.h | 12 ++++++++++++
25663 3 files changed, 15 insertions(+), 3 deletions(-)
25664
25665commit a1fff2c95162314626dd96bec71d951a8c1c4708
25666Author: Brad Spengler <spender@grsecurity.net>
25667Date: Thu Jul 4 15:33:18 2013 -0400
25668
25669 fix suid binary matching
25670
25671 grsecurity/grsec_sig.c | 2 +-
25672 1 files changed, 1 insertions(+), 1 deletions(-)
25673
25674commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
25675Merge: 37b97a9 47beb61
25676Author: Brad Spengler <spender@grsecurity.net>
25677Date: Thu Jul 4 15:02:31 2013 -0400
25678
25679 Merge branch 'pax-test' into grsec-test
25680
25681commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
25682Author: Brad Spengler <spender@grsecurity.net>
25683Date: Thu Jul 4 15:01:37 2013 -0400
25684
25685 Update to pax-linux-3.9.9-test13.patch:
25686 - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
25687 - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)
25688
25689 arch/arm/include/asm/uaccess.h | 20 ++++++++++----------
25690 arch/arm/kernel/armksyms.c | 2 +-
25691 arch/arm/kernel/entry-armv.S | 4 ++--
25692 arch/arm/mm/Kconfig | 2 +-
25693 arch/x86/ia32/ia32entry.S | 4 ++--
25694 arch/x86/include/asm/page.h | 1 +
25695 arch/x86/kernel/entry_32.S | 4 ++--
25696 arch/x86/kernel/entry_64.S | 8 ++++----
25697 arch/x86/kernel/head64.c | 12 ++++++------
25698 arch/x86/kernel/head_64.S | 16 ++++++++++++----
25699 arch/x86/mm/init.c | 8 ++++++++
25700 arch/x86/mm/init_32.c | 6 ------
25701 arch/x86/mm/init_64.c | 6 ------
25702 arch/x86/platform/efi/efi_32.c | 5 +++++
25703 arch/x86/platform/efi/efi_64.c | 10 ++++++++++
25704 15 files changed, 64 insertions(+), 44 deletions(-)
25705
25706commit 89085d2d0643813a62f23d1199a335dc1e129bc0
25707Merge: 963af7f 0adf2e7
25708Author: Brad Spengler <spender@grsecurity.net>
25709Date: Thu Jul 4 14:55:44 2013 -0400
25710
25711 Merge branch 'linux-3.9.y' into pax-test
25712
25713commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
25714Author: Brad Spengler <spender@grsecurity.net>
25715Date: Thu Jul 4 13:46:02 2013 -0400
25716
25717 fix typo
25718
25719 grsecurity/gracl.c | 2 +-
25720 1 files changed, 1 insertions(+), 1 deletions(-)
25721
25722commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
25723Author: Brad Spengler <spender@grsecurity.net>
25724Date: Thu Jul 4 13:29:51 2013 -0400
25725
25726 update log arguments
25727
25728 grsecurity/grsec_sig.c | 3 ++-
25729 1 files changed, 2 insertions(+), 1 deletions(-)
25730
25731commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
25732Author: Brad Spengler <spender@grsecurity.net>
25733Date: Thu Jul 4 13:20:23 2013 -0400
25734
25735 Update logging of suid exec ban
25736
25737 Conflicts:
25738
25739 grsecurity/grsec_sig.c
25740
25741 grsecurity/grsec_sig.c | 3 +--
25742 include/linux/grmsg.h | 1 +
25743 2 files changed, 2 insertions(+), 2 deletions(-)
25744
25745commit ef808866c070aa1901bd2224521baaf5d145a3a7
25746Author: Brad Spengler <spender@grsecurity.net>
25747Date: Thu Jul 4 12:58:33 2013 -0400
25748
25749 Additional improvements to the user banning code:
25750
25751 Separate the kernel-bruteforcing case from the suid bruteforcing case
25752 In the suid bruteforcing case, only kill existing copies of the bruteforced
25753 binary. Instead of preventing all future execs by this user, prevent them
25754 from executing any suid/sgid binaries for the next 15 minutes.
25755
25756 Kernel case is mostly unchanged from before, except the task trying to change
25757 real uid to the banned user will be terminated instead of failing the setuid
25758 call.
25759
25760 Configuration help has been updated to reflect the new changes.
25761
25762 fs/exec.c | 13 +++++---
25763 grsecurity/Kconfig | 5 ++-
25764 grsecurity/gracl.c | 6 ++--
25765 grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
25766 include/linux/grsecurity.h | 1 -
25767 include/linux/sched.h | 9 +++--
25768 6 files changed, 65 insertions(+), 45 deletions(-)
25769
25770commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
25771Author: Brad Spengler <spender@grsecurity.net>
25772Date: Wed Jul 3 16:14:09 2013 -0400
25773
25774 fix renamed export of csum_partial_copy_from_user, as reported by fabled
25775 on the forums
25776
25777 arch/arm/kernel/armksyms.c | 2 +-
25778 1 files changed, 1 insertions(+), 1 deletions(-)
25779
25780commit 318235973c2a548c3d25562645d6b69f66e85934
25781Author: Brad Spengler <spender@grsecurity.net>
25782Date: Wed Jul 3 16:09:16 2013 -0400
25783
25784 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
25785 reported on the forums by fabled
25786
25787 arch/arm/mm/Kconfig | 2 +-
25788 1 files changed, 1 insertions(+), 1 deletions(-)
25789
25790commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
25791Author: Brad Spengler <spender@grsecurity.net>
25792Date: Wed Jul 3 15:53:12 2013 -0400
25793
25794 Revise the user ban code to kill the process issuing a banned
25795 set*id instead of returning an error. For the sake of keeping
25796 unified user banning between the suid and kernel bruteforce case,
25797 we will apply this killing to the suid bruteforce case, despite
25798 a check just at exec time (that already existed) being sufficient.
25799
25800 Returning an error could enable exploitation of the "failure to check
25801 setuid return value" case which was recently effectively closed
25802 upstream, albeit in a rare situation with a suitable binary and
25803 two colluding users.
25804
25805 Many thanks to stealth for reviewing the user ban code.
25806
25807 grsecurity/gracl.c | 4 ++--
25808 grsecurity/grsec_sig.c | 16 +++++++++++++---
25809 2 files changed, 15 insertions(+), 5 deletions(-)
25810
25811commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
25812Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
25813Date: Fri Jun 28 14:15:15 2013 +0300
25814
25815 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
25816
25817 UBIFS: fix a horrid bug
25818
25819 Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
25820 mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
25821 in the middle of 'ubifs_readdir()'.
25822
25823 This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
25824 it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
25825 but this may corrupt memory and lead to all kinds of problems like crashes an
25826 security holes.
25827
25828 This patch fixes the problem by using the 'file->f_version' field, which
25829 '->llseek()' always unconditionally sets to zero. We set it to 1 in
25830 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
25831 seek and it is time to clear the state saved in 'file->private_data'.
25832
25833 I tested this patch by writing a user-space program which runds readdir and
25834 seek in parallell. I could easily crash the kernel without these patches, but
25835 could not crash it with these patches.
25836
25837 Cc: stable@vger.kernel.org
25838 Reported-by: Al Viro <viro@zeniv.linux.org.uk>
25839 Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
25840 Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
25841 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
25842
25843 fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
25844 1 files changed, 27 insertions(+), 3 deletions(-)
25845
25846commit c22280b85088978bd8b45bd23096879459b48008
25847Author: Stephane Eranian <eranian@google.com>
25848Date: Thu Jun 20 11:36:28 2013 +0200
25849
25850 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
25851
25852 perf: Disable monitoring on setuid processes for regular users
25853
25854 There was a a bug in setup_new_exec(), whereby
25855 the test to disabled perf monitoring was not
25856 correct because the new credentials for the
25857 process were not yet committed and therefore
25858 the get_dumpable() test was never firing.
25859
25860 The patch fixes the problem by moving the
25861 perf_event test until after the credentials
25862 are committed.
25863
25864 Signed-off-by: Stephane Eranian <eranian@google.com>
25865 Tested-by: Jiri Olsa <jolsa@redhat.com>
25866 Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
25867 Cc: <stable@kernel.org>
25868 Signed-off-by: Ingo Molnar <mingo@kernel.org>
25869
25870 fs/exec.c | 16 +++++++++-------
25871 1 files changed, 9 insertions(+), 7 deletions(-)
25872
25873commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
25874Author: Brad Spengler <spender@grsecurity.net>
25875Date: Sat Jun 29 13:10:02 2013 -0400
25876
25877 on context switch, make sure we switch DACR when domain support and
25878 KERNEXEC is disabled but UDEREF is enabled
25879
25880 arch/arm/kernel/entry-armv.S | 4 ++--
25881 1 files changed, 2 insertions(+), 2 deletions(-)
25882
25883commit 08d017fa51370921694ce087b28c96fec92993d4
25884Author: Michael S. Tsirkin <mst@redhat.com>
25885Date: Sun Jun 23 17:26:58 2013 +0300
25886
25887 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
25888
25889 macvtap: fix recovery from gup errors
25890
25891 get user pages might fail partially in macvtap zero copy
25892 mode. To recover we need to put all pages that we got,
25893 but code used a wrong index resulting in double-free
25894 errors.
25895
25896 Reported-by: Brad Hubbard <bhubbard@redhat.com>
25897 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
25898 Acked-by: Jason Wang <jasowang@redhat.com>
25899 Signed-off-by: David S. Miller <davem@davemloft.net>
25900
25901 drivers/net/macvtap.c | 6 ++++--
25902 1 files changed, 4 insertions(+), 2 deletions(-)
25903
25904commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
25905Author: Michael S. Tsirkin <mst@redhat.com>
25906Date: Sun Jun 23 17:19:03 2013 +0300
25907
25908 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
25909
25910 tun: fix recovery from gup errors
25911
25912 get user pages might fail partially in tun zero copy
25913 mode. To recover we need to put all pages that we got,
25914 but code used a wrong index resulting in double-free
25915 errors.
25916
25917 Reported-by: Brad Hubbard <bhubbard@redhat.com>
25918 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
25919 Acked-by: Jason Wang <jasowang@redhat.com>
25920 Acked-by: Neil Horman <nhorman@tuxdriver.com>
25921 Signed-off-by: David S. Miller <davem@davemloft.net>
25922
25923 drivers/net/tun.c | 6 ++++--
25924 1 files changed, 4 insertions(+), 2 deletions(-)
25925
25926commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
25927Author: Balazs Peter Odor <balazs@obiserver.hu>
25928Date: Sat Jun 22 19:24:43 2013 +0200
25929
25930 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
25931
25932 netfilter: nf_nat_sip: fix mangling
25933
25934 In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
25935 there were some missing brackets around the logging information, thus
25936 always returning drop.
25937
25938 Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
25939
25940 Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
25941 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
25942
25943 net/netfilter/nf_nat_sip.c | 3 ++-
25944 1 files changed, 2 insertions(+), 1 deletions(-)
25945
25946commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
25947Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
25948Date: Sun Jun 2 16:30:40 2013 -0400
25949
25950 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
25951
25952 Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
25953
25954 If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
25955 controller, memory corruption happens due to a memcpy() call with
25956 negative length.
25957
25958 Fix this crash on either incoming or outgoing connections with a MTU
25959 smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
25960
25961 [ 46.885433] BUG: unable to handle kernel paging request at f56ad000
25962 [ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
25963 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
25964 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
25965 [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
25966 [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
25967 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
25968 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
25969 [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
25970 [ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
25971 [ 46.888037] EIP is at memcpy+0x1d/0x40
25972 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
25973 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
25974 [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
25975 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
25976 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
25977 [ 46.888037] DR6: ffff0ff0 DR7: 00000400
25978 [ 46.888037] Stack:
25979 [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
25980 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
25981 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
25982 [ 46.888037] Call Trace:
25983 [ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
25984 [ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
25985 [ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
25986 [ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
25987 [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
25988 [ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
25989 [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
25990 [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
25991 [ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
25992 [ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
25993 [ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
25994 [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
25995 [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
25996 [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
25997 [ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
25998 [ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
25999 [ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
26000 [ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
26001 [ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
26002 [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
26003 [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
26004 [ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
26005 [ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
26006 [ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
26007 [ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
26008 [ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
26009 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
26010 [ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
26011 [ 46.888037] CR2: 00000000f56ad000
26012 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
26013
26014 Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
26015 Cc: stable@vger.kernel.org
26016 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
26017 Signed-off-by: John W. Linville <linville@tuxdriver.com>
26018
26019 net/bluetooth/l2cap_core.c | 3 +++
26020 1 files changed, 3 insertions(+), 0 deletions(-)
26021
26022commit b0471b6c1160858fc646d8e94628fd1299f61692
26023Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
26024Date: Fri Jun 21 19:55:11 2013 +0530
26025
26026 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
26027
26028 Bluetooth: Fix invalid length check in l2cap_information_rsp()
26029
26030 The length check is invalid since the length varies with type of
26031 info response.
26032
26033 This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
26034
26035 Because of this, l2cap info rsp is not handled and command reject is sent.
26036
26037 > ACL data: handle 11 flags 0x02 dlen 16
26038 L2CAP(s): Info rsp: type 2 result 0
26039 Extended feature mask 0x00b8
26040 Enhanced Retransmission mode
26041 Streaming mode
26042 FCS Option
26043 Fixed Channels
26044 < ACL data: handle 11 flags 0x00 dlen 10
26045 L2CAP(s): Command rej: reason 0
26046 Command not understood
26047
26048 Cc: stable@vger.kernel.org
26049 Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
26050 Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
26051 Acked-by: Johan Hedberg <johan.hedberg@intel.com>
26052 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
26053
26054 net/bluetooth/l2cap_core.c | 2 +-
26055 1 files changed, 1 insertions(+), 1 deletions(-)
26056
26057commit 4184af98c360d825e638b268b1a9847232e8d299
26058Author: Eric Dumazet <edumazet@google.com>
26059Date: Wed Jun 26 04:15:07 2013 -0700
26060
26061 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
26062
26063 ipv6: ip6_sk_dst_check() must not assume ipv6 dst
26064
26065 It's possible to use AF_INET6 sockets and to connect to an IPv4
26066 destination. After this, socket dst cache is a pointer to a rtable,
26067 not rt6_info.
26068
26069 ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
26070 various corruptions/crashes can happen.
26071
26072 Dave Jones can reproduce immediate crash with
26073 trinity -q -l off -n -c sendmsg -c connect
26074
26075 With help from Hannes Frederic Sowa
26076
26077 Reported-by: Dave Jones <davej@redhat.com>
26078 Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
26079 Signed-off-by: Eric Dumazet <edumazet@google.com>
26080 Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
26081 Signed-off-by: David S. Miller <davem@davemloft.net>
26082
26083 net/ipv6/ip6_output.c | 8 +++++++-
26084 1 files changed, 7 insertions(+), 1 deletions(-)
26085
26086commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
26087Author: Zefan Li <lizefan@huawei.com>
26088Date: Wed Jun 26 15:29:54 2013 +0800
26089
26090 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
26091
26092 dlci: acquire rtnl_lock before calling __dev_get_by_name()
26093
26094 Otherwise the net device returned can be freed at anytime.
26095
26096 Signed-off-by: Li Zefan <lizefan@huawei.com>
26097 Cc: stable@vger.kernel.org
26098 Signed-off-by: David S. Miller <davem@davemloft.net>
26099
26100 drivers/net/wan/dlci.c | 14 +++++++++-----
26101 1 files changed, 9 insertions(+), 5 deletions(-)
26102
26103commit 1fe6f23c9acd14d832d056909ff326bde418e645
26104Author: Zefan Li <lizefan@huawei.com>
26105Date: Wed Jun 26 15:31:58 2013 +0800
26106
26107 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
26108
26109 dlci: validate the net device in dlci_del()
26110
26111 We triggered an oops while running trinity with 3.4 kernel:
26112
26113 BUG: unable to handle kernel paging request at 0000000100000d07
26114 IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
26115 PGD 640c0d067 PUD 0
26116 Oops: 0000 [#1] PREEMPT SMP
26117 CPU 3
26118 ...
26119 Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
26120 RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
26121 ...
26122 Call Trace:
26123 [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
26124 [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
26125 [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
26126 [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
26127 [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
26128 ...
26129
26130 It's because the net device is not a dlci device.
26131
26132 Reported-by: Li Jinyue <lijinyue@huawei.com>
26133 Signed-off-by: Li Zefan <lizefan@huawei.com>
26134 Cc: stable@vger.kernel.org
26135 Signed-off-by: David S. Miller <davem@davemloft.net>
26136
26137 drivers/net/wan/dlci.c | 12 ++++++++++++
26138 1 files changed, 12 insertions(+), 0 deletions(-)
26139
26140commit 4d4464407611527ef6b6b5475cfcab6121b3da66
26141Merge: 59571a9 963af7f
26142Author: Brad Spengler <spender@grsecurity.net>
26143Date: Thu Jun 27 18:54:52 2013 -0400
26144
26145 Merge branch 'pax-test' into grsec-test
26146
26147commit 963af7f7f591759b731ce6325ceb583a72fcf423
26148Merge: c51e25a 55db48a
26149Author: Brad Spengler <spender@grsecurity.net>
26150Date: Thu Jun 27 18:54:42 2013 -0400
26151
26152 Merge branch 'linux-3.9.y' into pax-test
26153
26154commit 59571a9db7485f530a1e865a13cacc4c991ec41f
26155Author: Brad Spengler <spender@grsecurity.net>
26156Date: Wed Jun 26 18:39:08 2013 -0400
26157
26158 From: Mathias Krause <minipli@googlemail.com>
26159 To: Steffen Klassert <steffen.klassert@secunet.com>,
26160 "David S. Miller" <davem@davemloft.net>
26161 Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
26162 Herbert Xu <herbert@gondor.apana.org.au>
26163 Subject: [PATCH] af_key: fix info leaks in notify messages
26164
26165 key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
26166 the sadb_msg_reserved member of the broadcasted message and thereby
26167 leak 2 bytes of heap memory to listeners. Fix that.
26168
26169 Signed-off-by: Mathias Krause <minipli@googlemail.com>
26170 Cc: Steffen Klassert <steffen.klassert@secunet.com>
26171 Cc: "David S. Miller" <davem@davemloft.net>
26172 Cc: Herbert Xu <herbert@gondor.apana.org.au>
26173
26174 net/key/af_key.c | 2 ++
26175 1 files changed, 2 insertions(+), 0 deletions(-)
26176
26177commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
26178Author: Brad Spengler <spender@grsecurity.net>
26179Date: Wed Jun 26 18:33:06 2013 -0400
26180
26181 update rand_threadstack code to continue the search for a gap if the first
26182 choice doesn't have enough space, instead of returning ENOMEM
26183
26184 mm/mmap.c | 17 ++++++++++-------
26185 1 files changed, 10 insertions(+), 7 deletions(-)
26186
26187commit 87020d4a4d83038d65ff1fd519938840f6888b9e
26188Merge: 2682346 c51e25a
26189Author: Brad Spengler <spender@grsecurity.net>
26190Date: Wed Jun 26 18:25:32 2013 -0400
26191
26192 Merge branch 'pax-test' into grsec-test
26193
26194commit c51e25a23f30a1198076bd085f19b2073caf164d
26195Author: Brad Spengler <spender@grsecurity.net>
26196Date: Wed Jun 26 18:24:54 2013 -0400
26197
26198 Update to pax-linux-3.9.7-test12.patch:
26199 - fixed a regression on PARAVIRT/amd64 kernels
26200 - simplified the recent vm_unmapped_area_info based change
26201
26202 arch/x86/kernel/entry_64.S | 8 ++++----
26203 mm/mmap.c | 22 ++++++++++++----------
26204 2 files changed, 16 insertions(+), 14 deletions(-)
26205
26206commit 26823469a08e59cb67bea18d448d9e8c65f82e08
26207Author: Brad Spengler <spender@grsecurity.net>
26208Date: Tue Jun 25 21:26:51 2013 -0400
26209
26210 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
26211 vm_unmapped_area code is complete
26212
26213 arch/x86/kernel/sys_i386_32.c | 5 +++++
26214 grsecurity/Kconfig | 2 +-
26215 mm/mmap.c | 11 ++++++++++-
26216 3 files changed, 16 insertions(+), 2 deletions(-)
26217
26218commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
26219Merge: e58fe8c c4e0704
26220Author: Brad Spengler <spender@grsecurity.net>
26221Date: Tue Jun 25 19:08:52 2013 -0400
26222
26223 Merge branch 'pax-test' into grsec-test
26224
26225 Conflicts:
26226 arch/x86/kernel/sys_i386_32.c
26227
26228commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
26229Author: Brad Spengler <spender@grsecurity.net>
26230Date: Tue Jun 25 19:05:39 2013 -0400
26231
26232 Update to pax-linux-3.9.7-test11.patch:
26233 - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
26234 - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
26235 - fixed the recent nested nmi related fixes some more
26236 - fixed a regression in kernel memory initialization on relocatable i386 kernels
26237 - empty_zero_page can be read-only on amd64 as well
26238
26239 arch/arm/mm/mmap.c | 6 --
26240 arch/x86/kernel/entry_64.S | 8 +--
26241 arch/x86/kernel/head_64.S | 1 -
26242 arch/x86/kernel/setup.c | 2 +-
26243 arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++----------------------------
26244 drivers/lguest/core.c | 2 +-
26245 include/linux/mm.h | 6 +-
26246 include/linux/vmalloc.h | 2 +-
26247 mm/mmap.c | 30 +++++++-
26248 9 files changed, 83 insertions(+), 134 deletions(-)
26249
26250commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
26251Author: Brad Spengler <spender@grsecurity.net>
26252Date: Sun Jun 23 14:37:14 2013 -0400
26253
26254 second compile fix, reported by forsaken on forums
26255
26256 include/linux/vmalloc.h | 2 +-
26257 1 files changed, 1 insertions(+), 1 deletions(-)
26258
26259commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
26260Author: Brad Spengler <spender@grsecurity.net>
26261Date: Sun Jun 23 14:36:35 2013 -0400
26262
26263 compile fix, reported by KDE on forums
26264
26265 kernel/printk.c | 7 -------
26266 1 files changed, 0 insertions(+), 7 deletions(-)
26267
26268commit 1fc9a5e2e267205d28302e1e86ca0da434561111
26269Author: Ben Hutchings <ben@decadent.org.uk>
26270Date: Sun Jun 16 21:27:12 2013 +0100
26271
26272 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
26273
26274 x86/efi: Fix dummy variable buffer allocation
26275
26276 1. Check for allocation failure
26277 2. Clear the buffer contents, as they may actually be written to flash
26278 3. Don't leak the buffer
26279
26280 Compile-tested only.
26281
26282 [ Tested successfully on my buggy ASUS machine - Matt ]
26283
26284 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
26285 Cc: stable@vger.kernel.org
26286 Signed-off-by: Matt Fleming <matt.fleming@intel.com>
26287
26288 arch/x86/platform/efi/efi.c | 7 ++++++-
26289 1 files changed, 6 insertions(+), 1 deletions(-)
26290
26291commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
26292Author: Dave Kleikamp <dave.kleikamp@oracle.com>
26293Date: Tue Jun 18 09:05:36 2013 -0500
26294
26295 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
26296
26297 sparc: tsb must be flushed before tlb
26298
26299 This fixes a race where a cpu may re-load a tlb from a stale tsb right
26300 after it has been flushed by a remote function call.
26301
26302 I still see some instability when stressing the system with parallel
26303 kernel builds while creating memory pressure by writing to
26304 /proc/sys/vm/nr_hugepages, but this patch improves the stability
26305 significantly.
26306
26307 Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
26308 Acked-by: Bob Picco <bob.picco@oracle.com>
26309 Signed-off-by: David S. Miller <davem@davemloft.net>
26310
26311 arch/sparc/mm/tlb.c | 2 +-
26312 1 files changed, 1 insertions(+), 1 deletions(-)
26313
26314commit d93b62f6485db9aadda34322a6867868db07f56f
26315Merge: 4ef62f5 71d83e9
26316Author: Brad Spengler <spender@grsecurity.net>
26317Date: Fri Jun 21 16:52:55 2013 -0400
26318
26319 Merge branch 'pax-test' into grsec-test
26320
26321 Conflicts:
26322 security/Kconfig
26323
26324commit 71d83e97c936563913bcfb5a25c45b2021a331eb
26325Author: Brad Spengler <spender@grsecurity.net>
26326Date: Fri Jun 21 16:48:42 2013 -0400
26327
26328 Update to pax-linux-3.9.7-test10.patch:
26329 - fixed a few format string problems uncovered by -Wformat-nonliteral
26330 - another attempt at fixing the nested nmi/cr0.wp problem
26331 - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
26332 - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
26333 - fixed a locking issue with track_exec_limit reported by spender
26334 - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)
26335
26336 Documentation/dontdiff | 1 +
26337 arch/x86/boot/compressed/efi_stub_32.S | 16 ++-----
26338 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
26339 arch/x86/kernel/e820.c | 4 +-
26340 arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------
26341 arch/x86/kernel/vmlinux.lds.S | 2 +-
26342 block/genhd.c | 11 +++--
26343 crypto/algapi.c | 2 +-
26344 crypto/pcrypt.c | 6 +-
26345 drivers/base/attribute_container.c | 2 +-
26346 drivers/base/power/sysfs.c | 2 +-
26347 drivers/block/nbd.c | 2 +-
26348 drivers/cdrom/cdrom.c | 2 +-
26349 drivers/char/hw_random/intel-rng.c | 2 +-
26350 drivers/char/mem.c | 2 +-
26351 drivers/devfreq/devfreq.c | 2 +-
26352 drivers/gpu/drm/drm_encoder_slave.c | 6 +--
26353 drivers/gpu/drm/drm_sysfs.c | 2 +-
26354 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
26355 drivers/iommu/irq_remapping.c | 2 +-
26356 drivers/video/output.c | 2 +-
26357 fs/ext4/mmp.c | 2 +-
26358 fs/ext4/super.c | 2 +-
26359 fs/lockd/svc.c | 2 +-
26360 fs/nfs/callback.c | 4 +-
26361 fs/nfs/nfs4state.c | 2 +-
26362 fs/nfsd/nfscache.c | 3 +-
26363 init/initramfs.c | 2 +-
26364 kernel/rcutree.c | 2 +-
26365 lib/kobject.c | 2 +-
26366 mm/backing-dev.c | 4 +-
26367 mm/mmap.c | 4 +-
26368 mm/slub.c | 2 +-
26369 mm/vmalloc.c | 15 +++----
26370 net/bluetooth/hci_core.c | 8 ++--
26371 net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
26372 net/sunrpc/svc.c | 2 +-
26373 security/Kconfig | 15 +++---
26374 sound/core/sound.c | 2 +-
26375 sound/sound_core.c | 2 +-
26376 40 files changed, 116 insertions(+), 111 deletions(-)
26377
26378commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
26379Merge: 39efd8f 256eff7
26380Author: Brad Spengler <spender@grsecurity.net>
26381Date: Fri Jun 21 16:45:15 2013 -0400
26382
26383 Merge branch 'pax-test' into grsec-test
26384
26385 Conflicts:
26386 kernel/printk.c
26387
26388commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
26389Merge: e6e3059 485f25f
26390Author: Brad Spengler <spender@grsecurity.net>
26391Date: Thu Jun 20 22:14:24 2013 -0400
26392
26393 Merge branch 'linux-3.9.y' into pax-test
26394
26395commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
26396Author: Brad Spengler <spender@grsecurity.net>
26397Date: Tue Jun 18 17:20:18 2013 -0400
26398
26399 add apparmor compat patch
26400
26401 security/apparmor/Kconfig | 9 ++
26402 security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
26403 2 files changed, 240 insertions(+), 0 deletions(-)
26404
26405commit 49bee3c5341687504669bf62becf4a419a226ba0
26406Author: Brad Spengler <spender@grsecurity.net>
26407Date: Mon Jun 17 18:48:04 2013 -0400
26408
26409 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
26410
26411 This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.
26412
26413 kernel/sys.c | 29 +++--------------------------
26414 1 files changed, 3 insertions(+), 26 deletions(-)
26415
26416commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
26417Author: Al Viro <viro@ZenIV.linux.org.uk>
26418Date: Sun Jun 16 18:06:06 2013 +0100
26419
26420 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
26421
26422 lseek(fd, n, SEEK_END) does *not* go to eof - n
26423
26424 When you copy some code, you are supposed to read it. If nothing else,
26425 there's a chance to spot and fix an obvious bug instead of sharing it...
26426
26427 X-Song: "I Got It From Agnes", by Tom Lehrer
26428 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
26429 [ Tom Lehrer? You're dating yourself, Al ]
26430 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
26431
26432 drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
26433 drivers/scsi/bfa/bfad_debugfs.c | 2 +-
26434 drivers/scsi/fnic/fnic_debugfs.c | 2 +-
26435 drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
26436 4 files changed, 4 insertions(+), 4 deletions(-)
26437
26438commit 5a450f1c46f0c84379518aee878993d3f4a331b6
26439Author: Theodore Ts'o <tytso@mit.edu>
26440Date: Thu Jun 6 11:14:31 2013 -0400
26441
26442 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
26443
26444 ext4: verify group number in verify_group_input() before using it
26445
26446 Check the group number for sanity earilier, before calling routines
26447 such as ext4_bg_has_super() or ext4_group_overhead_blocks().
26448
26449 Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
26450 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
26451
26452 fs/ext4/resize.c | 17 +++++++++++------
26453 1 files changed, 11 insertions(+), 6 deletions(-)
26454
26455commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
26456Author: Neil Horman <nhorman@tuxdriver.com>
26457Date: Wed Jun 12 14:26:44 2013 -0400
26458
26459 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
26460
26461 sctp: fully initialize sctp_outq in sctp_outq_init
26462
26463 In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
26464 (refactor sctp_outq_teardown to insure proper re-initalization)
26465 we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
26466 outq structure. Steve West recently asked me why I removed the q->error = 0
26467 initalization from sctp_outq_teardown. I did so because I was operating under
26468 the impression that sctp_outq_init would properly initalize that value for us,
26469 but it doesn't. sctp_outq_init operates under the assumption that the outq
26470 struct is all 0's (as it is when called from sctp_association_init), but using
26471 it in __sctp_outq_teardown violates that assumption. We should do a memset in
26472 sctp_outq_init to ensure that the entire structure is in a known state there
26473 instead.
26474
26475 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
26476 Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
26477 CC: Vlad Yasevich <vyasevich@gmail.com>
26478 CC: netdev@vger.kernel.org
26479 CC: davem@davemloft.net
26480 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
26481 Signed-off-by: David S. Miller <davem@davemloft.net>
26482
26483 Conflicts:
26484
26485 net/sctp/outqueue.c
26486
26487 net/sctp/outqueue.c | 8 ++------
26488 1 files changed, 2 insertions(+), 6 deletions(-)
26489
26490commit e13515ad7a9c7634599a105b2527752e527a905d
26491Author: Saurabh Mohan <saurabh@vyatta.com>
26492Date: Mon Jun 10 17:45:10 2013 -0700
26493
26494 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
26495
26496 net/ipv4: ip_vti clear skb cb before tunneling.
26497
26498 If users apply shaper to vti tunnel then it will cause a kernel crash. The
26499 problem seems to be due to the vti_tunnel_xmit function not clearing
26500 skb->opt field before passing the packet to xfrm tunneling code.
26501
26502 Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
26503 Acked-by: Stephen Hemminger <stephen@networkplumber.org>
26504 Signed-off-by: David S. Miller <davem@davemloft.net>
26505
26506 net/ipv4/ip_vti.c | 3 +--
26507 1 files changed, 1 insertions(+), 2 deletions(-)
26508
26509commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
26510Author: Guillaume Nault <g.nault@alphalink.fr>
26511Date: Wed Jun 12 16:07:36 2013 +0200
26512
26513 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
26514
26515 l2tp: Fix sendmsg() return value
26516
26517 PPPoL2TP sockets should comply with the standard send*() return values
26518 (i.e. return number of bytes sent instead of 0 upon success).
26519
26520 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
26521 Signed-off-by: David S. Miller <davem@davemloft.net>
26522
26523 net/l2tp/l2tp_ppp.c | 2 +-
26524 1 files changed, 1 insertions(+), 1 deletions(-)
26525
26526commit af361b412e816e894fb42ddff7a0545b7def64c0
26527Author: Guillaume Nault <g.nault@alphalink.fr>
26528Date: Wed Jun 12 16:07:23 2013 +0200
26529
26530 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
26531
26532 l2tp: Fix PPP header erasure and memory leak
26533
26534 Copy user data after PPP framing header. This prevents erasure of the
26535 added PPP header and avoids leaking two bytes of uninitialised memory
26536 at the end of skb's data buffer.
26537
26538 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
26539 Signed-off-by: David S. Miller <davem@davemloft.net>
26540
26541 net/l2tp/l2tp_ppp.c | 4 ++--
26542 1 files changed, 2 insertions(+), 2 deletions(-)
26543
26544commit 1f43aca088c35dda35abf76e08544e534c71fed4
26545Author: Daniel Borkmann <dborkman@redhat.com>
26546Date: Wed Jun 12 16:02:27 2013 +0200
26547
26548 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
26549
26550 packet: packet_getname_spkt: make sure string is always 0-terminated
26551
26552 uaddr->sa_data is exactly of size 14, which is hard-coded here and
26553 passed as a size argument to strncpy(). A device name can be of size
26554 IFNAMSIZ (== 16), meaning we might leave the destination string
26555 unterminated. Thus, use strlcpy() and also sizeof() while we're
26556 at it. We need to memset the data area beforehand, since strlcpy
26557 does not padd the remaining buffer with zeroes for user space, so
26558 that we do not possibly leak anything.
26559
26560 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
26561 Signed-off-by: David S. Miller <davem@davemloft.net>
26562
26563 net/packet/af_packet.c | 5 ++---
26564 1 files changed, 2 insertions(+), 3 deletions(-)
26565
26566commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
26567Author: Andy Lutomirski <luto@amacapital.net>
26568Date: Wed Jun 5 19:38:26 2013 +0000
26569
26570 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
26571
26572 net: Unbreak compat_sys_{send,recv}msg
26573
26574 I broke them in this commit:
26575
26576 commit 1be374a0518a288147c6a7398792583200a67261
26577 Author: Andy Lutomirski <luto@amacapital.net>
26578 Date: Wed May 22 14:07:44 2013 -0700
26579
26580 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
26581
26582 This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
26583 MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It
26584 also reverts some unnecessary checks in sys_socketcall.
26585
26586 Apparently I was suffering from underscore blindness the first time around.
26587
26588 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
26589 Tested-by: Eric Dumazet <edumazet@google.com>
26590 Signed-off-by: David S. Miller <davem@davemloft.net>
26591
26592 include/linux/socket.h | 3 ++
26593 net/compat.c | 13 +++++++-
26594 net/socket.c | 72 ++++++++++++++++++++++--------------------------
26595 3 files changed, 47 insertions(+), 41 deletions(-)
26596
26597commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
26598Author: Andy Lutomirski <luto@amacapital.net>
26599Date: Wed May 22 14:07:44 2013 -0700
26600
26601 Upstream commit: 1be374a0518a288147c6a7398792583200a67261
26602
26603 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
26604
26605 To: linux-kernel@vger.kernel.org
26606 Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
26607 Miller" <davem@davemloft.net>
26608 Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
26609
26610 MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
26611 it's a hack that steals a bit to indicate to other networking code
26612 that a compat entry was used. So don't allow it from a non-compat
26613 syscall.
26614
26615 This prevents an oops when running this code:
26616
26617 int main()
26618 {
26619 int s;
26620 struct sockaddr_in addr;
26621 struct msghdr *hdr;
26622
26623 char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
26624 PROT_READ | PROT_WRITE,
26625 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
26626 if (highpage == MAP_FAILED)
26627 err(1, "mmap");
26628
26629 s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
26630 if (s == -1)
26631 err(1, "socket");
26632
26633 addr.sin_family = AF_INET;
26634 addr.sin_port = htons(1);
26635 addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
26636 if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
26637 err(1, "connect");
26638
26639 void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
26640 printf("Evil address is %p\n", evil);
26641
26642 if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
26643 err(1, "sendmmsg");
26644
26645 return 0;
26646 }
26647
26648 Cc: David S. Miller <davem@davemloft.net>
26649 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
26650 Signed-off-by: David S. Miller <davem@davemloft.net>
26651
26652 net/socket.c | 33 +++++++++++++++++++++++++++++++--
26653 1 files changed, 31 insertions(+), 2 deletions(-)
26654
26655commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
26656Author: Kees Cook <keescook@chromium.org>
26657Date: Fri May 10 14:48:21 2013 -0700
26658
26659 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
26660
26661 b43: stop format string leaking into error msgs
26662
26663 The module parameter "fwpostfix" is userspace controllable, unfiltered,
26664 and is used to define the firmware filename. b43_do_request_fw() populates
26665 ctx->errors[] on error, containing the firmware filename. b43err()
26666 parses its arguments as a format string. For systems with b43 hardware,
26667 this could lead to a uid-0 to ring-0 escalation.
26668
26669 CVE-2013-2852
26670
26671 Signed-off-by: Kees Cook <keescook@chromium.org>
26672 Cc: stable@vger.kernel.org
26673 Signed-off-by: John W. Linville <linville@tuxdriver.com>
26674
26675 drivers/net/wireless/b43/main.c | 2 +-
26676 1 files changed, 1 insertions(+), 1 deletions(-)
26677
26678commit dfb67a67049ace7b94ad7e2febfac69816d50d85
26679Author: Mark A. Greer <mgreer@animalcreek.com>
26680Date: Wed May 29 12:25:34 2013 -0700
26681
26682 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
26683
26684 mwifiex: debugfs: Fix out of bounds array access
26685
26686 When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
26687 the following panic occurs:
26688
26689 $ cat /sys/kernel/debug/mwifiex/p2p0/info
26690 Unable to handle kernel paging request at virtual address 74706164
26691 pgd = de530000
26692 [74706164] *pgd=00000000
26693 Internal error: Oops: 5 [#1] SMP ARM
26694 Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
26695 CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
26696 task: de16b6c0 ti: de048000 task.ti: de048000
26697 PC is at strnlen+0xc/0x4c
26698 LR is at string+0x3c/0xf8
26699 pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013
26700 sp : de049e10 ip : c06efba0 fp : de6d2092
26701 r10: bf01a260 r9 : ffffffff r8 : 74706164
26702 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000
26703 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164
26704 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
26705 Control: 10c5387d Table: 9e530019 DAC: 00000015
26706 Process cat (pid: 1635, stack limit = 0xde048240)
26707 Stack: (0xde049e10 to 0xde04a000)
26708 9e00: de6d2092 00000002 bf01a25e de6d209c
26709 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
26710 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
26711 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
26712 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
26713 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
26714 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
26715 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
26716 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
26717 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
26718 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
26719 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
26720 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
26721 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
26722 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
26723 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
26724 [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
26725 [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
26726 [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
26727 [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
26728 [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
26729 [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
26730 [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
26731 Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
26732 ---[ end trace ca98273dc605a04f ]---
26733
26734 The panic is caused by the mwifiex_info_read() routine assuming that
26735 there can only be four modes (0-3) which is an invalid assumption.
26736 For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
26737 code accesses data beyond the bounds of the bss_modes[] array which
26738 causes the panic. Fix this by updating bss_modes[] to support the
26739 current list of modes and adding a check to prevent the out-of-bounds
26740 access from occuring in the future when more modes are added.
26741
26742 Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
26743 Acked-by: Bing Zhao <bzhao@marvell.com>
26744 Signed-off-by: John W. Linville <linville@tuxdriver.com>
26745
26746 drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
26747 1 files changed, 17 insertions(+), 5 deletions(-)
26748
26749commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
26750Author: Johan Hedberg <johan.hedberg@intel.com>
26751Date: Tue May 28 13:46:30 2013 +0300
26752
26753 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
26754
26755 Bluetooth: Fix missing length checks for L2CAP signalling PDUs
26756
26757 There has been code in place to check that the L2CAP length header
26758 matches the amount of data received, but many PDU handlers have not been
26759 checking that the data received actually matches that expected by the
26760 specific PDU. This patch adds passing the length header to the specific
26761 handler functions and ensures that those functions fail cleanly in the
26762 case of an incorrect amount of data.
26763
26764 Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
26765 Cc: stable@vger.kernel.org
26766 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
26767 Signed-off-by: John W. Linville <linville@tuxdriver.com>
26768
26769 net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++-----------
26770 1 files changed, 52 insertions(+), 18 deletions(-)
26771
26772commit 628be2427afb241b5a1aa24bc5907d05287e1f25
26773Author: Dan Carpenter <dan.carpenter@oracle.com>
26774Date: Mon Jun 3 12:00:49 2013 +0300
26775
26776 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
26777
26778 ipvs: info leak in __ip_vs_get_dest_entries()
26779
26780 The entry struct has a 2 byte hole after ->port and another 4 byte
26781 hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your
26782 namespace to hit this information leak.
26783
26784 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
26785 Acked-by: Julian Anastasov <ja@ssi.bg>
26786 Signed-off-by: Simon Horman <horms@verge.net.au>
26787 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
26788
26789 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
26790 1 files changed, 1 insertions(+), 0 deletions(-)
26791
26792commit 066d9226bc6c569d5f420c978b758e0bddd23444
26793Author: Robin Holt <holt@sgi.com>
26794Date: Wed Jun 12 14:04:37 2013 -0700
26795
26796 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
26797
26798 reboot: rigrate shutdown/reboot to boot cpu
26799
26800 We recently noticed that reboot of a 1024 cpu machine takes approx 16
26801 minutes of just stopping the cpus. The slowdown was tracked to commit
26802 f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
26803 kernel_restart()").
26804
26805 The current implementation does all the work of hot removing the cpus
26806 before halting the system. We are switching to just migrating to the
26807 boot cpu and then continuing with shutdown/reboot.
26808
26809 This also has the effect of not breaking x86's command line parameter
26810 for specifying the reboot cpu. Note, this code was shamelessly copied
26811 from arch/x86/kernel/reboot.c with bits removed pertaining to the
26812 reboot_cpu command line parameter.
26813
26814 Signed-off-by: Robin Holt <holt@sgi.com>
26815 Tested-by: Shawn Guo <shawn.guo@linaro.org>
26816 Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
26817 Cc: H. Peter Anvin <hpa@zytor.com>
26818 Cc: Thomas Gleixner <tglx@linutronix.de>
26819 Cc: Ingo Molnar <mingo@elte.hu>
26820 Cc: Russ Anderson <rja@sgi.com>
26821 Cc: Robin Holt <holt@sgi.com>
26822 Cc: Russell King <linux@arm.linux.org.uk>
26823 Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
26824 Cc: <stable@vger.kernel.org>
26825 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
26826 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
26827
26828 kernel/sys.c | 29 ++++++++++++++++++++++++++---
26829 1 files changed, 26 insertions(+), 3 deletions(-)
26830
26831commit 94e2a91600b07d39825e7059195f35eb611a39a2
26832Merge: 20cc761 e6e3059
26833Author: Brad Spengler <spender@grsecurity.net>
26834Date: Thu Jun 13 16:23:46 2013 -0400
26835
26836 Merge branch 'pax-test' into grsec-test
26837
26838commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
26839Merge: c6aadb1 4b73feb
26840Author: Brad Spengler <spender@grsecurity.net>
26841Date: Thu Jun 13 16:23:39 2013 -0400
26842
26843 Merge branch 'linux-3.9.y' into pax-test
26844
26845commit 20cc7613e38cde07adc73179a91d6c15292e8d43
26846Author: Daniel Borkmann <dborkman@redhat.com>
26847Date: Thu Jun 6 15:53:47 2013 +0200
26848
26849 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
26850
26851 net: sctp: fix NULL pointer dereference in socket destruction
26852
26853 While stress testing sctp sockets, I hit the following panic:
26854
26855 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
26856 IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
26857 PGD 7cead067 PUD 7ce76067 PMD 0
26858 Oops: 0000 [#1] SMP
26859 Modules linked in: sctp(F) libcrc32c(F) [...]
26860 CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
26861 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
26862 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
26863 RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
26864 RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
26865 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
26866 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
26867 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
26868 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
26869 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
26870 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
26871 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
26872 CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
26873 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
26874 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
26875 Stack:
26876 ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
26877 ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
26878 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
26879 Call Trace:
26880 [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
26881 [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
26882 [<ffffffff814df36e>] inet_create+0x2ae/0x350
26883 [<ffffffff81455a6f>] __sock_create+0x11f/0x240
26884 [<ffffffff81455bf0>] sock_create+0x30/0x40
26885 [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
26886 [<ffffffff815403be>] ? do_page_fault+0xe/0x10
26887 [<ffffffff8153cb32>] ? page_fault+0x22/0x30
26888 [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
26889 Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
26890 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
26891 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
26892 RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
26893 RSP <ffff88007b569e08>
26894 CR2: 0000000000000020
26895 ---[ end trace e0d71ec1108c1dd9 ]---
26896
26897 I did not hit this with the lksctp-tools functional tests, but with a
26898 small, multi-threaded test program, that heavily allocates, binds,
26899 listens and waits in accept on sctp sockets, and then randomly kills
26900 some of them (no need for an actual client in this case to hit this).
26901 Then, again, allocating, binding, etc, and then killing child processes.
26902
26903 This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
26904 is set. The cause for that is actually very simple: in sctp_endpoint_init()
26905 we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
26906 our crypto transforms through crypto_alloc_hash(). In our scenario,
26907 it then can happen that crypto_alloc_hash() fails with -EINTR from
26908 crypto_larval_wait(), thus we bail out and release the socket via
26909 sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
26910 dereference as soon as we try to access members in the endpoint during
26911 sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
26912 if we have that case, we do not need to do any cleanup work and just
26913 leave the destruction handler.
26914
26915 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
26916 Acked-by: Neil Horman <nhorman@tuxdriver.com>
26917 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
26918 Signed-off-by: David S. Miller <davem@davemloft.net>
26919
26920 net/sctp/socket.c | 6 ++++++
26921 1 files changed, 6 insertions(+), 0 deletions(-)
26922
26923commit 386ba837978cc8a1111440bdcd8600f2df4634a4
26924Author: Brad Spengler <spender@grsecurity.net>
26925Date: Wed Jun 12 20:37:48 2013 -0400
26926
26927 fix deadlock when booting i386 kernel without NX
26928
26929 mm/mmap.c | 4 +++-
26930 1 files changed, 3 insertions(+), 1 deletions(-)
26931
26932commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
26933Author: Brad Spengler <spender@grsecurity.net>
26934Date: Tue Jun 11 22:18:07 2013 -0400
26935
26936 fix elif / elif defined() typo in recent change
26937
26938 kernel/events/core.c | 2 +-
26939 1 files changed, 1 insertions(+), 1 deletions(-)
26940
26941commit bc43377e1e757cd37a06be0187884a42af718aab
26942Merge: 3cdea63 c6aadb1
26943Author: Brad Spengler <spender@grsecurity.net>
26944Date: Tue Jun 11 18:50:39 2013 -0400
26945
26946 Merge branch 'pax-test' into grsec-test
26947
26948commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
26949Author: Brad Spengler <spender@grsecurity.net>
26950Date: Tue Jun 11 18:49:36 2013 -0400
26951
26952 Update to pax-linux-3.9.4-test9.patch:
26953 - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
26954 - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort
26955
26956 arch/x86/kernel/setup.c | 2 +-
26957 mm/mlock.c | 1 -
26958 2 files changed, 1 insertions(+), 2 deletions(-)
26959
26960commit 3cdea63e90607d8d55820b101854091623feedb8
26961Author: Brad Spengler <spender@grsecurity.net>
26962Date: Mon Jun 10 21:21:44 2013 -0400
26963
26964 Fix fanotify infoleak reported by Dan Carpenter at:
26965 https://lkml.org/lkml/2013/6/3/128
26966
26967 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets
26968
26969 fs/notify/fanotify/fanotify_user.c | 1 +
26970 1 files changed, 1 insertions(+), 0 deletions(-)
26971
26972commit 373a2b5df78f82b9d3db72bd6577e29a71591323
26973Author: Brad Spengler <spender@grsecurity.net>
26974Date: Mon Jun 10 21:16:46 2013 -0400
26975
26976 Backport infoleak fix by Dan Carpenter in cpqarray:
26977 https://lkml.org/lkml/2013/6/3/131
26978
26979 drivers/block/cpqarray.c | 1 +
26980 1 files changed, 1 insertions(+), 0 deletions(-)
26981
26982commit 251e84b9b05e063981b20be154c9389862f94759
26983Author: Brad Spengler <spender@grsecurity.net>
26984Date: Mon Jun 10 21:04:17 2013 -0400
26985
26986 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2
26987
26988 drivers/cdrom/cdrom.c | 4 ++--
26989 1 files changed, 2 insertions(+), 2 deletions(-)
26990
26991commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
26992Author: Brad Spengler <spender@grsecurity.net>
26993Date: Mon Jun 10 18:34:32 2013 -0400
26994
26995 change const to __read_only
26996
26997 kernel/sysctl.c | 18 +++++++++---------
26998 1 files changed, 9 insertions(+), 9 deletions(-)
26999
27000commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
27001Author: Brad Spengler <spender@grsecurity.net>
27002Date: Mon Jun 10 17:34:13 2013 -0400
27003
27004 compile fix, make const values const
27005
27006 kernel/sysctl.c | 18 +++++++++---------
27007 1 files changed, 9 insertions(+), 9 deletions(-)
27008
27009commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
27010Author: Brad Spengler <spender@grsecurity.net>
27011Date: Mon Jun 10 17:37:13 2013 -0400
27012
27013 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a
27014
27015 drivers/char/mwave/tp3780i.c | 1 +
27016 1 files changed, 1 insertions(+), 0 deletions(-)
27017
27018commit 1c590aa70c95ebd76ba9672aa23d800b81780615
27019Author: Brad Spengler <spender@grsecurity.net>
27020Date: Sun Jun 9 19:50:35 2013 -0400
27021
27022 allow -1 perf_event_paranoid
27023
27024 kernel/sysctl.c | 2 +-
27025 1 files changed, 1 insertions(+), 1 deletions(-)
27026
27027commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
27028Merge: 4e85539 117c3fa
27029Author: Brad Spengler <spender@grsecurity.net>
27030Date: Sun Jun 9 17:30:12 2013 -0400
27031
27032 Merge branch 'pax-test' into grsec-test
27033
27034commit 117c3fa8d26c3806103123560f807d99071b60b6
27035Merge: ed9b427 5dd2e98
27036Author: Brad Spengler <spender@grsecurity.net>
27037Date: Sun Jun 9 17:30:00 2013 -0400
27038
27039 Merge branch 'linux-3.9.y' into pax-test
27040
27041commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
27042Author: Eric Dumazet <edumazet@google.com>
27043Date: Mon May 13 21:25:52 2013 +0000
27044
27045 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
27046
27047 tcp: fix tcp_md5_hash_skb_data()
27048
27049 TCP md5 communications fail [1] for some devices, because sg/crypto code
27050 assume page offsets are below PAGE_SIZE.
27051
27052 This was discovered using mlx4 driver [2], but I suspect loopback
27053 might trigger the same bug now we use order-3 pages in tcp_sendmsg()
27054
27055 [1] Failure is giving following messages.
27056
27057 huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
27058 exited with 00000101?
27059
27060 [2] mlx4 driver uses order-2 pages to allocate RX frags
27061
27062 Reported-by: Matt Schnall <mischnal@google.com>
27063 Signed-off-by: Eric Dumazet <edumazet@google.com>
27064 Cc: Bernhard Beck <bbeck@google.com>
27065 Signed-off-by: David S. Miller <davem@davemloft.net>
27066
27067 net/ipv4/tcp.c | 7 +++++--
27068 1 files changed, 5 insertions(+), 2 deletions(-)
27069
27070commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
27071Author: Eric Dumazet <edumazet@google.com>
27072Date: Fri May 17 04:53:13 2013 +0000
27073
27074 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
27075
27076 ipv6: fix possible crashes in ip6_cork_release()
27077
27078 commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
27079 added some code duplication and bad error recovery, leading to potential
27080 crash in ip6_cork_release() as kfree() could be called with garbage.
27081
27082 use kzalloc() to make sure this wont happen.
27083
27084 Signed-off-by: Eric Dumazet <edumazet@google.com>
27085 Signed-off-by: David S. Miller <davem@davemloft.net>
27086 Cc: Herbert Xu <herbert@gondor.apana.org.au>
27087 Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
27088 Cc: Neal Cardwell <ncardwell@google.com>
27089
27090 net/ipv6/ip6_output.c | 2 +-
27091 1 files changed, 1 insertions(+), 1 deletions(-)
27092
27093commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
27094Author: Chen Gang <gang.chen@asianux.com>
27095Date: Thu May 16 23:13:04 2013 +0000
27096
27097 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
27098
27099 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
27100
27101 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
27102 strncpy() will always left the last byte of 'discovery->data.info'
27103 uninitialized.
27104
27105 When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
27106 the last byte of 'discovery->data.info' uninitialized, the next
27107 strlen() will cause issue.
27108
27109 Also 'discovery->data' is 'struct irda_device_info' which defined in
27110 "include/uapi/...", it may copy to user mode, so need whole initialized.
27111
27112 All together, need use kzalloc() instead of kmalloc() to initialize all
27113 members firstly.
27114
27115 Signed-off-by: Chen Gang <gang.chen@asianux.com>
27116 Signed-off-by: David S. Miller <davem@davemloft.net>
27117
27118 net/irda/irlap_frame.c | 2 +-
27119 1 files changed, 1 insertions(+), 1 deletions(-)
27120
27121commit c01c9af268cb066f240aec53454b8b74d8d01688
27122Author: Dan Carpenter <dan.carpenter@oracle.com>
27123Date: Sun May 19 08:36:36 2013 +0000
27124
27125 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
27126
27127 isdn/kcapi: fix a small underflow
27128
27129 In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
27130 from skb->data. The current code can underflow to one space before the
27131 start of the array.
27132
27133 The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
27134 it to match the others.
27135
27136 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
27137 Signed-off-by: David S. Miller <davem@davemloft.net>
27138
27139 drivers/isdn/capi/kcapi.c | 6 +++---
27140 1 files changed, 3 insertions(+), 3 deletions(-)
27141
27142commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
27143Author: Timo Teräs <timo.teras@iki.fi>
27144Date: Wed May 22 01:40:47 2013 +0000
27145
27146 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
27147
27148 xfrm: properly handle invalid states as an error
27149
27150 The error exit path needs err explicitly set. Otherwise it
27151 returns success and the only caller, xfrm_output_resume(),
27152 would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
27153 NULL.
27154
27155 Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
27156 check and add a statistic).
27157
27158 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
27159 Cc: Li RongQing <roy.qing.li@gmail.com>
27160 Cc: Steffen Klassert <steffen.klassert@secunet.com>
27161 Signed-off-by: David S. Miller <davem@davemloft.net>
27162
27163 net/xfrm/xfrm_output.c | 1 +
27164 1 files changed, 1 insertions(+), 0 deletions(-)
27165
27166commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
27167Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
27168Date: Fri May 31 15:07:52 2013 -0400
27169
27170 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
27171
27172 reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
27173
27174 After sleeping for filldir(), we check to see if the file system has
27175 changed and research. The next_pos pointer is updated but its value
27176 isn't pushed into the key used for the search itself. As a result,
27177 the search returns the same item that the last cycle of the loop did
27178 and filldir() is called multiple times with the same data.
27179
27180 The end result is that the buffer can contain the same name multiple
27181 times. This can be returned to userspace or used internally in the
27182 xattr code where it can manifest with the following warning:
27183
27184 jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
27185
27186 reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
27187 the xattr names and ends up trying to unlink the same name twice. The
27188 second attempt fails with -ENOENT and the error is returned. At some
27189 point I'll need to add support into reiserfsck to remove the orphaned
27190 directories left behind when this occurs.
27191
27192 The fix is to push the value into the key before researching.
27193
27194 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
27195 Signed-off-by: Jan Kara <jack@suse.cz>
27196
27197 fs/reiserfs/dir.c | 2 ++
27198 1 files changed, 2 insertions(+), 0 deletions(-)
27199
27200commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
27201Author: Jeff Mahoney <jeffm@suse.com>
27202Date: Fri May 31 15:51:17 2013 -0400
27203
27204 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
27205
27206 reiserfs: fix deadlock with nfs racing on create/lookup
27207
27208 Reiserfs is currently able to be deadlocked by having two NFS clients
27209 where one has removed and recreated a file and another is accessing the
27210 file with an open file handle.
27211
27212 If one client deletes and recreates a file with timing such that the
27213 recreated file obtains the same [dirid, objectid] pair as the original
27214 file while another client accesses the file via file handle, the create
27215 and lookup can race and deadlock if the lookup manages to create the
27216 in-memory inode first.
27217
27218 The create thread, in insert_inode_locked4, will hold the write lock
27219 while waiting on the other inode to be unlocked. The lookup thread,
27220 anywhere in the iget path, will release and reacquire the write lock while
27221 it schedules. If it needs to reacquire the lock while the create thread
27222 has it, it will never be able to make forward progress because it needs
27223 to reacquire the lock before ultimately unlocking the inode.
27224
27225 This patch drops the write lock across the insert_inode_locked4 call so
27226 that the ordering of inode_wait -> write lock is retained. Since this
27227 would have been the case before the BKL push-down, this is safe.
27228
27229 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
27230 Signed-off-by: Jan Kara <jack@suse.cz>
27231
27232 fs/reiserfs/inode.c | 9 +++++++--
27233 1 files changed, 7 insertions(+), 2 deletions(-)
27234
27235commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
27236Author: Jeff Mahoney <jeffm@suse.com>
27237Date: Fri May 31 15:54:17 2013 -0400
27238
27239 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
27240
27241 reiserfs: fix problems with chowning setuid file w/ xattrs
27242
27243 reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
27244 and uses it to iterate over all the attrs associated with a file to change
27245 ownership of xattrs (and transfer quota associated with the xattr files).
27246
27247 When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
27248 are passed to all the xattrs as well. This means that the xattr directory
27249 will have S_IFREG added to its mode bits.
27250
27251 This has been prevented in practice by a missing IS_PRIVATE check
27252 in reiserfs_acl_chmod, which caused a double-lock to occur while holding
27253 the write lock. Since the file system was completely locked up, the
27254 writeout of the corrupted mode never happened.
27255
27256 This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
27257 calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
27258
27259 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
27260 Signed-off-by: Jan Kara <jack@suse.cz>
27261
27262 fs/reiserfs/xattr.c | 14 +++++++++++++-
27263 fs/reiserfs/xattr_acl.c | 3 +++
27264 2 files changed, 16 insertions(+), 1 deletions(-)
27265
27266commit c18cef940310c06bdf86d64d8cb227e56e165300
27267Author: Dave Chinner <dchinner@redhat.com>
27268Date: Mon May 27 16:38:25 2013 +1000
27269
27270 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
27271
27272 xfs: kill suid/sgid through the truncate path.
27273
27274 XFS has failed to kill suid/sgid bits correctly when truncating
27275 files of non-zero size since commit c4ed4243 ("xfs: split
27276 xfs_setattr") introduced in the 3.1 kernel. Fix it.
27277
27278 Fix it.
27279
27280 cc: stable kernel <stable@vger.kernel.org>
27281 Signed-off-by: Dave Chinner <dchinner@redhat.com>
27282 Reviewed-by: Brian Foster <bfoster@redhat.com>
27283 Signed-off-by: Ben Myers <bpm@sgi.com>
27284
27285 (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)
27286
27287 fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
27288 1 files changed, 32 insertions(+), 15 deletions(-)
27289
27290commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
27291Author: Trond Myklebust <Trond.Myklebust@netapp.com>
27292Date: Wed May 29 15:36:40 2013 -0400
27293
27294 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
27295
27296 NFSv4: Fix a thinko in nfs4_try_open_cached
27297
27298 We need to pass the full open mode flags to nfs_may_open() when doing
27299 a delegated open.
27300
27301 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
27302 Cc: stable@vger.kernel.org
27303
27304 fs/nfs/nfs4proc.c | 2 +-
27305 1 files changed, 1 insertions(+), 1 deletions(-)
27306
27307commit c47de62893a9f269be0a272c2840aac1e2a35c68
27308Author: Chen Gang <gang.chen@asianux.com>
27309Date: Thu May 30 01:18:43 2013 +0000
27310
27311 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
27312
27313 parisc: kernel: using strlcpy() instead of strcpy()
27314
27315 'boot_args' is an input args, and 'boot_command_line' has a fix length.
27316 So use strlcpy() instead of strcpy() to avoid memory overflow.
27317
27318 Signed-off-by: Chen Gang <gang.chen@asianux.com>
27319 Acked-by: Kyle McMartin <kyle@mcmartin.ca>
27320 Signed-off-by: Helge Deller <deller@gmx.de>
27321
27322 arch/parisc/kernel/setup.c | 3 ++-
27323 1 files changed, 2 insertions(+), 1 deletions(-)
27324
27325commit ce869e6f799f95fcac340420ba3612503df80dbf
27326Author: Chen Gang <gang.chen@asianux.com>
27327Date: Mon May 27 04:57:09 2013 +0000
27328
27329 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
27330
27331 parisc: memory overflow, 'name' length is too short for using
27332
27333 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
27334 * "%u:" + "%u" + '\0') may be 21.
27335
27336 Since 'name' length is 20, it may be memory overflow.
27337
27338 And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
27339 max length of 'name' must be less than 28.
27340
27341 So simplify thinking, we can use 28 instead of 20 directly, and do not
27342 think of whether 'patchc.bc[i]' can '> 100'.
27343
27344 Signed-off-by: Chen Gang <gang.chen@asianux.com>
27345 Signed-off-by: Helge Deller <deller@gmx.de>
27346
27347 arch/parisc/kernel/drivers.c | 2 +-
27348 1 files changed, 1 insertions(+), 1 deletions(-)
27349
27350commit 5dc65cd34d442783118a17c518e2daedb90a31d0
27351Author: Brad Spengler <spender@grsecurity.net>
27352Date: Tue Jun 4 17:52:23 2013 -0400
27353
27354 add PERF_HARDEN recommendation
27355
27356 grsecurity/Kconfig | 3 +++
27357 1 files changed, 3 insertions(+), 0 deletions(-)
27358
27359commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
27360Author: Brad Spengler <spender@grsecurity.net>
27361Date: Tue Jun 4 17:22:44 2013 -0400
27362
27363 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN
27364
27365 grsecurity/Kconfig | 19 +++++++++++++++++++
27366 include/linux/perf_event.h | 5 +++++
27367 kernel/events/core.c | 10 +++++++++-
27368 kernel/sysctl.c | 9 ++++++++-
27369 4 files changed, 41 insertions(+), 2 deletions(-)
27370
27371commit 84619a3501fd38285a72d9e963f58d1827beedd6
27372Author: Brad Spengler <spender@grsecurity.net>
27373Date: Sat Jun 1 14:23:31 2013 -0400
27374
27375 remove user-triggerable BUG_ON in do_munlockall()
27376
27377 mm/mlock.c | 1 -
27378 1 files changed, 0 insertions(+), 1 deletions(-)
27379
27380commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
27381Author: Brad Spengler <spender@grsecurity.net>
27382Date: Sat Jun 1 13:44:05 2013 -0400
27383
27384 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
27385
27386 From: Kees Cook <keescook@chromium.org>
27387 Date: Thu, 23 May 2013 17:32:17 +0000
27388 Subject: iscsi-target: fix heap buffer overflow on error
27389
27390 If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
27391 error response packet, generated by iscsi_add_notunderstood_response(),
27392 would still attempt to copy the entire key into the packet, overflowing
27393 the structure on the heap.
27394
27395 Remote preauthentication kernel memory corruption was possible if a
27396 target was configured and listening on the network.
27397
27398 CVE-2013-2850
27399
27400 Embargo-screwup-by: Kees Cook <keescook@chromium.org>
27401 Cc: stable@vger.kernel.org
27402 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
27403
27404 drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
27405 drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
27406 2 files changed, 6 insertions(+), 6 deletions(-)
27407
27408commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
27409Author: Brad Spengler <spender@grsecurity.net>
27410Date: Sat Jun 1 13:43:26 2013 -0400
27411
27412 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
27413 Applying upstream fix instead
27414
27415 This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.
27416
27417 drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
27418 1 files changed, 3 insertions(+), 2 deletions(-)
27419
27420commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
27421Author: Dan Carpenter <dan.carpenter@oracle.com>
27422Date: Sun May 19 21:52:20 2013 +0300
27423
27424 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
27425
27426 USB: cxacru: potential underflow in cxacru_cm_get_array()
27427
27428 commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
27429
27430 The value of "offd" comes off the instance->rcv_buf[] and we used it as
27431 the offset into an array. The problem is that we check the upper bound
27432 but not for negative values.
27433
27434 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
27435 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
27436 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
27437
27438 drivers/usb/atm/cxacru.c | 3 ++-
27439 1 files changed, 2 insertions(+), 1 deletions(-)
27440
27441commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
27442Author: Brad Spengler <spender@grsecurity.net>
27443Date: Sat Jun 1 11:30:17 2013 -0400
27444
27445 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters
27446
27447 drivers/target/iscsi/iscsi_target_parameters.c | 5 ++---
27448 1 files changed, 2 insertions(+), 3 deletions(-)
27449
27450commit 8578566969d91678a3d7d5251b4eafc6d7775314
27451Author: Brad Spengler <spender@grsecurity.net>
27452Date: Thu May 30 17:44:15 2013 -0400
27453
27454 Apply compatibility fix to previous RLIMIT_NPROC change
27455 don't enforce the rlimit check at exec time if the user is root
27456 Prevents problems with sudo if root is listed as part of a group
27457 in limits.conf with process limits enforced
27458
27459 kernel/sys.c | 2 +-
27460 1 files changed, 1 insertions(+), 1 deletions(-)
27461
27462commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
27463Merge: 643b294 ed9b427
27464Author: Brad Spengler <spender@grsecurity.net>
27465Date: Wed May 29 19:19:28 2013 -0400
27466
27467 Merge branch 'pax-test' into grsec-test
27468
27469commit ed9b4276488528d0c3803df1dc0df804238241e0
27470Author: Brad Spengler <spender@grsecurity.net>
27471Date: Wed May 29 19:18:45 2013 -0400
27472
27473 Updated to pax-linux-3.9.4-test8.patch:
27474 - fixed some fallout detected by the checker plugin
27475
27476 arch/x86/kernel/crash_dump_64.c | 2 +-
27477 drivers/base/devtmpfs.c | 6 +++---
27478 drivers/char/agp/compat_ioctl.c | 2 +-
27479 drivers/char/agp/frontend.c | 2 +-
27480 drivers/char/mem.c | 2 +-
27481 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++--
27482 drivers/i2c/i2c-dev.c | 2 +-
27483 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++---
27484 drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++--------
27485 fs/9p/vfs_addr.c | 2 +-
27486 fs/binfmt_elf.c | 4 ++--
27487 fs/compat_ioctl.c | 4 ++--
27488 fs/exec.c | 2 +-
27489 fs/namespace.c | 8 ++++----
27490 fs/proc/vmcore.c | 12 ++++++++----
27491 fs/read_write.c | 2 +-
27492 include/linux/syscalls.h | 8 ++++----
27493 init/do_mounts_initrd.c | 8 ++++----
27494 init/main.c | 4 ++--
27495 kernel/events/core.c | 2 +-
27496 kernel/events/internal.h | 10 +++++-----
27497 mm/page_io.c | 2 +-
27498 security/keys/internal.h | 2 +-
27499 tools/gcc/checker_plugin.c | 1 +
27500 24 files changed, 63 insertions(+), 54 deletions(-)
27501
27502commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
27503Author: Brad Spengler <spender@grsecurity.net>
27504Date: Wed May 29 18:51:31 2013 -0400
27505
27506 eliminate gcc warning
27507
27508 fs/exec.c | 4 ++--
27509 1 files changed, 2 insertions(+), 2 deletions(-)
27510
27511commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
27512Author: Brad Spengler <spender@grsecurity.net>
27513Date: Wed May 29 18:30:20 2013 -0400
27514
27515 use BUILD_BUG() instead of BUILD_BUG_ON(1)
27516
27517 arch/x86/net/bpf_jit_comp.c | 4 ++--
27518 1 files changed, 2 insertions(+), 2 deletions(-)
27519
27520commit 5343410354267368e5809f3ad8d9a264f141be18
27521Author: Brad Spengler <spender@grsecurity.net>
27522Date: Wed May 29 17:57:41 2013 -0400
27523
27524 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
27525 for unknown opcodes
27526
27527 arch/x86/net/bpf_jit_comp.c | 11 +++++++----
27528 1 files changed, 7 insertions(+), 4 deletions(-)
27529
27530commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
27531Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
27532Date: Fri May 24 15:55:11 2013 -0700
27533
27534 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
27535
27536 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
27537
27538 Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
27539 multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
27540 fix freed page still mapped in secondary MMU").
27541
27542 Since hlist_for_each_entry_rcu() is changed now, we can not revert that
27543 patch directly, so this patch reverts the commit and simply fix the bug
27544 spotted by that patch
27545
27546 This bug spotted by commit 751efd8610d3 is:
27547
27548 There is a race condition between mmu_notifier_unregister() and
27549 __mmu_notifier_release().
27550
27551 Assume two tasks, one calling mmu_notifier_unregister() as a result
27552 of a filp_close() ->flush() callout (task A), and the other calling
27553 mmu_notifier_release() from an mmput() (task B).
27554
27555 A B
27556 t1 srcu_read_lock()
27557 t2 if (!hlist_unhashed())
27558 t3 srcu_read_unlock()
27559 t4 srcu_read_lock()
27560 t5 hlist_del_init_rcu()
27561 t6 synchronize_srcu()
27562 t7 srcu_read_unlock()
27563 t8 hlist_del_rcu() <--- NULL pointer deref.
27564
27565 This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
27566
27567 The another issue spotted in the commit is "multiple ->release()
27568 callouts", we needn't care it too much because it is really rare (e.g,
27569 can not happen on kvm since mmu-notify is unregistered after
27570 exit_mmap()) and the later call of multiple ->release should be fast
27571 since all the pages have already been released by the first call.
27572 Anyway, this issue should be fixed in a separate patch.
27573
27574 -stable suggestions: Any version that has commit 751efd8610d3 need to be
27575 backported. I find the oldest version has this commit is 3.0-stable.
27576
27577 [akpm@linux-foundation.org: tweak comments]
27578 Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
27579 Tested-by: Robin Holt <holt@sgi.com>
27580 Cc: <stable@vger.kernel.org>
27581 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
27582 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
27583
27584 mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------
27585 1 files changed, 39 insertions(+), 40 deletions(-)
27586
27587commit 163a5539b36247865d39b2bcfa8efc03a62124a6
27588Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
27589Date: Fri May 24 15:55:21 2013 -0700
27590
27591 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
27592
27593 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
27594
27595 We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
27596 set_pmd_at is used to set pmd with huge pte entries and architectures
27597 like ppc64, clear few flags from the pte when saving a new entry.
27598 Without this change we observe bad pte errors like below on ppc64 with
27599 THP enabled.
27600
27601 BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
27602
27603 Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
27604 Cc: Hugh Dickins <hughd@google.com>
27605 Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
27606 Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
27607 Cc: <stable@vger.kernel.org>
27608 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
27609 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
27610
27611 mm/huge_memory.c | 7 ++++++-
27612 1 files changed, 6 insertions(+), 1 deletions(-)
27613
27614commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
27615Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
27616Date: Fri May 24 15:55:08 2013 -0700
27617
27618 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
27619
27620 fat: fix possible overflow for fat_clusters
27621
27622 Intermediate value of fat_clusters can be overflowed on 32bits arch.
27623
27624 Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
27625 Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
27626 Cc: <stable@vger.kernel.org>
27627 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
27628 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
27629
27630 fs/fat/inode.c | 15 ++++++++++++++-
27631 1 files changed, 14 insertions(+), 1 deletions(-)
27632
27633commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
27634Author: Jarod Wilson <jarod@redhat.com>
27635Date: Fri May 24 15:55:31 2013 -0700
27636
27637 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
27638
27639 drivers/char/random.c: fix priming of last_data
27640
27641 Commit ec8f02da9ea5 ("random: prime last_data value per fips
27642 requirements") added priming of last_data per fips requirements.
27643
27644 Unfortuantely, it did so in a way that can lead to multiple threads all
27645 incrementing nbytes, but only one actually doing anything with the extra
27646 data, which leads to some fun random corruption and panics.
27647
27648 The fix is to simply do everything needed to prime last_data in a single
27649 shot, so there's no window for multiple cpus to increment nbytes -- in
27650 fact, we won't even increment or decrement nbytes anymore, we'll just
27651 extract the needed EXTRACT_SIZE one time per pool and then carry on with
27652 the normal routine.
27653
27654 All these changes have been tested across multiple hosts and
27655 architectures where panics were previously encoutered. The code changes
27656 are are strictly limited to areas only touched when when booted in fips
27657 mode.
27658
27659 This change should also go into 3.8-stable, to make the myriads of fips
27660 users on 3.8.x happy.
27661
27662 Signed-off-by: Jarod Wilson <jarod@redhat.com>
27663 Tested-by: Jan Stancek <jstancek@redhat.com>
27664 Tested-by: Jan Stodola <jstodola@redhat.com>
27665 Cc: Herbert Xu <herbert@gondor.apana.org.au>
27666 Acked-by: Neil Horman <nhorman@tuxdriver.com>
27667 Cc: "David S. Miller" <davem@davemloft.net>
27668 Cc: Matt Mackall <mpm@selenic.com>
27669 Cc: "Theodore Ts'o" <tytso@mit.edu>
27670 Cc: <stable@vger.kernel.org>
27671 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
27672 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
27673
27674 drivers/char/random.c | 30 +++++++++++++++---------------
27675 1 files changed, 15 insertions(+), 15 deletions(-)
27676
27677commit 2d74639040ba6ce47f57ec010714ec06529c4b42
27678Author: Jiri Kosina <jkosina@suse.cz>
27679Date: Fri May 24 15:55:33 2013 -0700
27680
27681 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
27682
27683 random: fix accounting race condition with lockless irq entropy_count update
27684
27685 Commit 902c098a3663 ("random: use lockless techniques in the interrupt
27686 path") turned IRQ path from being spinlock protected into lockless
27687 cmpxchg-retry update.
27688
27689 That commit removed r->lock serialization between crediting entropy bits
27690 from IRQ context and accounting when extracting entropy on userspace
27691 read path, but didn't turn the r->entropy_count reads/updates in
27692 account() to use cmpxchg as well.
27693
27694 It has been observed, that under certain circumstances this leads to
27695 read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
27696 corrupted and becomes negative, which in turn results in propagating 0
27697 all the way from account() to the actual read() call.
27698
27699 Convert the accounting code to be the proper lockless counterpart of
27700 what has been partially done by 902c098a3663.
27701
27702 Signed-off-by: Jiri Kosina <jkosina@suse.cz>
27703 Cc: Theodore Ts'o <tytso@mit.edu>
27704 Cc: Greg KH <greg@kroah.com>
27705 Cc: <stable@vger.kernel.org>
27706 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
27707 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
27708
27709 drivers/char/random.c | 26 +++++++++++++++++---------
27710 1 files changed, 17 insertions(+), 9 deletions(-)
27711
27712commit 65d05c7ea468c23c175105526dd4f163302a92cf
27713Merge: 1a98d0a 6ce3a135
27714Author: Brad Spengler <spender@grsecurity.net>
27715Date: Sat May 25 07:48:15 2013 -0400
27716
27717 Merge branch 'pax-test' into grsec-test
27718
27719 Conflicts:
27720 arch/x86/kernel/vm86_32.c
27721
27722commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
27723Merge: 79bdd65 0bfd8ff
27724Author: Brad Spengler <spender@grsecurity.net>
27725Date: Sat May 25 07:46:55 2013 -0400
27726
27727 Merge branch 'linux-3.9.y' into pax-test
27728
27729commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
27730Author: Brad Spengler <spender@grsecurity.net>
27731Date: Thu May 23 18:42:23 2013 -0400
27732
27733 use existing local variable
27734
27735 fs/exec.c | 2 +-
27736 1 files changed, 1 insertions(+), 1 deletions(-)
27737
27738commit b2b80ef8586061e32e986b31608717c25d1e7c54
27739Merge: cb45fbd 79bdd65
27740Author: Brad Spengler <spender@grsecurity.net>
27741Date: Thu May 23 17:58:53 2013 -0400
27742
27743 Merge branch 'pax-test' into grsec-test
27744
27745commit 79bdd65dac68267bc1b201c6b4a99966a373c305
27746Author: Brad Spengler <spender@grsecurity.net>
27747Date: Thu May 23 17:57:46 2013 -0400
27748
27749 Update to pax-linux-3.9.3-test7.patch:
27750 - fixed some size overflow related warnings (hash table, attributes)
27751 - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html
27752
27753 arch/x86/include/asm/page_64.h | 2 +-
27754 arch/x86/kernel/head64.c | 2 +-
27755 tools/gcc/constify_plugin.c | 48 ++-
27756 tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
27757 4 files changed, 651 insertions(+), 592 deletions(-)
27758
27759commit cb45fbda4967b1b544a754fbdc92d73283379522
27760Merge: 62588fa 57c11b8
27761Author: Brad Spengler <spender@grsecurity.net>
27762Date: Mon May 20 17:32:17 2013 -0400
27763
27764 Merge branch 'pax-test' into grsec-test
27765
27766commit 57c11b85acd841a088aa4df8e60be337880df8cd
27767Merge: 0598b37 4bb0869
27768Author: Brad Spengler <spender@grsecurity.net>
27769Date: Mon May 20 17:32:08 2013 -0400
27770
27771 Merge branch 'linux-3.9.y' into pax-test
27772
27773commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
27774Merge: e261c7b 0598b37
27775Author: Brad Spengler <spender@grsecurity.net>
27776Date: Fri May 17 22:57:36 2013 -0400
27777
27778 Merge branch 'pax-test' into grsec-test
27779
27780commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
27781Author: Brad Spengler <spender@grsecurity.net>
27782Date: Fri May 17 22:57:07 2013 -0400
27783
27784 Update to pax-linux-3.9.2-test6.patch:
27785 - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
27786 - fixed pfn extraction from pud/pgd entries, reported by ousado
27787
27788 arch/x86/include/asm/pgtable.h | 9 +++++++--
27789 tools/gcc/structleak_plugin.c | 3 ++-
27790 2 files changed, 9 insertions(+), 3 deletions(-)
27791
27792commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
27793Author: Brad Spengler <spender@grsecurity.net>
27794Date: Thu May 16 22:54:12 2013 -0400
27795
27796 add offset to topdown check, fixes compilation
27797
27798 arch/x86/kernel/sys_x86_64.c | 2 +-
27799 1 files changed, 1 insertions(+), 1 deletions(-)
27800
27801commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
27802Author: Brad Spengler <spender@grsecurity.net>
27803Date: Thu May 16 20:57:41 2013 -0400
27804
27805 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
27806 reported by lulzh3ad on irc
27807
27808 security/Kconfig | 1 +
27809 1 files changed, 1 insertions(+), 0 deletions(-)
27810
27811commit 0d4593e84707cdf6deb6b925c18c676a476b1613
27812Merge: 43cd0c0 39a877f
27813Author: Brad Spengler <spender@grsecurity.net>
27814Date: Thu May 16 20:39:11 2013 -0400
27815
27816 Merge branch 'pax-test' into grsec-test
27817
27818commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
27819Author: Brad Spengler <spender@grsecurity.net>
27820Date: Thu May 16 20:37:35 2013 -0400
27821
27822 Update to pax-linux-3.9.2-test105.patch:
27823 - fixed !EFI boot problem, reported by spender
27824 - fixed a few compile warnings
27825 - fixed some more compile errors due to constification
27826 - fixed some arm fallout, reported by Michael Tremer
27827
27828 arch/arm/include/asm/psci.h | 2 +-
27829 arch/arm/kernel/psci.c | 2 +-
27830 arch/x86/kernel/sys_x86_64.c | 3 +--
27831 arch/x86/realmode/init.c | 2 +-
27832 drivers/hwmon/pmbus/pmbus_core.c | 10 +++++-----
27833 drivers/irqchip/irq-gic.c | 2 +-
27834 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++-
27835 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++---
27836 drivers/platform/x86/chromeos_laptop.c | 2 +-
27837 fs/jfs/super.c | 4 ++--
27838 include/linux/irqchip/arm-gic.h | 2 ++
27839 include/sound/compress_driver.h | 2 +-
27840 net/mac80211/cfg.c | 4 ++--
27841 sound/soc/fsl/fsl_ssi.c | 2 +-
27842 14 files changed, 31 insertions(+), 22 deletions(-)
27843
27844commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
27845Author: Brad Spengler <spender@grsecurity.net>
27846Date: Thu May 16 20:35:22 2013 -0400
27847
27848 Fix usercopy false positive under gcc 4.1
27849
27850 arch/x86/kernel/signal.c | 9 +++++++--
27851 1 files changed, 7 insertions(+), 2 deletions(-)
27852
27853commit 56a166129d817f6634c8c230e6ec497669bdfaca
27854Author: Amerigo Wang <amwang@redhat.com>
27855Date: Thu May 9 21:56:37 2013 +0000
27856
27857 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
27858
27859 ipv6,gre: do not leak info to user-space
27860
27861 There is a hole in struct ip6_tnl_parm2, so we have to
27862 zero the struct on stack before copying it to user-space.
27863
27864 Cc: David S. Miller <davem@davemloft.net>
27865 Signed-off-by: Cong Wang <amwang@redhat.com>
27866 Signed-off-by: David S. Miller <davem@davemloft.net>
27867
27868 net/ipv6/ip6_gre.c | 2 ++
27869 1 files changed, 2 insertions(+), 0 deletions(-)
27870
27871commit d6f50dae2653ad912952da40417a8ccbd59c7699
27872Author: Brad Spengler <spender@grsecurity.net>
27873Date: Tue May 14 16:52:35 2013 -0400
27874
27875 disable unprivileged kernel profiling under HIDESYM, rename
27876 the variable to something more appropriate
27877
27878 include/linux/perf_event.h | 8 ++++----
27879 kernel/events/core.c | 6 +++++-
27880 kernel/sysctl.c | 4 ++--
27881 3 files changed, 11 insertions(+), 7 deletions(-)
27882
27883commit 01322c6951bed4eedefbd2178dbd99292b365d99
27884Author: Brad Spengler <spender@grsecurity.net>
27885Date: Mon May 13 17:19:57 2013 -0400
27886
27887 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
27888 existing stack-heap gap code for the new unified vm_unmapped_area
27889
27890 grsecurity/Kconfig | 2 +-
27891 1 files changed, 1 insertions(+), 1 deletions(-)
27892
27893commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
27894Author: Brad Spengler <spender@grsecurity.net>
27895Date: Mon May 13 15:40:32 2013 -0400
27896
27897 fix NX fault on early boot
27898
27899 arch/x86/realmode/init.c | 2 +-
27900 1 files changed, 1 insertions(+), 1 deletions(-)
27901
27902commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
27903Author: Brad Spengler <spender@grsecurity.net>
27904Date: Mon May 13 10:48:13 2013 -0400
27905
27906 compile fix, we weren't using %pa anyway and it's now being used
27907 by upstream for physical address printing
27908
27909 lib/vsprintf.c | 3 +--
27910 1 files changed, 1 insertions(+), 2 deletions(-)
27911
27912commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
27913Author: Brad Spengler <spender@grsecurity.net>
27914Date: Mon May 13 10:39:52 2013 -0400
27915
27916 compile fix
27917
27918 grsecurity/grsec_chroot.c | 2 +-
27919 1 files changed, 1 insertions(+), 1 deletions(-)
27920
27921commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
27922Author: Brad Spengler <spender@grsecurity.net>
27923Date: Mon May 13 10:35:36 2013 -0400
27924
27925 compile fixes
27926
27927 grsecurity/grsec_chroot.c | 2 +-
27928 include/linux/grinternal.h | 8 ++++----
27929 include/linux/grsecurity.h | 4 ++--
27930 3 files changed, 7 insertions(+), 7 deletions(-)
27931
27932commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
27933Author: Brad Spengler <spender@grsecurity.net>
27934Date: Mon May 13 10:27:18 2013 -0400
27935
27936 compile fix
27937
27938 fs/exec.c | 6 +++---
27939 1 files changed, 3 insertions(+), 3 deletions(-)
27940
27941commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
27942Author: Brad Spengler <spender@grsecurity.net>
27943Date: Mon May 13 10:23:17 2013 -0400
27944
27945 Initial port of grsecurity for 3.9.2
27946
27947 Documentation/kernel-parameters.txt | 4 +
27948 Makefile | 8 +-
27949 arch/alpha/include/asm/cache.h | 4 +-
27950 arch/alpha/kernel/osf_sys.c | 12 +-
27951 arch/arm/include/asm/thread_info.h | 9 +-
27952 arch/arm/kernel/process.c | 4 +-
27953 arch/arm/kernel/ptrace.c | 9 +
27954 arch/arm/kernel/traps.c | 7 +-
27955 arch/arm/mm/fault.c | 29 +-
27956 arch/arm/mm/mmap.c | 8 +-
27957 arch/avr32/include/asm/cache.h | 4 +-
27958 arch/blackfin/include/asm/cache.h | 3 +-
27959 arch/cris/include/arch-v10/arch/cache.h | 3 +-
27960 arch/cris/include/arch-v32/arch/cache.h | 3 +-
27961 arch/frv/include/asm/cache.h | 3 +-
27962 arch/frv/mm/elf-fdpic.c | 4 +-
27963 arch/hexagon/include/asm/cache.h | 6 +-
27964 arch/ia64/include/asm/cache.h | 3 +-
27965 arch/ia64/kernel/sys_ia64.c | 2 +
27966 arch/ia64/mm/hugetlbpage.c | 2 +
27967 arch/m32r/include/asm/cache.h | 4 +-
27968 arch/m68k/include/asm/cache.h | 4 +-
27969 arch/metag/mm/hugetlbpage.c | 1 +
27970 arch/microblaze/include/asm/cache.h | 3 +-
27971 arch/mips/include/asm/cache.h | 3 +-
27972 arch/mips/include/asm/thread_info.h | 9 +-
27973 arch/mips/kernel/ptrace.c | 9 +
27974 arch/mips/kernel/scall32-o32.S | 2 +-
27975 arch/mips/kernel/scall64-64.S | 2 +-
27976 arch/mips/kernel/scall64-n32.S | 2 +-
27977 arch/mips/kernel/scall64-o32.S | 2 +-
27978 arch/mips/mm/mmap.c | 4 +-
27979 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
27980 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
27981 arch/openrisc/include/asm/cache.h | 4 +-
27982 arch/parisc/include/asm/cache.h | 5 +-
27983 arch/parisc/kernel/sys_parisc.c | 17 +-
27984 arch/powerpc/include/asm/cache.h | 3 +-
27985 arch/powerpc/include/asm/thread_info.h | 8 +-
27986 arch/powerpc/kernel/process.c | 10 +-
27987 arch/powerpc/kernel/ptrace.c | 14 +
27988 arch/powerpc/kernel/traps.c | 5 +
27989 arch/powerpc/mm/slice.c | 8 +-
27990 arch/s390/include/asm/cache.h | 4 +-
27991 arch/score/include/asm/cache.h | 4 +-
27992 arch/sh/include/asm/cache.h | 3 +-
27993 arch/sh/mm/mmap.c | 6 +-
27994 arch/sparc/include/asm/cache.h | 4 +-
27995 arch/sparc/include/asm/thread_info_64.h | 9 +-
27996 arch/sparc/kernel/process_32.c | 6 +-
27997 arch/sparc/kernel/process_64.c | 8 +-
27998 arch/sparc/kernel/ptrace_64.c | 14 +
27999 arch/sparc/kernel/sys_sparc_64.c | 8 +-
28000 arch/sparc/kernel/syscalls.S | 8 +-
28001 arch/sparc/kernel/traps_32.c | 8 +-
28002 arch/sparc/kernel/traps_64.c | 28 +-
28003 arch/sparc/kernel/unaligned_64.c | 2 +-
28004 arch/sparc/mm/fault_64.c | 2 +-
28005 arch/sparc/mm/hugetlbpage.c | 3 +-
28006 arch/tile/include/asm/cache.h | 3 +-
28007 arch/tile/mm/hugetlbpage.c | 2 +
28008 arch/um/defconfig | 1 -
28009 arch/um/include/asm/cache.h | 3 +-
28010 arch/unicore32/include/asm/cache.h | 6 +-
28011 arch/x86/Kconfig | 5 +-
28012 arch/x86/Kconfig.debug | 2 +-
28013 arch/x86/ia32/ia32_aout.c | 2 +
28014 arch/x86/include/asm/thread_info.h | 8 +-
28015 arch/x86/kernel/dumpstack.c | 8 +
28016 arch/x86/kernel/entry_32.S | 2 +-
28017 arch/x86/kernel/entry_64.S | 2 +-
28018 arch/x86/kernel/ioport.c | 13 +
28019 arch/x86/kernel/ptrace.c | 14 +
28020 arch/x86/kernel/smpboot.c | 3 +
28021 arch/x86/kernel/sys_i386_32.c | 14 +-
28022 arch/x86/kernel/sys_x86_64.c | 6 +-
28023 arch/x86/kernel/verify_cpu.S | 1 +
28024 arch/x86/kernel/vm86_32.c | 16 +
28025 arch/x86/mm/fault.c | 12 +-
28026 arch/x86/mm/hugetlbpage.c | 15 +-
28027 arch/x86/mm/init.c | 66 +-
28028 arch/x86/net/bpf_jit_comp.c | 126 +-
28029 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
28030 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
28031 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
28032 drivers/block/cciss.c | 2 +
28033 drivers/char/Kconfig | 4 +-
28034 drivers/char/genrtc.c | 1 +
28035 drivers/char/mem.c | 17 +
28036 drivers/char/random.c | 12 +
28037 drivers/gpu/drm/drm_info.c | 4 +
28038 drivers/hid/hid-wiimote-debug.c | 2 +-
28039 drivers/media/radio/radio-cadet.c | 2 +-
28040 drivers/message/fusion/mptbase.c | 9 +
28041 drivers/net/bonding/bond_main.c | 2 +-
28042 drivers/net/phy/mdio-bitbang.c | 1 +
28043 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
28044 drivers/pci/proc.c | 9 +
28045 drivers/rtc/rtc-dev.c | 3 +
28046 drivers/tty/sysrq.c | 2 +-
28047 drivers/tty/vt/keyboard.c | 22 +-
28048 drivers/usb/storage/realtek_cr.c | 2 +-
28049 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
28050 drivers/xen/xenfs/xenstored.c | 5 +
28051 fs/attr.c | 1 +
28052 fs/autofs4/waitq.c | 9 +
28053 fs/binfmt_aout.c | 7 +
28054 fs/binfmt_elf.c | 8 +-
28055 fs/btrfs/ioctl.c | 6 +-
28056 fs/compat.c | 20 +-
28057 fs/coredump.c | 10 +-
28058 fs/debugfs/inode.c | 4 +
28059 fs/exec.c | 181 +-
28060 fs/ext2/balloc.c | 4 +-
28061 fs/ext3/balloc.c | 4 +-
28062 fs/ext4/balloc.c | 4 +-
28063 fs/fcntl.c | 5 +
28064 fs/file.c | 4 +
28065 fs/filesystems.c | 4 +
28066 fs/fs_struct.c | 13 +-
28067 fs/hugetlbfs/inode.c | 5 +-
28068 fs/namei.c | 241 ++-
28069 fs/namespace.c | 24 +
28070 fs/open.c | 38 +
28071 fs/pipe.c | 2 +-
28072 fs/proc/Kconfig | 10 +-
28073 fs/proc/array.c | 59 +-
28074 fs/proc/base.c | 168 +-
28075 fs/proc/cmdline.c | 4 +
28076 fs/proc/devices.c | 4 +
28077 fs/proc/fd.c | 17 +-
28078 fs/proc/inode.c | 17 +
28079 fs/proc/internal.h | 3 +
28080 fs/proc/kcore.c | 3 +
28081 fs/proc/proc_net.c | 12 +
28082 fs/proc/proc_sysctl.c | 43 +-
28083 fs/proc/root.c | 8 +
28084 fs/proc/task_mmu.c | 75 +-
28085 fs/readdir.c | 19 +
28086 fs/select.c | 2 +
28087 fs/seq_file.c | 12 +-
28088 fs/stat.c | 19 +-
28089 fs/sysfs/dir.c | 12 +
28090 fs/utimes.c | 7 +
28091 fs/xattr.c | 19 +-
28092 grsecurity/Kconfig | 1031 +++++
28093 grsecurity/Makefile | 38 +
28094 grsecurity/gracl.c | 4073 ++++++++++++++++++++
28095 grsecurity/gracl_alloc.c | 105 +
28096 grsecurity/gracl_cap.c | 110 +
28097 grsecurity/gracl_fs.c | 431 +++
28098 grsecurity/gracl_ip.c | 387 ++
28099 grsecurity/gracl_learn.c | 207 +
28100 grsecurity/gracl_res.c | 68 +
28101 grsecurity/gracl_segv.c | 305 ++
28102 grsecurity/gracl_shm.c | 40 +
28103 grsecurity/grsec_chdir.c | 19 +
28104 grsecurity/grsec_chroot.c | 370 ++
28105 grsecurity/grsec_disabled.c | 434 +++
28106 grsecurity/grsec_exec.c | 187 +
28107 grsecurity/grsec_fifo.c | 24 +
28108 grsecurity/grsec_fork.c | 23 +
28109 grsecurity/grsec_init.c | 283 ++
28110 grsecurity/grsec_link.c | 58 +
28111 grsecurity/grsec_log.c | 326 ++
28112 grsecurity/grsec_mem.c | 40 +
28113 grsecurity/grsec_mount.c | 62 +
28114 grsecurity/grsec_pax.c | 36 +
28115 grsecurity/grsec_ptrace.c | 30 +
28116 grsecurity/grsec_sig.c | 222 ++
28117 grsecurity/grsec_sock.c | 244 ++
28118 grsecurity/grsec_sysctl.c | 469 +++
28119 grsecurity/grsec_time.c | 16 +
28120 grsecurity/grsec_tpe.c | 73 +
28121 grsecurity/grsum.c | 61 +
28122 include/linux/capability.h | 5 +
28123 include/linux/cred.h | 3 +
28124 include/linux/fs.h | 10 +
28125 include/linux/fsnotify.h | 6 +
28126 include/linux/gracl.h | 319 ++
28127 include/linux/gralloc.h | 9 +
28128 include/linux/grdefs.h | 140 +
28129 include/linux/grinternal.h | 215 +
28130 include/linux/grmsg.h | 111 +
28131 include/linux/grsecurity.h | 242 ++
28132 include/linux/grsock.h | 19 +
28133 include/linux/kallsyms.h | 14 +-
28134 include/linux/kmod.h | 2 +
28135 include/linux/mm.h | 1 +
28136 include/linux/netfilter/xt_gradm.h | 9 +
28137 include/linux/printk.h | 3 +-
28138 include/linux/proc_fs.h | 12 +
28139 include/linux/sched.h | 68 +-
28140 include/linux/security.h | 1 +
28141 include/linux/seq_file.h | 3 +
28142 include/linux/shm.h | 4 +
28143 include/linux/skbuff.h | 3 +
28144 include/linux/slab.h | 9 -
28145 include/linux/sysctl.h | 2 +
28146 include/linux/thread_info.h | 2 +
28147 include/linux/uidgid.h | 5 +
28148 include/linux/vermagic.h | 9 +-
28149 include/net/secure_seq.h | 1 +
28150 include/trace/events/fs.h | 53 +
28151 include/uapi/linux/personality.h | 1 +
28152 init/Kconfig | 3 +-
28153 init/main.c | 14 +
28154 ipc/mqueue.c | 1 +
28155 ipc/shm.c | 28 +
28156 kernel/capability.c | 39 +-
28157 kernel/cgroup.c | 2 +-
28158 kernel/compat.c | 1 +
28159 kernel/configs.c | 11 +
28160 kernel/cred.c | 110 +-
28161 kernel/exit.c | 10 +-
28162 kernel/fork.c | 41 +-
28163 kernel/futex.c | 1 +
28164 kernel/kallsyms.c | 9 +
28165 kernel/kcmp.c | 4 +
28166 kernel/kmod.c | 71 +-
28167 kernel/kprobes.c | 4 +-
28168 kernel/ksysfs.c | 2 +
28169 kernel/lockdep_proc.c | 10 +-
28170 kernel/module.c | 81 +-
28171 kernel/panic.c | 4 +-
28172 kernel/pid.c | 19 +-
28173 kernel/posix-timers.c | 8 +
28174 kernel/printk.c | 13 +-
28175 kernel/ptrace.c | 20 +-
28176 kernel/resource.c | 10 +
28177 kernel/sched/core.c | 6 +-
28178 kernel/signal.c | 37 +-
28179 kernel/sys.c | 45 +-
28180 kernel/sysctl.c | 39 +-
28181 kernel/taskstats.c | 6 +
28182 kernel/time.c | 5 +
28183 kernel/time/timekeeping.c | 3 +
28184 kernel/time/timer_list.c | 12 +
28185 kernel/time/timer_stats.c | 10 +-
28186 lib/Kconfig.debug | 5 +-
28187 lib/is_single_threaded.c | 3 +
28188 lib/vsprintf.c | 35 +-
28189 localversion-grsec | 1 +
28190 mm/Kconfig | 4 +-
28191 mm/filemap.c | 1 +
28192 mm/kmemleak.c | 4 +-
28193 mm/mempolicy.c | 12 +-
28194 mm/migrate.c | 3 +-
28195 mm/mlock.c | 3 +
28196 mm/mmap.c | 64 +-
28197 mm/mprotect.c | 8 +
28198 mm/process_vm_access.c | 6 +
28199 mm/shmem.c | 2 +-
28200 mm/slab.c | 2 +-
28201 mm/slub.c | 14 +-
28202 mm/vmalloc.c | 4 +
28203 mm/vmstat.c | 18 +-
28204 net/8021q/vlan.c | 7 +
28205 net/core/dev_ioctl.c | 4 +
28206 net/core/net-procfs.c | 5 +
28207 net/core/secure_seq.c | 4 +-
28208 net/core/sock_diag.c | 7 +
28209 net/ipv4/af_inet.c | 5 +-
28210 net/ipv4/inet_hashtables.c | 5 +
28211 net/ipv4/ip_sockglue.c | 3 +-
28212 net/ipv4/tcp_input.c | 4 +-
28213 net/ipv4/tcp_ipv4.c | 24 +-
28214 net/ipv4/tcp_minisocks.c | 9 +-
28215 net/ipv4/tcp_timer.c | 11 +
28216 net/ipv4/udp.c | 24 +
28217 net/ipv6/tcp_ipv6.c | 23 +-
28218 net/ipv6/udp.c | 7 +
28219 net/netfilter/Kconfig | 10 +
28220 net/netfilter/Makefile | 1 +
28221 net/netfilter/nf_conntrack_core.c | 8 +
28222 net/netfilter/xt_gradm.c | 51 +
28223 net/netrom/af_netrom.c | 2 +-
28224 net/phonet/af_phonet.c | 2 +-
28225 net/sctp/probe.c | 2 +-
28226 net/sctp/proc.c | 3 +-
28227 net/socket.c | 66 +-
28228 net/sysctl_net.c | 2 +-
28229 net/tipc/link.c | 11 +-
28230 net/unix/af_unix.c | 31 +-
28231 security/Kconfig | 342 ++-
28232 security/commoncap.c | 29 +
28233 security/min_addr.c | 2 +
28234 security/security.c | 2 -
28235 security/selinux/hooks.c | 2 -
28236 security/tomoyo/mount.c | 4 +
28237 security/yama/Kconfig | 2 +-
28238 291 files changed, 15221 insertions(+), 2052 deletions(-)
28239
28240commit 88854c350c899bceca4a94598c42bed44d0dc91b
28241Author: Brad Spengler <spender@grsecurity.net>
28242Date: Mon May 13 07:37:47 2013 -0400
28243
28244 Initial import of pax-linux-3.9.2-test2.patch
28245
28246 Documentation/dontdiff | 45 +-
28247 Documentation/kernel-parameters.txt | 12 +
28248 Makefile | 100 +-
28249 arch/alpha/include/asm/atomic.h | 10 +
28250 arch/alpha/include/asm/elf.h | 7 +
28251 arch/alpha/include/asm/pgalloc.h | 6 +
28252 arch/alpha/include/asm/pgtable.h | 11 +
28253 arch/alpha/kernel/module.c | 2 +-
28254 arch/alpha/kernel/osf_sys.c | 8 +-
28255 arch/alpha/mm/fault.c | 141 +-
28256 arch/arm/Kconfig | 2 +-
28257 arch/arm/include/asm/atomic.h | 421 ++-
28258 arch/arm/include/asm/cache.h | 5 +-
28259 arch/arm/include/asm/cacheflush.h | 2 +-
28260 arch/arm/include/asm/checksum.h | 14 +-
28261 arch/arm/include/asm/cmpxchg.h | 2 +
28262 arch/arm/include/asm/domain.h | 33 +-
28263 arch/arm/include/asm/elf.h | 13 +-
28264 arch/arm/include/asm/fncpy.h | 2 +
28265 arch/arm/include/asm/futex.h | 10 +
28266 arch/arm/include/asm/kmap_types.h | 2 +-
28267 arch/arm/include/asm/mach/dma.h | 2 +-
28268 arch/arm/include/asm/mach/map.h | 7 +-
28269 arch/arm/include/asm/outercache.h | 2 +-
28270 arch/arm/include/asm/page.h | 2 +-
28271 arch/arm/include/asm/pgalloc.h | 22 +-
28272 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
28273 arch/arm/include/asm/pgtable-2level.h | 1 +
28274 arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
28275 arch/arm/include/asm/pgtable-3level.h | 2 +
28276 arch/arm/include/asm/pgtable.h | 56 +-
28277 arch/arm/include/asm/proc-fns.h | 2 +-
28278 arch/arm/include/asm/processor.h | 5 +-
28279 arch/arm/include/asm/smp.h | 2 +-
28280 arch/arm/include/asm/thread_info.h | 6 +-
28281 arch/arm/include/asm/uaccess.h | 92 +-
28282 arch/arm/include/uapi/asm/ptrace.h | 2 +-
28283 arch/arm/kernel/armksyms.c | 6 +-
28284 arch/arm/kernel/entry-armv.S | 107 +-
28285 arch/arm/kernel/entry-common.S | 41 +-
28286 arch/arm/kernel/entry-header.S | 60 +
28287 arch/arm/kernel/fiq.c | 2 +
28288 arch/arm/kernel/head.S | 6 +-
28289 arch/arm/kernel/hw_breakpoint.c | 2 +-
28290 arch/arm/kernel/module.c | 29 +-
28291 arch/arm/kernel/patch.c | 2 +
28292 arch/arm/kernel/perf_event_cpu.c | 2 +-
28293 arch/arm/kernel/process.c | 15 +-
28294 arch/arm/kernel/setup.c | 22 +-
28295 arch/arm/kernel/signal.c | 24 +-
28296 arch/arm/kernel/smp.c | 2 +-
28297 arch/arm/kernel/traps.c | 15 +-
28298 arch/arm/kernel/vmlinux.lds.S | 22 +-
28299 arch/arm/lib/clear_user.S | 6 +-
28300 arch/arm/lib/copy_from_user.S | 6 +-
28301 arch/arm/lib/copy_page.S | 1 +
28302 arch/arm/lib/copy_to_user.S | 6 +-
28303 arch/arm/lib/csumpartialcopyuser.S | 4 +-
28304 arch/arm/lib/delay.c | 2 +-
28305 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
28306 arch/arm/mach-kirkwood/common.c | 19 +-
28307 arch/arm/mach-omap2/board-n8x0.c | 2 +-
28308 arch/arm/mach-omap2/gpmc.c | 22 +-
28309 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
28310 arch/arm/mach-omap2/omap_device.c | 4 +-
28311 arch/arm/mach-omap2/omap_device.h | 4 +-
28312 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
28313 arch/arm/mach-omap2/wd_timer.c | 6 +-
28314 arch/arm/mach-ux500/include/mach/setup.h | 7 -
28315 arch/arm/mm/Kconfig | 3 +-
28316 arch/arm/mm/alignment.c | 8 +
28317 arch/arm/mm/fault.c | 91 +
28318 arch/arm/mm/fault.h | 12 +
28319 arch/arm/mm/init.c | 41 +
28320 arch/arm/mm/ioremap.c | 4 +-
28321 arch/arm/mm/mmap.c | 36 +-
28322 arch/arm/mm/mmu.c | 187 +-
28323 arch/arm/mm/proc-v7-2level.S | 3 +
28324 arch/arm/plat-omap/sram.c | 2 +
28325 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
28326 arch/arm64/kernel/debug-monitors.c | 2 +-
28327 arch/arm64/kernel/hw_breakpoint.c | 2 +-
28328 arch/avr32/include/asm/elf.h | 8 +-
28329 arch/avr32/include/asm/kmap_types.h | 4 +-
28330 arch/avr32/mm/fault.c | 27 +
28331 arch/frv/include/asm/atomic.h | 10 +
28332 arch/frv/include/asm/kmap_types.h | 2 +-
28333 arch/frv/mm/elf-fdpic.c | 3 +-
28334 arch/ia64/include/asm/atomic.h | 10 +
28335 arch/ia64/include/asm/elf.h | 7 +
28336 arch/ia64/include/asm/pgalloc.h | 12 +
28337 arch/ia64/include/asm/pgtable.h | 13 +-
28338 arch/ia64/include/asm/spinlock.h | 2 +-
28339 arch/ia64/include/asm/uaccess.h | 26 +-
28340 arch/ia64/kernel/err_inject.c | 2 +-
28341 arch/ia64/kernel/mca.c | 2 +-
28342 arch/ia64/kernel/module.c | 48 +-
28343 arch/ia64/kernel/palinfo.c | 2 +-
28344 arch/ia64/kernel/salinfo.c | 2 +-
28345 arch/ia64/kernel/sys_ia64.c | 7 +
28346 arch/ia64/kernel/topology.c | 2 +-
28347 arch/ia64/kernel/vmlinux.lds.S | 2 +-
28348 arch/ia64/mm/fault.c | 32 +-
28349 arch/ia64/mm/init.c | 13 +
28350 arch/m32r/lib/usercopy.c | 6 +
28351 arch/mips/include/asm/atomic.h | 14 +
28352 arch/mips/include/asm/elf.h | 11 +-
28353 arch/mips/include/asm/exec.h | 2 +-
28354 arch/mips/include/asm/page.h | 2 +-
28355 arch/mips/include/asm/pgalloc.h | 5 +
28356 arch/mips/kernel/binfmt_elfn32.c | 7 +
28357 arch/mips/kernel/binfmt_elfo32.c | 7 +
28358 arch/mips/kernel/process.c | 12 -
28359 arch/mips/mm/fault.c | 17 +
28360 arch/mips/mm/mmap.c | 51 +-
28361 arch/parisc/include/asm/atomic.h | 10 +
28362 arch/parisc/include/asm/elf.h | 7 +
28363 arch/parisc/include/asm/pgalloc.h | 6 +
28364 arch/parisc/include/asm/pgtable.h | 11 +
28365 arch/parisc/include/asm/uaccess.h | 4 +-
28366 arch/parisc/kernel/module.c | 50 +-
28367 arch/parisc/kernel/sys_parisc.c | 9 +-
28368 arch/parisc/kernel/traps.c | 4 +-
28369 arch/parisc/mm/fault.c | 140 +-
28370 arch/powerpc/include/asm/atomic.h | 10 +
28371 arch/powerpc/include/asm/elf.h | 19 +-
28372 arch/powerpc/include/asm/exec.h | 2 +-
28373 arch/powerpc/include/asm/kmap_types.h | 2 +-
28374 arch/powerpc/include/asm/mman.h | 2 +-
28375 arch/powerpc/include/asm/page.h | 8 +-
28376 arch/powerpc/include/asm/page_64.h | 7 +-
28377 arch/powerpc/include/asm/pgalloc-64.h | 7 +
28378 arch/powerpc/include/asm/pgtable.h | 1 +
28379 arch/powerpc/include/asm/pte-hash32.h | 1 +
28380 arch/powerpc/include/asm/reg.h | 1 +
28381 arch/powerpc/include/asm/smp.h | 2 +-
28382 arch/powerpc/include/asm/uaccess.h | 140 +-
28383 arch/powerpc/kernel/exceptions-64e.S | 4 +-
28384 arch/powerpc/kernel/exceptions-64s.S | 2 +-
28385 arch/powerpc/kernel/module_32.c | 13 +-
28386 arch/powerpc/kernel/process.c | 55 -
28387 arch/powerpc/kernel/signal_32.c | 2 +-
28388 arch/powerpc/kernel/signal_64.c | 2 +-
28389 arch/powerpc/kernel/sysfs.c | 2 +-
28390 arch/powerpc/kernel/vdso.c | 5 +-
28391 arch/powerpc/lib/usercopy_64.c | 18 -
28392 arch/powerpc/mm/fault.c | 54 +-
28393 arch/powerpc/mm/mmap_64.c | 16 +
28394 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
28395 arch/powerpc/mm/numa.c | 2 +-
28396 arch/powerpc/mm/slice.c | 23 +-
28397 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
28398 arch/powerpc/platforms/powermac/smp.c | 2 +-
28399 arch/s390/include/asm/atomic.h | 10 +
28400 arch/s390/include/asm/elf.h | 13 +-
28401 arch/s390/include/asm/exec.h | 2 +-
28402 arch/s390/include/asm/uaccess.h | 15 +-
28403 arch/s390/kernel/module.c | 22 +-
28404 arch/s390/kernel/process.c | 36 -
28405 arch/s390/mm/mmap.c | 24 +
28406 arch/score/include/asm/exec.h | 2 +-
28407 arch/score/kernel/process.c | 5 -
28408 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
28409 arch/sh/mm/mmap.c | 22 +-
28410 arch/sparc/include/asm/atomic_64.h | 106 +-
28411 arch/sparc/include/asm/cache.h | 2 +-
28412 arch/sparc/include/asm/elf_32.h | 7 +
28413 arch/sparc/include/asm/elf_64.h | 7 +
28414 arch/sparc/include/asm/pgalloc_32.h | 1 +
28415 arch/sparc/include/asm/pgalloc_64.h | 1 +
28416 arch/sparc/include/asm/pgtable_32.h | 15 +-
28417 arch/sparc/include/asm/pgtsrmmu.h | 5 +
28418 arch/sparc/include/asm/spinlock_64.h | 35 +-
28419 arch/sparc/include/asm/thread_info_32.h | 2 +
28420 arch/sparc/include/asm/thread_info_64.h | 2 +
28421 arch/sparc/include/asm/uaccess.h | 1 +
28422 arch/sparc/include/asm/uaccess_32.h | 27 +-
28423 arch/sparc/include/asm/uaccess_64.h | 19 +-
28424 arch/sparc/kernel/Makefile | 2 +-
28425 arch/sparc/kernel/prom_common.c | 2 +-
28426 arch/sparc/kernel/sys_sparc_32.c | 2 +-
28427 arch/sparc/kernel/sys_sparc_64.c | 48 +-
28428 arch/sparc/kernel/sysfs.c | 2 +-
28429 arch/sparc/kernel/traps_64.c | 13 +-
28430 arch/sparc/kernel/us3_cpufreq.c | 69 +-
28431 arch/sparc/lib/Makefile | 2 +-
28432 arch/sparc/lib/atomic_64.S | 136 +-
28433 arch/sparc/lib/ksyms.c | 6 +
28434 arch/sparc/mm/Makefile | 2 +-
28435 arch/sparc/mm/fault_32.c | 292 ++
28436 arch/sparc/mm/fault_64.c | 486 ++
28437 arch/sparc/mm/hugetlbpage.c | 21 +-
28438 arch/tile/include/asm/atomic_64.h | 10 +
28439 arch/tile/include/asm/uaccess.h | 4 +-
28440 arch/um/Makefile | 4 +
28441 arch/um/include/asm/kmap_types.h | 2 +-
28442 arch/um/include/asm/page.h | 3 +
28443 arch/um/include/asm/pgtable-3level.h | 1 +
28444 arch/um/kernel/process.c | 16 -
28445 arch/x86/Kconfig | 10 +-
28446 arch/x86/Kconfig.cpu | 6 +-
28447 arch/x86/Kconfig.debug | 6 +-
28448 arch/x86/Makefile | 10 +
28449 arch/x86/boot/Makefile | 3 +
28450 arch/x86/boot/bitops.h | 4 +-
28451 arch/x86/boot/boot.h | 4 +-
28452 arch/x86/boot/compressed/Makefile | 3 +
28453 arch/x86/boot/compressed/eboot.c | 2 -
28454 arch/x86/boot/compressed/head_32.S | 7 +-
28455 arch/x86/boot/compressed/head_64.S | 8 +-
28456 arch/x86/boot/compressed/misc.c | 4 +-
28457 arch/x86/boot/cpucheck.c | 28 +-
28458 arch/x86/boot/header.S | 6 +-
28459 arch/x86/boot/memory.c | 2 +-
28460 arch/x86/boot/video-vesa.c | 1 +
28461 arch/x86/boot/video.c | 2 +-
28462 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
28463 arch/x86/crypto/aesni-intel_asm.S | 21 +
28464 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
28465 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
28466 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
28467 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 +
28468 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
28469 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 +
28470 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
28471 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
28472 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 +
28473 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
28474 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
28475 arch/x86/ia32/ia32_signal.c | 14 +-
28476 arch/x86/ia32/ia32entry.S | 141 +-
28477 arch/x86/ia32/sys_ia32.c | 6 +-
28478 arch/x86/include/asm/alternative-asm.h | 39 +
28479 arch/x86/include/asm/alternative.h | 4 +-
28480 arch/x86/include/asm/apic.h | 2 +-
28481 arch/x86/include/asm/apm.h | 4 +-
28482 arch/x86/include/asm/atomic.h | 307 ++-
28483 arch/x86/include/asm/atomic64_32.h | 100 +
28484 arch/x86/include/asm/atomic64_64.h | 202 +-
28485 arch/x86/include/asm/bitops.h | 4 +-
28486 arch/x86/include/asm/boot.h | 7 +-
28487 arch/x86/include/asm/cache.h | 5 +-
28488 arch/x86/include/asm/cacheflush.h | 2 +-
28489 arch/x86/include/asm/checksum_32.h | 12 +-
28490 arch/x86/include/asm/cmpxchg.h | 35 +
28491 arch/x86/include/asm/compat.h | 2 +-
28492 arch/x86/include/asm/cpufeature.h | 4 +-
28493 arch/x86/include/asm/desc.h | 67 +-
28494 arch/x86/include/asm/desc_defs.h | 6 +
28495 arch/x86/include/asm/div64.h | 2 +-
28496 arch/x86/include/asm/elf.h | 31 +-
28497 arch/x86/include/asm/emergency-restart.h | 2 +-
28498 arch/x86/include/asm/fpu-internal.h | 6 +-
28499 arch/x86/include/asm/futex.h | 16 +-
28500 arch/x86/include/asm/hw_irq.h | 4 +-
28501 arch/x86/include/asm/i8259.h | 2 +-
28502 arch/x86/include/asm/io.h | 21 +-
28503 arch/x86/include/asm/irqflags.h | 5 +
28504 arch/x86/include/asm/kprobes.h | 9 +-
28505 arch/x86/include/asm/local.h | 142 +-
28506 arch/x86/include/asm/mman.h | 15 +
28507 arch/x86/include/asm/mmu.h | 16 +-
28508 arch/x86/include/asm/mmu_context.h | 76 +-
28509 arch/x86/include/asm/module.h | 17 +-
28510 arch/x86/include/asm/nmi.h | 6 +-
28511 arch/x86/include/asm/page_64.h | 2 +-
28512 arch/x86/include/asm/paravirt.h | 46 +-
28513 arch/x86/include/asm/paravirt_types.h | 17 +-
28514 arch/x86/include/asm/pgalloc.h | 23 +
28515 arch/x86/include/asm/pgtable-2level.h | 2 +
28516 arch/x86/include/asm/pgtable-3level.h | 4 +
28517 arch/x86/include/asm/pgtable.h | 113 +-
28518 arch/x86/include/asm/pgtable_32.h | 14 +-
28519 arch/x86/include/asm/pgtable_32_types.h | 15 +-
28520 arch/x86/include/asm/pgtable_64.h | 19 +-
28521 arch/x86/include/asm/pgtable_64_types.h | 5 +
28522 arch/x86/include/asm/pgtable_types.h | 36 +-
28523 arch/x86/include/asm/processor.h | 39 +-
28524 arch/x86/include/asm/ptrace.h | 26 +-
28525 arch/x86/include/asm/realmode.h | 4 +-
28526 arch/x86/include/asm/reboot.h | 10 +-
28527 arch/x86/include/asm/rwsem.h | 60 +-
28528 arch/x86/include/asm/segment.h | 24 +-
28529 arch/x86/include/asm/smp.h | 14 +-
28530 arch/x86/include/asm/spinlock.h | 36 +-
28531 arch/x86/include/asm/stackprotector.h | 4 +-
28532 arch/x86/include/asm/stacktrace.h | 32 +-
28533 arch/x86/include/asm/switch_to.h | 4 +-
28534 arch/x86/include/asm/thread_info.h | 83 +-
28535 arch/x86/include/asm/uaccess.h | 96 +-
28536 arch/x86/include/asm/uaccess_32.h | 106 +-
28537 arch/x86/include/asm/uaccess_64.h | 232 +-
28538 arch/x86/include/asm/word-at-a-time.h | 2 +-
28539 arch/x86/include/asm/x86_init.h | 10 +-
28540 arch/x86/include/asm/xsave.h | 10 +-
28541 arch/x86/include/uapi/asm/e820.h | 2 +-
28542 arch/x86/kernel/Makefile | 2 +-
28543 arch/x86/kernel/acpi/boot.c | 4 +-
28544 arch/x86/kernel/acpi/sleep.c | 4 +
28545 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
28546 arch/x86/kernel/alternative.c | 65 +-
28547 arch/x86/kernel/apic/apic.c | 4 +-
28548 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
28549 arch/x86/kernel/apic/apic_noop.c | 2 +-
28550 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
28551 arch/x86/kernel/apic/es7000_32.c | 5 +-
28552 arch/x86/kernel/apic/io_apic.c | 8 +-
28553 arch/x86/kernel/apic/numaq_32.c | 3 +-
28554 arch/x86/kernel/apic/probe_32.c | 2 +-
28555 arch/x86/kernel/apic/summit_32.c | 2 +-
28556 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
28557 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
28558 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
28559 arch/x86/kernel/apm_32.c | 19 +-
28560 arch/x86/kernel/asm-offsets.c | 20 +
28561 arch/x86/kernel/asm-offsets_64.c | 1 +
28562 arch/x86/kernel/cpu/Makefile | 4 -
28563 arch/x86/kernel/cpu/amd.c | 2 +-
28564 arch/x86/kernel/cpu/common.c | 75 +-
28565 arch/x86/kernel/cpu/intel.c | 2 +-
28566 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
28567 arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
28568 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
28569 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
28570 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
28571 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
28572 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
28573 arch/x86/kernel/cpu/perf_event.c | 8 +-
28574 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
28575 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
28576 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
28577 arch/x86/kernel/cpuid.c | 2 +-
28578 arch/x86/kernel/crash.c | 4 +-
28579 arch/x86/kernel/doublefault_32.c | 8 +-
28580 arch/x86/kernel/dumpstack.c | 30 +-
28581 arch/x86/kernel/dumpstack_32.c | 34 +-
28582 arch/x86/kernel/dumpstack_64.c | 63 +-
28583 arch/x86/kernel/early_printk.c | 1 +
28584 arch/x86/kernel/entry_32.S | 354 ++-
28585 arch/x86/kernel/entry_64.S | 530 ++-
28586 arch/x86/kernel/ftrace.c | 14 +-
28587 arch/x86/kernel/head64.c | 1 -
28588 arch/x86/kernel/head_32.S | 237 +-
28589 arch/x86/kernel/head_64.S | 120 +-
28590 arch/x86/kernel/i386_ksyms_32.c | 8 +
28591 arch/x86/kernel/i387.c | 2 +-
28592 arch/x86/kernel/i8259.c | 10 +-
28593 arch/x86/kernel/io_delay.c | 2 +-
28594 arch/x86/kernel/ioport.c | 2 +-
28595 arch/x86/kernel/irq.c | 8 +-
28596 arch/x86/kernel/irq_32.c | 69 +-
28597 arch/x86/kernel/irq_64.c | 2 +-
28598 arch/x86/kernel/kdebugfs.c | 2 +-
28599 arch/x86/kernel/kgdb.c | 25 +-
28600 arch/x86/kernel/kprobes/core.c | 30 +-
28601 arch/x86/kernel/kprobes/opt.c | 16 +-
28602 arch/x86/kernel/kvm.c | 2 +-
28603 arch/x86/kernel/ldt.c | 31 +-
28604 arch/x86/kernel/machine_kexec_32.c | 6 +-
28605 arch/x86/kernel/microcode_core.c | 2 +-
28606 arch/x86/kernel/microcode_intel.c | 4 +-
28607 arch/x86/kernel/module.c | 76 +-
28608 arch/x86/kernel/msr.c | 2 +-
28609 arch/x86/kernel/nmi.c | 19 +-
28610 arch/x86/kernel/nmi_selftest.c | 4 +-
28611 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
28612 arch/x86/kernel/paravirt.c | 43 +-
28613 arch/x86/kernel/pci-calgary_64.c | 2 +-
28614 arch/x86/kernel/pci-iommu_table.c | 2 +-
28615 arch/x86/kernel/pci-swiotlb.c | 2 +-
28616 arch/x86/kernel/process.c | 57 +-
28617 arch/x86/kernel/process_32.c | 29 +-
28618 arch/x86/kernel/process_64.c | 15 +-
28619 arch/x86/kernel/ptrace.c | 25 +-
28620 arch/x86/kernel/pvclock.c | 8 +-
28621 arch/x86/kernel/reboot.c | 44 +-
28622 arch/x86/kernel/relocate_kernel_64.S | 4 +-
28623 arch/x86/kernel/setup.c | 19 +-
28624 arch/x86/kernel/setup_percpu.c | 29 +-
28625 arch/x86/kernel/signal.c | 15 +-
28626 arch/x86/kernel/smp.c | 2 +-
28627 arch/x86/kernel/smpboot.c | 15 +-
28628 arch/x86/kernel/step.c | 10 +-
28629 arch/x86/kernel/sys_i386_32.c | 248 +
28630 arch/x86/kernel/sys_x86_64.c | 19 +-
28631 arch/x86/kernel/tboot.c | 14 +-
28632 arch/x86/kernel/time.c | 10 +-
28633 arch/x86/kernel/tls.c | 7 +-
28634 arch/x86/kernel/traps.c | 64 +-
28635 arch/x86/kernel/uprobes.c | 2 +-
28636 arch/x86/kernel/vm86_32.c | 6 +-
28637 arch/x86/kernel/vmlinux.lds.S | 148 +-
28638 arch/x86/kernel/vsyscall_64.c | 12 +-
28639 arch/x86/kernel/x8664_ksyms_64.c | 2 -
28640 arch/x86/kernel/x86_init.c | 8 +-
28641 arch/x86/kernel/xsave.c | 2 +
28642 arch/x86/kvm/cpuid.c | 21 +-
28643 arch/x86/kvm/emulate.c | 4 +-
28644 arch/x86/kvm/lapic.c | 2 +-
28645 arch/x86/kvm/paging_tmpl.h | 2 +-
28646 arch/x86/kvm/svm.c | 8 +
28647 arch/x86/kvm/vmx.c | 57 +-
28648 arch/x86/kvm/x86.c | 10 +-
28649 arch/x86/lguest/boot.c | 3 +-
28650 arch/x86/lib/atomic64_386_32.S | 164 +
28651 arch/x86/lib/atomic64_cx8_32.S | 103 +-
28652 arch/x86/lib/checksum_32.S | 100 +-
28653 arch/x86/lib/clear_page_64.S | 5 +-
28654 arch/x86/lib/cmpxchg16b_emu.S | 2 +
28655 arch/x86/lib/copy_page_64.S | 24 +-
28656 arch/x86/lib/copy_user_64.S | 47 +-
28657 arch/x86/lib/copy_user_nocache_64.S | 20 +-
28658 arch/x86/lib/csum-copy_64.S | 2 +
28659 arch/x86/lib/csum-wrappers_64.c | 4 +-
28660 arch/x86/lib/getuser.S | 70 +-
28661 arch/x86/lib/insn.c | 6 +-
28662 arch/x86/lib/iomap_copy_64.S | 2 +
28663 arch/x86/lib/memcpy_64.S | 18 +-
28664 arch/x86/lib/memmove_64.S | 34 +-
28665 arch/x86/lib/memset_64.S | 7 +-
28666 arch/x86/lib/mmx_32.c | 243 +-
28667 arch/x86/lib/msr-reg.S | 18 +-
28668 arch/x86/lib/putuser.S | 90 +-
28669 arch/x86/lib/rwlock.S | 42 +
28670 arch/x86/lib/rwsem.S | 6 +-
28671 arch/x86/lib/thunk_64.S | 2 +
28672 arch/x86/lib/usercopy_32.c | 376 +-
28673 arch/x86/lib/usercopy_64.c | 25 +-
28674 arch/x86/mm/extable.c | 25 +-
28675 arch/x86/mm/fault.c | 556 ++-
28676 arch/x86/mm/gup.c | 2 +-
28677 arch/x86/mm/highmem_32.c | 4 +
28678 arch/x86/mm/hugetlbpage.c | 30 +-
28679 arch/x86/mm/init.c | 90 +-
28680 arch/x86/mm/init_32.c | 119 +-
28681 arch/x86/mm/init_64.c | 44 +-
28682 arch/x86/mm/iomap_32.c | 4 +
28683 arch/x86/mm/ioremap.c | 15 +-
28684 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
28685 arch/x86/mm/mmap.c | 41 +-
28686 arch/x86/mm/mmio-mod.c | 10 +-
28687 arch/x86/mm/numa.c | 2 +-
28688 arch/x86/mm/pageattr-test.c | 2 +-
28689 arch/x86/mm/pageattr.c | 33 +-
28690 arch/x86/mm/pat.c | 12 +-
28691 arch/x86/mm/pf_in.c | 10 +-
28692 arch/x86/mm/pgtable.c | 137 +-
28693 arch/x86/mm/pgtable_32.c | 3 +
28694 arch/x86/mm/physaddr.c | 4 +-
28695 arch/x86/mm/setup_nx.c | 7 +
28696 arch/x86/mm/tlb.c | 4 +
28697 arch/x86/net/bpf_jit.S | 14 +
28698 arch/x86/net/bpf_jit_comp.c | 37 +-
28699 arch/x86/oprofile/backtrace.c | 8 +-
28700 arch/x86/oprofile/nmi_int.c | 8 +-
28701 arch/x86/oprofile/op_model_amd.c | 8 +-
28702 arch/x86/oprofile/op_model_ppro.c | 7 +-
28703 arch/x86/oprofile/op_x86_model.h | 2 +-
28704 arch/x86/pci/amd_bus.c | 2 +-
28705 arch/x86/pci/irq.c | 8 +-
28706 arch/x86/pci/mrst.c | 4 +-
28707 arch/x86/pci/pcbios.c | 144 +-
28708 arch/x86/platform/efi/efi_32.c | 19 +
28709 arch/x86/platform/efi/efi_stub_32.S | 64 +-
28710 arch/x86/platform/efi/efi_stub_64.S | 8 +
28711 arch/x86/platform/mrst/mrst.c | 6 +-
28712 arch/x86/platform/olpc/olpc_dt.c | 2 +-
28713 arch/x86/power/cpu.c | 4 +-
28714 arch/x86/realmode/init.c | 8 +-
28715 arch/x86/realmode/rm/Makefile | 3 +
28716 arch/x86/realmode/rm/header.S | 4 +-
28717 arch/x86/realmode/rm/trampoline_32.S | 12 +-
28718 arch/x86/realmode/rm/trampoline_64.S | 2 +-
28719 arch/x86/tools/relocs.c | 95 +-
28720 arch/x86/vdso/Makefile | 2 +-
28721 arch/x86/vdso/vdso32-setup.c | 23 +-
28722 arch/x86/vdso/vma.c | 29 +-
28723 arch/x86/xen/enlighten.c | 47 +-
28724 arch/x86/xen/mmu.c | 9 +
28725 arch/x86/xen/smp.c | 18 +-
28726 arch/x86/xen/xen-asm_32.S | 12 +-
28727 arch/x86/xen/xen-head.S | 11 +
28728 arch/x86/xen/xen-ops.h | 2 -
28729 block/blk-iopoll.c | 4 +-
28730 block/blk-map.c | 2 +-
28731 block/blk-softirq.c | 4 +-
28732 block/bsg.c | 12 +-
28733 block/compat_ioctl.c | 2 +-
28734 block/partitions/efi.c | 8 +-
28735 block/scsi_ioctl.c | 27 +-
28736 crypto/cryptd.c | 4 +-
28737 drivers/acpi/apei/apei-internal.h | 2 +-
28738 drivers/acpi/apei/cper.c | 8 +-
28739 drivers/acpi/bgrt.c | 6 +-
28740 drivers/acpi/blacklist.c | 4 +-
28741 drivers/acpi/ec_sys.c | 12 +-
28742 drivers/acpi/processor_idle.c | 2 +-
28743 drivers/acpi/sysfs.c | 4 +-
28744 drivers/ata/libahci.c | 2 +-
28745 drivers/ata/libata-core.c | 8 +-
28746 drivers/ata/pata_arasan_cf.c | 4 +-
28747 drivers/atm/adummy.c | 2 +-
28748 drivers/atm/ambassador.c | 8 +-
28749 drivers/atm/atmtcp.c | 14 +-
28750 drivers/atm/eni.c | 10 +-
28751 drivers/atm/firestream.c | 8 +-
28752 drivers/atm/fore200e.c | 14 +-
28753 drivers/atm/he.c | 18 +-
28754 drivers/atm/horizon.c | 4 +-
28755 drivers/atm/idt77252.c | 36 +-
28756 drivers/atm/iphase.c | 34 +-
28757 drivers/atm/lanai.c | 12 +-
28758 drivers/atm/nicstar.c | 46 +-
28759 drivers/atm/solos-pci.c | 4 +-
28760 drivers/atm/suni.c | 4 +-
28761 drivers/atm/uPD98402.c | 16 +-
28762 drivers/atm/zatm.c | 6 +-
28763 drivers/base/bus.c | 4 +-
28764 drivers/base/devtmpfs.c | 2 +-
28765 drivers/base/node.c | 2 +-
28766 drivers/base/power/domain.c | 4 +-
28767 drivers/base/power/wakeup.c | 8 +-
28768 drivers/base/syscore.c | 4 +-
28769 drivers/block/cciss.c | 28 +-
28770 drivers/block/cciss.h | 2 +-
28771 drivers/block/cpqarray.c | 28 +-
28772 drivers/block/cpqarray.h | 2 +-
28773 drivers/block/drbd/drbd_int.h | 6 +-
28774 drivers/block/drbd/drbd_main.c | 8 +-
28775 drivers/block/drbd/drbd_receiver.c | 22 +-
28776 drivers/block/loop.c | 2 +-
28777 drivers/block/pktcdvd.c | 2 +-
28778 drivers/cdrom/cdrom.c | 9 +-
28779 drivers/cdrom/gdrom.c | 1 -
28780 drivers/char/agp/frontend.c | 2 +-
28781 drivers/char/hpet.c | 2 +-
28782 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
28783 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
28784 drivers/char/mem.c | 41 +-
28785 drivers/char/nvram.c | 2 +-
28786 drivers/char/pcmcia/synclink_cs.c | 18 +-
28787 drivers/char/random.c | 10 +-
28788 drivers/char/sonypi.c | 9 +-
28789 drivers/char/tpm/tpm_acpi.c | 3 +-
28790 drivers/char/tpm/tpm_eventlog.c | 7 +-
28791 drivers/char/virtio_console.c | 4 +-
28792 drivers/clocksource/arm_arch_timer.c | 2 +-
28793 drivers/clocksource/metag_generic.c | 2 +-
28794 drivers/cpufreq/acpi-cpufreq.c | 20 +-
28795 drivers/cpufreq/cpufreq.c | 9 +-
28796 drivers/cpufreq/cpufreq_governor.c | 4 +-
28797 drivers/cpufreq/cpufreq_governor.h | 2 +-
28798 drivers/cpufreq/cpufreq_stats.c | 2 +-
28799 drivers/cpufreq/p4-clockmod.c | 12 +-
28800 drivers/cpufreq/speedstep-centrino.c | 7 +-
28801 drivers/cpuidle/cpuidle.c | 2 +-
28802 drivers/cpuidle/governor.c | 4 +-
28803 drivers/cpuidle/sysfs.c | 2 +-
28804 drivers/devfreq/devfreq.c | 4 +-
28805 drivers/dma/sh/shdma.c | 2 +-
28806 drivers/edac/edac_mc_sysfs.c | 12 +-
28807 drivers/edac/edac_pci_sysfs.c | 22 +-
28808 drivers/edac/mce_amd.h | 2 +-
28809 drivers/firewire/core-card.c | 2 +-
28810 drivers/firewire/core-cdev.c | 3 +-
28811 drivers/firewire/core-device.c | 2 +-
28812 drivers/firewire/core-transaction.c | 1 +
28813 drivers/firewire/core.h | 1 +
28814 drivers/firmware/dmi-id.c | 2 +-
28815 drivers/firmware/dmi_scan.c | 7 +-
28816 drivers/firmware/efivars.c | 4 +-
28817 drivers/firmware/google/memconsole.c | 4 +-
28818 drivers/gpio/gpio-ich.c | 2 +-
28819 drivers/gpio/gpio-vr41xx.c | 2 +-
28820 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
28821 drivers/gpu/drm/drm_drv.c | 6 +-
28822 drivers/gpu/drm/drm_fops.c | 18 +-
28823 drivers/gpu/drm/drm_global.c | 14 +-
28824 drivers/gpu/drm/drm_info.c | 14 +-
28825 drivers/gpu/drm/drm_ioc32.c | 13 +-
28826 drivers/gpu/drm/drm_ioctl.c | 2 +-
28827 drivers/gpu/drm/drm_lock.c | 4 +-
28828 drivers/gpu/drm/drm_stub.c | 2 +-
28829 drivers/gpu/drm/i810/i810_dma.c | 8 +-
28830 drivers/gpu/drm/i810/i810_drv.h | 4 +-
28831 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
28832 drivers/gpu/drm/i915/i915_dma.c | 2 +-
28833 drivers/gpu/drm/i915/i915_drv.h | 4 +-
28834 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
28835 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
28836 drivers/gpu/drm/i915/i915_irq.c | 22 +-
28837 drivers/gpu/drm/i915/intel_display.c | 26 +-
28838 drivers/gpu/drm/mga/mga_drv.h | 4 +-
28839 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
28840 drivers/gpu/drm/mga/mga_irq.c | 8 +-
28841 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
28842 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
28843 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
28844 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
28845 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
28846 drivers/gpu/drm/r128/r128_cce.c | 2 +-
28847 drivers/gpu/drm/r128/r128_drv.h | 4 +-
28848 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
28849 drivers/gpu/drm/r128/r128_irq.c | 4 +-
28850 drivers/gpu/drm/r128/r128_state.c | 4 +-
28851 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
28852 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
28853 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
28854 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
28855 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
28856 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
28857 drivers/gpu/drm/radeon/radeon_ttm.c | 37 +-
28858 drivers/gpu/drm/radeon/rs690.c | 4 +-
28859 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
28860 drivers/gpu/drm/udl/udl_fb.c | 1 -
28861 drivers/gpu/drm/via/via_drv.h | 4 +-
28862 drivers/gpu/drm/via/via_irq.c | 18 +-
28863 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
28864 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
28865 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
28866 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
28867 drivers/hid/hid-core.c | 4 +-
28868 drivers/hv/channel.c | 4 +-
28869 drivers/hv/hv.c | 2 +-
28870 drivers/hv/hyperv_vmbus.h | 2 +-
28871 drivers/hv/vmbus_drv.c | 4 +-
28872 drivers/hwmon/acpi_power_meter.c | 4 +-
28873 drivers/hwmon/applesmc.c | 2 +-
28874 drivers/hwmon/asus_atk0110.c | 10 +-
28875 drivers/hwmon/coretemp.c | 2 +-
28876 drivers/hwmon/ibmaem.c | 2 +-
28877 drivers/hwmon/sht15.c | 12 +-
28878 drivers/hwmon/via-cputemp.c | 2 +-
28879 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
28880 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
28881 drivers/ide/ide-cd.c | 2 +-
28882 drivers/iio/industrialio-core.c | 2 +-
28883 drivers/infiniband/core/cm.c | 32 +-
28884 drivers/infiniband/core/fmr_pool.c | 20 +-
28885 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
28886 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
28887 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
28888 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
28889 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
28890 drivers/infiniband/hw/nes/nes.c | 4 +-
28891 drivers/infiniband/hw/nes/nes.h | 40 +-
28892 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
28893 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
28894 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
28895 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
28896 drivers/infiniband/hw/qib/qib.h | 1 +
28897 drivers/input/gameport/gameport.c | 4 +-
28898 drivers/input/input.c | 4 +-
28899 drivers/input/joystick/sidewinder.c | 1 +
28900 drivers/input/joystick/xpad.c | 4 +-
28901 drivers/input/mouse/psmouse.h | 2 +-
28902 drivers/input/mousedev.c | 2 +-
28903 drivers/input/serio/serio.c | 4 +-
28904 drivers/iommu/iommu.c | 2 +-
28905 drivers/iommu/irq_remapping.c | 10 +-
28906 drivers/irqchip/irq-gic.c | 4 +-
28907 drivers/isdn/capi/capi.c | 10 +-
28908 drivers/isdn/gigaset/interface.c | 8 +-
28909 drivers/isdn/hardware/avm/b1.c | 4 +-
28910 drivers/isdn/i4l/isdn_tty.c | 22 +-
28911 drivers/isdn/icn/icn.c | 2 +-
28912 drivers/leds/leds-clevo-mail.c | 2 +-
28913 drivers/leds/leds-ss4200.c | 2 +-
28914 drivers/lguest/core.c | 10 +-
28915 drivers/lguest/page_tables.c | 2 +-
28916 drivers/lguest/x86/core.c | 12 +-
28917 drivers/lguest/x86/switcher_32.S | 27 +-
28918 drivers/md/bitmap.c | 2 +-
28919 drivers/md/dm-ioctl.c | 2 +-
28920 drivers/md/dm-raid1.c | 16 +-
28921 drivers/md/dm-stripe.c | 10 +-
28922 drivers/md/dm-table.c | 2 +-
28923 drivers/md/dm-thin-metadata.c | 4 +-
28924 drivers/md/dm.c | 16 +-
28925 drivers/md/md.c | 26 +-
28926 drivers/md/md.h | 6 +-
28927 drivers/md/persistent-data/dm-space-map.h | 1 +
28928 drivers/md/raid1.c | 4 +-
28929 drivers/md/raid10.c | 16 +-
28930 drivers/md/raid5.c | 10 +-
28931 drivers/media/dvb-core/dvbdev.c | 2 +-
28932 drivers/media/dvb-frontends/dib3000.h | 2 +-
28933 drivers/media/pci/cx88/cx88-video.c | 6 +-
28934 drivers/media/platform/omap/omap_vout.c | 11 +-
28935 drivers/media/platform/s5p-tv/mixer.h | 2 +-
28936 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
28937 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
28938 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
28939 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
28940 drivers/media/radio/radio-cadet.c | 2 +
28941 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
28942 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
28943 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
28944 drivers/message/fusion/mptsas.c | 34 +-
28945 drivers/message/fusion/mptscsih.c | 19 +-
28946 drivers/message/i2o/i2o_proc.c | 51 +-
28947 drivers/message/i2o/iop.c | 8 +-
28948 drivers/mfd/janz-cmodio.c | 1 +
28949 drivers/mfd/twl4030-irq.c | 9 +-
28950 drivers/mfd/twl6030-irq.c | 10 +-
28951 drivers/misc/c2port/core.c | 4 +-
28952 drivers/misc/kgdbts.c | 4 +-
28953 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
28954 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
28955 drivers/misc/sgi-gru/gruhandles.c | 4 +-
28956 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
28957 drivers/misc/sgi-gru/grutables.h | 154 +-
28958 drivers/misc/sgi-xp/xp.h | 2 +-
28959 drivers/misc/sgi-xp/xpc.h | 3 +-
28960 drivers/misc/sgi-xp/xpc_main.c | 4 +-
28961 drivers/mmc/core/mmc_ops.c | 2 +-
28962 drivers/mmc/host/dw_mmc.h | 2 +-
28963 drivers/mmc/host/sdhci-s3c.c | 8 +-
28964 drivers/mtd/devices/doc2000.c | 2 +-
28965 drivers/mtd/nand/denali.c | 1 +
28966 drivers/mtd/nftlmount.c | 1 +
28967 drivers/mtd/sm_ftl.c | 2 +-
28968 drivers/net/bonding/bond_main.c | 2 +-
28969 drivers/net/ethernet/8390/ax88796.c | 4 +-
28970 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
28971 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
28972 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
28973 drivers/net/ethernet/broadcom/tg3.h | 1 +
28974 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
28975 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
28976 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
28977 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
28978 drivers/net/ethernet/faraday/ftmac100.c | 2 +
28979 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
28980 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
28981 drivers/net/ethernet/realtek/r8169.c | 8 +-
28982 drivers/net/ethernet/sfc/ptp.c | 2 +-
28983 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
28984 drivers/net/hyperv/hyperv_net.h | 2 +-
28985 drivers/net/hyperv/rndis_filter.c | 4 +-
28986 drivers/net/ieee802154/fakehard.c | 2 +-
28987 drivers/net/macvlan.c | 18 +-
28988 drivers/net/macvtap.c | 2 +-
28989 drivers/net/ppp/ppp_generic.c | 4 +-
28990 drivers/net/slip/slhc.c | 2 +-
28991 drivers/net/team/team.c | 2 +-
28992 drivers/net/tun.c | 5 +-
28993 drivers/net/usb/hso.c | 23 +-
28994 drivers/net/vxlan.c | 2 +-
28995 drivers/net/wireless/at76c50x-usb.c | 2 +-
28996 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
28997 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
28998 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
28999 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
29000 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
29001 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
29002 drivers/net/wireless/mac80211_hwsim.c | 32 +-
29003 drivers/net/wireless/rndis_wlan.c | 2 +-
29004 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
29005 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
29006 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
29007 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
29008 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
29009 drivers/oprofile/buffer_sync.c | 8 +-
29010 drivers/oprofile/event_buffer.c | 2 +-
29011 drivers/oprofile/oprof.c | 2 +-
29012 drivers/oprofile/oprofile_files.c | 2 +-
29013 drivers/oprofile/oprofile_stats.c | 10 +-
29014 drivers/oprofile/oprofile_stats.h | 10 +-
29015 drivers/oprofile/oprofilefs.c | 2 +-
29016 drivers/oprofile/timer_int.c | 2 +-
29017 drivers/parport/procfs.c | 4 +-
29018 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
29019 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
29020 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
29021 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
29022 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
29023 drivers/pci/hotplug/pciehp_core.c | 2 +-
29024 drivers/pci/pci-sysfs.c | 6 +-
29025 drivers/pci/pci.h | 2 +-
29026 drivers/pci/pcie/aspm.c | 6 +-
29027 drivers/pci/probe.c | 2 +-
29028 drivers/platform/x86/msi-laptop.c | 14 +-
29029 drivers/platform/x86/sony-laptop.c | 2 +-
29030 drivers/platform/x86/thinkpad_acpi.c | 70 +-
29031 drivers/pnp/pnpbios/bioscalls.c | 14 +-
29032 drivers/pnp/resource.c | 4 +-
29033 drivers/power/pda_power.c | 7 +-
29034 drivers/power/power_supply.h | 4 +-
29035 drivers/power/power_supply_core.c | 7 +-
29036 drivers/power/power_supply_sysfs.c | 6 +-
29037 drivers/regulator/max8660.c | 6 +-
29038 drivers/regulator/max8973-regulator.c | 8 +-
29039 drivers/regulator/mc13892-regulator.c | 6 +-
29040 drivers/rtc/rtc-cmos.c | 4 +-
29041 drivers/rtc/rtc-ds1307.c | 2 +-
29042 drivers/rtc/rtc-m48t59.c | 4 +-
29043 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
29044 drivers/scsi/bfa/bfa_ioc.h | 4 +-
29045 drivers/scsi/hosts.c | 4 +-
29046 drivers/scsi/hpsa.c | 30 +-
29047 drivers/scsi/hpsa.h | 2 +-
29048 drivers/scsi/libfc/fc_exch.c | 50 +-
29049 drivers/scsi/libsas/sas_ata.c | 2 +-
29050 drivers/scsi/lpfc/lpfc.h | 8 +-
29051 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
29052 drivers/scsi/lpfc/lpfc_init.c | 6 +-
29053 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
29054 drivers/scsi/pmcraid.c | 20 +-
29055 drivers/scsi/pmcraid.h | 8 +-
29056 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
29057 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
29058 drivers/scsi/qla2xxx/qla_os.c | 6 +-
29059 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
29060 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
29061 drivers/scsi/scsi.c | 2 +-
29062 drivers/scsi/scsi_lib.c | 6 +-
29063 drivers/scsi/scsi_sysfs.c | 2 +-
29064 drivers/scsi/scsi_tgt_lib.c | 2 +-
29065 drivers/scsi/scsi_transport_fc.c | 8 +-
29066 drivers/scsi/scsi_transport_iscsi.c | 6 +-
29067 drivers/scsi/scsi_transport_srp.c | 6 +-
29068 drivers/scsi/sd.c | 2 +-
29069 drivers/scsi/sg.c | 2 +-
29070 drivers/spi/spi.c | 2 +-
29071 drivers/staging/iio/iio_hwmon.c | 2 +-
29072 drivers/staging/octeon/ethernet-rx.c | 12 +-
29073 drivers/staging/octeon/ethernet.c | 8 +-
29074 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
29075 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
29076 drivers/staging/usbip/vhci.h | 2 +-
29077 drivers/staging/usbip/vhci_hcd.c | 6 +-
29078 drivers/staging/usbip/vhci_rx.c | 2 +-
29079 drivers/staging/vt6655/hostap.c | 7 +-
29080 drivers/staging/vt6656/hostap.c | 7 +-
29081 drivers/staging/zcache/tmem.c | 4 +-
29082 drivers/staging/zcache/tmem.h | 2 +
29083 drivers/target/target_core_device.c | 2 +-
29084 drivers/target/target_core_transport.c | 2 +-
29085 drivers/tty/cyclades.c | 6 +-
29086 drivers/tty/hvc/hvc_console.c | 14 +-
29087 drivers/tty/hvc/hvcs.c | 21 +-
29088 drivers/tty/ipwireless/tty.c | 27 +-
29089 drivers/tty/moxa.c | 2 +-
29090 drivers/tty/n_gsm.c | 4 +-
29091 drivers/tty/n_tty.c | 3 +-
29092 drivers/tty/pty.c | 4 +-
29093 drivers/tty/rocket.c | 6 +-
29094 drivers/tty/serial/kgdboc.c | 32 +-
29095 drivers/tty/serial/samsung.c | 9 +-
29096 drivers/tty/serial/serial_core.c | 8 +-
29097 drivers/tty/synclink.c | 34 +-
29098 drivers/tty/synclink_gt.c | 28 +-
29099 drivers/tty/synclinkmp.c | 34 +-
29100 drivers/tty/tty_io.c | 2 +-
29101 drivers/tty/tty_ldisc.c | 10 +-
29102 drivers/tty/tty_port.c | 22 +-
29103 drivers/uio/uio.c | 21 +-
29104 drivers/usb/atm/cxacru.c | 2 +-
29105 drivers/usb/atm/usbatm.c | 24 +-
29106 drivers/usb/core/devices.c | 6 +-
29107 drivers/usb/core/hcd.c | 4 +-
29108 drivers/usb/core/message.c | 2 +-
29109 drivers/usb/core/sysfs.c | 2 +-
29110 drivers/usb/core/usb.c | 2 +-
29111 drivers/usb/early/ehci-dbgp.c | 16 +-
29112 drivers/usb/gadget/u_serial.c | 22 +-
29113 drivers/usb/serial/console.c | 6 +-
29114 drivers/usb/storage/usb.h | 2 +-
29115 drivers/usb/wusbcore/wa-hc.h | 4 +-
29116 drivers/usb/wusbcore/wa-xfer.c | 2 +-
29117 drivers/video/aty/aty128fb.c | 2 +-
29118 drivers/video/aty/atyfb_base.c | 8 +-
29119 drivers/video/aty/mach64_cursor.c | 5 +-
29120 drivers/video/backlight/kb3886_bl.c | 2 +-
29121 drivers/video/fb_defio.c | 6 +-
29122 drivers/video/fbcmap.c | 3 +-
29123 drivers/video/fbmem.c | 6 +-
29124 drivers/video/i810/i810_accel.c | 1 +
29125 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
29126 drivers/video/nvidia/nvidia.c | 27 +-
29127 drivers/video/s1d13xxxfb.c | 6 +-
29128 drivers/video/smscufx.c | 4 +-
29129 drivers/video/udlfb.c | 36 +-
29130 drivers/video/uvesafb.c | 53 +-
29131 drivers/video/vesafb.c | 58 +-
29132 drivers/video/via/via_clock.h | 2 +-
29133 fs/9p/vfs_inode.c | 2 +-
29134 fs/Kconfig.binfmt | 2 +-
29135 fs/aio.c | 11 +-
29136 fs/autofs4/waitq.c | 2 +-
29137 fs/befs/endian.h | 4 +-
29138 fs/befs/linuxvfs.c | 2 +-
29139 fs/binfmt_aout.c | 23 +-
29140 fs/binfmt_elf.c | 605 +++-
29141 fs/binfmt_flat.c | 6 +
29142 fs/bio.c | 6 +-
29143 fs/block_dev.c | 2 +-
29144 fs/btrfs/ctree.c | 9 +-
29145 fs/btrfs/super.c | 2 +-
29146 fs/cachefiles/bind.c | 6 +-
29147 fs/cachefiles/daemon.c | 8 +-
29148 fs/cachefiles/internal.h | 12 +-
29149 fs/cachefiles/namei.c | 2 +-
29150 fs/cachefiles/proc.c | 12 +-
29151 fs/cachefiles/rdwr.c | 2 +-
29152 fs/ceph/dir.c | 2 +-
29153 fs/cifs/cifs_debug.c | 12 +-
29154 fs/cifs/cifsfs.c | 8 +-
29155 fs/cifs/cifsglob.h | 54 +-
29156 fs/cifs/link.c | 2 +-
29157 fs/cifs/misc.c | 4 +-
29158 fs/cifs/smb1ops.c | 80 +-
29159 fs/cifs/smb2ops.c | 84 +-
29160 fs/cifs/smb2pdu.c | 3 +-
29161 fs/coda/cache.c | 10 +-
29162 fs/compat.c | 6 +-
29163 fs/compat_binfmt_elf.c | 2 +
29164 fs/compat_ioctl.c | 8 +-
29165 fs/configfs/dir.c | 10 +-
29166 fs/coredump.c | 24 +-
29167 fs/dcache.c | 2 +-
29168 fs/ecryptfs/inode.c | 4 +-
29169 fs/ecryptfs/miscdev.c | 2 +-
29170 fs/ecryptfs/read_write.c | 2 +-
29171 fs/exec.c | 362 ++-
29172 fs/ext4/ext4.h | 20 +-
29173 fs/ext4/mballoc.c | 44 +-
29174 fs/ext4/super.c | 2 +-
29175 fs/fhandle.c | 3 +-
29176 fs/fifo.c | 22 +-
29177 fs/fs_struct.c | 8 +-
29178 fs/fscache/cookie.c | 36 +-
29179 fs/fscache/internal.h | 196 +-
29180 fs/fscache/object.c | 28 +-
29181 fs/fscache/operation.c | 30 +-
29182 fs/fscache/page.c | 110 +-
29183 fs/fscache/stats.c | 344 +-
29184 fs/fuse/cuse.c | 10 +-
29185 fs/fuse/dev.c | 2 +-
29186 fs/fuse/dir.c | 2 +-
29187 fs/gfs2/inode.c | 2 +-
29188 fs/hugetlbfs/inode.c | 13 +-
29189 fs/inode.c | 4 +-
29190 fs/jffs2/erase.c | 3 +-
29191 fs/jffs2/wbuf.c | 3 +-
29192 fs/jfs/super.c | 6 +-
29193 fs/libfs.c | 10 +-
29194 fs/lockd/clntproc.c | 4 +-
29195 fs/locks.c | 8 +-
29196 fs/namei.c | 15 +-
29197 fs/namespace.c | 2 +-
29198 fs/nfs/callback_xdr.c | 2 +-
29199 fs/nfs/inode.c | 6 +-
29200 fs/nfsd/nfs4proc.c | 2 +-
29201 fs/nfsd/nfs4xdr.c | 6 +-
29202 fs/nfsd/nfscache.c | 8 +-
29203 fs/nfsd/vfs.c | 6 +-
29204 fs/nls/nls_base.c | 18 +-
29205 fs/nls/nls_euc-jp.c | 6 +-
29206 fs/nls/nls_koi8-ru.c | 6 +-
29207 fs/notify/fanotify/fanotify_user.c | 4 +-
29208 fs/notify/notification.c | 4 +-
29209 fs/ntfs/dir.c | 2 +-
29210 fs/ntfs/file.c | 4 +-
29211 fs/ocfs2/localalloc.c | 2 +-
29212 fs/ocfs2/ocfs2.h | 10 +-
29213 fs/ocfs2/suballoc.c | 12 +-
29214 fs/ocfs2/super.c | 20 +-
29215 fs/pipe.c | 33 +-
29216 fs/proc/array.c | 20 +
29217 fs/proc/base.c | 4 +-
29218 fs/proc/kcore.c | 32 +-
29219 fs/proc/meminfo.c | 2 +-
29220 fs/proc/nommu.c | 2 +-
29221 fs/proc/proc_sysctl.c | 18 +-
29222 fs/proc/self.c | 2 +-
29223 fs/proc/task_mmu.c | 39 +-
29224 fs/proc/task_nommu.c | 4 +-
29225 fs/qnx6/qnx6.h | 4 +-
29226 fs/quota/netlink.c | 4 +-
29227 fs/readdir.c | 2 +-
29228 fs/reiserfs/do_balan.c | 2 +-
29229 fs/reiserfs/procfs.c | 2 +-
29230 fs/reiserfs/reiserfs.h | 4 +-
29231 fs/seq_file.c | 2 +-
29232 fs/splice.c | 36 +-
29233 fs/sysfs/bin.c | 6 +-
29234 fs/sysfs/dir.c | 2 +-
29235 fs/sysfs/file.c | 10 +-
29236 fs/sysfs/symlink.c | 2 +-
29237 fs/sysv/sysv.h | 2 +-
29238 fs/ubifs/io.c | 2 +-
29239 fs/udf/misc.c | 2 +-
29240 fs/ufs/swab.h | 4 +-
29241 fs/xattr.c | 21 +
29242 fs/xattr_acl.c | 4 +-
29243 fs/xfs/xfs_bmap.c | 2 +-
29244 fs/xfs/xfs_dir2_sf.c | 10 +-
29245 fs/xfs/xfs_ioctl.c | 2 +-
29246 fs/xfs/xfs_iops.c | 2 +-
29247 include/asm-generic/4level-fixup.h | 2 +
29248 include/asm-generic/atomic-long.h | 210 +
29249 include/asm-generic/atomic.h | 2 +-
29250 include/asm-generic/atomic64.h | 12 +
29251 include/asm-generic/cache.h | 4 +-
29252 include/asm-generic/emergency-restart.h | 2 +-
29253 include/asm-generic/kmap_types.h | 4 +-
29254 include/asm-generic/local.h | 13 +
29255 include/asm-generic/pgtable-nopmd.h | 18 +-
29256 include/asm-generic/pgtable-nopud.h | 15 +-
29257 include/asm-generic/pgtable.h | 8 +
29258 include/asm-generic/vmlinux.lds.h | 10 +-
29259 include/crypto/algapi.h | 2 +-
29260 include/drm/drmP.h | 17 +-
29261 include/drm/drm_crtc_helper.h | 2 +-
29262 include/drm/ttm/ttm_memory.h | 2 +-
29263 include/keys/asymmetric-subtype.h | 2 +-
29264 include/linux/atmdev.h | 4 +-
29265 include/linux/binfmts.h | 3 +-
29266 include/linux/blkdev.h | 2 +-
29267 include/linux/blktrace_api.h | 2 +-
29268 include/linux/cache.h | 4 +
29269 include/linux/cdrom.h | 1 -
29270 include/linux/cleancache.h | 2 +-
29271 include/linux/compat.h | 6 +-
29272 include/linux/compiler-gcc4.h | 20 +
29273 include/linux/compiler.h | 65 +-
29274 include/linux/completion.h | 6 +-
29275 include/linux/configfs.h | 2 +-
29276 include/linux/cpu.h | 2 +-
29277 include/linux/cpufreq.h | 3 +-
29278 include/linux/cpuidle.h | 5 +-
29279 include/linux/cpumask.h | 12 +-
29280 include/linux/crypto.h | 6 +-
29281 include/linux/ctype.h | 2 +-
29282 include/linux/decompress/mm.h | 2 +-
29283 include/linux/devfreq.h | 2 +-
29284 include/linux/device.h | 7 +-
29285 include/linux/dma-mapping.h | 2 +-
29286 include/linux/dmaengine.h | 4 +-
29287 include/linux/efi.h | 1 +
29288 include/linux/elf.h | 2 +
29289 include/linux/err.h | 4 +-
29290 include/linux/extcon.h | 2 +-
29291 include/linux/fb.h | 2 +-
29292 include/linux/filter.h | 4 +
29293 include/linux/frontswap.h | 2 +-
29294 include/linux/fs.h | 3 +-
29295 include/linux/fs_struct.h | 2 +-
29296 include/linux/fscache-cache.h | 4 +-
29297 include/linux/fscache.h | 2 +-
29298 include/linux/fsnotify.h | 2 +-
29299 include/linux/ftrace_event.h | 2 +-
29300 include/linux/genhd.h | 2 +-
29301 include/linux/genl_magic_func.h | 2 +-
29302 include/linux/gfp.h | 12 +-
29303 include/linux/highmem.h | 12 +
29304 include/linux/hwmon-sysfs.h | 5 +-
29305 include/linux/i2c.h | 1 +
29306 include/linux/i2o.h | 2 +-
29307 include/linux/if_pppox.h | 2 +-
29308 include/linux/init.h | 33 +-
29309 include/linux/init_task.h | 7 +
29310 include/linux/interrupt.h | 8 +-
29311 include/linux/iommu.h | 2 +-
29312 include/linux/ioport.h | 2 +-
29313 include/linux/irq.h | 3 +-
29314 include/linux/irqchip/arm-gic.h | 2 +-
29315 include/linux/key-type.h | 2 +-
29316 include/linux/kgdb.h | 6 +-
29317 include/linux/kobject.h | 3 +-
29318 include/linux/kobject_ns.h | 2 +-
29319 include/linux/kref.h | 2 +-
29320 include/linux/kvm_host.h | 4 +-
29321 include/linux/libata.h | 2 +-
29322 include/linux/list.h | 15 +
29323 include/linux/math64.h | 6 +-
29324 include/linux/mm.h | 110 +-
29325 include/linux/mm_types.h | 20 +
29326 include/linux/mmiotrace.h | 4 +-
29327 include/linux/mmzone.h | 2 +-
29328 include/linux/mod_devicetable.h | 6 +-
29329 include/linux/module.h | 60 +-
29330 include/linux/moduleloader.h | 16 +
29331 include/linux/moduleparam.h | 4 +-
29332 include/linux/namei.h | 6 +-
29333 include/linux/net.h | 2 +-
29334 include/linux/netdevice.h | 3 +-
29335 include/linux/netfilter.h | 2 +-
29336 include/linux/netfilter/ipset/ip_set.h | 2 +-
29337 include/linux/netfilter/nfnetlink.h | 2 +-
29338 include/linux/nls.h | 2 +-
29339 include/linux/notifier.h | 3 +-
29340 include/linux/oprofile.h | 4 +-
29341 include/linux/pci_hotplug.h | 3 +-
29342 include/linux/perf_event.h | 12 +-
29343 include/linux/pipe_fs_i.h | 6 +-
29344 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
29345 include/linux/platform_data/usb-exynos.h | 2 +-
29346 include/linux/pm_domain.h | 2 +-
29347 include/linux/pm_runtime.h | 2 +-
29348 include/linux/pnp.h | 2 +-
29349 include/linux/poison.h | 4 +-
29350 include/linux/power/smartreflex.h | 2 +-
29351 include/linux/ppp-comp.h | 2 +-
29352 include/linux/proc_fs.h | 2 +-
29353 include/linux/random.h | 5 +
29354 include/linux/rculist.h | 16 +
29355 include/linux/reboot.h | 14 +-
29356 include/linux/regset.h | 3 +-
29357 include/linux/relay.h | 2 +-
29358 include/linux/rio.h | 2 +-
29359 include/linux/rmap.h | 4 +-
29360 include/linux/sched.h | 67 +-
29361 include/linux/sched/sysctl.h | 1 +
29362 include/linux/seq_file.h | 1 +
29363 include/linux/skbuff.h | 12 +-
29364 include/linux/slab.h | 36 +-
29365 include/linux/slab_def.h | 33 +-
29366 include/linux/slob_def.h | 4 +-
29367 include/linux/slub_def.h | 10 +-
29368 include/linux/sock_diag.h | 2 +-
29369 include/linux/sonet.h | 2 +-
29370 include/linux/sunrpc/addr.h | 8 +-
29371 include/linux/sunrpc/clnt.h | 2 +-
29372 include/linux/sunrpc/svc.h | 2 +-
29373 include/linux/sunrpc/svc_rdma.h | 18 +-
29374 include/linux/sunrpc/svcauth.h | 2 +-
29375 include/linux/swiotlb.h | 3 +-
29376 include/linux/syscalls.h | 2 +-
29377 include/linux/syscore_ops.h | 2 +-
29378 include/linux/sysctl.h | 6 +-
29379 include/linux/sysfs.h | 10 +-
29380 include/linux/sysrq.h | 3 +-
29381 include/linux/thread_info.h | 7 +
29382 include/linux/tty.h | 4 +-
29383 include/linux/tty_driver.h | 2 +-
29384 include/linux/tty_ldisc.h | 2 +-
29385 include/linux/types.h | 16 +
29386 include/linux/uaccess.h | 6 +-
29387 include/linux/unaligned/access_ok.h | 24 +-
29388 include/linux/usb.h | 4 +-
29389 include/linux/usb/renesas_usbhs.h | 2 +-
29390 include/linux/vermagic.h | 21 +-
29391 include/linux/vmalloc.h | 11 +-
29392 include/linux/vmstat.h | 20 +-
29393 include/linux/xattr.h | 5 +-
29394 include/linux/zlib.h | 3 +-
29395 include/media/v4l2-dev.h | 2 +-
29396 include/media/v4l2-ioctl.h | 1 -
29397 include/net/9p/transport.h | 2 +-
29398 include/net/bluetooth/l2cap.h | 2 +-
29399 include/net/caif/cfctrl.h | 6 +-
29400 include/net/flow.h | 2 +-
29401 include/net/genetlink.h | 2 +-
29402 include/net/gro_cells.h | 2 +-
29403 include/net/inet_connection_sock.h | 2 +-
29404 include/net/inetpeer.h | 8 +-
29405 include/net/ip.h | 2 +-
29406 include/net/ip_fib.h | 2 +-
29407 include/net/ip_vs.h | 8 +-
29408 include/net/irda/ircomm_tty.h | 1 +
29409 include/net/iucv/af_iucv.h | 2 +-
29410 include/net/llc_c_ac.h | 2 +-
29411 include/net/llc_c_ev.h | 4 +-
29412 include/net/llc_c_st.h | 2 +-
29413 include/net/llc_s_ac.h | 2 +-
29414 include/net/llc_s_st.h | 2 +-
29415 include/net/mac80211.h | 2 +-
29416 include/net/neighbour.h | 2 +-
29417 include/net/net_namespace.h | 12 +-
29418 include/net/netdma.h | 2 +-
29419 include/net/netlink.h | 2 +-
29420 include/net/netns/conntrack.h | 6 +-
29421 include/net/netns/ipv4.h | 2 +-
29422 include/net/protocol.h | 4 +-
29423 include/net/rtnetlink.h | 2 +-
29424 include/net/sctp/sctp.h | 6 +-
29425 include/net/sctp/sm.h | 4 +-
29426 include/net/sctp/structs.h | 2 +-
29427 include/net/sock.h | 6 +-
29428 include/net/tcp.h | 8 +-
29429 include/net/xfrm.h | 8 +-
29430 include/rdma/iw_cm.h | 2 +-
29431 include/scsi/libfc.h | 3 +-
29432 include/scsi/scsi_device.h | 6 +-
29433 include/scsi/scsi_transport_fc.h | 3 +-
29434 include/sound/soc.h | 4 +-
29435 include/target/target_core_base.h | 2 +-
29436 include/trace/events/irq.h | 4 +-
29437 include/uapi/linux/a.out.h | 8 +
29438 include/uapi/linux/byteorder/little_endian.h | 28 +-
29439 include/uapi/linux/elf.h | 28 +
29440 include/uapi/linux/screen_info.h | 3 +-
29441 include/uapi/linux/swab.h | 6 +-
29442 include/uapi/linux/sysctl.h | 6 +-
29443 include/uapi/linux/xattr.h | 4 +
29444 include/video/udlfb.h | 8 +-
29445 include/video/uvesafb.h | 1 +
29446 init/Kconfig | 2 +-
29447 init/Makefile | 3 +
29448 init/do_mounts.c | 14 +-
29449 init/do_mounts.h | 8 +-
29450 init/do_mounts_initrd.c | 22 +-
29451 init/do_mounts_md.c | 6 +-
29452 init/init_task.c | 4 +
29453 init/initramfs.c | 40 +-
29454 init/main.c | 77 +-
29455 ipc/ipc_sysctl.c | 10 +-
29456 ipc/mq_sysctl.c | 2 +-
29457 ipc/msg.c | 11 +-
29458 ipc/sem.c | 11 +-
29459 ipc/shm.c | 17 +-
29460 kernel/acct.c | 2 +-
29461 kernel/audit.c | 8 +-
29462 kernel/auditsc.c | 4 +-
29463 kernel/capability.c | 3 +
29464 kernel/compat.c | 40 +-
29465 kernel/debug/debug_core.c | 16 +-
29466 kernel/debug/kdb/kdb_main.c | 4 +-
29467 kernel/events/core.c | 28 +-
29468 kernel/exit.c | 4 +-
29469 kernel/fork.c | 167 +-
29470 kernel/futex.c | 9 +
29471 kernel/futex_compat.c | 2 +-
29472 kernel/gcov/base.c | 7 +-
29473 kernel/hrtimer.c | 4 +-
29474 kernel/irq_work.c | 7 +-
29475 kernel/jump_label.c | 5 +
29476 kernel/kallsyms.c | 39 +-
29477 kernel/kexec.c | 3 +-
29478 kernel/kmod.c | 4 +-
29479 kernel/kprobes.c | 8 +-
29480 kernel/ksysfs.c | 2 +-
29481 kernel/lockdep.c | 7 +-
29482 kernel/module.c | 337 +-
29483 kernel/mutex-debug.c | 12 +-
29484 kernel/mutex-debug.h | 4 +-
29485 kernel/mutex.c | 7 +-
29486 kernel/notifier.c | 17 +-
29487 kernel/panic.c | 3 +-
29488 kernel/pid.c | 2 +-
29489 kernel/pid_namespace.c | 2 +-
29490 kernel/posix-cpu-timers.c | 4 +-
29491 kernel/posix-timers.c | 20 +-
29492 kernel/power/process.c | 12 +-
29493 kernel/profile.c | 14 +-
29494 kernel/ptrace.c | 8 +-
29495 kernel/rcupdate.c | 4 +-
29496 kernel/rcutiny.c | 4 +-
29497 kernel/rcutiny_plugin.h | 2 +-
29498 kernel/rcutorture.c | 56 +-
29499 kernel/rcutree.c | 68 +-
29500 kernel/rcutree.h | 24 +-
29501 kernel/rcutree_plugin.h | 20 +-
29502 kernel/rcutree_trace.c | 22 +-
29503 kernel/rtmutex-tester.c | 24 +-
29504 kernel/sched/auto_group.c | 4 +-
29505 kernel/sched/core.c | 51 +-
29506 kernel/sched/fair.c | 4 +-
29507 kernel/signal.c | 12 +-
29508 kernel/smp.c | 2 +-
29509 kernel/smpboot.c | 4 +-
29510 kernel/softirq.c | 18 +-
29511 kernel/srcu.c | 4 +-
29512 kernel/sys.c | 10 +-
29513 kernel/sysctl.c | 39 +-
29514 kernel/time.c | 2 +-
29515 kernel/time/alarmtimer.c | 2 +-
29516 kernel/time/tick-broadcast.c | 2 +-
29517 kernel/time/timer_stats.c | 10 +-
29518 kernel/timer.c | 6 +-
29519 kernel/trace/blktrace.c | 6 +-
29520 kernel/trace/ftrace.c | 20 +-
29521 kernel/trace/ring_buffer.c | 76 +-
29522 kernel/trace/trace.c | 8 +-
29523 kernel/trace/trace.h | 2 +-
29524 kernel/trace/trace_events.c | 25 +-
29525 kernel/trace/trace_mmiotrace.c | 8 +-
29526 kernel/trace/trace_output.c | 12 +-
29527 kernel/trace/trace_stack.c | 2 +-
29528 kernel/user_namespace.c | 2 +-
29529 kernel/utsname_sysctl.c | 2 +-
29530 kernel/watchdog.c | 2 +-
29531 lib/Kconfig.debug | 6 +-
29532 lib/Makefile | 2 +-
29533 lib/bitmap.c | 8 +-
29534 lib/bug.c | 2 +
29535 lib/debugobjects.c | 2 +-
29536 lib/devres.c | 4 +-
29537 lib/div64.c | 4 +-
29538 lib/dma-debug.c | 4 +-
29539 lib/inflate.c | 2 +-
29540 lib/ioremap.c | 4 +-
29541 lib/kobject.c | 4 +-
29542 lib/list_debug.c | 126 +-
29543 lib/radix-tree.c | 2 +-
29544 lib/strncpy_from_user.c | 2 +-
29545 lib/strnlen_user.c | 2 +-
29546 lib/swiotlb.c | 2 +-
29547 lib/vsprintf.c | 12 +-
29548 mm/Kconfig | 6 +-
29549 mm/filemap.c | 2 +-
29550 mm/fremap.c | 5 +
29551 mm/highmem.c | 7 +-
29552 mm/hugetlb.c | 70 +-
29553 mm/internal.h | 1 +
29554 mm/maccess.c | 4 +-
29555 mm/madvise.c | 41 +
29556 mm/memory-failure.c | 26 +-
29557 mm/memory.c | 424 ++-
29558 mm/mempolicy.c | 26 +
29559 mm/mlock.c | 16 +-
29560 mm/mmap.c | 576 ++-
29561 mm/mprotect.c | 139 +-
29562 mm/mremap.c | 44 +-
29563 mm/nommu.c | 21 +-
29564 mm/page-writeback.c | 4 +-
29565 mm/page_alloc.c | 41 +-
29566 mm/percpu.c | 2 +-
29567 mm/process_vm_access.c | 14 +-
29568 mm/rmap.c | 38 +-
29569 mm/shmem.c | 19 +-
29570 mm/slab.c | 105 +-
29571 mm/slab.h | 5 +-
29572 mm/slab_common.c | 11 +-
29573 mm/slob.c | 201 +-
29574 mm/slub.c | 99 +-
29575 mm/sparse-vmemmap.c | 4 +-
29576 mm/sparse.c | 2 +-
29577 mm/swap.c | 3 +
29578 mm/swapfile.c | 12 +-
29579 mm/util.c | 6 +
29580 mm/vmalloc.c | 82 +-
29581 mm/vmstat.c | 12 +-
29582 net/8021q/vlan.c | 5 +-
29583 net/9p/mod.c | 4 +-
29584 net/9p/trans_fd.c | 2 +-
29585 net/atm/atm_misc.c | 8 +-
29586 net/atm/lec.h | 2 +-
29587 net/atm/proc.c | 6 +-
29588 net/atm/resources.c | 4 +-
29589 net/ax25/sysctl_net_ax25.c | 2 +-
29590 net/batman-adv/bat_iv_ogm.c | 8 +-
29591 net/batman-adv/hard-interface.c | 4 +-
29592 net/batman-adv/soft-interface.c | 4 +-
29593 net/batman-adv/types.h | 6 +-
29594 net/batman-adv/unicast.c | 2 +-
29595 net/bluetooth/hci_sock.c | 2 +-
29596 net/bluetooth/l2cap_core.c | 6 +-
29597 net/bluetooth/l2cap_sock.c | 12 +-
29598 net/bluetooth/rfcomm/sock.c | 4 +-
29599 net/bluetooth/rfcomm/tty.c | 10 +-
29600 net/bridge/netfilter/ebtables.c | 6 +-
29601 net/caif/cfctrl.c | 11 +-
29602 net/can/af_can.c | 2 +-
29603 net/can/gw.c | 6 +-
29604 net/compat.c | 34 +-
29605 net/core/datagram.c | 2 +-
29606 net/core/dev.c | 16 +-
29607 net/core/flow.c | 8 +-
29608 net/core/iovec.c | 4 +-
29609 net/core/neighbour.c | 2 +-
29610 net/core/net-sysfs.c | 2 +-
29611 net/core/net_namespace.c | 8 +-
29612 net/core/rtnetlink.c | 13 +-
29613 net/core/scm.c | 8 +-
29614 net/core/sock.c | 24 +-
29615 net/core/sock_diag.c | 9 +-
29616 net/core/sysctl_net_core.c | 18 +-
29617 net/decnet/af_decnet.c | 1 +
29618 net/decnet/sysctl_net_decnet.c | 4 +-
29619 net/ipv4/af_inet.c | 8 +-
29620 net/ipv4/ah4.c | 2 +-
29621 net/ipv4/devinet.c | 14 +-
29622 net/ipv4/esp4.c | 2 +-
29623 net/ipv4/fib_frontend.c | 6 +-
29624 net/ipv4/fib_semantics.c | 2 +-
29625 net/ipv4/inet_connection_sock.c | 2 +-
29626 net/ipv4/inetpeer.c | 4 +-
29627 net/ipv4/ip_fragment.c | 15 +-
29628 net/ipv4/ip_gre.c | 6 +-
29629 net/ipv4/ip_sockglue.c | 2 +-
29630 net/ipv4/ip_vti.c | 4 +-
29631 net/ipv4/ipcomp.c | 2 +-
29632 net/ipv4/ipconfig.c | 6 +-
29633 net/ipv4/ipip.c | 4 +-
29634 net/ipv4/netfilter/arp_tables.c | 12 +-
29635 net/ipv4/netfilter/ip_tables.c | 12 +-
29636 net/ipv4/ping.c | 2 +-
29637 net/ipv4/raw.c | 14 +-
29638 net/ipv4/route.c | 18 +-
29639 net/ipv4/sysctl_net_ipv4.c | 45 +-
29640 net/ipv4/tcp_input.c | 2 +-
29641 net/ipv4/tcp_probe.c | 2 +-
29642 net/ipv4/udp.c | 10 +-
29643 net/ipv4/xfrm4_policy.c | 14 +-
29644 net/ipv6/addrconf.c | 6 +-
29645 net/ipv6/icmp.c | 2 +-
29646 net/ipv6/ip6_gre.c | 8 +-
29647 net/ipv6/ip6_tunnel.c | 4 +-
29648 net/ipv6/ipv6_sockglue.c | 2 +-
29649 net/ipv6/netfilter/ip6_tables.c | 12 +-
29650 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
29651 net/ipv6/raw.c | 19 +-
29652 net/ipv6/reassembly.c | 13 +-
29653 net/ipv6/route.c | 2 +-
29654 net/ipv6/sit.c | 4 +-
29655 net/ipv6/sysctl_net_ipv6.c | 2 +-
29656 net/ipv6/udp.c | 8 +-
29657 net/ipv6/xfrm6_policy.c | 13 +-
29658 net/irda/ircomm/ircomm_tty.c | 18 +-
29659 net/iucv/af_iucv.c | 4 +-
29660 net/iucv/iucv.c | 2 +-
29661 net/key/af_key.c | 4 +-
29662 net/mac80211/cfg.c | 8 +-
29663 net/mac80211/ieee80211_i.h | 3 +-
29664 net/mac80211/iface.c | 14 +-
29665 net/mac80211/main.c | 2 +-
29666 net/mac80211/pm.c | 6 +-
29667 net/mac80211/rate.c | 2 +-
29668 net/mac80211/rc80211_pid_debugfs.c | 2 +-
29669 net/mac80211/util.c | 2 +-
29670 net/netfilter/ipset/ip_set_core.c | 2 +-
29671 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
29672 net/netfilter/ipvs/ip_vs_core.c | 4 +-
29673 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
29674 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
29675 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
29676 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
29677 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
29678 net/netfilter/nf_conntrack_acct.c | 2 +-
29679 net/netfilter/nf_conntrack_ecache.c | 2 +-
29680 net/netfilter/nf_conntrack_helper.c | 2 +-
29681 net/netfilter/nf_conntrack_proto.c | 2 +-
29682 net/netfilter/nf_conntrack_standalone.c | 2 +-
29683 net/netfilter/nf_conntrack_timestamp.c | 2 +-
29684 net/netfilter/nf_log.c | 10 +-
29685 net/netfilter/nf_sockopt.c | 4 +-
29686 net/netfilter/nfnetlink_log.c | 4 +-
29687 net/netfilter/xt_statistic.c | 8 +-
29688 net/netlink/af_netlink.c | 4 +-
29689 net/netlink/genetlink.c | 16 +-
29690 net/packet/af_packet.c | 12 +-
29691 net/phonet/pep.c | 6 +-
29692 net/phonet/socket.c | 2 +-
29693 net/phonet/sysctl.c | 2 +-
29694 net/rds/cong.c | 6 +-
29695 net/rds/ib.h | 2 +-
29696 net/rds/ib_cm.c | 2 +-
29697 net/rds/ib_recv.c | 4 +-
29698 net/rds/iw.h | 2 +-
29699 net/rds/iw_cm.c | 2 +-
29700 net/rds/iw_recv.c | 4 +-
29701 net/rds/rds.h | 2 +-
29702 net/rds/tcp.c | 2 +-
29703 net/rds/tcp_send.c | 2 +-
29704 net/rxrpc/af_rxrpc.c | 2 +-
29705 net/rxrpc/ar-ack.c | 14 +-
29706 net/rxrpc/ar-call.c | 2 +-
29707 net/rxrpc/ar-connection.c | 2 +-
29708 net/rxrpc/ar-connevent.c | 2 +-
29709 net/rxrpc/ar-input.c | 4 +-
29710 net/rxrpc/ar-internal.h | 8 +-
29711 net/rxrpc/ar-local.c | 2 +-
29712 net/rxrpc/ar-output.c | 4 +-
29713 net/rxrpc/ar-peer.c | 2 +-
29714 net/rxrpc/ar-proc.c | 4 +-
29715 net/rxrpc/ar-transport.c | 2 +-
29716 net/rxrpc/rxkad.c | 4 +-
29717 net/sctp/ipv6.c | 6 +-
29718 net/sctp/protocol.c | 10 +-
29719 net/sctp/sm_sideeffect.c | 2 +-
29720 net/sctp/socket.c | 21 +-
29721 net/sctp/sysctl.c | 4 +-
29722 net/socket.c | 18 +-
29723 net/sunrpc/clnt.c | 4 +-
29724 net/sunrpc/sched.c | 4 +-
29725 net/sunrpc/svc.c | 4 +-
29726 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
29727 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
29728 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
29729 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
29730 net/tipc/link.c | 6 +-
29731 net/tipc/msg.c | 2 +-
29732 net/tipc/subscr.c | 2 +-
29733 net/unix/sysctl_net_unix.c | 2 +-
29734 net/wireless/wext-core.c | 19 +-
29735 net/xfrm/xfrm_policy.c | 27 +-
29736 net/xfrm/xfrm_state.c | 29 +-
29737 net/xfrm/xfrm_sysctl.c | 2 +-
29738 scripts/Makefile.build | 2 +-
29739 scripts/Makefile.clean | 3 +-
29740 scripts/Makefile.host | 28 +-
29741 scripts/basic/fixdep.c | 12 +-
29742 scripts/gcc-plugin.sh | 17 +
29743 scripts/headers_install.pl | 1 +
29744 scripts/link-vmlinux.sh | 2 +-
29745 scripts/mod/file2alias.c | 14 +-
29746 scripts/mod/modpost.c | 25 +-
29747 scripts/mod/modpost.h | 6 +-
29748 scripts/mod/sumversion.c | 2 +-
29749 scripts/package/builddeb | 1 +
29750 scripts/pnmtologo.c | 6 +-
29751 scripts/sortextable.h | 6 +-
29752 security/Kconfig | 675 +++-
29753 security/apparmor/lsm.c | 2 +-
29754 security/integrity/ima/ima.h | 4 +-
29755 security/integrity/ima/ima_api.c | 2 +-
29756 security/integrity/ima/ima_fs.c | 4 +-
29757 security/integrity/ima/ima_queue.c | 2 +-
29758 security/keys/compat.c | 2 +-
29759 security/keys/key.c | 18 +-
29760 security/keys/keyctl.c | 8 +-
29761 security/keys/keyring.c | 6 +-
29762 security/security.c | 9 +-
29763 security/selinux/hooks.c | 2 +-
29764 security/selinux/include/xfrm.h | 2 +-
29765 security/smack/smack_lsm.c | 2 +-
29766 security/tomoyo/tomoyo.c | 2 +-
29767 security/yama/yama_lsm.c | 22 +-
29768 sound/aoa/codecs/onyx.c | 7 +-
29769 sound/aoa/codecs/onyx.h | 1 +
29770 sound/core/oss/pcm_oss.c | 18 +-
29771 sound/core/pcm_compat.c | 2 +-
29772 sound/core/pcm_native.c | 4 +-
29773 sound/core/seq/seq_device.c | 8 +-
29774 sound/drivers/mts64.c | 14 +-
29775 sound/drivers/opl4/opl4_lib.c | 2 +-
29776 sound/drivers/portman2x4.c | 3 +-
29777 sound/firewire/amdtp.c | 4 +-
29778 sound/firewire/amdtp.h | 2 +-
29779 sound/firewire/isight.c | 10 +-
29780 sound/firewire/scs1x.c | 8 +-
29781 sound/oss/sb_audio.c | 2 +-
29782 sound/oss/swarm_cs4297a.c | 6 +-
29783 sound/pci/ymfpci/ymfpci.h | 2 +-
29784 sound/pci/ymfpci/ymfpci_main.c | 12 +-
29785 tools/gcc/.gitignore | 1 +
29786 tools/gcc/Makefile | 45 +
29787 tools/gcc/checker_plugin.c | 171 +
29788 tools/gcc/colorize_plugin.c | 151 +
29789 tools/gcc/constify_plugin.c | 518 ++
29790 tools/gcc/generate_size_overflow_hash.sh | 94 +
29791 tools/gcc/kallocstat_plugin.c | 170 +
29792 tools/gcc/kernexec_plugin.c | 465 ++
29793 tools/gcc/latent_entropy_plugin.c | 327 ++
29794 tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++
29795 tools/gcc/size_overflow_plugin.c | 2114 ++++++++
29796 tools/gcc/stackleak_plugin.c | 327 ++
29797 tools/gcc/structleak_plugin.c | 276 +
29798 tools/perf/util/include/asm/alternative-asm.h | 3 +
29799 tools/perf/util/include/linux/compiler.h | 8 +
29800 virt/kvm/kvm_main.c | 32 +-
29801 1555 files changed, 30474 insertions(+), 7126 deletions(-)
29802commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
29803Merge: 0949bd4 fc53d63
29804Author: Brad Spengler <spender@grsecurity.net>
29805Date: Thu Mar 22 19:03:44 2012 -0400
29806
29807 Merge branch 'pax-test' into grsec-test
29808
29809commit fc53d6338964741b368070ec5c935bc579b8c2a6
29810Author: Brad Spengler <spender@grsecurity.net>
29811Date: Thu Mar 22 19:02:45 2012 -0400
29812
29813 Update to pax-linux-3.2.12-test33.patch
29814
29815commit 0949bd46a6455b308f66ad7c993bfee62412db35
29816Author: Brad Spengler <spender@grsecurity.net>
29817Date: Thu Mar 22 16:56:09 2012 -0400
29818
29819 Use current_umask() instead of current->fs->umask
29820
29821commit 22f6432d0fe733619cfcb523782ed7d80c46d645
29822Author: Brad Spengler <spender@grsecurity.net>
29823Date: Wed Mar 21 19:42:42 2012 -0400
29824
29825 compile fix
29826
29827commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
29828Author: Brad Spengler <spender@grsecurity.net>
29829Date: Wed Mar 21 19:34:56 2012 -0400
29830
29831 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
29832 uses of domains with particular hash collisions
29833
29834commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
29835Author: Brad Spengler <spender@grsecurity.net>
29836Date: Tue Mar 20 20:25:49 2012 -0400
29837
29838 zero kernel_role
29839
29840commit b00953b43c69238d181d21121ef1577c988d5f6b
29841Author: Brad Spengler <spender@grsecurity.net>
29842Date: Tue Mar 20 19:29:34 2012 -0400
29843
29844 zero real_root after releasing it
29845
29846commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
29847Merge: b724f59 273f98e
29848Author: Brad Spengler <spender@grsecurity.net>
29849Date: Tue Mar 20 19:11:26 2012 -0400
29850
29851 Merge branch 'pax-test' into grsec-test
29852
29853commit 273f98e58cdac555d3b5dce5c1ca168349f95878
29854Author: Brad Spengler <spender@grsecurity.net>
29855Date: Tue Mar 20 19:10:52 2012 -0400
29856
29857 Temporary workaround for (most) size_overflow plugin false-positives
29858 Increase randomization for brk-managed heap to 21 bits
29859 Update to pax-linux-3.2.12-test32.patch
29860
29861commit b724f59125304460c2af8bd4b02921993afbb5d3
29862Author: Brad Spengler <spender@grsecurity.net>
29863Date: Tue Mar 20 18:58:53 2012 -0400
29864
29865 compile fix
29866
29867commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
29868Author: Brad Spengler <spender@grsecurity.net>
29869Date: Tue Mar 20 18:52:23 2012 -0400
29870
29871 Require default and kernel role
29872
29873commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
29874Author: Brad Spengler <spender@grsecurity.net>
29875Date: Tue Mar 20 18:47:28 2012 -0400
29876
29877 Allow policies without special roles
29878 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
29879
29880commit 402ec3d24d66d38403dc543c84851f5e72d39e22
29881Merge: 8e012dc f14661a
29882Author: Brad Spengler <spender@grsecurity.net>
29883Date: Mon Mar 19 18:06:59 2012 -0400
29884
29885 Merge branch 'pax-test' into grsec-test
29886
29887 Conflicts:
29888 fs/namei.c
29889
29890commit f14661aaf202155c97f66626cea0269017bb7775
29891Merge: eae671f 058b017
29892Author: Brad Spengler <spender@grsecurity.net>
29893Date: Mon Mar 19 18:05:44 2012 -0400
29894
29895 Merge branch 'linux-3.2.y' into pax-test
29896
29897commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
29898Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
29899Date: Fri Mar 16 17:08:39 2012 -0700
29900
29901 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
29902
29903 According to the report from Slicky Devil, nilfs caused kernel oops at
29904 nilfs_load_super_block function during mount after he shrank the
29905 partition without resizing the filesystem:
29906
29907 BUG: unable to handle kernel NULL pointer dereference at 00000048
29908 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
29909 *pde = 00000000
29910 Oops: 0000 [#1] PREEMPT SMP
29911 ...
29912 Call Trace:
29913 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
29914 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
29915 [<c0226636>] mount_fs+0x36/0x180
29916 [<c023d961>] vfs_kern_mount+0x51/0xa0
29917 [<c023ddae>] do_kern_mount+0x3e/0xe0
29918 [<c023f189>] do_mount+0x169/0x700
29919 [<c023fa9b>] sys_mount+0x6b/0xa0
29920 [<c04abd1f>] sysenter_do_call+0x12/0x28
29921 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
29922 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
29923 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
29924 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
29925 CR2: 0000000000000048
29926
29927 This turned out due to a defect in an error path which runs if the
29928 calculated location of the secondary super block was invalid.
29929
29930 This patch fixes it and eliminates the reported oops.
29931
29932 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
29933 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
29934 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
29935 Cc: <stable@vger.kernel.org> [2.6.30+]
29936 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
29937 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
29938
29939commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
29940Author: Haogang Chen <haogangchen@gmail.com>
29941Date: Fri Mar 16 17:08:38 2012 -0700
29942
29943 nilfs2: clamp ns_r_segments_percentage to [1, 99]
29944
29945 ns_r_segments_percentage is read from the disk. Bogus or malicious
29946 value could cause integer overflow and malfunction due to meaningless
29947 disk usage calculation. This patch reports error when mounting such
29948 bogus volumes.
29949
29950 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
29951 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
29952 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
29953 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
29954
29955commit e1a90645643f9b0194a5984ec8febd06360d5c8b
29956Author: Eric Dumazet <eric.dumazet@gmail.com>
29957Date: Sat Mar 10 09:20:21 2012 +0000
29958
29959 tcp: fix syncookie regression
29960
29961 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
29962 added a serious regression on synflood handling.
29963
29964 Simon Kirby discovered a successful connection was delayed by 20 seconds
29965 before being responsive.
29966
29967 In my tests, I discovered that xmit frames were lost, and needed ~4
29968 retransmits and a socket dst rebuild before being really sent.
29969
29970 In case of syncookie initiated connection, we use a different path to
29971 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
29972
29973 As ip_queue_xmit() now depends on inet flow being setup, fix this by
29974 copying the temp flowi4 we use in cookie_v4_check().
29975
29976 Reported-by: Simon Kirby <sim@netnation.com>
29977 Bisected-by: Simon Kirby <sim@netnation.com>
29978 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
29979 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
29980 Signed-off-by: David S. Miller <davem@davemloft.net>
29981
29982commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
29983Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
29984Date: Mon Mar 12 02:59:41 2012 +0000
29985
29986 tun: don't hold network namespace by tun sockets
29987
29988 v3: added previously removed sock_put() to the tun_release() callback, because
29989 sk_release_kernel() doesn't drop the socket reference.
29990
29991 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
29992 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
29993 call.
29994
29995 TUN was designed to destroy it's socket on network namesapce shutdown. But this
29996 will never happen for persistent device, because it's socket holds network
29997 namespace.
29998 This patch removes of holding network namespace by TUN socket and replaces it
29999 by creating socket in init_net and then changing it's net it to desired one. On
30000 shutdown socket is moved back to init_net prior to final put.
30001
30002 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
30003 Signed-off-by: David S. Miller <davem@davemloft.net>
30004
30005commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
30006Author: Tyler Hicks <tyhicks@canonical.com>
30007Date: Mon Dec 12 10:02:30 2011 -0600
30008
30009 vfs: Correctly set the dir i_mutex lockdep class
30010
30011 9a7aa12f3911853a introduced additional logic around setting the i_mutex
30012 lockdep class for directory inodes. The idea was that some filesystems
30013 may want their own special lockdep class for different directory
30014 inodes and calling unlock_new_inode() should not clobber one of
30015 those special classes.
30016
30017 I believe that the added conditional, around the *negated* return value
30018 of lockdep_match_class(), caused directory inodes to be placed in the
30019 wrong lockdep class.
30020
30021 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
30022 all inodes. If the filesystem did not change the class during inode
30023 initialization, then the conditional mentioned above was false and the
30024 directory inode was incorrectly left in the non-directory lockdep class.
30025 If the filesystem did set a special lockdep class, then the conditional
30026 mentioned above was true and that class was clobbered with
30027 i_mutex_dir_key.
30028
30029 This patch removes the negation from the conditional so that the i_mutex
30030 lockdep class is properly set for directory inodes. Special classes are
30031 preserved and directory inodes with unmodified classes are set with
30032 i_mutex_dir_key.
30033
30034 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
30035 Reviewed-by: Jan Kara <jack@suse.cz>
30036 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30037
30038commit 603590b0d2eca61ce26499eac9c563bc567a18c9
30039Author: Jan Kara <jack@suse.cz>
30040Date: Mon Feb 20 17:54:00 2012 +0100
30041
30042 udf: Fix deadlock in udf_release_file()
30043
30044 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
30045 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
30046 i_mutex is not needed in udf_release_file() anymore since protection by
30047 i_data_sem is enough to protect from races with write and truncate.
30048
30049 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
30050 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
30051 Signed-off-by: Jan Kara <jack@suse.cz>
30052 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30053
30054commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
30055Author: Miklos Szeredi <mszeredi@suse.cz>
30056Date: Tue Mar 6 13:56:33 2012 +0100
30057
30058 vfs: fix double put after complete_walk()
30059
30060 complete_walk() already puts nd->path, no need to do it again at cleanup time.
30061
30062 This would result in Oopses if triggered, apparently the codepath is not too
30063 well exercised.
30064
30065 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
30066 CC: stable@vger.kernel.org
30067 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30068
30069commit 13885ba2b18400f3ef6540497d30f1af896605e5
30070Author: Miklos Szeredi <mszeredi@suse.cz>
30071Date: Tue Mar 6 13:56:34 2012 +0100
30072
30073 vfs: fix return value from do_last()
30074
30075 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
30076 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
30077 which is complete nonsense.
30078
30079 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
30080 CC: stable@vger.kernel.org
30081 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30082
30083 Conflicts:
30084
30085 fs/namei.c
30086
30087commit f5ab7572c99ffb58953eb1070622307e904c3b7f
30088Author: Al Viro <viro@zeniv.linux.org.uk>
30089Date: Sat Mar 10 17:07:28 2012 -0500
30090
30091 restore smp_mb() in unlock_new_inode()
30092
30093 wait_on_inode() doesn't have ->i_lock
30094
30095 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30096
30097commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
30098Author: David S. Miller <davem@davemloft.net>
30099Date: Tue Mar 13 18:19:51 2012 -0700
30100
30101 sparc32: Add -Av8 to assembler command line.
30102
30103 Newer version of binutils are more strict about specifying the
30104 correct options to enable certain classes of instructions.
30105
30106 The sparc32 build is done for v7 in order to support sun4c systems
30107 which lack hardware integer multiply and divide instructions.
30108
30109 So we have to pass -Av8 when building the assembler routines that
30110 use these instructions and get patched into the kernel when we find
30111 out that we have a v8 capable cpu.
30112
30113 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
30114 Signed-off-by: David S. Miller <davem@davemloft.net>
30115
30116commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
30117Author: Thomas Gleixner <tglx@linutronix.de>
30118Date: Fri Mar 9 20:55:10 2012 +0100
30119
30120 x86: Derandom delay_tsc for 64 bit
30121
30122 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
30123 delay_tsc() into a random delay generator for 64 bit. The reason is
30124 that it merged the mostly identical versions of delay_32.c and
30125 delay_64.c. Though the subtle difference of the result was:
30126
30127 static void delay_tsc(unsigned long loops)
30128 {
30129 - unsigned bclock, now;
30130 + unsigned long bclock, now;
30131
30132 Now the function uses rdtscl() which returns the lower 32bit of the
30133 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
30134 bit this fails when the lower 32bit are close to wrap around when
30135 bclock is read, because the following check
30136
30137 if ((now - bclock) >= loops)
30138 break;
30139
30140 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
30141 because the unsigned long (now - bclock) of these values results in
30142 0xffffffff00000001 which is definitely larger than the loops
30143 value. That explains Tvortkos observation:
30144
30145 "Because I am seeing udelay(500) (_occasionally_) being short, and
30146 that by delaying for some duration between 0us (yep) and 491us."
30147
30148 Make those variables explicitely u32 again, so this works for both 32
30149 and 64 bit.
30150
30151 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
30152 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
30153 Cc: stable@vger.kernel.org # >= 2.6.27
30154 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30155
30156commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
30157Author: Al Viro <viro@ZenIV.linux.org.uk>
30158Date: Thu Mar 8 17:51:19 2012 +0000
30159
30160 aio: fix the "too late munmap()" race
30161
30162 Current code has put_ioctx() called asynchronously from aio_fput_routine();
30163 that's done *after* we have killed the request that used to pin ioctx,
30164 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
30165 from progressing. As the result, we can end up with async call of
30166 put_ioctx() being the last one and possibly happening during exit_mmap()
30167 or elf_core_dump(), neither of which expects stray munmap() being done
30168 to them...
30169
30170 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
30171 with that, but that's all we care about - neither io_destroy() nor
30172 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
30173 does really_put_req(), so the ioctx teardown won't be done until then
30174 and we don't care about the contents of ioctx past that point.
30175
30176 Since actual freeing of these suckers is RCU-delayed, we don't need to
30177 bump ioctx refcount when request goes into list for async removal.
30178 All we need is rcu_read_lock held just over the ->ctx_lock-protected
30179 area in aio_fput_routine().
30180
30181 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30182 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
30183 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
30184 Cc: stable@vger.kernel.org
30185 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30186
30187commit 002124c055afbf09b52226af65621999e8316448
30188Author: Al Viro <viro@ZenIV.linux.org.uk>
30189Date: Wed Mar 7 05:16:35 2012 +0000
30190
30191 aio: fix io_setup/io_destroy race
30192
30193 Have ioctx_alloc() return an extra reference, so that caller would drop it
30194 on success and not bother with re-grabbing it on failure exit. The current
30195 code is obviously broken - io_destroy() from another thread that managed
30196 to guess the address io_setup() would've returned would free ioctx right
30197 under us; gets especially interesting if aio_context_t * we pass to
30198 io_setup() points to PROT_READ mapping, so put_user() fails and we end
30199 up doing io_destroy() on kioctx another thread has just got freed...
30200
30201 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30202 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
30203 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
30204 Cc: stable@vger.kernel.org
30205 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30206
30207commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
30208Author: Dan Carpenter <dan.carpenter@oracle.com>
30209Date: Thu Mar 15 15:17:12 2012 -0700
30210
30211 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
30212
30213 strict_strtoul() writes a long but ->gamma_mode only has space to store an
30214 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
30215 well. I've changed it to use kstrtouint() instead.
30216
30217 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
30218 Acked-by: Inki Dae <inki.dae@samsung.com>
30219 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
30220 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
30221 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30222
30223commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
30224Merge: e4b05b6 eae671f
30225Author: Brad Spengler <spender@grsecurity.net>
30226Date: Fri Mar 16 21:04:27 2012 -0400
30227
30228 Merge branch 'pax-test' into grsec-test
30229
30230 Conflicts:
30231 security/Kconfig
30232
30233commit eae671fafe93f04685c04a089cc13efebc05d600
30234Author: Brad Spengler <spender@grsecurity.net>
30235Date: Fri Mar 16 20:58:01 2012 -0400
30236
30237 Update to pax-linux-3.2.11-test31.patch
30238 Introduction of the size_overflow plugin from Emese Revfy
30239 Many thanks to Emese for her hard work :)
30240
30241commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
30242Merge: e55aa68 258c015
30243Author: Brad Spengler <spender@grsecurity.net>
30244Date: Thu Mar 15 20:59:19 2012 -0400
30245
30246 Merge branch 'pax-test' into grsec-test
30247
30248commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
30249Author: Brad Spengler <spender@grsecurity.net>
30250Date: Thu Mar 15 20:59:05 2012 -0400
30251
30252 fix ARM compilation
30253
30254commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
30255Merge: 8f95ea9 55b7573
30256Author: Brad Spengler <spender@grsecurity.net>
30257Date: Wed Mar 14 19:33:41 2012 -0400
30258
30259 Merge branch 'pax-test' into grsec-test
30260
30261commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
30262Author: Brad Spengler <spender@grsecurity.net>
30263Date: Wed Mar 14 19:33:15 2012 -0400
30264
30265 Update to pax-linux-3.2.10-test28.patch
30266
30267commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
30268Merge: c8786a2 886ac5e
30269Author: Brad Spengler <spender@grsecurity.net>
30270Date: Tue Mar 13 17:38:13 2012 -0400
30271
30272 Merge branch 'pax-test' into grsec-test
30273
30274 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
30275
30276commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
30277Author: Brad Spengler <spender@grsecurity.net>
30278Date: Tue Mar 13 17:37:44 2012 -0400
30279
30280 Update to pax-linux-3.2.10-test26.patch
30281
30282commit c8786a2abed5e5327f68efa520c04db99bb6a63a
30283Merge: 219c982 c061fcf
30284Author: Brad Spengler <spender@grsecurity.net>
30285Date: Tue Mar 13 17:25:06 2012 -0400
30286
30287 Merge branch 'pax-test' into grsec-test
30288
30289commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
30290Merge: 89373d2 3f4b3b2
30291Author: Brad Spengler <spender@grsecurity.net>
30292Date: Tue Mar 13 17:25:02 2012 -0400
30293
30294 Merge branch 'linux-3.2.y' into pax-test
30295
30296commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
30297Merge: 54e19a3 89373d2
30298Author: Brad Spengler <spender@grsecurity.net>
30299Date: Mon Mar 12 17:23:57 2012 -0400
30300
30301 Merge branch 'pax-test' into grsec-test
30302
30303commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
30304Merge: a778588 7459f11
30305Author: Brad Spengler <spender@grsecurity.net>
30306Date: Mon Mar 12 17:23:49 2012 -0400
30307
30308 Merge branch 'linux-3.2.y' into pax-test
30309
30310commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
30311Merge: c4650f1 a778588
30312Author: Brad Spengler <spender@grsecurity.net>
30313Date: Mon Mar 12 16:51:25 2012 -0400
30314
30315 Merge branch 'pax-test' into grsec-test
30316
30317commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
30318Author: Brad Spengler <spender@grsecurity.net>
30319Date: Mon Mar 12 16:51:12 2012 -0400
30320
30321 Update to pax-linux-3.2.9-test24.patch
30322
30323commit c4650f14b13f84735fe3de06a1f3ff5776473eff
30324Merge: fb2abee 1015790
30325Author: Brad Spengler <spender@grsecurity.net>
30326Date: Sun Mar 11 21:08:28 2012 -0400
30327
30328 Merge branch 'pax-test' into grsec-test
30329
30330 Conflicts:
30331 security/Kconfig
30332
30333commit 101579028a736c224e590c7e12a7357018c424e1
30334Author: Brad Spengler <spender@grsecurity.net>
30335Date: Sun Mar 11 21:07:27 2012 -0400
30336
30337 Update to pax-linux-3.2.9-test22.patch
30338
30339commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
30340Author: Brad Spengler <spender@grsecurity.net>
30341Date: Sun Mar 11 11:02:17 2012 -0400
30342
30343 Allow 4096 CPUs
30344
30345commit 96bae28cbe6a41d48e3b56e5904814096e956000
30346Author: Brad Spengler <spender@grsecurity.net>
30347Date: Sun Mar 11 10:25:58 2012 -0400
30348
30349 Use a per-cpu 48-bit counter instead of a global atomic64
30350 Initialize each counter to have the cpu number in the lower 16 bits
30351 instead of incrementing the counter each time by 1, perform the increments
30352 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
30353 any state
30354 idea from PaX Team
30355
30356commit b975688101da6e966aebb1bc6b8c5c5983974f9c
30357Author: Brad Spengler <spender@grsecurity.net>
30358Date: Sat Mar 10 20:33:12 2012 -0500
30359
30360 Special vnsec edition! :)
30361 Further reduce argv/env allowance for suid/sgid apps to 512KB
30362 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
30363 Clear 3GB personality on suid/sgid binaries
30364 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
30365 with the main purpose of throwing off program stack -> arg/env alignment
30366 Update documentation
30367
30368commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
30369Author: Brad Spengler <spender@grsecurity.net>
30370Date: Sat Mar 10 19:54:47 2012 -0500
30371
30372 Resolve skbuff.h warnings that turn into errors during compilation in
30373 the grsecurity directory with -Werror
30374
30375commit 2023210ad43a944033fcacc660ce410888f562ee
30376Merge: ece4383 5f66adf
30377Author: Brad Spengler <spender@grsecurity.net>
30378Date: Fri Mar 9 19:48:01 2012 -0500
30379
30380 Merge branch 'pax-test' into grsec-test
30381
30382commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
30383Author: Brad Spengler <spender@grsecurity.net>
30384Date: Fri Mar 9 19:47:06 2012 -0500
30385
30386 Add colorize plugin
30387
30388commit ece4383e5e91c92d138c4df84225a70b552f4d69
30389Merge: a366d0e ab4a5a1
30390Author: Brad Spengler <spender@grsecurity.net>
30391Date: Fri Mar 9 17:56:46 2012 -0500
30392
30393 Merge branch 'pax-test' into grsec-test
30394
30395commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
30396Author: Brad Spengler <spender@grsecurity.net>
30397Date: Fri Mar 9 17:56:26 2012 -0500
30398
30399 Update to pax-linux-3.2.9-test21.patch
30400
30401commit a366d0ed963ce93fce10121c1100989d5f064e75
30402Author: Mikulas Patocka <mpatocka@redhat.com>
30403Date: Sun Mar 4 19:52:03 2012 -0500
30404
30405 mm: fix find_vma_prev
30406
30407 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
30408 management on PA-RISC.
30409
30410 After application of the patch, programs that allocate big arrays on the
30411 stack crash with segfault, for example, this will crash if compiled
30412 without optimization:
30413
30414 int main()
30415 {
30416 char array[200000];
30417 array[199999] = 0;
30418 return 0;
30419 }
30420
30421 The reason is that PA-RISC has up-growing stack and the stack is usually
30422 the last memory area. In the above example, a page fault happens above
30423 the stack.
30424
30425 Previously, if we passed too high address to find_vma_prev, it returned
30426 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
30427 change, it stores NULL in *pprev. Consequently, the stack area is not
30428 found and it is not expanded, as it used to be before the change.
30429
30430 This patch restores the old behavior and makes it return the last VMA in
30431 *pprev if the requested address is higher than address of any other VMA.
30432
30433 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
30434 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
30435 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30436
30437commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
30438Author: Hugh Dickins <hughd@google.com>
30439Date: Tue Mar 6 12:28:52 2012 -0800
30440
30441 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
30442
30443 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
30444 from shared anonymous: hoist the file case's -EINVAL up for both.
30445
30446 Signed-off-by: Hugh Dickins <hughd@google.com>
30447 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30448
30449commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
30450Author: Al Viro <viro@ZenIV.linux.org.uk>
30451Date: Mon Mar 5 06:38:42 2012 +0000
30452
30453 aout: move setup_arg_pages() prior to reading/mapping the binary
30454
30455 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30456 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30457
30458commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
30459Author: Jan Beulich <JBeulich@suse.com>
30460Date: Mon Mar 5 16:49:24 2012 +0000
30461
30462 vsprintf: make %pV handling compatible with kasprintf()
30463
30464 kasprintf() (and potentially other functions that I didn't run across so
30465 far) want to evaluate argument lists twice. Caring to do so for the
30466 primary list is obviously their job, but they can't reasonably be
30467 expected to check the format string for instances of %pV, which however
30468 need special handling too: On architectures like x86-64 (as opposed to
30469 e.g. ix86), using the same argument list twice doesn't produce the
30470 expected results, as an internally managed cursor gets updated during
30471 the first run.
30472
30473 Fix the problem by always acting on a copy of the original list when
30474 handling %pV.
30475
30476 Signed-off-by: Jan Beulich <jbeulich@suse.com>
30477 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30478
30479commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
30480Author: Al Viro <viro@ZenIV.linux.org.uk>
30481Date: Mon Mar 5 06:39:47 2012 +0000
30482
30483 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
30484
30485 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
30486 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30487
30488commit a831bd53764695ea680cc1fa3c98759a610ed2ac
30489Author: Christian König <deathsimple@vodafone.de>
30490Date: Tue Feb 28 23:19:20 2012 +0100
30491
30492 drm/radeon: fix uninitialized variable
30493
30494 Without this fix the driver randomly treats
30495 textures as arrays and I'm really wondering
30496 why gcc isn't complaining about it.
30497
30498 Signed-off-by: Christian König <deathsimple@vodafone.de>
30499 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
30500 Signed-off-by: Dave Airlie <airlied@redhat.com>
30501
30502commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
30503Author: H. Peter Anvin <hpa@zytor.com>
30504Date: Fri Mar 2 10:43:48 2012 -0800
30505
30506 regset: Prevent null pointer reference on readonly regsets
30507
30508 The regset common infrastructure assumed that regsets would always
30509 have .get and .set methods, but not necessarily .active methods.
30510 Unfortunately people have since written regsets without .set methods.
30511
30512 Rather than putting in stub functions everywhere, handle regsets with
30513 null .get or .set methods explicitly.
30514
30515 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
30516 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
30517 Acked-by: Roland McGrath <roland@hack.frob.com>
30518 Cc: <stable@vger.kernel.org>
30519 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30520
30521commit 072ddd99401c79b53c6bf6bff9deb93022124c79
30522Author: Brad Spengler <spender@grsecurity.net>
30523Date: Mon Mar 5 18:12:57 2012 -0500
30524
30525 Fix compiler errors reported on forums
30526
30527commit 1606774b48af24e6f99d99c624c0e447d4b66474
30528Merge: 3127bd5 4ca2ffd
30529Author: Brad Spengler <spender@grsecurity.net>
30530Date: Mon Mar 5 17:31:35 2012 -0500
30531
30532 Merge branch 'pax-test' into grsec-test
30533
30534commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
30535Author: Brad Spengler <spender@grsecurity.net>
30536Date: Mon Mar 5 17:31:21 2012 -0500
30537
30538 Update to pax-linux-3.2.9-test20.patch
30539
30540commit 3127bd581a292966b1057c7433219dac188c3720
30541Author: Brad Spengler <spender@grsecurity.net>
30542Date: Fri Mar 2 21:30:37 2012 -0500
30543
30544 Fix memory leak on logged exec_id check failure in /proc/pid/statm
30545 Thanks to Djalal Harouni for the report
30546
30547commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
30548Merge: 0a56be8 9aa8288
30549Author: Brad Spengler <spender@grsecurity.net>
30550Date: Fri Mar 2 18:38:22 2012 -0500
30551
30552 Merge branch 'pax-test' into grsec-test
30553
30554commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
30555Author: Brad Spengler <spender@grsecurity.net>
30556Date: Fri Mar 2 18:37:43 2012 -0500
30557
30558 Update to pax-linux-3.2.9-test19.patch
30559
30560commit 0a56be884bbd7ce733cac0b879c45383494d73b0
30561Merge: 9e66745 3f5c52a
30562Author: Brad Spengler <spender@grsecurity.net>
30563Date: Thu Mar 1 20:18:01 2012 -0500
30564
30565 Merge branch 'pax-test' into grsec-test
30566
30567commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
30568Author: Brad Spengler <spender@grsecurity.net>
30569Date: Thu Mar 1 20:16:56 2012 -0500
30570
30571 Update to pax-linux-3.2.9-test18.patch
30572
30573commit ae53ec231d12719a36bf871f8c5841020ed692ee
30574Merge: b255baf 44fb317
30575Author: Brad Spengler <spender@grsecurity.net>
30576Date: Thu Mar 1 20:15:31 2012 -0500
30577
30578 Merge branch 'linux-3.2.y' into pax-test
30579
30580commit 9e667456c03eadea2f305be761abe4de9a5877a3
30581Merge: 5e4e200 b255baf
30582Author: Brad Spengler <spender@grsecurity.net>
30583Date: Mon Feb 27 20:53:59 2012 -0500
30584
30585 Merge branch 'pax-test' into grsec-test
30586
30587commit b255baf50365d39b406f43aab2c64745607baaa2
30588Merge: 340ce90 1de504e
30589Author: Brad Spengler <spender@grsecurity.net>
30590Date: Mon Feb 27 20:53:29 2012 -0500
30591
30592 Merge branch 'linux-3.2.y' into pax-test
30593 Update to pax-linux-3.2.8-test17.patch
30594
30595 Conflicts:
30596 arch/x86/include/asm/i387.h
30597 arch/x86/kernel/process_32.c
30598 arch/x86/kernel/traps.c
30599
30600commit 5e4e200ac530452884b625cb75de240e1e98c731
30601Merge: 44306d7 340ce90
30602Author: Brad Spengler <spender@grsecurity.net>
30603Date: Mon Feb 27 18:02:13 2012 -0500
30604
30605 Merge branch 'pax-test' into grsec-test
30606
30607commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
30608Author: Brad Spengler <spender@grsecurity.net>
30609Date: Mon Feb 27 18:01:48 2012 -0500
30610
30611 Update to pax-linux-3.2.7-test17.patch
30612
30613commit 44306d7b3097f77e73040dd25f4f6750751bae7a
30614Merge: 29d0b07 521c411
30615Author: Brad Spengler <spender@grsecurity.net>
30616Date: Sun Feb 26 19:04:15 2012 -0500
30617
30618 Merge branch 'pax-test' into grsec-test
30619
30620 Conflicts:
30621 Makefile
30622
30623commit 521c411bb4ca66ce01146fde8bac9dd22414076d
30624Author: Brad Spengler <spender@grsecurity.net>
30625Date: Sun Feb 26 19:03:33 2012 -0500
30626
30627 Update to pax-linux-3.2.7-test16.patch
30628
30629commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
30630Author: Brad Spengler <spender@grsecurity.net>
30631Date: Sun Feb 26 17:12:44 2012 -0500
30632
30633 fix typo
30634
30635commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
30636Merge: f45b3be caa8f83
30637Author: Brad Spengler <spender@grsecurity.net>
30638Date: Sat Feb 25 20:59:27 2012 -0500
30639
30640 Merge branch 'pax-test' into grsec-test
30641
30642commit caa8f83456c4d0b204beefffaa1d1993f2348d08
30643Author: Brad Spengler <spender@grsecurity.net>
30644Date: Sat Feb 25 20:59:12 2012 -0500
30645
30646 Update to pax-linux-3.2.7-test15.patch
30647
30648commit f45b3be34a345502a302e736af9a65742ddef7cb
30649Merge: 62f35fd 9f1309b
30650Author: Brad Spengler <spender@grsecurity.net>
30651Date: Sat Feb 25 11:40:15 2012 -0500
30652
30653 Merge branch 'pax-test' into grsec-test
30654
30655commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
30656Author: Brad Spengler <spender@grsecurity.net>
30657Date: Sat Feb 25 11:39:57 2012 -0500
30658
30659 Update to pax-linux-3.2.7-test14.patch
30660
30661commit 62f35fdbecc58f2988fe13638d907b87a15776bb
30662Author: Brad Spengler <spender@grsecurity.net>
30663Date: Sat Feb 25 09:08:55 2012 -0500
30664
30665 We could log on attempted exploits of writing /proc/self/mem, but the current
30666 log function declares the access a read, so just swap the ordering for now
30667
30668commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
30669Author: Brad Spengler <spender@grsecurity.net>
30670Date: Sat Feb 25 08:46:14 2012 -0500
30671
30672 Log /proc/pid/mem attempts
30673
30674commit 674471e581893a94d475acac3e3c4496209b3ac9
30675Author: Brad Spengler <spender@grsecurity.net>
30676Date: Sat Feb 25 08:15:00 2012 -0500
30677
30678 Make use of f_version for protecting /proc file structs (fine since we're not a directory
30679 or seq_file)
30680
30681commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
30682Author: Brad Spengler <spender@grsecurity.net>
30683Date: Fri Feb 24 20:02:19 2012 -0500
30684
30685 Fix ia64 compilation
30686
30687commit 50dfea412fd395e0183c2ade368efa525d38b267
30688Merge: 12db845 4c6f99b
30689Author: Brad Spengler <spender@grsecurity.net>
30690Date: Fri Feb 24 19:00:53 2012 -0500
30691
30692 Merge branch 'pax-test' into grsec-test
30693
30694commit 4c6f99bf338e03966356b147d0360cb3b522a44f
30695Author: Brad Spengler <spender@grsecurity.net>
30696Date: Fri Feb 24 19:00:36 2012 -0500
30697
30698 (6:57:09 PM) pipacs: but you can be proactive
30699 (Fix other-arch atomic64/REFCOUNT compilation failures)
30700
30701commit 12db8453f6bb0a756f369c9151668ba1249bc478
30702Author: Brad Spengler <spender@grsecurity.net>
30703Date: Thu Feb 23 21:10:12 2012 -0500
30704
30705 Remove unnecessary copies, as suggested by solar
30706
30707commit cc02cab84368467ea03cb35f861a8a7092d91ab4
30708Author: Brad Spengler <spender@grsecurity.net>
30709Date: Thu Feb 23 20:59:35 2012 -0500
30710
30711 Make global_exec_counter static, as suggested by solar
30712
30713commit e642091a475ebb3a30e81f85e7751233d0c2af43
30714Author: Brad Spengler <spender@grsecurity.net>
30715Date: Thu Feb 23 19:00:26 2012 -0500
30716
30717 sync with stable tree
30718
30719commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
30720Author: Brad Spengler <spender@grsecurity.net>
30721Date: Thu Feb 23 18:48:47 2012 -0500
30722
30723 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
30724 Remove handling of old kludge in chmod/fchmod
30725
30726commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
30727Author: Brad Spengler <spender@grsecurity.net>
30728Date: Thu Feb 23 18:18:49 2012 -0500
30729
30730 Apply umask checks to chmod/fchmod as well, as requested by sponsor
30731 Union the enforced umask with the existing one to produce minimal privilege
30732 Change umask type to u16
30733
30734commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
30735Author: Brad Spengler <spender@grsecurity.net>
30736Date: Wed Feb 22 18:16:11 2012 -0500
30737
30738 Add per-role umask enforcement to RBAC, requested by a sponsor
30739
30740commit ad5ac943fe58199f1cc475912a39edb157acb77b
30741Merge: dda0bb5 41722e3
30742Author: Brad Spengler <spender@grsecurity.net>
30743Date: Mon Feb 20 20:04:42 2012 -0500
30744
30745 Merge branch 'pax-test' into grsec-test
30746
30747commit 41722e342e116d95f3d3556d66c97c888d752d39
30748Author: Brad Spengler <spender@grsecurity.net>
30749Date: Mon Feb 20 20:04:00 2012 -0500
30750
30751 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
30752 KERNEXEC plugin
30753
30754commit dda0bb57137846a476a866c60db2681aaf6052c0
30755Merge: 4fd554e d70927a
30756Author: Brad Spengler <spender@grsecurity.net>
30757Date: Mon Feb 20 20:01:41 2012 -0500
30758
30759 Merge branch 'pax-test' into grsec-test
30760
30761commit d70927afec977d489a54c106a3c3ddc32e953050
30762Merge: 1daebf1 9d0231c
30763Author: Brad Spengler <spender@grsecurity.net>
30764Date: Mon Feb 20 20:01:33 2012 -0500
30765
30766 Merge branch 'linux-3.2.y' into pax-test
30767
30768commit 4fd554e3a097b22c5049fcdc423897477deff5ef
30769Author: Brad Spengler <spender@grsecurity.net>
30770Date: Mon Feb 20 09:17:57 2012 -0500
30771
30772 Fix wrong logic on capability checks for switching roles, broke policies
30773 Thanks to Richard Kojedzinszky for reporting
30774
30775commit 12f97d52ac603f24344f8d71569c412a307e9422
30776Author: Brad Spengler <spender@grsecurity.net>
30777Date: Thu Feb 16 21:20:10 2012 -0500
30778
30779 sparc64 compile fix
30780
30781commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
30782Author: Brad Spengler <spender@grsecurity.net>
30783Date: Thu Feb 16 18:38:32 2012 -0500
30784
30785 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
30786
30787commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
30788Author: Brad Spengler <spender@grsecurity.net>
30789Date: Thu Feb 16 18:18:01 2012 -0500
30790
30791 optimize the check a bit
30792
30793commit 03159050f64989be44ae03be769cbed62a7cd2e5
30794Author: Brad Spengler <spender@grsecurity.net>
30795Date: Thu Feb 16 18:00:45 2012 -0500
30796
30797 smile VUPEN :D
30798 (limit argv+env to 1MB for suid/sgid binaries)
30799
30800commit dd759d8800d225a397e4de49fe729c7d601298d2
30801Author: Brad Spengler <spender@grsecurity.net>
30802Date: Thu Feb 16 17:49:33 2012 -0500
30803
30804 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
30805
30806commit 4de635bda8ebfb85312e3bf851bdbff93de400da
30807Author: Brad Spengler <spender@grsecurity.net>
30808Date: Thu Feb 16 17:45:06 2012 -0500
30809
30810 Change the long long type for exec_id to the proper u64
30811
30812commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
30813Author: Dan Carpenter <dan.carpenter@oracle.com>
30814Date: Thu Feb 9 00:46:47 2012 +0000
30815
30816 isdn: type bug in isdn_net_header()
30817
30818 We use len to store the return value from eth_header(). eth_header()
30819 can return -ETH_HLEN (-14). We want to pass this back instead of
30820 truncating it to 65522 and returning that.
30821
30822 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
30823 Acked-by: Neil Horman <nhorman@tuxdriver.com>
30824 Signed-off-by: David S. Miller <davem@davemloft.net>
30825
30826commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
30827Author: Heiko Carstens <heiko.carstens@de.ibm.com>
30828Date: Sat Feb 4 10:47:10 2012 +0100
30829
30830 exec: fix use-after-free bug in setup_new_exec()
30831
30832 Setting the task name is done within setup_new_exec() by accessing
30833 bprm->filename. However this happens after flush_old_exec().
30834 This may result in a use after free bug, flush_old_exec() may
30835 "complete" vfork_done, which will wake up the parent which in turn
30836 may free the passed in filename.
30837 To fix this add a new tcomm field in struct linux_binprm which
30838 contains the now early generated task name until it is used.
30839
30840 Fixes this bug on s390:
30841
30842 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
30843 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
30844 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
30845 Call Trace:
30846 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
30847 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
30848 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
30849 [<0000000000282b6c>] do_execve_common+0x410/0x514
30850 [<0000000000282cb6>] do_execve+0x46/0x58
30851 [<00000000005bce58>] kernel_execve+0x28/0x70
30852 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
30853 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
30854 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
30855 Last Breaking-Event-Address:
30856 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
30857
30858 Kernel panic - not syncing: Fatal exception: panic_on_oops
30859
30860 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
30861 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
30862 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
30863
30864commit d758ee9f5230893dabb5aab737b3109684bde196
30865Author: Dan Carpenter <dan.carpenter@oracle.com>
30866Date: Fri Feb 10 09:03:58 2012 +0100
30867
30868 relay: prevent integer overflow in relay_open()
30869
30870 "subbuf_size" and "n_subbufs" come from the user and they need to be
30871 capped to prevent an integer overflow.
30872
30873 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
30874 Cc: stable@kernel.org
30875 Signed-off-by: Jens Axboe <axboe@kernel.dk>
30876
30877commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
30878Merge: b1baadf 1daebf1
30879Author: Brad Spengler <spender@grsecurity.net>
30880Date: Mon Feb 13 17:47:04 2012 -0500
30881
30882 Merge branch 'pax-test' into grsec-test
30883
30884 Conflicts:
30885 fs/proc/base.c
30886
30887commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
30888Merge: 1413df2 c2db2e2
30889Author: Brad Spengler <spender@grsecurity.net>
30890Date: Mon Feb 13 17:45:54 2012 -0500
30891
30892 Merge branch 'linux-3.2.y' into pax-test
30893
30894commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
30895Author: Brad Spengler <spender@grsecurity.net>
30896Date: Sun Feb 12 16:44:05 2012 -0500
30897
30898 add missing declaration
30899
30900commit 3981059c35e8463002517935c28f3d74b8e3703c
30901Author: Brad Spengler <spender@grsecurity.net>
30902Date: Sun Feb 12 16:36:04 2012 -0500
30903
30904 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
30905 in addition to existing checks (this handles the setresuid ruid = euid case)
30906
30907commit 0beab03263c773f463412c350ad9064b44b6ede0
30908Author: Brad Spengler <spender@grsecurity.net>
30909Date: Sun Feb 12 16:13:40 2012 -0500
30910
30911 Revert setreuid changes when RBAC is enabled, breaks freeradius
30912 I'll fix the learning issue Lavish reported a different way through
30913 gradm modifications
30914
30915 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
30916
30917commit 0c61cb1cfbbfec7d07647268c922d51434d22621
30918Author: Brad Spengler <spender@grsecurity.net>
30919Date: Sat Feb 11 14:22:46 2012 -0500
30920
30921 copy exec_id on fork
30922
30923commit 000c08e0890630086b2ed04084050ed856a7ec31
30924Author: Brad Spengler <spender@grsecurity.net>
30925Date: Fri Feb 10 20:00:36 2012 -0500
30926
30927 compile fix
30928
30929commit 54b8c8f54484e5ee18040657827158bc4b63bccc
30930Author: Brad Spengler <spender@grsecurity.net>
30931Date: Fri Feb 10 19:19:52 2012 -0500
30932
30933 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
30934 denies reading of sensitive /proc/pid entries where the file descriptor
30935 was opened in a different task than the one performing the read
30936
30937commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
30938Author: Brad Spengler <spender@grsecurity.net>
30939Date: Fri Feb 10 17:43:24 2012 -0500
30940
30941 Remove duplicate signal check
30942
30943commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
30944Merge: 4eba97e 1413df2
30945Author: Brad Spengler <spender@grsecurity.net>
30946Date: Wed Feb 8 19:24:34 2012 -0500
30947
30948 Merge branch 'pax-test' into grsec-test
30949
30950commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
30951Author: Brad Spengler <spender@grsecurity.net>
30952Date: Wed Feb 8 19:24:08 2012 -0500
30953
30954 Merge changes from pax-linux-3.2.4-test11.patch
30955
30956commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
30957Merge: 0e058dd 8dd90a2
30958Author: Brad Spengler <spender@grsecurity.net>
30959Date: Mon Feb 6 17:50:12 2012 -0500
30960
30961 Merge branch 'pax-test' into grsec-test
30962
30963commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
30964Author: Brad Spengler <spender@grsecurity.net>
30965Date: Mon Feb 6 17:49:07 2012 -0500
30966
30967 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
30968
30969commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
30970Merge: 7e4169c 6133971
30971Author: Brad Spengler <spender@grsecurity.net>
30972Date: Mon Feb 6 17:48:57 2012 -0500
30973
30974 Merge branch 'linux-3.2.y' into pax-test
30975
30976commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
30977Author: Brad Spengler <spender@grsecurity.net>
30978Date: Sun Feb 5 19:24:45 2012 -0500
30979
30980 We now allow configurations with no PaX markings, giving the system no way to override the defaults
30981
30982commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
30983Author: Brad Spengler <spender@grsecurity.net>
30984Date: Sun Feb 5 10:01:23 2012 -0500
30985
30986 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
30987
30988commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
30989Author: Brad Spengler <spender@grsecurity.net>
30990Date: Sat Feb 4 21:01:16 2012 -0500
30991
30992 Improve security of ptrace-based monitoring/sandboxing
30993 See:
30994 http://article.gmane.org/gmane.linux.kernel.lsm/15156
30995
30996commit ca4ca5a1027b41f9528794e52a53ce9c47926101
30997Author: Brad Spengler <spender@grsecurity.net>
30998Date: Fri Feb 3 20:42:55 2012 -0500
30999
31000 fix typo
31001
31002commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
31003Author: Brad Spengler <spender@grsecurity.net>
31004Date: Fri Feb 3 20:25:38 2012 -0500
31005
31006 Reported by lavish on IRC:
31007 If a suid/sgid binary did not learn any setuid/setgid call during learning,
31008 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
31009 any restrictions on uid/gid changes. uid and gid can however be changed
31010 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
31011 euid/egid.
31012
31013 My fix:
31014 POSIX doesn't specify whether unprivileged users can perform the above
31015 setresuid/setresgid as an unprivileged user, though Linux has historically
31016 permitted them. Modify this behavior when RBAC is enabled to require
31017 CAP_SETUID/CAP_SETGID for these operations.
31018
31019 Thanks to Lavish for the report!
31020
31021 Conflicts:
31022
31023 kernel/sys.c
31024
31025commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
31026Merge: ba586eb 7e4169c
31027Author: Brad Spengler <spender@grsecurity.net>
31028Date: Fri Feb 3 20:10:21 2012 -0500
31029
31030 Merge branch 'pax-test' into grsec-test
31031
31032commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
31033Author: Brad Spengler <spender@grsecurity.net>
31034Date: Fri Feb 3 20:10:05 2012 -0500
31035
31036 Merge changes from pax-linux-3.2.4-test9.patch
31037
31038commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
31039Author: Christopher Yeoh <cyeoh@au1.ibm.com>
31040Date: Thu Feb 2 11:34:09 2012 +1030
31041
31042 Fix race in process_vm_rw_core
31043
31044 This fixes the race in process_vm_core found by Oleg (see
31045
31046 http://article.gmane.org/gmane.linux.kernel/1235667/
31047
31048 for details).
31049
31050 This has been updated since I last sent it as the creation of the new
31051 mm_access() function did almost exactly the same thing as parts of the
31052 previous version of this patch did.
31053
31054 In order to use mm_access() even when /proc isn't enabled, we move it to
31055 kernel/fork.c where other related process mm access functions already
31056 are.
31057
31058 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
31059 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31060
31061 Conflicts:
31062
31063 fs/proc/base.c
31064 mm/process_vm_access.c
31065
31066commit b9194d60fb9fe579f5c34817ed822abde18939a0
31067Author: Oleg Nesterov <oleg@redhat.com>
31068Date: Tue Jan 31 17:15:11 2012 +0100
31069
31070 proc: make sure mem_open() doesn't pin the target's memory
31071
31072 Once /proc/pid/mem is opened, the memory can't be released until
31073 mem_release() even if its owner exits.
31074
31075 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
31076 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
31077 before access_remote_vm(), this verifies that this mm is still alive.
31078
31079 I am not sure what should mem_rw() return if atomic_inc_not_zero()
31080 fails. With this patch it returns zero to match the "mm == NULL" case,
31081 may be it should return -EINVAL like it did before e268337d.
31082
31083 Perhaps it makes sense to add the additional fatal_signal_pending()
31084 check into the main loop, to ensure we do not hold this memory if
31085 the target task was oom-killed.
31086
31087 Cc: stable@kernel.org
31088 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
31089 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31090
31091commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
31092Author: Oleg Nesterov <oleg@redhat.com>
31093Date: Tue Jan 31 17:14:38 2012 +0100
31094
31095 proc: mem_release() should check mm != NULL
31096
31097 mem_release() can hit mm == NULL, add the necessary check.
31098
31099 Cc: stable@kernel.org
31100 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
31101 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31102
31103commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
31104Author: Oleg Nesterov <oleg@redhat.com>
31105Date: Tue Jan 31 17:14:54 2012 +0100
31106
31107 note: redisabled mem_write
31108
31109 proc: unify mem_read() and mem_write()
31110
31111 No functional changes, cleanup and preparation.
31112
31113 mem_read() and mem_write() are very similar. Move this code into the
31114 new common helper, mem_rw(), which takes the additional "int write"
31115 argument.
31116
31117 Cc: stable@kernel.org
31118 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
31119 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31120
31121 Conflicts:
31122
31123 fs/proc/base.c
31124
31125commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
31126Merge: 3903f01 01fee18
31127Author: Brad Spengler <spender@grsecurity.net>
31128Date: Fri Feb 3 19:50:40 2012 -0500
31129
31130 Merge branch 'pax-test' into grsec-test
31131
31132commit 01fee1851aef26b898ccba5312cabf1f919b74cb
31133Author: Brad Spengler <spender@grsecurity.net>
31134Date: Fri Feb 3 19:49:46 2012 -0500
31135
31136 Merge changes from pax-linux-3.2.4-test8.patch
31137
31138commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
31139Merge: 201c0db 141936c
31140Author: Brad Spengler <spender@grsecurity.net>
31141Date: Fri Feb 3 19:49:01 2012 -0500
31142
31143 Merge branch 'linux-3.2.y' into pax-test
31144
31145commit 3903f0172ecadf7a575ba3535402a1506133640a
31146Author: Brad Spengler <spender@grsecurity.net>
31147Date: Mon Jan 30 23:26:44 2012 -0500
31148
31149 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
31150
31151 We'll whitelist required directories for compatibility instead of requiring
31152 that people disable the feature entirely if they use SELinux, fuse, etc
31153
31154 Conflicts:
31155
31156 fs/sysfs/mount.c
31157
31158commit e3618feaa7e63807f1b88c199882075b3ec9bd05
31159Author: Brad Spengler <spender@grsecurity.net>
31160Date: Sun Jan 29 01:12:19 2012 -0500
31161
31162 perform RBAC check if TPE is on but match fails, matches previous behavior
31163
31164commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
31165Author: Brad Spengler <spender@grsecurity.net>
31166Date: Sat Jan 28 13:17:06 2012 -0500
31167
31168 log more information about the reason for a TPE denial for novice users, requested by a sponsor
31169
31170commit efefd67008cbad8a8591e2484410966a300a39a5
31171Author: Brad Spengler <spender@grsecurity.net>
31172Date: Fri Jan 27 19:58:53 2012 -0500
31173
31174 merge upstream sha512 changes
31175
31176commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
31177Author: Brad Spengler <spender@grsecurity.net>
31178Date: Fri Jan 27 19:49:07 2012 -0500
31179
31180 drop lock on error in xfs_readlink
31181
31182 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
31183
31184commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
31185Author: Li Wang <liwang@nudt.edu.cn>
31186Date: Thu Jan 19 09:44:36 2012 +0800
31187
31188 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
31189
31190 ecryptfs_write() can enter an infinite loop when truncating a file to a
31191 size larger than 4G. This only happens on architectures where size_t is
31192 represented by 32 bits.
31193
31194 This was caused by a size_t overflow due to it incorrectly being used to
31195 store the result of a calculation which uses potentially large values of
31196 type loff_t.
31197
31198 [tyhicks@canonical.com: rewrite subject and commit message]
31199 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
31200 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
31201 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
31202 Cc: <stable@vger.kernel.org>
31203 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
31204
31205commit a7607747d0f74f357d78bb796d70635dd05f46e8
31206Author: Tyler Hicks <tyhicks@canonical.com>
31207Date: Thu Jan 19 20:33:44 2012 -0600
31208
31209 eCryptfs: Check inode changes in setattr
31210
31211 Most filesystems call inode_change_ok() very early in ->setattr(), but
31212 eCryptfs didn't call it at all. It allowed the lower filesystem to make
31213 the call in its ->setattr() function. Then, eCryptfs would copy the
31214 appropriate inode attributes from the lower inode to the eCryptfs inode.
31215
31216 This patch changes that and actually calls inode_change_ok() on the
31217 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
31218 would happen earlier in ecryptfs_setattr(), but there are some possible
31219 inode initialization steps that must happen first.
31220
31221 Since the call was already being made on the lower inode, the change in
31222 functionality should be minimal, except for the case of a file extending
31223 truncate call. In that case, inode_newsize_ok() was never being
31224 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
31225 maximum file size errors early on, eCryptfs would encrypt zeroed pages
31226 and write them to the lower filesystem until the lower filesystem's
31227 write path caught the error in generic_write_checks(). This patch
31228 introduces a new function, called ecryptfs_inode_newsize_ok(), which
31229 checks if the new lower file size is within the appropriate limits when
31230 the truncate operation will be growing the lower file.
31231
31232 In summary this change prevents eCryptfs truncate operations (and the
31233 resulting page encryptions), which would exceed the lower filesystem
31234 limits or FSIZE rlimits, from ever starting.
31235
31236 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
31237 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
31238 Cc: <stable@vger.kernel.org>
31239
31240commit 0d96f190a39505254ace4e9330219aaeda9b64e3
31241Author: Tyler Hicks <tyhicks@canonical.com>
31242Date: Wed Jan 18 18:30:04 2012 -0600
31243
31244 eCryptfs: Make truncate path killable
31245
31246 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
31247 page, zeroes out the appropriate portions, and then encrypts the page
31248 before writing it to the lower filesystem. It was unkillable and due to
31249 the lack of sparse file support could result in tying up a large portion
31250 of system resources, while encrypting pages of zeros, with no way for
31251 the truncate operation to be stopped from userspace.
31252
31253 This patch adds the ability for ecryptfs_write() to detect a pending
31254 fatal signal and return as gracefully as possible. The intent is to
31255 leave the lower file in a useable state, while still allowing a user to
31256 break out of the encryption loop. If a pending fatal signal is detected,
31257 the eCryptfs inode size is updated to reflect the modified inode size
31258 and then -EINTR is returned.
31259
31260 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
31261 Cc: <stable@vger.kernel.org>
31262
31263commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
31264Author: Tyler Hicks <tyhicks@canonical.com>
31265Date: Tue Jan 24 10:02:22 2012 -0600
31266
31267 eCryptfs: Fix oops when printing debug info in extent crypto functions
31268
31269 If pages passed to the eCryptfs extent-based crypto functions are not
31270 mapped and the module parameter ecryptfs_verbosity=1 was specified at
31271 loading time, a NULL pointer dereference will occur.
31272
31273 Note that this wouldn't happen on a production system, as you wouldn't
31274 pass ecryptfs_verbosity=1 on a production system. It leaks private
31275 information to the system logs and is for debugging only.
31276
31277 The debugging info printed in these messages is no longer very useful
31278 and rather than doing a kmap() in these debugging paths, it will be
31279 better to simply remove the debugging paths completely.
31280
31281 https://launchpad.net/bugs/913651
31282
31283 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
31284 Reported-by: Daniel DeFreez
31285 Cc: <stable@vger.kernel.org>
31286
31287commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
31288Author: Tyler Hicks <tyhicks@canonical.com>
31289Date: Thu Jan 12 11:30:44 2012 +0100
31290
31291 eCryptfs: Sanitize write counts of /dev/ecryptfs
31292
31293 A malicious count value specified when writing to /dev/ecryptfs may
31294 result in a a very large kernel memory allocation.
31295
31296 This patch peeks at the specified packet payload size, adds that to the
31297 size of the packet headers and compares the result with the write count
31298 value. The resulting maximum memory allocation size is approximately 532
31299 bytes.
31300
31301 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
31302 Reported-by: Sasha Levin <levinsasha928@gmail.com>
31303 Cc: <stable@vger.kernel.org>
31304
31305commit 96dcb7282d323813181a1791f51c0ab7696b675b
31306Merge: 6c09fa5 201c0db
31307Author: Brad Spengler <spender@grsecurity.net>
31308Date: Fri Jan 27 19:44:15 2012 -0500
31309
31310 Merge branch 'pax-test' into grsec-test
31311
31312commit 201c0dbf177527367676028151e36d340923f033
31313Author: Brad Spengler <spender@grsecurity.net>
31314Date: Fri Jan 27 19:43:24 2012 -0500
31315
31316 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
31317 on loading modules with empty sections
31318
31319commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
31320Author: Brad Spengler <spender@grsecurity.net>
31321Date: Fri Jan 27 19:42:13 2012 -0500
31322
31323 compile fix
31324
31325commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
31326Author: Brad Spengler <spender@grsecurity.net>
31327Date: Fri Jan 27 19:39:28 2012 -0500
31328
31329 use LSM flags instead of duplicating checks
31330
31331commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
31332Merge: 44b9f11 558718b
31333Author: Brad Spengler <spender@grsecurity.net>
31334Date: Fri Jan 27 18:56:23 2012 -0500
31335
31336 Merge branch 'pax-test' into grsec-test
31337
31338commit 558718b2217beff69edf60f34a6f9893d910e9ac
31339Author: Brad Spengler <spender@grsecurity.net>
31340Date: Fri Jan 27 18:56:04 2012 -0500
31341
31342 Merge changes from pax-linux-3.2.2-test6.patch
31343
31344commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
31345Author: Brad Spengler <spender@grsecurity.net>
31346Date: Fri Jan 27 18:53:55 2012 -0500
31347
31348 don't increase the size of task_struct when unnecessary
31349 change ptrace_readexec log message
31350
31351commit a9c9626e054adb885883aa64f85506852894dd33
31352Author: Brad Spengler <spender@grsecurity.net>
31353Date: Fri Jan 27 18:16:28 2012 -0500
31354
31355 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
31356 the protection applies to all unreadable binaries.
31357
31358commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
31359Merge: 7b3f3af 05a1349
31360Author: Brad Spengler <spender@grsecurity.net>
31361Date: Wed Jan 25 20:52:09 2012 -0500
31362
31363 Merge branch 'pax-test' into grsec-test
31364
31365 Conflicts:
31366 block/scsi_ioctl.c
31367 drivers/scsi/sd.c
31368 fs/proc/base.c
31369
31370commit 05a134966efb9cb9346ad3422888969ffc79ac1d
31371Author: Brad Spengler <spender@grsecurity.net>
31372Date: Wed Jan 25 20:47:36 2012 -0500
31373
31374 Resync with pax-linux-3.2.2-test5.patch
31375
31376commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
31377Merge: c6d443d 3499d64
31378Author: Brad Spengler <spender@grsecurity.net>
31379Date: Wed Jan 25 20:45:16 2012 -0500
31380
31381 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
31382
31383 Conflicts:
31384 ipc/shm.c
31385
31386commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
31387Author: Brad Spengler <spender@grsecurity.net>
31388Date: Tue Jan 24 19:42:01 2012 -0500
31389
31390 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
31391 (may be changed if it breaks some userland), the other has its own
31392 config option
31393
31394 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
31395 the syscall or /proc/sys.
31396
31397 Second feature requires read access to a suid/sgid binary in order
31398 to ptrace it, preventing infoleaking of binaries in situations where
31399 the admin has specified 4711 or 2711 perms. Feature has been
31400 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
31401 a sysctl entry of ptrace_readexec
31402
31403commit 11a7bb25c411c9dccfdca5718639b4becdffd388
31404Author: Brad Spengler <spender@grsecurity.net>
31405Date: Sun Jan 22 14:37:10 2012 -0500
31406
31407 Compilation fixes
31408
31409commit cd400e21c7c352baba47d6f375297a7847afb33a
31410Author: Brad Spengler <spender@grsecurity.net>
31411Date: Sun Jan 22 14:20:27 2012 -0500
31412
31413 Initial port of grsecurity 2.2.2 for Linux 3.2.1
31414 Note that the new syscalls added to this kernel for remote process read/write
31415 are subject to ptrace hardening/other relevant RBAC features
31416 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
31417 as well
31418 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
31419 you should be using a version of gcc with plugin support
31420
31421commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
31422Author: Brad Spengler <spender@grsecurity.net>
31423Date: Sun Jan 22 11:47:31 2012 -0500
31424
31425 Import pax-linux-3.2.1-test5.patch
31426commit bfd7db842f835f9837cd43644459b3a95b0b488d
31427Author: Brad Spengler <spender@grsecurity.net>
31428Date: Sun Jan 22 11:02:02 2012 -0500
31429
31430 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
31431 instead of returning -EACCES
31432 thanks to Wraith from irc for the report
31433
31434commit 873ac13576506cd48ddb527c2540f274e249da50
31435Merge: 34083dd 8a44fcc
31436Author: Brad Spengler <spender@grsecurity.net>
31437Date: Fri Jan 20 18:04:02 2012 -0500
31438
31439 Merge branch 'pax-test' into grsec-test
31440
31441commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
31442Author: Brad Spengler <spender@grsecurity.net>
31443Date: Fri Jan 20 18:02:15 2012 -0500
31444
31445 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
31446 Denies executable shared memory when MPROTECT is active
31447 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
31448
31449commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
31450Author: Brad Spengler <spender@grsecurity.net>
31451Date: Thu Jan 19 20:23:14 2012 -0500
31452
31453 Introduce new GRKERNSEC_SETXID implementation
31454 We're not able to change the credentials of other threads in the process until at most
31455 one syscall after the first thread does it, since we mark the threads as needing rescheduling
31456 and such work occurs on syscall exit.
31457 This does however ensure that we're only modifying the current task's credentials
31458 which upholds RCU expectations
31459
31460 Many thanks to corsac for testing
31461
31462commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
31463Author: Brad Spengler <spender@grsecurity.net>
31464Date: Thu Jan 19 17:42:48 2012 -0500
31465
31466 Simplify backport
31467
31468commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
31469Author: Brad Spengler <spender@grsecurity.net>
31470Date: Thu Jan 19 17:08:16 2012 -0500
31471
31472 Commit the latest silent fix for a local privilege escalation from Linus
31473 Also disable writing to /proc/pid/mem
31474 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
31475
31476commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
31477Merge: 0394a3f 7e6299b
31478Author: Brad Spengler <spender@grsecurity.net>
31479Date: Wed Jan 18 20:22:09 2012 -0500
31480
31481 Merge branch 'pax-test' into grsec-test
31482
31483commit 7e6299b4733c082dde930375dd207b63237751ec
31484Merge: 83555fb 9bb1282
31485Author: Brad Spengler <spender@grsecurity.net>
31486Date: Wed Jan 18 20:21:37 2012 -0500
31487
31488 Merge branch 'linux-3.1.y' into pax-test
31489
31490commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
31491Author: Jesper Juhl <jj@chaosbits.net>
31492Date: Sun Jan 8 22:44:29 2012 +0100
31493
31494 audit: always follow va_copy() with va_end()
31495
31496 A call to va_copy() should always be followed by a call to va_end() in
31497 the same function. In kernel/autit.c::audit_log_vformat() this is not
31498 always done. This patch makes sure va_end() is always called.
31499
31500 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
31501 Cc: Al Viro <viro@zeniv.linux.org.uk>
31502 Cc: Eric Paris <eparis@redhat.com>
31503 Cc: Andrew Morton <akpm@linux-foundation.org>
31504 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31505
31506commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
31507Author: Andi Kleen <ak@linux.intel.com>
31508Date: Thu Jan 12 17:20:30 2012 -0800
31509
31510 panic: don't print redundant backtraces on oops
31511
31512 When an oops causes a panic and panic prints another backtrace it's pretty
31513 common to have the original oops data be scrolled away on a 80x50 screen.
31514
31515 The second backtrace is quite redundant and not needed anyways.
31516
31517 So don't print the panic backtrace when oops_in_progress is true.
31518
31519 [akpm@linux-foundation.org: add comment]
31520 Signed-off-by: Andi Kleen <ak@linux.intel.com>
31521 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
31522 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
31523 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31524
31525commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
31526Author: Miklos Szeredi <mszeredi@suse.cz>
31527Date: Thu Jan 12 17:59:46 2012 +0100
31528
31529 fsnotify: don't BUG in fsnotify_destroy_mark()
31530
31531 Removing the parent of a watched file results in "kernel BUG at
31532 fs/notify/mark.c:139".
31533
31534 To reproduce
31535
31536 add "-w /tmp/audit/dir/watched_file" to audit.rules
31537 rm -rf /tmp/audit/dir
31538
31539 This is caused by fsnotify_destroy_mark() being called without an
31540 extra reference taken by the caller.
31541
31542 Reported by Francesco Cosoleto here:
31543
31544 https://bugzilla.novell.com/show_bug.cgi?id=689860
31545
31546 Fix by removing the BUG_ON and adding a comment about not accessing mark after
31547 the iput.
31548
31549 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
31550 CC: stable@vger.kernel.org
31551 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31552
31553commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
31554Author: Paolo Bonzini <pbonzini@redhat.com>
31555Date: Thu Jan 12 16:01:28 2012 +0100
31556
31557 block: fail SCSI passthrough ioctls on partition devices
31558
31559 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
31560 will pass the command to the underlying block device. This is
31561 well-known, but it is also a large security problem when (via Unix
31562 permissions, ACLs, SELinux or a combination thereof) a program or user
31563 needs to be granted access only to part of the disk.
31564
31565 This patch lets partitions forward a small set of harmless ioctls;
31566 others are logged with printk so that we can see which ioctls are
31567 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
31568 Of course it was being sent to a (partition on a) hard disk, so it would
31569 have failed with ENOTTY and the patch isn't changing anything in
31570 practice. Still, I'm treating it specially to avoid spamming the logs.
31571
31572 In principle, this restriction should include programs running with
31573 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
31574 /dev/sdb, it still should not be able to read/write outside the
31575 boundaries of /dev/sda2 independent of the capabilities. However, for
31576 now programs with CAP_SYS_RAWIO will still be allowed to send the
31577 ioctls. Their actions will still be logged.
31578
31579 This patch does not affect the non-libata IDE driver. That driver
31580 however already tests for bd != bd->bd_contains before issuing some
31581 ioctl; it could be restricted further to forbid these ioctls even for
31582 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
31583
31584 Cc: linux-scsi@vger.kernel.org
31585 Cc: Jens Axboe <axboe@kernel.dk>
31586 Cc: James Bottomley <JBottomley@parallels.com>
31587 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
31588 [ Make it also print the command name when warning - Linus ]
31589 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31590
31591commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
31592Author: Paolo Bonzini <pbonzini@redhat.com>
31593Date: Thu Jan 12 16:01:27 2012 +0100
31594
31595 block: add and use scsi_blk_cmd_ioctl
31596
31597 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
31598
31599 The function will then be enhanced to detect partition block devices
31600 and, in that case, subject the ioctls to whitelisting.
31601
31602 Cc: linux-scsi@vger.kernel.org
31603 Cc: Jens Axboe <axboe@kernel.dk>
31604 Cc: James Bottomley <JBottomley@parallels.com>
31605 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
31606 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
31607
31608commit 97a79814903fc350e1d13704ea31528a42705401
31609Author: Kees Cook <keescook@chromium.org>
31610Date: Sat Jan 7 10:41:04 2012 -0800
31611
31612 audit: treat s_id as an untrusted string
31613
31614 The use of s_id should go through the untrusted string path, just to be
31615 extra careful.
31616
31617 Signed-off-by: Kees Cook <keescook@chromium.org>
31618 Acked-by: Mimi Zohar <zohar@us.ibm.com>
31619 Signed-off-by: Eric Paris <eparis@redhat.com>
31620
31621commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
31622Author: Xi Wang <xi.wang@gmail.com>
31623Date: Tue Dec 20 18:39:41 2011 -0500
31624
31625 audit: fix signedness bug in audit_log_execve_info()
31626
31627 In the loop, a size_t "len" is used to hold the return value of
31628 audit_log_single_execve_arg(), which returns -1 on error. In that
31629 case the error handling (len <= 0) will be bypassed since "len" is
31630 unsigned, and the loop continues with (p += len) being wrapped.
31631 Change the type of "len" to signed int to fix the error handling.
31632
31633 size_t len;
31634 ...
31635 for (...) {
31636 len = audit_log_single_execve_arg(...);
31637 if (len <= 0)
31638 break;
31639 p += len;
31640 }
31641
31642 Signed-off-by: Xi Wang <xi.wang@gmail.com>
31643 Signed-off-by: Eric Paris <eparis@redhat.com>
31644
31645commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
31646Author: Dan Carpenter <dan.carpenter@oracle.com>
31647Date: Tue Jan 17 03:28:51 2012 -0300
31648
31649 [media] ds3000: using logical && instead of bitwise &
31650
31651 The intent here was to test if the FE_HAS_LOCK was set. The current
31652 test is equivalent to "if (status) { ..."
31653
31654 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
31655 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
31656
31657commit 36522330dc59d2fc70c042f3f081d75c32b6259a
31658Author: Brad Spengler <spender@grsecurity.net>
31659Date: Mon Jan 16 13:10:38 2012 -0500
31660
31661 Ignore the 0 signal for protected task RBAC checks
31662
31663commit d513acd55f7a683f6e146a4f570cdb63300479ab
31664Author: Brad Spengler <spender@grsecurity.net>
31665Date: Mon Jan 16 11:56:13 2012 -0500
31666
31667 whitespace cleanup
31668
31669commit ced261c4b82818c700aff8487f647f6f3e5b5122
31670Merge: d48751f 83555fb
31671Author: Brad Spengler <spender@grsecurity.net>
31672Date: Fri Jan 13 20:12:54 2012 -0500
31673
31674 Merge branch 'pax-test' into grsec-test
31675
31676commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
31677Merge: fcd8129 93dad39
31678Author: Brad Spengler <spender@grsecurity.net>
31679Date: Fri Jan 13 20:12:43 2012 -0500
31680
31681 Merge branch 'linux-3.1.y' into pax-test
31682
31683commit d48751f3919ae855fda0ff6c149db82442329253
31684Author: Brad Spengler <spender@grsecurity.net>
31685Date: Wed Jan 11 19:05:47 2012 -0500
31686
31687 Call our own set_user when forcing change to new id
31688
31689commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
31690Merge: e6578ff fcd8129
31691Author: Brad Spengler <spender@grsecurity.net>
31692Date: Tue Jan 10 16:00:10 2012 -0500
31693
31694 Merge branch 'pax-test' into grsec-test
31695
31696commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
31697Author: Brad Spengler <spender@grsecurity.net>
31698Date: Tue Jan 10 15:58:43 2012 -0500
31699
31700 Merge changes from pax-linux-3.1.8-test23.patch
31701
31702commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
31703Merge: 8859ec3 a120549
31704Author: Brad Spengler <spender@grsecurity.net>
31705Date: Fri Jan 6 21:45:56 2012 -0500
31706
31707 Merge branch 'pax-test' into grsec-test
31708
31709commit a12054967a77090de1caa07c41e694a77db4e237
31710Author: Brad Spengler <spender@grsecurity.net>
31711Date: Fri Jan 6 21:45:30 2012 -0500
31712
31713 Merge changes from pax-linux-3.1.8-test22.patch
31714
31715commit 8859ec32f9815c274df65448f9f2960176c380d3
31716Merge: a5016b4 ddd4114
31717Author: Brad Spengler <spender@grsecurity.net>
31718Date: Fri Jan 6 21:26:08 2012 -0500
31719
31720 Merge branch 'pax-test' into grsec-test
31721
31722 Conflicts:
31723 fs/binfmt_elf.c
31724 security/Kconfig
31725
31726commit ddd41147e158a79704983a409b7433eba797cf66
31727Author: Brad Spengler <spender@grsecurity.net>
31728Date: Fri Jan 6 21:12:42 2012 -0500
31729
31730 Resync with PaX patch (whitespace difference)
31731
31732commit 29e569df8205c5f0e043fe4803aa984406c8b118
31733Author: Brad Spengler <spender@grsecurity.net>
31734Date: Fri Jan 6 21:09:47 2012 -0500
31735
31736 Merge changes from pax-linux-3.1.8-test21.patch
31737
31738commit a5016b4f9c09c337b17e063a7f369af1e86d944d
31739Merge: 0124c92 04231d5
31740Author: Brad Spengler <spender@grsecurity.net>
31741Date: Fri Jan 6 18:52:20 2012 -0500
31742
31743 Merge branch 'pax-test' into grsec-test
31744
31745commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
31746Merge: 7bdddeb a919904
31747Author: Brad Spengler <spender@grsecurity.net>
31748Date: Fri Jan 6 18:51:50 2012 -0500
31749
31750 Merge branch 'linux-3.1.y' into pax-test
31751
31752 Conflicts:
31753 include/net/flow.h
31754
31755commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
31756Author: Brad Spengler <spender@grsecurity.net>
31757Date: Fri Jan 6 18:33:05 2012 -0500
31758
31759 Make GRKERNSEC_SETXID option compatible with credential debugging
31760
31761commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
31762Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
31763Date: Wed Dec 28 15:57:11 2011 -0800
31764
31765 mm/mempolicy.c: refix mbind_range() vma issue
31766
31767 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
31768 slightly incorrect fix.
31769
31770 Why? Think following case.
31771
31772 1. map 4 pages of a file at offset 0
31773
31774 [0123]
31775
31776 2. map 2 pages just after the first mapping of the same file but with
31777 page offset 2
31778
31779 [0123][23]
31780
31781 3. mbind() 2 pages from the first mapping at offset 2.
31782 mbind_range() should treat new vma is,
31783
31784 [0123][23]
31785 |23|
31786 mbind vma
31787
31788 but it does
31789
31790 [0123][23]
31791 |01|
31792 mbind vma
31793
31794 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
31795
31796 This patch fixes it.
31797
31798 [testcase]
31799 test result - before the patch
31800
31801 case4: 126: test failed. expect '2,4', actual '2,2,2'
31802 case5: passed
31803 case6: passed
31804 case7: passed
31805 case8: passed
31806 case_n: 246: test failed. expect '4,2', actual '1,4'
31807
31808 ------------[ cut here ]------------
31809 kernel BUG at mm/filemap.c:135!
31810 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
31811
31812 (snip long bug on messages)
31813
31814 test result - after the patch
31815
31816 case4: passed
31817 case5: passed
31818 case6: passed
31819 case7: passed
31820 case8: passed
31821 case_n: passed
31822
31823 source: mbind_vma_test.c
31824 ============================================================
31825 #include <numaif.h>
31826 #include <numa.h>
31827 #include <sys/mman.h>
31828 #include <stdio.h>
31829 #include <unistd.h>
31830 #include <stdlib.h>
31831 #include <string.h>
31832
31833 static unsigned long pagesize;
31834 void* mmap_addr;
31835 struct bitmask *nmask;
31836 char buf[1024];
31837 FILE *file;
31838 char retbuf[10240] = "";
31839 int mapped_fd;
31840
31841 char *rubysrc = "ruby -e '\
31842 pid = %d; \
31843 vstart = 0x%llx; \
31844 vend = 0x%llx; \
31845 s = `pmap -q #{pid}`; \
31846 rary = []; \
31847 s.each_line {|line|; \
31848 ary=line.split(\" \"); \
31849 addr = ary[0].to_i(16); \
31850 if(vstart <= addr && addr < vend) then \
31851 rary.push(ary[1].to_i()/4); \
31852 end; \
31853 }; \
31854 print rary.join(\",\"); \
31855 '";
31856
31857 void init(void)
31858 {
31859 void* addr;
31860 char buf[128];
31861
31862 nmask = numa_allocate_nodemask();
31863 numa_bitmask_setbit(nmask, 0);
31864
31865 pagesize = getpagesize();
31866
31867 sprintf(buf, "%s", "mbind_vma_XXXXXX");
31868 mapped_fd = mkstemp(buf);
31869 if (mapped_fd == -1)
31870 perror("mkstemp "), exit(1);
31871 unlink(buf);
31872
31873 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
31874 perror("lseek "), exit(1);
31875 if (write(mapped_fd, "\0", 1) < 0)
31876 perror("write "), exit(1);
31877
31878 addr = mmap(NULL, pagesize*8, PROT_NONE,
31879 MAP_SHARED, mapped_fd, 0);
31880 if (addr == MAP_FAILED)
31881 perror("mmap "), exit(1);
31882
31883 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
31884 perror("mprotect "), exit(1);
31885
31886 mmap_addr = addr + pagesize;
31887
31888 /* make page populate */
31889 memset(mmap_addr, 0, pagesize*6);
31890 }
31891
31892 void fin(void)
31893 {
31894 void* addr = mmap_addr - pagesize;
31895 munmap(addr, pagesize*8);
31896
31897 memset(buf, 0, sizeof(buf));
31898 memset(retbuf, 0, sizeof(retbuf));
31899 }
31900
31901 void mem_bind(int index, int len)
31902 {
31903 int err;
31904
31905 err = mbind(mmap_addr+pagesize*index, pagesize*len,
31906 MPOL_BIND, nmask->maskp, nmask->size, 0);
31907 if (err)
31908 perror("mbind "), exit(err);
31909 }
31910
31911 void mem_interleave(int index, int len)
31912 {
31913 int err;
31914
31915 err = mbind(mmap_addr+pagesize*index, pagesize*len,
31916 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
31917 if (err)
31918 perror("mbind "), exit(err);
31919 }
31920
31921 void mem_unbind(int index, int len)
31922 {
31923 int err;
31924
31925 err = mbind(mmap_addr+pagesize*index, pagesize*len,
31926 MPOL_DEFAULT, NULL, 0, 0);
31927 if (err)
31928 perror("mbind "), exit(err);
31929 }
31930
31931 void Assert(char *expected, char *value, char *name, int line)
31932 {
31933 if (strcmp(expected, value) == 0) {
31934 fprintf(stderr, "%s: passed\n", name);
31935 return;
31936 }
31937 else {
31938 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
31939 name, line,
31940 expected, value);
31941 // exit(1);
31942 }
31943 }
31944
31945 /*
31946 AAAA
31947 PPPPPPNNNNNN
31948 might become
31949 PPNNNNNNNNNN
31950 case 4 below
31951 */
31952 void case4(void)
31953 {
31954 init();
31955 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
31956
31957 mem_bind(0, 4);
31958 mem_unbind(2, 2);
31959
31960 file = popen(buf, "r");
31961 fread(retbuf, sizeof(retbuf), 1, file);
31962 Assert("2,4", retbuf, "case4", __LINE__);
31963
31964 fin();
31965 }
31966
31967 /*
31968 AAAA
31969 PPPPPPNNNNNN
31970 might become
31971 PPPPPPPPPPNN
31972 case 5 below
31973 */
31974 void case5(void)
31975 {
31976 init();
31977 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
31978
31979 mem_bind(0, 2);
31980 mem_bind(2, 2);
31981
31982 file = popen(buf, "r");
31983 fread(retbuf, sizeof(retbuf), 1, file);
31984 Assert("4,2", retbuf, "case5", __LINE__);
31985
31986 fin();
31987 }
31988
31989 /*
31990 AAAA
31991 PPPPNNNNXXXX
31992 might become
31993 PPPPPPPPPPPP 6
31994 */
31995 void case6(void)
31996 {
31997 init();
31998 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
31999
32000 mem_bind(0, 2);
32001 mem_bind(4, 2);
32002 mem_bind(2, 2);
32003
32004 file = popen(buf, "r");
32005 fread(retbuf, sizeof(retbuf), 1, file);
32006 Assert("6", retbuf, "case6", __LINE__);
32007
32008 fin();
32009 }
32010
32011 /*
32012 AAAA
32013 PPPPNNNNXXXX
32014 might become
32015 PPPPPPPPXXXX 7
32016 */
32017 void case7(void)
32018 {
32019 init();
32020 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
32021
32022 mem_bind(0, 2);
32023 mem_interleave(4, 2);
32024 mem_bind(2, 2);
32025
32026 file = popen(buf, "r");
32027 fread(retbuf, sizeof(retbuf), 1, file);
32028 Assert("4,2", retbuf, "case7", __LINE__);
32029
32030 fin();
32031 }
32032
32033 /*
32034 AAAA
32035 PPPPNNNNXXXX
32036 might become
32037 PPPPNNNNNNNN 8
32038 */
32039 void case8(void)
32040 {
32041 init();
32042 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
32043
32044 mem_bind(0, 2);
32045 mem_interleave(4, 2);
32046 mem_interleave(2, 2);
32047
32048 file = popen(buf, "r");
32049 fread(retbuf, sizeof(retbuf), 1, file);
32050 Assert("2,4", retbuf, "case8", __LINE__);
32051
32052 fin();
32053 }
32054
32055 void case_n(void)
32056 {
32057 init();
32058 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
32059
32060 /* make redundunt mappings [0][1234][34][7] */
32061 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
32062 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
32063
32064 /* Expect to do nothing. */
32065 mem_unbind(2, 2);
32066
32067 file = popen(buf, "r");
32068 fread(retbuf, sizeof(retbuf), 1, file);
32069 Assert("4,2", retbuf, "case_n", __LINE__);
32070
32071 fin();
32072 }
32073
32074 int main(int argc, char** argv)
32075 {
32076 case4();
32077 case5();
32078 case6();
32079 case7();
32080 case8();
32081 case_n();
32082
32083 return 0;
32084 }
32085 =============================================================
32086
32087 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
32088 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
32089 Cc: Minchan Kim <minchan.kim@gmail.com>
32090 Cc: Caspar Zhang <caspar@casparzhang.com>
32091 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
32092 Cc: Christoph Lameter <cl@linux.com>
32093 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
32094 Cc: Mel Gorman <mel@csn.ul.ie>
32095 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
32096 Cc: <stable@vger.kernel.org> [3.1.x]
32097 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
32098 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
32099
32100commit f3a1082005781777086df235049f8c0b7efe524e
32101Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
32102Date: Tue Dec 27 22:32:41 2011 -0500
32103
32104 packet: fix possible dev refcnt leak when bind fail
32105
32106 If bind is fail when bind is called after set PACKET_FANOUT
32107 sock option, the dev refcnt will leak.
32108
32109 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
32110 Signed-off-by: David S. Miller <davem@davemloft.net>
32111
32112commit 915f8b08dac68839dc7204ee81cf9852fda16d24
32113Author: Haogang Chen <haogangchen@gmail.com>
32114Date: Mon Dec 19 17:11:56 2011 -0800
32115
32116 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
32117
32118 There is a potential integer overflow in nilfs_ioctl_clean_segments().
32119 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
32120 call to vmalloc() will allocate a buffer smaller than expected, which
32121 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
32122 lfs_clean_segments().
32123
32124 The following check does not prevent the overflow because nsegs is also
32125 controlled by the userspace and could be very large.
32126
32127 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
32128 goto out_free;
32129
32130 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
32131 returns -EINVAL when overflow.
32132
32133 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
32134 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
32135 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
32136 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
32137
32138commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
32139Author: Kautuk Consul <consul.kautuk@gmail.com>
32140Date: Mon Dec 19 17:12:04 2011 -0800
32141
32142 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
32143
32144 Static storage is not required for the struct vmap_area in
32145 __get_vm_area_node.
32146
32147 Removing "static" to store this variable on the stack instead.
32148
32149 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
32150 Acked-by: David Rientjes <rientjes@google.com>
32151 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
32152 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
32153
32154commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
32155Author: Michel Lespinasse <walken@google.com>
32156Date: Mon Dec 19 17:12:06 2011 -0800
32157
32158 binary_sysctl(): fix memory leak
32159
32160 binary_sysctl() calls sysctl_getname() which allocates from names_cache
32161 slab usin __getname()
32162
32163 The matching function to free the name is __putname(), and not putname()
32164 which should be used only to match getname() allocations.
32165
32166 This is because when auditing is enabled, putname() calls audit_putname
32167 *instead* (not in addition) to __putname(). Then, if a syscall is in
32168 progress, audit_putname does not release the name - instead, it expects
32169 the name to get released when the syscall completes, but that will happen
32170 only if audit_getname() was called previously, i.e. if the name was
32171 allocated with getname() rather than the naked __getname(). So,
32172 __getname() followed by putname() ends up leaking memory.
32173
32174 Signed-off-by: Michel Lespinasse <walken@google.com>
32175 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
32176 Cc: Christoph Hellwig <hch@infradead.org>
32177 Cc: Eric Paris <eparis@redhat.com>
32178 Cc: <stable@vger.kernel.org>
32179 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
32180 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
32181
32182commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
32183Author: Sean Hefty <sean.hefty@intel.com>
32184Date: Tue Dec 6 21:17:11 2011 +0000
32185
32186 RDMA/cma: Verify private data length
32187
32188 private_data_len is defined as a u8. If the user specifies a large
32189 private_data size (> 220 bytes), we will calculate a total length that
32190 exceeds 255, resulting in private_data_len wrapping back to 0. This
32191 can lead to overwriting random kernel memory. Avoid this by verifying
32192 that the resulting size fits into a u8.
32193
32194 Reported-by: B. Thery <benjamin.thery@bull.net>
32195 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
32196 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
32197 Signed-off-by: Roland Dreier <roland@purestorage.com>
32198
32199commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
32200Author: Xi Wang <xi.wang@gmail.com>
32201Date: Sun Dec 11 23:40:56 2011 -0800
32202
32203 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
32204
32205 The error check (intr_status < 0) didn't work because intr_status is
32206 a u8. Change its type to signed int.
32207
32208 Signed-off-by: Xi Wang <xi.wang@gmail.com>
32209 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
32210
32211commit e27f34e383d7863b2528a63b81b23db09781f6b6
32212Author: Xi Wang <xi.wang@gmail.com>
32213Date: Fri Dec 16 12:44:15 2011 +0000
32214
32215 sctp: fix incorrect overflow check on autoclose
32216
32217 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
32218 limiting the autoclose value. If userspace passes in -1 on 32-bit
32219 platform, the overflow check didn't work and autoclose would be set
32220 to 0xffffffff.
32221
32222 This patch defines a max_autoclose (in seconds) for limiting the value
32223 and exposes it through sysctl, with the following intentions.
32224
32225 1) Avoid overflowing autoclose * HZ.
32226
32227 2) Keep the default autoclose bound consistent across 32- and 64-bit
32228 platforms (INT_MAX / HZ in this patch).
32229
32230 3) Keep the autoclose value consistent between setsockopt() and
32231 getsockopt() calls.
32232
32233 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
32234 Signed-off-by: Xi Wang <xi.wang@gmail.com>
32235 Signed-off-by: David S. Miller <davem@davemloft.net>
32236
32237commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
32238Author: Xi Wang <xi.wang@gmail.com>
32239Date: Wed Dec 21 05:18:33 2011 -0500
32240
32241 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
32242
32243 Commit e133e737 didn't correctly fix the integer overflow issue.
32244
32245 - unsigned int required_size;
32246 + u64 required_size;
32247 ...
32248 required_size = mode_cmd->pitch * mode_cmd->height;
32249 - if (unlikely(required_size > dev_priv->vram_size)) {
32250 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
32251
32252 Note that both pitch and height are u32. Their product is still u32 and
32253 would overflow before being assigned to required_size. A correct way is
32254 to convert pitch and height to u64 before the multiplication.
32255
32256 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
32257
32258 This patch calls the existing vmw_kms_validate_mode_vram() for
32259 validation.
32260
32261 Signed-off-by: Xi Wang <xi.wang@gmail.com>
32262 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
32263 Signed-off-by: Dave Airlie <airlied@redhat.com>
32264
32265 Conflicts:
32266
32267 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
32268
32269commit eb8f0bd01fb994c9abc77dc84729794cd841753d
32270Author: Xi Wang <xi.wang@gmail.com>
32271Date: Thu Dec 22 13:35:22 2011 +0000
32272
32273 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
32274
32275 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
32276 cause a kernel oops due to insufficient bounds checking.
32277
32278 if (count > 1<<30) {
32279 /* Enforce a limit to prevent overflow */
32280 return -EINVAL;
32281 }
32282 count = roundup_pow_of_two(count);
32283 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
32284
32285 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
32286
32287 ... + (count * sizeof(struct rps_dev_flow))
32288
32289 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
32290 32 bits.
32291
32292 This patch replaces the magic number (1 << 30) with a symbolic bound.
32293
32294 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
32295 Signed-off-by: Xi Wang <xi.wang@gmail.com>
32296 Signed-off-by: David S. Miller <davem@davemloft.net>
32297
32298commit 648188958672024b616c42c1f6c98c8cfc85619d
32299Author: Xi Wang <xi.wang@gmail.com>
32300Date: Fri Dec 30 10:40:17 2011 -0500
32301
32302 netfilter: ctnetlink: fix timeout calculation
32303
32304 The sanity check (timeout < 0) never works; the dividend is unsigned
32305 and so is the division, which should have been a signed division.
32306
32307 long timeout = (ct->timeout.expires - jiffies) / HZ;
32308 if (timeout < 0)
32309 timeout = 0;
32310
32311 This patch converts the time values to signed for the division.
32312
32313 Signed-off-by: Xi Wang <xi.wang@gmail.com>
32314 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
32315
32316commit ab03a0973cee73f88655ff4981812ad316a6cd59
32317Merge: 76f82df 7bdddeb
32318Author: Brad Spengler <spender@grsecurity.net>
32319Date: Tue Jan 3 17:42:50 2012 -0500
32320
32321 Merge branch 'pax-test' into grsec-test
32322
32323commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
32324Merge: 3e59cb5 55cc81a
32325Author: Brad Spengler <spender@grsecurity.net>
32326Date: Tue Jan 3 17:42:36 2012 -0500
32327
32328 Merge branch 'linux-3.1.y' into pax-test
32329
32330commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
32331Author: Brad Spengler <spender@grsecurity.net>
32332Date: Thu Dec 22 20:15:02 2011 -0500
32333
32334 Only further restrict futex targeting another process -- our modified
32335 permission check also happened to allow a case where a process retaining
32336 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
32337 being non-zero (reported on forums by ben_w)
32338
32339commit 6b235a4450a5fea41663ec35fa0608988b6078c6
32340Merge: 97c16f0 3e59cb5
32341Author: Brad Spengler <spender@grsecurity.net>
32342Date: Thu Dec 22 19:11:06 2011 -0500
32343
32344 Merge branch 'pax-test' into grsec-test
32345
32346 Conflicts:
32347 fs/hfs/btree.c
32348
32349commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
32350Merge: 285eb4e c26f60b
32351Author: Brad Spengler <spender@grsecurity.net>
32352Date: Thu Dec 22 19:09:57 2011 -0500
32353
32354 Merge branch 'linux-3.1.y' into pax-test
32355
32356 Conflicts:
32357 arch/x86/kernel/process.c
32358
32359commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
32360Author: Brad Spengler <spender@grsecurity.net>
32361Date: Mon Dec 19 21:54:01 2011 -0500
32362
32363 Add new option: "Enforce consistent multithreaded privileges"
32364
32365commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
32366Author: Brad Spengler <spender@grsecurity.net>
32367Date: Wed Dec 7 19:58:31 2011 -0500
32368
32369 Remove harmless duplicate code -- exec_file would be null already so the
32370 second check would never pass.
32371
32372commit 4e3304e94aa72737810bc50169519af157dce4ce
32373Author: Brad Spengler <spender@grsecurity.net>
32374Date: Wed Dec 7 19:50:39 2011 -0500
32375
32376 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
32377 depended on for attaching to a thread. Entries exist in /proc for
32378 threads, but are not visible in a readdir.
32379
32380commit 1bd899335f23815cfe8deac44c6b346398f3b95e
32381Author: Brad Spengler <spender@grsecurity.net>
32382Date: Sun Dec 4 18:03:28 2011 -0500
32383
32384 Put the already-walked path if in RCU-walk mode
32385
32386commit ec7ae36b7159f10649709779443a988662965d66
32387Author: Brad Spengler <spender@grsecurity.net>
32388Date: Sun Dec 4 17:35:21 2011 -0500
32389
32390 Fix memory leak introduced by recent (unpublished) commit
32391 75ab998b94a29d464518d6d501bdde3fbfcbfa14
32392
32393commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
32394Author: Brad Spengler <spender@grsecurity.net>
32395Date: Sun Dec 4 13:56:10 2011 -0500
32396
32397 Explicitly check size copied to userland in override_release to silence gcc
32398
32399commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
32400Author: Brad Spengler <spender@grsecurity.net>
32401Date: Sun Dec 4 13:54:02 2011 -0500
32402
32403 Initialize variable to silence erroneous gcc warning
32404
32405commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
32406Author: Brad Spengler <spender@grsecurity.net>
32407Date: Sun Dec 4 13:47:47 2011 -0500
32408
32409 Future-proof other potential RCU-aware locations where we can log.
32410
32411commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
32412Author: Brad Spengler <spender@grsecurity.net>
32413Date: Sun Dec 4 13:02:54 2011 -0500
32414
32415 Fix freeze reported by 'vs' on the forums. Bug occurred due to
32416 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
32417 in generic_permission() was in the task's effective set but disallowed by
32418 RBAC, would block when acquiring locks resulting in the freeze.
32419
32420 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
32421 as being required when CAP_DAC_OVERRIDE is present (consistent with
32422 older patches).
32423
32424commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
32425Author: Xi Wang <xi.wang@gmail.com>
32426Date: Tue Nov 29 09:26:30 2011 +0000
32427
32428 sctp: better integer overflow check in sctp_auth_create_key()
32429
32430 The check from commit 30c2235c is incomplete and cannot prevent
32431 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
32432 left-hand side of the check (INT_MAX - key_len), which is unsigned,
32433 becomes 0xffffffff (UINT_MAX) and bypasses the check.
32434
32435 However this shouldn't be a security issue. The function is called
32436 from the following two code paths:
32437
32438 1) setsockopt()
32439
32440 2) sctp_auth_asoc_set_secret()
32441
32442 In case (1), sca_keylength is never going to exceed 65535 since it's
32443 bounded by a u16 from the user API. As such, the key length will
32444 never overflow.
32445
32446 In case (2), sca_keylength is computed based on the user key (1 short)
32447 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
32448 will not overflow.
32449
32450 In other words, this overflow check is not really necessary. Just
32451 make it more correct.
32452
32453 Signed-off-by: Xi Wang <xi.wang@gmail.com>
32454 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
32455 Signed-off-by: David S. Miller <davem@davemloft.net>
32456
32457commit e565e28c3635a1d50f80541fbf6b606d742fec76
32458Author: Josh Boyer <jwboyer@redhat.com>
32459Date: Fri Aug 19 14:50:26 2011 -0400
32460
32461 fs/minix: Verify bitmap block counts before mounting
32462
32463 Newer versions of MINIX can create filesystems that allocate an extra
32464 bitmap block. Mounting of this succeeds, but doing a statfs call will
32465 result in an oops in count_free because of a negative number being used
32466 for the bh index.
32467
32468 Avoid this by verifying the number of allocated blocks at mount time,
32469 erroring out if there are not enough and make statfs ignore the extras
32470 if there are too many.
32471
32472 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
32473
32474 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
32475 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
32476
32477commit 6e134e398ec1a3f428261680e83df4319e64bed9
32478Author: Julia Lawall <julia@diku.dk>
32479Date: Tue Nov 15 14:53:11 2011 -0800
32480
32481 drivers/gpu/vga/vgaarb.c: add missing kfree
32482
32483 kbuf is a buffer that is local to this function, so all of the error paths
32484 leaving the function should release it.
32485
32486 Signed-off-by: Julia Lawall <julia@diku.dk>
32487 Cc: Jesper Juhl <jj@chaosbits.net>
32488 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
32489 Signed-off-by: Dave Airlie <airlied@redhat.com>
32490
32491commit 2b9057b321e36860e8d63985b5c4e496f254b717
32492Author: Brad Spengler <spender@grsecurity.net>
32493Date: Sat Dec 3 21:33:28 2011 -0500
32494
32495 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
32496
32497commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
32498Author: Brad Spengler <spender@grsecurity.net>
32499Date: Sat Dec 3 21:29:37 2011 -0500
32500
32501 Import pax-linux-3.1.4-test18.patch
32502
32503commit 285eb4ea45d853ae00426b3315a61c1368080dad
32504Author: Brad Spengler <spender@grsecurity.net>
32505Date: Sat Dec 10 18:33:46 2011 -0500
32506
32507 Import changes from pax-linux-3.1.5-test20.patch
32508
32509commit a6bda918fc90ec1d5c387e978d147ad2044153f1
32510Author: Brad Spengler <spender@grsecurity.net>
32511Date: Thu Dec 8 20:55:54 2011 -0500
32512
32513 Import changes from pax-linux-3.1.4-test19.patch
32514
32515commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
32516Author: Brad Spengler <spender@grsecurity.net>
32517Date: Sat Dec 3 21:29:37 2011 -0500
32518
32519 Import pax-linux-3.1.4-test18.patch
32520commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
32521Merge: 814820a 3a59a59
32522Author: Brad Spengler <spender@grsecurity.net>
32523Date: Sun May 12 21:51:18 2013 -0400
32524
32525 Merge branch 'pax-test' into grsec-test
32526
32527 Conflicts:
32528 security/Kconfig
32529
32530commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
32531Author: Brad Spengler <spender@grsecurity.net>
32532Date: Sun May 12 21:50:07 2013 -0400
32533
32534 Update to pax-linux-3.8.13-test24.patch:
32535 - fixed sparc/constification compile error, reported by blake
32536 - UDEREF/amd64 should be a bit more efficient when disabled at boot time
32537 - fixed some unnecessary integer truncations that could trip up the size overflow plugin
32538
32539 arch/arm/kernel/vmlinux.lds.S | 4 ++--
32540 arch/sparc/kernel/us3_cpufreq.c | 4 ++--
32541 arch/x86/ia32/ia32entry.S | 4 ++--
32542 arch/x86/include/asm/pgtable.h | 6 ++++--
32543 arch/x86/include/asm/uaccess.h | 6 +++---
32544 arch/x86/kernel/kprobes-opt.c | 4 ++++
32545 arch/x86/lib/copy_user_nocache_64.S | 2 +-
32546 arch/x86/lib/getuser.S | 8 ++++----
32547 arch/x86/lib/putuser.S | 8 ++++----
32548 arch/x86/mm/fault.c | 6 +++---
32549 drivers/net/slip/slhc.c | 2 +-
32550 drivers/staging/iio/ring_sw.c | 2 +-
32551 fs/binfmt_elf.c | 6 +++---
32552 fs/nfsd/nfscache.c | 2 +-
32553 fs/xattr.c | 21 +++++++++++++++++++++
32554 include/linux/syscalls.h | 2 +-
32555 include/linux/xattr.h | 3 +++
32556 init/main.c | 3 +++
32557 kernel/futex_compat.c | 2 +-
32558 kernel/trace/trace.h | 2 +-
32559 net/socket.c | 2 +-
32560 security/Kconfig | 2 +-
32561 22 files changed, 67 insertions(+), 34 deletions(-)
32562
32563commit 814820abfe5b9a34401d838b2510431a4cd92be9
32564Author: Dan Carpenter <dan.carpenter@oracle.com>
32565Date: Mon May 6 09:31:17 2013 +0000
32566
32567 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
32568
32569 tipc: potential divide by zero in tipc_link_recv_fragment()
32570
32571 The worry here is that fragm_sz could be zero since it comes from
32572 skb->data.
32573
32574 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
32575 Signed-off-by: David S. Miller <davem@davemloft.net>
32576
32577 net/tipc/link.c | 6 ++++--
32578 1 files changed, 4 insertions(+), 2 deletions(-)
32579
32580commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
32581Author: Dan Carpenter <dan.carpenter@oracle.com>
32582Date: Mon May 6 08:28:41 2013 +0000
32583
32584 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
32585
32586 tipc: add a bounds check in link_recv_changeover_msg()
32587
32588 The bearer_id here comes from skb->data and it can be a number from 0 to
32589 7. The problem is that the ->links[] array has only 2 elements so I
32590 have added a range check.
32591
32592 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
32593 Signed-off-by: David S. Miller <davem@davemloft.net>
32594
32595 net/tipc/link.c | 5 ++++-
32596 1 files changed, 4 insertions(+), 1 deletions(-)
32597
32598commit ed0428c4ef6c5498870772f212ac651216eb8d0c
32599Merge: 2452d8d dbf932a
32600Author: Brad Spengler <spender@grsecurity.net>
32601Date: Sun May 12 21:18:25 2013 -0400
32602
32603 Merge branch 'linux-3.8.y' into pax-test
32604
32605 Conflicts:
32606 arch/x86/kernel/cpu/perf_event_intel_uncore.c
32607 arch/x86/mm/init.c
32608
32609commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
32610Author: Brad Spengler <spender@grsecurity.net>
32611Date: Sun May 12 20:24:01 2013 -0400
32612
32613 compile fix
32614
32615 grsecurity/gracl.c | 1 +
32616 grsecurity/gracl_segv.c | 1 +
32617 2 files changed, 2 insertions(+), 0 deletions(-)
32618
32619commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
32620Author: Brad Spengler <spender@grsecurity.net>
32621Date: Sun May 12 18:25:26 2013 -0400
32622
32623 fix btrfs support here as well
32624
32625 grsecurity/gracl_segv.c | 17 +++++++++--------
32626 1 files changed, 9 insertions(+), 8 deletions(-)
32627
32628commit c75e4664fe4d20da1639f70d9def097c4f20856b
32629Author: Brad Spengler <spender@grsecurity.net>
32630Date: Sun May 12 18:12:57 2013 -0400
32631
32632 Fix RBAC compatibility with btrfs compiled as a module, as
32633 reported on the forums by YuHg at:
32634 http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
32635
32636 fs/btrfs/inode.c | 11 +----------
32637 grsecurity/gracl.c | 19 ++++++++++---------
32638 grsecurity/gracl_segv.c | 2 +-
32639 grsecurity/grsec_disabled.c | 2 +-
32640 4 files changed, 13 insertions(+), 21 deletions(-)
32641
32642commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
32643Author: Brad Spengler <spender@grsecurity.net>
32644Date: Sat May 11 12:12:00 2013 -0400
32645
32646 allow copies just up to the start of kernel code
32647
32648 fs/exec.c | 2 +-
32649 1 files changed, 1 insertions(+), 1 deletions(-)
32650
32651commit 04638852588cf243f865f5a73aa9dab94fab53b7
32652Author: Brad Spengler <spender@grsecurity.net>
32653Date: Fri May 10 16:53:07 2013 -0400
32654
32655 MODULES_EXEC_VADDR is a virtual address
32656
32657 fs/exec.c | 2 +-
32658 1 files changed, 1 insertions(+), 1 deletions(-)
32659
32660commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
32661Author: Brad Spengler <spender@grsecurity.net>
32662Date: Fri May 10 16:51:03 2013 -0400
32663
32664 exempt module rx areas from usercopy protection under i386 kernexec
32665 their .rodata will be placed between stext/etext causing copies of
32666 constant strings to trigger usercopy reports/terminations
32667
32668 fs/exec.c | 5 +++++
32669 1 files changed, 5 insertions(+), 0 deletions(-)
32670
32671commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
32672Author: Brad Spengler <spender@grsecurity.net>
32673Date: Wed May 8 20:25:52 2013 -0400
32674
32675 User jorgus on the forums:
32676 http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
32677 discovered that the upstreamed version of enforcing RLIMIT_NPROC
32678 at setuid/exec time missed an important corner case:
32679 If RLIMIT_NPROC is set after a setuid occurs and the user's process
32680 limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
32681 happen at exec time for the task with a modified RLIMIT_NPROC.
32682
32683 This patch fixes that.
32684
32685 kernel/sys.c | 7 +++++++
32686 1 files changed, 7 insertions(+), 0 deletions(-)
32687
32688commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
32689Merge: 539fff0 2452d8d
32690Author: Brad Spengler <spender@grsecurity.net>
32691Date: Wed May 8 18:13:41 2013 -0400
32692
32693 Merge branch 'pax-test' into grsec-test
32694
32695commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
32696Merge: 6c850d8 9c9ab76
32697Author: Brad Spengler <spender@grsecurity.net>
32698Date: Wed May 8 18:13:31 2013 -0400
32699
32700 Merge branch 'linux-3.8.y' into pax-test
32701
32702 Conflicts:
32703 arch/x86/kernel/irq.c
32704 kernel/trace/trace_stack.c
32705
32706commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
32707Author: Brad Spengler <spender@grsecurity.net>
32708Date: Tue May 7 21:43:00 2013 -0400
32709
32710 turn counter into a flag
32711
32712 grsecurity/Kconfig | 2 +-
32713 grsecurity/grsec_chroot.c | 8 ++++----
32714 2 files changed, 5 insertions(+), 5 deletions(-)
32715
32716commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
32717Author: Brad Spengler <spender@grsecurity.net>
32718Date: Tue May 7 21:02:39 2013 -0400
32719
32720 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
32721 useful for Fedora/RHEL users
32722
32723 grsecurity/Kconfig | 10 ++++++++++
32724 grsecurity/grsec_chroot.c | 17 +++++++++++++++--
32725 2 files changed, 25 insertions(+), 2 deletions(-)
32726
32727commit 418102925c0cfb0de51b0a021abaa575e28fafa6
32728Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
32729Date: Fri May 3 14:11:25 2013 +0200
32730
32731 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
32732
32733 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
32734
32735 We should always have proper privileges when requesting kernel
32736 data.
32737
32738 Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
32739 Cc: <stable@kernel.org>
32740 Cc: Andi Kleen <ak@linux.intel.com>
32741 Cc: eranian@google.com
32742 Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
32743 [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
32744 Signed-off-by: Ingo Molnar <mingo@kernel.org>
32745 Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
32746
32747 arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
32748 1 files changed, 10 insertions(+), 3 deletions(-)
32749
32750commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
32751Author: Eric Dumazet <edumazet@google.com>
32752Date: Mon Apr 29 05:58:52 2013 +0000
32753
32754 Upstream commit: aebda156a570782a86fc4426842152237a19427d
32755
32756 net: defer net_secret[] initialization
32757
32758 Instead of feeding net_secret[] at boot time, defer the init
32759 at the point first socket is created.
32760
32761 This permits some platforms to use better entropy sources than
32762 the ones available at boot time.
32763
32764 Signed-off-by: Eric Dumazet <edumazet@google.com>
32765 Signed-off-by: David S. Miller <davem@davemloft.net>
32766
32767 include/net/secure_seq.h | 1 +
32768 net/core/secure_seq.c | 4 +---
32769 net/ipv4/af_inet.c | 5 ++++-
32770 3 files changed, 6 insertions(+), 4 deletions(-)
32771
32772commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
32773Author: Daniel Borkmann <dborkman@redhat.com>
32774Date: Wed May 1 02:59:23 2013 +0000
32775
32776 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
32777
32778 net: sctp: attribute printl with __printf for gcc fmt checks
32779
32780 Let GCC check for format string errors in sctp's probe printl
32781 function. This patch fixes the warning when compiled with W=1:
32782
32783 net/sctp/probe.c:73:2: warning: function might be possible candidate
32784 for 'gnu_printf' format attribute [-Wmissing-format-attribute]
32785
32786 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
32787 Signed-off-by: David S. Miller <davem@davemloft.net>
32788
32789 net/sctp/probe.c | 2 +-
32790 1 files changed, 1 insertions(+), 1 deletions(-)
32791
32792commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
32793Author: Brad Spengler <spender@grsecurity.net>
32794Date: Thu May 2 19:58:54 2013 -0400
32795
32796 remove no-longer-needed vmware 8 compat fix
32797
32798 mm/page_alloc.c | 6 ------
32799 1 files changed, 0 insertions(+), 6 deletions(-)
32800
32801commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
32802Author: Brad Spengler <spender@grsecurity.net>
32803Date: Thu May 2 19:55:23 2013 -0400
32804
32805 remove unnecessary < 0 check
32806
32807 net/phonet/af_phonet.c | 2 +-
32808 1 files changed, 1 insertions(+), 1 deletions(-)
32809
32810commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
32811Author: Brad Spengler <spender@grsecurity.net>
32812Date: Wed May 1 18:30:48 2013 -0400
32813
32814 remove references to CONFIG_X86_WP_WORKS_OK
32815
32816 arch/um/defconfig | 1 -
32817 security/Kconfig | 2 +-
32818 2 files changed, 1 insertions(+), 2 deletions(-)
32819
32820commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
32821Merge: a8dbe8e 6c850d8
32822Author: Brad Spengler <spender@grsecurity.net>
32823Date: Wed May 1 18:28:44 2013 -0400
32824
32825 Merge branch 'pax-test' into grsec-test
32826
32827 Conflicts:
32828 arch/sparc/mm/ultra.S
32829 drivers/tty/tty_io.c
32830
32831commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
32832Merge: cdbcbef 9fa1d01
32833Author: Brad Spengler <spender@grsecurity.net>
32834Date: Wed May 1 18:25:18 2013 -0400
32835
32836 Merge branch 'linux-3.8.y' into pax-test
32837
32838commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
32839Author: Brad Spengler <spender@grsecurity.net>
32840Date: Mon Apr 29 18:44:23 2013 -0400
32841
32842 add module.h to silence compiler warning, thanks to
32843 Sergei Trofimovich
32844
32845 fs/btrfs/inode.c | 1 +
32846 1 files changed, 1 insertions(+), 0 deletions(-)
32847
32848commit 55eba82aca97aa56378e000840c48965557721e8
32849Author: Brad Spengler <spender@grsecurity.net>
32850Date: Mon Apr 29 18:43:03 2013 -0400
32851
32852 compilation fix
32853
32854 kernel/trace/trace.h | 2 +-
32855 1 files changed, 1 insertions(+), 1 deletions(-)
32856
32857commit e3bf912b54af6df7fbebc68b5999554562056c5c
32858Merge: 5b72e37 cdbcbef
32859Author: Brad Spengler <spender@grsecurity.net>
32860Date: Mon Apr 29 18:34:42 2013 -0400
32861
32862 Merge branch 'pax-test' into grsec-test
32863
32864commit cdbcbef45c4f003cbee11e10668a35d424c17c60
32865Author: Brad Spengler <spender@grsecurity.net>
32866Date: Mon Apr 29 18:33:35 2013 -0400
32867
32868 Update to pax-linux-3.8.10-test21.patch:
32869 - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
32870 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
32871 note that the false positive is not fixed yet
32872 - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
32873 - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
32874 - reverted the nested NMI fix in search for a real one
32875 - simplified the arm_delay_ops constification
32876
32877 arch/arm/include/asm/delay.h | 8 ++++----
32878 arch/arm/lib/delay.c | 17 +++++------------
32879 arch/x86/kernel/entry_64.S | 11 ++++++++++-
32880 arch/x86/kernel/i8259.c | 2 +-
32881 arch/x86/kernel/pci-calgary_64.c | 2 +-
32882 arch/x86/kvm/vmx.c | 4 ++--
32883 drivers/block/pktcdvd.c | 2 +-
32884 fs/btrfs/extent-tree.c | 2 +-
32885 fs/nfsd/nfscache.c | 6 ++++--
32886 kernel/trace/trace.c | 2 +-
32887 tools/gcc/structleak_plugin.c | 4 ++++
32888 11 files changed, 34 insertions(+), 26 deletions(-)
32889
32890commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
32891Author: Brad Spengler <spender@grsecurity.net>
32892Date: Fri Apr 26 20:53:06 2013 -0400
32893
32894 don't use file_inode()
32895
32896 drivers/tty/tty_io.c | 2 +-
32897 1 files changed, 1 insertions(+), 1 deletions(-)
32898
32899commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
32900Author: Jiri Slaby <jslaby@suse.cz>
32901Date: Fri Apr 26 13:48:53 2013 +0200
32902
32903 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
32904
32905 TTY: fix atime/mtime regression
32906
32907 In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
32908 we removed timestamps from tty inodes to fix a security issue and waited
32909 if something breaks. Well, 'w', the utility to find out logged users
32910 and their inactivity time broke. It shows that users are inactive since
32911 the time they logged in.
32912
32913 To revert to the old behaviour while still preventing attackers to
32914 guess the password length, we update the timestamps in one-minute
32915 intervals by this patch.
32916
32917 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
32918 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
32919 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
32920
32921 Conflicts:
32922
32923 drivers/tty/tty_io.c
32924
32925 drivers/tty/tty_io.c | 15 ++++++++++++++-
32926 1 files changed, 14 insertions(+), 1 deletions(-)
32927
32928commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
32929Author: Jiri Slaby <jslaby@suse.cz>
32930Date: Fri Feb 15 15:25:05 2013 +0100
32931
32932 Upstream commit: b0de59b5733d
32933
32934 TTY: do not update atime/mtime on read/write
32935
32936 On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
32937 out length of a password using timestamps of /dev/ptmx. It is
32938 documented in "Timing Analysis of Keystrokes and Timing Attacks on
32939 SSH". To avoid that problem, do not update time when reading
32940 from/writing to a TTY.
32941
32942 I am afraid of regressions as this is a behavior we have since 0.97
32943 and apps may expect the time to be current, e.g. for monitoring
32944 whether there was a change on the TTY. Now, there is no change. So
32945 this would better have a lot of testing before it goes upstream.
32946
32947 References: CVE-2013-0160
32948
32949 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
32950 Cc: stable <stable@vger.kernel.org> # after 3.9 is out
32951 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
32952
32953 drivers/tty/tty_io.c | 8 ++------
32954 1 files changed, 2 insertions(+), 6 deletions(-)
32955
32956commit 5344a24e2320d61dbdb88aae04922f0799deefd0
32957Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
32958Date: Fri Apr 26 11:03:53 2013 +0800
32959
32960 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
32961
32962 aio: fix possible invalid memory access when DEBUG is enabled
32963
32964 dprintk() shouldn't access @ring after it's unmapped.
32965
32966 Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
32967 Cc: stable@vger.kernel.org
32968 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
32969
32970 fs/aio.c | 2 +-
32971 1 files changed, 1 insertions(+), 1 deletions(-)
32972
32973commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
32974Author: John David Anglin <dave.anglin@bell.net>
32975Date: Tue Apr 23 22:42:07 2013 +0200
32976
32977 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
32978
32979 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
32980
32981 User applications running on SMP kernels have long suffered from instability
32982 and random segmentation faults. This patch improves the situation although
32983 there is more work to be done.
32984
32985 One of the problems is the various routines in pgtable.h that update page table
32986 entries use different locking mechanisms, or no lock at all (set_pte_at). This
32987 change modifies the routines to all use the same lock pa_dbit_lock. This lock
32988 is used for dirty bit updates in the interruption code. The patch also purges
32989 the TLB entries associated with the PTE to ensure that inconsistent values are
32990 not used after the page table entry is updated. The UP and SMP code are now
32991 identical.
32992
32993 The change also includes a minor update to the purge_tlb_entries function in
32994 cache.c to improve its efficiency.
32995
32996 Signed-off-by: John David Anglin <dave.anglin@bell.net>
32997 Cc: Helge Deller <deller@gmx.de>
32998 Signed-off-by: Helge Deller <deller@gmx.de>
32999
33000 arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
33001 arch/parisc/kernel/cache.c | 5 +---
33002 2 files changed, 26 insertions(+), 26 deletions(-)
33003
33004commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
33005Merge: ba54c97 4d05084
33006Author: Brad Spengler <spender@grsecurity.net>
33007Date: Fri Apr 26 18:17:20 2013 -0400
33008
33009 Merge branch 'pax-test' into grsec-test
33010
33011 Conflicts:
33012 arch/x86/kvm/x86.c
33013 include/linux/capability.h
33014
33015commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
33016Merge: c664779 bb8dd67
33017Author: Brad Spengler <spender@grsecurity.net>
33018Date: Fri Apr 26 18:15:45 2013 -0400
33019
33020 Merge branch 'linux-3.8.y' into pax-test
33021
33022commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
33023Author: David S. Miller <davem@davemloft.net>
33024Date: Wed Apr 24 16:52:18 2013 -0700
33025
33026 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
33027
33028 sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
33029
33030 Reported-by: Meelis Roos <mroos@linux.ee>
33031 Signed-off-by: David S. Miller <davem@davemloft.net>
33032
33033 arch/sparc/mm/tlb.c | 3 ++-
33034 1 files changed, 2 insertions(+), 1 deletions(-)
33035
33036commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
33037Author: David S. Miller <davem@davemloft.net>
33038Date: Fri Apr 19 17:26:26 2013 -0400
33039
33040 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
33041
33042 sparc64: Fix race in TLB batch processing.
33043
33044 As reported by Dave Kleikamp, when we emit cross calls to do batched
33045 TLB flush processing we have a race because we do not synchronize on
33046 the sibling cpus completing the cross call.
33047
33048 So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
33049 and either flushes are missed or flushes will flush the wrong
33050 addresses.
33051
33052 Fix this by using generic infrastructure to synchonize on the
33053 completion of the cross call.
33054
33055 This first required getting the flush_tlb_pending() call out from
33056 switch_to() which operates with locks held and interrupts disabled.
33057 The problem is that smp_call_function_many() cannot be invoked with
33058 IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
33059
33060 We get the batch processing outside of locked IRQ disabled sections by
33061 using some ideas from the powerpc port. Namely, we only batch inside
33062 of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
33063 region, we flush TLBs synchronously.
33064
33065 1) Get rid of xcall_flush_tlb_pending and per-cpu type
33066 implementations.
33067
33068 2) Do TLB batch cross calls instead via:
33069
33070 smp_call_function_many()
33071 tlb_pending_func()
33072 __flush_tlb_pending()
33073
33074 3) Batch only in lazy mmu sequences:
33075
33076 a) Add 'active' member to struct tlb_batch
33077 b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
33078 c) Set 'active' in arch_enter_lazy_mmu_mode()
33079 d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
33080 e) Check 'active' in tlb_batch_add_one() and do a synchronous
33081 flush if it's clear.
33082
33083 4) Add infrastructure for synchronous TLB page flushes.
33084
33085 a) Implement __flush_tlb_page and per-cpu variants, patch
33086 as needed.
33087 b) Likewise for xcall_flush_tlb_page.
33088 c) Implement smp_flush_tlb_page() to invoke the cross-call.
33089 d) Wire up global_flush_tlb_page() to the right routine based
33090 upon CONFIG_SMP
33091
33092 5) It turns out that singleton batches are very common, 2 out of every
33093 3 batch flushes have only a single entry in them.
33094
33095 The batch flush waiting is very expensive, both because of the poll
33096 on sibling cpu completeion, as well as because passing the tlb batch
33097 pointer to the sibling cpus invokes a shared memory dereference.
33098
33099 Therefore, in flush_tlb_pending(), if there is only one entry in
33100 the batch perform a completely asynchronous global_flush_tlb_page()
33101 instead.
33102
33103 Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
33104 Signed-off-by: David S. Miller <davem@davemloft.net>
33105 Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
33106
33107 arch/sparc/include/asm/pgtable_64.h | 1 +
33108 arch/sparc/include/asm/switch_to_64.h | 3 +-
33109 arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
33110 arch/sparc/kernel/smp_64.c | 41 ++++++++++-
33111 arch/sparc/mm/tlb.c | 38 +++++++++-
33112 arch/sparc/mm/tsb.c | 57 ++++++++++++----
33113 arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
33114 7 files changed, 241 insertions(+), 55 deletions(-)
33115
33116commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
33117Author: Linus Torvalds <torvalds@linux-foundation.org>
33118Date: Fri Apr 19 15:32:32 2013 +0000
33119
33120 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
33121
33122 net: fix incorrect credentials passing
33123
33124 Commit 257b5358b32f ("scm: Capture the full credentials of the scm
33125 sender") changed the credentials passing code to pass in the effective
33126 uid/gid instead of the real uid/gid.
33127
33128 Obviously this doesn't matter most of the time (since normally they are
33129 the same), but it results in differences for suid binaries when the wrong
33130 uid/gid ends up being used.
33131
33132 This just undoes that (presumably unintentional) part of the commit.
33133
33134 Reported-by: Andy Lutomirski <luto@amacapital.net>
33135 Cc: Eric W. Biederman <ebiederm@xmission.com>
33136 Cc: Serge E. Hallyn <serge@hallyn.com>
33137 Cc: David S. Miller <davem@davemloft.net>
33138 Cc: stable@vger.kernel.org
33139 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
33140 Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
33141 Signed-off-by: David S. Miller <davem@davemloft.net>
33142
33143 include/net/scm.h | 4 ++--
33144 1 files changed, 2 insertions(+), 2 deletions(-)
33145
33146commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
33147Author: Brad Spengler <spender@grsecurity.net>
33148Date: Thu Apr 18 19:22:40 2013 -0400
33149
33150 move _etext to only cover kernel code, not read-only data, as reported by Gu1
33151
33152 arch/arm/kernel/vmlinux.lds.S | 4 ++--
33153 1 files changed, 2 insertions(+), 2 deletions(-)
33154
33155commit 98ad6adbc48759e4f9eae435d3e51ba487155685
33156Author: Brad Spengler <spender@grsecurity.net>
33157Date: Thu Apr 18 19:17:24 2013 -0400
33158
33159 add asm/sections.h for USERCOPY change
33160
33161 fs/exec.c | 1 +
33162 1 files changed, 1 insertions(+), 0 deletions(-)
33163
33164commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
33165Author: Dmitry Popov <dp@highloadlab.com>
33166Date: Thu Apr 11 08:55:07 2013 +0000
33167
33168 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
33169
33170 tcp: incoming connections might use wrong route under synflood
33171
33172 There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
33173 flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
33174 RT_SCOPE_UNIVERSE, IPPROTO_TCP,
33175 inet_sk_flowi_flags(sk),
33176 (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
33177 ireq->loc_addr, th->source, th->dest);
33178
33179 Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
33180 taken. This dst_entry is used by new socket (get_cookie_sock ->
33181 tcp_v4_syn_recv_sock), so its packets may take the wrong path.
33182
33183 Signed-off-by: Dmitry Popov <dp@highloadlab.com>
33184 Signed-off-by: David S. Miller <davem@davemloft.net>
33185
33186 net/ipv4/syncookies.c | 4 ++--
33187 1 files changed, 2 insertions(+), 2 deletions(-)
33188
33189commit 3600395e8fef3ae712e72f9b68c3609639616df8
33190Author: Thomas Graf <tgraf@suug.ch>
33191Date: Thu Apr 11 10:57:18 2013 +0000
33192
33193 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
33194
33195 tcp: Reallocate headroom if it would overflow csum_start
33196
33197 If a TCP retransmission gets partially ACKed and collapsed multiple
33198 times it is possible for the headroom to grow beyond 64K which will
33199 overflow the 16bit skb->csum_start which is based on the start of
33200 the headroom. It has been observed rarely in the wild with IPoIB due
33201 to the 64K MTU.
33202
33203 Verify if the acking and collapsing resulted in a headroom exceeding
33204 what csum_start can cover and reallocate the headroom if so.
33205
33206 A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
33207 LLNL for helping out with the investigation and testing.
33208
33209 Reported-by: Jim Foraker <foraker1@llnl.gov>
33210 Signed-off-by: Thomas Graf <tgraf@suug.ch>
33211 Acked-by: Eric Dumazet <edumazet@google.com>
33212 Signed-off-by: David S. Miller <davem@davemloft.net>
33213
33214 net/ipv4/tcp_output.c | 8 ++++++--
33215 1 files changed, 6 insertions(+), 2 deletions(-)
33216
33217commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
33218Author: Ivan Vecera <ivecera@redhat.com>
33219Date: Fri Apr 12 16:49:24 2013 +0200
33220
33221 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
33222
33223 be2net: take care of __vlan_put_tag return value
33224
33225 The driver should use return value of __vlan_put_tag with appropriate
33226 NULL-check instead of old skb pointer.
33227
33228 Signed-off-by: Ivan Vecera <ivecera@redhat.com>
33229 Signed-off-by: David S. Miller <davem@davemloft.net>
33230
33231 drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
33232 1 files changed, 3 insertions(+), 2 deletions(-)
33233
33234commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
33235Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
33236Date: Fri Apr 12 03:17:12 2013 +0000
33237
33238 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
33239
33240 tuntap: fix error return code in tun_set_iff()
33241
33242 Fix to return a negative error code from the error handling
33243 case instead of 0, as returned elsewhere in this function.
33244
33245 [ Bug added in linux-3.8 , commit 4008e97f866db665
33246 ("tuntap: fix ambigious multiqueue API") ]
33247
33248 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
33249 Acked-by: Eric Dumazet <edumazet@google.com>
33250 Signed-off-by: David S. Miller <davem@davemloft.net>
33251
33252 drivers/net/tun.c | 2 +-
33253 1 files changed, 1 insertions(+), 1 deletions(-)
33254
33255commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
33256Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
33257Date: Sat Apr 13 15:49:03 2013 +0000
33258
33259 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
33260
33261 esp4: fix error return code in esp_output()
33262
33263 Fix to return a negative error code from the error handling
33264 case instead of 0, as returned elsewhere in this function.
33265
33266 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
33267 Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
33268 Signed-off-by: David S. Miller <davem@davemloft.net>
33269
33270 net/ipv4/esp4.c | 6 +++---
33271 1 files changed, 3 insertions(+), 3 deletions(-)
33272
33273commit 2b45b5f52c2a8930f80c62de392a62516c83e225
33274Author: Bjørn Mork <bjorn@mork.no>
33275Date: Tue Apr 16 00:17:07 2013 +0000
33276
33277 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
33278
33279 net: cdc_mbim: remove bogus sizeof()
33280
33281 The intention was to test against the constant, not the size of
33282 the constant.
33283
33284 Signed-off-by: Bjørn Mork <bjorn@mork.no>
33285 Signed-off-by: David S. Miller <davem@davemloft.net>
33286
33287 drivers/net/usb/cdc_mbim.c | 2 +-
33288 1 files changed, 1 insertions(+), 1 deletions(-)
33289
33290commit 17d7408795519037a5a1272c7888238e20830bfe
33291Author: Vyacheslav Dubeyko <slava@dubeyko.com>
33292Date: Wed Apr 17 15:58:33 2013 -0700
33293
33294 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
33295
33296 hfsplus: fix potential overflow in hfsplus_file_truncate()
33297
33298 Change a u32 to loff_t hfsplus_file_truncate().
33299
33300 Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
33301 Cc: Christoph Hellwig <hch@infradead.org>
33302 Cc: Al Viro <viro@zeniv.linux.org.uk>
33303 Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
33304 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
33305 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
33306
33307 fs/hfsplus/extents.c | 2 +-
33308 1 files changed, 1 insertions(+), 1 deletions(-)
33309
33310commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
33311Author: Emese Revfy <re.emese@gmail.com>
33312Date: Wed Apr 17 15:58:36 2013 -0700
33313
33314 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
33315
33316 kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
33317
33318 This fixes a kernel memory contents leak via the tkill and tgkill syscalls
33319 for compat processes.
33320
33321 This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
33322 when handling signals delivered from tkill.
33323
33324 The place of the infoleak:
33325
33326 int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
33327 {
33328 ...
33329 put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
33330 ...
33331 }
33332
33333 Signed-off-by: Emese Revfy <re.emese@gmail.com>
33334 Reviewed-by: PaX Team <pageexec@freemail.hu>
33335 Signed-off-by: Kees Cook <keescook@chromium.org>
33336 Cc: Al Viro <viro@zeniv.linux.org.uk>
33337 Cc: Oleg Nesterov <oleg@redhat.com>
33338 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
33339 Cc: Serge Hallyn <serge.hallyn@canonical.com>
33340 Cc: <stable@vger.kernel.org>
33341 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
33342 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
33343
33344 kernel/signal.c | 2 +-
33345 1 files changed, 1 insertions(+), 1 deletions(-)
33346
33347commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
33348Author: Brad Spengler <spender@grsecurity.net>
33349Date: Wed Apr 17 20:17:00 2013 -0400
33350
33351 Improve PAX_USERCOPY to reject direct copies to/from main kernel text
33352
33353 fs/exec.c | 29 +++++++++++++++++++++++++++--
33354 1 files changed, 27 insertions(+), 2 deletions(-)
33355
33356commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
33357Merge: e87c19f c664779
33358Author: Brad Spengler <spender@grsecurity.net>
33359Date: Wed Apr 17 20:06:08 2013 -0400
33360
33361 Merge branch 'pax-test' into grsec-test
33362
33363commit c664779987cb0c27a242029f0e0db812e3236203
33364Author: Brad Spengler <spender@grsecurity.net>
33365Date: Wed Apr 17 19:54:09 2013 -0400
33366
33367 add intentional_overflow marking for resource_size() as reasoned by:
33368 http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
33369
33370 include/linux/ioport.h | 2 +-
33371 1 files changed, 1 insertions(+), 1 deletions(-)
33372
33373commit e87c19f8312355b8658e5138c16bfa6043a379c8
33374Merge: 802d119 d0c636c
33375Author: Brad Spengler <spender@grsecurity.net>
33376Date: Wed Apr 17 16:57:12 2013 -0400
33377
33378 Merge branch 'pax-test' into grsec-test
33379
33380commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
33381Merge: bc88628 2396403
33382Author: Brad Spengler <spender@grsecurity.net>
33383Date: Wed Apr 17 16:57:01 2013 -0400
33384
33385 Merge branch 'linux-3.8.y' into pax-test
33386
33387 Conflicts:
33388 arch/x86/kernel/paravirt.c
33389
33390commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
33391Author: Brad Spengler <spender@grsecurity.net>
33392Date: Sun Apr 14 21:39:51 2013 -0400
33393
33394 move location of RBAC user check on setfsuid until after capability checks
33395 for consistency with other checks
33396
33397 kernel/sys.c | 6 +++---
33398 1 files changed, 3 insertions(+), 3 deletions(-)
33399
33400commit 1a860d7d67051559ab2e6d10f9888649c92904e6
33401Author: Brad Spengler <spender@grsecurity.net>
33402Date: Sun Apr 14 21:34:46 2013 -0400
33403
33404 A denied setfsuid by the RBAC system would result in an abort_creds() being called
33405 with an uninitalized pointer, introduced by a bad forward-port
33406
33407 kernel/sys.c | 6 +++---
33408 1 files changed, 3 insertions(+), 3 deletions(-)
33409
33410commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
33411Merge: c38d142 bc88628
33412Author: Brad Spengler <spender@grsecurity.net>
33413Date: Sun Apr 14 21:28:33 2013 -0400
33414
33415 Merge branch 'pax-test' into grsec-test
33416
33417 Conflicts:
33418 security/Kconfig
33419
33420commit bc88628a6a8fcccaabb90908640809b0540df225
33421Author: Brad Spengler <spender@grsecurity.net>
33422Date: Sun Apr 14 21:26:41 2013 -0400
33423
33424 Update to pax-linux-3.8.7-test20.patch:
33425 - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
33426 - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
33427 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
33428 - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
33429
33430 arch/powerpc/include/asm/smp.h | 2 +-
33431 arch/x86/Kconfig | 4 ++--
33432 arch/x86/kernel/entry_64.S | 8 ++++----
33433 security/Kconfig | 2 +-
33434 4 files changed, 8 insertions(+), 8 deletions(-)
33435
33436commit c38d142744489fc4d9be80188b6435a278438fd9
33437Author: Suleiman Souhlal <suleiman@google.com>
33438Date: Sat Apr 13 16:03:06 2013 -0700
33439
33440 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
33441
33442 vfs: Revert spurious fix to spinning prevention in prune_icache_sb
33443
33444 Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
33445
33446 This commit doesn't look right: since we are looking at the tail of the
33447 list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
33448 it back at the head of the list instead of the tail, otherwise we will
33449 keep spinning on it.
33450
33451 Discovered when investigating why prune_icache_sb came top in perf
33452 reports of a swapping load.
33453
33454 Signed-off-by: Suleiman Souhlal <suleiman@google.com>
33455 Signed-off-by: Hugh Dickins <hughd@google.com>
33456 Cc: stable@vger.kernel.org # v3.2+
33457 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
33458
33459 fs/inode.c | 2 +-
33460 1 files changed, 1 insertions(+), 1 deletions(-)
33461
33462commit 93019624b80ba59798393942798d7f6ed0c1dbc6
33463Author: Linus Torvalds <torvalds@linux-foundation.org>
33464Date: Sat Apr 13 15:15:30 2013 -0700
33465
33466 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
33467
33468 kobject: fix kset_find_obj() race with concurrent last kobject_put()
33469
33470 Anatol Pomozov identified a race condition that hits module unloading
33471 and re-loading. To quote Anatol:
33472
33473 "This is a race codition that exists between kset_find_obj() and
33474 kobject_put(). kset_find_obj() might return kobject that has refcount
33475 equal to 0 if this kobject is freeing by kobject_put() in other
33476 thread.
33477
33478 Here is timeline for the crash in case if kset_find_obj() searches for
33479 an object tht nobody holds and other thread is doing kobject_put() on
33480 the same kobject:
33481
33482 THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())
33483 splin_lock()
33484 atomic_dec_return(kobj->kref), counter gets zero here
33485 ... starts kobject cleanup ....
33486 spin_lock() // WAIT thread A in kobj_kset_leave()
33487 iterate over kset->list
33488 atomic_inc(kobj->kref) (counter becomes 1)
33489 spin_unlock()
33490 spin_lock() // taken
33491 // it does not know that thread A increased counter so it
33492 remove obj from list
33493 spin_unlock()
33494 vfree(module) // frees module object with containing kobj
33495
33496 // kobj points to freed memory area!!
33497 kobject_put(kobj) // OOPS!!!!
33498
33499 The race above happens because module.c tries to use kset_find_obj()
33500 when somebody unloads module. The module.c code was introduced in
33501 commit 6494a93d55fa"
33502
33503 Anatol supplied a patch specific for module.c that worked around the
33504 problem by simply not using kset_find_obj() at all, but rather than make
33505 a local band-aid, this just fixes kset_find_obj() to be thread-safe
33506 using the proper model of refusing the get a new reference if the
33507 refcount has already dropped to zero.
33508
33509 See examples of this proper refcount handling not only in the kref
33510 documentation, but in various other equivalent uses of this pattern by
33511 grepping for atomic_inc_not_zero().
33512
33513 [ Side note: the module race does indicate that module loading and
33514 unloading is not properly serialized wrt sysfs information using the
33515 module mutex. That may require further thought, but this is the
33516 correct fix at the kobject layer regardless. ]
33517
33518 Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
33519 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
33520 Cc: Al Viro <viro@zeniv.linux.org.uk>
33521 Cc: stable@vger.kernel.org
33522 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
33523
33524 lib/kobject.c | 9 ++++++++-
33525 1 files changed, 8 insertions(+), 1 deletions(-)
33526
33527commit 5277b052b5fab36729e1255fb3b12f47a4b12867
33528Author: Dave Hansen <dave@sr71.net>
33529Date: Fri Apr 12 16:23:54 2013 -0700
33530
33531 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
33532
33533 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
33534
33535 This patch attempts to fix:
33536
33537 https://bugzilla.kernel.org/show_bug.cgi?id=56461
33538
33539 The symptom is a crash and messages like this:
33540
33541 chrome: Corrupted page table at address 34a03000
33542 *pdpt = 0000000000000000 *pde = 0000000000000000
33543 Bad pagetable: 000f [#1] PREEMPT SMP
33544
33545 Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
33546 enable tlb flush range support for x86") since that code started to free
33547 unused pagetables.
33548
33549 On x86-32 PAE kernels, that new code has the potential to free an entire
33550 PMD page and will clear one of the four page-directory-pointer-table
33551 (aka pgd_t entries).
33552
33553 The hardware aggressively "caches" these top-level entries and invlpg
33554 does not actually affect the CPU's copy. If we clear one we *HAVE* to
33555 do a full TLB flush, otherwise we might continue using a freed pmd page.
33556 (note, we do this properly on the population side in pud_populate()).
33557
33558 This patch tracks whenever we clear one of these entries in the 'struct
33559 mmu_gather', and ensures that we follow up with a full tlb flush.
33560
33561 BTW, I disassembled and checked that:
33562
33563 if (tlb->fullmm == 0)
33564 and
33565 if (!tlb->fullmm && !tlb->need_flush_all)
33566
33567 generate essentially the same code, so there should be zero impact there
33568 to the !PAE case.
33569
33570 Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
33571 Cc: Peter Anvin <hpa@zytor.com>
33572 Cc: Ingo Molnar <mingo@kernel.org>
33573 Cc: Artem S Tashkinov <t.artem@mailcity.com>
33574 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
33575
33576 arch/x86/include/asm/tlb.h | 2 +-
33577 arch/x86/mm/pgtable.c | 7 +++++++
33578 include/asm-generic/tlb.h | 7 ++++++-
33579 mm/memory.c | 1 +
33580 4 files changed, 15 insertions(+), 2 deletions(-)
33581
33582commit 521e573fc77d1783c1d4636dfbb4617a922f043d
33583Merge: 032f626 f807619
33584Author: Brad Spengler <spender@grsecurity.net>
33585Date: Fri Apr 12 19:29:34 2013 -0400
33586
33587 Merge branch 'pax-test' into grsec-test
33588
33589commit f80761993b85df96fc142dfc3a317cadc0f8eae5
33590Author: Brad Spengler <spender@grsecurity.net>
33591Date: Fri Apr 12 19:28:21 2013 -0400
33592
33593 Update to pax-linux-3.8.7-test19.patch:
33594 - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
33595 - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
33596 - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
33597
33598 Makefile | 2 +-
33599 arch/x86/xen/enlighten.c | 6 +++---
33600 tools/gcc/structleak_plugin.c | 5 +++--
33601 3 files changed, 7 insertions(+), 6 deletions(-)
33602
33603commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
33604Merge: a3a770e 89886f5
33605Author: Brad Spengler <spender@grsecurity.net>
33606Date: Fri Apr 12 18:38:40 2013 -0400
33607
33608 Merge branch 'pax-test' into grsec-test
33609
33610commit 89886f561cc0d1c42a99624ec8c3704711088155
33611Merge: 9123489 531ec28
33612Author: Brad Spengler <spender@grsecurity.net>
33613Date: Fri Apr 12 18:38:30 2013 -0400
33614
33615 Merge branch 'linux-3.8.y' into pax-test
33616
33617commit a3a770e18578841e4fbe2aa0831a22811b4812cf
33618Author: Brad Spengler <spender@grsecurity.net>
33619Date: Thu Apr 11 20:46:20 2013 -0400
33620
33621 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
33622 Will be fixed with the next PaX patch
33623
33624 This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
33625
33626 security/Kconfig | 2 +-
33627 1 files changed, 1 insertions(+), 1 deletions(-)
33628
33629commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
33630Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
33631Date: Fri Mar 29 10:20:56 2013 -0400
33632
33633 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
33634
33635 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
33636
33637 Occassionaly on a DL380 G4 the guest would crash quite early with this:
33638
33639 (XEN) d244:v0: unhandled page fault (ec=0003)
33640 (XEN) Pagetable walk from ffffffff84dc7000:
33641 (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
33642 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
33643 (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
33644 (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
33645 (XEN) domain_crash_sync called from entry.S
33646 (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
33647 (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
33648 (XEN) CPU: 3
33649 (XEN) RIP: e033:[<ffffffff81263f22>]
33650 (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
33651 (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
33652 (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
33653
33654 The offending code shows it to be a loop writting the value zero
33655 (%rax) in the %rdi (the L4 provided by Xen) register:
33656
33657 0: 44 00 00 add %r8b,(%rax)
33658 3: 31 c0 xor %eax,%eax
33659 5: b9 40 00 00 00 mov $0x40,%ecx
33660 a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
33661 11: 00 00
33662 13: ff c9 dec %ecx
33663 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
33664 18: 48 89 47 08 mov %rax,0x8(%rdi)
33665 1c: 48 89 47 10 mov %rax,0x10(%rdi)
33666
33667 which fails. xen_setup_kernel_pagetable recycles some of the Xen's
33668 page-table entries when it has switched over to its Linux page-tables.
33669
33670 Right before try to clear the page, we make a hypercall to change
33671 it from _RO to _RW and that works (otherwise we would hit an BUG()).
33672 And the _RW flag is set for that page:
33673 (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
33674
33675 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
33676 present (correct), and we tried to write to the page, but a violation
33677 occurred. The one theory is that the the page entries in hardware
33678 (which are cached) are not up to date with what we just set. Especially
33679 as we have just done an CR3 write and flushed the multicalls.
33680
33681 This patch does solve the problem by flusing out the TLB page
33682 entry after changing it from _RO to _RW and we don't hit this
33683 issue anymore.
33684
33685 Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
33686 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
33687 Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
33688 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
33689
33690 arch/x86/xen/mmu.c | 12 ++++++++----
33691 1 files changed, 8 insertions(+), 4 deletions(-)
33692
33693commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
33694Author: Namhyung Kim <namhyung.kim@lge.com>
33695Date: Mon Apr 1 21:46:23 2013 +0900
33696
33697 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
33698
33699 tracing: Fix double free when function profile init failed
33700
33701 On the failure path, stat->start and stat->pages will refer same page.
33702 So it'll attempt to free the same page again and get kernel panic.
33703
33704 Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
33705
33706 Cc: Frederic Weisbecker <fweisbec@gmail.com>
33707 Cc: Namhyung Kim <namhyung.kim@lge.com>
33708 Cc: stable@vger.kernel.org
33709 Signed-off-by: Namhyung Kim <namhyung@kernel.org>
33710 Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
33711
33712 kernel/trace/ftrace.c | 1 -
33713 1 files changed, 0 insertions(+), 1 deletions(-)
33714
33715commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
33716Author: Neil Horman <nhorman@tuxdriver.com>
33717Date: Tue Apr 9 23:19:00 2013 +0000
33718
33719 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
33720
33721 e100: Add dma mapping error check
33722
33723 e100 uses pci_map_single, but fails to check for a dma mapping error after its
33724 use, resulting in a stack trace:
33725
33726 [ 46.656594] ------------[ cut here ]------------
33727 [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
33728 [ 46.657004] Hardware name: To Be Filled By O.E.M.
33729 [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
33730 error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
33731 [ 46.657004] Modules linked in:
33732 [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
33733 snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
33734 e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
33735 k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
33736 sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
33737 drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
33738 sata_promise crc_itu_t
33739 [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
33740 [ 46.657004] Call Trace:
33741 [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
33742 [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
33743 [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
33744 [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
33745 [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
33746 [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
33747 [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
33748 [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
33749 [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
33750 [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
33751 [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
33752 [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
33753 [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
33754 [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
33755 [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
33756 [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
33757 _raw_spin_unlock_irqrestore+0x3b/0x70
33758 [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
33759 [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
33760 [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
33761 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
33762 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
33763 [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
33764 [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
33765 [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
33766 [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
33767 [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
33768 [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
33769 [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
33770 [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
33771 [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
33772 [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
33773 [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
33774 [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
33775 [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
33776 [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
33777 [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
33778 [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
33779 [ 46.657004] Mapped at:
33780 [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
33781 [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
33782 [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
33783 [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
33784 [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
33785
33786 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
33787 dma_mapping_error check in the obvious place
33788
33789 This was reported previously here:
33790 http://article.gmane.org/gmane.linux.network/257893
33791
33792 But nobody stepped up and fixed it.
33793
33794 CC: Josh Boyer <jwboyer@redhat.com>
33795 CC: e1000-devel@lists.sourceforge.net
33796 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
33797 Reported-by: Michal Jaegermann <michal@harddata.com>
33798 Tested-by: Aaron Brown <aaron.f.brown@intel.com>
33799 Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
33800 Signed-off-by: David S. Miller <davem@davemloft.net>
33801
33802 drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
33803 1 files changed, 25 insertions(+), 11 deletions(-)
33804
33805commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
33806Author: Trond Myklebust <Trond.Myklebust@netapp.com>
33807Date: Wed Apr 10 12:44:18 2013 -0400
33808
33809 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
33810
33811 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
33812
33813 Make sure that we set the status to 0 on success. Missed in testing
33814 because it never appears when doing multiple mounts to _different_
33815 servers.
33816
33817 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
33818 Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
33819
33820 fs/nfs/nfs4client.c | 1 +
33821 1 files changed, 1 insertions(+), 0 deletions(-)
33822
33823commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
33824Author: Yuval Mintz <yuvalmin@broadcom.com>
33825Date: Wed Apr 10 13:34:39 2013 +0300
33826
33827 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
33828
33829 bnx2x: Prevent null pointer dereference in AFEX mode
33830
33831 The cnic module is responsible for initializing various bnx2x structs
33832 via callbacks provided by the bnx2x module.
33833 One such struct is the queue object for the FCoE queue.
33834
33835 If a device is working in AFEX mode and its configuration allows FCoE yet
33836 the cnic module is not loaded, it's very likely a null pointer dereference
33837 will occur, as the bnx2x will erroneously access the FCoE's queue object.
33838
33839 Prevent said access until cnic properly registers itself.
33840
33841 Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
33842 Signed-off-by: Ariel Elior <ariele@broadcom.com>
33843 Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
33844 Signed-off-by: David S. Miller <davem@davemloft.net>
33845
33846 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
33847 1 files changed, 2 insertions(+), 1 deletions(-)
33848
33849commit 2908830232725db624aaa052f7ad38d1f98bf541
33850Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
33851Date: Tue Apr 9 14:16:04 2013 +0800
33852
33853 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
33854
33855 can: gw: use kmem_cache_free() instead of kfree()
33856
33857 Memory allocated by kmem_cache_alloc() should be freed using
33858 kmem_cache_free(), not kfree().
33859
33860 Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
33861 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
33862 Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
33863 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
33864
33865 net/can/gw.c | 6 +++---
33866 1 files changed, 3 insertions(+), 3 deletions(-)
33867
33868commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
33869Author: Christoph Paasch <christoph.paasch@uclouvain.be>
33870Date: Sun Apr 7 04:53:15 2013 +0000
33871
33872 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
33873
33874 ipv6/tcp: Stop processing ICMPv6 redirect messages
33875
33876 Tetja Rediske found that if the host receives an ICMPv6 redirect message
33877 after sending a SYN+ACK, the connection will be reset.
33878
33879 He bisected it down to 093d04d (ipv6: Change skb->data before using
33880 icmpv6_notify() to propagate redirect), but the origin of the bug comes
33881 from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
33882 handlers.). The bug simply did not trigger prior to 093d04d, because
33883 skb->data did not point to the inner IP header and thus icmpv6_notify
33884 did not call the correct err_handler.
33885
33886 This patch adds the missing "goto out;" in tcp_v6_err. After receiving
33887 an ICMPv6 Redirect, we should not continue processing the ICMP in
33888 tcp_v6_err, as this may trigger the removal of request-socks or setting
33889 sk_err(_soft).
33890
33891 Reported-by: Tetja Rediske <tetja@tetja.de>
33892 Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
33893 Acked-by: Eric Dumazet <edumazet@google.com>
33894 Signed-off-by: David S. Miller <davem@davemloft.net>
33895
33896 net/ipv6/tcp_ipv6.c | 1 +
33897 1 files changed, 1 insertions(+), 0 deletions(-)
33898
33899commit c7d5c2524456ef3ea9194840e7a9a75069a46824
33900Author: Brad Spengler <spender@grsecurity.net>
33901Date: Wed Apr 10 20:32:54 2013 -0400
33902
33903 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
33904
33905 Makefile | 2 +-
33906 1 files changed, 1 insertions(+), 1 deletions(-)
33907
33908commit acac2380fd97acee4367d2aa24c74322dcf1d22b
33909Author: Trond Myklebust <Trond.Myklebust@netapp.com>
33910Date: Fri Apr 5 16:11:11 2013 -0400
33911
33912 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
33913
33914 NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
33915
33916 It is unsafe to use list_for_each_entry_safe() here, because
33917 when we drop the nn->nfs_client_lock, we pin the _current_ list
33918 entry and ensure that it stays in the list, but we don't do the
33919 same for the _next_ list entry. Use of list_for_each_entry() is
33920 therefore the correct thing to do.
33921
33922 Also fix the refcounting in nfs41_walk_client_list().
33923
33924 Finally, ensure that the nfs_client has finished being initialised
33925 and, in the case of NFSv4.1, that the session is set up.
33926
33927 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
33928 Cc: Chuck Lever <chuck.lever@oracle.com>
33929 Cc: Bryan Schumaker <bjschuma@netapp.com>
33930 Cc: stable@vger.kernel.org [>= 3.7]
33931
33932 fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
33933 1 files changed, 28 insertions(+), 16 deletions(-)
33934
33935commit a6cf5f387b882ac0ce655b75f623f86c075517be
33936Author: Chuck Lever <chuck.lever@oracle.com>
33937Date: Fri Mar 22 12:52:59 2013 -0400
33938
33939 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
33940
33941 SUNRPC: Remove extra xprt_put()
33942
33943 While testing error cases where rpc_new_client() fails, I saw
33944 some oopses.
33945
33946 If rpc_new_client() fails, it already invokes xprt_put(). Thus
33947 __rpc_clone_client() does not need to invoke it again.
33948
33949 Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
33950 Fri Sep 14, 2012.
33951
33952 Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
33953 Cc: stable@vger.kernel.org [>=3.7]
33954 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
33955
33956 net/sunrpc/clnt.c | 4 +---
33957 1 files changed, 1 insertions(+), 3 deletions(-)
33958
33959commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
33960Author: Trond Myklebust <Trond.Myklebust@netapp.com>
33961Date: Fri Apr 5 14:13:21 2013 -0400
33962
33963 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
33964
33965 SUNRPC: Fix a potential memory leak in rpc_new_client
33966
33967 If the call to rpciod_up() fails, we currently leak a reference to the
33968 struct rpc_xprt.
33969 As part of the fix, we also remove the redundant check for xprt!=NULL.
33970 This is already taken care of by the callers.
33971
33972 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
33973
33974 net/sunrpc/clnt.c | 7 ++-----
33975 1 files changed, 2 insertions(+), 5 deletions(-)
33976
33977commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
33978Author: Brad Spengler <spender@grsecurity.net>
33979Date: Wed Apr 10 19:16:05 2013 -0400
33980
33981 From https://lkml.org/lkml/2013/4/8/469:
33982 [PATCH] rtnetlink: call nlmsg_parse() with correct header length
33983
33984 net/core/rtnetlink.c | 4 ++--
33985 1 files changed, 2 insertions(+), 2 deletions(-)
33986
33987commit 9529169b8c405874fd543b785f53c74fa0501c2a
33988Author: Christopher Harvey <charvey@matrox.com>
33989Date: Fri Apr 5 10:51:15 2013 -0400
33990
33991 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
33992
33993 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
33994
33995 This change properly enables the "requester" in G200ER cards that is
33996 responsible for getting pixels out of memory and clocking them out to
33997 the screen.
33998
33999 Signed-off-by: Christopher Harvey <charvey@matrox.com>
34000 Cc: stable@vger.kernel.org
34001 Signed-off-by: Dave Airlie <airlied@redhat.com>
34002
34003 drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
34004 1 files changed, 3 insertions(+), 10 deletions(-)
34005
34006commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
34007Author: Al Viro <viro@zeniv.linux.org.uk>
34008Date: Thu Mar 28 13:30:23 2013 -0400
34009
34010 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
34011
34012 ecryptfs: close rmmod race
34013
34014 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
34015
34016 fs/ecryptfs/miscdev.c | 14 ++------------
34017 1 files changed, 2 insertions(+), 12 deletions(-)
34018
34019commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
34020Author: Brad Spengler <spender@grsecurity.net>
34021Date: Wed Apr 10 19:03:45 2013 -0400
34022
34023 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
34024
34025 arch/ia64/kernel/palinfo.c | 2 +-
34026 1 files changed, 1 insertions(+), 1 deletions(-)
34027
34028commit 83280e384ae3ceadad30369ced111dc7d4b46085
34029Author: Andrey Vagin <avagin@openvz.org>
34030Date: Tue Apr 9 17:33:29 2013 +0400
34031
34032 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
34033
34034 mnt: release locks on error path in do_loopback
34035
34036 do_loopback calls lock_mount(path) and forget to unlock_mount
34037 if clone_mnt or copy_mnt fails.
34038
34039 [ 77.661566] ================================================
34040 [ 77.662939] [ BUG: lock held when returning to user space! ]
34041 [ 77.664104] 3.9.0-rc5+ #17 Not tainted
34042 [ 77.664982] ------------------------------------------------
34043 [ 77.666488] mount/514 is leaving the kernel with locks still held!
34044 [ 77.668027] 2 locks held by mount/514:
34045 [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
34046 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
34047
34048 Signed-off-by: Andrey Vagin <avagin@openvz.org>
34049 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
34050
34051 fs/namespace.c | 2 +-
34052 1 files changed, 1 insertions(+), 1 deletions(-)
34053
34054commit 679e536b9d9536d804f049fe942367a596253e6d
34055Author: Alex Williamson <alex.williamson@redhat.com>
34056Date: Tue Mar 26 11:33:16 2013 -0600
34057
34058 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
34059
34060 vfio-pci: Fix possible integer overflow
34061
34062 The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
34063 of which are unsigned. We attempt to bounds check these, but fail to
34064 account for the case where start is a very large number, allowing
34065 start + count to wrap back into the valid range. Bounds check both
34066 start and start + count.
34067
34068 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
34069 Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
34070
34071 drivers/vfio/pci/vfio_pci.c | 3 ++-
34072 1 files changed, 2 insertions(+), 1 deletions(-)
34073
34074commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
34075Author: Brad Spengler <spender@grsecurity.net>
34076Date: Wed Apr 10 18:48:45 2013 -0400
34077
34078 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
34079
34080 security/Kconfig | 2 +-
34081 1 files changed, 1 insertions(+), 1 deletions(-)
34082
34083commit b5261a6384ee42499b29495aaae40b271e77d394
34084Author: Brad Spengler <spender@grsecurity.net>
34085Date: Tue Apr 9 17:30:45 2013 -0400
34086
34087 some undefined behavior fixups
34088
34089 grsecurity/gracl.c | 4 ++--
34090 grsecurity/gracl_ip.c | 10 +++++-----
34091 grsecurity/gracl_segv.c | 4 ++--
34092 3 files changed, 9 insertions(+), 9 deletions(-)
34093
34094commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
34095Author: Brad Spengler <spender@grsecurity.net>
34096Date: Tue Apr 9 17:28:54 2013 -0400
34097
34098 don't whine about denied ipv6 when it's not enabled
34099
34100 grsecurity/gracl_ip.c | 3 +++
34101 1 files changed, 3 insertions(+), 0 deletions(-)
34102
34103commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
34104Merge: 97bca88 9123489
34105Author: Brad Spengler <spender@grsecurity.net>
34106Date: Tue Apr 9 17:18:45 2013 -0400
34107
34108 Merge branch 'pax-test' into grsec-test
34109
34110commit 9123489428c58668a89f316db6619739cbdd2c2a
34111Author: Brad Spengler <spender@grsecurity.net>
34112Date: Tue Apr 9 17:17:46 2013 -0400
34113
34114 Update to pax-linux-3.8.6-test18.patch:
34115 - new size overflow plugin from Emese to work around a gcc optimization
34116 resulting in an intentional overflow, reported by Carlos Carvalho
34117 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
34118
34119 tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
34120 1 files changed, 66 insertions(+), 2 deletions(-)
34121
34122commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
34123Merge: 675a41e e9d6073
34124Author: Brad Spengler <spender@grsecurity.net>
34125Date: Mon Apr 8 21:32:59 2013 -0400
34126
34127 Merge branch 'pax-test' into grsec-test
34128
34129 Conflicts:
34130 arch/sparc/kernel/us3_cpufreq.c
34131
34132commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
34133Author: Brad Spengler <spender@grsecurity.net>
34134Date: Mon Apr 8 21:19:03 2013 -0400
34135
34136 Update to pax-linux-3.8.6-test17.patch:
34137 - fixed ia64/ppc/sparc compilation by spender
34138 - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
34139
34140 arch/ia64/include/asm/uaccess.h | 2 -
34141 arch/powerpc/include/asm/uaccess.h | 2 -
34142 arch/sparc/include/asm/uaccess.h | 7 ----
34143 arch/sparc/kernel/prom_common.c | 2 +-
34144 arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
34145 tools/gcc/structleak_plugin.c | 15 ++++----
34146 6 files changed, 28 insertions(+), 69 deletions(-)
34147
34148commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
34149Author: Brad Spengler <spender@grsecurity.net>
34150Date: Sun Apr 7 12:00:50 2013 -0400
34151
34152 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
34153
34154 net/socket.c | 2 +-
34155 1 files changed, 1 insertions(+), 1 deletions(-)
34156
34157commit 5a216624a06429488f24ce47db093da042f90e48
34158Author: Brad Spengler <spender@grsecurity.net>
34159Date: Sat Apr 6 13:22:24 2013 -0400
34160
34161 fix typo
34162
34163 arch/sparc/kernel/us3_cpufreq.c | 5 +----
34164 1 files changed, 1 insertions(+), 4 deletions(-)
34165
34166commit e476ca18d21788898cd3acd1b57049971a2fb70f
34167Author: Brad Spengler <spender@grsecurity.net>
34168Date: Sat Apr 6 13:16:13 2013 -0400
34169
34170 properly fix cpufreq_driver for ultrasparc III with constification
34171
34172 arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
34173 1 files changed, 17 insertions(+), 18 deletions(-)
34174
34175commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
34176Author: Brad Spengler <spender@grsecurity.net>
34177Date: Sat Apr 6 12:58:48 2013 -0400
34178
34179 mark prom_sparc_ops __initconst
34180
34181 arch/sparc/kernel/prom_common.c | 2 +-
34182 1 files changed, 1 insertions(+), 1 deletions(-)
34183
34184commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
34185Author: Brad Spengler <spender@grsecurity.net>
34186Date: Sat Apr 6 12:53:16 2013 -0400
34187
34188 fix ia64/powerpc/sparc compilation
34189
34190 arch/ia64/include/asm/uaccess.h | 2 --
34191 arch/powerpc/include/asm/uaccess.h | 2 --
34192 arch/sparc/include/asm/uaccess.h | 7 -------
34193 3 files changed, 0 insertions(+), 11 deletions(-)
34194
34195commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
34196Author: Johannes Berg <johannes.berg@intel.com>
34197Date: Tue Mar 19 20:26:57 2013 +0100
34198
34199 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
34200
34201 cfg80211: fix wdev tracing crash
34202
34203 Arend reported a crash in tracing if the driver returns an
34204 ERR_PTR() value from the add_virtual_intf() callback. This
34205 is due to the tracing then still attempting to dereference
34206 the "pointer", fix this by using IS_ERR_OR_NULL().
34207
34208 Reported-by: Arend van Spriel <arend@broadcom.com>
34209 Tested-by: Arend van Spriel <arend@broadcom.com>
34210 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
34211
34212 net/wireless/trace.h | 3 ++-
34213 1 files changed, 2 insertions(+), 1 deletions(-)
34214
34215commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
34216Author: Johannes Berg <johannes.berg@intel.com>
34217Date: Mon Mar 25 11:51:14 2013 +0100
34218
34219 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
34220
34221 mac80211: fix remain-on-channel cancel crash
34222
34223 If a ROC item is canceled just as it expires, the work
34224 struct may be scheduled while it is running (and waiting
34225 for the mutex). This results in it being run after being
34226 freed, which obviously crashes.
34227
34228 To fix this don't free it when aborting is requested but
34229 instead mark it as "to be freed", which makes the work a
34230 no-op and allows freeing it outside.
34231
34232 Cc: stable@vger.kernel.org [3.6+]
34233 Reported-by: Jouni Malinen <j@w1.fi>
34234 Tested-by: Jouni Malinen <j@w1.fi>
34235 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
34236
34237 net/mac80211/cfg.c | 6 ++++--
34238 net/mac80211/ieee80211_i.h | 3 ++-
34239 net/mac80211/offchannel.c | 23 +++++++++++++++++------
34240 3 files changed, 23 insertions(+), 9 deletions(-)
34241
34242commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
34243Author: Stone Piao <piaoyun@marvell.com>
34244Date: Fri Mar 29 19:21:21 2013 -0700
34245
34246 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
34247
34248 mwifiex: limit channel number not to overflow memory
34249
34250 Limit the channel number in scan request, or the driver scan
34251 config structure memory will be overflowed.
34252
34253 Cc: <stable@vger.kernel.org> # 3.5+
34254 Signed-off-by: Stone Piao <piaoyun@marvell.com>
34255 Signed-off-by: Bing Zhao <bzhao@marvell.com>
34256 Signed-off-by: John W. Linville <linville@tuxdriver.com>
34257
34258 drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
34259 1 files changed, 2 insertions(+), 1 deletions(-)
34260
34261commit 207c411512bdaf0e4271f93ecac6ca26588da36f
34262Author: Gao feng <gaofeng@cn.fujitsu.com>
34263Date: Thu Mar 21 19:48:41 2013 +0000
34264
34265 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
34266
34267 netfilter: reset nf_trace in nf_reset
34268
34269 We forgot to clear the nf_trace of sk_buff in nf_reset,
34270 When we use veth device, this nf_trace information will
34271 be leaked from one net namespace to another net namespace.
34272
34273 Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
34274 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
34275
34276 include/linux/skbuff.h | 3 +++
34277 1 files changed, 3 insertions(+), 0 deletions(-)
34278
34279commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
34280Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
34281Date: Fri Mar 22 01:28:18 2013 +0000
34282
34283 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
34284
34285 netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
34286
34287 Fix to return a negative error code from the error handling
34288 case instead of 0, as returned elsewhere in this function.
34289
34290 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
34291 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
34292
34293 net/netfilter/nfnetlink_queue_core.c | 4 +++-
34294 1 files changed, 3 insertions(+), 1 deletions(-)
34295
34296commit a79feb7d3251eca577d83d7f69eee2b961ab2924
34297Author: Pablo Neira Ayuso <pablo@netfilter.org>
34298Date: Sat Mar 23 16:57:59 2013 +0100
34299
34300 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
34301
34302 netfilter: nfnetlink_acct: return -EINVAL if object name is empty
34303
34304 If user-space tries to create accounting object with an empty
34305 name, then return -EINVAL.
34306
34307 Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
34308 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
34309
34310 net/netfilter/nfnetlink_acct.c | 2 ++
34311 1 files changed, 2 insertions(+), 0 deletions(-)
34312
34313commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
34314Author: Matthias Schiffer <mschiffer@universe-factory.net>
34315Date: Sat Mar 30 10:23:12 2013 +0000
34316
34317 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
34318
34319 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
34320
34321 The bitmask used for the prefix mangling was being calculated
34322 incorrectly, leading to the wrong part of the address being replaced
34323 when the prefix length wasn't a multiple of 32.
34324
34325 Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
34326 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
34327
34328 net/ipv6/netfilter/ip6t_NPT.c | 2 +-
34329 1 files changed, 1 insertions(+), 1 deletions(-)
34330
34331commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
34332Author: Veaceslav Falico <vfalico@redhat.com>
34333Date: Wed Apr 3 05:46:33 2013 +0000
34334
34335 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
34336
34337 bonding: remove sysfs before removing devices
34338
34339 We have a race condition if we try to rmmod bonding and simultaneously add
34340 a bond master through sysfs. In bonding_exit() we first remove the devices
34341 (through rtnl_link_unregister() ) and only after that we remove the sysfs.
34342 If we manage to add a device through sysfs after that the devices were
34343 removed - we'll end up with that device/sysfs structure and with the module
34344 unloaded.
34345
34346 Fix this by first removing the sysfs and only after that calling
34347 rtnl_link_unregister().
34348
34349 Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
34350 Signed-off-by: David S. Miller <davem@davemloft.net>
34351
34352 drivers/net/bonding/bond_main.c | 2 +-
34353 1 files changed, 1 insertions(+), 1 deletions(-)
34354
34355commit d12cae44a9d12441d81c489178803237219d403d
34356Author: Eric W. Biederman <ebiederm@xmission.com>
34357Date: Wed Apr 3 16:14:47 2013 +0000
34358
34359 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
34360
34361 af_unix: If we don't care about credentials coallesce all messages
34362
34363 It was reported that the following LSB test case failed
34364 https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
34365 were not coallescing unix stream messages when the application was
34366 expecting us to.
34367
34368 The problem was that the first send was before the socket was accepted
34369 and thus sock->sk_socket was NULL in maybe_add_creds, and the second
34370 send after the socket was accepted had a non-NULL value for sk->socket
34371 and thus we could tell the credentials were not needed so we did not
34372 bother.
34373
34374 The unnecessary credentials on the first message cause
34375 unix_stream_recvmsg to start verifying that all messages had the same
34376 credentials before coallescing and then the coallescing failed because
34377 the second message had no credentials.
34378
34379 Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
34380 long standing pessimization which would fail to coallesce messages when
34381 reading from a unix stream socket if the senders were different even if
34382 we did not care about their credentials.
34383
34384 I have tested this and verified that the in the LSB test case mentioned
34385 above that the messages do coallesce now, while the were failing to
34386 coallesce without this change.
34387
34388 Reported-by: Karel Srot <ksrot@redhat.com>
34389 Reported-by: Ding Tianhong <dingtianhong@huawei.com>
34390 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
34391 Signed-off-by: David S. Miller <davem@davemloft.net>
34392
34393 net/unix/af_unix.c | 2 +-
34394 1 files changed, 1 insertions(+), 1 deletions(-)
34395
34396commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
34397Author: Eric W. Biederman <ebiederm@xmission.com>
34398Date: Wed Apr 3 16:13:35 2013 +0000
34399
34400 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
34401
34402 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
34403
34404 This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
34405
34406 The problem that the above patch was meant to address is that af_unix
34407 messages are not being coallesced because we are sending unnecesarry
34408 credentials. Not sending credentials in maybe_add_creds totally
34409 breaks unconnected unix domain sockets that wish to send credentails
34410 to other sockets.
34411
34412 In practice this break some versions of udev because they receive a
34413 message and the sending uid is bogus so they drop the message.
34414
34415 Reported-by: Sven Joachim <svenjoac@gmx.de>
34416 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
34417 Signed-off-by: David S. Miller <davem@davemloft.net>
34418
34419 net/unix/af_unix.c | 4 ++--
34420 1 files changed, 2 insertions(+), 2 deletions(-)
34421
34422commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
34423Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
34424Date: Wed Mar 20 21:31:42 2013 +0000
34425
34426 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
34427
34428 lantiq_etop: use free_netdev(netdev) instead of kfree()
34429
34430 Freeing netdev without free_netdev() leads to net, tx leaks.
34431 And it may lead to dereferencing freed pointer.
34432
34433 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
34434 Signed-off-by: David S. Miller <davem@davemloft.net>
34435
34436 drivers/net/ethernet/lantiq_etop.c | 2 +-
34437 1 files changed, 1 insertions(+), 1 deletions(-)
34438
34439commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
34440Author: Cong Wang <amwang@redhat.com>
34441Date: Fri Mar 22 19:14:07 2013 +0000
34442
34443 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
34444
34445 8021q: fix a potential use-after-free
34446
34447 vlan_vid_del() could possibly free ->vlan_info after a RCU grace
34448 period, however, we may still refer to the freed memory area
34449 by 'grp' pointer. Found by code inspection.
34450
34451 This patch moves vlan_vid_del() as behind as possible.
34452
34453 Cc: Patrick McHardy <kaber@trash.net>
34454 Cc: "David S. Miller" <davem@davemloft.net>
34455 Signed-off-by: Cong Wang <amwang@redhat.com>
34456 Acked-by: Eric Dumazet <edumazet@google.com>
34457 Signed-off-by: David S. Miller <davem@davemloft.net>
34458
34459 net/8021q/vlan.c | 7 +++++++
34460 1 files changed, 7 insertions(+), 0 deletions(-)
34461
34462commit fff29c277024a39845d4b535083c8dafc21b45d9
34463Author: Hong zhi guo <honkiko@gmail.com>
34464Date: Sat Mar 23 02:27:50 2013 +0000
34465
34466 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
34467
34468 bridge: fix crash when set mac address of br interface
34469
34470 When I tried to set mac address of a bridge interface to a mac
34471 address which already learned on this bridge, I got system hang.
34472
34473 The cause is straight forward: function br_fdb_change_mac_address
34474 calls fdb_insert with NULL source nbp. Then an fdb lookup is
34475 performed. If an fdb entry is found and it's local, it's OK. But
34476 if it's not local, source is dereferenced for printk without NULL
34477 check.
34478
34479 Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
34480 Signed-off-by: David S. Miller <davem@davemloft.net>
34481
34482 net/bridge/br_fdb.c | 2 +-
34483 1 files changed, 1 insertions(+), 1 deletions(-)
34484
34485commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
34486Author: Kumar Amit Mehta <gmate.amit@gmail.com>
34487Date: Sat Mar 23 20:10:25 2013 +0000
34488
34489 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
34490
34491 bnx2x: fix assignment of signed expression to unsigned variable
34492
34493 fix for incorrect assignment of signed expression to unsigned variable.
34494
34495 Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
34496 Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
34497 Signed-off-by: David S. Miller <davem@davemloft.net>
34498
34499 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
34500 1 files changed, 9 insertions(+), 9 deletions(-)
34501
34502commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
34503Author: dingtianhong <dingtianhong@huawei.com>
34504Date: Mon Mar 25 17:02:04 2013 +0000
34505
34506 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
34507
34508 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
34509
34510 SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
34511 socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
34512 and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
34513
34514 Origionally-authored-by: Karel Srot <ksrot@redhat.com>
34515 Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
34516 Acked-by: Eric Dumazet <edumazet@google.com>
34517 Signed-off-by: David S. Miller <davem@davemloft.net>
34518
34519 net/unix/af_unix.c | 4 ++--
34520 1 files changed, 2 insertions(+), 2 deletions(-)
34521
34522commit b964e1e61f0f0ccaa380be3342f956c604054bdc
34523Author: Eric W. Biederman <ebiederm@xmission.com>
34524Date: Thu Mar 21 02:30:41 2013 -0700
34525
34526 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
34527
34528 yama: Better permission check for ptraceme
34529
34530 Change the permission check for yama_ptrace_ptracee to the standard
34531 ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
34532 in the tracees user namespace.
34533
34534 Reviewed-by: Kees Cook <keescook@chromium.org>
34535 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
34536
34537 security/yama/yama_lsm.c | 4 +---
34538 1 files changed, 1 insertions(+), 3 deletions(-)
34539
34540commit b94e71c7b6abe75989edff18aca2781233fa143b
34541Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
34542Date: Mon Apr 1 11:40:51 2013 +0400
34543
34544 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
34545
34546 ipc: set msg back to -EAGAIN if copy wasn't performed
34547
34548 Make sure that msg pointer is set back to error value in case of
34549 MSG_COPY flag is set and desired message to copy wasn't found. This
34550 garantees that msg is either a error pointer or a copy address.
34551
34552 Otherwise the last message in queue will be freed without unlinking from
34553 the queue (which leads to memory corruption) and the dummy allocated
34554 copy won't be released.
34555
34556 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
34557 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
34558
34559 ipc/msg.c | 1 +
34560 1 files changed, 1 insertions(+), 0 deletions(-)
34561
34562commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
34563Author: Jan Kara <jack@suse.cz>
34564Date: Fri Mar 29 15:39:16 2013 +0100
34565
34566 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
34567
34568 reiserfs: Fix warning and inode leak when deleting inode with xattrs
34569
34570 After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
34571 started failing to delete xattrs from inode. This was due to a buggy
34572 test for '.' and '..' in fill_with_dentries() which resulted in passing
34573 '.' and '..' entries to lookup_one_len() in some cases. That returned
34574 error and so we failed to iterate over all xattrs of and inode.
34575
34576 Fix the test in fill_with_dentries() along the lines of the one in
34577 lookup_one_len().
34578
34579 Reported-by: Pawel Zawora <pzawora@gmail.com>
34580 CC: stable@vger.kernel.org
34581 Signed-off-by: Jan Kara <jack@suse.cz>
34582
34583 fs/reiserfs/xattr.c | 4 ++--
34584 1 files changed, 2 insertions(+), 2 deletions(-)
34585
34586commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
34587Author: Paul Bolle <pebolle@tiscali.nl>
34588Date: Wed Apr 3 12:24:45 2013 +0100
34589
34590 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
34591
34592 ARM: 7690/1: mm: fix CONFIG_LPAE typos
34593
34594 CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
34595 up the two typos under arch/arm/.
34596
34597 The fix to head.S is slightly scary, but this is just for setting up
34598 an early io-mapping for the serial port when running on a big-endian,
34599 LPAE system. Since these systems don't exist in the wild (at least, I
34600 have no access to one outside of kvmtool, which doesn't provide a serial
34601 port suitable for earlyprintk), then we can revisit the code later if it
34602 causes any problems.
34603
34604 Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
34605 Signed-off-by: Will Deacon <will.deacon@arm.com>
34606 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
34607
34608 arch/arm/kernel/head.S | 2 +-
34609 arch/arm/kernel/setup.c | 2 +-
34610 2 files changed, 2 insertions(+), 2 deletions(-)
34611
34612commit 984ba346b2d8f158473e9723ba145031368431ed
34613Author: Catalin Marinas <catalin.marinas@arm.com>
34614Date: Tue Mar 26 23:35:04 2013 +0100
34615
34616 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
34617
34618 ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
34619
34620 On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
34621 all use of the old entries. This patch implements the erratum workaround
34622 which consists of:
34623
34624 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
34625 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
34626 one being invalidated (or all the online CPUs for global pages).
34627 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
34628 return code already).
34629
34630 Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
34631 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
34632
34633 Conflicts:
34634
34635 arch/arm/include/asm/tlbflush.h
34636 arch/arm/kernel/smp_tlb.c
34637 arch/arm/mm/context.c
34638
34639 arch/arm/Kconfig | 10 +++++
34640 arch/arm/include/asm/highmem.h | 7 ++++
34641 arch/arm/include/asm/mmu_context.h | 2 +
34642 arch/arm/include/asm/tlbflush.h | 15 ++++++++
34643 arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
34644 arch/arm/mm/context.c | 6 ++-
34645 6 files changed, 104 insertions(+), 2 deletions(-)
34646
34647commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
34648Author: Jan Stancek <jstancek@redhat.com>
34649Date: Thu Apr 4 11:35:10 2013 -0700
34650
34651 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
34652
34653 mm: prevent mmap_cache race in find_vma()
34654
34655 find_vma() can be called by multiple threads with read lock
34656 held on mm->mmap_sem and any of them can update mm->mmap_cache.
34657 Prevent compiler from re-fetching mm->mmap_cache, because other
34658 readers could update it in the meantime:
34659
34660 thread 1 thread 2
34661 |
34662 find_vma() | find_vma()
34663 struct vm_area_struct *vma = NULL; |
34664 vma = mm->mmap_cache; |
34665 if (!(vma && vma->vm_end > addr |
34666 && vma->vm_start <= addr)) { |
34667 | mm->mmap_cache = vma;
34668 return vma; |
34669 ^^ compiler may optimize this |
34670 local variable out and re-read |
34671 mm->mmap_cache |
34672
34673 This issue can be reproduced with gcc-4.8.0-1 on s390x by running
34674 mallocstress testcase from LTP, which triggers:
34675
34676 kernel BUG at mm/rmap.c:1088!
34677 Call Trace:
34678 ([<000003d100c57000>] 0x3d100c57000)
34679 [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
34680 [<000000000023baae>] handle_pte_fault+0x41a/0xac8
34681 [<000000000023d832>] handle_mm_fault+0x17a/0x268
34682 [<000000000060507a>] do_protection_exception+0x1e2/0x394
34683 [<0000000000603a04>] pgm_check_handler+0x138/0x13c
34684 [<000003fffcf1f07a>] 0x3fffcf1f07a
34685 Last Breaking-Event-Address:
34686 [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
34687
34688 Thanks to Jakub Jelinek for his insight on gcc and helping to
34689 track this down.
34690
34691 Signed-off-by: Jan Stancek <jstancek@redhat.com>
34692 Acked-by: David Rientjes <rientjes@google.com>
34693 Signed-off-by: Hugh Dickins <hughd@google.com>
34694 Cc: stable@vger.kernel.org
34695 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
34696
34697 mm/mmap.c | 2 +-
34698 mm/nommu.c | 2 +-
34699 2 files changed, 2 insertions(+), 2 deletions(-)
34700
34701commit 53f5096daa14967938bc154e6c41f9119863fb36
34702Merge: e988d7c 0a45285
34703Author: Brad Spengler <spender@grsecurity.net>
34704Date: Fri Apr 5 17:32:31 2013 -0400
34705
34706 Merge branch 'pax-test' into grsec-test
34707
34708 Conflicts:
34709 drivers/net/ethernet/broadcom/tg3.c
34710
34711commit 0a452855444d02502df6eb21ef3083cf303f71e1
34712Merge: 0277fa1 00cfbb8
34713Author: Brad Spengler <spender@grsecurity.net>
34714Date: Fri Apr 5 17:31:15 2013 -0400
34715
34716 Update to pax-linux-3.8.6-test16.patch:
34717 - fixed some attribute leakage into userland headers, patch by Mathias Krause
34718 - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
34719
34720 Merge branch 'linux-3.8.y' into pax-test
34721
34722 Conflicts:
34723 drivers/gpu/drm/i915/intel_display.c
34724
34725commit e988d7c8d946c816a2cb97f0d38048a1584966b8
34726Merge: baec40e 0277fa1
34727Author: Brad Spengler <spender@grsecurity.net>
34728Date: Wed Apr 3 22:05:41 2013 -0400
34729
34730 Merge branch 'pax-test' into grsec-test
34731
34732commit 0277fa123b486cf11420967e4568d7653e225fd3
34733Author: Brad Spengler <spender@grsecurity.net>
34734Date: Wed Apr 3 22:04:48 2013 -0400
34735
34736 Update to pax-linux-3.8.5-test15.patch:
34737 - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
34738 - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
34739
34740 drivers/media/pci/cx88/cx88-video.c | 6 +++---
34741 include/net/net_namespace.h | 4 ++++
34742 2 files changed, 7 insertions(+), 3 deletions(-)
34743
34744commit baec40e6708fd5ae2000cad6c70c5980c998b91c
34745Author: Brad Spengler <spender@grsecurity.net>
34746Date: Tue Apr 2 19:50:32 2013 -0400
34747
34748 fix compilation as reported on forums for gcc versions lacking plugin
34749 support
34750
34751 include/net/net_namespace.h | 4 ++++
34752 1 files changed, 4 insertions(+), 0 deletions(-)
34753
34754commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
34755Merge: 6b69c35 0db9d15
34756Author: Brad Spengler <spender@grsecurity.net>
34757Date: Tue Apr 2 17:47:27 2013 -0400
34758
34759 Merge branch 'pax-test' into grsec-test
34760
34761commit 0db9d156826bdd50510086fde837648a3dfd370e
34762Author: Brad Spengler <spender@grsecurity.net>
34763Date: Tue Apr 2 17:46:05 2013 -0400
34764
34765 Update to pax-linux-3.8.5-test14.patch:
34766 - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
34767
34768 arch/x86/include/asm/uaccess_64.h | 6 +-
34769 include/linux/moduleloader.h | 4 +-
34770 tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
34771 3 files changed, 61 insertions(+), 47 deletions(-)
34772
34773commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
34774Author: Brad Spengler <spender@grsecurity.net>
34775Date: Tue Apr 2 17:35:06 2013 -0400
34776
34777 remove duplicate compiler.h
34778
34779 include/linux/sysrq.h | 1 -
34780 1 files changed, 0 insertions(+), 1 deletions(-)
34781
34782commit 01e1d503fd2220adaaec0b92ea19441bdff73555
34783Author: Brad Spengler <spender@grsecurity.net>
34784Date: Fri Mar 29 19:53:50 2013 -0400
34785
34786 fix intentional_overflow marking on sys_sendto
34787
34788 include/linux/syscalls.h | 2 +-
34789 net/socket.c | 2 +-
34790 2 files changed, 2 insertions(+), 2 deletions(-)
34791
34792commit cd5ff114d958470f471c63775278e8c05e774630
34793Author: Brad Spengler <spender@grsecurity.net>
34794Date: Fri Mar 29 18:46:16 2013 -0400
34795
34796 fix size_overflow false positive
34797
34798 kernel/futex_compat.c | 2 +-
34799 1 files changed, 1 insertions(+), 1 deletions(-)
34800
34801commit 295ba16cc53df2375261accbedd6575ea327770a
34802Merge: 18340f1 278a989
34803Author: Brad Spengler <spender@grsecurity.net>
34804Date: Fri Mar 29 17:36:18 2013 -0400
34805
34806 Merge branch 'pax-test' into grsec-test
34807
34808 Conflicts:
34809 fs/exec.c
34810 include/linux/thread_info.h
34811
34812commit 278a989c831d62193c7b3d119fe2302babd45d12
34813Author: Brad Spengler <spender@grsecurity.net>
34814Date: Fri Mar 29 17:34:34 2013 -0400
34815
34816 Resync with pax-linux-3.8.5-test13.patch
34817
34818 arch/arm/include/asm/pgtable.h | 3 ++-
34819 arch/arm/lib/delay.c | 1 +
34820 fs/exec.c | 8 ++++----
34821 include/linux/compiler.h | 1 +
34822 include/linux/proc_fs.h | 2 +-
34823 include/linux/thread_info.h | 6 +++---
34824 include/linux/zlib.h | 3 ++-
34825 init/main.c | 4 ++--
34826 kernel/user_namespace.c | 2 +-
34827 lib/list_debug.c | 4 ++--
34828 mm/slab.c | 1 +
34829 mm/slob.c | 1 +
34830 mm/slub.c | 1 +
34831 net/core/sysctl_net_core.c | 3 +--
34832 tools/gcc/constify_plugin.c | 1 +
34833 15 files changed, 24 insertions(+), 17 deletions(-)
34834
34835commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
34836Merge: 05f01ae e8cfeae
34837Author: Brad Spengler <spender@grsecurity.net>
34838Date: Fri Mar 29 17:30:57 2013 -0400
34839
34840 Merge branch 'pax-test' into grsec-test
34841
34842commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
34843Merge: b461cb7 aa4cfde
34844Author: Brad Spengler <spender@grsecurity.net>
34845Date: Fri Mar 29 17:30:44 2013 -0400
34846
34847 Merge branch 'linux-3.8.y' into pax-test
34848
34849 Conflicts:
34850 drivers/gpu/drm/i915/i915_gem_execbuffer.c
34851 fs/nfsd/vfs.c
34852
34853commit 05f01ae4c3479541586a2387f916a6620889c479
34854Author: Brad Spengler <spender@grsecurity.net>
34855Date: Fri Mar 29 17:05:39 2013 -0400
34856
34857 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
34858 takes user-provided length, copies up to that amount in a sockaddr_storage
34859 struct on the stack, then takes an upper-bounded-only user-provided length
34860 and copies the sockaddr_storage struct back out to userland, complete with
34861 uninitialized data
34862
34863 net/socket.c | 2 +-
34864 1 files changed, 1 insertions(+), 1 deletions(-)
34865
34866commit eea6ade59490784e83e08ec67322288fcf14cb31
34867Author: Brad Spengler <spender@grsecurity.net>
34868Date: Thu Mar 28 23:07:37 2013 -0400
34869
34870 return a proper error, otherwise we could be accessing uninitialized data
34871 (previous define was a positive value)
34872
34873 drivers/usb/storage/realtek_cr.c | 2 +-
34874 1 files changed, 1 insertions(+), 1 deletions(-)
34875
34876commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
34877Merge: c3dc9a6 b461cb7
34878Author: Brad Spengler <spender@grsecurity.net>
34879Date: Thu Mar 28 20:54:24 2013 -0400
34880
34881 Merge branch 'pax-test' into grsec-test
34882
34883commit b461cb7b1d85490430ef7896c247794af72c3749
34884Author: Brad Spengler <spender@grsecurity.net>
34885Date: Thu Mar 28 20:54:11 2013 -0400
34886
34887 Add structleak plugin
34888
34889 tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
34890 1 files changed, 270 insertions(+), 0 deletions(-)
34891
34892commit c3dc9a6ef10782894bb11fd088fd712db44d8062
34893Author: Brad Spengler <spender@grsecurity.net>
34894Date: Thu Mar 28 20:53:22 2013 -0400
34895
34896 Enable structleak by default for the security auto-config
34897
34898 security/Kconfig | 11 +++++++----
34899 1 files changed, 7 insertions(+), 4 deletions(-)
34900
34901commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
34902Merge: d8503a3 74bec16
34903Author: Brad Spengler <spender@grsecurity.net>
34904Date: Thu Mar 28 20:47:10 2013 -0400
34905
34906 Merge branch 'pax-test' into grsec-test
34907
34908commit 74bec16b657147a5575b1f14f4423a717ba317a6
34909Author: Brad Spengler <spender@grsecurity.net>
34910Date: Thu Mar 28 20:46:13 2013 -0400
34911
34912 Update to pax-linux-3.8.4-test13.patch:
34913 - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
34914 - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
34915
34916 Makefile | 5 +++-
34917 arch/x86/include/asm/compat.h | 2 +-
34918 arch/x86/mm/fault.c | 3 +-
34919 fs/binfmt_elf.c | 2 +-
34920 include/linux/compiler.h | 42 ++++++++++++++--------------------------
34921 security/Kconfig | 16 +++++++++++++++
34922 tools/gcc/Makefile | 2 +
34923 tools/gcc/constify_plugin.c | 7 +++++-
34924 8 files changed, 47 insertions(+), 32 deletions(-)
34925
34926commit d8503a3a35d68b9ba1615d29335aef3f70d51465
34927Author: Brad Spengler <spender@grsecurity.net>
34928Date: Thu Mar 28 20:02:40 2013 -0400
34929
34930 Fix 8-byte stack infoleak in ia32_rt_sigpending
34931 User controls length, kernel only performs check on the upper bound, will
34932 fill in any amount less than sizeof(sigset_t) via a copy_to_user under
34933 KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
34934 regardless of whether the sigset_t content copied into it has been initialized
34935 or not
34936
34937 arch/x86/ia32/sys_ia32.c | 2 +-
34938 1 files changed, 1 insertions(+), 1 deletions(-)
34939
34940commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
34941Author: Brad Spengler <spender@grsecurity.net>
34942Date: Tue Mar 26 21:05:05 2013 -0400
34943
34944 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
34945 Author: J. Bruce Fields <bfields@redhat.com>
34946 Date: Tue Mar 26 14:11:13 2013 -0400
34947
34948 nfsd4: reject "negative" acl lengths
34949
34950 Since we only enforce an upper bound, not a lower bound, a "negative"
34951 length can get through here.
34952
34953 The symptom seen was a warning when we attempt to a kmalloc with an
34954 excessive size.
34955
34956 Reported-by: Toralf Förster <toralf.foerster@gmx.de>
34957 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
34958
34959 fs/nfsd/nfs4xdr.c | 2 +-
34960 1 files changed, 1 insertions(+), 1 deletions(-)
34961
34962commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
34963Author: Jeff Layton <jlayton@redhat.com>
34964Date: Mon Mar 11 09:52:19 2013 -0400
34965
34966 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
34967
34968 cifs: ignore everything in SPNEGO blob after mechTypes
34969
34970 We've had several reports of people attempting to mount Windows 8 shares
34971 and getting failures with a return code of -EINVAL. The default sec=
34972 mode changed recently to sec=ntlmssp. With that, we expect and parse a
34973 SPNEGO blob from the server in the NEGOTIATE reply.
34974
34975 The current decode_negTokenInit function first parses all of the
34976 mechTypes and then tries to parse the rest of the negTokenInit reply.
34977 The parser however currently expects a mechListMIC or nothing to follow the
34978 mechTypes, but Windows 8 puts a mechToken field there instead to carry
34979 some info for the new NegoEx stuff.
34980
34981 In practice, we don't do anything with the fields after the mechTypes
34982 anyway so I don't see any real benefit in continuing to parse them.
34983 This patch just has the kernel ignore the fields after the mechTypes.
34984 We'll probably need to reinstate some of this if we ever want to support
34985 NegoEx.
34986
34987 Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
34988 Reported-by: Yan Li <elliot.li.tech@gmail.com>
34989 Signed-off-by: Jeff Layton <jlayton@redhat.com>
34990 Cc: <stable@vger.kernel.org>
34991 Signed-off-by: Steve French <sfrench@us.ibm.com>
34992
34993 fs/cifs/asn1.c | 53 +++++------------------------------------------------
34994 1 files changed, 5 insertions(+), 48 deletions(-)
34995
34996commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
34997Merge: 93ff726 0deb54c
34998Author: Brad Spengler <spender@grsecurity.net>
34999Date: Mon Mar 25 18:35:15 2013 -0400
35000
35001 Merge branch 'pax-test' into grsec-test
35002
35003commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
35004Author: Brad Spengler <spender@grsecurity.net>
35005Date: Mon Mar 25 18:35:05 2013 -0400
35006
35007 fix typo
35008
35009 arch/x86/mm/ioremap.c | 2 +-
35010 1 files changed, 1 insertions(+), 1 deletions(-)
35011
35012commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
35013Merge: be9f8b8 f95e53a
35014Author: Brad Spengler <spender@grsecurity.net>
35015Date: Mon Mar 25 18:30:06 2013 -0400
35016
35017 Merge branch 'pax-test' into grsec-test
35018
35019commit f95e53abadb6e4665866e4502ff9f518514193e1
35020Author: Brad Spengler <spender@grsecurity.net>
35021Date: Mon Mar 25 18:29:25 2013 -0400
35022
35023 Update to pax-linux-3.8.4-test12.patch:
35024
35025 - fixed perf compilation reported by Michael Tremer
35026 - fixed USERCOPY reports triggered by SCTP, reported by mcp
35027 - last fix for aslr gap accounting, promise (thanks to spender)
35028
35029 arch/x86/mm/ioremap.c | 3 +++
35030 fs/binfmt_elf.c | 5 ++---
35031 mm/mmap.c | 2 +-
35032 net/sctp/socket.c | 19 +++++++++++++++----
35033 tools/perf/util/include/linux/compiler.h | 8 ++++++++
35034 5 files changed, 29 insertions(+), 8 deletions(-)
35035
35036commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
35037Author: Brad Spengler <spender@grsecurity.net>
35038Date: Mon Mar 25 16:48:34 2013 -0400
35039
35040 From: Al Viro <viro@ZenIV.linux.org.uk>
35041 To: Brad Spengler <spender@grsecurity.net>
35042 Cc: Linus Torvalds <torvalds@linux-foundation.org>
35043
35044 Umm... I see what you are describing, and AFAICS you are correct; let me
35045 see if I am misreading your analysis:
35046 * vfsmount_lock may act fair; A holding it shared, with B spinning
35047 on attempt to take it exclusive may lead to C spinning on attempt to take
35048 it shared.
35049 * path_is_under() tries get rename_lock while holding vfsmount_lock
35050 shared.
35051 * d_path() et.al. try to take vfsmount_lock shared, while holding
35052 rename_lock.
35053
35054 All true and yes, it's a bug (I'd probably classify it as a livelock, but
35055 that doesn't make any real difference). There are three possible solutions,
35056 AFAICS:
35057 1) two-liner in path_is_under() replacing the use of vfsmount_lock
35058 with that of namespace_sem; trivial, but results in function unexpectedly
35059 blocking. The current callers are fine with that, but it's a trouble
35060 waiting to happen.
35061 2) replace write_seqlock() in prepend_path() callers with
35062 read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
35063 is_subdir() we need more than just ->d_parent not pointing to something
35064 freed - we also care about ->d_name.len being in sync with ->d_name.name.
35065 It probably can be worked around, but...
35066
35067 3) declare that rename_lock nests inside vfsmount_lock and let
35068 the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
35069 that one...
35070
35071 Nest rename_lock inside vfsmount_lock
35072
35073 ... lest we get livelocks between path_is_under() and d_path() and friends.
35074
35075 [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
35076 the issue ]
35077
35078 Spotted-by: Brad Spengler <spender@grsecurity.net>
35079 Cc: stable@vger.kernel.org
35080 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
35081
35082 fs/dcache.c | 16 +++++++++++-----
35083 grsecurity/gracl.c | 20 ++++++++++----------
35084 2 files changed, 21 insertions(+), 15 deletions(-)
35085
35086commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
35087Author: Linus Torvalds <torvalds@linux-foundation.org>
35088Date: Fri Mar 22 11:44:04 2013 -0700
35089
35090 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
35091
35092 vfs,proc: guarantee unique inodes in /proc
35093
35094 Dave Jones found another /proc issue with his Trinity tool: thanks to
35095 the namespace model, we can have multiple /proc dentries that point to
35096 the same inode, aliasing directories in /proc/<pid>/net/ for example.
35097
35098 This ends up being a total disaster, because it acts like hardlinked
35099 directories, and causes locking problems. We rely on the topological
35100 sort of the inodes pointed to by dentries, and if we have aliased
35101 directories, that odering becomes unreliable.
35102
35103 In short: don't do this. Multiple dentries with the same (directory)
35104 inode is just a bad idea, and the namespace code should never have
35105 exposed things this way. But we're kind of stuck with it.
35106
35107 This solves things by just always allocating a new inode during /proc
35108 dentry lookup, instead of using "iget_locked()" to look up existing
35109 inodes by superblock and number. That actually simplies the code a bit,
35110 at the cost of potentially doing more inode [de]allocations.
35111
35112 That said, the inode lookup wasn't free either (and did a lot of locking
35113 of inodes), so it is probably not that noticeable. We could easily keep
35114 the old lookup model for non-directory entries, but rather than try to
35115 be excessively clever this just implements the minimal and simplest
35116 workaround for the problem.
35117
35118 Reported-and-tested-by: Dave Jones <davej@redhat.com>
35119 Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
35120 Cc: stable@vger.kernel.org
35121 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
35122
35123 Conflicts:
35124
35125 fs/proc/inode.c
35126
35127 fs/proc/inode.c | 9 +++------
35128 1 files changed, 3 insertions(+), 6 deletions(-)
35129
35130commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
35131Author: Vladimir Davydov <vdavydov@parallels.com>
35132Date: Fri Mar 22 15:04:51 2013 -0700
35133
35134 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
35135
35136 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
35137
35138 mnt_drop_write() must be called only if mnt_want_write() succeeded,
35139 otherwise the mnt_writers counter will diverge.
35140
35141 mnt_writers counters are used to check if remounting FS as read-only is
35142 OK, so after an extra mnt_drop_write() call, it would be impossible to
35143 remount mqueue FS as read-only. Besides, on umount a warning would be
35144 printed like this one:
35145
35146 =====================================
35147 [ BUG: bad unlock balance detected! ]
35148 3.9.0-rc3 #5 Not tainted
35149 -------------------------------------
35150 a.out/12486 is trying to release lock (sb_writers) at:
35151 mnt_drop_write+0x1f/0x30
35152 but there are no more locks to release!
35153
35154 Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
35155 Cc: Doug Ledford <dledford@redhat.com>
35156 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
35157 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
35158 Cc: Al Viro <viro@zeniv.linux.org.uk>
35159 Cc: <stable@vger.kernel.org>
35160 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
35161 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
35162
35163 ipc/mqueue.c | 3 ++-
35164 1 files changed, 2 insertions(+), 1 deletions(-)
35165
35166commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
35167Author: Brad Spengler <spender@grsecurity.net>
35168Date: Sat Mar 23 13:02:32 2013 -0400
35169
35170 Don't use constify plugin if not enabled in config,
35171 reported by Alexey Vlasov
35172
35173 Makefile | 2 +-
35174 1 files changed, 1 insertions(+), 1 deletions(-)
35175
35176commit 3afb82e020593249ac394e9859397c3e0ef5341c
35177Author: Brad Spengler <spender@grsecurity.net>
35178Date: Sat Mar 23 12:50:13 2013 -0400
35179
35180 oded 0day #2
35181 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
35182 slide 20
35183
35184 drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
35185 1 files changed, 4 insertions(+), 2 deletions(-)
35186
35187commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
35188Author: Brad Spengler <spender@grsecurity.net>
35189Date: Sat Mar 23 12:15:50 2013 -0400
35190
35191 oded 0day #1
35192 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
35193 slide 18
35194
35195 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
35196 1 files changed, 1 insertions(+), 1 deletions(-)
35197
35198commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
35199Author: Brad Spengler <spender@grsecurity.net>
35200Date: Sat Mar 23 12:13:12 2013 -0400
35201
35202 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
35203
35204 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
35205 1 files changed, 1 insertions(+), 1 deletions(-)
35206
35207commit 44cb11a9470f72157601d0ad4d572d111f90f504
35208Author: Brad Spengler <spender@grsecurity.net>
35209Date: Fri Mar 22 18:11:42 2013 -0400
35210
35211 use VM_DONTDUMP
35212
35213 fs/binfmt_elf.c | 2 +-
35214 1 files changed, 1 insertions(+), 1 deletions(-)
35215
35216commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
35217Author: Brad Spengler <spender@grsecurity.net>
35218Date: Fri Mar 22 17:53:09 2013 -0400
35219
35220 fix recent RLIMIT_AS changes (due to vm_flags typo)
35221
35222 Conflicts:
35223
35224 fs/binfmt_elf.c
35225
35226 fs/binfmt_elf.c | 2 +-
35227 mm/mmap.c | 2 +-
35228 2 files changed, 2 insertions(+), 2 deletions(-)
35229
35230commit fd5f0d92b0fbec02029dad124501a9c80e527a32
35231Author: Brad Spengler <spender@grsecurity.net>
35232Date: Fri Mar 22 17:08:48 2013 -0400
35233
35234 complete_walk drops rcu-walk mode, no need for our own dropping
35235 method outside of generic_permission
35236
35237 fs/namei.c | 30 ------------------------------
35238 1 files changed, 0 insertions(+), 30 deletions(-)
35239
35240commit b49ab1c73edb6442eec609b26bba4d850b3111b6
35241Merge: 5e9a707 783ade9
35242Author: Brad Spengler <spender@grsecurity.net>
35243Date: Thu Mar 21 21:56:28 2013 -0400
35244
35245 Merge branch 'pax-test' into grsec-test
35246
35247commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
35248Author: Brad Spengler <spender@grsecurity.net>
35249Date: Thu Mar 21 21:55:31 2013 -0400
35250
35251 Update to pax-linux-3.8.3-test11.patch:
35252 - rewrote the ASLR gap accounting code once again
35253 - fixed ptrace compat bug found by the size overflow plugin
35254
35255 fs/binfmt_elf.c | 25 ++++++++++++-------------
35256 fs/exec.c | 7 ++-----
35257 include/linux/compat.h | 2 +-
35258 include/linux/mm.h | 5 +++++
35259 include/linux/mm_types.h | 2 +-
35260 kernel/ptrace.c | 2 +-
35261 mm/mmap.c | 15 ++++++++++-----
35262 7 files changed, 32 insertions(+), 26 deletions(-)
35263
35264commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
35265Author: Brad Spengler <spender@grsecurity.net>
35266Date: Thu Mar 21 19:37:33 2013 -0400
35267
35268 Make the constify plugin usage actually depend on the introduced config option
35269 (it was still forced on)
35270
35271 tools/gcc/Makefile | 2 +-
35272 1 files changed, 1 insertions(+), 1 deletions(-)
35273
35274commit 1974b4f58d9d729c80ac1987785446115304a54c
35275Author: Brad Spengler <spender@grsecurity.net>
35276Date: Thu Mar 21 16:12:38 2013 -0400
35277
35278 fix failed merge
35279
35280 arch/arm/mm/fault.c | 15 +++------------
35281 1 files changed, 3 insertions(+), 12 deletions(-)
35282
35283commit 675a8ab4a8fe8315df348735a37a302a7535224c
35284Author: Brad Spengler <spender@grsecurity.net>
35285Date: Wed Mar 20 23:36:14 2013 -0400
35286
35287 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
35288 From: Kees Cook <keescook@chromium.org>
35289 Date: Sun, 10 Mar 2013 20:09:31 +0000
35290 Subject: drm/i915: bounds check execbuffer relocation count
35291
35292 It is possible to wrap the counter used to allocate the buffer for
35293 relocation copies. This could lead to heap writing overflows.
35294
35295 CVE-2013-0913
35296
35297 Signed-off-by: Kees Cook <keescook@chromium.org>
35298 Reported-by: Pinkie Pie
35299 Cc: stable@vger.kernel.org
35300
35301 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
35302 1 files changed, 8 insertions(+), 3 deletions(-)
35303
35304commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
35305Author: Andy Honig <ahonig@google.com>
35306Date: Wed Feb 20 14:48:10 2013 -0800
35307
35308 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
35309
35310 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
35311
35312 There is a potential use after free issue with the handling of
35313 MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
35314 memory such as frame buffers then KVM might continue to write to that
35315 address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
35316 the page in memory so it's unlikely to cause an issue, but if the user
35317 space component re-purposes the memory previously used for the guest, then
35318 the guest will be able to corrupt that memory.
35319
35320 Tested: Tested against kvmclock unit test
35321
35322 Signed-off-by: Andrew Honig <ahonig@google.com>
35323 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
35324
35325 arch/x86/include/asm/kvm_host.h | 4 +-
35326 arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
35327 2 files changed, 22 insertions(+), 29 deletions(-)
35328
35329commit 0bcac31b57c381001feb69fd6ec8069e61e03432
35330Author: Andy Honig <ahonig@google.com>
35331Date: Mon Mar 11 09:34:52 2013 -0700
35332
35333 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
35334
35335 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
35336
35337 If the guest sets the GPA of the time_page so that the request to update the
35338 time straddles a page then KVM will write onto an incorrect page. The
35339 write is done byusing kmap atomic to get a pointer to the page for the time
35340 structure and then performing a memcpy to that page starting at an offset
35341 that the guest controls. Well behaved guests always provide a 32-byte aligned
35342 address, however a malicious guest could use this to corrupt host kernel
35343 memory.
35344
35345 Tested: Tested against kvmclock unit test.
35346
35347 Signed-off-by: Andrew Honig <ahonig@google.com>
35348 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
35349
35350 arch/x86/kvm/x86.c | 5 +++++
35351 1 files changed, 5 insertions(+), 0 deletions(-)
35352
35353commit 695c59887e4ec10b0b695ab4f645d1226c433be0
35354Author: Andy Honig <ahonig@google.com>
35355Date: Wed Feb 20 14:49:16 2013 -0800
35356
35357 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
35358
35359 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
35360
35361 If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
35362 that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
35363 that request. ioapic_read_indirect contains an
35364 ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
35365 non-debug builds. In recent kernels this allows a guest to cause a kernel
35366 oops by reading invalid memory. In older kernels (pre-3.3) this allows a
35367 guest to read from large ranges of host memory.
35368
35369 Tested: tested against apic unit tests.
35370
35371 Signed-off-by: Andrew Honig <ahonig@google.com>
35372 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
35373
35374 virt/kvm/ioapic.c | 7 +++++--
35375 1 files changed, 5 insertions(+), 2 deletions(-)
35376
35377commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
35378Merge: aec3cd4 c522e3a
35379Author: Brad Spengler <spender@grsecurity.net>
35380Date: Wed Mar 20 19:38:25 2013 -0400
35381
35382 Merge branch 'pax-test' into grsec-test
35383
35384commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
35385Merge: c57d855 405acc3
35386Author: Brad Spengler <spender@grsecurity.net>
35387Date: Wed Mar 20 19:38:11 2013 -0400
35388
35389 Merge branch 'linux-3.8.y' into pax-test
35390
35391commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
35392Author: Brad Spengler <spender@grsecurity.net>
35393Date: Tue Mar 19 19:56:04 2013 -0400
35394
35395 include linux/compiler.h
35396
35397 include/linux/zlib.h | 1 +
35398 1 files changed, 1 insertions(+), 0 deletions(-)
35399
35400commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
35401Author: Brad Spengler <spender@grsecurity.net>
35402Date: Tue Mar 19 18:42:20 2013 -0400
35403
35404 fix missing sock_release()
35405
35406 net/irda/af_irda.c | 6 ++++--
35407 1 files changed, 4 insertions(+), 2 deletions(-)
35408
35409commit dd65c05cd24faf8946d4941434a553ee285c35a3
35410Author: Brad Spengler <spender@grsecurity.net>
35411Date: Tue Mar 19 18:36:17 2013 -0400
35412
35413 fix mpt fusion infoleak
35414
35415 drivers/message/fusion/mptbase.c | 4 ++++
35416 1 files changed, 4 insertions(+), 0 deletions(-)
35417
35418commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
35419Author: Brad Spengler <spender@grsecurity.net>
35420Date: Tue Mar 19 18:33:45 2013 -0400
35421
35422 Fix size_overflow false positive reported by slashbeast
35423
35424 include/linux/zlib.h | 2 +-
35425 1 files changed, 1 insertions(+), 1 deletions(-)
35426
35427commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
35428Author: Brad Spengler <spender@grsecurity.net>
35429Date: Tue Mar 19 17:35:36 2013 -0400
35430
35431 fix up failed merge
35432
35433 arch/arm/mm/fault.c | 9 ++-------
35434 1 files changed, 2 insertions(+), 7 deletions(-)
35435
35436commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
35437Author: Brad Spengler <spender@grsecurity.net>
35438Date: Tue Mar 19 17:34:36 2013 -0400
35439
35440 update documentation on consequences of building without gcc plugin support
35441
35442 Makefile | 2 +-
35443 1 files changed, 1 insertions(+), 1 deletions(-)
35444
35445commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
35446Author: Brad Spengler <spender@grsecurity.net>
35447Date: Tue Mar 19 17:18:13 2013 -0400
35448
35449 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
35450
35451 init/main.c | 4 ++--
35452 1 files changed, 2 insertions(+), 2 deletions(-)
35453
35454commit f00195c633f91cfbd8c1f530d2c371b713026e20
35455Author: Brad Spengler <spender@grsecurity.net>
35456Date: Mon Mar 18 22:27:33 2013 -0400
35457
35458 Fix compile error reported by KDE on the forums
35459
35460 kernel/user_namespace.c | 2 +-
35461 1 files changed, 1 insertions(+), 1 deletions(-)
35462
35463commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
35464Merge: 0949569 c57d855
35465Author: Brad Spengler <spender@grsecurity.net>
35466Date: Mon Mar 18 22:20:46 2013 -0400
35467
35468 Merge branch 'pax-test' into grsec-test
35469
35470 Conflicts:
35471 arch/arm/mm/fault.c
35472 arch/x86/mm/fault.c
35473 fs/exec.c
35474
35475commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
35476Author: Brad Spengler <spender@grsecurity.net>
35477Date: Mon Mar 18 21:22:03 2013 -0400
35478
35479 Update to pax-linux-3.8.2-test9.patch:
35480 arm changes from spender
35481 - removed userland access to the vectors page
35482 - removed obsolete sigreturn trampoline handling
35483 - added emulation for __kuser_get_tls
35484 - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
35485 - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
35486 - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
35487 - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
35488 - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
35489 - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
35490 and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
35491
35492 arch/arm/kernel/process.c | 5 +-
35493 arch/arm/kernel/signal.c | 24 +-
35494 arch/arm/kernel/traps.c | 7 -
35495 arch/arm/mm/alignment.c | 8 +
35496 arch/arm/mm/fault.c | 23 +-
35497 arch/arm/mm/mmu.c | 2 +-
35498 arch/x86/include/asm/bitops.h | 2 +-
35499 arch/x86/include/asm/desc.h | 2 +-
35500 arch/x86/include/asm/div64.h | 2 +-
35501 arch/x86/include/asm/io.h | 8 +-
35502 arch/x86/include/asm/paravirt.h | 2 +-
35503 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
35504 arch/x86/kernel/setup_percpu.c | 2 +-
35505 arch/x86/mm/fault.c | 4 +-
35506 arch/x86/mm/numa.c | 2 +-
35507 arch/x86/mm/physaddr.c | 4 +-
35508 drivers/ata/libahci.c | 2 +-
35509 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
35510 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
35511 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
35512 drivers/lguest/page_tables.c | 2 +-
35513 drivers/net/wireless/at76c50x-usb.c | 2 +-
35514 drivers/oprofile/oprofile_files.c | 2 +-
35515 drivers/power/power_supply_core.c | 1 +
35516 drivers/usb/core/message.c | 2 +-
35517 fs/befs/endian.h | 4 +-
35518 fs/binfmt_elf.c | 5 +-
35519 fs/exec.c | 4 +-
35520 fs/qnx6/qnx6.h | 4 +-
35521 fs/sysv/sysv.h | 2 +-
35522 fs/ubifs/io.c | 2 +-
35523 fs/ufs/swab.h | 4 +-
35524 include/linux/compat.h | 4 +-
35525 include/linux/completion.h | 6 +-
35526 include/linux/cpumask.h | 12 +-
35527 include/linux/ctype.h | 2 +-
35528 include/linux/err.h | 4 +-
35529 include/linux/math64.h | 6 +-
35530 include/linux/sched.h | 2 +-
35531 include/linux/unaligned/access_ok.h | 12 +-
35532 include/linux/usb.h | 2 +-
35533 include/uapi/linux/byteorder/little_endian.h | 4 +-
35534 include/uapi/linux/swab.h | 6 +-
35535 kernel/sched/core.c | 6 +-
35536 kernel/signal.c | 3 +
35537 kernel/time.c | 2 +-
35538 kernel/timer.c | 2 +-
35539 lib/div64.c | 4 +-
35540 mm/page-writeback.c | 2 +-
35541 net/socket.c | 2 +
35542 scripts/package/builddeb | 1 +
35543 tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
35544 tools/gcc/size_overflow_plugin.c | 1072 ++--
35545 53 files changed, 6227 insertions(+), 3951 deletions(-)
35546
35547commit 09495691bb31f11ec14d9127429f9a0f3f716f22
35548Author: Brad Spengler <spender@grsecurity.net>
35549Date: Sun Mar 17 20:51:50 2013 -0400
35550
35551 fix typo
35552
35553 grsecurity/gracl.c | 2 +-
35554 1 files changed, 1 insertions(+), 1 deletions(-)
35555
35556commit deb85b00d0f9f886e264e116313f298401ec5c59
35557Author: Brad Spengler <spender@grsecurity.net>
35558Date: Sun Mar 17 20:03:33 2013 -0400
35559
35560 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
35561 with a subject applied to it with RES_CPU. Otherwise, the limit will only
35562 begin to be applied at fork time.
35563
35564 Thanks to Bjornar Ness for the report.
35565
35566 grsecurity/gracl.c | 4 ++++
35567 1 files changed, 4 insertions(+), 0 deletions(-)
35568
35569commit 2126421f123513f604ceef2b23ba9ed516de7e58
35570Author: Brad Spengler <spender@grsecurity.net>
35571Date: Sat Mar 16 22:07:43 2013 -0400
35572
35573 Move inode auditing prior to our refcnt dropping
35574
35575 fs/namei.c | 2 +-
35576 1 files changed, 1 insertions(+), 1 deletions(-)
35577
35578commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
35579Author: Brad Spengler <spender@grsecurity.net>
35580Date: Sat Mar 16 22:00:30 2013 -0400
35581
35582 Drop reference on completed path walked in RCU mode or when violating
35583 the chroot fchdir check inside a chroot -- possible culprit for a reported
35584 vfsmount_lock hang during unmount
35585
35586 fs/namei.c | 8 ++++++--
35587 1 files changed, 6 insertions(+), 2 deletions(-)
35588
35589commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
35590Author: Brad Spengler <spender@grsecurity.net>
35591Date: Sat Mar 16 16:43:45 2013 -0400
35592
35593 add user_arg_ptr back to exec.c
35594
35595 fs/exec.c | 12 ++++++++++++
35596 1 files changed, 12 insertions(+), 0 deletions(-)
35597
35598commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
35599Author: Brad Spengler <spender@grsecurity.net>
35600Date: Sat Mar 16 11:22:36 2013 -0400
35601
35602 Don't globally include compat.h -- with the new X32 support it
35603 changes some definitions involving ELF binaries resulting in invalid
35604 coredumps, as reported by KDE on the forums:
35605 http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
35606 Thanks to the PaX Team for debugging
35607
35608 fs/exec.c | 3 +++
35609 grsecurity/grsec_exec.c | 13 +++++++++++++
35610 include/linux/grsecurity.h | 15 ---------------
35611 3 files changed, 16 insertions(+), 15 deletions(-)
35612
35613commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
35614Author: Brad Spengler <spender@grsecurity.net>
35615Date: Thu Mar 14 20:59:26 2013 -0400
35616
35617 Add peer information to /proc/net/unix from Kenan Kalajdzic:
35618 http://marc.info/?l=linux-netdev&m=126745636809191&w=2
35619
35620 We use a "P" prefix to the inode number instead of "peer=". This
35621 additional information can be used, for instance, to find what processes
35622 are connected to MySQL's unix domain socket.
35623
35624 net/unix/af_unix.c | 12 +++++++++---
35625 1 files changed, 9 insertions(+), 3 deletions(-)
35626
35627commit 1cd623d11a462d151ea8a5cace4521e1724911a3
35628Author: Oliver Neukum <oneukum@suse.de>
35629Date: Tue Mar 12 14:52:42 2013 +0100
35630
35631 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
35632
35633 USB: cdc-wdm: fix buffer overflow
35634
35635 The buffer for responses must not overflow.
35636 If this would happen, set a flag, drop the data and return
35637 an error after user space has read all remaining data.
35638
35639 Signed-off-by: Oliver Neukum <oliver@neukum.org>
35640 CC: stable@kernel.org
35641 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
35642
35643 drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
35644 1 files changed, 20 insertions(+), 3 deletions(-)
35645
35646commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
35647Merge: 9cdf9bc db4cb92
35648Author: Brad Spengler <spender@grsecurity.net>
35649Date: Thu Mar 14 20:23:14 2013 -0400
35650
35651 Merge branch 'pax-test' into grsec-test
35652
35653 Conflicts:
35654 security/keys/compat.c
35655
35656commit db4cb924546e3fec3a59f78d056f48176eaf7100
35657Author: Brad Spengler <spender@grsecurity.net>
35658Date: Thu Mar 14 20:22:24 2013 -0400
35659
35660 Update to pax-linux-3.8.2-test8.patch
35661
35662 arch/arm/include/asm/cache.h | 2 ++
35663 arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
35664 arch/arm/mach-omap2/omap_device.c | 4 ++--
35665 arch/arm/mach-omap2/omap_device.h | 4 ++--
35666 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
35667 5 files changed, 19 insertions(+), 15 deletions(-)
35668
35669commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
35670Merge: 3c865f9 1a45c31
35671Author: Brad Spengler <spender@grsecurity.net>
35672Date: Thu Mar 14 20:20:54 2013 -0400
35673
35674 Merge branch 'linux-3.8.y' into pax-test
35675
35676 Conflicts:
35677 arch/arm/include/asm/delay.h
35678 arch/arm/include/asm/pgtable.h
35679 arch/arm/lib/delay.c
35680 security/keys/compat.c
35681
35682commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
35683Author: Al Viro <viro@ZenIV.linux.org.uk>
35684Date: Tue Mar 12 02:59:49 2013 +0000
35685
35686 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
35687
35688 vfs: fix pipe counter breakage
35689
35690 If you open a pipe for neither read nor write, the pipe code will not
35691 add any usage counters to the pipe, causing the 'struct pipe_inode_info"
35692 to be potentially released early.
35693
35694 That doesn't normally matter, since you cannot actually use the pipe,
35695 but the pipe release code - particularly fasync handling - still expects
35696 the actual pipe infrastructure to all be there. And rather than adding
35697 NULL pointer checks, let's just disallow this case, the same way we
35698 already do for the named pipe ("fifo") case.
35699
35700 This is ancient going back to pre-2.4 days, and until trinity, nobody
35701 naver noticed.
35702
35703 Reported-by: Dave Jones <davej@redhat.com>
35704 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
35705
35706 fs/pipe.c | 3 +++
35707 1 files changed, 3 insertions(+), 0 deletions(-)
35708
35709commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
35710Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
35711Date: Mon Feb 25 10:20:36 2013 -0500
35712
35713 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
35714
35715 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
35716
35717 Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
35718 compat_process_vm_rw() shows that the compatibility code requires an
35719 explicit "access_ok()" check before calling
35720 compat_rw_copy_check_uvector(). The same difference seems to appear when
35721 we compare fs/read_write.c:do_readv_writev() to
35722 fs/compat.c:compat_do_readv_writev().
35723
35724 This subtle difference between the compat and non-compat requirements
35725 should probably be debated, as it seems to be error-prone. In fact,
35726 there are two others sites that use this function in the Linux kernel,
35727 and they both seem to get it wrong:
35728
35729 Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
35730 also ends up calling compat_rw_copy_check_uvector() through
35731 aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
35732 be missing. Same situation for
35733 security/keys/compat.c:compat_keyctl_instantiate_key_iov().
35734
35735 I propose that we add the access_ok() check directly into
35736 compat_rw_copy_check_uvector(), so callers don't have to worry about it,
35737 and it therefore makes the compat call code similar to its non-compat
35738 counterpart. Place the access_ok() check in the same location where
35739 copy_from_user() can trigger a -EFAULT error in the non-compat code, so
35740 the ABI behaviors are alike on both compat and non-compat.
35741
35742 While we are here, fix compat_do_readv_writev() so it checks for
35743 compat_rw_copy_check_uvector() negative return values.
35744
35745 And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
35746 handling.
35747
35748 Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
35749 Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
35750 Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
35751 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
35752
35753 Conflicts:
35754
35755 security/keys/compat.c
35756
35757 fs/compat.c | 15 +++++++--------
35758 mm/process_vm_access.c | 8 --------
35759 security/keys/compat.c | 3 ++-
35760 3 files changed, 9 insertions(+), 17 deletions(-)
35761
35762commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
35763Author: Brad Spengler <spender@grsecurity.net>
35764Date: Mon Mar 11 18:38:38 2013 -0400
35765
35766 Fix leak of signal handler addresses across execve, found by Emese Revfy
35767
35768 kernel/signal.c | 3 +++
35769 1 files changed, 3 insertions(+), 0 deletions(-)
35770
35771commit 79b130c4b11c7940daf2b33d653a17666331c634
35772Merge: 6480ce9 3c865f9
35773Author: Brad Spengler <spender@grsecurity.net>
35774Date: Sun Mar 10 20:04:03 2013 -0400
35775
35776 Merge branch 'pax-test' into grsec-test
35777
35778commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
35779Author: Brad Spengler <spender@grsecurity.net>
35780Date: Sun Mar 10 20:03:12 2013 -0400
35781
35782 Update to pax-linux-3.8.2-test7.patch:
35783 - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
35784 - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
35785
35786 fs/binfmt_elf.c | 3 ++-
35787 fs/exec.c | 3 +++
35788 include/linux/mm_types.h | 2 +-
35789 init/main.c | 4 ++--
35790 mm/mmap.c | 2 +-
35791 mm/page_alloc.c | 4 ++--
35792 tools/gcc/latent_entropy_plugin.c | 11 +++++++----
35793 7 files changed, 18 insertions(+), 11 deletions(-)
35794
35795commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
35796Merge: 4a5305e 25b3569
35797Author: Brad Spengler <spender@grsecurity.net>
35798Date: Sun Mar 10 10:41:16 2013 -0400
35799
35800 Merge branch 'pax-test' into grsec-test
35801
35802commit 25b356980568bed9958315bb5a551fdc610055ed
35803Author: Brad Spengler <spender@grsecurity.net>
35804Date: Sun Mar 10 10:40:48 2013 -0400
35805
35806 Update to pax-linux-3.8.2-test6.patch:
35807 - fixed a KERNEXEC false positive on arm reported by Gu1
35808 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
35809 - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
35810 - added fix from spender for some namespace breakage reported by zakalwe
35811 - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
35812
35813 Documentation/kernel-parameters.txt | 5 +++++
35814 arch/arm/kernel/patch.c | 2 ++
35815 arch/x86/kernel/sys_i386_32.c | 5 +++--
35816 drivers/acpi/blacklist.c | 2 +-
35817 drivers/video/aty/mach64_cursor.c | 1 +
35818 init/main.c | 4 ----
35819 mm/page_alloc.c | 27 +++++++++++++++++++++++++++
35820 net/ipv4/ip_fragment.c | 2 +-
35821 security/Kconfig | 5 +++++
35822 tools/gcc/latent_entropy_plugin.c | 7 +++++--
35823 10 files changed, 50 insertions(+), 10 deletions(-)
35824
35825commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
35826Author: Brad Spengler <spender@grsecurity.net>
35827Date: Sat Mar 9 11:19:06 2013 -0500
35828
35829 From: Mathias Krause <minipli@googlemail.com>
35830 To: "David S. Miller" <davem@davemloft.net>
35831 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
35832 Stephen Hemminger <stephen@networkplumber.org>
35833 Subject: [PATCH 1/3] bridge: fix mdb info leaks
35834 Date: Sat, 9 Mar 2013 16:52:19 +0100
35835
35836 The bridging code discloses heap and stack bytes via the RTM_GETMDB
35837 netlink interface and via the notify messages send to group RTNLGRP_MDB
35838 afer a successful add/del.
35839
35840 Fix both cases by initializing all unset members/padding bytes with
35841 memset(0).
35842
35843 Cc: Stephen Hemminger <stephen@networkplumber.org>
35844 Signed-off-by: Mathias Krause <minipli@googlemail.com>
35845
35846 From: Mathias Krause <minipli@googlemail.com>
35847 To: "David S. Miller" <davem@davemloft.net>
35848 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
35849 Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
35850 Date: Sat, 9 Mar 2013 16:52:20 +0100
35851
35852 Initialize the mac address buffer with 0 as the driver specific function
35853 will probably not fill the whole buffer. In fact, all in-kernel drivers
35854 fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
35855 bytes. Therefore we currently leak 26 bytes of stack memory to userland
35856 via the netlink interface.
35857
35858 Signed-off-by: Mathias Krause <minipli@googlemail.com>
35859
35860 From: Mathias Krause <minipli@googlemail.com>
35861 To: "David S. Miller" <davem@davemloft.net>
35862 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
35863 Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
35864 Date: Sat, 9 Mar 2013 16:52:21 +0100
35865
35866 The dcb netlink interface leaks stack memory in various places:
35867 * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
35868 copied completely,
35869 * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
35870 so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
35871 for ieee_pfc structs, etc.,
35872 * the same is true for CEE -- no in-kernel driver fills the whole
35873 struct,
35874
35875 Prevent all of the above stack info leaks by properly initializing the
35876 buffers/structures involved.
35877
35878 Signed-off-by: Mathias Krause <minipli@googlemail.com>
35879
35880 net/bridge/br_mdb.c | 4 ++++
35881 net/core/rtnetlink.c | 1 +
35882 net/dcb/dcbnl.c | 8 ++++++++
35883 3 files changed, 13 insertions(+), 0 deletions(-)
35884
35885commit 601dd446f896e3a362f706943df18a68d50420a1
35886Author: Brad Spengler <spender@grsecurity.net>
35887Date: Sat Mar 9 09:35:25 2013 -0500
35888
35889 add open/close wrappers in __patch_text() as reported by Gu1 on IRC
35890
35891 arch/arm/kernel/patch.c | 2 ++
35892 1 files changed, 2 insertions(+), 0 deletions(-)
35893
35894commit ae39966fd85a493e9079b357e3faa62245a41222
35895Author: Peter Hurley <peter@hurleysoftware.com>
35896Date: Fri Mar 8 12:43:27 2013 -0800
35897
35898 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
35899
35900 ipc: don't allocate a copy larger than max
35901
35902 When MSG_COPY is set, a duplicate message must be allocated for the copy
35903 before locking the queue. However, the copy could not be larger than was
35904 sent which is limited to msg_ctlmax.
35905
35906 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
35907 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
35908 Cc: <stable@vger.kernel.org>
35909 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
35910 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
35911
35912 ipc/msg.c | 6 ++++--
35913 1 files changed, 4 insertions(+), 2 deletions(-)
35914
35915commit 61240e99650ea3e540a03a3e994349c5086f166b
35916Author: Peter Hurley <peter@hurleysoftware.com>
35917Date: Fri Mar 8 12:43:26 2013 -0800
35918
35919 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
35920
35921 ipc: fix potential oops when src msg > 4k w/ MSG_COPY
35922
35923 If the src msg is > 4k, then dest->next points to the
35924 next allocated segment; resetting it just prior to dereferencing
35925 is bad.
35926
35927 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
35928 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
35929 Cc: <stable@vger.kernel.org>
35930 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
35931 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
35932
35933 ipc/msgutil.c | 3 ---
35934 1 files changed, 0 insertions(+), 3 deletions(-)
35935
35936commit 51727f602a267f34fb2e0dc9557f1714028d51a2
35937Author: Brad Spengler <spender@grsecurity.net>
35938Date: Fri Mar 8 22:14:06 2013 -0500
35939
35940 add missing 'else' in recent constify fixups
35941
35942 net/ipv4/ip_fragment.c | 2 +-
35943 1 files changed, 1 insertions(+), 1 deletions(-)
35944
35945commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
35946Merge: 1580bb3 47c3f47
35947Author: Brad Spengler <spender@grsecurity.net>
35948Date: Fri Mar 8 18:18:37 2013 -0500
35949
35950 Merge branch 'pax-test' into grsec-test
35951
35952commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
35953Author: Brad Spengler <spender@grsecurity.net>
35954Date: Fri Mar 8 18:17:22 2013 -0500
35955
35956 Update to pax-linux-3.8.2-test5.patch:
35957 - fixed some fallout after the last round of constification changes, reported by several people
35958
35959 arch/arm/common/gic.c | 4 ++--
35960 arch/arm/include/asm/hardware/gic.h | 3 ++-
35961 arch/x86/include/asm/nmi.h | 2 +-
35962 arch/x86/kernel/nmi.c | 2 +-
35963 arch/x86/pci/irq.c | 2 +-
35964 drivers/base/power/domain.c | 4 ++--
35965 drivers/cpufreq/cpufreq_governor.c | 4 ++--
35966 drivers/mfd/twl4030-irq.c | 1 +
35967 drivers/video/vesafb.c | 7 +++++--
35968 include/linux/irq.h | 1 +
35969 include/linux/pm_domain.h | 2 +-
35970 kernel/sched/core.c | 4 ++++
35971 lib/Kconfig.debug | 4 ++--
35972 net/core/sysctl_net_core.c | 2 +-
35973 net/decnet/af_decnet.c | 1 +
35974 net/ipv4/devinet.c | 2 +-
35975 net/ipv4/ip_fragment.c | 2 +-
35976 net/ipv4/route.c | 2 +-
35977 net/ipv4/sysctl_net_ipv4.c | 2 +-
35978 net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
35979 net/ipv6/reassembly.c | 2 +-
35980 scripts/sortextable.h | 6 +++---
35981 22 files changed, 36 insertions(+), 25 deletions(-)
35982
35983commit 1580bb38b4db0bf2a46316599815e8b234edad81
35984Author: Brad Spengler <spender@grsecurity.net>
35985Date: Thu Mar 7 22:02:59 2013 -0500
35986
35987 add an additional open/close wrapper
35988
35989 kernel/sched/core.c | 2 ++
35990 1 files changed, 2 insertions(+), 0 deletions(-)
35991
35992commit 21622672d28d58e0d93a805cd1f9650a894a752a
35993Author: Brad Spengler <spender@grsecurity.net>
35994Date: Thu Mar 7 21:58:24 2013 -0500
35995
35996 fix oops at shutdown with new constify code
35997
35998 kernel/sched/core.c | 2 ++
35999 1 files changed, 2 insertions(+), 0 deletions(-)
36000
36001commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
36002Author: Brad Spengler <spender@grsecurity.net>
36003Date: Thu Mar 7 21:18:44 2013 -0500
36004
36005 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
36006 it currently conflicts with some lock debugging options, so made as an
36007 option to allow for debugging when necessary
36008
36009 Makefile | 2 --
36010 lib/Kconfig.debug | 6 +++---
36011 security/Kconfig | 18 ++++++++++++++++++
36012 3 files changed, 21 insertions(+), 5 deletions(-)
36013
36014commit 0885b00b8373a1597b69c38032a0c9eee279303b
36015Author: Brad Spengler <spender@grsecurity.net>
36016Date: Thu Mar 7 20:55:19 2013 -0500
36017
36018 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
36019
36020 lib/Kconfig.debug | 2 +-
36021 1 files changed, 1 insertions(+), 1 deletions(-)
36022
36023commit c8a2617165e7127a54f293cbf57d22d50dd83abd
36024Author: Brad Spengler <spender@grsecurity.net>
36025Date: Thu Mar 7 20:30:41 2013 -0500
36026
36027 Fix error:
36028 drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
36029 with cast and proper kernexec accessors
36030
36031 drivers/video/vesafb.c | 7 +++++--
36032 1 files changed, 5 insertions(+), 2 deletions(-)
36033
36034commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
36035Author: Brad Spengler <spender@grsecurity.net>
36036Date: Thu Mar 7 20:20:28 2013 -0500
36037
36038 fix typo
36039
36040 grsecurity/gracl.c | 2 +-
36041 1 files changed, 1 insertions(+), 1 deletions(-)
36042
36043commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
36044Author: Brad Spengler <spender@grsecurity.net>
36045Date: Thu Mar 7 20:12:17 2013 -0500
36046
36047 fix compilation error -- no reason for task_pid_nr to not take a const task ptr
36048
36049 include/linux/sched.h | 2 +-
36050 1 files changed, 1 insertions(+), 1 deletions(-)
36051
36052commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
36053Author: Kees Cook <keescook@chromium.org>
36054Date: Mon Feb 25 21:32:25 2013 +0000
36055
36056 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
36057
36058 proc connector: reject unprivileged listener bumps
36059
36060 While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
36061 for an unprivileged user to turn off notifications for all listeners by
36062 sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
36063 required for a multicast bind.
36064
36065 Signed-off-by: Kees Cook <keescook@chromium.org>
36066 Cc: Evgeniy Polyakov <zbr@ioremap.net>
36067 Cc: Matt Helsley <matthltc@us.ibm.com>
36068 Cc: stable@vger.kernel.org
36069 Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
36070 Acked-by: Matt Helsley <matthltc@us.ibm.com>
36071 Signed-off-by: David S. Miller <davem@davemloft.net>
36072
36073 drivers/connector/cn_proc.c | 8 ++++++++
36074 1 files changed, 8 insertions(+), 0 deletions(-)
36075
36076commit ac6014ded57101e3e608941555ff507e20c1ece3
36077Author: Dan Carpenter <dan.carpenter@oracle.com>
36078Date: Tue Feb 26 19:15:02 2013 +0000
36079
36080 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
36081
36082 irda: small read beyond end of array in debug code
36083
36084 charset comes from skb->data. It's a number in the 0-255 range.
36085 If we have debugging turned on then this could cause a read beyond
36086 the end of the array.
36087
36088 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
36089 Signed-off-by: David S. Miller <davem@davemloft.net>
36090
36091 net/irda/iriap.c | 7 +++++--
36092 1 files changed, 5 insertions(+), 2 deletions(-)
36093
36094commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
36095Author: Guenter Roeck <linux@roeck-us.net>
36096Date: Wed Feb 27 10:57:31 2013 +0000
36097
36098 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
36099
36100 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
36101
36102 Building sctp may fail with:
36103
36104 In function ‘copy_from_user’,
36105 inlined from ‘sctp_getsockopt_assoc_stats’ at
36106 net/sctp/socket.c:5656:20:
36107 arch/x86/include/asm/uaccess_32.h:211:26: error: call to
36108 ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
36109 buffer size is not provably correct
36110
36111 if built with W=1 due to a missing parameter size validation
36112 before the call to copy_from_user.
36113
36114 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
36115 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
36116 Signed-off-by: David S. Miller <davem@davemloft.net>
36117
36118 net/sctp/socket.c | 6 +++---
36119 1 files changed, 3 insertions(+), 3 deletions(-)
36120
36121commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
36122Author: Guillaume Nault <g.nault@alphalink.fr>
36123Date: Fri Mar 1 05:02:02 2013 +0000
36124
36125 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
36126
36127 l2tp: Restore socket refcount when sendmsg succeeds
36128
36129 The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
36130 reference counter after successful transmissions. Any successful
36131 sendmsg() call from userspace will then increase the reference counter
36132 forever, thus preventing the kernel's session and tunnel data from
36133 being freed later on.
36134
36135 The problem only happens when writing directly on L2TP sockets.
36136 PPP sockets attached to L2TP are unaffected as the PPP subsystem
36137 uses pppol2tp_xmit() which symmetrically increase/decrease reference
36138 counters.
36139
36140 This patch adds the missing call to sock_put() before returning from
36141 pppol2tp_sendmsg().
36142
36143 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
36144 Signed-off-by: David S. Miller <davem@davemloft.net>
36145
36146 net/l2tp/l2tp_ppp.c | 1 +
36147 1 files changed, 1 insertions(+), 0 deletions(-)
36148
36149commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
36150Author: Cong Wang <amwang@redhat.com>
36151Date: Sun Mar 3 16:18:11 2013 +0000
36152
36153 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
36154
36155 rds: limit the size allocated by rds_message_alloc()
36156
36157 Dave Jones reported the following bug:
36158
36159 "When fed mangled socket data, rds will trust what userspace gives it,
36160 and tries to allocate enormous amounts of memory larger than what
36161 kmalloc can satisfy."
36162
36163 WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
36164 Hardware name: GA-MA78GM-S2H
36165 Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
36166 Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
36167 Call Trace:
36168 [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
36169 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
36170 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
36171 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
36172 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
36173 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
36174 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
36175 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
36176 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
36177 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
36178 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
36179 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
36180 [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
36181 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
36182 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
36183 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
36184 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
36185 [<ffffffff81567f30>] sys_sendto+0x130/0x180
36186 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
36187 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
36188 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
36189 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
36190 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
36191 [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
36192 ---[ end trace eed6ae990d018c8b ]---
36193
36194 Reported-by: Dave Jones <davej@redhat.com>
36195 Cc: Dave Jones <davej@redhat.com>
36196 Cc: David S. Miller <davem@davemloft.net>
36197 Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
36198 Signed-off-by: Cong Wang <amwang@redhat.com>
36199 Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
36200 Signed-off-by: David S. Miller <davem@davemloft.net>
36201
36202 net/rds/message.c | 3 +++
36203 1 files changed, 3 insertions(+), 0 deletions(-)
36204
36205commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
36206Author: Cong Wang <amwang@redhat.com>
36207Date: Sun Mar 3 16:28:27 2013 +0000
36208
36209 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
36210
36211 sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
36212
36213 Don't definite its own MAX_KMALLOC_SIZE, use the one
36214 defined in mm.
36215
36216 Cc: Vlad Yasevich <vyasevich@gmail.com>
36217 Cc: Sridhar Samudrala <sri@us.ibm.com>
36218 Cc: Neil Horman <nhorman@tuxdriver.com>
36219 Cc: David S. Miller <davem@davemloft.net>
36220 Signed-off-by: Cong Wang <amwang@redhat.com>
36221 Acked-by: Neil Horman <nhorman@tuxdriver.com>
36222 Signed-off-by: David S. Miller <davem@davemloft.net>
36223
36224 net/sctp/ssnmap.c | 8 +++-----
36225 1 files changed, 3 insertions(+), 5 deletions(-)
36226
36227commit 4295a024e812f903fc580c81de5e81cc149503fa
36228Author: Brad Spengler <spender@grsecurity.net>
36229Date: Thu Mar 7 17:57:49 2013 -0500
36230
36231 Upstream commit: https://lkml.org/lkml/2013/3/6/535
36232
36233 security/keys/process_keys.c | 2 +-
36234 1 files changed, 1 insertions(+), 1 deletions(-)
36235
36236commit 33edd486a9899a145a15586d7134636b0300aaee
36237Merge: 4eeeaf3 a2a2094
36238Author: Brad Spengler <spender@grsecurity.net>
36239Date: Thu Mar 7 17:53:00 2013 -0500
36240
36241 Merge branch 'pax-test' into grsec-test
36242
36243 Conflicts:
36244 arch/arm/include/asm/domain.h
36245
36246commit a2a20947f5e1332e474160a39af520738b3c8c19
36247Author: Brad Spengler <spender@grsecurity.net>
36248Date: Thu Mar 7 17:51:04 2013 -0500
36249
36250 Update to pax-linux-3.8.2-test4.patch:
36251 fixed arm compilation problems reported by Michael Tremer
36252 - the constify plugin got smarter that enabled, with some additional patching,
36253 the elimination of about half the static function pointers on amd64/allmod
36254 (up from about 18%), depending on the kernel config it can be even more (70%)
36255
36256 Documentation/dontdiff | 2 +
36257 arch/arm/include/asm/domain.h | 1 +
36258 arch/x86/include/asm/i8259.h | 2 +-
36259 arch/x86/include/asm/nmi.h | 4 +-
36260 arch/x86/kernel/acpi/boot.c | 4 +-
36261 arch/x86/kernel/apic/apic_noop.c | 2 +-
36262 arch/x86/kernel/apic/es7000_32.c | 2 +-
36263 arch/x86/kernel/apic/io_apic.c | 10 +-
36264 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
36265 arch/x86/kernel/cpu/perf_event.c | 6 +-
36266 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
36267 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
36268 arch/x86/kernel/i8259.c | 6 +-
36269 arch/x86/kernel/io_delay.c | 2 +-
36270 arch/x86/kernel/nmi.c | 6 +-
36271 arch/x86/kernel/nmi_selftest.c | 4 +-
36272 arch/x86/kernel/pci-swiotlb.c | 2 +-
36273 arch/x86/oprofile/nmi_int.c | 8 +-
36274 arch/x86/oprofile/op_model_amd.c | 8 +-
36275 arch/x86/oprofile/op_model_ppro.c | 7 +-
36276 arch/x86/oprofile/op_x86_model.h | 2 +-
36277 arch/x86/pci/irq.c | 6 +-
36278 drivers/acpi/apei/apei-internal.h | 2 +-
36279 drivers/acpi/bgrt.c | 6 +-
36280 drivers/acpi/blacklist.c | 2 +-
36281 drivers/acpi/processor_idle.c | 2 +-
36282 drivers/acpi/sysfs.c | 4 +-
36283 drivers/base/bus.c | 4 +-
36284 drivers/base/node.c | 2 +-
36285 drivers/base/syscore.c | 4 +-
36286 drivers/block/drbd/drbd_receiver.c | 4 +-
36287 drivers/char/random.c | 2 +-
36288 drivers/cpufreq/acpi-cpufreq.c | 20 ++-
36289 drivers/cpufreq/cpufreq.c | 7 +-
36290 drivers/cpufreq/cpufreq_governor.c | 4 +-
36291 drivers/cpufreq/cpufreq_governor.h | 2 +-
36292 drivers/cpufreq/p4-clockmod.c | 12 +-
36293 drivers/cpufreq/speedstep-centrino.c | 7 +-
36294 drivers/cpuidle/cpuidle.c | 2 +-
36295 drivers/cpuidle/governor.c | 4 +-
36296 drivers/cpuidle/sysfs.c | 2 +-
36297 drivers/devfreq/devfreq.c | 4 +-
36298 drivers/edac/edac_mc_sysfs.c | 2 +-
36299 drivers/edac/edac_pci_sysfs.c | 2 +-
36300 drivers/firewire/core-device.c | 2 +-
36301 drivers/firmware/dmi-id.c | 2 +-
36302 drivers/firmware/efivars.c | 2 +-
36303 drivers/firmware/google/memconsole.c | 4 +-
36304 drivers/gpio/gpio-ich.c | 2 +-
36305 drivers/gpu/drm/drm_drv.c | 2 +-
36306 drivers/gpu/drm/drm_ioc32.c | 9 +-
36307 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
36308 drivers/gpu/drm/i915/intel_display.c | 26 ++-
36309 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
36310 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
36311 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
36312 drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
36313 drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
36314 drivers/gpu/drm/udl/udl_fb.c | 1 -
36315 drivers/hwmon/acpi_power_meter.c | 4 +-
36316 drivers/hwmon/applesmc.c | 2 +-
36317 drivers/hwmon/asus_atk0110.c | 10 +-
36318 drivers/hwmon/ibmaem.c | 2 +-
36319 drivers/hwmon/pmbus/pmbus_core.c | 2 +-
36320 drivers/iio/industrialio-core.c | 2 +-
36321 drivers/input/mouse/psmouse.h | 2 +-
36322 drivers/iommu/iommu.c | 2 +-
36323 drivers/leds/leds-clevo-mail.c | 2 +-
36324 drivers/leds/leds-ss4200.c | 2 +-
36325 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
36326 drivers/mfd/twl4030-irq.c | 8 +-
36327 drivers/mfd/twl6030-irq.c | 10 +-
36328 drivers/misc/c2port/core.c | 4 +-
36329 drivers/mtd/sm_ftl.c | 2 +-
36330 drivers/net/bonding/bond_main.c | 2 +-
36331 drivers/net/macvlan.c | 16 +-
36332 drivers/net/vxlan.c | 2 +-
36333 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
36334 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
36335 drivers/pci/hotplug/pciehp_core.c | 2 +-
36336 drivers/pci/pci-sysfs.c | 6 +-
36337 drivers/pci/pci.h | 2 +-
36338 drivers/platform/x86/msi-laptop.c | 14 +-
36339 drivers/platform/x86/sony-laptop.c | 2 +-
36340 drivers/power/power_supply.h | 4 +-
36341 drivers/power/power_supply_core.c | 6 +-
36342 drivers/power/power_supply_sysfs.c | 6 +-
36343 drivers/rtc/rtc-cmos.c | 4 +-
36344 drivers/rtc/rtc-ds1307.c | 2 +-
36345 drivers/rtc/rtc-m48t59.c | 4 +-
36346 drivers/scsi/bfa/bfa.h | 2 +-
36347 drivers/staging/iio/iio_hwmon.c | 2 +-
36348 drivers/usb/storage/usb.h | 2 +-
36349 drivers/video/aty/atyfb_base.c | 8 +-
36350 drivers/video/aty/mach64_cursor.c | 4 +-
36351 drivers/video/backlight/kb3886_bl.c | 2 +-
36352 drivers/video/fb_defio.c | 6 +-
36353 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
36354 drivers/video/nvidia/nvidia.c | 27 ++-
36355 drivers/video/s1d13xxxfb.c | 6 +-
36356 drivers/video/smscufx.c | 4 +-
36357 drivers/video/udlfb.c | 4 +-
36358 drivers/video/uvesafb.c | 14 +-
36359 fs/exec.c | 6 +-
36360 fs/ext4/super.c | 2 +-
36361 fs/jfs/super.c | 4 +-
36362 fs/nfs/callback_xdr.c | 2 +-
36363 fs/nfsd/nfs4proc.c | 2 +-
36364 fs/nfsd/nfs4xdr.c | 6 +-
36365 fs/nls/nls_base.c | 18 +-
36366 fs/nls/nls_euc-jp.c | 6 +-
36367 fs/nls/nls_koi8-ru.c | 6 +-
36368 fs/proc/proc_sysctl.c | 18 +-
36369 include/drm/drmP.h | 12 +-
36370 include/keys/asymmetric-subtype.h | 2 +-
36371 include/linux/atmdev.h | 2 +-
36372 include/linux/binfmts.h | 2 +-
36373 include/linux/configfs.h | 2 +-
36374 include/linux/cpufreq.h | 3 +-
36375 include/linux/cpuidle.h | 5 +-
36376 include/linux/devfreq.h | 2 +-
36377 include/linux/device.h | 7 +-
36378 include/linux/extcon.h | 2 +-
36379 include/linux/fb.h | 2 +-
36380 include/linux/fscache.h | 2 +-
36381 include/linux/genl_magic_func.h | 2 +-
36382 include/linux/hwmon-sysfs.h | 5 +-
36383 include/linux/iommu.h | 2 +-
36384 include/linux/irq.h | 2 +-
36385 include/linux/key-type.h | 2 +-
36386 include/linux/kobject.h | 1 +
36387 include/linux/kobject_ns.h | 2 +-
36388 include/linux/list.h | 14 +-
36389 include/linux/mod_devicetable.h | 2 +-
36390 include/linux/module.h | 5 +-
36391 include/linux/net.h | 2 +-
36392 include/linux/netfilter.h | 2 +-
36393 include/linux/nls.h | 2 +-
36394 include/linux/pci_hotplug.h | 3 +-
36395 include/linux/platform_data/usb-exynos.h | 2 +-
36396 include/linux/pnp.h | 2 +-
36397 include/linux/ppp-comp.h | 2 +-
36398 include/linux/rculist.h | 16 ++
36399 include/linux/sched.h | 2 +-
36400 include/linux/sock_diag.h | 2 +-
36401 include/linux/sunrpc/clnt.h | 2 +-
36402 include/linux/sunrpc/svc.h | 2 +-
36403 include/linux/sunrpc/svcauth.h | 2 +-
36404 include/linux/swiotlb.h | 3 +-
36405 include/linux/syscore_ops.h | 2 +-
36406 include/linux/sysctl.h | 6 +-
36407 include/linux/sysfs.h | 10 +-
36408 include/linux/sysrq.h | 1 +
36409 include/linux/xattr.h | 2 +-
36410 include/net/9p/transport.h | 2 +-
36411 include/net/bluetooth/l2cap.h | 2 +-
36412 include/net/genetlink.h | 2 +-
36413 include/net/ip.h | 2 +-
36414 include/net/ip_vs.h | 4 +-
36415 include/net/llc_c_ac.h | 2 +-
36416 include/net/llc_c_ev.h | 4 +-
36417 include/net/llc_c_st.h | 2 +-
36418 include/net/llc_s_ac.h | 2 +-
36419 include/net/llc_s_st.h | 2 +-
36420 include/net/mac80211.h | 2 +-
36421 include/net/net_namespace.h | 2 +-
36422 include/net/netns/conntrack.h | 6 +-
36423 include/net/rtnetlink.h | 2 +-
36424 include/net/sctp/sm.h | 4 +-
36425 include/net/sctp/structs.h | 2 +-
36426 include/net/xfrm.h | 4 +-
36427 ipc/ipc_sysctl.c | 10 +-
36428 ipc/mq_sysctl.c | 2 +-
36429 kernel/kmod.c | 2 +-
36430 kernel/ksysfs.c | 2 +-
36431 kernel/module.c | 4 +-
36432 kernel/pid_namespace.c | 2 +-
36433 kernel/rcutree_plugin.h | 2 +-
36434 kernel/sched/core.c | 39 ++--
36435 kernel/smpboot.c | 4 +-
36436 kernel/softirq.c | 2 +-
36437 kernel/sysctl.c | 2 +-
36438 kernel/utsname_sysctl.c | 2 +-
36439 kernel/watchdog.c | 2 +-
36440 lib/Kconfig.debug | 2 +-
36441 lib/kobject.c | 4 +-
36442 lib/list_debug.c | 57 ++++-
36443 lib/swiotlb.c | 2 +-
36444 mm/hugetlb.c | 16 +-
36445 mm/memory-failure.c | 2 +-
36446 mm/slab_common.c | 2 +-
36447 net/9p/mod.c | 4 +-
36448 net/ax25/sysctl_net_ax25.c | 2 +-
36449 net/core/neighbour.c | 2 +-
36450 net/core/net-sysfs.c | 2 +-
36451 net/core/net_namespace.c | 8 +-
36452 net/core/rtnetlink.c | 11 +-
36453 net/core/sock_diag.c | 9 +-
36454 net/core/sysctl_net_core.c | 15 +-
36455 net/ipv4/af_inet.c | 8 +-
36456 net/ipv4/devinet.c | 12 +-
36457 net/ipv4/inet_connection_sock.c | 2 +-
36458 net/ipv4/ip_fragment.c | 9 +-
36459 net/ipv4/ip_gre.c | 6 +-
36460 net/ipv4/ip_vti.c | 4 +-
36461 net/ipv4/ipip.c | 4 +-
36462 net/ipv4/route.c | 14 +-
36463 net/ipv4/sysctl_net_ipv4.c | 43 ++--
36464 net/ipv6/addrconf.c | 4 +-
36465 net/ipv6/icmp.c | 2 +-
36466 net/ipv6/ip6_gre.c | 6 +-
36467 net/ipv6/ip6_tunnel.c | 4 +-
36468 net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
36469 net/ipv6/reassembly.c | 11 +-
36470 net/ipv6/route.c | 2 +-
36471 net/ipv6/sit.c | 4 +-
36472 net/ipv6/sysctl_net_ipv6.c | 2 +-
36473 net/netfilter/ipset/ip_set_core.c | 2 +-
36474 net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
36475 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
36476 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
36477 net/netfilter/nf_conntrack_acct.c | 2 +-
36478 net/netfilter/nf_conntrack_ecache.c | 2 +-
36479 net/netfilter/nf_conntrack_helper.c | 2 +-
36480 net/netfilter/nf_conntrack_proto.c | 2 +-
36481 net/netfilter/nf_conntrack_standalone.c | 2 +-
36482 net/netfilter/nf_conntrack_timestamp.c | 2 +-
36483 net/netfilter/nf_log.c | 10 +-
36484 net/netfilter/nf_sockopt.c | 4 +-
36485 net/netlink/genetlink.c | 16 +-
36486 net/phonet/sysctl.c | 2 +-
36487 net/rds/rds.h | 2 +-
36488 net/sctp/ipv6.c | 6 +-
36489 net/sctp/protocol.c | 10 +-
36490 net/sctp/sm_sideeffect.c | 2 +-
36491 net/sctp/sysctl.c | 4 +-
36492 net/sunrpc/clnt.c | 4 +-
36493 net/sunrpc/svc.c | 4 +-
36494 net/unix/sysctl_net_unix.c | 2 +-
36495 net/xfrm/xfrm_policy.c | 11 +-
36496 net/xfrm/xfrm_state.c | 29 ++-
36497 net/xfrm/xfrm_sysctl.c | 2 +-
36498 security/apparmor/lsm.c | 2 +-
36499 security/keys/key.c | 18 +-
36500 security/yama/yama_lsm.c | 22 +-
36501 tools/gcc/Makefile | 4 +-
36502 tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
36503 tools/gcc/size_overflow_plugin.c | 7 +-
36504 248 files changed, 994 insertions(+), 668 deletions(-)
36505
36506commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
36507Author: Brad Spengler <spender@grsecurity.net>
36508Date: Wed Mar 6 12:58:21 2013 -0500
36509
36510 Make slab_state __read_only, it's only written to during init
36511
36512 mm/slab_common.c | 2 +-
36513 1 files changed, 1 insertions(+), 1 deletions(-)
36514
36515commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
36516Author: Brad Spengler <spender@grsecurity.net>
36517Date: Wed Mar 6 12:31:35 2013 -0500
36518
36519 Make two new helper functions:
36520 gr_is_global_root() and gr_is_global_nonroot()
36521
36522 grsecurity/gracl.c | 10 +++++-----
36523 grsecurity/gracl_segv.c | 2 +-
36524 grsecurity/grsec_link.c | 4 ++--
36525 grsecurity/grsec_sig.c | 10 +++++-----
36526 grsecurity/grsec_tpe.c | 6 +++---
36527 include/linux/uidgid.h | 2 ++
36528 6 files changed, 18 insertions(+), 16 deletions(-)
36529
36530commit d45d88eddd4998b280b1e5b5384289ee11ca7088
36531Author: Brad Spengler <spender@grsecurity.net>
36532Date: Wed Mar 6 12:14:41 2013 -0500
36533
36534 convert remaining task->pid to task_pid_nr(task)
36535
36536 grsecurity/gracl.c | 22 +++++++++++-----------
36537 grsecurity/gracl_shm.c | 2 +-
36538 grsecurity/grsec_chroot.c | 4 ++--
36539 grsecurity/grsec_sig.c | 4 ++--
36540 4 files changed, 16 insertions(+), 16 deletions(-)
36541
36542commit c877f2ece03ee2232dd281c1977ae59507297124
36543Author: Brad Spengler <spender@grsecurity.net>
36544Date: Tue Mar 5 17:29:54 2013 -0500
36545
36546 compat-log is only used anymore by vm86-on-64bit and allows unlimited
36547 spamming of the kernel log buffer (and since it includes the changable
36548 process name, can avoid syslog log deduplication)
36549 Turn it off by default
36550
36551 fs/compat.c | 2 +-
36552 1 files changed, 1 insertions(+), 1 deletions(-)
36553
36554commit 7c1964c4b7276889d7967bee70e46918cdca1b14
36555Author: Brad Spengler <spender@grsecurity.net>
36556Date: Mon Mar 4 17:19:10 2013 -0500
36557
36558 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
36559 is enabled, introduced with recent userns support
36560
36561 init/main.c | 4 ++--
36562 1 files changed, 2 insertions(+), 2 deletions(-)
36563
36564commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
36565Author: Brad Spengler <spender@grsecurity.net>
36566Date: Sun Mar 3 18:46:12 2013 -0500
36567
36568 Prevent TOMOYO from auto-loading modules by unprivileged users
36569 (Only reachable if TOMOYO is actually used)
36570
36571 security/tomoyo/mount.c | 4 ++++
36572 1 files changed, 4 insertions(+), 0 deletions(-)
36573
36574commit 79e142f9455b398759ff9d93d4963a21b98dddda
36575Author: Brad Spengler <spender@grsecurity.net>
36576Date: Sun Mar 3 18:28:45 2013 -0500
36577
36578 For now, don't permit any special access to /proc in a user namespace
36579 Later we can go back and allow a userns-uid0 special access to a /proc
36580 with a non-global pid namespace
36581
36582 fs/proc/base.c | 2 +-
36583 1 files changed, 1 insertions(+), 1 deletions(-)
36584
36585commit 8b91fb393049ce5f3c0a86f62247409853fd9700
36586Merge: d931eb8 603ef05
36587Author: Brad Spengler <spender@grsecurity.net>
36588Date: Sun Mar 3 17:42:09 2013 -0500
36589
36590 Merge branch 'pax-test' into grsec-test
36591
36592commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
36593Author: Brad Spengler <spender@grsecurity.net>
36594Date: Sun Mar 3 17:41:31 2013 -0500
36595
36596 Fix compilation error on ARM reported by Michael Tremer
36597
36598 arch/arm/mach-omap2/wd_timer.c | 6 +++---
36599 1 files changed, 3 insertions(+), 3 deletions(-)
36600
36601commit b4c9ce81fdd7839a150c97873c710c479e788280
36602Author: Brad Spengler <spender@grsecurity.net>
36603Date: Sun Mar 3 17:39:53 2013 -0500
36604
36605 Fix compilation error on ARM reported by Michael Tremer
36606
36607 arch/arm/kernel/armksyms.c | 2 +-
36608 1 files changed, 1 insertions(+), 1 deletions(-)
36609
36610commit d931eb81ab3da46896268fd61373a6aa7bbea930
36611Merge: bfa7f44 5948f93
36612Author: Brad Spengler <spender@grsecurity.net>
36613Date: Sun Mar 3 17:34:36 2013 -0500
36614
36615 Merge branch 'pax-test' into grsec-test
36616
36617commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
36618Merge: ab30472 19b00d2
36619Author: Brad Spengler <spender@grsecurity.net>
36620Date: Sun Mar 3 17:34:08 2013 -0500
36621
36622 Merge branch 'linux-3.8.y' into pax-test
36623
36624commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
36625Author: Brad Spengler <spender@grsecurity.net>
36626Date: Sun Mar 3 15:12:12 2013 -0500
36627
36628 Initial support for user namespaces, as we previously didn't allow
36629 the option to be enabled at all.
36630
36631 RBAC will act on the global uids/gids only, so all uids/gids in user
36632 namespaces will be converted
36633
36634 Because Eric Biederman is insulted that I didn't support his
36635 backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
36636 check in for user namespaces, so this is generally irrelevant.
36637
36638 fs/exec.c | 6 +-
36639 fs/proc/base.c | 2 +-
36640 fs/proc/proc_net.c | 4 +-
36641 grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
36642 grsecurity/gracl_cap.c | 4 +-
36643 grsecurity/gracl_ip.c | 16 +++---
36644 grsecurity/gracl_segv.c | 12 +++-
36645 grsecurity/gracl_shm.c | 4 +-
36646 grsecurity/grsec_disabled.c | 10 ++--
36647 grsecurity/grsec_fifo.c | 6 +-
36648 grsecurity/grsec_init.c | 24 ++++----
36649 grsecurity/grsec_log.c | 3 -
36650 grsecurity/grsec_tpe.c | 6 +-
36651 include/linux/grinternal.h | 12 ++--
36652 include/linux/grsecurity.h | 12 ++--
36653 include/linux/uidgid.h | 3 +
36654 init/Kconfig | 2 -
36655 ipc/shm.c | 2 +-
36656 kernel/cred.c | 5 +-
36657 kernel/kallsyms.c | 2 +-
36658 kernel/kmod.c | 6 +-
36659 kernel/sys.c | 12 ++--
36660 22 files changed, 166 insertions(+), 115 deletions(-)
36661
36662commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
36663Author: Linus Torvalds <torvalds@linux-foundation.org>
36664Date: Wed Feb 27 08:36:04 2013 -0800
36665
36666 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
36667
36668 mm: do not grow the stack vma just because of an overrun on preceding vma
36669
36670 The stack vma is designed to grow automatically (marked with VM_GROWSUP
36671 or VM_GROWSDOWN depending on architecture) when an access is made beyond
36672 the existing boundary. However, particularly if you have not limited
36673 your stack at all ("ulimit -s unlimited"), this can cause the stack to
36674 grow even if the access was really just one past *another* segment.
36675
36676 And that's wrong, especially since we first grow the segment, but then
36677 immediately later enforce the stack guard page on the last page of the
36678 segment. So _despite_ first growing the stack segment as a result of
36679 the access, the kernel will then make the access cause a SIGSEGV anyway!
36680
36681 So do the same logic as the guard page check does, and consider an
36682 access to within one page of the next segment to be a bad access, rather
36683 than growing the stack to abut the next segment.
36684
36685 Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
36686 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
36687
36688 mm/mmap.c | 27 +++++++++++++++++++++++++++
36689 1 files changed, 27 insertions(+), 0 deletions(-)
36690
36691commit 5596211af754867ca825f58e6e0300a8439950fe
36692Author: H. Peter Anvin <hpa@linux.intel.com>
36693Date: Wed Feb 27 12:46:40 2013 -0800
36694
36695 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
36696
36697 x86: Make sure we can boot in the case the BDA contains pure garbage
36698
36699 On non-BIOS platforms it is possible that the BIOS data area contains
36700 garbage instead of being zeroed or something equivalent (firmware
36701 people: we are talking of 1.5K here, so please do the sane thing.)
36702
36703 We need on the order of 20-30K of low memory in order to boot, which
36704 may grow up to < 64K in the future. We probably want to avoid the
36705 lowest of the low memory. At the same time, it seems extremely
36706 unlikely that a legitimate EBDA would ever reach down to the 128K
36707 (which would require it to be over half a megabyte in size.) Thus,
36708 pick 128K as the cutoff for "this is insane, ignore." We may still
36709 end up reserving a bunch of extra memory on the low megabyte, but that
36710 is not really a major issue these days. In the worst case we lose
36711 512K of RAM.
36712
36713 This code really should be merged with trim_bios_range() in
36714 arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
36715 window.
36716
36717 Reported-by: Darren Hart <dvhart@linux.intel.com>
36718 Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
36719 Cc: Matt Fleming <matt.fleming@intel.com>
36720 Cc: <stable@vger.kernel.org>
36721 Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
36722
36723 arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
36724 1 files changed, 34 insertions(+), 19 deletions(-)
36725
36726commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
36727Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
36728Date: Wed Feb 27 17:05:46 2013 -0800
36729
36730 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
36731
36732 memstick: move the dereference below the NULL test
36733
36734 The dereference should be moved below the NULL test.
36735
36736 spatch with a semantic match is used to found this.
36737 (http://coccinelle.lip6.fr/)
36738
36739 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
36740 Cc: Maxim Levitsky <maximlevitsky@gmail.com>
36741 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
36742 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
36743
36744 drivers/memstick/host/r592.c | 3 ++-
36745 1 files changed, 2 insertions(+), 1 deletions(-)
36746
36747commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
36748Author: Xi Wang <xi.wang@gmail.com>
36749Date: Wed Feb 27 17:05:21 2013 -0800
36750
36751 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
36752
36753 sysctl: fix null checking in bin_dn_node_address()
36754
36755 The null check of `strchr() + 1' is broken, which is always non-null,
36756 leading to OOB read. Instead, check the result of strchr().
36757
36758 Signed-off-by: Xi Wang <xi.wang@gmail.com>
36759 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
36760 Cc: <stable@vger.kernel.org>
36761 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
36762 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
36763
36764 kernel/sysctl_binary.c | 3 ++-
36765 1 files changed, 2 insertions(+), 1 deletions(-)
36766
36767commit 7ca96db0817416fd40761e7437d1939fc0731380
36768Author: Tejun Heo <tj@kernel.org>
36769Date: Wed Feb 27 17:03:34 2013 -0800
36770
36771 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
36772
36773 idr: fix a subtle bug in idr_get_next()
36774
36775 The iteration logic of idr_get_next() is borrowed mostly verbatim from
36776 idr_for_each(). It walks down the tree looking for the slot matching
36777 the current ID. If the matching slot is not found, the ID is
36778 incremented by the distance of single slot at the given level and
36779 repeats.
36780
36781 The implementation assumes that during the whole iteration id is aligned
36782 to the layer boundaries of the level closest to the leaf, which is true
36783 for all iterations starting from zero or an existing element and thus is
36784 fine for idr_for_each().
36785
36786 However, idr_get_next() may be given any point and if the starting id
36787 hits in the middle of a non-existent layer, increment to the next layer
36788 will end up skipping the same offset into it. For example, an IDR with
36789 IDs filled between [64, 127] would look like the following.
36790
36791 [ 0 64 ... ]
36792 /----/ |
36793 | |
36794 NULL [ 64 ... 127 ]
36795
36796 If idr_get_next() is called with 63 as the starting point, it will try
36797 to follow down the pointer from 0. As it is NULL, it will then try to
36798 proceed to the next slot in the same level by adding the slot distance
36799 at that level which is 64 - making the next try 127. It goes around the
36800 loop and finds and returns 127 skipping [64, 126].
36801
36802 Note that this bug also triggers in idr_for_each_entry() loop which
36803 deletes during iteration as deletions can make layers go away leaving
36804 the iteration with unaligned ID into missing layers.
36805
36806 Fix it by ensuring proceeding to the next slot doesn't carry over the
36807 unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
36808 id += slot_distance.
36809
36810 Signed-off-by: Tejun Heo <tj@kernel.org>
36811 Reported-by: David Teigland <teigland@redhat.com>
36812 Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
36813 Cc: <stable@vger.kernel.org>
36814 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
36815 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
36816
36817 lib/idr.c | 9 ++++++++-
36818 1 files changed, 8 insertions(+), 1 deletions(-)
36819
36820commit 745362f28034f54242ba2e64eaa7374ab9869613
36821Author: Brad Spengler <spender@grsecurity.net>
36822Date: Fri Mar 1 20:31:42 2013 -0500
36823
36824 Fix dentry use-after-free after failed complete_walk() with RBAC enabled
36825 Many thanks to zakalwe from #grsecurity for the report and debugging help
36826
36827 fs/namei.c | 8 +++-----
36828 1 files changed, 3 insertions(+), 5 deletions(-)
36829
36830commit b53b3b14330920c6f7cfb74c8508a3026e1be620
36831Author: Brad Spengler <spender@grsecurity.net>
36832Date: Thu Feb 28 18:29:26 2013 -0500
36833
36834 Fix bad git merge
36835
36836 fs/namespace.c | 8 --------
36837 1 files changed, 0 insertions(+), 8 deletions(-)
36838
36839commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
36840Merge: 1cce1dd ab30472
36841Author: Brad Spengler <spender@grsecurity.net>
36842Date: Thu Feb 28 17:45:14 2013 -0500
36843
36844 Merge branch 'pax-test' into grsec-test
36845
36846 Conflicts:
36847 net/core/sock_diag.c
36848
36849commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
36850Merge: 4b61d21 4c91a0e
36851Author: Brad Spengler <spender@grsecurity.net>
36852Date: Thu Feb 28 17:43:56 2013 -0500
36853
36854 Merge branch 'linux-3.8.y' into pax-test
36855
36856commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
36857Author: Brad Spengler <spender@grsecurity.net>
36858Date: Wed Feb 27 22:20:22 2013 -0500
36859
36860 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
36861
36862 include/linux/sysrq.h | 1 +
36863 1 files changed, 1 insertions(+), 0 deletions(-)
36864
36865commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
36866Author: Brad Spengler <spender@grsecurity.net>
36867Date: Wed Feb 27 17:52:31 2013 -0500
36868
36869 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
36870
36871 kernel/printk.c | 12 +++++++-----
36872 1 files changed, 7 insertions(+), 5 deletions(-)
36873
36874commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
36875Author: Brad Spengler <spender@grsecurity.net>
36876Date: Wed Feb 27 17:23:46 2013 -0500
36877
36878 Fix upstream vulnerability from addition of a /dev/kmsg device
36879 while neglecting to add the same set of existing permission checks
36880 from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
36881 A temporary workaround without this patch would be to
36882 chmod 0600 /dev/kmsg (and is likely a good idea anyway).
36883
36884 Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
36885 Initially reported to Redhat bugzilla by Christian Kujau:
36886 https://bugzilla.redhat.com/show_bug.cgi?id=903192
36887
36888 kernel/printk.c | 4 ++++
36889 1 files changed, 4 insertions(+), 0 deletions(-)
36890
36891commit 66c04806f5660988c3cb4855e60de294e77e3d0e
36892Author: David Howells <dhowells@redhat.com>
36893Date: Thu Feb 21 12:00:25 2013 +0000
36894
36895 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
36896
36897 KEYS: Revert one application of "Fix unreachable code" patch
36898
36899 A patch to fix some unreachable code in search_my_process_keyrings() got
36900 applied twice by two different routes upstream as commits e67eab39bee2
36901 and b010520ab3d2 (both "fix unreachable code").
36902
36903 Unfortunately, the second application removed something it shouldn't
36904 have and this wasn't detected by GIT. This is due to the patch not
36905 having sufficient lines of context to distinguish the two places of
36906 application.
36907
36908 The effect of this is relatively minor: inside the kernel, the keyring
36909 search routines may search multiple keyrings and then prioritise the
36910 errors if no keys or negative keys are found in any of them. With the
36911 extra deletion, the presence of a negative key in the thread keyring
36912 (causing ENOKEY) is incorrectly overridden by an error searching the
36913 process keyring.
36914
36915 So revert the second application of the patch.
36916
36917 Signed-off-by: David Howells <dhowells@redhat.com>
36918 Cc: Jiri Kosina <jkosina@suse.cz>
36919 Cc: Andrew Morton <akpm@linux-foundation.org>
36920 Cc: stable@vger.kernel.org
36921 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
36922
36923 security/keys/process_keys.c | 2 ++
36924 1 files changed, 2 insertions(+), 0 deletions(-)
36925
36926commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
36927Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
36928Date: Thu Feb 21 16:42:43 2013 -0800
36929
36930 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
36931
36932 configfs: move the dereference below the NULL test
36933
36934 The dereference should be moved below the NULL test.
36935
36936 spatch with a semantic match is used to found this.
36937 (http://coccinelle.lip6.fr/)
36938
36939 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
36940 Cc: Joel Becker <jlbec@evilplan.org>
36941 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
36942 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
36943
36944 fs/configfs/dir.c | 5 +++--
36945 1 files changed, 3 insertions(+), 2 deletions(-)
36946
36947commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
36948Author: Nicolas Pitre <nicolas.pitre@linaro.org>
36949Date: Sun Feb 24 20:06:09 2013 -0500
36950
36951 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
36952
36953 tty vt: fix character insertion overflow
36954
36955 Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
36956 command line edition") broke insert_char() in multiple ways. Then
36957 commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
36958 partially fixed it. However, the buffer being moved is still too large
36959 and overflowing beyond the end of the current line, corrupting existing
36960 characters on the next line.
36961
36962 Example test case:
36963
36964 echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
36965
36966 Expected result:
36967
36968 ab c
36969 de
36970
36971 Current result:
36972
36973 ab c
36974 e
36975
36976 Needless to say that this is very annoying when inserting words in the
36977 middle of paragraphs with certain text editors.
36978
36979 Signed-off-by: Nicolas Pitre <nico@linaro.org>
36980 Cc: Jean-François Moine <moinejf@free.fr>
36981 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
36982 Cc: <stable@vger.kernel.org>
36983 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
36984
36985 drivers/tty/vt/vt.c | 2 +-
36986 1 files changed, 1 insertions(+), 1 deletions(-)
36987
36988commit 6cda35071669b4aabde081bd039e0ffea36f997a
36989Author: Robin Holt <holt@sgi.com>
36990Date: Fri Feb 22 16:35:34 2013 -0800
36991
36992 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
36993
36994 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
36995
36996 There is a race condition between mmu_notifier_unregister() and
36997 __mmu_notifier_release().
36998
36999 Assume two tasks, one calling mmu_notifier_unregister() as a result of a
37000 filp_close() ->flush() callout (task A), and the other calling
37001 mmu_notifier_release() from an mmput() (task B).
37002
37003 A B
37004 t1 srcu_read_lock()
37005 t2 if (!hlist_unhashed())
37006 t3 srcu_read_unlock()
37007 t4 srcu_read_lock()
37008 t5 hlist_del_init_rcu()
37009 t6 synchronize_srcu()
37010 t7 srcu_read_unlock()
37011 t8 hlist_del_rcu() <--- NULL pointer deref.
37012
37013 Additionally, the list traversal in __mmu_notifier_release() is not
37014 protected by the by the mmu_notifier_mm->hlist_lock which can result in
37015 callouts to the ->release() notifier from both mmu_notifier_unregister()
37016 and __mmu_notifier_release().
37017
37018 -stable suggestions:
37019
37020 The stable trees prior to 3.7.y need commits 21a92735f660 and
37021 70400303ce0c cherry-picked in that order prior to cherry-picking this
37022 commit. The 3.7.y tree already has those two commits.
37023
37024 Signed-off-by: Robin Holt <holt@sgi.com>
37025 Cc: Andrea Arcangeli <aarcange@redhat.com>
37026 Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
37027 Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
37028 Cc: Avi Kivity <avi@redhat.com>
37029 Cc: Hugh Dickins <hughd@google.com>
37030 Cc: Marcelo Tosatti <mtosatti@redhat.com>
37031 Cc: Sagi Grimberg <sagig@mellanox.co.il>
37032 Cc: Haggai Eran <haggaie@mellanox.com>
37033 Cc: <stable@vger.kernel.org>
37034 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
37035 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
37036
37037 mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
37038 1 files changed, 42 insertions(+), 40 deletions(-)
37039
37040commit bf5167ed78ba6131c6874887f714bda50c2cab83
37041Author: Mike Galbraith <bitbucket@online.de>
37042Date: Mon Jan 28 12:19:25 2013 +0100
37043
37044 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
37045
37046 sched: Fix select_idle_sibling() bouncing cow syndrome
37047
37048 If the previous CPU is cache affine and idle, select it.
37049
37050 The current implementation simply traverses the sd_llc domain,
37051 taking the first idle CPU encountered, which walks buddy pairs
37052 hand in hand over the package, inflicting excruciating pain.
37053
37054 1 tbench pair (worst case) in a 10 core + SMT package:
37055
37056 pre 15.22 MB/sec 1 procs
37057 post 252.01 MB/sec 1 procs
37058
37059 Signed-off-by: Mike Galbraith <bitbucket@online.de>
37060 Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
37061 Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
37062 Signed-off-by: Ingo Molnar <mingo@kernel.org>
37063
37064 kernel/sched/fair.c | 21 +++++++--------------
37065 1 files changed, 7 insertions(+), 14 deletions(-)
37066
37067commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
37068Author: Eric W. Biederman <ebiederm@xmission.com>
37069Date: Fri Dec 28 18:58:39 2012 -0800
37070
37071 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
37072
37073 userns: Avoid recursion in put_user_ns
37074
37075 When freeing a deeply nested user namespace free_user_ns calls
37076 put_user_ns on it's parent which may in turn call free_user_ns again.
37077 When -fno-optimize-sibling-calls is passed to gcc one stack frame per
37078 user namespace is left on the stack, potentially overflowing the
37079 kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
37080 so we can't count on gcc to optimize this code.
37081
37082 Remove struct kref and use a plain atomic_t. Making the code more
37083 flexible and easier to comprehend. Make the loop in free_user_ns
37084 explict to guarantee that the stack does not overflow with
37085 CONFIG_FRAME_POINTER enabled.
37086
37087 I have tested this fix with a simple program that uses unshare to
37088 create a deeply nested user namespace structure and then calls exit.
37089 With 1000 nesteuser namespaces before this change running my test
37090 program causes the kernel to die a horrible death. With 10,000,000
37091 nested user namespaces after this change my test program runs to
37092 completion and causes no harm.
37093
37094 Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
37095 Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
37096 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
37097
37098 include/linux/user_namespace.h | 10 +++++-----
37099 kernel/user.c | 4 +---
37100 kernel/user_namespace.c | 17 +++++++++--------
37101 3 files changed, 15 insertions(+), 16 deletions(-)
37102
37103commit 81501c7106ccc186c94806f4db954626295b5ebe
37104Author: Brad Spengler <spender@grsecurity.net>
37105Date: Tue Feb 26 17:12:30 2013 -0500
37106
37107 Pass the same flags to kern_path_create as the original function
37108
37109 fs/namei.c | 4 ++--
37110 1 files changed, 2 insertions(+), 2 deletions(-)
37111
37112commit a677c8eee35afe48868f92c7d6745bfe809cd481
37113Author: Al Viro <viro@zeniv.linux.org.uk>
37114Date: Fri Feb 22 22:45:42 2013 -0500
37115
37116 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
37117
37118 get rid of unprotected dereferencing of mnt->mnt_ns
37119
37120 It's safe only under namespace_sem or vfsmount_lock; all places
37121 in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
37122 current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
37123 there).
37124
37125 Cc: stable@vger.kernel.org
37126 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
37127
37128 fs/namespace.c | 29 +++++++++++++++++------------
37129 1 files changed, 17 insertions(+), 12 deletions(-)
37130
37131commit 89298124d0c96dc34a60377e7a1308f8f532ff75
37132Author: Greg Thelen <gthelen@google.com>
37133Date: Fri Feb 22 16:36:01 2013 -0800
37134
37135 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
37136
37137 tmpfs: fix use-after-free of mempolicy object
37138
37139 The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
37140 option is not specified in the remount request. A new policy can be
37141 specified if mpol=M is given.
37142
37143 Before this patch remounting an mpol bound tmpfs without specifying
37144 mpol= mount option in the remount request would set the filesystem's
37145 mempolicy object to a freed mempolicy object.
37146
37147 To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
37148 # mkdir /tmp/x
37149
37150 # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
37151
37152 # grep /tmp/x /proc/mounts
37153 nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
37154
37155 # mount -o remount,size=200M nodev /tmp/x
37156
37157 # grep /tmp/x /proc/mounts
37158 nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
37159 # note ? garbage in mpol=... output above
37160
37161 # dd if=/dev/zero of=/tmp/x/f count=1
37162 # panic here
37163
37164 Panic:
37165 BUG: unable to handle kernel NULL pointer dereference at (null)
37166 IP: [< (null)>] (null)
37167 [...]
37168 Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
37169 Call Trace:
37170 mpol_shared_policy_init+0xa5/0x160
37171 shmem_get_inode+0x209/0x270
37172 shmem_mknod+0x3e/0xf0
37173 shmem_create+0x18/0x20
37174 vfs_create+0xb5/0x130
37175 do_last+0x9a1/0xea0
37176 path_openat+0xb3/0x4d0
37177 do_filp_open+0x42/0xa0
37178 do_sys_open+0xfe/0x1e0
37179 compat_sys_open+0x1b/0x20
37180 cstar_dispatch+0x7/0x1f
37181
37182 Non-debug kernels will not crash immediately because referencing the
37183 dangling mpol will not cause a fault. Instead the filesystem will
37184 reference a freed mempolicy object, which will cause unpredictable
37185 behavior.
37186
37187 The problem boils down to a dropped mpol reference below if
37188 shmem_parse_options() does not allocate a new mpol:
37189
37190 config = *sbinfo
37191 shmem_parse_options(data, &config, true)
37192 mpol_put(sbinfo->mpol)
37193 sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
37194
37195 This patch avoids the crash by not releasing the mempolicy if
37196 shmem_parse_options() doesn't create a new mpol.
37197
37198 How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
37199 not look back further.
37200
37201 Signed-off-by: Greg Thelen <gthelen@google.com>
37202 Acked-by: Hugh Dickins <hughd@google.com>
37203 Cc: <stable@vger.kernel.org>
37204 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
37205 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
37206
37207 mm/shmem.c | 10 ++++++++--
37208 1 files changed, 8 insertions(+), 2 deletions(-)
37209
37210commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
37211Author: Brad Spengler <spender@grsecurity.net>
37212Date: Sat Feb 23 11:08:05 2013 -0500
37213
37214 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
37215 with a family greater or equal then AF_MAX -- the array size of
37216 sock_diag_handlers[]. The current code does not test for this
37217 condition therefore is vulnerable to an out-of-bound access opening
37218 doors for a privilege escalation.
37219
37220 Signed-off-by: Mathias Krause <minipli@googlemail.com>
37221
37222 The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
37223 make the code less readable. Get rid of them and make the lock usage
37224 and access to sock_diag_handlers[] clear on the first sight.
37225
37226 Signed-off-by: Mathias Krause <minipli@googlemail.com>
37227
37228 net/core/sock_diag.c | 27 ++++++++++-----------------
37229 1 files changed, 10 insertions(+), 17 deletions(-)
37230
37231commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
37232Author: Brad Spengler <spender@grsecurity.net>
37233Date: Sat Feb 23 10:58:52 2013 -0500
37234
37235 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
37236
37237 arch/arm/include/asm/domain.h | 1 +
37238 1 files changed, 1 insertions(+), 0 deletions(-)
37239
37240commit 7b729586eb81f344fdedf0942fab0acc738a6725
37241Author: Brad Spengler <spender@grsecurity.net>
37242Date: Fri Feb 22 19:02:51 2013 -0500
37243
37244 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users.
37245
37246 kernel/fork.c | 17 +++++++++++++++++
37247 1 files changed, 17 insertions(+), 0 deletions(-)
37248
37249commit fadc560d0c486af88da83177735f5515e88acdcc
37250Author: Brad Spengler <spender@grsecurity.net>
37251Date: Thu Feb 21 23:06:48 2013 -0500
37252
37253 put is_hugetlbfs_mnt inside ifdefs
37254
37255 grsecurity/gracl.c | 2 ++
37256 1 files changed, 2 insertions(+), 0 deletions(-)
37257
37258commit 8252176922d405484f986eb2cc350b7cd3ae586e
37259Author: Brad Spengler <spender@grsecurity.net>
37260Date: Thu Feb 21 23:02:07 2013 -0500
37261
37262 remove unused label
37263
37264 kernel/module.c | 1 -
37265 1 files changed, 0 insertions(+), 1 deletions(-)
37266
37267commit dad4a980f0b625059e215d13da728aa7fd02a374
37268Author: Brad Spengler <spender@grsecurity.net>
37269Date: Thu Feb 21 23:00:52 2013 -0500
37270
37271 compile fix
37272
37273 fs/open.c | 2 +-
37274 1 files changed, 1 insertions(+), 1 deletions(-)
37275
37276commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
37277Author: Brad Spengler <spender@grsecurity.net>
37278Date: Thu Feb 21 22:57:49 2013 -0500
37279
37280 remove kmalloc_array_error for the same reasons as kcalloc_error
37281
37282 include/linux/slab.h | 9 ---------
37283 1 files changed, 0 insertions(+), 9 deletions(-)
37284
37285commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
37286Author: Brad Spengler <spender@grsecurity.net>
37287Date: Thu Feb 21 22:49:35 2013 -0500
37288
37289 Initial port of grsecurity for Linux 3.8
37290
37291 Documentation/kernel-parameters.txt | 4 +
37292 Makefile | 10 +-
37293 arch/alpha/include/asm/cache.h | 4 +-
37294 arch/alpha/kernel/osf_sys.c | 14 +-
37295 arch/arm/include/asm/cache.h | 2 +
37296 arch/arm/include/asm/thread_info.h | 9 +-
37297 arch/arm/kernel/process.c | 4 +-
37298 arch/arm/kernel/ptrace.c | 9 +
37299 arch/arm/kernel/traps.c | 7 +-
37300 arch/arm/mm/fault.c | 27 +-
37301 arch/arm/mm/mmap.c | 6 +-
37302 arch/avr32/include/asm/cache.h | 4 +-
37303 arch/blackfin/include/asm/cache.h | 3 +-
37304 arch/cris/include/arch-v10/arch/cache.h | 3 +-
37305 arch/cris/include/arch-v32/arch/cache.h | 3 +-
37306 arch/frv/include/asm/cache.h | 3 +-
37307 arch/frv/mm/elf-fdpic.c | 7 +-
37308 arch/hexagon/include/asm/cache.h | 6 +-
37309 arch/ia64/include/asm/cache.h | 3 +-
37310 arch/ia64/kernel/sys_ia64.c | 3 +-
37311 arch/ia64/mm/hugetlbpage.c | 3 +-
37312 arch/m32r/include/asm/cache.h | 4 +-
37313 arch/m68k/include/asm/cache.h | 4 +-
37314 arch/microblaze/include/asm/cache.h | 3 +-
37315 arch/mips/include/asm/cache.h | 3 +-
37316 arch/mips/include/asm/thread_info.h | 9 +-
37317 arch/mips/kernel/ptrace.c | 9 +
37318 arch/mips/kernel/scall32-o32.S | 2 +-
37319 arch/mips/kernel/scall64-64.S | 2 +-
37320 arch/mips/kernel/scall64-n32.S | 2 +-
37321 arch/mips/kernel/scall64-o32.S | 2 +-
37322 arch/mips/mm/mmap.c | 3 +-
37323 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
37324 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
37325 arch/openrisc/include/asm/cache.h | 4 +-
37326 arch/parisc/include/asm/cache.h | 5 +-
37327 arch/parisc/kernel/sys_parisc.c | 19 +-
37328 arch/powerpc/include/asm/cache.h | 3 +-
37329 arch/powerpc/include/asm/thread_info.h | 8 +-
37330 arch/powerpc/kernel/process.c | 10 +-
37331 arch/powerpc/kernel/ptrace.c | 14 +
37332 arch/powerpc/kernel/traps.c | 5 +
37333 arch/powerpc/mm/slice.c | 8 +-
37334 arch/s390/include/asm/cache.h | 4 +-
37335 arch/score/include/asm/cache.h | 4 +-
37336 arch/sh/include/asm/cache.h | 3 +-
37337 arch/sh/mm/mmap.c | 6 +-
37338 arch/sparc/include/asm/cache.h | 4 +-
37339 arch/sparc/include/asm/thread_info_64.h | 9 +-
37340 arch/sparc/kernel/process_32.c | 6 +-
37341 arch/sparc/kernel/process_64.c | 8 +-
37342 arch/sparc/kernel/ptrace_64.c | 14 +
37343 arch/sparc/kernel/sys_sparc_64.c | 6 +-
37344 arch/sparc/kernel/syscalls.S | 8 +-
37345 arch/sparc/kernel/traps_32.c | 8 +-
37346 arch/sparc/kernel/traps_64.c | 28 +-
37347 arch/sparc/kernel/unaligned_64.c | 2 +-
37348 arch/sparc/mm/fault_64.c | 2 +-
37349 arch/sparc/mm/hugetlbpage.c | 3 +-
37350 arch/tile/include/asm/cache.h | 3 +-
37351 arch/um/include/asm/cache.h | 3 +-
37352 arch/unicore32/include/asm/cache.h | 6 +-
37353 arch/x86/Kconfig | 5 +-
37354 arch/x86/Kconfig.debug | 2 +-
37355 arch/x86/ia32/ia32_aout.c | 2 +
37356 arch/x86/include/asm/thread_info.h | 8 +-
37357 arch/x86/kernel/dumpstack.c | 8 +
37358 arch/x86/kernel/entry_32.S | 2 +-
37359 arch/x86/kernel/entry_64.S | 2 +-
37360 arch/x86/kernel/ioport.c | 13 +
37361 arch/x86/kernel/ptrace.c | 14 +
37362 arch/x86/kernel/smpboot.c | 3 +
37363 arch/x86/kernel/sys_i386_32.c | 14 +-
37364 arch/x86/kernel/sys_x86_64.c | 3 +-
37365 arch/x86/kernel/verify_cpu.S | 1 +
37366 arch/x86/kernel/vm86_32.c | 16 +
37367 arch/x86/mm/fault.c | 12 +-
37368 arch/x86/mm/hugetlbpage.c | 3 +-
37369 arch/x86/mm/init.c | 66 +-
37370 arch/x86/net/bpf_jit_comp.c | 126 +-
37371 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
37372 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
37373 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
37374 crypto/ablkcipher.c | 12 +-
37375 crypto/aead.c | 9 +-
37376 crypto/ahash.c | 2 +-
37377 crypto/blkcipher.c | 6 +-
37378 crypto/crypto_user.c | 38 +-
37379 crypto/pcompress.c | 3 +-
37380 crypto/rng.c | 2 +-
37381 crypto/shash.c | 3 +-
37382 drivers/block/cciss.c | 2 +
37383 drivers/char/Kconfig | 4 +-
37384 drivers/char/genrtc.c | 1 +
37385 drivers/char/mem.c | 17 +
37386 drivers/char/random.c | 12 +
37387 drivers/gpu/drm/drm_info.c | 4 +
37388 drivers/hid/hid-wiimote-debug.c | 2 +-
37389 drivers/media/radio/radio-cadet.c | 2 +-
37390 drivers/message/fusion/mptbase.c | 5 +
37391 drivers/net/phy/mdio-bitbang.c | 1 +
37392 drivers/pci/proc.c | 9 +
37393 drivers/rtc/rtc-dev.c | 3 +
37394 drivers/tty/sysrq.c | 2 +-
37395 drivers/tty/vt/keyboard.c | 22 +-
37396 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
37397 drivers/xen/xenfs/xenstored.c | 5 +
37398 fs/attr.c | 1 +
37399 fs/autofs4/waitq.c | 9 +
37400 fs/binfmt_aout.c | 7 +
37401 fs/binfmt_elf.c | 6 +
37402 fs/btrfs/inode.c | 10 +-
37403 fs/btrfs/ioctl.c | 6 +-
37404 fs/compat.c | 18 +
37405 fs/coredump.c | 10 +-
37406 fs/debugfs/inode.c | 4 +
37407 fs/exec.c | 155 +-
37408 fs/ext2/balloc.c | 4 +-
37409 fs/ext3/balloc.c | 4 +-
37410 fs/ext4/balloc.c | 4 +-
37411 fs/fcntl.c | 5 +
37412 fs/file.c | 4 +
37413 fs/filesystems.c | 5 +
37414 fs/fs_struct.c | 26 +-
37415 fs/hugetlbfs/inode.c | 5 +-
37416 fs/namei.c | 269 ++-
37417 fs/namespace.c | 24 +
37418 fs/open.c | 38 +
37419 fs/pipe.c | 2 +-
37420 fs/proc/Kconfig | 10 +-
37421 fs/proc/array.c | 59 +-
37422 fs/proc/base.c | 168 +-
37423 fs/proc/cmdline.c | 4 +
37424 fs/proc/devices.c | 4 +
37425 fs/proc/fd.c | 17 +-
37426 fs/proc/inode.c | 17 +
37427 fs/proc/internal.h | 3 +
37428 fs/proc/kcore.c | 3 +
37429 fs/proc/proc_net.c | 12 +
37430 fs/proc/proc_sysctl.c | 43 +-
37431 fs/proc/root.c | 8 +
37432 fs/proc/task_mmu.c | 75 +-
37433 fs/readdir.c | 19 +
37434 fs/select.c | 2 +
37435 fs/seq_file.c | 12 +-
37436 fs/stat.c | 19 +-
37437 fs/sysfs/dir.c | 12 +
37438 fs/utimes.c | 7 +
37439 fs/xattr.c | 19 +-
37440 grsecurity/Kconfig | 1021 +++++
37441 grsecurity/Makefile | 38 +
37442 grsecurity/gracl.c | 4017 ++++++++++++++++++++
37443 grsecurity/gracl_alloc.c | 105 +
37444 grsecurity/gracl_cap.c | 110 +
37445 grsecurity/gracl_fs.c | 431 +++
37446 grsecurity/gracl_ip.c | 384 ++
37447 grsecurity/gracl_learn.c | 207 +
37448 grsecurity/gracl_res.c | 68 +
37449 grsecurity/gracl_segv.c | 299 ++
37450 grsecurity/gracl_shm.c | 40 +
37451 grsecurity/grsec_chdir.c | 19 +
37452 grsecurity/grsec_chroot.c | 357 ++
37453 grsecurity/grsec_disabled.c | 434 +++
37454 grsecurity/grsec_exec.c | 174 +
37455 grsecurity/grsec_fifo.c | 24 +
37456 grsecurity/grsec_fork.c | 23 +
37457 grsecurity/grsec_init.c | 283 ++
37458 grsecurity/grsec_link.c | 58 +
37459 grsecurity/grsec_log.c | 329 ++
37460 grsecurity/grsec_mem.c | 40 +
37461 grsecurity/grsec_mount.c | 62 +
37462 grsecurity/grsec_pax.c | 36 +
37463 grsecurity/grsec_ptrace.c | 30 +
37464 grsecurity/grsec_sig.c | 222 ++
37465 grsecurity/grsec_sock.c | 244 ++
37466 grsecurity/grsec_sysctl.c | 469 +++
37467 grsecurity/grsec_time.c | 16 +
37468 grsecurity/grsec_tpe.c | 73 +
37469 grsecurity/grsum.c | 61 +
37470 include/linux/capability.h | 5 +
37471 include/linux/cred.h | 3 +
37472 include/linux/fs.h | 10 +
37473 include/linux/fsnotify.h | 6 +
37474 include/linux/gracl.h | 319 ++
37475 include/linux/gralloc.h | 9 +
37476 include/linux/grdefs.h | 140 +
37477 include/linux/grinternal.h | 215 ++
37478 include/linux/grmsg.h | 111 +
37479 include/linux/grsecurity.h | 257 ++
37480 include/linux/grsock.h | 19 +
37481 include/linux/kallsyms.h | 14 +-
37482 include/linux/kmod.h | 2 +
37483 include/linux/netfilter/xt_gradm.h | 9 +
37484 include/linux/printk.h | 3 +-
37485 include/linux/proc_fs.h | 12 +
37486 include/linux/sched.h | 66 +-
37487 include/linux/security.h | 1 +
37488 include/linux/seq_file.h | 3 +
37489 include/linux/shm.h | 4 +
37490 include/linux/sysctl.h | 2 +
37491 include/linux/thread_info.h | 2 +
37492 include/linux/vermagic.h | 9 +-
37493 include/trace/events/fs.h | 53 +
37494 include/uapi/linux/personality.h | 1 +
37495 init/Kconfig | 5 +-
37496 init/main.c | 14 +
37497 ipc/mqueue.c | 1 +
37498 ipc/shm.c | 28 +
37499 kernel/capability.c | 39 +-
37500 kernel/cgroup.c | 2 +-
37501 kernel/compat.c | 1 +
37502 kernel/configs.c | 11 +
37503 kernel/cred.c | 109 +-
37504 kernel/exit.c | 10 +-
37505 kernel/fork.c | 24 +-
37506 kernel/futex.c | 1 +
37507 kernel/kallsyms.c | 9 +
37508 kernel/kcmp.c | 4 +
37509 kernel/kmod.c | 71 +-
37510 kernel/kprobes.c | 4 +-
37511 kernel/ksysfs.c | 2 +
37512 kernel/lockdep_proc.c | 10 +-
37513 kernel/module.c | 80 +-
37514 kernel/panic.c | 4 +-
37515 kernel/pid.c | 19 +-
37516 kernel/posix-timers.c | 8 +
37517 kernel/printk.c | 5 +
37518 kernel/ptrace.c | 20 +-
37519 kernel/resource.c | 10 +
37520 kernel/sched/core.c | 6 +-
37521 kernel/signal.c | 37 +-
37522 kernel/sys.c | 38 +-
37523 kernel/sysctl.c | 39 +-
37524 kernel/taskstats.c | 6 +
37525 kernel/time.c | 5 +
37526 kernel/time/timekeeping.c | 3 +
37527 kernel/time/timer_list.c | 12 +
37528 kernel/time/timer_stats.c | 10 +-
37529 lib/Kconfig.debug | 5 +-
37530 lib/is_single_threaded.c | 3 +
37531 lib/vsprintf.c | 35 +-
37532 localversion-grsec | 1 +
37533 mm/Kconfig | 4 +-
37534 mm/filemap.c | 1 +
37535 mm/kmemleak.c | 4 +-
37536 mm/mempolicy.c | 12 +-
37537 mm/migrate.c | 3 +-
37538 mm/mlock.c | 3 +
37539 mm/mmap.c | 62 +-
37540 mm/mprotect.c | 8 +
37541 mm/page_alloc.c | 6 +
37542 mm/process_vm_access.c | 6 +
37543 mm/shmem.c | 2 +-
37544 mm/slab.c | 2 +-
37545 mm/slub.c | 14 +-
37546 mm/vmalloc.c | 4 +
37547 mm/vmstat.c | 18 +-
37548 net/core/dev.c | 9 +
37549 net/core/sock_diag.c | 7 +
37550 net/ipv4/inet_hashtables.c | 5 +
37551 net/ipv4/ip_sockglue.c | 3 +-
37552 net/ipv4/tcp_input.c | 4 +-
37553 net/ipv4/tcp_ipv4.c | 24 +-
37554 net/ipv4/tcp_minisocks.c | 9 +-
37555 net/ipv4/tcp_timer.c | 11 +
37556 net/ipv4/udp.c | 24 +
37557 net/ipv6/tcp_ipv6.c | 23 +-
37558 net/ipv6/udp.c | 7 +
37559 net/netfilter/Kconfig | 10 +
37560 net/netfilter/Makefile | 1 +
37561 net/netfilter/nf_conntrack_core.c | 8 +
37562 net/netfilter/xt_gradm.c | 51 +
37563 net/netrom/af_netrom.c | 2 +-
37564 net/phonet/af_phonet.c | 4 +-
37565 net/sctp/proc.c | 3 +-
37566 net/socket.c | 62 +-
37567 net/sysctl_net.c | 2 +-
37568 net/unix/af_unix.c | 19 +
37569 security/Kconfig | 320 ++-
37570 security/apparmor/lsm.c | 2 +-
37571 security/commoncap.c | 29 +
37572 security/min_addr.c | 2 +
37573 security/security.c | 2 -
37574 security/selinux/hooks.c | 2 -
37575 security/yama/Kconfig | 2 +-
37576 tools/gcc/Makefile | 2 +-
37577 286 files changed, 15083 insertions(+), 2067 deletions(-)
37578
37579commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
37580Author: Brad Spengler <spender@grsecurity.net>
37581Date: Wed Feb 20 21:00:42 2013 -0500
37582
37583 Initial import of pax-linux-3.8-test3.patch
37584
37585 Documentation/dontdiff | 43 +-
37586 Documentation/kernel-parameters.txt | 7 +
37587 Makefile | 97 +-
37588 arch/alpha/include/asm/atomic.h | 10 +
37589 arch/alpha/include/asm/elf.h | 7 +
37590 arch/alpha/include/asm/pgalloc.h | 6 +
37591 arch/alpha/include/asm/pgtable.h | 11 +
37592 arch/alpha/kernel/module.c | 2 +-
37593 arch/alpha/kernel/osf_sys.c | 10 +-
37594 arch/alpha/mm/fault.c | 141 +-
37595 arch/arm/Kconfig | 2 +-
37596 arch/arm/include/asm/atomic.h | 421 +++-
37597 arch/arm/include/asm/cache.h | 3 +-
37598 arch/arm/include/asm/cacheflush.h | 2 +-
37599 arch/arm/include/asm/checksum.h | 14 +-
37600 arch/arm/include/asm/cmpxchg.h | 2 +
37601 arch/arm/include/asm/delay.h | 8 +-
37602 arch/arm/include/asm/domain.h | 32 +-
37603 arch/arm/include/asm/elf.h | 13 +-
37604 arch/arm/include/asm/fncpy.h | 2 +
37605 arch/arm/include/asm/futex.h | 10 +
37606 arch/arm/include/asm/kmap_types.h | 2 +-
37607 arch/arm/include/asm/mach/dma.h | 2 +-
37608 arch/arm/include/asm/mach/map.h | 7 +-
37609 arch/arm/include/asm/outercache.h | 2 +-
37610 arch/arm/include/asm/page.h | 2 +-
37611 arch/arm/include/asm/pgalloc.h | 22 +-
37612 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
37613 arch/arm/include/asm/pgtable-2level.h | 1 +
37614 arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
37615 arch/arm/include/asm/pgtable-3level.h | 2 +
37616 arch/arm/include/asm/pgtable.h | 56 +-
37617 arch/arm/include/asm/proc-fns.h | 2 +-
37618 arch/arm/include/asm/processor.h | 5 +-
37619 arch/arm/include/asm/smp.h | 2 +-
37620 arch/arm/include/asm/thread_info.h | 6 +-
37621 arch/arm/include/asm/uaccess.h | 92 +-
37622 arch/arm/include/uapi/asm/ptrace.h | 2 +-
37623 arch/arm/kernel/armksyms.c | 4 +-
37624 arch/arm/kernel/entry-armv.S | 107 +-
37625 arch/arm/kernel/entry-common.S | 41 +-
37626 arch/arm/kernel/entry-header.S | 60 +
37627 arch/arm/kernel/fiq.c | 2 +
37628 arch/arm/kernel/head.S | 6 +-
37629 arch/arm/kernel/hw_breakpoint.c | 2 +-
37630 arch/arm/kernel/module.c | 29 +-
37631 arch/arm/kernel/perf_event_cpu.c | 2 +-
37632 arch/arm/kernel/process.c | 10 +-
37633 arch/arm/kernel/setup.c | 22 +-
37634 arch/arm/kernel/smp.c | 2 +-
37635 arch/arm/kernel/traps.c | 8 +-
37636 arch/arm/kernel/vmlinux.lds.S | 20 +-
37637 arch/arm/lib/clear_user.S | 6 +-
37638 arch/arm/lib/copy_from_user.S | 6 +-
37639 arch/arm/lib/copy_page.S | 1 +
37640 arch/arm/lib/copy_to_user.S | 6 +-
37641 arch/arm/lib/csumpartialcopyuser.S | 4 +-
37642 arch/arm/lib/delay.c | 14 +-
37643 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
37644 arch/arm/mach-kirkwood/common.c | 19 +-
37645 arch/arm/mach-omap2/board-n8x0.c | 2 +-
37646 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
37647 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
37648 arch/arm/mach-ux500/include/mach/setup.h | 7 -
37649 arch/arm/mm/Kconfig | 3 +-
37650 arch/arm/mm/fault.c | 78 +
37651 arch/arm/mm/fault.h | 12 +
37652 arch/arm/mm/init.c | 41 +
37653 arch/arm/mm/ioremap.c | 4 +-
37654 arch/arm/mm/mmap.c | 36 +-
37655 arch/arm/mm/mmu.c | 186 +-
37656 arch/arm/mm/proc-v7-2level.S | 3 +
37657 arch/arm/plat-omap/sram.c | 2 +
37658 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
37659 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
37660 arch/arm64/kernel/debug-monitors.c | 2 +-
37661 arch/arm64/kernel/hw_breakpoint.c | 2 +-
37662 arch/avr32/include/asm/elf.h | 8 +-
37663 arch/avr32/include/asm/kmap_types.h | 4 +-
37664 arch/avr32/mm/fault.c | 27 +
37665 arch/frv/include/asm/atomic.h | 10 +
37666 arch/frv/include/asm/kmap_types.h | 2 +-
37667 arch/frv/mm/elf-fdpic.c | 7 +-
37668 arch/ia64/include/asm/atomic.h | 10 +
37669 arch/ia64/include/asm/elf.h | 7 +
37670 arch/ia64/include/asm/pgalloc.h | 12 +
37671 arch/ia64/include/asm/pgtable.h | 13 +-
37672 arch/ia64/include/asm/spinlock.h | 2 +-
37673 arch/ia64/include/asm/uaccess.h | 28 +-
37674 arch/ia64/kernel/err_inject.c | 2 +-
37675 arch/ia64/kernel/mca.c | 2 +-
37676 arch/ia64/kernel/module.c | 48 +-
37677 arch/ia64/kernel/palinfo.c | 2 +-
37678 arch/ia64/kernel/salinfo.c | 2 +-
37679 arch/ia64/kernel/sys_ia64.c | 13 +-
37680 arch/ia64/kernel/topology.c | 2 +-
37681 arch/ia64/kernel/vmlinux.lds.S | 2 +-
37682 arch/ia64/mm/fault.c | 32 +-
37683 arch/ia64/mm/hugetlbpage.c | 2 +-
37684 arch/ia64/mm/init.c | 13 +
37685 arch/m32r/lib/usercopy.c | 6 +
37686 arch/mips/include/asm/atomic.h | 14 +
37687 arch/mips/include/asm/elf.h | 11 +-
37688 arch/mips/include/asm/exec.h | 2 +-
37689 arch/mips/include/asm/page.h | 2 +-
37690 arch/mips/include/asm/pgalloc.h | 5 +
37691 arch/mips/kernel/binfmt_elfn32.c | 7 +
37692 arch/mips/kernel/binfmt_elfo32.c | 7 +
37693 arch/mips/kernel/process.c | 12 -
37694 arch/mips/mm/fault.c | 17 +
37695 arch/mips/mm/mmap.c | 51 +-
37696 arch/parisc/include/asm/atomic.h | 10 +
37697 arch/parisc/include/asm/elf.h | 7 +
37698 arch/parisc/include/asm/pgalloc.h | 6 +
37699 arch/parisc/include/asm/pgtable.h | 11 +
37700 arch/parisc/include/asm/uaccess.h | 4 +-
37701 arch/parisc/kernel/module.c | 50 +-
37702 arch/parisc/kernel/sys_parisc.c | 6 +-
37703 arch/parisc/kernel/traps.c | 4 +-
37704 arch/parisc/mm/fault.c | 140 +-
37705 arch/powerpc/include/asm/atomic.h | 10 +
37706 arch/powerpc/include/asm/elf.h | 19 +-
37707 arch/powerpc/include/asm/exec.h | 2 +-
37708 arch/powerpc/include/asm/kmap_types.h | 2 +-
37709 arch/powerpc/include/asm/mman.h | 2 +-
37710 arch/powerpc/include/asm/page.h | 8 +-
37711 arch/powerpc/include/asm/page_64.h | 7 +-
37712 arch/powerpc/include/asm/pgalloc-64.h | 7 +
37713 arch/powerpc/include/asm/pgtable.h | 1 +
37714 arch/powerpc/include/asm/pte-hash32.h | 1 +
37715 arch/powerpc/include/asm/reg.h | 1 +
37716 arch/powerpc/include/asm/uaccess.h | 142 +-
37717 arch/powerpc/kernel/exceptions-64e.S | 4 +-
37718 arch/powerpc/kernel/exceptions-64s.S | 2 +-
37719 arch/powerpc/kernel/module_32.c | 13 +-
37720 arch/powerpc/kernel/process.c | 55 -
37721 arch/powerpc/kernel/signal_32.c | 2 +-
37722 arch/powerpc/kernel/signal_64.c | 2 +-
37723 arch/powerpc/kernel/sysfs.c | 2 +-
37724 arch/powerpc/kernel/vdso.c | 5 +-
37725 arch/powerpc/lib/usercopy_64.c | 18 -
37726 arch/powerpc/mm/fault.c | 54 +-
37727 arch/powerpc/mm/mmap_64.c | 16 +
37728 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
37729 arch/powerpc/mm/numa.c | 2 +-
37730 arch/powerpc/mm/slice.c | 23 +-
37731 arch/powerpc/platforms/powermac/smp.c | 2 +-
37732 arch/s390/include/asm/atomic.h | 10 +
37733 arch/s390/include/asm/elf.h | 13 +-
37734 arch/s390/include/asm/exec.h | 2 +-
37735 arch/s390/include/asm/uaccess.h | 15 +-
37736 arch/s390/kernel/module.c | 22 +-
37737 arch/s390/kernel/process.c | 36 -
37738 arch/s390/mm/mmap.c | 24 +
37739 arch/score/include/asm/exec.h | 2 +-
37740 arch/score/kernel/process.c | 5 -
37741 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
37742 arch/sh/mm/mmap.c | 22 +-
37743 arch/sparc/include/asm/atomic_64.h | 106 +-
37744 arch/sparc/include/asm/cache.h | 2 +-
37745 arch/sparc/include/asm/elf_32.h | 7 +
37746 arch/sparc/include/asm/elf_64.h | 7 +
37747 arch/sparc/include/asm/pgalloc_32.h | 1 +
37748 arch/sparc/include/asm/pgalloc_64.h | 1 +
37749 arch/sparc/include/asm/pgtable_32.h | 15 +-
37750 arch/sparc/include/asm/pgtsrmmu.h | 5 +
37751 arch/sparc/include/asm/spinlock_64.h | 35 +-
37752 arch/sparc/include/asm/thread_info_32.h | 2 +
37753 arch/sparc/include/asm/thread_info_64.h | 2 +
37754 arch/sparc/include/asm/uaccess.h | 8 +
37755 arch/sparc/include/asm/uaccess_32.h | 27 +-
37756 arch/sparc/include/asm/uaccess_64.h | 19 +-
37757 arch/sparc/kernel/Makefile | 2 +-
37758 arch/sparc/kernel/sys_sparc_32.c | 2 +-
37759 arch/sparc/kernel/sys_sparc_64.c | 48 +-
37760 arch/sparc/kernel/sysfs.c | 2 +-
37761 arch/sparc/kernel/traps_64.c | 13 +-
37762 arch/sparc/lib/Makefile | 2 +-
37763 arch/sparc/lib/atomic_64.S | 136 +-
37764 arch/sparc/lib/ksyms.c | 6 +
37765 arch/sparc/mm/Makefile | 2 +-
37766 arch/sparc/mm/fault_32.c | 292 ++
37767 arch/sparc/mm/fault_64.c | 486 +++
37768 arch/sparc/mm/hugetlbpage.c | 21 +-
37769 arch/tile/include/asm/atomic_64.h | 10 +
37770 arch/tile/include/asm/uaccess.h | 4 +-
37771 arch/um/Makefile | 4 +
37772 arch/um/include/asm/kmap_types.h | 2 +-
37773 arch/um/include/asm/page.h | 3 +
37774 arch/um/include/asm/pgtable-3level.h | 1 +
37775 arch/um/kernel/process.c | 16 -
37776 arch/x86/Kconfig | 10 +-
37777 arch/x86/Kconfig.cpu | 6 +-
37778 arch/x86/Kconfig.debug | 6 +-
37779 arch/x86/Makefile | 10 +
37780 arch/x86/boot/Makefile | 3 +
37781 arch/x86/boot/bitops.h | 4 +-
37782 arch/x86/boot/boot.h | 4 +-
37783 arch/x86/boot/compressed/Makefile | 3 +
37784 arch/x86/boot/compressed/eboot.c | 2 -
37785 arch/x86/boot/compressed/head_32.S | 7 +-
37786 arch/x86/boot/compressed/head_64.S | 4 +-
37787 arch/x86/boot/compressed/misc.c | 4 +-
37788 arch/x86/boot/cpucheck.c | 28 +-
37789 arch/x86/boot/header.S | 6 +-
37790 arch/x86/boot/memory.c | 2 +-
37791 arch/x86/boot/video-vesa.c | 1 +
37792 arch/x86/boot/video.c | 2 +-
37793 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
37794 arch/x86/crypto/aesni-intel_asm.S | 31 +
37795 arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
37796 arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
37797 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
37798 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
37799 arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
37800 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
37801 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
37802 arch/x86/crypto/sha1_ssse3_asm.S | 3 +
37803 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
37804 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
37805 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
37806 arch/x86/ia32/ia32_signal.c | 14 +-
37807 arch/x86/ia32/ia32entry.S | 141 +-
37808 arch/x86/ia32/sys_ia32.c | 12 +-
37809 arch/x86/include/asm/alternative-asm.h | 39 +
37810 arch/x86/include/asm/alternative.h | 4 +-
37811 arch/x86/include/asm/apic.h | 2 +-
37812 arch/x86/include/asm/apm.h | 4 +-
37813 arch/x86/include/asm/atomic.h | 307 ++-
37814 arch/x86/include/asm/atomic64_32.h | 100 +
37815 arch/x86/include/asm/atomic64_64.h | 202 ++-
37816 arch/x86/include/asm/bitops.h | 2 +-
37817 arch/x86/include/asm/boot.h | 7 +-
37818 arch/x86/include/asm/cache.h | 5 +-
37819 arch/x86/include/asm/cacheflush.h | 2 +-
37820 arch/x86/include/asm/checksum_32.h | 12 +-
37821 arch/x86/include/asm/cmpxchg.h | 35 +
37822 arch/x86/include/asm/cpufeature.h | 4 +-
37823 arch/x86/include/asm/desc.h | 65 +-
37824 arch/x86/include/asm/desc_defs.h | 6 +
37825 arch/x86/include/asm/elf.h | 31 +-
37826 arch/x86/include/asm/emergency-restart.h | 2 +-
37827 arch/x86/include/asm/fpu-internal.h | 6 +-
37828 arch/x86/include/asm/futex.h | 16 +-
37829 arch/x86/include/asm/hw_irq.h | 4 +-
37830 arch/x86/include/asm/io.h | 13 +-
37831 arch/x86/include/asm/irqflags.h | 5 +
37832 arch/x86/include/asm/kprobes.h | 9 +-
37833 arch/x86/include/asm/local.h | 142 +-
37834 arch/x86/include/asm/mman.h | 15 +
37835 arch/x86/include/asm/mmu.h | 16 +-
37836 arch/x86/include/asm/mmu_context.h | 76 +-
37837 arch/x86/include/asm/module.h | 17 +-
37838 arch/x86/include/asm/page_64_types.h | 2 +-
37839 arch/x86/include/asm/paravirt.h | 44 +-
37840 arch/x86/include/asm/paravirt_types.h | 17 +-
37841 arch/x86/include/asm/pgalloc.h | 23 +
37842 arch/x86/include/asm/pgtable-2level.h | 2 +
37843 arch/x86/include/asm/pgtable-3level.h | 4 +
37844 arch/x86/include/asm/pgtable.h | 110 +-
37845 arch/x86/include/asm/pgtable_32.h | 14 +-
37846 arch/x86/include/asm/pgtable_32_types.h | 15 +-
37847 arch/x86/include/asm/pgtable_64.h | 19 +-
37848 arch/x86/include/asm/pgtable_64_types.h | 5 +
37849 arch/x86/include/asm/pgtable_types.h | 36 +-
37850 arch/x86/include/asm/processor.h | 39 +-
37851 arch/x86/include/asm/ptrace.h | 26 +-
37852 arch/x86/include/asm/realmode.h | 4 +-
37853 arch/x86/include/asm/reboot.h | 10 +-
37854 arch/x86/include/asm/rwsem.h | 60 +-
37855 arch/x86/include/asm/segment.h | 24 +-
37856 arch/x86/include/asm/smp.h | 14 +-
37857 arch/x86/include/asm/spinlock.h | 36 +-
37858 arch/x86/include/asm/stackprotector.h | 4 +-
37859 arch/x86/include/asm/stacktrace.h | 32 +-
37860 arch/x86/include/asm/switch_to.h | 4 +-
37861 arch/x86/include/asm/thread_info.h | 83 +-
37862 arch/x86/include/asm/uaccess.h | 96 +-
37863 arch/x86/include/asm/uaccess_32.h | 106 +-
37864 arch/x86/include/asm/uaccess_64.h | 232 +-
37865 arch/x86/include/asm/word-at-a-time.h | 2 +-
37866 arch/x86/include/asm/x86_init.h | 10 +-
37867 arch/x86/include/asm/xsave.h | 10 +-
37868 arch/x86/include/uapi/asm/e820.h | 2 +-
37869 arch/x86/kernel/Makefile | 2 +-
37870 arch/x86/kernel/acpi/sleep.c | 4 +
37871 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
37872 arch/x86/kernel/alternative.c | 65 +-
37873 arch/x86/kernel/apic/apic.c | 6 +-
37874 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
37875 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
37876 arch/x86/kernel/apic/es7000_32.c | 5 +-
37877 arch/x86/kernel/apic/io_apic.c | 8 +-
37878 arch/x86/kernel/apic/numaq_32.c | 3 +-
37879 arch/x86/kernel/apic/probe_32.c | 2 +-
37880 arch/x86/kernel/apic/summit_32.c | 2 +-
37881 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
37882 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
37883 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
37884 arch/x86/kernel/apm_32.c | 19 +-
37885 arch/x86/kernel/asm-offsets.c | 20 +
37886 arch/x86/kernel/asm-offsets_64.c | 1 +
37887 arch/x86/kernel/cpu/Makefile | 4 -
37888 arch/x86/kernel/cpu/amd.c | 2 +-
37889 arch/x86/kernel/cpu/common.c | 75 +-
37890 arch/x86/kernel/cpu/intel.c | 2 +-
37891 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
37892 arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
37893 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
37894 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
37895 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
37896 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
37897 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
37898 arch/x86/kernel/cpu/perf_event.c | 4 +-
37899 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
37900 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
37901 arch/x86/kernel/cpuid.c | 2 +-
37902 arch/x86/kernel/crash.c | 4 +-
37903 arch/x86/kernel/doublefault_32.c | 8 +-
37904 arch/x86/kernel/dumpstack.c | 30 +-
37905 arch/x86/kernel/dumpstack_32.c | 34 +-
37906 arch/x86/kernel/dumpstack_64.c | 63 +-
37907 arch/x86/kernel/early_printk.c | 1 +
37908 arch/x86/kernel/entry_32.S | 354 ++-
37909 arch/x86/kernel/entry_64.S | 512 +++-
37910 arch/x86/kernel/ftrace.c | 14 +-
37911 arch/x86/kernel/head32.c | 4 +-
37912 arch/x86/kernel/head_32.S | 237 ++-
37913 arch/x86/kernel/head_64.S | 158 +-
37914 arch/x86/kernel/i386_ksyms_32.c | 8 +
37915 arch/x86/kernel/i387.c | 2 +-
37916 arch/x86/kernel/i8259.c | 2 +-
37917 arch/x86/kernel/ioport.c | 2 +-
37918 arch/x86/kernel/irq.c | 10 +-
37919 arch/x86/kernel/irq_32.c | 69 +-
37920 arch/x86/kernel/irq_64.c | 2 +-
37921 arch/x86/kernel/kdebugfs.c | 2 +-
37922 arch/x86/kernel/kgdb.c | 25 +-
37923 arch/x86/kernel/kprobes-opt.c | 12 +-
37924 arch/x86/kernel/kprobes.c | 30 +-
37925 arch/x86/kernel/kvm.c | 2 +-
37926 arch/x86/kernel/ldt.c | 31 +-
37927 arch/x86/kernel/machine_kexec_32.c | 6 +-
37928 arch/x86/kernel/microcode_core.c | 2 +-
37929 arch/x86/kernel/microcode_intel.c | 4 +-
37930 arch/x86/kernel/module.c | 76 +-
37931 arch/x86/kernel/msr.c | 2 +-
37932 arch/x86/kernel/nmi.c | 11 +
37933 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
37934 arch/x86/kernel/paravirt.c | 43 +-
37935 arch/x86/kernel/pci-iommu_table.c | 2 +-
37936 arch/x86/kernel/process.c | 57 +-
37937 arch/x86/kernel/process_32.c | 29 +-
37938 arch/x86/kernel/process_64.c | 15 +-
37939 arch/x86/kernel/ptrace.c | 25 +-
37940 arch/x86/kernel/pvclock.c | 8 +-
37941 arch/x86/kernel/reboot.c | 44 +-
37942 arch/x86/kernel/relocate_kernel_64.S | 4 +-
37943 arch/x86/kernel/setup.c | 14 +-
37944 arch/x86/kernel/setup_percpu.c | 27 +-
37945 arch/x86/kernel/signal.c | 15 +-
37946 arch/x86/kernel/smp.c | 2 +-
37947 arch/x86/kernel/smpboot.c | 15 +-
37948 arch/x86/kernel/step.c | 10 +-
37949 arch/x86/kernel/sys_i386_32.c | 247 ++
37950 arch/x86/kernel/sys_x86_64.c | 19 +-
37951 arch/x86/kernel/tboot.c | 14 +-
37952 arch/x86/kernel/time.c | 10 +-
37953 arch/x86/kernel/tls.c | 7 +-
37954 arch/x86/kernel/traps.c | 64 +-
37955 arch/x86/kernel/uprobes.c | 2 +-
37956 arch/x86/kernel/vm86_32.c | 6 +-
37957 arch/x86/kernel/vmlinux.lds.S | 148 +-
37958 arch/x86/kernel/vsyscall_64.c | 12 +-
37959 arch/x86/kernel/x8664_ksyms_64.c | 2 -
37960 arch/x86/kernel/x86_init.c | 8 +-
37961 arch/x86/kernel/xsave.c | 2 +
37962 arch/x86/kvm/cpuid.c | 21 +-
37963 arch/x86/kvm/emulate.c | 4 +-
37964 arch/x86/kvm/lapic.c | 2 +-
37965 arch/x86/kvm/paging_tmpl.h | 2 +-
37966 arch/x86/kvm/svm.c | 8 +
37967 arch/x86/kvm/vmx.c | 47 +-
37968 arch/x86/kvm/x86.c | 10 +-
37969 arch/x86/lguest/boot.c | 3 +-
37970 arch/x86/lib/atomic64_386_32.S | 164 +
37971 arch/x86/lib/atomic64_cx8_32.S | 103 +-
37972 arch/x86/lib/checksum_32.S | 100 +-
37973 arch/x86/lib/clear_page_64.S | 5 +-
37974 arch/x86/lib/cmpxchg16b_emu.S | 2 +
37975 arch/x86/lib/copy_page_64.S | 24 +-
37976 arch/x86/lib/copy_user_64.S | 47 +-
37977 arch/x86/lib/copy_user_nocache_64.S | 20 +-
37978 arch/x86/lib/csum-copy_64.S | 2 +
37979 arch/x86/lib/csum-wrappers_64.c | 4 +-
37980 arch/x86/lib/getuser.S | 68 +-
37981 arch/x86/lib/insn.c | 6 +-
37982 arch/x86/lib/iomap_copy_64.S | 2 +
37983 arch/x86/lib/memcpy_64.S | 18 +-
37984 arch/x86/lib/memmove_64.S | 34 +-
37985 arch/x86/lib/memset_64.S | 7 +-
37986 arch/x86/lib/mmx_32.c | 243 +-
37987 arch/x86/lib/msr-reg.S | 18 +-
37988 arch/x86/lib/putuser.S | 90 +-
37989 arch/x86/lib/rwlock.S | 42 +
37990 arch/x86/lib/rwsem.S | 6 +-
37991 arch/x86/lib/thunk_64.S | 2 +
37992 arch/x86/lib/usercopy_32.c | 376 ++-
37993 arch/x86/lib/usercopy_64.c | 25 +-
37994 arch/x86/mm/extable.c | 25 +-
37995 arch/x86/mm/fault.c | 555 +++-
37996 arch/x86/mm/gup.c | 2 +-
37997 arch/x86/mm/highmem_32.c | 4 +
37998 arch/x86/mm/hugetlbpage.c | 30 +-
37999 arch/x86/mm/init.c | 92 +-
38000 arch/x86/mm/init_32.c | 122 +-
38001 arch/x86/mm/init_64.c | 48 +-
38002 arch/x86/mm/iomap_32.c | 4 +
38003 arch/x86/mm/ioremap.c | 12 +-
38004 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
38005 arch/x86/mm/mmap.c | 41 +-
38006 arch/x86/mm/mmio-mod.c | 10 +-
38007 arch/x86/mm/pageattr-test.c | 2 +-
38008 arch/x86/mm/pageattr.c | 33 +-
38009 arch/x86/mm/pat.c | 12 +-
38010 arch/x86/mm/pf_in.c | 10 +-
38011 arch/x86/mm/pgtable.c | 137 +-
38012 arch/x86/mm/pgtable_32.c | 3 +
38013 arch/x86/mm/setup_nx.c | 7 +
38014 arch/x86/mm/tlb.c | 4 +
38015 arch/x86/net/bpf_jit.S | 14 +
38016 arch/x86/net/bpf_jit_comp.c | 37 +-
38017 arch/x86/oprofile/backtrace.c | 8 +-
38018 arch/x86/pci/amd_bus.c | 2 +-
38019 arch/x86/pci/mrst.c | 4 +-
38020 arch/x86/pci/pcbios.c | 144 +-
38021 arch/x86/platform/efi/efi_32.c | 19 +
38022 arch/x86/platform/efi/efi_stub_32.S | 64 +-
38023 arch/x86/platform/efi/efi_stub_64.S | 8 +
38024 arch/x86/platform/mrst/mrst.c | 6 +-
38025 arch/x86/platform/olpc/olpc_dt.c | 2 +-
38026 arch/x86/power/cpu.c | 4 +-
38027 arch/x86/realmode/init.c | 8 +-
38028 arch/x86/realmode/rm/Makefile | 3 +
38029 arch/x86/realmode/rm/header.S | 4 +-
38030 arch/x86/realmode/rm/trampoline_32.S | 12 +-
38031 arch/x86/realmode/rm/trampoline_64.S | 2 +-
38032 arch/x86/tools/relocs.c | 95 +-
38033 arch/x86/vdso/Makefile | 2 +-
38034 arch/x86/vdso/vdso32-setup.c | 23 +-
38035 arch/x86/vdso/vma.c | 29 +-
38036 arch/x86/xen/enlighten.c | 47 +-
38037 arch/x86/xen/mmu.c | 9 +
38038 arch/x86/xen/smp.c | 18 +-
38039 arch/x86/xen/xen-asm_32.S | 12 +-
38040 arch/x86/xen/xen-head.S | 11 +
38041 arch/x86/xen/xen-ops.h | 2 -
38042 block/blk-iopoll.c | 4 +-
38043 block/blk-map.c | 2 +-
38044 block/blk-softirq.c | 4 +-
38045 block/bsg.c | 12 +-
38046 block/compat_ioctl.c | 2 +-
38047 block/partitions/efi.c | 8 +-
38048 block/scsi_ioctl.c | 27 +-
38049 crypto/cryptd.c | 4 +-
38050 drivers/acpi/apei/cper.c | 8 +-
38051 drivers/acpi/ec_sys.c | 12 +-
38052 drivers/acpi/processor_driver.c | 2 +-
38053 drivers/ata/libata-core.c | 8 +-
38054 drivers/ata/pata_arasan_cf.c | 4 +-
38055 drivers/atm/adummy.c | 2 +-
38056 drivers/atm/ambassador.c | 8 +-
38057 drivers/atm/atmtcp.c | 14 +-
38058 drivers/atm/eni.c | 10 +-
38059 drivers/atm/firestream.c | 8 +-
38060 drivers/atm/fore200e.c | 14 +-
38061 drivers/atm/he.c | 18 +-
38062 drivers/atm/horizon.c | 4 +-
38063 drivers/atm/idt77252.c | 36 +-
38064 drivers/atm/iphase.c | 34 +-
38065 drivers/atm/lanai.c | 12 +-
38066 drivers/atm/nicstar.c | 46 +-
38067 drivers/atm/solos-pci.c | 4 +-
38068 drivers/atm/suni.c | 4 +-
38069 drivers/atm/uPD98402.c | 16 +-
38070 drivers/atm/zatm.c | 6 +-
38071 drivers/base/devtmpfs.c | 2 +-
38072 drivers/base/power/wakeup.c | 8 +-
38073 drivers/block/cciss.c | 28 +-
38074 drivers/block/cciss.h | 2 +-
38075 drivers/block/cpqarray.c | 28 +-
38076 drivers/block/cpqarray.h | 2 +-
38077 drivers/block/drbd/drbd_int.h | 6 +-
38078 drivers/block/drbd/drbd_main.c | 8 +-
38079 drivers/block/drbd/drbd_receiver.c | 18 +-
38080 drivers/block/loop.c | 2 +-
38081 drivers/cdrom/cdrom.c | 9 +-
38082 drivers/cdrom/gdrom.c | 1 -
38083 drivers/char/agp/frontend.c | 2 +-
38084 drivers/char/hpet.c | 2 +-
38085 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
38086 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
38087 drivers/char/mem.c | 41 +-
38088 drivers/char/nvram.c | 2 +-
38089 drivers/char/pcmcia/synclink_cs.c | 18 +-
38090 drivers/char/random.c | 8 +-
38091 drivers/char/sonypi.c | 9 +-
38092 drivers/char/tpm/tpm.c | 2 +-
38093 drivers/char/tpm/tpm_acpi.c | 3 +-
38094 drivers/char/tpm/tpm_eventlog.c | 7 +-
38095 drivers/char/virtio_console.c | 4 +-
38096 drivers/clocksource/arm_generic.c | 2 +-
38097 drivers/cpufreq/cpufreq.c | 2 +-
38098 drivers/cpufreq/cpufreq_stats.c | 2 +-
38099 drivers/dma/sh/shdma.c | 2 +-
38100 drivers/edac/edac_pci_sysfs.c | 20 +-
38101 drivers/edac/mce_amd.h | 2 +-
38102 drivers/firewire/core-card.c | 2 +-
38103 drivers/firewire/core-cdev.c | 3 +-
38104 drivers/firewire/core-transaction.c | 1 +
38105 drivers/firewire/core.h | 1 +
38106 drivers/firmware/dmi_scan.c | 7 +-
38107 drivers/firmware/efivars.c | 2 +-
38108 drivers/gpio/gpio-vr41xx.c | 2 +-
38109 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
38110 drivers/gpu/drm/drm_drv.c | 4 +-
38111 drivers/gpu/drm/drm_fops.c | 18 +-
38112 drivers/gpu/drm/drm_global.c | 14 +-
38113 drivers/gpu/drm/drm_info.c | 14 +-
38114 drivers/gpu/drm/drm_ioc32.c | 4 +-
38115 drivers/gpu/drm/drm_ioctl.c | 2 +-
38116 drivers/gpu/drm/drm_lock.c | 4 +-
38117 drivers/gpu/drm/drm_stub.c | 2 +-
38118 drivers/gpu/drm/i810/i810_dma.c | 8 +-
38119 drivers/gpu/drm/i810/i810_drv.h | 4 +-
38120 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
38121 drivers/gpu/drm/i915/i915_dma.c | 2 +-
38122 drivers/gpu/drm/i915/i915_drv.h | 6 +-
38123 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
38124 drivers/gpu/drm/i915/i915_irq.c | 22 +-
38125 drivers/gpu/drm/i915/intel_display.c | 9 +-
38126 drivers/gpu/drm/mga/mga_drv.h | 4 +-
38127 drivers/gpu/drm/mga/mga_irq.c | 8 +-
38128 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
38129 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
38130 drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
38131 drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
38132 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
38133 drivers/gpu/drm/r128/r128_cce.c | 2 +-
38134 drivers/gpu/drm/r128/r128_drv.h | 4 +-
38135 drivers/gpu/drm/r128/r128_irq.c | 4 +-
38136 drivers/gpu/drm/r128/r128_state.c | 4 +-
38137 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
38138 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
38139 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
38140 drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
38141 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
38142 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
38143 drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
38144 drivers/gpu/drm/radeon/rs690.c | 4 +-
38145 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
38146 drivers/gpu/drm/via/via_drv.h | 4 +-
38147 drivers/gpu/drm/via/via_irq.c | 18 +-
38148 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
38149 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
38150 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
38151 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
38152 drivers/hid/hid-core.c | 4 +-
38153 drivers/hv/channel.c | 4 +-
38154 drivers/hv/hv.c | 2 +-
38155 drivers/hv/hyperv_vmbus.h | 2 +-
38156 drivers/hv/vmbus_drv.c | 4 +-
38157 drivers/hwmon/coretemp.c | 2 +-
38158 drivers/hwmon/sht15.c | 12 +-
38159 drivers/hwmon/via-cputemp.c | 2 +-
38160 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
38161 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
38162 drivers/ide/ide-cd.c | 2 +-
38163 drivers/infiniband/core/cm.c | 32 +-
38164 drivers/infiniband/core/fmr_pool.c | 20 +-
38165 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
38166 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
38167 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
38168 drivers/infiniband/hw/nes/nes.c | 4 +-
38169 drivers/infiniband/hw/nes/nes.h | 40 +-
38170 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
38171 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
38172 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
38173 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
38174 drivers/infiniband/hw/qib/qib.h | 1 +
38175 drivers/input/gameport/gameport.c | 4 +-
38176 drivers/input/input.c | 4 +-
38177 drivers/input/joystick/sidewinder.c | 1 +
38178 drivers/input/joystick/xpad.c | 4 +-
38179 drivers/input/mousedev.c | 2 +-
38180 drivers/input/serio/serio.c | 4 +-
38181 drivers/isdn/capi/capi.c | 10 +-
38182 drivers/isdn/gigaset/interface.c | 8 +-
38183 drivers/isdn/hardware/avm/b1.c | 4 +-
38184 drivers/isdn/i4l/isdn_tty.c | 22 +-
38185 drivers/isdn/icn/icn.c | 2 +-
38186 drivers/lguest/core.c | 10 +-
38187 drivers/lguest/x86/core.c | 12 +-
38188 drivers/lguest/x86/switcher_32.S | 27 +-
38189 drivers/md/bitmap.c | 2 +-
38190 drivers/md/dm-ioctl.c | 2 +-
38191 drivers/md/dm-raid1.c | 16 +-
38192 drivers/md/dm-stripe.c | 10 +-
38193 drivers/md/dm-table.c | 2 +-
38194 drivers/md/dm-thin-metadata.c | 4 +-
38195 drivers/md/dm.c | 16 +-
38196 drivers/md/md.c | 26 +-
38197 drivers/md/md.h | 6 +-
38198 drivers/md/persistent-data/dm-space-map.h | 1 +
38199 drivers/md/raid1.c | 4 +-
38200 drivers/md/raid10.c | 16 +-
38201 drivers/md/raid5.c | 10 +-
38202 drivers/media/dvb-core/dvbdev.c | 2 +-
38203 drivers/media/dvb-frontends/dib3000.h | 2 +-
38204 drivers/media/platform/omap/omap_vout.c | 11 +-
38205 drivers/media/platform/s5p-tv/mixer.h | 2 +-
38206 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
38207 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
38208 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
38209 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
38210 drivers/media/radio/radio-cadet.c | 2 +
38211 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
38212 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
38213 drivers/message/fusion/mptsas.c | 34 +-
38214 drivers/message/fusion/mptscsih.c | 19 +-
38215 drivers/message/i2o/i2o_proc.c | 51 +-
38216 drivers/message/i2o/iop.c | 8 +-
38217 drivers/mfd/janz-cmodio.c | 1 +
38218 drivers/misc/kgdbts.c | 4 +-
38219 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
38220 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
38221 drivers/misc/sgi-gru/gruhandles.c | 4 +-
38222 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
38223 drivers/misc/sgi-gru/grutables.h | 154 +-
38224 drivers/misc/sgi-xp/xp.h | 2 +-
38225 drivers/misc/sgi-xp/xpc.h | 3 +-
38226 drivers/misc/sgi-xp/xpc_main.c | 4 +-
38227 drivers/mmc/core/mmc_ops.c | 2 +-
38228 drivers/mmc/host/dw_mmc.h | 2 +-
38229 drivers/mmc/host/sdhci-s3c.c | 8 +-
38230 drivers/mtd/devices/doc2000.c | 2 +-
38231 drivers/mtd/nand/denali.c | 1 +
38232 drivers/mtd/nftlmount.c | 1 +
38233 drivers/net/ethernet/8390/ax88796.c | 4 +-
38234 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
38235 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
38236 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
38237 drivers/net/ethernet/broadcom/tg3.h | 1 +
38238 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
38239 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
38240 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
38241 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
38242 drivers/net/ethernet/faraday/ftmac100.c | 2 +
38243 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
38244 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
38245 drivers/net/ethernet/realtek/r8169.c | 8 +-
38246 drivers/net/ethernet/sfc/ptp.c | 2 +-
38247 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
38248 drivers/net/hyperv/hyperv_net.h | 2 +-
38249 drivers/net/hyperv/rndis_filter.c | 4 +-
38250 drivers/net/ieee802154/fakehard.c | 2 +-
38251 drivers/net/macvlan.c | 2 +-
38252 drivers/net/macvtap.c | 2 +-
38253 drivers/net/ppp/ppp_generic.c | 4 +-
38254 drivers/net/team/team.c | 2 +-
38255 drivers/net/tun.c | 5 +-
38256 drivers/net/usb/hso.c | 23 +-
38257 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
38258 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
38259 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
38260 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
38261 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
38262 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
38263 drivers/net/wireless/mac80211_hwsim.c | 32 +-
38264 drivers/net/wireless/rndis_wlan.c | 2 +-
38265 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
38266 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
38267 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
38268 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
38269 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
38270 drivers/oprofile/buffer_sync.c | 8 +-
38271 drivers/oprofile/event_buffer.c | 2 +-
38272 drivers/oprofile/oprof.c | 2 +-
38273 drivers/oprofile/oprofile_stats.c | 10 +-
38274 drivers/oprofile/oprofile_stats.h | 10 +-
38275 drivers/oprofile/oprofilefs.c | 2 +-
38276 drivers/oprofile/timer_int.c | 2 +-
38277 drivers/parport/procfs.c | 4 +-
38278 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
38279 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
38280 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
38281 drivers/pci/pcie/aspm.c | 6 +-
38282 drivers/pci/probe.c | 2 +-
38283 drivers/platform/x86/thinkpad_acpi.c | 70 +-
38284 drivers/pnp/pnpbios/bioscalls.c | 14 +-
38285 drivers/pnp/resource.c | 4 +-
38286 drivers/power/pda_power.c | 7 +-
38287 drivers/regulator/max8660.c | 6 +-
38288 drivers/regulator/max8973-regulator.c | 8 +-
38289 drivers/regulator/mc13892-regulator.c | 6 +-
38290 drivers/scsi/bfa/bfa.h | 2 +-
38291 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
38292 drivers/scsi/bfa/bfa_ioc.h | 4 +-
38293 drivers/scsi/hosts.c | 4 +-
38294 drivers/scsi/hpsa.c | 30 +-
38295 drivers/scsi/hpsa.h | 2 +-
38296 drivers/scsi/libfc/fc_exch.c | 50 +-
38297 drivers/scsi/libsas/sas_ata.c | 2 +-
38298 drivers/scsi/lpfc/lpfc.h | 8 +-
38299 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
38300 drivers/scsi/lpfc/lpfc_init.c | 6 +-
38301 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
38302 drivers/scsi/pmcraid.c | 20 +-
38303 drivers/scsi/pmcraid.h | 8 +-
38304 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
38305 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
38306 drivers/scsi/qla2xxx/qla_os.c | 6 +-
38307 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
38308 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
38309 drivers/scsi/scsi.c | 2 +-
38310 drivers/scsi/scsi_lib.c | 6 +-
38311 drivers/scsi/scsi_sysfs.c | 2 +-
38312 drivers/scsi/scsi_tgt_lib.c | 2 +-
38313 drivers/scsi/scsi_transport_fc.c | 8 +-
38314 drivers/scsi/scsi_transport_iscsi.c | 6 +-
38315 drivers/scsi/scsi_transport_srp.c | 6 +-
38316 drivers/scsi/sd.c | 2 +-
38317 drivers/scsi/sg.c | 2 +-
38318 drivers/spi/spi.c | 2 +-
38319 drivers/staging/octeon/ethernet-rx.c | 12 +-
38320 drivers/staging/octeon/ethernet.c | 8 +-
38321 drivers/staging/ramster/tmem.c | 54 +-
38322 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
38323 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
38324 drivers/staging/usbip/vhci.h | 2 +-
38325 drivers/staging/usbip/vhci_hcd.c | 6 +-
38326 drivers/staging/usbip/vhci_rx.c | 2 +-
38327 drivers/staging/vt6655/hostap.c | 7 +-
38328 drivers/staging/vt6656/hostap.c | 7 +-
38329 drivers/staging/zcache/tmem.c | 4 +-
38330 drivers/staging/zcache/tmem.h | 2 +
38331 drivers/target/target_core_device.c | 2 +-
38332 drivers/target/target_core_transport.c | 2 +-
38333 drivers/tty/cyclades.c | 6 +-
38334 drivers/tty/hvc/hvc_console.c | 14 +-
38335 drivers/tty/hvc/hvcs.c | 21 +-
38336 drivers/tty/ipwireless/tty.c | 27 +-
38337 drivers/tty/moxa.c | 2 +-
38338 drivers/tty/n_gsm.c | 4 +-
38339 drivers/tty/n_tty.c | 3 +-
38340 drivers/tty/pty.c | 4 +-
38341 drivers/tty/rocket.c | 6 +-
38342 drivers/tty/serial/kgdboc.c | 32 +-
38343 drivers/tty/serial/samsung.c | 9 +-
38344 drivers/tty/serial/serial_core.c | 8 +-
38345 drivers/tty/synclink.c | 34 +-
38346 drivers/tty/synclink_gt.c | 28 +-
38347 drivers/tty/synclinkmp.c | 34 +-
38348 drivers/tty/tty_io.c | 2 +-
38349 drivers/tty/tty_ldisc.c | 10 +-
38350 drivers/tty/tty_port.c | 22 +-
38351 drivers/uio/uio.c | 21 +-
38352 drivers/usb/atm/cxacru.c | 2 +-
38353 drivers/usb/atm/usbatm.c | 24 +-
38354 drivers/usb/core/devices.c | 6 +-
38355 drivers/usb/core/hcd.c | 4 +-
38356 drivers/usb/core/sysfs.c | 2 +-
38357 drivers/usb/core/usb.c | 2 +-
38358 drivers/usb/early/ehci-dbgp.c | 16 +-
38359 drivers/usb/gadget/u_serial.c | 22 +-
38360 drivers/usb/serial/console.c | 6 +-
38361 drivers/usb/wusbcore/wa-hc.h | 4 +-
38362 drivers/usb/wusbcore/wa-xfer.c | 2 +-
38363 drivers/video/aty/aty128fb.c | 2 +-
38364 drivers/video/fbcmap.c | 3 +-
38365 drivers/video/fbmem.c | 6 +-
38366 drivers/video/i810/i810_accel.c | 1 +
38367 drivers/video/udlfb.c | 32 +-
38368 drivers/video/uvesafb.c | 39 +-
38369 drivers/video/vesafb.c | 51 +-
38370 drivers/video/via/via_clock.h | 2 +-
38371 fs/9p/vfs_inode.c | 2 +-
38372 fs/Kconfig.binfmt | 2 +-
38373 fs/aio.c | 11 +-
38374 fs/autofs4/waitq.c | 2 +-
38375 fs/befs/linuxvfs.c | 2 +-
38376 fs/binfmt_aout.c | 23 +-
38377 fs/binfmt_elf.c | 604 ++++-
38378 fs/binfmt_flat.c | 6 +
38379 fs/bio.c | 6 +-
38380 fs/block_dev.c | 2 +-
38381 fs/btrfs/ctree.c | 9 +-
38382 fs/btrfs/relocation.c | 2 +-
38383 fs/btrfs/super.c | 2 +-
38384 fs/cachefiles/bind.c | 6 +-
38385 fs/cachefiles/daemon.c | 8 +-
38386 fs/cachefiles/internal.h | 12 +-
38387 fs/cachefiles/namei.c | 2 +-
38388 fs/cachefiles/proc.c | 12 +-
38389 fs/cachefiles/rdwr.c | 2 +-
38390 fs/ceph/dir.c | 2 +-
38391 fs/cifs/cifs_debug.c | 12 +-
38392 fs/cifs/cifsfs.c | 8 +-
38393 fs/cifs/cifsglob.h | 54 +-
38394 fs/cifs/link.c | 2 +-
38395 fs/cifs/misc.c | 4 +-
38396 fs/cifs/smb1ops.c | 80 +-
38397 fs/cifs/smb2ops.c | 84 +-
38398 fs/cifs/smb2pdu.c | 3 +-
38399 fs/coda/cache.c | 10 +-
38400 fs/compat.c | 6 +-
38401 fs/compat_binfmt_elf.c | 2 +
38402 fs/compat_ioctl.c | 8 +-
38403 fs/configfs/dir.c | 10 +-
38404 fs/coredump.c | 24 +-
38405 fs/dcache.c | 2 +-
38406 fs/ecryptfs/inode.c | 4 +-
38407 fs/ecryptfs/miscdev.c | 2 +-
38408 fs/ecryptfs/read_write.c | 4 +-
38409 fs/exec.c | 356 ++-
38410 fs/ext4/ext4.h | 20 +-
38411 fs/ext4/mballoc.c | 44 +-
38412 fs/fhandle.c | 3 +-
38413 fs/fifo.c | 22 +-
38414 fs/fs_struct.c | 8 +-
38415 fs/fscache/cookie.c | 36 +-
38416 fs/fscache/internal.h | 196 +-
38417 fs/fscache/object.c | 28 +-
38418 fs/fscache/operation.c | 30 +-
38419 fs/fscache/page.c | 110 +-
38420 fs/fscache/stats.c | 344 +-
38421 fs/fuse/cuse.c | 10 +-
38422 fs/fuse/dev.c | 2 +-
38423 fs/fuse/dir.c | 2 +-
38424 fs/gfs2/inode.c | 2 +-
38425 fs/hugetlbfs/inode.c | 13 +-
38426 fs/inode.c | 4 +-
38427 fs/jffs2/erase.c | 3 +-
38428 fs/jffs2/wbuf.c | 3 +-
38429 fs/jfs/super.c | 2 +-
38430 fs/libfs.c | 10 +-
38431 fs/lockd/clntproc.c | 4 +-
38432 fs/locks.c | 8 +-
38433 fs/namei.c | 15 +-
38434 fs/namespace.c | 2 +-
38435 fs/nfs/inode.c | 6 +-
38436 fs/nfsd/vfs.c | 6 +-
38437 fs/notify/fanotify/fanotify_user.c | 4 +-
38438 fs/notify/notification.c | 4 +-
38439 fs/ntfs/dir.c | 2 +-
38440 fs/ntfs/file.c | 4 +-
38441 fs/ocfs2/localalloc.c | 2 +-
38442 fs/ocfs2/ocfs2.h | 10 +-
38443 fs/ocfs2/suballoc.c | 12 +-
38444 fs/ocfs2/super.c | 20 +-
38445 fs/pipe.c | 33 +-
38446 fs/proc/array.c | 20 +
38447 fs/proc/kcore.c | 32 +-
38448 fs/proc/meminfo.c | 2 +-
38449 fs/proc/nommu.c | 2 +-
38450 fs/proc/self.c | 2 +-
38451 fs/proc/task_mmu.c | 39 +-
38452 fs/proc/task_nommu.c | 4 +-
38453 fs/quota/netlink.c | 4 +-
38454 fs/readdir.c | 2 +-
38455 fs/reiserfs/do_balan.c | 2 +-
38456 fs/reiserfs/procfs.c | 2 +-
38457 fs/reiserfs/reiserfs.h | 4 +-
38458 fs/seq_file.c | 2 +-
38459 fs/splice.c | 36 +-
38460 fs/sysfs/file.c | 10 +-
38461 fs/sysfs/symlink.c | 2 +-
38462 fs/udf/misc.c | 2 +-
38463 fs/xattr_acl.c | 4 +-
38464 fs/xfs/xfs_bmap.c | 2 +-
38465 fs/xfs/xfs_dir2_sf.c | 10 +-
38466 fs/xfs/xfs_ioctl.c | 2 +-
38467 fs/xfs/xfs_iops.c | 2 +-
38468 include/asm-generic/4level-fixup.h | 2 +
38469 include/asm-generic/atomic-long.h | 210 ++
38470 include/asm-generic/atomic.h | 2 +-
38471 include/asm-generic/atomic64.h | 12 +
38472 include/asm-generic/cache.h | 4 +-
38473 include/asm-generic/emergency-restart.h | 2 +-
38474 include/asm-generic/kmap_types.h | 4 +-
38475 include/asm-generic/local.h | 13 +
38476 include/asm-generic/pgtable-nopmd.h | 18 +-
38477 include/asm-generic/pgtable-nopud.h | 15 +-
38478 include/asm-generic/pgtable.h | 8 +
38479 include/asm-generic/vmlinux.lds.h | 10 +-
38480 include/crypto/algapi.h | 2 +-
38481 include/drm/drmP.h | 5 +-
38482 include/drm/drm_crtc_helper.h | 2 +-
38483 include/drm/ttm/ttm_memory.h | 2 +-
38484 include/linux/atmdev.h | 2 +-
38485 include/linux/binfmts.h | 1 +
38486 include/linux/blkdev.h | 2 +-
38487 include/linux/blktrace_api.h | 2 +-
38488 include/linux/cache.h | 4 +
38489 include/linux/cdrom.h | 1 -
38490 include/linux/cleancache.h | 2 +-
38491 include/linux/compiler-gcc4.h | 20 +
38492 include/linux/compiler.h | 72 +-
38493 include/linux/cpu.h | 2 +-
38494 include/linux/crypto.h | 6 +-
38495 include/linux/decompress/mm.h | 2 +-
38496 include/linux/dma-mapping.h | 2 +-
38497 include/linux/dmaengine.h | 4 +-
38498 include/linux/efi.h | 1 +
38499 include/linux/elf.h | 2 +
38500 include/linux/filter.h | 4 +
38501 include/linux/frontswap.h | 2 +-
38502 include/linux/fs.h | 3 +-
38503 include/linux/fs_struct.h | 2 +-
38504 include/linux/fscache-cache.h | 4 +-
38505 include/linux/fsnotify.h | 2 +-
38506 include/linux/ftrace_event.h | 2 +-
38507 include/linux/genhd.h | 2 +-
38508 include/linux/gfp.h | 12 +-
38509 include/linux/highmem.h | 12 +
38510 include/linux/i2c.h | 1 +
38511 include/linux/i2o.h | 2 +-
38512 include/linux/if_pppox.h | 2 +-
38513 include/linux/init.h | 33 +-
38514 include/linux/init_task.h | 7 +
38515 include/linux/interrupt.h | 8 +-
38516 include/linux/kgdb.h | 6 +-
38517 include/linux/kobject.h | 2 +-
38518 include/linux/kref.h | 2 +-
38519 include/linux/kvm_host.h | 4 +-
38520 include/linux/libata.h | 2 +-
38521 include/linux/list.h | 3 +
38522 include/linux/mm.h | 91 +-
38523 include/linux/mm_types.h | 22 +-
38524 include/linux/mmiotrace.h | 4 +-
38525 include/linux/mmzone.h | 2 +-
38526 include/linux/mod_devicetable.h | 4 +-
38527 include/linux/module.h | 55 +-
38528 include/linux/moduleloader.h | 18 +-
38529 include/linux/moduleparam.h | 4 +-
38530 include/linux/namei.h | 6 +-
38531 include/linux/netdevice.h | 3 +-
38532 include/linux/netfilter/ipset/ip_set.h | 2 +-
38533 include/linux/netfilter/nfnetlink.h | 2 +-
38534 include/linux/notifier.h | 3 +-
38535 include/linux/oprofile.h | 4 +-
38536 include/linux/perf_event.h | 10 +-
38537 include/linux/pipe_fs_i.h | 6 +-
38538 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
38539 include/linux/pm_runtime.h | 2 +-
38540 include/linux/poison.h | 4 +-
38541 include/linux/power/smartreflex.h | 2 +-
38542 include/linux/random.h | 5 +
38543 include/linux/reboot.h | 14 +-
38544 include/linux/regset.h | 3 +-
38545 include/linux/relay.h | 2 +-
38546 include/linux/rio.h | 2 +-
38547 include/linux/rmap.h | 4 +-
38548 include/linux/sched.h | 64 +-
38549 include/linux/seq_file.h | 1 +
38550 include/linux/skbuff.h | 12 +-
38551 include/linux/slab.h | 36 +-
38552 include/linux/slab_def.h | 33 +-
38553 include/linux/slob_def.h | 4 +-
38554 include/linux/slub_def.h | 10 +-
38555 include/linux/sonet.h | 2 +-
38556 include/linux/sunrpc/clnt.h | 8 +-
38557 include/linux/sunrpc/svc_rdma.h | 18 +-
38558 include/linux/sysrq.h | 2 +-
38559 include/linux/thread_info.h | 7 +
38560 include/linux/tty.h | 4 +-
38561 include/linux/tty_driver.h | 2 +-
38562 include/linux/tty_ldisc.h | 2 +-
38563 include/linux/types.h | 16 +
38564 include/linux/uaccess.h | 6 +-
38565 include/linux/unaligned/access_ok.h | 12 +-
38566 include/linux/usb.h | 2 +-
38567 include/linux/usb/renesas_usbhs.h | 2 +-
38568 include/linux/vermagic.h | 21 +-
38569 include/linux/vmalloc.h | 11 +-
38570 include/linux/vmstat.h | 20 +-
38571 include/media/v4l2-dev.h | 2 +-
38572 include/media/v4l2-ioctl.h | 1 -
38573 include/net/caif/cfctrl.h | 6 +-
38574 include/net/flow.h | 2 +-
38575 include/net/gro_cells.h | 6 +-
38576 include/net/inet_connection_sock.h | 2 +-
38577 include/net/inetpeer.h | 8 +-
38578 include/net/ip_fib.h | 2 +-
38579 include/net/ip_vs.h | 4 +-
38580 include/net/irda/ircomm_tty.h | 1 +
38581 include/net/iucv/af_iucv.h | 2 +-
38582 include/net/neighbour.h | 2 +-
38583 include/net/net_namespace.h | 6 +-
38584 include/net/netdma.h | 2 +-
38585 include/net/netlink.h | 2 +-
38586 include/net/netns/ipv4.h | 2 +-
38587 include/net/protocol.h | 4 +-
38588 include/net/sctp/sctp.h | 6 +-
38589 include/net/sctp/structs.h | 4 +-
38590 include/net/sock.h | 6 +-
38591 include/net/tcp.h | 8 +-
38592 include/net/xfrm.h | 4 +-
38593 include/rdma/iw_cm.h | 2 +-
38594 include/scsi/libfc.h | 3 +-
38595 include/scsi/scsi_device.h | 6 +-
38596 include/scsi/scsi_transport_fc.h | 3 +-
38597 include/sound/soc.h | 4 +-
38598 include/target/target_core_base.h | 2 +-
38599 include/trace/events/irq.h | 4 +-
38600 include/uapi/linux/a.out.h | 8 +
38601 include/uapi/linux/byteorder/little_endian.h | 24 +-
38602 include/uapi/linux/elf.h | 28 +
38603 include/uapi/linux/screen_info.h | 3 +-
38604 include/uapi/linux/sysctl.h | 6 +-
38605 include/uapi/linux/xattr.h | 4 +
38606 include/video/udlfb.h | 8 +-
38607 include/video/uvesafb.h | 1 +
38608 init/Kconfig | 2 +-
38609 init/Makefile | 3 +
38610 init/do_mounts.c | 14 +-
38611 init/do_mounts.h | 8 +-
38612 init/do_mounts_initrd.c | 22 +-
38613 init/do_mounts_md.c | 6 +-
38614 init/init_task.c | 4 +
38615 init/initramfs.c | 40 +-
38616 init/main.c | 78 +-
38617 ipc/msg.c | 11 +-
38618 ipc/sem.c | 11 +-
38619 ipc/shm.c | 17 +-
38620 kernel/acct.c | 2 +-
38621 kernel/audit.c | 8 +-
38622 kernel/auditsc.c | 4 +-
38623 kernel/capability.c | 3 +
38624 kernel/compat.c | 40 +-
38625 kernel/debug/debug_core.c | 16 +-
38626 kernel/debug/kdb/kdb_main.c | 4 +-
38627 kernel/events/core.c | 28 +-
38628 kernel/exit.c | 4 +-
38629 kernel/fork.c | 167 +-
38630 kernel/futex.c | 9 +
38631 kernel/gcov/base.c | 7 +-
38632 kernel/hrtimer.c | 4 +-
38633 kernel/jump_label.c | 5 +
38634 kernel/kallsyms.c | 39 +-
38635 kernel/kexec.c | 3 +-
38636 kernel/kmod.c | 2 +-
38637 kernel/kprobes.c | 8 +-
38638 kernel/lockdep.c | 7 +-
38639 kernel/module.c | 333 ++-
38640 kernel/mutex-debug.c | 12 +-
38641 kernel/mutex-debug.h | 4 +-
38642 kernel/mutex.c | 7 +-
38643 kernel/notifier.c | 17 +-
38644 kernel/panic.c | 3 +-
38645 kernel/pid.c | 2 +-
38646 kernel/posix-cpu-timers.c | 4 +-
38647 kernel/posix-timers.c | 20 +-
38648 kernel/power/process.c | 12 +-
38649 kernel/profile.c | 14 +-
38650 kernel/ptrace.c | 6 +-
38651 kernel/rcutiny.c | 4 +-
38652 kernel/rcutiny_plugin.h | 2 +-
38653 kernel/rcutorture.c | 56 +-
38654 kernel/rcutree.c | 72 +-
38655 kernel/rcutree.h | 24 +-
38656 kernel/rcutree_plugin.h | 18 +-
38657 kernel/rcutree_trace.c | 22 +-
38658 kernel/rtmutex-tester.c | 24 +-
38659 kernel/sched/auto_group.c | 4 +-
38660 kernel/sched/core.c | 2 +-
38661 kernel/sched/fair.c | 4 +-
38662 kernel/signal.c | 12 +-
38663 kernel/smp.c | 2 +-
38664 kernel/softirq.c | 16 +-
38665 kernel/srcu.c | 6 +-
38666 kernel/stop_machine.c | 2 +-
38667 kernel/sys.c | 12 +-
38668 kernel/sysctl.c | 37 +-
38669 kernel/sysctl_binary.c | 14 +-
38670 kernel/time/alarmtimer.c | 2 +-
38671 kernel/time/tick-broadcast.c | 2 +-
38672 kernel/time/timer_stats.c | 10 +-
38673 kernel/timer.c | 4 +-
38674 kernel/trace/blktrace.c | 6 +-
38675 kernel/trace/ftrace.c | 20 +-
38676 kernel/trace/ring_buffer.c | 76 +-
38677 kernel/trace/trace.c | 6 +-
38678 kernel/trace/trace_events.c | 25 +-
38679 kernel/trace/trace_mmiotrace.c | 8 +-
38680 kernel/trace/trace_output.c | 12 +-
38681 kernel/trace/trace_stack.c | 2 +-
38682 lib/Makefile | 2 +-
38683 lib/bitmap.c | 8 +-
38684 lib/bug.c | 2 +
38685 lib/debugobjects.c | 2 +-
38686 lib/devres.c | 4 +-
38687 lib/dma-debug.c | 4 +-
38688 lib/inflate.c | 2 +-
38689 lib/ioremap.c | 4 +-
38690 lib/list_debug.c | 89 +-
38691 lib/radix-tree.c | 2 +-
38692 lib/strncpy_from_user.c | 2 +-
38693 lib/strnlen_user.c | 2 +-
38694 lib/vsprintf.c | 12 +-
38695 mm/Kconfig | 6 +-
38696 mm/filemap.c | 2 +-
38697 mm/fremap.c | 5 +
38698 mm/highmem.c | 7 +-
38699 mm/hugetlb.c | 54 +
38700 mm/internal.h | 1 +
38701 mm/maccess.c | 4 +-
38702 mm/madvise.c | 41 +
38703 mm/memory-failure.c | 18 +-
38704 mm/memory.c | 404 ++-
38705 mm/mempolicy.c | 26 +
38706 mm/mlock.c | 16 +-
38707 mm/mmap.c | 573 +++-
38708 mm/mprotect.c | 138 +-
38709 mm/mremap.c | 44 +-
38710 mm/nommu.c | 11 +-
38711 mm/page-writeback.c | 2 +-
38712 mm/page_alloc.c | 14 +-
38713 mm/percpu.c | 2 +-
38714 mm/process_vm_access.c | 14 +-
38715 mm/rmap.c | 38 +-
38716 mm/shmem.c | 19 +-
38717 mm/slab.c | 104 +-
38718 mm/slab.h | 5 +-
38719 mm/slab_common.c | 9 +-
38720 mm/slob.c | 200 +-
38721 mm/slub.c | 98 +-
38722 mm/sparse-vmemmap.c | 4 +-
38723 mm/sparse.c | 2 +-
38724 mm/swap.c | 3 +
38725 mm/swapfile.c | 12 +-
38726 mm/util.c | 6 +
38727 mm/vmalloc.c | 82 +-
38728 mm/vmstat.c | 12 +-
38729 net/8021q/vlan.c | 5 +-
38730 net/9p/trans_fd.c | 2 +-
38731 net/atm/atm_misc.c | 8 +-
38732 net/atm/lec.h | 2 +-
38733 net/atm/proc.c | 6 +-
38734 net/atm/resources.c | 4 +-
38735 net/batman-adv/bat_iv_ogm.c | 8 +-
38736 net/batman-adv/hard-interface.c | 4 +-
38737 net/batman-adv/soft-interface.c | 4 +-
38738 net/batman-adv/types.h | 6 +-
38739 net/batman-adv/unicast.c | 2 +-
38740 net/bluetooth/hci_sock.c | 2 +-
38741 net/bluetooth/l2cap_core.c | 6 +-
38742 net/bluetooth/l2cap_sock.c | 12 +-
38743 net/bluetooth/rfcomm/sock.c | 4 +-
38744 net/bluetooth/rfcomm/tty.c | 10 +-
38745 net/bridge/netfilter/ebtables.c | 6 +-
38746 net/caif/cfctrl.c | 11 +-
38747 net/can/af_can.c | 2 +-
38748 net/can/gw.c | 6 +-
38749 net/compat.c | 34 +-
38750 net/core/datagram.c | 2 +-
38751 net/core/dev.c | 16 +-
38752 net/core/flow.c | 8 +-
38753 net/core/iovec.c | 4 +-
38754 net/core/rtnetlink.c | 2 +-
38755 net/core/scm.c | 8 +-
38756 net/core/sock.c | 24 +-
38757 net/decnet/sysctl_net_decnet.c | 4 +-
38758 net/ipv4/ah4.c | 2 +-
38759 net/ipv4/esp4.c | 2 +-
38760 net/ipv4/fib_frontend.c | 6 +-
38761 net/ipv4/fib_semantics.c | 2 +-
38762 net/ipv4/inetpeer.c | 4 +-
38763 net/ipv4/ip_fragment.c | 2 +-
38764 net/ipv4/ip_sockglue.c | 2 +-
38765 net/ipv4/ipcomp.c | 2 +-
38766 net/ipv4/ipconfig.c | 6 +-
38767 net/ipv4/netfilter/arp_tables.c | 12 +-
38768 net/ipv4/netfilter/ip_tables.c | 12 +-
38769 net/ipv4/ping.c | 2 +-
38770 net/ipv4/raw.c | 14 +-
38771 net/ipv4/route.c | 2 +-
38772 net/ipv4/tcp_input.c | 2 +-
38773 net/ipv4/tcp_probe.c | 2 +-
38774 net/ipv4/udp.c | 10 +-
38775 net/ipv6/addrconf.c | 2 +-
38776 net/ipv6/ip6_gre.c | 2 +-
38777 net/ipv6/ipv6_sockglue.c | 2 +-
38778 net/ipv6/netfilter/ip6_tables.c | 12 +-
38779 net/ipv6/raw.c | 19 +-
38780 net/ipv6/udp.c | 8 +-
38781 net/irda/ircomm/ircomm_tty.c | 18 +-
38782 net/iucv/af_iucv.c | 4 +-
38783 net/iucv/iucv.c | 2 +-
38784 net/key/af_key.c | 4 +-
38785 net/mac80211/cfg.c | 4 +-
38786 net/mac80211/ieee80211_i.h | 3 +-
38787 net/mac80211/iface.c | 14 +-
38788 net/mac80211/main.c | 2 +-
38789 net/mac80211/pm.c | 6 +-
38790 net/mac80211/rate.c | 2 +-
38791 net/mac80211/rc80211_pid_debugfs.c | 2 +-
38792 net/mac80211/util.c | 2 +-
38793 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
38794 net/netfilter/ipvs/ip_vs_core.c | 4 +-
38795 net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
38796 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
38797 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
38798 net/netfilter/nfnetlink_log.c | 4 +-
38799 net/netfilter/xt_statistic.c | 8 +-
38800 net/netlink/af_netlink.c | 4 +-
38801 net/packet/af_packet.c | 12 +-
38802 net/phonet/pep.c | 6 +-
38803 net/phonet/socket.c | 2 +-
38804 net/rds/cong.c | 6 +-
38805 net/rds/ib.h | 2 +-
38806 net/rds/ib_cm.c | 2 +-
38807 net/rds/ib_recv.c | 4 +-
38808 net/rds/iw.h | 2 +-
38809 net/rds/iw_cm.c | 2 +-
38810 net/rds/iw_recv.c | 4 +-
38811 net/rds/tcp.c | 2 +-
38812 net/rds/tcp_send.c | 2 +-
38813 net/rxrpc/af_rxrpc.c | 2 +-
38814 net/rxrpc/ar-ack.c | 14 +-
38815 net/rxrpc/ar-call.c | 2 +-
38816 net/rxrpc/ar-connection.c | 2 +-
38817 net/rxrpc/ar-connevent.c | 2 +-
38818 net/rxrpc/ar-input.c | 4 +-
38819 net/rxrpc/ar-internal.h | 8 +-
38820 net/rxrpc/ar-local.c | 2 +-
38821 net/rxrpc/ar-output.c | 4 +-
38822 net/rxrpc/ar-peer.c | 2 +-
38823 net/rxrpc/ar-proc.c | 4 +-
38824 net/rxrpc/ar-transport.c | 2 +-
38825 net/rxrpc/rxkad.c | 4 +-
38826 net/sctp/ipv6.c | 2 +-
38827 net/sctp/protocol.c | 8 +-
38828 net/sctp/socket.c | 2 +
38829 net/socket.c | 34 +-
38830 net/sunrpc/sched.c | 4 +-
38831 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
38832 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
38833 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
38834 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
38835 net/tipc/link.c | 6 +-
38836 net/tipc/msg.c | 2 +-
38837 net/tipc/subscr.c | 2 +-
38838 net/wireless/wext-core.c | 19 +-
38839 net/xfrm/xfrm_policy.c | 16 +-
38840 net/xfrm/xfrm_state.c | 4 +-
38841 scripts/Makefile.build | 2 +-
38842 scripts/Makefile.clean | 3 +-
38843 scripts/Makefile.host | 28 +-
38844 scripts/basic/fixdep.c | 12 +-
38845 scripts/gcc-plugin.sh | 17 +
38846 scripts/link-vmlinux.sh | 2 +-
38847 scripts/mod/file2alias.c | 14 +-
38848 scripts/mod/modpost.c | 25 +-
38849 scripts/mod/modpost.h | 6 +-
38850 scripts/mod/sumversion.c | 2 +-
38851 scripts/pnmtologo.c | 6 +-
38852 security/Kconfig | 654 ++++-
38853 security/integrity/ima/ima.h | 4 +-
38854 security/integrity/ima/ima_api.c | 2 +-
38855 security/integrity/ima/ima_fs.c | 4 +-
38856 security/integrity/ima/ima_queue.c | 2 +-
38857 security/keys/compat.c | 2 +-
38858 security/keys/keyctl.c | 8 +-
38859 security/keys/keyring.c | 6 +-
38860 security/security.c | 9 +-
38861 security/selinux/hooks.c | 2 +-
38862 security/selinux/include/xfrm.h | 2 +-
38863 security/smack/smack_lsm.c | 2 +-
38864 security/tomoyo/tomoyo.c | 2 +-
38865 sound/aoa/codecs/onyx.c | 7 +-
38866 sound/aoa/codecs/onyx.h | 1 +
38867 sound/core/oss/pcm_oss.c | 18 +-
38868 sound/core/pcm_compat.c | 2 +-
38869 sound/core/pcm_native.c | 4 +-
38870 sound/core/seq/seq_device.c | 8 +-
38871 sound/drivers/mts64.c | 14 +-
38872 sound/drivers/opl4/opl4_lib.c | 2 +-
38873 sound/drivers/portman2x4.c | 3 +-
38874 sound/firewire/amdtp.c | 4 +-
38875 sound/firewire/amdtp.h | 2 +-
38876 sound/firewire/isight.c | 10 +-
38877 sound/firewire/scs1x.c | 8 +-
38878 sound/oss/sb_audio.c | 2 +-
38879 sound/oss/swarm_cs4297a.c | 6 +-
38880 sound/pci/ymfpci/ymfpci.h | 2 +-
38881 sound/pci/ymfpci/ymfpci_main.c | 12 +-
38882 tools/gcc/.gitignore | 1 +
38883 tools/gcc/Makefile | 43 +
38884 tools/gcc/checker_plugin.c | 171 +
38885 tools/gcc/colorize_plugin.c | 151 +
38886 tools/gcc/constify_plugin.c | 359 +++
38887 tools/gcc/generate_size_overflow_hash.sh | 94 +
38888 tools/gcc/kallocstat_plugin.c | 170 +
38889 tools/gcc/kernexec_plugin.c | 465 +++
38890 tools/gcc/latent_entropy_plugin.c | 321 ++
38891 tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
38892 tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
38893 tools/gcc/stackleak_plugin.c | 327 ++
38894 tools/perf/util/include/asm/alternative-asm.h | 3 +
38895 virt/kvm/kvm_main.c | 32 +-
38896 1311 files changed, 26668 insertions(+), 6394 deletions(-)
38897commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
38898Merge: 0949bd4 fc53d63
38899Author: Brad Spengler <spender@grsecurity.net>
38900Date: Thu Mar 22 19:03:44 2012 -0400
38901
38902 Merge branch 'pax-test' into grsec-test
38903
38904commit fc53d6338964741b368070ec5c935bc579b8c2a6
38905Author: Brad Spengler <spender@grsecurity.net>
38906Date: Thu Mar 22 19:02:45 2012 -0400
38907
38908 Update to pax-linux-3.2.12-test33.patch
38909
38910commit 0949bd46a6455b308f66ad7c993bfee62412db35
38911Author: Brad Spengler <spender@grsecurity.net>
38912Date: Thu Mar 22 16:56:09 2012 -0400
38913
38914 Use current_umask() instead of current->fs->umask
38915
38916commit 22f6432d0fe733619cfcb523782ed7d80c46d645
38917Author: Brad Spengler <spender@grsecurity.net>
38918Date: Wed Mar 21 19:42:42 2012 -0400
38919
38920 compile fix
38921
38922commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
38923Author: Brad Spengler <spender@grsecurity.net>
38924Date: Wed Mar 21 19:34:56 2012 -0400
38925
38926 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
38927 uses of domains with particular hash collisions
38928
38929commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
38930Author: Brad Spengler <spender@grsecurity.net>
38931Date: Tue Mar 20 20:25:49 2012 -0400
38932
38933 zero kernel_role
38934
38935commit b00953b43c69238d181d21121ef1577c988d5f6b
38936Author: Brad Spengler <spender@grsecurity.net>
38937Date: Tue Mar 20 19:29:34 2012 -0400
38938
38939 zero real_root after releasing it
38940
38941commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
38942Merge: b724f59 273f98e
38943Author: Brad Spengler <spender@grsecurity.net>
38944Date: Tue Mar 20 19:11:26 2012 -0400
38945
38946 Merge branch 'pax-test' into grsec-test
38947
38948commit 273f98e58cdac555d3b5dce5c1ca168349f95878
38949Author: Brad Spengler <spender@grsecurity.net>
38950Date: Tue Mar 20 19:10:52 2012 -0400
38951
38952 Temporary workaround for (most) size_overflow plugin false-positives
38953 Increase randomization for brk-managed heap to 21 bits
38954 Update to pax-linux-3.2.12-test32.patch
38955
38956commit b724f59125304460c2af8bd4b02921993afbb5d3
38957Author: Brad Spengler <spender@grsecurity.net>
38958Date: Tue Mar 20 18:58:53 2012 -0400
38959
38960 compile fix
38961
38962commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
38963Author: Brad Spengler <spender@grsecurity.net>
38964Date: Tue Mar 20 18:52:23 2012 -0400
38965
38966 Require default and kernel role
38967
38968commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
38969Author: Brad Spengler <spender@grsecurity.net>
38970Date: Tue Mar 20 18:47:28 2012 -0400
38971
38972 Allow policies without special roles
38973 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
38974
38975commit 402ec3d24d66d38403dc543c84851f5e72d39e22
38976Merge: 8e012dc f14661a
38977Author: Brad Spengler <spender@grsecurity.net>
38978Date: Mon Mar 19 18:06:59 2012 -0400
38979
38980 Merge branch 'pax-test' into grsec-test
38981
38982 Conflicts:
38983 fs/namei.c
38984
38985commit f14661aaf202155c97f66626cea0269017bb7775
38986Merge: eae671f 058b017
38987Author: Brad Spengler <spender@grsecurity.net>
38988Date: Mon Mar 19 18:05:44 2012 -0400
38989
38990 Merge branch 'linux-3.2.y' into pax-test
38991
38992commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
38993Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
38994Date: Fri Mar 16 17:08:39 2012 -0700
38995
38996 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
38997
38998 According to the report from Slicky Devil, nilfs caused kernel oops at
38999 nilfs_load_super_block function during mount after he shrank the
39000 partition without resizing the filesystem:
39001
39002 BUG: unable to handle kernel NULL pointer dereference at 00000048
39003 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
39004 *pde = 00000000
39005 Oops: 0000 [#1] PREEMPT SMP
39006 ...
39007 Call Trace:
39008 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
39009 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
39010 [<c0226636>] mount_fs+0x36/0x180
39011 [<c023d961>] vfs_kern_mount+0x51/0xa0
39012 [<c023ddae>] do_kern_mount+0x3e/0xe0
39013 [<c023f189>] do_mount+0x169/0x700
39014 [<c023fa9b>] sys_mount+0x6b/0xa0
39015 [<c04abd1f>] sysenter_do_call+0x12/0x28
39016 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
39017 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
39018 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
39019 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
39020 CR2: 0000000000000048
39021
39022 This turned out due to a defect in an error path which runs if the
39023 calculated location of the secondary super block was invalid.
39024
39025 This patch fixes it and eliminates the reported oops.
39026
39027 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
39028 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
39029 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
39030 Cc: <stable@vger.kernel.org> [2.6.30+]
39031 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
39032 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39033
39034commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
39035Author: Haogang Chen <haogangchen@gmail.com>
39036Date: Fri Mar 16 17:08:38 2012 -0700
39037
39038 nilfs2: clamp ns_r_segments_percentage to [1, 99]
39039
39040 ns_r_segments_percentage is read from the disk. Bogus or malicious
39041 value could cause integer overflow and malfunction due to meaningless
39042 disk usage calculation. This patch reports error when mounting such
39043 bogus volumes.
39044
39045 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
39046 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
39047 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
39048 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39049
39050commit e1a90645643f9b0194a5984ec8febd06360d5c8b
39051Author: Eric Dumazet <eric.dumazet@gmail.com>
39052Date: Sat Mar 10 09:20:21 2012 +0000
39053
39054 tcp: fix syncookie regression
39055
39056 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
39057 added a serious regression on synflood handling.
39058
39059 Simon Kirby discovered a successful connection was delayed by 20 seconds
39060 before being responsive.
39061
39062 In my tests, I discovered that xmit frames were lost, and needed ~4
39063 retransmits and a socket dst rebuild before being really sent.
39064
39065 In case of syncookie initiated connection, we use a different path to
39066 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
39067
39068 As ip_queue_xmit() now depends on inet flow being setup, fix this by
39069 copying the temp flowi4 we use in cookie_v4_check().
39070
39071 Reported-by: Simon Kirby <sim@netnation.com>
39072 Bisected-by: Simon Kirby <sim@netnation.com>
39073 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
39074 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
39075 Signed-off-by: David S. Miller <davem@davemloft.net>
39076
39077commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
39078Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
39079Date: Mon Mar 12 02:59:41 2012 +0000
39080
39081 tun: don't hold network namespace by tun sockets
39082
39083 v3: added previously removed sock_put() to the tun_release() callback, because
39084 sk_release_kernel() doesn't drop the socket reference.
39085
39086 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
39087 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
39088 call.
39089
39090 TUN was designed to destroy it's socket on network namesapce shutdown. But this
39091 will never happen for persistent device, because it's socket holds network
39092 namespace.
39093 This patch removes of holding network namespace by TUN socket and replaces it
39094 by creating socket in init_net and then changing it's net it to desired one. On
39095 shutdown socket is moved back to init_net prior to final put.
39096
39097 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
39098 Signed-off-by: David S. Miller <davem@davemloft.net>
39099
39100commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
39101Author: Tyler Hicks <tyhicks@canonical.com>
39102Date: Mon Dec 12 10:02:30 2011 -0600
39103
39104 vfs: Correctly set the dir i_mutex lockdep class
39105
39106 9a7aa12f3911853a introduced additional logic around setting the i_mutex
39107 lockdep class for directory inodes. The idea was that some filesystems
39108 may want their own special lockdep class for different directory
39109 inodes and calling unlock_new_inode() should not clobber one of
39110 those special classes.
39111
39112 I believe that the added conditional, around the *negated* return value
39113 of lockdep_match_class(), caused directory inodes to be placed in the
39114 wrong lockdep class.
39115
39116 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
39117 all inodes. If the filesystem did not change the class during inode
39118 initialization, then the conditional mentioned above was false and the
39119 directory inode was incorrectly left in the non-directory lockdep class.
39120 If the filesystem did set a special lockdep class, then the conditional
39121 mentioned above was true and that class was clobbered with
39122 i_mutex_dir_key.
39123
39124 This patch removes the negation from the conditional so that the i_mutex
39125 lockdep class is properly set for directory inodes. Special classes are
39126 preserved and directory inodes with unmodified classes are set with
39127 i_mutex_dir_key.
39128
39129 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
39130 Reviewed-by: Jan Kara <jack@suse.cz>
39131 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39132
39133commit 603590b0d2eca61ce26499eac9c563bc567a18c9
39134Author: Jan Kara <jack@suse.cz>
39135Date: Mon Feb 20 17:54:00 2012 +0100
39136
39137 udf: Fix deadlock in udf_release_file()
39138
39139 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
39140 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
39141 i_mutex is not needed in udf_release_file() anymore since protection by
39142 i_data_sem is enough to protect from races with write and truncate.
39143
39144 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
39145 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
39146 Signed-off-by: Jan Kara <jack@suse.cz>
39147 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39148
39149commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
39150Author: Miklos Szeredi <mszeredi@suse.cz>
39151Date: Tue Mar 6 13:56:33 2012 +0100
39152
39153 vfs: fix double put after complete_walk()
39154
39155 complete_walk() already puts nd->path, no need to do it again at cleanup time.
39156
39157 This would result in Oopses if triggered, apparently the codepath is not too
39158 well exercised.
39159
39160 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
39161 CC: stable@vger.kernel.org
39162 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39163
39164commit 13885ba2b18400f3ef6540497d30f1af896605e5
39165Author: Miklos Szeredi <mszeredi@suse.cz>
39166Date: Tue Mar 6 13:56:34 2012 +0100
39167
39168 vfs: fix return value from do_last()
39169
39170 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
39171 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
39172 which is complete nonsense.
39173
39174 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
39175 CC: stable@vger.kernel.org
39176 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39177
39178 Conflicts:
39179
39180 fs/namei.c
39181
39182commit f5ab7572c99ffb58953eb1070622307e904c3b7f
39183Author: Al Viro <viro@zeniv.linux.org.uk>
39184Date: Sat Mar 10 17:07:28 2012 -0500
39185
39186 restore smp_mb() in unlock_new_inode()
39187
39188 wait_on_inode() doesn't have ->i_lock
39189
39190 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39191
39192commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
39193Author: David S. Miller <davem@davemloft.net>
39194Date: Tue Mar 13 18:19:51 2012 -0700
39195
39196 sparc32: Add -Av8 to assembler command line.
39197
39198 Newer version of binutils are more strict about specifying the
39199 correct options to enable certain classes of instructions.
39200
39201 The sparc32 build is done for v7 in order to support sun4c systems
39202 which lack hardware integer multiply and divide instructions.
39203
39204 So we have to pass -Av8 when building the assembler routines that
39205 use these instructions and get patched into the kernel when we find
39206 out that we have a v8 capable cpu.
39207
39208 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
39209 Signed-off-by: David S. Miller <davem@davemloft.net>
39210
39211commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
39212Author: Thomas Gleixner <tglx@linutronix.de>
39213Date: Fri Mar 9 20:55:10 2012 +0100
39214
39215 x86: Derandom delay_tsc for 64 bit
39216
39217 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
39218 delay_tsc() into a random delay generator for 64 bit. The reason is
39219 that it merged the mostly identical versions of delay_32.c and
39220 delay_64.c. Though the subtle difference of the result was:
39221
39222 static void delay_tsc(unsigned long loops)
39223 {
39224 - unsigned bclock, now;
39225 + unsigned long bclock, now;
39226
39227 Now the function uses rdtscl() which returns the lower 32bit of the
39228 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
39229 bit this fails when the lower 32bit are close to wrap around when
39230 bclock is read, because the following check
39231
39232 if ((now - bclock) >= loops)
39233 break;
39234
39235 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
39236 because the unsigned long (now - bclock) of these values results in
39237 0xffffffff00000001 which is definitely larger than the loops
39238 value. That explains Tvortkos observation:
39239
39240 "Because I am seeing udelay(500) (_occasionally_) being short, and
39241 that by delaying for some duration between 0us (yep) and 491us."
39242
39243 Make those variables explicitely u32 again, so this works for both 32
39244 and 64 bit.
39245
39246 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
39247 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
39248 Cc: stable@vger.kernel.org # >= 2.6.27
39249 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39250
39251commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
39252Author: Al Viro <viro@ZenIV.linux.org.uk>
39253Date: Thu Mar 8 17:51:19 2012 +0000
39254
39255 aio: fix the "too late munmap()" race
39256
39257 Current code has put_ioctx() called asynchronously from aio_fput_routine();
39258 that's done *after* we have killed the request that used to pin ioctx,
39259 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
39260 from progressing. As the result, we can end up with async call of
39261 put_ioctx() being the last one and possibly happening during exit_mmap()
39262 or elf_core_dump(), neither of which expects stray munmap() being done
39263 to them...
39264
39265 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
39266 with that, but that's all we care about - neither io_destroy() nor
39267 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
39268 does really_put_req(), so the ioctx teardown won't be done until then
39269 and we don't care about the contents of ioctx past that point.
39270
39271 Since actual freeing of these suckers is RCU-delayed, we don't need to
39272 bump ioctx refcount when request goes into list for async removal.
39273 All we need is rcu_read_lock held just over the ->ctx_lock-protected
39274 area in aio_fput_routine().
39275
39276 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39277 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
39278 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
39279 Cc: stable@vger.kernel.org
39280 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39281
39282commit 002124c055afbf09b52226af65621999e8316448
39283Author: Al Viro <viro@ZenIV.linux.org.uk>
39284Date: Wed Mar 7 05:16:35 2012 +0000
39285
39286 aio: fix io_setup/io_destroy race
39287
39288 Have ioctx_alloc() return an extra reference, so that caller would drop it
39289 on success and not bother with re-grabbing it on failure exit. The current
39290 code is obviously broken - io_destroy() from another thread that managed
39291 to guess the address io_setup() would've returned would free ioctx right
39292 under us; gets especially interesting if aio_context_t * we pass to
39293 io_setup() points to PROT_READ mapping, so put_user() fails and we end
39294 up doing io_destroy() on kioctx another thread has just got freed...
39295
39296 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39297 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
39298 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
39299 Cc: stable@vger.kernel.org
39300 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39301
39302commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
39303Author: Dan Carpenter <dan.carpenter@oracle.com>
39304Date: Thu Mar 15 15:17:12 2012 -0700
39305
39306 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
39307
39308 strict_strtoul() writes a long but ->gamma_mode only has space to store an
39309 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
39310 well. I've changed it to use kstrtouint() instead.
39311
39312 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
39313 Acked-by: Inki Dae <inki.dae@samsung.com>
39314 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
39315 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
39316 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39317
39318commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
39319Merge: e4b05b6 eae671f
39320Author: Brad Spengler <spender@grsecurity.net>
39321Date: Fri Mar 16 21:04:27 2012 -0400
39322
39323 Merge branch 'pax-test' into grsec-test
39324
39325 Conflicts:
39326 security/Kconfig
39327
39328commit eae671fafe93f04685c04a089cc13efebc05d600
39329Author: Brad Spengler <spender@grsecurity.net>
39330Date: Fri Mar 16 20:58:01 2012 -0400
39331
39332 Update to pax-linux-3.2.11-test31.patch
39333 Introduction of the size_overflow plugin from Emese Revfy
39334 Many thanks to Emese for her hard work :)
39335
39336commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
39337Merge: e55aa68 258c015
39338Author: Brad Spengler <spender@grsecurity.net>
39339Date: Thu Mar 15 20:59:19 2012 -0400
39340
39341 Merge branch 'pax-test' into grsec-test
39342
39343commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
39344Author: Brad Spengler <spender@grsecurity.net>
39345Date: Thu Mar 15 20:59:05 2012 -0400
39346
39347 fix ARM compilation
39348
39349commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
39350Merge: 8f95ea9 55b7573
39351Author: Brad Spengler <spender@grsecurity.net>
39352Date: Wed Mar 14 19:33:41 2012 -0400
39353
39354 Merge branch 'pax-test' into grsec-test
39355
39356commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
39357Author: Brad Spengler <spender@grsecurity.net>
39358Date: Wed Mar 14 19:33:15 2012 -0400
39359
39360 Update to pax-linux-3.2.10-test28.patch
39361
39362commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
39363Merge: c8786a2 886ac5e
39364Author: Brad Spengler <spender@grsecurity.net>
39365Date: Tue Mar 13 17:38:13 2012 -0400
39366
39367 Merge branch 'pax-test' into grsec-test
39368
39369 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
39370
39371commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
39372Author: Brad Spengler <spender@grsecurity.net>
39373Date: Tue Mar 13 17:37:44 2012 -0400
39374
39375 Update to pax-linux-3.2.10-test26.patch
39376
39377commit c8786a2abed5e5327f68efa520c04db99bb6a63a
39378Merge: 219c982 c061fcf
39379Author: Brad Spengler <spender@grsecurity.net>
39380Date: Tue Mar 13 17:25:06 2012 -0400
39381
39382 Merge branch 'pax-test' into grsec-test
39383
39384commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
39385Merge: 89373d2 3f4b3b2
39386Author: Brad Spengler <spender@grsecurity.net>
39387Date: Tue Mar 13 17:25:02 2012 -0400
39388
39389 Merge branch 'linux-3.2.y' into pax-test
39390
39391commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
39392Merge: 54e19a3 89373d2
39393Author: Brad Spengler <spender@grsecurity.net>
39394Date: Mon Mar 12 17:23:57 2012 -0400
39395
39396 Merge branch 'pax-test' into grsec-test
39397
39398commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
39399Merge: a778588 7459f11
39400Author: Brad Spengler <spender@grsecurity.net>
39401Date: Mon Mar 12 17:23:49 2012 -0400
39402
39403 Merge branch 'linux-3.2.y' into pax-test
39404
39405commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
39406Merge: c4650f1 a778588
39407Author: Brad Spengler <spender@grsecurity.net>
39408Date: Mon Mar 12 16:51:25 2012 -0400
39409
39410 Merge branch 'pax-test' into grsec-test
39411
39412commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
39413Author: Brad Spengler <spender@grsecurity.net>
39414Date: Mon Mar 12 16:51:12 2012 -0400
39415
39416 Update to pax-linux-3.2.9-test24.patch
39417
39418commit c4650f14b13f84735fe3de06a1f3ff5776473eff
39419Merge: fb2abee 1015790
39420Author: Brad Spengler <spender@grsecurity.net>
39421Date: Sun Mar 11 21:08:28 2012 -0400
39422
39423 Merge branch 'pax-test' into grsec-test
39424
39425 Conflicts:
39426 security/Kconfig
39427
39428commit 101579028a736c224e590c7e12a7357018c424e1
39429Author: Brad Spengler <spender@grsecurity.net>
39430Date: Sun Mar 11 21:07:27 2012 -0400
39431
39432 Update to pax-linux-3.2.9-test22.patch
39433
39434commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
39435Author: Brad Spengler <spender@grsecurity.net>
39436Date: Sun Mar 11 11:02:17 2012 -0400
39437
39438 Allow 4096 CPUs
39439
39440commit 96bae28cbe6a41d48e3b56e5904814096e956000
39441Author: Brad Spengler <spender@grsecurity.net>
39442Date: Sun Mar 11 10:25:58 2012 -0400
39443
39444 Use a per-cpu 48-bit counter instead of a global atomic64
39445 Initialize each counter to have the cpu number in the lower 16 bits
39446 instead of incrementing the counter each time by 1, perform the increments
39447 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
39448 any state
39449 idea from PaX Team
39450
39451commit b975688101da6e966aebb1bc6b8c5c5983974f9c
39452Author: Brad Spengler <spender@grsecurity.net>
39453Date: Sat Mar 10 20:33:12 2012 -0500
39454
39455 Special vnsec edition! :)
39456 Further reduce argv/env allowance for suid/sgid apps to 512KB
39457 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
39458 Clear 3GB personality on suid/sgid binaries
39459 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
39460 with the main purpose of throwing off program stack -> arg/env alignment
39461 Update documentation
39462
39463commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
39464Author: Brad Spengler <spender@grsecurity.net>
39465Date: Sat Mar 10 19:54:47 2012 -0500
39466
39467 Resolve skbuff.h warnings that turn into errors during compilation in
39468 the grsecurity directory with -Werror
39469
39470commit 2023210ad43a944033fcacc660ce410888f562ee
39471Merge: ece4383 5f66adf
39472Author: Brad Spengler <spender@grsecurity.net>
39473Date: Fri Mar 9 19:48:01 2012 -0500
39474
39475 Merge branch 'pax-test' into grsec-test
39476
39477commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
39478Author: Brad Spengler <spender@grsecurity.net>
39479Date: Fri Mar 9 19:47:06 2012 -0500
39480
39481 Add colorize plugin
39482
39483commit ece4383e5e91c92d138c4df84225a70b552f4d69
39484Merge: a366d0e ab4a5a1
39485Author: Brad Spengler <spender@grsecurity.net>
39486Date: Fri Mar 9 17:56:46 2012 -0500
39487
39488 Merge branch 'pax-test' into grsec-test
39489
39490commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
39491Author: Brad Spengler <spender@grsecurity.net>
39492Date: Fri Mar 9 17:56:26 2012 -0500
39493
39494 Update to pax-linux-3.2.9-test21.patch
39495
39496commit a366d0ed963ce93fce10121c1100989d5f064e75
39497Author: Mikulas Patocka <mpatocka@redhat.com>
39498Date: Sun Mar 4 19:52:03 2012 -0500
39499
39500 mm: fix find_vma_prev
39501
39502 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
39503 management on PA-RISC.
39504
39505 After application of the patch, programs that allocate big arrays on the
39506 stack crash with segfault, for example, this will crash if compiled
39507 without optimization:
39508
39509 int main()
39510 {
39511 char array[200000];
39512 array[199999] = 0;
39513 return 0;
39514 }
39515
39516 The reason is that PA-RISC has up-growing stack and the stack is usually
39517 the last memory area. In the above example, a page fault happens above
39518 the stack.
39519
39520 Previously, if we passed too high address to find_vma_prev, it returned
39521 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
39522 change, it stores NULL in *pprev. Consequently, the stack area is not
39523 found and it is not expanded, as it used to be before the change.
39524
39525 This patch restores the old behavior and makes it return the last VMA in
39526 *pprev if the requested address is higher than address of any other VMA.
39527
39528 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
39529 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
39530 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39531
39532commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
39533Author: Hugh Dickins <hughd@google.com>
39534Date: Tue Mar 6 12:28:52 2012 -0800
39535
39536 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
39537
39538 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
39539 from shared anonymous: hoist the file case's -EINVAL up for both.
39540
39541 Signed-off-by: Hugh Dickins <hughd@google.com>
39542 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39543
39544commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
39545Author: Al Viro <viro@ZenIV.linux.org.uk>
39546Date: Mon Mar 5 06:38:42 2012 +0000
39547
39548 aout: move setup_arg_pages() prior to reading/mapping the binary
39549
39550 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39551 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39552
39553commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
39554Author: Jan Beulich <JBeulich@suse.com>
39555Date: Mon Mar 5 16:49:24 2012 +0000
39556
39557 vsprintf: make %pV handling compatible with kasprintf()
39558
39559 kasprintf() (and potentially other functions that I didn't run across so
39560 far) want to evaluate argument lists twice. Caring to do so for the
39561 primary list is obviously their job, but they can't reasonably be
39562 expected to check the format string for instances of %pV, which however
39563 need special handling too: On architectures like x86-64 (as opposed to
39564 e.g. ix86), using the same argument list twice doesn't produce the
39565 expected results, as an internally managed cursor gets updated during
39566 the first run.
39567
39568 Fix the problem by always acting on a copy of the original list when
39569 handling %pV.
39570
39571 Signed-off-by: Jan Beulich <jbeulich@suse.com>
39572 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39573
39574commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
39575Author: Al Viro <viro@ZenIV.linux.org.uk>
39576Date: Mon Mar 5 06:39:47 2012 +0000
39577
39578 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
39579
39580 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
39581 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39582
39583commit a831bd53764695ea680cc1fa3c98759a610ed2ac
39584Author: Christian König <deathsimple@vodafone.de>
39585Date: Tue Feb 28 23:19:20 2012 +0100
39586
39587 drm/radeon: fix uninitialized variable
39588
39589 Without this fix the driver randomly treats
39590 textures as arrays and I'm really wondering
39591 why gcc isn't complaining about it.
39592
39593 Signed-off-by: Christian König <deathsimple@vodafone.de>
39594 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
39595 Signed-off-by: Dave Airlie <airlied@redhat.com>
39596
39597commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
39598Author: H. Peter Anvin <hpa@zytor.com>
39599Date: Fri Mar 2 10:43:48 2012 -0800
39600
39601 regset: Prevent null pointer reference on readonly regsets
39602
39603 The regset common infrastructure assumed that regsets would always
39604 have .get and .set methods, but not necessarily .active methods.
39605 Unfortunately people have since written regsets without .set methods.
39606
39607 Rather than putting in stub functions everywhere, handle regsets with
39608 null .get or .set methods explicitly.
39609
39610 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
39611 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
39612 Acked-by: Roland McGrath <roland@hack.frob.com>
39613 Cc: <stable@vger.kernel.org>
39614 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39615
39616commit 072ddd99401c79b53c6bf6bff9deb93022124c79
39617Author: Brad Spengler <spender@grsecurity.net>
39618Date: Mon Mar 5 18:12:57 2012 -0500
39619
39620 Fix compiler errors reported on forums
39621
39622commit 1606774b48af24e6f99d99c624c0e447d4b66474
39623Merge: 3127bd5 4ca2ffd
39624Author: Brad Spengler <spender@grsecurity.net>
39625Date: Mon Mar 5 17:31:35 2012 -0500
39626
39627 Merge branch 'pax-test' into grsec-test
39628
39629commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
39630Author: Brad Spengler <spender@grsecurity.net>
39631Date: Mon Mar 5 17:31:21 2012 -0500
39632
39633 Update to pax-linux-3.2.9-test20.patch
39634
39635commit 3127bd581a292966b1057c7433219dac188c3720
39636Author: Brad Spengler <spender@grsecurity.net>
39637Date: Fri Mar 2 21:30:37 2012 -0500
39638
39639 Fix memory leak on logged exec_id check failure in /proc/pid/statm
39640 Thanks to Djalal Harouni for the report
39641
39642commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
39643Merge: 0a56be8 9aa8288
39644Author: Brad Spengler <spender@grsecurity.net>
39645Date: Fri Mar 2 18:38:22 2012 -0500
39646
39647 Merge branch 'pax-test' into grsec-test
39648
39649commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
39650Author: Brad Spengler <spender@grsecurity.net>
39651Date: Fri Mar 2 18:37:43 2012 -0500
39652
39653 Update to pax-linux-3.2.9-test19.patch
39654
39655commit 0a56be884bbd7ce733cac0b879c45383494d73b0
39656Merge: 9e66745 3f5c52a
39657Author: Brad Spengler <spender@grsecurity.net>
39658Date: Thu Mar 1 20:18:01 2012 -0500
39659
39660 Merge branch 'pax-test' into grsec-test
39661
39662commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
39663Author: Brad Spengler <spender@grsecurity.net>
39664Date: Thu Mar 1 20:16:56 2012 -0500
39665
39666 Update to pax-linux-3.2.9-test18.patch
39667
39668commit ae53ec231d12719a36bf871f8c5841020ed692ee
39669Merge: b255baf 44fb317
39670Author: Brad Spengler <spender@grsecurity.net>
39671Date: Thu Mar 1 20:15:31 2012 -0500
39672
39673 Merge branch 'linux-3.2.y' into pax-test
39674
39675commit 9e667456c03eadea2f305be761abe4de9a5877a3
39676Merge: 5e4e200 b255baf
39677Author: Brad Spengler <spender@grsecurity.net>
39678Date: Mon Feb 27 20:53:59 2012 -0500
39679
39680 Merge branch 'pax-test' into grsec-test
39681
39682commit b255baf50365d39b406f43aab2c64745607baaa2
39683Merge: 340ce90 1de504e
39684Author: Brad Spengler <spender@grsecurity.net>
39685Date: Mon Feb 27 20:53:29 2012 -0500
39686
39687 Merge branch 'linux-3.2.y' into pax-test
39688 Update to pax-linux-3.2.8-test17.patch
39689
39690 Conflicts:
39691 arch/x86/include/asm/i387.h
39692 arch/x86/kernel/process_32.c
39693 arch/x86/kernel/traps.c
39694
39695commit 5e4e200ac530452884b625cb75de240e1e98c731
39696Merge: 44306d7 340ce90
39697Author: Brad Spengler <spender@grsecurity.net>
39698Date: Mon Feb 27 18:02:13 2012 -0500
39699
39700 Merge branch 'pax-test' into grsec-test
39701
39702commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
39703Author: Brad Spengler <spender@grsecurity.net>
39704Date: Mon Feb 27 18:01:48 2012 -0500
39705
39706 Update to pax-linux-3.2.7-test17.patch
39707
39708commit 44306d7b3097f77e73040dd25f4f6750751bae7a
39709Merge: 29d0b07 521c411
39710Author: Brad Spengler <spender@grsecurity.net>
39711Date: Sun Feb 26 19:04:15 2012 -0500
39712
39713 Merge branch 'pax-test' into grsec-test
39714
39715 Conflicts:
39716 Makefile
39717
39718commit 521c411bb4ca66ce01146fde8bac9dd22414076d
39719Author: Brad Spengler <spender@grsecurity.net>
39720Date: Sun Feb 26 19:03:33 2012 -0500
39721
39722 Update to pax-linux-3.2.7-test16.patch
39723
39724commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
39725Author: Brad Spengler <spender@grsecurity.net>
39726Date: Sun Feb 26 17:12:44 2012 -0500
39727
39728 fix typo
39729
39730commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
39731Merge: f45b3be caa8f83
39732Author: Brad Spengler <spender@grsecurity.net>
39733Date: Sat Feb 25 20:59:27 2012 -0500
39734
39735 Merge branch 'pax-test' into grsec-test
39736
39737commit caa8f83456c4d0b204beefffaa1d1993f2348d08
39738Author: Brad Spengler <spender@grsecurity.net>
39739Date: Sat Feb 25 20:59:12 2012 -0500
39740
39741 Update to pax-linux-3.2.7-test15.patch
39742
39743commit f45b3be34a345502a302e736af9a65742ddef7cb
39744Merge: 62f35fd 9f1309b
39745Author: Brad Spengler <spender@grsecurity.net>
39746Date: Sat Feb 25 11:40:15 2012 -0500
39747
39748 Merge branch 'pax-test' into grsec-test
39749
39750commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
39751Author: Brad Spengler <spender@grsecurity.net>
39752Date: Sat Feb 25 11:39:57 2012 -0500
39753
39754 Update to pax-linux-3.2.7-test14.patch
39755
39756commit 62f35fdbecc58f2988fe13638d907b87a15776bb
39757Author: Brad Spengler <spender@grsecurity.net>
39758Date: Sat Feb 25 09:08:55 2012 -0500
39759
39760 We could log on attempted exploits of writing /proc/self/mem, but the current
39761 log function declares the access a read, so just swap the ordering for now
39762
39763commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
39764Author: Brad Spengler <spender@grsecurity.net>
39765Date: Sat Feb 25 08:46:14 2012 -0500
39766
39767 Log /proc/pid/mem attempts
39768
39769commit 674471e581893a94d475acac3e3c4496209b3ac9
39770Author: Brad Spengler <spender@grsecurity.net>
39771Date: Sat Feb 25 08:15:00 2012 -0500
39772
39773 Make use of f_version for protecting /proc file structs (fine since we're not a directory
39774 or seq_file)
39775
39776commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
39777Author: Brad Spengler <spender@grsecurity.net>
39778Date: Fri Feb 24 20:02:19 2012 -0500
39779
39780 Fix ia64 compilation
39781
39782commit 50dfea412fd395e0183c2ade368efa525d38b267
39783Merge: 12db845 4c6f99b
39784Author: Brad Spengler <spender@grsecurity.net>
39785Date: Fri Feb 24 19:00:53 2012 -0500
39786
39787 Merge branch 'pax-test' into grsec-test
39788
39789commit 4c6f99bf338e03966356b147d0360cb3b522a44f
39790Author: Brad Spengler <spender@grsecurity.net>
39791Date: Fri Feb 24 19:00:36 2012 -0500
39792
39793 (6:57:09 PM) pipacs: but you can be proactive
39794 (Fix other-arch atomic64/REFCOUNT compilation failures)
39795
39796commit 12db8453f6bb0a756f369c9151668ba1249bc478
39797Author: Brad Spengler <spender@grsecurity.net>
39798Date: Thu Feb 23 21:10:12 2012 -0500
39799
39800 Remove unnecessary copies, as suggested by solar
39801
39802commit cc02cab84368467ea03cb35f861a8a7092d91ab4
39803Author: Brad Spengler <spender@grsecurity.net>
39804Date: Thu Feb 23 20:59:35 2012 -0500
39805
39806 Make global_exec_counter static, as suggested by solar
39807
39808commit e642091a475ebb3a30e81f85e7751233d0c2af43
39809Author: Brad Spengler <spender@grsecurity.net>
39810Date: Thu Feb 23 19:00:26 2012 -0500
39811
39812 sync with stable tree
39813
39814commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
39815Author: Brad Spengler <spender@grsecurity.net>
39816Date: Thu Feb 23 18:48:47 2012 -0500
39817
39818 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
39819 Remove handling of old kludge in chmod/fchmod
39820
39821commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
39822Author: Brad Spengler <spender@grsecurity.net>
39823Date: Thu Feb 23 18:18:49 2012 -0500
39824
39825 Apply umask checks to chmod/fchmod as well, as requested by sponsor
39826 Union the enforced umask with the existing one to produce minimal privilege
39827 Change umask type to u16
39828
39829commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
39830Author: Brad Spengler <spender@grsecurity.net>
39831Date: Wed Feb 22 18:16:11 2012 -0500
39832
39833 Add per-role umask enforcement to RBAC, requested by a sponsor
39834
39835commit ad5ac943fe58199f1cc475912a39edb157acb77b
39836Merge: dda0bb5 41722e3
39837Author: Brad Spengler <spender@grsecurity.net>
39838Date: Mon Feb 20 20:04:42 2012 -0500
39839
39840 Merge branch 'pax-test' into grsec-test
39841
39842commit 41722e342e116d95f3d3556d66c97c888d752d39
39843Author: Brad Spengler <spender@grsecurity.net>
39844Date: Mon Feb 20 20:04:00 2012 -0500
39845
39846 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
39847 KERNEXEC plugin
39848
39849commit dda0bb57137846a476a866c60db2681aaf6052c0
39850Merge: 4fd554e d70927a
39851Author: Brad Spengler <spender@grsecurity.net>
39852Date: Mon Feb 20 20:01:41 2012 -0500
39853
39854 Merge branch 'pax-test' into grsec-test
39855
39856commit d70927afec977d489a54c106a3c3ddc32e953050
39857Merge: 1daebf1 9d0231c
39858Author: Brad Spengler <spender@grsecurity.net>
39859Date: Mon Feb 20 20:01:33 2012 -0500
39860
39861 Merge branch 'linux-3.2.y' into pax-test
39862
39863commit 4fd554e3a097b22c5049fcdc423897477deff5ef
39864Author: Brad Spengler <spender@grsecurity.net>
39865Date: Mon Feb 20 09:17:57 2012 -0500
39866
39867 Fix wrong logic on capability checks for switching roles, broke policies
39868 Thanks to Richard Kojedzinszky for reporting
39869
39870commit 12f97d52ac603f24344f8d71569c412a307e9422
39871Author: Brad Spengler <spender@grsecurity.net>
39872Date: Thu Feb 16 21:20:10 2012 -0500
39873
39874 sparc64 compile fix
39875
39876commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
39877Author: Brad Spengler <spender@grsecurity.net>
39878Date: Thu Feb 16 18:38:32 2012 -0500
39879
39880 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
39881
39882commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
39883Author: Brad Spengler <spender@grsecurity.net>
39884Date: Thu Feb 16 18:18:01 2012 -0500
39885
39886 optimize the check a bit
39887
39888commit 03159050f64989be44ae03be769cbed62a7cd2e5
39889Author: Brad Spengler <spender@grsecurity.net>
39890Date: Thu Feb 16 18:00:45 2012 -0500
39891
39892 smile VUPEN :D
39893 (limit argv+env to 1MB for suid/sgid binaries)
39894
39895commit dd759d8800d225a397e4de49fe729c7d601298d2
39896Author: Brad Spengler <spender@grsecurity.net>
39897Date: Thu Feb 16 17:49:33 2012 -0500
39898
39899 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
39900
39901commit 4de635bda8ebfb85312e3bf851bdbff93de400da
39902Author: Brad Spengler <spender@grsecurity.net>
39903Date: Thu Feb 16 17:45:06 2012 -0500
39904
39905 Change the long long type for exec_id to the proper u64
39906
39907commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
39908Author: Dan Carpenter <dan.carpenter@oracle.com>
39909Date: Thu Feb 9 00:46:47 2012 +0000
39910
39911 isdn: type bug in isdn_net_header()
39912
39913 We use len to store the return value from eth_header(). eth_header()
39914 can return -ETH_HLEN (-14). We want to pass this back instead of
39915 truncating it to 65522 and returning that.
39916
39917 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
39918 Acked-by: Neil Horman <nhorman@tuxdriver.com>
39919 Signed-off-by: David S. Miller <davem@davemloft.net>
39920
39921commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
39922Author: Heiko Carstens <heiko.carstens@de.ibm.com>
39923Date: Sat Feb 4 10:47:10 2012 +0100
39924
39925 exec: fix use-after-free bug in setup_new_exec()
39926
39927 Setting the task name is done within setup_new_exec() by accessing
39928 bprm->filename. However this happens after flush_old_exec().
39929 This may result in a use after free bug, flush_old_exec() may
39930 "complete" vfork_done, which will wake up the parent which in turn
39931 may free the passed in filename.
39932 To fix this add a new tcomm field in struct linux_binprm which
39933 contains the now early generated task name until it is used.
39934
39935 Fixes this bug on s390:
39936
39937 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
39938 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
39939 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
39940 Call Trace:
39941 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
39942 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
39943 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
39944 [<0000000000282b6c>] do_execve_common+0x410/0x514
39945 [<0000000000282cb6>] do_execve+0x46/0x58
39946 [<00000000005bce58>] kernel_execve+0x28/0x70
39947 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
39948 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
39949 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
39950 Last Breaking-Event-Address:
39951 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
39952
39953 Kernel panic - not syncing: Fatal exception: panic_on_oops
39954
39955 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
39956 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
39957 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
39958
39959commit d758ee9f5230893dabb5aab737b3109684bde196
39960Author: Dan Carpenter <dan.carpenter@oracle.com>
39961Date: Fri Feb 10 09:03:58 2012 +0100
39962
39963 relay: prevent integer overflow in relay_open()
39964
39965 "subbuf_size" and "n_subbufs" come from the user and they need to be
39966 capped to prevent an integer overflow.
39967
39968 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
39969 Cc: stable@kernel.org
39970 Signed-off-by: Jens Axboe <axboe@kernel.dk>
39971
39972commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
39973Merge: b1baadf 1daebf1
39974Author: Brad Spengler <spender@grsecurity.net>
39975Date: Mon Feb 13 17:47:04 2012 -0500
39976
39977 Merge branch 'pax-test' into grsec-test
39978
39979 Conflicts:
39980 fs/proc/base.c
39981
39982commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
39983Merge: 1413df2 c2db2e2
39984Author: Brad Spengler <spender@grsecurity.net>
39985Date: Mon Feb 13 17:45:54 2012 -0500
39986
39987 Merge branch 'linux-3.2.y' into pax-test
39988
39989commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
39990Author: Brad Spengler <spender@grsecurity.net>
39991Date: Sun Feb 12 16:44:05 2012 -0500
39992
39993 add missing declaration
39994
39995commit 3981059c35e8463002517935c28f3d74b8e3703c
39996Author: Brad Spengler <spender@grsecurity.net>
39997Date: Sun Feb 12 16:36:04 2012 -0500
39998
39999 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
40000 in addition to existing checks (this handles the setresuid ruid = euid case)
40001
40002commit 0beab03263c773f463412c350ad9064b44b6ede0
40003Author: Brad Spengler <spender@grsecurity.net>
40004Date: Sun Feb 12 16:13:40 2012 -0500
40005
40006 Revert setreuid changes when RBAC is enabled, breaks freeradius
40007 I'll fix the learning issue Lavish reported a different way through
40008 gradm modifications
40009
40010 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
40011
40012commit 0c61cb1cfbbfec7d07647268c922d51434d22621
40013Author: Brad Spengler <spender@grsecurity.net>
40014Date: Sat Feb 11 14:22:46 2012 -0500
40015
40016 copy exec_id on fork
40017
40018commit 000c08e0890630086b2ed04084050ed856a7ec31
40019Author: Brad Spengler <spender@grsecurity.net>
40020Date: Fri Feb 10 20:00:36 2012 -0500
40021
40022 compile fix
40023
40024commit 54b8c8f54484e5ee18040657827158bc4b63bccc
40025Author: Brad Spengler <spender@grsecurity.net>
40026Date: Fri Feb 10 19:19:52 2012 -0500
40027
40028 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
40029 denies reading of sensitive /proc/pid entries where the file descriptor
40030 was opened in a different task than the one performing the read
40031
40032commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
40033Author: Brad Spengler <spender@grsecurity.net>
40034Date: Fri Feb 10 17:43:24 2012 -0500
40035
40036 Remove duplicate signal check
40037
40038commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
40039Merge: 4eba97e 1413df2
40040Author: Brad Spengler <spender@grsecurity.net>
40041Date: Wed Feb 8 19:24:34 2012 -0500
40042
40043 Merge branch 'pax-test' into grsec-test
40044
40045commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
40046Author: Brad Spengler <spender@grsecurity.net>
40047Date: Wed Feb 8 19:24:08 2012 -0500
40048
40049 Merge changes from pax-linux-3.2.4-test11.patch
40050
40051commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
40052Merge: 0e058dd 8dd90a2
40053Author: Brad Spengler <spender@grsecurity.net>
40054Date: Mon Feb 6 17:50:12 2012 -0500
40055
40056 Merge branch 'pax-test' into grsec-test
40057
40058commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
40059Author: Brad Spengler <spender@grsecurity.net>
40060Date: Mon Feb 6 17:49:07 2012 -0500
40061
40062 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
40063
40064commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
40065Merge: 7e4169c 6133971
40066Author: Brad Spengler <spender@grsecurity.net>
40067Date: Mon Feb 6 17:48:57 2012 -0500
40068
40069 Merge branch 'linux-3.2.y' into pax-test
40070
40071commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
40072Author: Brad Spengler <spender@grsecurity.net>
40073Date: Sun Feb 5 19:24:45 2012 -0500
40074
40075 We now allow configurations with no PaX markings, giving the system no way to override the defaults
40076
40077commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
40078Author: Brad Spengler <spender@grsecurity.net>
40079Date: Sun Feb 5 10:01:23 2012 -0500
40080
40081 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
40082
40083commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
40084Author: Brad Spengler <spender@grsecurity.net>
40085Date: Sat Feb 4 21:01:16 2012 -0500
40086
40087 Improve security of ptrace-based monitoring/sandboxing
40088 See:
40089 http://article.gmane.org/gmane.linux.kernel.lsm/15156
40090
40091commit ca4ca5a1027b41f9528794e52a53ce9c47926101
40092Author: Brad Spengler <spender@grsecurity.net>
40093Date: Fri Feb 3 20:42:55 2012 -0500
40094
40095 fix typo
40096
40097commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
40098Author: Brad Spengler <spender@grsecurity.net>
40099Date: Fri Feb 3 20:25:38 2012 -0500
40100
40101 Reported by lavish on IRC:
40102 If a suid/sgid binary did not learn any setuid/setgid call during learning,
40103 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
40104 any restrictions on uid/gid changes. uid and gid can however be changed
40105 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
40106 euid/egid.
40107
40108 My fix:
40109 POSIX doesn't specify whether unprivileged users can perform the above
40110 setresuid/setresgid as an unprivileged user, though Linux has historically
40111 permitted them. Modify this behavior when RBAC is enabled to require
40112 CAP_SETUID/CAP_SETGID for these operations.
40113
40114 Thanks to Lavish for the report!
40115
40116 Conflicts:
40117
40118 kernel/sys.c
40119
40120commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
40121Merge: ba586eb 7e4169c
40122Author: Brad Spengler <spender@grsecurity.net>
40123Date: Fri Feb 3 20:10:21 2012 -0500
40124
40125 Merge branch 'pax-test' into grsec-test
40126
40127commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
40128Author: Brad Spengler <spender@grsecurity.net>
40129Date: Fri Feb 3 20:10:05 2012 -0500
40130
40131 Merge changes from pax-linux-3.2.4-test9.patch
40132
40133commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
40134Author: Christopher Yeoh <cyeoh@au1.ibm.com>
40135Date: Thu Feb 2 11:34:09 2012 +1030
40136
40137 Fix race in process_vm_rw_core
40138
40139 This fixes the race in process_vm_core found by Oleg (see
40140
40141 http://article.gmane.org/gmane.linux.kernel/1235667/
40142
40143 for details).
40144
40145 This has been updated since I last sent it as the creation of the new
40146 mm_access() function did almost exactly the same thing as parts of the
40147 previous version of this patch did.
40148
40149 In order to use mm_access() even when /proc isn't enabled, we move it to
40150 kernel/fork.c where other related process mm access functions already
40151 are.
40152
40153 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
40154 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40155
40156 Conflicts:
40157
40158 fs/proc/base.c
40159 mm/process_vm_access.c
40160
40161commit b9194d60fb9fe579f5c34817ed822abde18939a0
40162Author: Oleg Nesterov <oleg@redhat.com>
40163Date: Tue Jan 31 17:15:11 2012 +0100
40164
40165 proc: make sure mem_open() doesn't pin the target's memory
40166
40167 Once /proc/pid/mem is opened, the memory can't be released until
40168 mem_release() even if its owner exits.
40169
40170 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
40171 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
40172 before access_remote_vm(), this verifies that this mm is still alive.
40173
40174 I am not sure what should mem_rw() return if atomic_inc_not_zero()
40175 fails. With this patch it returns zero to match the "mm == NULL" case,
40176 may be it should return -EINVAL like it did before e268337d.
40177
40178 Perhaps it makes sense to add the additional fatal_signal_pending()
40179 check into the main loop, to ensure we do not hold this memory if
40180 the target task was oom-killed.
40181
40182 Cc: stable@kernel.org
40183 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
40184 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40185
40186commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
40187Author: Oleg Nesterov <oleg@redhat.com>
40188Date: Tue Jan 31 17:14:38 2012 +0100
40189
40190 proc: mem_release() should check mm != NULL
40191
40192 mem_release() can hit mm == NULL, add the necessary check.
40193
40194 Cc: stable@kernel.org
40195 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
40196 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40197
40198commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
40199Author: Oleg Nesterov <oleg@redhat.com>
40200Date: Tue Jan 31 17:14:54 2012 +0100
40201
40202 note: redisabled mem_write
40203
40204 proc: unify mem_read() and mem_write()
40205
40206 No functional changes, cleanup and preparation.
40207
40208 mem_read() and mem_write() are very similar. Move this code into the
40209 new common helper, mem_rw(), which takes the additional "int write"
40210 argument.
40211
40212 Cc: stable@kernel.org
40213 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
40214 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40215
40216 Conflicts:
40217
40218 fs/proc/base.c
40219
40220commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
40221Merge: 3903f01 01fee18
40222Author: Brad Spengler <spender@grsecurity.net>
40223Date: Fri Feb 3 19:50:40 2012 -0500
40224
40225 Merge branch 'pax-test' into grsec-test
40226
40227commit 01fee1851aef26b898ccba5312cabf1f919b74cb
40228Author: Brad Spengler <spender@grsecurity.net>
40229Date: Fri Feb 3 19:49:46 2012 -0500
40230
40231 Merge changes from pax-linux-3.2.4-test8.patch
40232
40233commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
40234Merge: 201c0db 141936c
40235Author: Brad Spengler <spender@grsecurity.net>
40236Date: Fri Feb 3 19:49:01 2012 -0500
40237
40238 Merge branch 'linux-3.2.y' into pax-test
40239
40240commit 3903f0172ecadf7a575ba3535402a1506133640a
40241Author: Brad Spengler <spender@grsecurity.net>
40242Date: Mon Jan 30 23:26:44 2012 -0500
40243
40244 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
40245
40246 We'll whitelist required directories for compatibility instead of requiring
40247 that people disable the feature entirely if they use SELinux, fuse, etc
40248
40249 Conflicts:
40250
40251 fs/sysfs/mount.c
40252
40253commit e3618feaa7e63807f1b88c199882075b3ec9bd05
40254Author: Brad Spengler <spender@grsecurity.net>
40255Date: Sun Jan 29 01:12:19 2012 -0500
40256
40257 perform RBAC check if TPE is on but match fails, matches previous behavior
40258
40259commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
40260Author: Brad Spengler <spender@grsecurity.net>
40261Date: Sat Jan 28 13:17:06 2012 -0500
40262
40263 log more information about the reason for a TPE denial for novice users, requested by a sponsor
40264
40265commit efefd67008cbad8a8591e2484410966a300a39a5
40266Author: Brad Spengler <spender@grsecurity.net>
40267Date: Fri Jan 27 19:58:53 2012 -0500
40268
40269 merge upstream sha512 changes
40270
40271commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
40272Author: Brad Spengler <spender@grsecurity.net>
40273Date: Fri Jan 27 19:49:07 2012 -0500
40274
40275 drop lock on error in xfs_readlink
40276
40277 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
40278
40279commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
40280Author: Li Wang <liwang@nudt.edu.cn>
40281Date: Thu Jan 19 09:44:36 2012 +0800
40282
40283 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
40284
40285 ecryptfs_write() can enter an infinite loop when truncating a file to a
40286 size larger than 4G. This only happens on architectures where size_t is
40287 represented by 32 bits.
40288
40289 This was caused by a size_t overflow due to it incorrectly being used to
40290 store the result of a calculation which uses potentially large values of
40291 type loff_t.
40292
40293 [tyhicks@canonical.com: rewrite subject and commit message]
40294 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
40295 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
40296 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
40297 Cc: <stable@vger.kernel.org>
40298 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
40299
40300commit a7607747d0f74f357d78bb796d70635dd05f46e8
40301Author: Tyler Hicks <tyhicks@canonical.com>
40302Date: Thu Jan 19 20:33:44 2012 -0600
40303
40304 eCryptfs: Check inode changes in setattr
40305
40306 Most filesystems call inode_change_ok() very early in ->setattr(), but
40307 eCryptfs didn't call it at all. It allowed the lower filesystem to make
40308 the call in its ->setattr() function. Then, eCryptfs would copy the
40309 appropriate inode attributes from the lower inode to the eCryptfs inode.
40310
40311 This patch changes that and actually calls inode_change_ok() on the
40312 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
40313 would happen earlier in ecryptfs_setattr(), but there are some possible
40314 inode initialization steps that must happen first.
40315
40316 Since the call was already being made on the lower inode, the change in
40317 functionality should be minimal, except for the case of a file extending
40318 truncate call. In that case, inode_newsize_ok() was never being
40319 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
40320 maximum file size errors early on, eCryptfs would encrypt zeroed pages
40321 and write them to the lower filesystem until the lower filesystem's
40322 write path caught the error in generic_write_checks(). This patch
40323 introduces a new function, called ecryptfs_inode_newsize_ok(), which
40324 checks if the new lower file size is within the appropriate limits when
40325 the truncate operation will be growing the lower file.
40326
40327 In summary this change prevents eCryptfs truncate operations (and the
40328 resulting page encryptions), which would exceed the lower filesystem
40329 limits or FSIZE rlimits, from ever starting.
40330
40331 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
40332 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
40333 Cc: <stable@vger.kernel.org>
40334
40335commit 0d96f190a39505254ace4e9330219aaeda9b64e3
40336Author: Tyler Hicks <tyhicks@canonical.com>
40337Date: Wed Jan 18 18:30:04 2012 -0600
40338
40339 eCryptfs: Make truncate path killable
40340
40341 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
40342 page, zeroes out the appropriate portions, and then encrypts the page
40343 before writing it to the lower filesystem. It was unkillable and due to
40344 the lack of sparse file support could result in tying up a large portion
40345 of system resources, while encrypting pages of zeros, with no way for
40346 the truncate operation to be stopped from userspace.
40347
40348 This patch adds the ability for ecryptfs_write() to detect a pending
40349 fatal signal and return as gracefully as possible. The intent is to
40350 leave the lower file in a useable state, while still allowing a user to
40351 break out of the encryption loop. If a pending fatal signal is detected,
40352 the eCryptfs inode size is updated to reflect the modified inode size
40353 and then -EINTR is returned.
40354
40355 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
40356 Cc: <stable@vger.kernel.org>
40357
40358commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
40359Author: Tyler Hicks <tyhicks@canonical.com>
40360Date: Tue Jan 24 10:02:22 2012 -0600
40361
40362 eCryptfs: Fix oops when printing debug info in extent crypto functions
40363
40364 If pages passed to the eCryptfs extent-based crypto functions are not
40365 mapped and the module parameter ecryptfs_verbosity=1 was specified at
40366 loading time, a NULL pointer dereference will occur.
40367
40368 Note that this wouldn't happen on a production system, as you wouldn't
40369 pass ecryptfs_verbosity=1 on a production system. It leaks private
40370 information to the system logs and is for debugging only.
40371
40372 The debugging info printed in these messages is no longer very useful
40373 and rather than doing a kmap() in these debugging paths, it will be
40374 better to simply remove the debugging paths completely.
40375
40376 https://launchpad.net/bugs/913651
40377
40378 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
40379 Reported-by: Daniel DeFreez
40380 Cc: <stable@vger.kernel.org>
40381
40382commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
40383Author: Tyler Hicks <tyhicks@canonical.com>
40384Date: Thu Jan 12 11:30:44 2012 +0100
40385
40386 eCryptfs: Sanitize write counts of /dev/ecryptfs
40387
40388 A malicious count value specified when writing to /dev/ecryptfs may
40389 result in a a very large kernel memory allocation.
40390
40391 This patch peeks at the specified packet payload size, adds that to the
40392 size of the packet headers and compares the result with the write count
40393 value. The resulting maximum memory allocation size is approximately 532
40394 bytes.
40395
40396 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
40397 Reported-by: Sasha Levin <levinsasha928@gmail.com>
40398 Cc: <stable@vger.kernel.org>
40399
40400commit 96dcb7282d323813181a1791f51c0ab7696b675b
40401Merge: 6c09fa5 201c0db
40402Author: Brad Spengler <spender@grsecurity.net>
40403Date: Fri Jan 27 19:44:15 2012 -0500
40404
40405 Merge branch 'pax-test' into grsec-test
40406
40407commit 201c0dbf177527367676028151e36d340923f033
40408Author: Brad Spengler <spender@grsecurity.net>
40409Date: Fri Jan 27 19:43:24 2012 -0500
40410
40411 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
40412 on loading modules with empty sections
40413
40414commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
40415Author: Brad Spengler <spender@grsecurity.net>
40416Date: Fri Jan 27 19:42:13 2012 -0500
40417
40418 compile fix
40419
40420commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
40421Author: Brad Spengler <spender@grsecurity.net>
40422Date: Fri Jan 27 19:39:28 2012 -0500
40423
40424 use LSM flags instead of duplicating checks
40425
40426commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
40427Merge: 44b9f11 558718b
40428Author: Brad Spengler <spender@grsecurity.net>
40429Date: Fri Jan 27 18:56:23 2012 -0500
40430
40431 Merge branch 'pax-test' into grsec-test
40432
40433commit 558718b2217beff69edf60f34a6f9893d910e9ac
40434Author: Brad Spengler <spender@grsecurity.net>
40435Date: Fri Jan 27 18:56:04 2012 -0500
40436
40437 Merge changes from pax-linux-3.2.2-test6.patch
40438
40439commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
40440Author: Brad Spengler <spender@grsecurity.net>
40441Date: Fri Jan 27 18:53:55 2012 -0500
40442
40443 don't increase the size of task_struct when unnecessary
40444 change ptrace_readexec log message
40445
40446commit a9c9626e054adb885883aa64f85506852894dd33
40447Author: Brad Spengler <spender@grsecurity.net>
40448Date: Fri Jan 27 18:16:28 2012 -0500
40449
40450 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
40451 the protection applies to all unreadable binaries.
40452
40453commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
40454Merge: 7b3f3af 05a1349
40455Author: Brad Spengler <spender@grsecurity.net>
40456Date: Wed Jan 25 20:52:09 2012 -0500
40457
40458 Merge branch 'pax-test' into grsec-test
40459
40460 Conflicts:
40461 block/scsi_ioctl.c
40462 drivers/scsi/sd.c
40463 fs/proc/base.c
40464
40465commit 05a134966efb9cb9346ad3422888969ffc79ac1d
40466Author: Brad Spengler <spender@grsecurity.net>
40467Date: Wed Jan 25 20:47:36 2012 -0500
40468
40469 Resync with pax-linux-3.2.2-test5.patch
40470
40471commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
40472Merge: c6d443d 3499d64
40473Author: Brad Spengler <spender@grsecurity.net>
40474Date: Wed Jan 25 20:45:16 2012 -0500
40475
40476 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
40477
40478 Conflicts:
40479 ipc/shm.c
40480
40481commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
40482Author: Brad Spengler <spender@grsecurity.net>
40483Date: Tue Jan 24 19:42:01 2012 -0500
40484
40485 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
40486 (may be changed if it breaks some userland), the other has its own
40487 config option
40488
40489 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
40490 the syscall or /proc/sys.
40491
40492 Second feature requires read access to a suid/sgid binary in order
40493 to ptrace it, preventing infoleaking of binaries in situations where
40494 the admin has specified 4711 or 2711 perms. Feature has been
40495 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
40496 a sysctl entry of ptrace_readexec
40497
40498commit 11a7bb25c411c9dccfdca5718639b4becdffd388
40499Author: Brad Spengler <spender@grsecurity.net>
40500Date: Sun Jan 22 14:37:10 2012 -0500
40501
40502 Compilation fixes
40503
40504commit cd400e21c7c352baba47d6f375297a7847afb33a
40505Author: Brad Spengler <spender@grsecurity.net>
40506Date: Sun Jan 22 14:20:27 2012 -0500
40507
40508 Initial port of grsecurity 2.2.2 for Linux 3.2.1
40509 Note that the new syscalls added to this kernel for remote process read/write
40510 are subject to ptrace hardening/other relevant RBAC features
40511 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
40512 as well
40513 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
40514 you should be using a version of gcc with plugin support
40515
40516commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
40517Author: Brad Spengler <spender@grsecurity.net>
40518Date: Sun Jan 22 11:47:31 2012 -0500
40519
40520 Import pax-linux-3.2.1-test5.patch
40521commit bfd7db842f835f9837cd43644459b3a95b0b488d
40522Author: Brad Spengler <spender@grsecurity.net>
40523Date: Sun Jan 22 11:02:02 2012 -0500
40524
40525 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
40526 instead of returning -EACCES
40527 thanks to Wraith from irc for the report
40528
40529commit 873ac13576506cd48ddb527c2540f274e249da50
40530Merge: 34083dd 8a44fcc
40531Author: Brad Spengler <spender@grsecurity.net>
40532Date: Fri Jan 20 18:04:02 2012 -0500
40533
40534 Merge branch 'pax-test' into grsec-test
40535
40536commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
40537Author: Brad Spengler <spender@grsecurity.net>
40538Date: Fri Jan 20 18:02:15 2012 -0500
40539
40540 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
40541 Denies executable shared memory when MPROTECT is active
40542 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
40543
40544commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
40545Author: Brad Spengler <spender@grsecurity.net>
40546Date: Thu Jan 19 20:23:14 2012 -0500
40547
40548 Introduce new GRKERNSEC_SETXID implementation
40549 We're not able to change the credentials of other threads in the process until at most
40550 one syscall after the first thread does it, since we mark the threads as needing rescheduling
40551 and such work occurs on syscall exit.
40552 This does however ensure that we're only modifying the current task's credentials
40553 which upholds RCU expectations
40554
40555 Many thanks to corsac for testing
40556
40557commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
40558Author: Brad Spengler <spender@grsecurity.net>
40559Date: Thu Jan 19 17:42:48 2012 -0500
40560
40561 Simplify backport
40562
40563commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
40564Author: Brad Spengler <spender@grsecurity.net>
40565Date: Thu Jan 19 17:08:16 2012 -0500
40566
40567 Commit the latest silent fix for a local privilege escalation from Linus
40568 Also disable writing to /proc/pid/mem
40569 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
40570
40571commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
40572Merge: 0394a3f 7e6299b
40573Author: Brad Spengler <spender@grsecurity.net>
40574Date: Wed Jan 18 20:22:09 2012 -0500
40575
40576 Merge branch 'pax-test' into grsec-test
40577
40578commit 7e6299b4733c082dde930375dd207b63237751ec
40579Merge: 83555fb 9bb1282
40580Author: Brad Spengler <spender@grsecurity.net>
40581Date: Wed Jan 18 20:21:37 2012 -0500
40582
40583 Merge branch 'linux-3.1.y' into pax-test
40584
40585commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
40586Author: Jesper Juhl <jj@chaosbits.net>
40587Date: Sun Jan 8 22:44:29 2012 +0100
40588
40589 audit: always follow va_copy() with va_end()
40590
40591 A call to va_copy() should always be followed by a call to va_end() in
40592 the same function. In kernel/autit.c::audit_log_vformat() this is not
40593 always done. This patch makes sure va_end() is always called.
40594
40595 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
40596 Cc: Al Viro <viro@zeniv.linux.org.uk>
40597 Cc: Eric Paris <eparis@redhat.com>
40598 Cc: Andrew Morton <akpm@linux-foundation.org>
40599 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40600
40601commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
40602Author: Andi Kleen <ak@linux.intel.com>
40603Date: Thu Jan 12 17:20:30 2012 -0800
40604
40605 panic: don't print redundant backtraces on oops
40606
40607 When an oops causes a panic and panic prints another backtrace it's pretty
40608 common to have the original oops data be scrolled away on a 80x50 screen.
40609
40610 The second backtrace is quite redundant and not needed anyways.
40611
40612 So don't print the panic backtrace when oops_in_progress is true.
40613
40614 [akpm@linux-foundation.org: add comment]
40615 Signed-off-by: Andi Kleen <ak@linux.intel.com>
40616 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
40617 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
40618 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40619
40620commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
40621Author: Miklos Szeredi <mszeredi@suse.cz>
40622Date: Thu Jan 12 17:59:46 2012 +0100
40623
40624 fsnotify: don't BUG in fsnotify_destroy_mark()
40625
40626 Removing the parent of a watched file results in "kernel BUG at
40627 fs/notify/mark.c:139".
40628
40629 To reproduce
40630
40631 add "-w /tmp/audit/dir/watched_file" to audit.rules
40632 rm -rf /tmp/audit/dir
40633
40634 This is caused by fsnotify_destroy_mark() being called without an
40635 extra reference taken by the caller.
40636
40637 Reported by Francesco Cosoleto here:
40638
40639 https://bugzilla.novell.com/show_bug.cgi?id=689860
40640
40641 Fix by removing the BUG_ON and adding a comment about not accessing mark after
40642 the iput.
40643
40644 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
40645 CC: stable@vger.kernel.org
40646 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40647
40648commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
40649Author: Paolo Bonzini <pbonzini@redhat.com>
40650Date: Thu Jan 12 16:01:28 2012 +0100
40651
40652 block: fail SCSI passthrough ioctls on partition devices
40653
40654 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
40655 will pass the command to the underlying block device. This is
40656 well-known, but it is also a large security problem when (via Unix
40657 permissions, ACLs, SELinux or a combination thereof) a program or user
40658 needs to be granted access only to part of the disk.
40659
40660 This patch lets partitions forward a small set of harmless ioctls;
40661 others are logged with printk so that we can see which ioctls are
40662 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
40663 Of course it was being sent to a (partition on a) hard disk, so it would
40664 have failed with ENOTTY and the patch isn't changing anything in
40665 practice. Still, I'm treating it specially to avoid spamming the logs.
40666
40667 In principle, this restriction should include programs running with
40668 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
40669 /dev/sdb, it still should not be able to read/write outside the
40670 boundaries of /dev/sda2 independent of the capabilities. However, for
40671 now programs with CAP_SYS_RAWIO will still be allowed to send the
40672 ioctls. Their actions will still be logged.
40673
40674 This patch does not affect the non-libata IDE driver. That driver
40675 however already tests for bd != bd->bd_contains before issuing some
40676 ioctl; it could be restricted further to forbid these ioctls even for
40677 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
40678
40679 Cc: linux-scsi@vger.kernel.org
40680 Cc: Jens Axboe <axboe@kernel.dk>
40681 Cc: James Bottomley <JBottomley@parallels.com>
40682 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
40683 [ Make it also print the command name when warning - Linus ]
40684 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40685
40686commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
40687Author: Paolo Bonzini <pbonzini@redhat.com>
40688Date: Thu Jan 12 16:01:27 2012 +0100
40689
40690 block: add and use scsi_blk_cmd_ioctl
40691
40692 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
40693
40694 The function will then be enhanced to detect partition block devices
40695 and, in that case, subject the ioctls to whitelisting.
40696
40697 Cc: linux-scsi@vger.kernel.org
40698 Cc: Jens Axboe <axboe@kernel.dk>
40699 Cc: James Bottomley <JBottomley@parallels.com>
40700 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
40701 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40702
40703commit 97a79814903fc350e1d13704ea31528a42705401
40704Author: Kees Cook <keescook@chromium.org>
40705Date: Sat Jan 7 10:41:04 2012 -0800
40706
40707 audit: treat s_id as an untrusted string
40708
40709 The use of s_id should go through the untrusted string path, just to be
40710 extra careful.
40711
40712 Signed-off-by: Kees Cook <keescook@chromium.org>
40713 Acked-by: Mimi Zohar <zohar@us.ibm.com>
40714 Signed-off-by: Eric Paris <eparis@redhat.com>
40715
40716commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
40717Author: Xi Wang <xi.wang@gmail.com>
40718Date: Tue Dec 20 18:39:41 2011 -0500
40719
40720 audit: fix signedness bug in audit_log_execve_info()
40721
40722 In the loop, a size_t "len" is used to hold the return value of
40723 audit_log_single_execve_arg(), which returns -1 on error. In that
40724 case the error handling (len <= 0) will be bypassed since "len" is
40725 unsigned, and the loop continues with (p += len) being wrapped.
40726 Change the type of "len" to signed int to fix the error handling.
40727
40728 size_t len;
40729 ...
40730 for (...) {
40731 len = audit_log_single_execve_arg(...);
40732 if (len <= 0)
40733 break;
40734 p += len;
40735 }
40736
40737 Signed-off-by: Xi Wang <xi.wang@gmail.com>
40738 Signed-off-by: Eric Paris <eparis@redhat.com>
40739
40740commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
40741Author: Dan Carpenter <dan.carpenter@oracle.com>
40742Date: Tue Jan 17 03:28:51 2012 -0300
40743
40744 [media] ds3000: using logical && instead of bitwise &
40745
40746 The intent here was to test if the FE_HAS_LOCK was set. The current
40747 test is equivalent to "if (status) { ..."
40748
40749 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
40750 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
40751
40752commit 36522330dc59d2fc70c042f3f081d75c32b6259a
40753Author: Brad Spengler <spender@grsecurity.net>
40754Date: Mon Jan 16 13:10:38 2012 -0500
40755
40756 Ignore the 0 signal for protected task RBAC checks
40757
40758commit d513acd55f7a683f6e146a4f570cdb63300479ab
40759Author: Brad Spengler <spender@grsecurity.net>
40760Date: Mon Jan 16 11:56:13 2012 -0500
40761
40762 whitespace cleanup
40763
40764commit ced261c4b82818c700aff8487f647f6f3e5b5122
40765Merge: d48751f 83555fb
40766Author: Brad Spengler <spender@grsecurity.net>
40767Date: Fri Jan 13 20:12:54 2012 -0500
40768
40769 Merge branch 'pax-test' into grsec-test
40770
40771commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
40772Merge: fcd8129 93dad39
40773Author: Brad Spengler <spender@grsecurity.net>
40774Date: Fri Jan 13 20:12:43 2012 -0500
40775
40776 Merge branch 'linux-3.1.y' into pax-test
40777
40778commit d48751f3919ae855fda0ff6c149db82442329253
40779Author: Brad Spengler <spender@grsecurity.net>
40780Date: Wed Jan 11 19:05:47 2012 -0500
40781
40782 Call our own set_user when forcing change to new id
40783
40784commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
40785Merge: e6578ff fcd8129
40786Author: Brad Spengler <spender@grsecurity.net>
40787Date: Tue Jan 10 16:00:10 2012 -0500
40788
40789 Merge branch 'pax-test' into grsec-test
40790
40791commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
40792Author: Brad Spengler <spender@grsecurity.net>
40793Date: Tue Jan 10 15:58:43 2012 -0500
40794
40795 Merge changes from pax-linux-3.1.8-test23.patch
40796
40797commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
40798Merge: 8859ec3 a120549
40799Author: Brad Spengler <spender@grsecurity.net>
40800Date: Fri Jan 6 21:45:56 2012 -0500
40801
40802 Merge branch 'pax-test' into grsec-test
40803
40804commit a12054967a77090de1caa07c41e694a77db4e237
40805Author: Brad Spengler <spender@grsecurity.net>
40806Date: Fri Jan 6 21:45:30 2012 -0500
40807
40808 Merge changes from pax-linux-3.1.8-test22.patch
40809
40810commit 8859ec32f9815c274df65448f9f2960176c380d3
40811Merge: a5016b4 ddd4114
40812Author: Brad Spengler <spender@grsecurity.net>
40813Date: Fri Jan 6 21:26:08 2012 -0500
40814
40815 Merge branch 'pax-test' into grsec-test
40816
40817 Conflicts:
40818 fs/binfmt_elf.c
40819 security/Kconfig
40820
40821commit ddd41147e158a79704983a409b7433eba797cf66
40822Author: Brad Spengler <spender@grsecurity.net>
40823Date: Fri Jan 6 21:12:42 2012 -0500
40824
40825 Resync with PaX patch (whitespace difference)
40826
40827commit 29e569df8205c5f0e043fe4803aa984406c8b118
40828Author: Brad Spengler <spender@grsecurity.net>
40829Date: Fri Jan 6 21:09:47 2012 -0500
40830
40831 Merge changes from pax-linux-3.1.8-test21.patch
40832
40833commit a5016b4f9c09c337b17e063a7f369af1e86d944d
40834Merge: 0124c92 04231d5
40835Author: Brad Spengler <spender@grsecurity.net>
40836Date: Fri Jan 6 18:52:20 2012 -0500
40837
40838 Merge branch 'pax-test' into grsec-test
40839
40840commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
40841Merge: 7bdddeb a919904
40842Author: Brad Spengler <spender@grsecurity.net>
40843Date: Fri Jan 6 18:51:50 2012 -0500
40844
40845 Merge branch 'linux-3.1.y' into pax-test
40846
40847 Conflicts:
40848 include/net/flow.h
40849
40850commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
40851Author: Brad Spengler <spender@grsecurity.net>
40852Date: Fri Jan 6 18:33:05 2012 -0500
40853
40854 Make GRKERNSEC_SETXID option compatible with credential debugging
40855
40856commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
40857Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
40858Date: Wed Dec 28 15:57:11 2011 -0800
40859
40860 mm/mempolicy.c: refix mbind_range() vma issue
40861
40862 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
40863 slightly incorrect fix.
40864
40865 Why? Think following case.
40866
40867 1. map 4 pages of a file at offset 0
40868
40869 [0123]
40870
40871 2. map 2 pages just after the first mapping of the same file but with
40872 page offset 2
40873
40874 [0123][23]
40875
40876 3. mbind() 2 pages from the first mapping at offset 2.
40877 mbind_range() should treat new vma is,
40878
40879 [0123][23]
40880 |23|
40881 mbind vma
40882
40883 but it does
40884
40885 [0123][23]
40886 |01|
40887 mbind vma
40888
40889 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
40890
40891 This patch fixes it.
40892
40893 [testcase]
40894 test result - before the patch
40895
40896 case4: 126: test failed. expect '2,4', actual '2,2,2'
40897 case5: passed
40898 case6: passed
40899 case7: passed
40900 case8: passed
40901 case_n: 246: test failed. expect '4,2', actual '1,4'
40902
40903 ------------[ cut here ]------------
40904 kernel BUG at mm/filemap.c:135!
40905 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
40906
40907 (snip long bug on messages)
40908
40909 test result - after the patch
40910
40911 case4: passed
40912 case5: passed
40913 case6: passed
40914 case7: passed
40915 case8: passed
40916 case_n: passed
40917
40918 source: mbind_vma_test.c
40919 ============================================================
40920 #include <numaif.h>
40921 #include <numa.h>
40922 #include <sys/mman.h>
40923 #include <stdio.h>
40924 #include <unistd.h>
40925 #include <stdlib.h>
40926 #include <string.h>
40927
40928 static unsigned long pagesize;
40929 void* mmap_addr;
40930 struct bitmask *nmask;
40931 char buf[1024];
40932 FILE *file;
40933 char retbuf[10240] = "";
40934 int mapped_fd;
40935
40936 char *rubysrc = "ruby -e '\
40937 pid = %d; \
40938 vstart = 0x%llx; \
40939 vend = 0x%llx; \
40940 s = `pmap -q #{pid}`; \
40941 rary = []; \
40942 s.each_line {|line|; \
40943 ary=line.split(\" \"); \
40944 addr = ary[0].to_i(16); \
40945 if(vstart <= addr && addr < vend) then \
40946 rary.push(ary[1].to_i()/4); \
40947 end; \
40948 }; \
40949 print rary.join(\",\"); \
40950 '";
40951
40952 void init(void)
40953 {
40954 void* addr;
40955 char buf[128];
40956
40957 nmask = numa_allocate_nodemask();
40958 numa_bitmask_setbit(nmask, 0);
40959
40960 pagesize = getpagesize();
40961
40962 sprintf(buf, "%s", "mbind_vma_XXXXXX");
40963 mapped_fd = mkstemp(buf);
40964 if (mapped_fd == -1)
40965 perror("mkstemp "), exit(1);
40966 unlink(buf);
40967
40968 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
40969 perror("lseek "), exit(1);
40970 if (write(mapped_fd, "\0", 1) < 0)
40971 perror("write "), exit(1);
40972
40973 addr = mmap(NULL, pagesize*8, PROT_NONE,
40974 MAP_SHARED, mapped_fd, 0);
40975 if (addr == MAP_FAILED)
40976 perror("mmap "), exit(1);
40977
40978 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
40979 perror("mprotect "), exit(1);
40980
40981 mmap_addr = addr + pagesize;
40982
40983 /* make page populate */
40984 memset(mmap_addr, 0, pagesize*6);
40985 }
40986
40987 void fin(void)
40988 {
40989 void* addr = mmap_addr - pagesize;
40990 munmap(addr, pagesize*8);
40991
40992 memset(buf, 0, sizeof(buf));
40993 memset(retbuf, 0, sizeof(retbuf));
40994 }
40995
40996 void mem_bind(int index, int len)
40997 {
40998 int err;
40999
41000 err = mbind(mmap_addr+pagesize*index, pagesize*len,
41001 MPOL_BIND, nmask->maskp, nmask->size, 0);
41002 if (err)
41003 perror("mbind "), exit(err);
41004 }
41005
41006 void mem_interleave(int index, int len)
41007 {
41008 int err;
41009
41010 err = mbind(mmap_addr+pagesize*index, pagesize*len,
41011 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
41012 if (err)
41013 perror("mbind "), exit(err);
41014 }
41015
41016 void mem_unbind(int index, int len)
41017 {
41018 int err;
41019
41020 err = mbind(mmap_addr+pagesize*index, pagesize*len,
41021 MPOL_DEFAULT, NULL, 0, 0);
41022 if (err)
41023 perror("mbind "), exit(err);
41024 }
41025
41026 void Assert(char *expected, char *value, char *name, int line)
41027 {
41028 if (strcmp(expected, value) == 0) {
41029 fprintf(stderr, "%s: passed\n", name);
41030 return;
41031 }
41032 else {
41033 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
41034 name, line,
41035 expected, value);
41036 // exit(1);
41037 }
41038 }
41039
41040 /*
41041 AAAA
41042 PPPPPPNNNNNN
41043 might become
41044 PPNNNNNNNNNN
41045 case 4 below
41046 */
41047 void case4(void)
41048 {
41049 init();
41050 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
41051
41052 mem_bind(0, 4);
41053 mem_unbind(2, 2);
41054
41055 file = popen(buf, "r");
41056 fread(retbuf, sizeof(retbuf), 1, file);
41057 Assert("2,4", retbuf, "case4", __LINE__);
41058
41059 fin();
41060 }
41061
41062 /*
41063 AAAA
41064 PPPPPPNNNNNN
41065 might become
41066 PPPPPPPPPPNN
41067 case 5 below
41068 */
41069 void case5(void)
41070 {
41071 init();
41072 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
41073
41074 mem_bind(0, 2);
41075 mem_bind(2, 2);
41076
41077 file = popen(buf, "r");
41078 fread(retbuf, sizeof(retbuf), 1, file);
41079 Assert("4,2", retbuf, "case5", __LINE__);
41080
41081 fin();
41082 }
41083
41084 /*
41085 AAAA
41086 PPPPNNNNXXXX
41087 might become
41088 PPPPPPPPPPPP 6
41089 */
41090 void case6(void)
41091 {
41092 init();
41093 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
41094
41095 mem_bind(0, 2);
41096 mem_bind(4, 2);
41097 mem_bind(2, 2);
41098
41099 file = popen(buf, "r");
41100 fread(retbuf, sizeof(retbuf), 1, file);
41101 Assert("6", retbuf, "case6", __LINE__);
41102
41103 fin();
41104 }
41105
41106 /*
41107 AAAA
41108 PPPPNNNNXXXX
41109 might become
41110 PPPPPPPPXXXX 7
41111 */
41112 void case7(void)
41113 {
41114 init();
41115 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
41116
41117 mem_bind(0, 2);
41118 mem_interleave(4, 2);
41119 mem_bind(2, 2);
41120
41121 file = popen(buf, "r");
41122 fread(retbuf, sizeof(retbuf), 1, file);
41123 Assert("4,2", retbuf, "case7", __LINE__);
41124
41125 fin();
41126 }
41127
41128 /*
41129 AAAA
41130 PPPPNNNNXXXX
41131 might become
41132 PPPPNNNNNNNN 8
41133 */
41134 void case8(void)
41135 {
41136 init();
41137 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
41138
41139 mem_bind(0, 2);
41140 mem_interleave(4, 2);
41141 mem_interleave(2, 2);
41142
41143 file = popen(buf, "r");
41144 fread(retbuf, sizeof(retbuf), 1, file);
41145 Assert("2,4", retbuf, "case8", __LINE__);
41146
41147 fin();
41148 }
41149
41150 void case_n(void)
41151 {
41152 init();
41153 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
41154
41155 /* make redundunt mappings [0][1234][34][7] */
41156 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
41157 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
41158
41159 /* Expect to do nothing. */
41160 mem_unbind(2, 2);
41161
41162 file = popen(buf, "r");
41163 fread(retbuf, sizeof(retbuf), 1, file);
41164 Assert("4,2", retbuf, "case_n", __LINE__);
41165
41166 fin();
41167 }
41168
41169 int main(int argc, char** argv)
41170 {
41171 case4();
41172 case5();
41173 case6();
41174 case7();
41175 case8();
41176 case_n();
41177
41178 return 0;
41179 }
41180 =============================================================
41181
41182 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
41183 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
41184 Cc: Minchan Kim <minchan.kim@gmail.com>
41185 Cc: Caspar Zhang <caspar@casparzhang.com>
41186 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
41187 Cc: Christoph Lameter <cl@linux.com>
41188 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
41189 Cc: Mel Gorman <mel@csn.ul.ie>
41190 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
41191 Cc: <stable@vger.kernel.org> [3.1.x]
41192 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
41193 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
41194
41195commit f3a1082005781777086df235049f8c0b7efe524e
41196Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
41197Date: Tue Dec 27 22:32:41 2011 -0500
41198
41199 packet: fix possible dev refcnt leak when bind fail
41200
41201 If bind is fail when bind is called after set PACKET_FANOUT
41202 sock option, the dev refcnt will leak.
41203
41204 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
41205 Signed-off-by: David S. Miller <davem@davemloft.net>
41206
41207commit 915f8b08dac68839dc7204ee81cf9852fda16d24
41208Author: Haogang Chen <haogangchen@gmail.com>
41209Date: Mon Dec 19 17:11:56 2011 -0800
41210
41211 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
41212
41213 There is a potential integer overflow in nilfs_ioctl_clean_segments().
41214 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
41215 call to vmalloc() will allocate a buffer smaller than expected, which
41216 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
41217 lfs_clean_segments().
41218
41219 The following check does not prevent the overflow because nsegs is also
41220 controlled by the userspace and could be very large.
41221
41222 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
41223 goto out_free;
41224
41225 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
41226 returns -EINVAL when overflow.
41227
41228 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
41229 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
41230 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
41231 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
41232
41233commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
41234Author: Kautuk Consul <consul.kautuk@gmail.com>
41235Date: Mon Dec 19 17:12:04 2011 -0800
41236
41237 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
41238
41239 Static storage is not required for the struct vmap_area in
41240 __get_vm_area_node.
41241
41242 Removing "static" to store this variable on the stack instead.
41243
41244 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
41245 Acked-by: David Rientjes <rientjes@google.com>
41246 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
41247 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
41248
41249commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
41250Author: Michel Lespinasse <walken@google.com>
41251Date: Mon Dec 19 17:12:06 2011 -0800
41252
41253 binary_sysctl(): fix memory leak
41254
41255 binary_sysctl() calls sysctl_getname() which allocates from names_cache
41256 slab usin __getname()
41257
41258 The matching function to free the name is __putname(), and not putname()
41259 which should be used only to match getname() allocations.
41260
41261 This is because when auditing is enabled, putname() calls audit_putname
41262 *instead* (not in addition) to __putname(). Then, if a syscall is in
41263 progress, audit_putname does not release the name - instead, it expects
41264 the name to get released when the syscall completes, but that will happen
41265 only if audit_getname() was called previously, i.e. if the name was
41266 allocated with getname() rather than the naked __getname(). So,
41267 __getname() followed by putname() ends up leaking memory.
41268
41269 Signed-off-by: Michel Lespinasse <walken@google.com>
41270 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
41271 Cc: Christoph Hellwig <hch@infradead.org>
41272 Cc: Eric Paris <eparis@redhat.com>
41273 Cc: <stable@vger.kernel.org>
41274 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
41275 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
41276
41277commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
41278Author: Sean Hefty <sean.hefty@intel.com>
41279Date: Tue Dec 6 21:17:11 2011 +0000
41280
41281 RDMA/cma: Verify private data length
41282
41283 private_data_len is defined as a u8. If the user specifies a large
41284 private_data size (> 220 bytes), we will calculate a total length that
41285 exceeds 255, resulting in private_data_len wrapping back to 0. This
41286 can lead to overwriting random kernel memory. Avoid this by verifying
41287 that the resulting size fits into a u8.
41288
41289 Reported-by: B. Thery <benjamin.thery@bull.net>
41290 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
41291 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
41292 Signed-off-by: Roland Dreier <roland@purestorage.com>
41293
41294commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
41295Author: Xi Wang <xi.wang@gmail.com>
41296Date: Sun Dec 11 23:40:56 2011 -0800
41297
41298 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
41299
41300 The error check (intr_status < 0) didn't work because intr_status is
41301 a u8. Change its type to signed int.
41302
41303 Signed-off-by: Xi Wang <xi.wang@gmail.com>
41304 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
41305
41306commit e27f34e383d7863b2528a63b81b23db09781f6b6
41307Author: Xi Wang <xi.wang@gmail.com>
41308Date: Fri Dec 16 12:44:15 2011 +0000
41309
41310 sctp: fix incorrect overflow check on autoclose
41311
41312 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
41313 limiting the autoclose value. If userspace passes in -1 on 32-bit
41314 platform, the overflow check didn't work and autoclose would be set
41315 to 0xffffffff.
41316
41317 This patch defines a max_autoclose (in seconds) for limiting the value
41318 and exposes it through sysctl, with the following intentions.
41319
41320 1) Avoid overflowing autoclose * HZ.
41321
41322 2) Keep the default autoclose bound consistent across 32- and 64-bit
41323 platforms (INT_MAX / HZ in this patch).
41324
41325 3) Keep the autoclose value consistent between setsockopt() and
41326 getsockopt() calls.
41327
41328 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
41329 Signed-off-by: Xi Wang <xi.wang@gmail.com>
41330 Signed-off-by: David S. Miller <davem@davemloft.net>
41331
41332commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
41333Author: Xi Wang <xi.wang@gmail.com>
41334Date: Wed Dec 21 05:18:33 2011 -0500
41335
41336 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
41337
41338 Commit e133e737 didn't correctly fix the integer overflow issue.
41339
41340 - unsigned int required_size;
41341 + u64 required_size;
41342 ...
41343 required_size = mode_cmd->pitch * mode_cmd->height;
41344 - if (unlikely(required_size > dev_priv->vram_size)) {
41345 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
41346
41347 Note that both pitch and height are u32. Their product is still u32 and
41348 would overflow before being assigned to required_size. A correct way is
41349 to convert pitch and height to u64 before the multiplication.
41350
41351 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
41352
41353 This patch calls the existing vmw_kms_validate_mode_vram() for
41354 validation.
41355
41356 Signed-off-by: Xi Wang <xi.wang@gmail.com>
41357 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
41358 Signed-off-by: Dave Airlie <airlied@redhat.com>
41359
41360 Conflicts:
41361
41362 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
41363
41364commit eb8f0bd01fb994c9abc77dc84729794cd841753d
41365Author: Xi Wang <xi.wang@gmail.com>
41366Date: Thu Dec 22 13:35:22 2011 +0000
41367
41368 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
41369
41370 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
41371 cause a kernel oops due to insufficient bounds checking.
41372
41373 if (count > 1<<30) {
41374 /* Enforce a limit to prevent overflow */
41375 return -EINVAL;
41376 }
41377 count = roundup_pow_of_two(count);
41378 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
41379
41380 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
41381
41382 ... + (count * sizeof(struct rps_dev_flow))
41383
41384 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
41385 32 bits.
41386
41387 This patch replaces the magic number (1 << 30) with a symbolic bound.
41388
41389 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
41390 Signed-off-by: Xi Wang <xi.wang@gmail.com>
41391 Signed-off-by: David S. Miller <davem@davemloft.net>
41392
41393commit 648188958672024b616c42c1f6c98c8cfc85619d
41394Author: Xi Wang <xi.wang@gmail.com>
41395Date: Fri Dec 30 10:40:17 2011 -0500
41396
41397 netfilter: ctnetlink: fix timeout calculation
41398
41399 The sanity check (timeout < 0) never works; the dividend is unsigned
41400 and so is the division, which should have been a signed division.
41401
41402 long timeout = (ct->timeout.expires - jiffies) / HZ;
41403 if (timeout < 0)
41404 timeout = 0;
41405
41406 This patch converts the time values to signed for the division.
41407
41408 Signed-off-by: Xi Wang <xi.wang@gmail.com>
41409 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
41410
41411commit ab03a0973cee73f88655ff4981812ad316a6cd59
41412Merge: 76f82df 7bdddeb
41413Author: Brad Spengler <spender@grsecurity.net>
41414Date: Tue Jan 3 17:42:50 2012 -0500
41415
41416 Merge branch 'pax-test' into grsec-test
41417
41418commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
41419Merge: 3e59cb5 55cc81a
41420Author: Brad Spengler <spender@grsecurity.net>
41421Date: Tue Jan 3 17:42:36 2012 -0500
41422
41423 Merge branch 'linux-3.1.y' into pax-test
41424
41425commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
41426Author: Brad Spengler <spender@grsecurity.net>
41427Date: Thu Dec 22 20:15:02 2011 -0500
41428
41429 Only further restrict futex targeting another process -- our modified
41430 permission check also happened to allow a case where a process retaining
41431 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
41432 being non-zero (reported on forums by ben_w)
41433
41434commit 6b235a4450a5fea41663ec35fa0608988b6078c6
41435Merge: 97c16f0 3e59cb5
41436Author: Brad Spengler <spender@grsecurity.net>
41437Date: Thu Dec 22 19:11:06 2011 -0500
41438
41439 Merge branch 'pax-test' into grsec-test
41440
41441 Conflicts:
41442 fs/hfs/btree.c
41443
41444commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
41445Merge: 285eb4e c26f60b
41446Author: Brad Spengler <spender@grsecurity.net>
41447Date: Thu Dec 22 19:09:57 2011 -0500
41448
41449 Merge branch 'linux-3.1.y' into pax-test
41450
41451 Conflicts:
41452 arch/x86/kernel/process.c
41453
41454commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
41455Author: Brad Spengler <spender@grsecurity.net>
41456Date: Mon Dec 19 21:54:01 2011 -0500
41457
41458 Add new option: "Enforce consistent multithreaded privileges"
41459
41460commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
41461Author: Brad Spengler <spender@grsecurity.net>
41462Date: Wed Dec 7 19:58:31 2011 -0500
41463
41464 Remove harmless duplicate code -- exec_file would be null already so the
41465 second check would never pass.
41466
41467commit 4e3304e94aa72737810bc50169519af157dce4ce
41468Author: Brad Spengler <spender@grsecurity.net>
41469Date: Wed Dec 7 19:50:39 2011 -0500
41470
41471 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
41472 depended on for attaching to a thread. Entries exist in /proc for
41473 threads, but are not visible in a readdir.
41474
41475commit 1bd899335f23815cfe8deac44c6b346398f3b95e
41476Author: Brad Spengler <spender@grsecurity.net>
41477Date: Sun Dec 4 18:03:28 2011 -0500
41478
41479 Put the already-walked path if in RCU-walk mode
41480
41481commit ec7ae36b7159f10649709779443a988662965d66
41482Author: Brad Spengler <spender@grsecurity.net>
41483Date: Sun Dec 4 17:35:21 2011 -0500
41484
41485 Fix memory leak introduced by recent (unpublished) commit
41486 75ab998b94a29d464518d6d501bdde3fbfcbfa14
41487
41488commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
41489Author: Brad Spengler <spender@grsecurity.net>
41490Date: Sun Dec 4 13:56:10 2011 -0500
41491
41492 Explicitly check size copied to userland in override_release to silence gcc
41493
41494commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
41495Author: Brad Spengler <spender@grsecurity.net>
41496Date: Sun Dec 4 13:54:02 2011 -0500
41497
41498 Initialize variable to silence erroneous gcc warning
41499
41500commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
41501Author: Brad Spengler <spender@grsecurity.net>
41502Date: Sun Dec 4 13:47:47 2011 -0500
41503
41504 Future-proof other potential RCU-aware locations where we can log.
41505
41506commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
41507Author: Brad Spengler <spender@grsecurity.net>
41508Date: Sun Dec 4 13:02:54 2011 -0500
41509
41510 Fix freeze reported by 'vs' on the forums. Bug occurred due to
41511 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
41512 in generic_permission() was in the task's effective set but disallowed by
41513 RBAC, would block when acquiring locks resulting in the freeze.
41514
41515 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
41516 as being required when CAP_DAC_OVERRIDE is present (consistent with
41517 older patches).
41518
41519commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
41520Author: Xi Wang <xi.wang@gmail.com>
41521Date: Tue Nov 29 09:26:30 2011 +0000
41522
41523 sctp: better integer overflow check in sctp_auth_create_key()
41524
41525 The check from commit 30c2235c is incomplete and cannot prevent
41526 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
41527 left-hand side of the check (INT_MAX - key_len), which is unsigned,
41528 becomes 0xffffffff (UINT_MAX) and bypasses the check.
41529
41530 However this shouldn't be a security issue. The function is called
41531 from the following two code paths:
41532
41533 1) setsockopt()
41534
41535 2) sctp_auth_asoc_set_secret()
41536
41537 In case (1), sca_keylength is never going to exceed 65535 since it's
41538 bounded by a u16 from the user API. As such, the key length will
41539 never overflow.
41540
41541 In case (2), sca_keylength is computed based on the user key (1 short)
41542 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
41543 will not overflow.
41544
41545 In other words, this overflow check is not really necessary. Just
41546 make it more correct.
41547
41548 Signed-off-by: Xi Wang <xi.wang@gmail.com>
41549 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
41550 Signed-off-by: David S. Miller <davem@davemloft.net>
41551
41552commit e565e28c3635a1d50f80541fbf6b606d742fec76
41553Author: Josh Boyer <jwboyer@redhat.com>
41554Date: Fri Aug 19 14:50:26 2011 -0400
41555
41556 fs/minix: Verify bitmap block counts before mounting
41557
41558 Newer versions of MINIX can create filesystems that allocate an extra
41559 bitmap block. Mounting of this succeeds, but doing a statfs call will
41560 result in an oops in count_free because of a negative number being used
41561 for the bh index.
41562
41563 Avoid this by verifying the number of allocated blocks at mount time,
41564 erroring out if there are not enough and make statfs ignore the extras
41565 if there are too many.
41566
41567 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
41568
41569 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
41570 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
41571
41572commit 6e134e398ec1a3f428261680e83df4319e64bed9
41573Author: Julia Lawall <julia@diku.dk>
41574Date: Tue Nov 15 14:53:11 2011 -0800
41575
41576 drivers/gpu/vga/vgaarb.c: add missing kfree
41577
41578 kbuf is a buffer that is local to this function, so all of the error paths
41579 leaving the function should release it.
41580
41581 Signed-off-by: Julia Lawall <julia@diku.dk>
41582 Cc: Jesper Juhl <jj@chaosbits.net>
41583 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
41584 Signed-off-by: Dave Airlie <airlied@redhat.com>
41585
41586commit 2b9057b321e36860e8d63985b5c4e496f254b717
41587Author: Brad Spengler <spender@grsecurity.net>
41588Date: Sat Dec 3 21:33:28 2011 -0500
41589
41590 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
41591
41592commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
41593Author: Brad Spengler <spender@grsecurity.net>
41594Date: Sat Dec 3 21:29:37 2011 -0500
41595
41596 Import pax-linux-3.1.4-test18.patch
41597
41598commit 285eb4ea45d853ae00426b3315a61c1368080dad
41599Author: Brad Spengler <spender@grsecurity.net>
41600Date: Sat Dec 10 18:33:46 2011 -0500
41601
41602 Import changes from pax-linux-3.1.5-test20.patch
41603
41604commit a6bda918fc90ec1d5c387e978d147ad2044153f1
41605Author: Brad Spengler <spender@grsecurity.net>
41606Date: Thu Dec 8 20:55:54 2011 -0500
41607
41608 Import changes from pax-linux-3.1.4-test19.patch
41609
41610commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
41611Author: Brad Spengler <spender@grsecurity.net>
41612Date: Sat Dec 3 21:29:37 2011 -0500
41613
41614 Import pax-linux-3.1.4-test18.patch
41615commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
41616Merge: c3ccfb2 777e08c
41617Author: Brad Spengler <spender@grsecurity.net>
41618Date: Sun Sep 8 19:49:04 2013 -0400
41619
41620 Merge branch 'pax-test' into grsec-test
41621
41622commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
41623Author: Brad Spengler <spender@grsecurity.net>
41624Date: Sun Sep 8 19:47:32 2013 -0400
41625
41626 Update to pax-linux-3.10.11-test26.patch:
41627 - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
41628 - fixed an uninitialized read in splice, reported by hunger
41629
41630 fs/splice.c | 1 +
41631 include/linux/syscalls.h | 14 +-
41632 tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++----------------
41633 3 files changed, 247 insertions(+), 194 deletions(-)
41634
41635commit 5c3161364270c842d901789faac731f79a9f9cd6
41636Merge: cf9c476 85cdabb
41637Author: Brad Spengler <spender@grsecurity.net>
41638Date: Sun Sep 8 19:24:25 2013 -0400
41639
41640 Merge branch 'linux-3.10.y' into pax-test
41641
41642commit c3ccfb29794a03413095422100ce90d40ef7df0f
41643Author: Jakob Bornecrantz <jakob@vmware.com>
41644Date: Thu Aug 29 02:32:53 2013 +0200
41645
41646 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
41647
41648 drm/vmwgfx: Split GMR2_REMAP commands if they are to large
41649
41650 This fixes the piglit test texturing/max-texture-size
41651 causing the VM to die due to a too large SVGA command.
41652
41653 Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
41654 Reviewed-by: Biran Paul <brianp@vmware.com>
41655 Reviewed-by: Zack Rusin <zackr@vmware.com>
41656 Cc: stable@vger.kernel.org
41657 Signed-off-by: Dave Airlie <airlied@gmail.com>
41658
41659 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
41660 1 files changed, 39 insertions(+), 19 deletions(-)
41661
41662commit d260badf708d6aa16c44f56f54727532dcae826e
41663Author: Daniel Borkmann <dborkman@redhat.com>
41664Date: Tue Sep 3 19:29:12 2013 +0200
41665
41666 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
41667
41668 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
41669
41670 In tcp_v6_do_rcv() code, when processing pkt options, we soley work
41671 on our skb clone opt_skb that we've created earlier before entering
41672 tcp_rcv_established() on our way. However, only in condition ...
41673
41674 if (np->rxopt.bits.rxtclass)
41675 np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
41676
41677 ... we work on skb itself. As we extract every other information out
41678 of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
41679 already be released by tcp_rcv_established() earlier on. When we try
41680 to access it in ipv6_hdr(), we will dereference freed skb.
41681
41682 [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
41683 IP_PKTOPTIONS") ]
41684
41685 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
41686 Cc: Eric Dumazet <eric.dumazet@gmail.com>
41687 Acked-by: Eric Dumazet <edumazet@google.com>
41688 Acked-by: Jiri Benc <jbenc@redhat.com>
41689 Signed-off-by: David S. Miller <davem@davemloft.net>
41690
41691 net/ipv6/tcp_ipv6.c | 2 +-
41692 1 files changed, 1 insertions(+), 1 deletions(-)
41693
41694commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
41695Author: Dan Carpenter <dan.carpenter@oracle.com>
41696Date: Thu Aug 29 11:47:00 2013 +0300
41697
41698 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
41699
41700 mISDN: return -EINVAL on error in dsp_control_req()
41701
41702 If skb->len is too short then we should return an error. Otherwise we
41703 read beyond the end of skb->data for several bytes.
41704
41705 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
41706 Signed-off-by: David S. Miller <davem@davemloft.net>
41707
41708 drivers/isdn/mISDN/dsp_core.c | 4 +++-
41709 1 files changed, 3 insertions(+), 1 deletions(-)
41710
41711commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
41712Author: Brad Spengler <spender@grsecurity.net>
41713Date: Thu Sep 5 19:36:23 2013 -0400
41714
41715 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
41716
41717 grsecurity/Kconfig | 3 ++-
41718 1 files changed, 2 insertions(+), 1 deletions(-)
41719
41720commit da68dbcd96c617923a0aedb177d36b2701f9c858
41721Author: Brad Spengler <spender@grsecurity.net>
41722Date: Thu Sep 5 19:17:02 2013 -0400
41723
41724 Allow the deny_new_usb sysctl to be toggled off by a user with
41725 CAP_SYS_ADMIN. This allows for more inventive uses of the feature
41726 that would be impossible otherwise (like toggling it while the screen is
41727 locked, etc)
41728
41729 grsecurity/grsec_sysctl.c | 4 +---
41730 1 files changed, 1 insertions(+), 3 deletions(-)
41731
41732commit ce0e893adc830ee110f97071cc17e661fb35ae3d
41733Author: Brad Spengler <spender@grsecurity.net>
41734Date: Thu Sep 5 18:41:49 2013 -0400
41735
41736 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
41737 GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
41738 users who know they want the functionality but don't want to bother
41739 with modifying init scripts
41740
41741 Also eliminate reset_security_ops() as a ROP target when
41742 SECURITY_SELINUX_DISABLE is disabled as it's the only user
41743
41744 grsecurity/Kconfig | 17 ++++++++++++++++-
41745 grsecurity/grsec_init.c | 3 +++
41746 grsecurity/grsec_sysctl.c | 2 +-
41747 security/security.c | 4 ++++
41748 4 files changed, 24 insertions(+), 2 deletions(-)
41749
41750commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
41751Merge: 7ee3899 cf9c476
41752Author: Brad Spengler <spender@grsecurity.net>
41753Date: Sun Sep 1 13:56:57 2013 -0400
41754
41755 Merge branch 'pax-test' into grsec-test
41756
41757commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
41758Author: Brad Spengler <spender@grsecurity.net>
41759Date: Sun Sep 1 13:56:16 2013 -0400
41760
41761 Update to pax-linux-3.10.10-test25.patch:
41762 - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
41763 - got inet_getid and ipv6_select_ident rid of the cmpxchg loop
41764
41765 block/blk-cgroup.c | 4 ++--
41766 drivers/video/hyperv_fb.c | 4 ++--
41767 fs/namespace.c | 4 ++--
41768 include/net/inetpeer.h | 13 +++++--------
41769 kernel/trace/trace_clock.c | 4 ++--
41770 net/ipv6/output_core.c | 15 ++++++---------
41771 net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
41772 7 files changed, 21 insertions(+), 27 deletions(-)
41773
41774commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
41775Merge: fd0338c 2bdeae7
41776Author: Brad Spengler <spender@grsecurity.net>
41777Date: Sat Aug 31 22:07:38 2013 -0400
41778
41779 Merge branch 'pax-test' into grsec-test
41780
41781commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
41782Author: Brad Spengler <spender@grsecurity.net>
41783Date: Sat Aug 31 22:06:55 2013 -0400
41784
41785 Update to pax-linux-3.10.10-test24.patch:
41786 - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
41787 - fixed a bunch more after a quick audit of atomic_inc_return users
41788
41789 drivers/acpi/apei/ghes.c | 4 ++--
41790 drivers/ata/libata-core.c | 4 ++--
41791 drivers/ata/libata-scsi.c | 2 +-
41792 drivers/ata/libata.h | 2 +-
41793 drivers/block/drbd/drbd_nl.c | 4 ++--
41794 drivers/crypto/hifn_795x.c | 4 ++--
41795 drivers/edac/edac_device.c | 4 ++--
41796 drivers/edac/edac_pci.c | 4 ++--
41797 drivers/firewire/core-card.c | 4 ++--
41798 drivers/hv/hv_balloon.c | 18 +++++++++---------
41799 drivers/infiniband/hw/mlx4/mad.c | 2 +-
41800 drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
41801 drivers/input/misc/ims-pcu.c | 4 ++--
41802 drivers/input/serio/serio_raw.c | 4 ++--
41803 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
41804 drivers/media/radio/radio-maxiradio.c | 2 +-
41805 drivers/media/radio/radio-shark.c | 2 +-
41806 drivers/media/radio/radio-shark2.c | 2 +-
41807 drivers/media/radio/radio-si476x.c | 2 +-
41808 drivers/media/rc/rc-main.c | 4 ++--
41809 drivers/media/v4l2-core/v4l2-device.c | 4 ++--
41810 drivers/net/usb/sierra_net.c | 4 ++--
41811 drivers/pci/hotplug/pciehp_hpc.c | 4 +---
41812 drivers/regulator/core.c | 4 ++--
41813 drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------
41814 drivers/staging/android/timed_output.c | 6 +++---
41815 drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
41816 drivers/staging/media/solo6x10/solo6x10.h | 2 +-
41817 drivers/target/sbp/sbp_target.c | 4 ++--
41818 drivers/tty/hvc/hvsi.c | 12 ++++++------
41819 drivers/tty/hvc/hvsi_lib.c | 6 +++---
41820 drivers/tty/serial/ioc4_serial.c | 6 +++---
41821 drivers/tty/serial/msm_serial.c | 4 ++--
41822 drivers/usb/misc/appledisplay.c | 4 ++--
41823 fs/afs/inode.c | 4 ++--
41824 fs/btrfs/delayed-inode.c | 6 +++---
41825 fs/btrfs/delayed-inode.h | 4 ++--
41826 fs/fscache/cookie.c | 4 ++--
41827 include/media/v4l2-device.h | 2 +-
41828 net/ceph/messenger.c | 4 ++--
41829 net/core/netpoll.c | 4 ++--
41830 net/xfrm/xfrm_state.c | 4 ++--
41831 security/selinux/avc.c | 6 +++---
41832 43 files changed, 93 insertions(+), 95 deletions(-)
41833
41834commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
41835Merge: 1bdf7ec 85099d2
41836Author: Brad Spengler <spender@grsecurity.net>
41837Date: Sat Aug 31 21:07:29 2013 -0400
41838
41839 Merge branch 'pax-test' into grsec-test
41840
41841commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
41842Author: Brad Spengler <spender@grsecurity.net>
41843Date: Sat Aug 31 21:06:55 2013 -0400
41844
41845 Update to pax-linux-3.10.10-test23.patch:
41846 - added the necessary atomic_unchecked_t conversion for mips
41847 - audited and fixed arm and sparc for proper atomic_unchecked_t usage
41848
41849 arch/arm/kvm/arm.c | 8 ++++----
41850 arch/arm/mm/context.c | 10 +++++-----
41851 arch/mips/kernel/irq.c | 6 +++---
41852 arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------
41853 arch/mips/sgi-ip27/ip27-nmi.c | 6 +++---
41854 arch/sparc/kernel/smp_64.c | 12 ++++++------
41855 arch/sparc/kernel/traps_64.c | 14 +++++++-------
41856 arch/sparc/mm/init_64.c | 10 +++++-----
41857 8 files changed, 45 insertions(+), 45 deletions(-)
41858
41859commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
41860Merge: 995a168 38ee86c
41861Author: Brad Spengler <spender@grsecurity.net>
41862Date: Fri Aug 30 19:23:36 2013 -0400
41863
41864 Merge branch 'pax-test' into grsec-test
41865
41866commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
41867Author: Brad Spengler <spender@grsecurity.net>
41868Date: Fri Aug 30 19:23:11 2013 -0400
41869
41870 Update to pax-linux-3.10.10-test22.patch:
41871 - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
41872 - fixed a few more format strings
41873
41874 arch/mips/include/asm/atomic.h | 20 ++++++++++++++++----
41875 drivers/md/bcache/super.c | 2 +-
41876 drivers/net/wireless/iwlwifi/dvm/main.c | 3 +--
41877 drivers/pci/hotplug/pciehp_hpc.c | 2 +-
41878 drivers/platform/x86/wmi.c | 2 +-
41879 drivers/scsi/sd.c | 2 +-
41880 drivers/vfio/vfio.c | 4 ++--
41881 fs/ntfs/super.c | 6 +++---
41882 include/linux/workqueue.h | 6 +++---
41883 net/mac80211/main.c | 2 +-
41884 sound/pci/hda/hda_codec.c | 8 ++------
41885 11 files changed, 32 insertions(+), 25 deletions(-)
41886
41887commit 995a16841e2097c3a9dfc652e856469679c4a0ba
41888Author: Brad Spengler <spender@grsecurity.net>
41889Date: Fri Aug 30 17:11:11 2013 -0400
41890
41891 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
41892
41893 grsecurity/grsec_sysctl.c | 7 ++++---
41894 1 files changed, 4 insertions(+), 3 deletions(-)
41895
41896commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
41897Merge: be2497c 1052971
41898Author: Brad Spengler <spender@grsecurity.net>
41899Date: Thu Aug 29 20:44:29 2013 -0400
41900
41901 Merge branch 'pax-test' into grsec-test
41902
41903 Conflicts:
41904 include/linux/sched.h
41905
41906commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
41907Merge: e902dad 8bf3379
41908Author: Brad Spengler <spender@grsecurity.net>
41909Date: Thu Aug 29 20:39:50 2013 -0400
41910
41911 Update to pax-linux-3.10.10-test21.patch
41912
41913 Merge branch 'linux-3.10.y' into pax-test
41914
41915 Conflicts:
41916 arch/x86/kernel/sys_x86_64.c
41917 arch/x86/mm/mmap.c
41918 include/linux/sched.h
41919
41920commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
41921Merge: 081c22b e902dad
41922Author: Brad Spengler <spender@grsecurity.net>
41923Date: Wed Aug 28 20:52:44 2013 -0400
41924
41925 Merge branch 'pax-test' into grsec-test
41926
41927commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
41928Author: Brad Spengler <spender@grsecurity.net>
41929Date: Wed Aug 28 20:51:21 2013 -0400
41930
41931 Update to pax-linux-3.10.9-test21.patch:
41932 - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
41933 - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
41934 - fixed a REFCOUNT false positive in UHID
41935 - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
41936 Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
41937 (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
41938 - icmpv6_filter: no memory corruption, probably just some logical error in the caller
41939 - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
41940 - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
41941 - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
41942 - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
41943 - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
41944
41945 arch/arm/mm/fault.c | 2 +-
41946 arch/mips/kernel/traps.c | 2 --
41947 drivers/hid/uhid.c | 6 +++---
41948 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
41949 drivers/isdn/i4l/isdn_common.c | 2 ++
41950 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
41951 drivers/usb/dwc3/gadget.c | 2 --
41952 net/ieee802154/6lowpan.c | 2 +-
41953 net/ipv6/raw.c | 2 +-
41954 net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
41955 10 files changed, 14 insertions(+), 16 deletions(-)
41956
41957commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
41958Author: Brad Spengler <spender@grsecurity.net>
41959Date: Wed Aug 28 20:42:39 2013 -0400
41960
41961 add export of gr_handle_new_usb()
41962
41963 grsecurity/grsec_usb.c | 2 ++
41964 1 files changed, 2 insertions(+), 0 deletions(-)
41965
41966commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
41967Author: Brad Spengler <spender@grsecurity.net>
41968Date: Wed Aug 28 19:24:47 2013 -0400
41969
41970 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
41971 Kees' recent findings are motivation enough to publish it
41972
41973 drivers/usb/core/hub.c | 5 +++++
41974 grsecurity/Kconfig | 20 ++++++++++++++++++++
41975 grsecurity/Makefile | 3 ++-
41976 grsecurity/grsec_init.c | 1 +
41977 grsecurity/grsec_sysctl.c | 11 +++++++++++
41978 grsecurity/grsec_usb.c | 13 +++++++++++++
41979 include/linux/grinternal.h | 1 +
41980 include/linux/grsecurity.h | 2 ++
41981 8 files changed, 55 insertions(+), 1 deletions(-)
41982
41983commit 8044382257ec75a03f3d784ce048ef14e94b90ca
41984Author: Kees Cook <keescook@chromium.org>
41985Date: Wed Aug 14 09:35:07 2013 -0700
41986
41987 HID: zeroplus: validate output report details
41988
41989 The zeroplus HID driver was not checking the size of allocated values
41990 in fields it used. A HID device could send a malicious output report
41991 that would cause the driver to write beyond the output report allocation
41992 during initialization, causing a heap overflow:
41993
41994 [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
41995 ...
41996 [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
41997
41998 CVE-2013-2889
41999
42000 Signed-off-by: Kees Cook <keescook@chromium.org>
42001 Cc: stable@kernel.org
42002
42003 drivers/hid/hid-zpff.c | 14 ++------------
42004 1 files changed, 2 insertions(+), 12 deletions(-)
42005
42006commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
42007Author: Kees Cook <keescook@chromium.org>
42008Date: Wed Aug 14 14:36:15 2013 -0700
42009
42010 HID: provide a helper for validating hid reports
42011
42012 Many drivers need to validate the characteristics of their HID report
42013 during initialization to avoid misusing the reports. This adds a common
42014 helper to perform validation of the report, its field count, and the
42015 value count within the fields.
42016
42017 Signed-off-by: Kees Cook <keescook@chromium.org>
42018 Cc: stable@kernel.org
42019
42020 drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
42021 include/linux/hid.h | 4 +++
42022 2 files changed, 54 insertions(+), 0 deletions(-)
42023
42024commit 270ba9096ddecdc3cf6c4d76e6892184820116be
42025Author: Kees Cook <keescook@chromium.org>
42026Date: Wed Aug 14 09:14:34 2013 -0700
42027
42028 HID: steelseries: validate output report details
42029
42030 A HID device could send a malicious output report that would cause the
42031 steelseries HID driver to write beyond the output report allocation
42032 during initialization, causing a heap overflow:
42033
42034 [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
42035 ...
42036 [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
42037
42038 CVE-2013-2891
42039
42040 Signed-off-by: Kees Cook <keescook@chromium.org>
42041 Cc: stable@kernel.org
42042
42043 drivers/hid/hid-steelseries.c | 5 +++++
42044 1 files changed, 5 insertions(+), 0 deletions(-)
42045
42046commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
42047Author: Kees Cook <keescook@chromium.org>
42048Date: Wed Aug 14 08:49:21 2013 -0700
42049
42050 HID: pantherlord: validate output report details
42051
42052 A HID device could send a malicious output report that would cause the
42053 pantherlord HID driver to write beyond the output report allocation
42054 during initialization, causing a heap overflow:
42055
42056 [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
42057 ...
42058 [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
42059
42060 CVE-2013-2892
42061
42062 Signed-off-by: Kees Cook <keescook@chromium.org>
42063 Cc: stable@kernel.org
42064
42065 drivers/hid/hid-pl.c | 10 ++++++++--
42066 1 files changed, 8 insertions(+), 2 deletions(-)
42067
42068commit 60115e8108e508060815bce5ef9504233c81898c
42069Author: Kees Cook <keescook@chromium.org>
42070Date: Tue Aug 13 16:49:01 2013 -0700
42071
42072 HID: LG: validate HID output report details
42073
42074 A HID device could send a malicious output report that would cause the
42075 lg, lg3, and lg4 HID drivers to write beyond the output report allocation
42076 during an event, causing a heap overflow:
42077
42078 [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
42079 ...
42080 [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
42081
42082 Additionally, while lg2 did correctly validate the report details, it was
42083 cleaned up and shortened.
42084
42085 CVE-2013-2893
42086
42087 Signed-off-by: Kees Cook <keescook@chromium.org>
42088 Cc: stable@kernel.org
42089
42090 drivers/hid/hid-lg2ff.c | 19 +++----------------
42091 drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
42092 drivers/hid/hid-lg4ff.c | 20 +-------------------
42093 drivers/hid/hid-lgff.c | 17 ++---------------
42094 4 files changed, 12 insertions(+), 73 deletions(-)
42095
42096commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
42097Author: Kees Cook <keescook@chromium.org>
42098Date: Thu Aug 15 23:21:23 2013 -0700
42099
42100 HID: lenovo-tpkbd: validate output report details
42101
42102 A HID device could send a malicious output report that would cause the
42103 lenovo-tpkbd HID driver to write just beyond the output report allocation
42104 during initialization, causing a heap overflow:
42105
42106 [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
42107 ...
42108 [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
42109
42110 CVE-2013-2894
42111
42112 Signed-off-by: Kees Cook <keescook@chromium.org>
42113 Cc: stable@kernel.org
42114
42115 drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
42116 1 files changed, 5 insertions(+), 0 deletions(-)
42117
42118commit 38627769bb2b9a550e251b2caf1babda7566fb4a
42119Author: Kees Cook <keescook@chromium.org>
42120Date: Thu Aug 15 23:45:03 2013 -0700
42121
42122 HID: logitech-dj: validate output report details
42123
42124 A HID device could send a malicious output report that would cause the
42125 logitech-dj HID driver to leak kernel memory contents to the device, or
42126 trigger a NULL dereference during initialization:
42127
42128 [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
42129 ...
42130 [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
42131 [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
42132
42133 CVE-2013-2895
42134
42135 Signed-off-by: Kees Cook <keescook@chromium.org>
42136 Cc: stable@kernel.org
42137
42138 drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
42139 1 files changed, 10 insertions(+), 2 deletions(-)
42140
42141commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
42142Author: Kees Cook <keescook@chromium.org>
42143Date: Fri Aug 16 00:18:15 2013 -0700
42144
42145 HID: ntrig: validate feature report details
42146
42147 A HID device could send a malicious feature report that would cause the
42148 ntrig HID driver to trigger a NULL dereference during initialization:
42149
42150 [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
42151 ...
42152 [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
42153 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
42154
42155 CVE-2013-2896
42156
42157 Signed-off-by: Kees Cook <keescook@chromium.org>
42158 Cc: stable@kernel.org
42159
42160 drivers/hid/hid-ntrig.c | 3 ++-
42161 1 files changed, 2 insertions(+), 1 deletions(-)
42162
42163commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
42164Author: Kees Cook <keescook@chromium.org>
42165Date: Fri Aug 16 00:11:32 2013 -0700
42166
42167 HID: multitouch: validate feature report details
42168
42169 When working on report indexes, always validate that they are in bounds.
42170 Without this, a HID device could report a malicious feature report that
42171 could trick the driver into a heap overflow:
42172
42173 [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
42174 ...
42175 [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
42176
42177 CVE-2013-2897
42178
42179 Signed-off-by: Kees Cook <keescook@chromium.org>
42180 Cc: stable@kernel.org
42181
42182 drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
42183 1 files changed, 20 insertions(+), 5 deletions(-)
42184
42185commit 813f51e0881e4ea6d221da828b1cced02ad9694d
42186Author: Kees Cook <keescook@chromium.org>
42187Date: Fri Aug 16 08:12:45 2013 -0700
42188
42189 HID: sensor-hub: validate feature report details
42190
42191 A HID device could send a malicious feature report that would cause the
42192 sensor-hub HID driver to read past the end of heap allocation, leaking
42193 kernel memory contents to the caller.
42194
42195 CVE-2013-2898
42196
42197 Signed-off-by: Kees Cook <keescook@chromium.org>
42198 Cc: stable@kernel.org
42199
42200 drivers/hid/hid-sensor-hub.c | 3 ++-
42201 1 files changed, 2 insertions(+), 1 deletions(-)
42202
42203commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
42204Author: Kees Cook <keescook@chromium.org>
42205Date: Fri Aug 16 08:05:10 2013 -0700
42206
42207 HID: picolcd_core: validate output report details
42208
42209 A HID device could send a malicious output report that would cause the
42210 picolcd HID driver to trigger a NULL dereference during attr file writing.
42211
42212 CVE-2013-2899
42213
42214 Signed-off-by: Kees Cook <keescook@chromium.org>
42215 Cc: stable@kernel.org
42216
42217 drivers/hid/hid-picolcd_core.c | 2 +-
42218 1 files changed, 1 insertions(+), 1 deletions(-)
42219
42220commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
42221Author: Kees Cook <keescook@chromium.org>
42222Date: Fri Aug 16 08:09:54 2013 -0700
42223
42224 HID: check for NULL field when setting values
42225
42226 Defensively check that the field to be worked on is not NULL.
42227
42228 Signed-off-by: Kees Cook <keescook@chromium.org>
42229 Cc: stable@kernel.org
42230
42231 drivers/hid/hid-core.c | 7 ++++++-
42232 1 files changed, 6 insertions(+), 1 deletions(-)
42233
42234commit 96a55ce1b2f3af376c400a02059174e79ce4399c
42235Author: Brad Spengler <spender@grsecurity.net>
42236Date: Wed Aug 28 18:09:18 2013 -0400
42237
42238 http://marc.info/?l=linux-input&m=137772180514608&q=raw
42239
42240 From: Kees Cook <keescook@chromium.org>
42241
42242 The "Report ID" field of a HID report is used to build indexes of
42243 reports. The kernel's index of these is limited to 256 entries, so any
42244 malicious device that sets a Report ID greater than 255 will trigger
42245 memory corruption on the host:
42246
42247 [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
42248 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
42249
42250 CVE-2013-2888
42251
42252 Signed-off-by: Kees Cook <keescook@chromium.org>
42253 Cc: stable@kernel.org
42254 ---
42255 drivers/hid/hid-core.c | 10 +++++++---
42256 include/linux/hid.h | 4 +++-
42257 2 files changed, 10 insertions(+), 4 deletions(-)
42258
42259 drivers/hid/hid-core.c | 10 +++++++---
42260 include/linux/hid.h | 4 +++-
42261 2 files changed, 10 insertions(+), 4 deletions(-)
42262
42263commit eb1106eef5f17bfda833ca3cf89e315919173257
42264Author: Dan Carpenter <dan.carpenter@oracle.com>
42265Date: Fri Aug 9 12:52:31 2013 +0300
42266
42267 Upstream commit: 909bd5926d474e275599094acad986af79671ac9
42268
42269 Hostap: copying wrong data prism2_ioctl_giwaplist()
42270
42271 We want the data stored in "addr" and "qual", but the extra ampersands
42272 mean we are copying stack data instead.
42273
42274 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
42275 Cc: stable@vger.kernel.org
42276 Signed-off-by: John W. Linville <linville@tuxdriver.com>
42277
42278 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
42279 1 files changed, 2 insertions(+), 2 deletions(-)
42280
42281commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
42282Author: Brad Spengler <spender@grsecurity.net>
42283Date: Wed Aug 28 17:01:21 2013 -0400
42284
42285 fix typo in ipv6 backport
42286
42287 net/ipv6/addrconf.c | 2 +-
42288 1 files changed, 1 insertions(+), 1 deletions(-)
42289
42290commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
42291Author: Andy Lutomirski <luto@amacapital.net>
42292Date: Thu Aug 22 11:39:15 2013 -0700
42293
42294 Upstream commit: d661684cf6820331feae71146c35da83d794467e
42295
42296 net: Check the correct namespace when spoofing pid over SCM_RIGHTS
42297
42298 This is a security bug.
42299
42300 The follow-up will fix nsproxy to discourage this type of issue from
42301 happening again.
42302
42303 Cc: stable@vger.kernel.org
42304 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
42305 Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
42306 Signed-off-by: David S. Miller <davem@davemloft.net>
42307
42308 net/core/scm.c | 2 +-
42309 1 files changed, 1 insertions(+), 1 deletions(-)
42310
42311commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
42312Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
42313Date: Fri Aug 16 13:02:27 2013 +0200
42314
42315 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
42316
42317 ipv6: remove max_addresses check from ipv6_create_tempaddr
42318
42319 Because of the max_addresses check attackers were able to disable privacy
42320 extensions on an interface by creating enough autoconfigured addresses:
42321
42322 <http://seclists.org/oss-sec/2012/q4/292>
42323
42324 But the check is not actually needed: max_addresses protects the
42325 kernel to install too many ipv6 addresses on an interface and guards
42326 addrconf_prefix_rcv to install further addresses as soon as this limit
42327 is reached. We only generate temporary addresses in direct response of
42328 a new address showing up. As soon as we filled up the maximum number of
42329 addresses of an interface, we stop installing more addresses and thus
42330 also stop generating more temp addresses.
42331
42332 Even if the attacker tries to generate a lot of temporary addresses
42333 by announcing a prefix and removing it again (lifetime == 0) we won't
42334 install more temp addresses, because the temporary addresses do count
42335 to the maximum number of addresses, thus we would stop installing new
42336 autoconfigured addresses when the limit is reached.
42337
42338 This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
42339 possible).
42340
42341 Thanks to Ding Tianhong to bring this topic up again.
42342
42343 Cc: Ding Tianhong <dingtianhong@huawei.com>
42344 Cc: George Kargiotakis <kargig@void.gr>
42345 Cc: P J P <ppandit@redhat.com>
42346 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
42347 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
42348 Acked-by: Ding Tianhong <dingtianhong@huawei.com>
42349 Signed-off-by: David S. Miller <davem@davemloft.net>
42350
42351 Conflicts:
42352
42353 net/ipv6/addrconf.c
42354
42355 net/ipv6/addrconf.c | 10 ++++------
42356 1 files changed, 4 insertions(+), 6 deletions(-)
42357
42358commit 8333e0981469a226a47d0142ff31090a48db95a4
42359Author: David Vrabel <david.vrabel@citrix.com>
42360Date: Thu Aug 15 13:21:06 2013 +0100
42361
42362 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
42363
42364 xen/events: initialize local per-cpu mask for all possible events
42365
42366 The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
42367 resulting in only the first 64 (or 32 in 32-bit guests) ports having
42368 their bindings being initialized to VCPU 0.
42369
42370 In most cases this does not cause a problem as request_irq() will set
42371 the irq affinity which will set the correct local per-cpu mask.
42372 However, if the request_irq() is called on a VCPU other than 0, there
42373 is a window between the unmasking of the event and the affinity being
42374 set were an event may be lost because it is not locally unmasked on
42375 any VCPU. If request_irq() is called on VCPU 0 then local irqs are
42376 disabled during the window and the race does not occur.
42377
42378 Fix this by initializing all NR_EVENT_CHANNEL bits in the local
42379 per-cpu masks.
42380
42381 Signed-off-by: David Vrabel <david.vrabel@citrix.com>
42382 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
42383 CC: stable@vger.kernel.org
42384
42385 drivers/xen/events.c | 2 +-
42386 1 files changed, 1 insertions(+), 1 deletions(-)
42387
42388commit 2a9a83768433937a2b7a97001ba1627156c0efed
42389Author: Roland Dreier <roland@purestorage.com>
42390Date: Mon Aug 5 17:55:01 2013 -0700
42391
42392 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
42393
42394 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
42395
42396 There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
42397 leads to one process writing data into the address space of some other
42398 random unrelated process if the ioctl is interrupted by a signal.
42399 What happens is the following:
42400
42401 - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
42402 underlying SCSI command will transfer data from the SCSI device to
42403 the buffer provided in the ioctl)
42404
42405 - Before the command finishes, a signal is sent to the process waiting
42406 in the ioctl. This will end up waking up the sg_ioctl() code:
42407
42408 result = wait_event_interruptible(sfp->read_wait,
42409 (srp_done(sfp, srp) || sdp->detached));
42410
42411 but neither srp_done() nor sdp->detached is true, so we end up just
42412 setting srp->orphan and returning to userspace:
42413
42414 srp->orphan = 1;
42415 write_unlock_irq(&sfp->rq_list_lock);
42416 return result; /* -ERESTARTSYS because signal hit process */
42417
42418 At this point the original process is done with the ioctl and
42419 blithely goes ahead handling the signal, reissuing the ioctl, etc.
42420
42421 - Eventually, the SCSI command issued by the first ioctl finishes and
42422 ends up in sg_rq_end_io(). At the end of that function, we run through:
42423
42424 write_lock_irqsave(&sfp->rq_list_lock, iflags);
42425 if (unlikely(srp->orphan)) {
42426 if (sfp->keep_orphan)
42427 srp->sg_io_owned = 0;
42428 else
42429 done = 0;
42430 }
42431 srp->done = done;
42432 write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
42433
42434 if (likely(done)) {
42435 /* Now wake up any sg_read() that is waiting for this
42436 * packet.
42437 */
42438 wake_up_interruptible(&sfp->read_wait);
42439 kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
42440 kref_put(&sfp->f_ref, sg_remove_sfp);
42441 } else {
42442 INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
42443 schedule_work(&srp->ew.work);
42444 }
42445
42446 Since srp->orphan *is* set, we set done to 0 (assuming the
42447 userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
42448 ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
42449 to run in a workqueue.
42450
42451 - In workqueue context we go through sg_rq_end_io_usercontext() ->
42452 sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
42453 bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
42454
42455 The key point here is that we are doing copy_to_user() on a
42456 workqueue -- that is, we're on a kernel thread with current->mm
42457 equal to whatever random previous user process was scheduled before
42458 this kernel thread. So we end up copying whatever data the SCSI
42459 command returned to the virtual address of the buffer passed into
42460 the original ioctl, but it's quite likely we do this copying into a
42461 different address space!
42462
42463 As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
42464 add a check for current->mm (which is NULL if we're on a kernel thread
42465 without a real userspace address space) in bio_uncopy_user(), and skip
42466 the copy if we're on a kernel thread.
42467
42468 There's no reason that I can think of for any caller of bio_uncopy_user()
42469 to want to do copying on a kernel thread with a random active userspace
42470 address space.
42471
42472 Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
42473 original pointer to this bug in the sg code.
42474
42475 Signed-off-by: Roland Dreier <roland@purestorage.com>
42476 Tested-by: David Milburn <dmilburn@redhat.com>
42477 Cc: Jens Axboe <axboe@kernel.dk>
42478 Cc: <stable@vger.kernel.org>
42479 Signed-off-by: James Bottomley <JBottomley@Parallels.com>
42480
42481 fs/bio.c | 20 +++++++++++++++-----
42482 1 files changed, 15 insertions(+), 5 deletions(-)
42483
42484commit e6fe57dee152671afd618d6bc8cbf23155be6c34
42485Merge: cdc8f7d f2095a4
42486Author: Brad Spengler <spender@grsecurity.net>
42487Date: Tue Aug 27 18:13:35 2013 -0400
42488
42489 Merge branch 'pax-test' into grsec-test
42490
42491 Conflicts:
42492 arch/arm/mm/fault.c
42493 security/Kconfig
42494
42495commit f2095a4787f7d332e5919f0bd00f8de6021ad612
42496Author: Brad Spengler <spender@grsecurity.net>
42497Date: Tue Aug 27 18:08:23 2013 -0400
42498
42499 Update to pax-linux-3.10.9-test20.patch:
42500 - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
42501 - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
42502 - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
42503 - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
42504 - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
42505 - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
42506 - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)
42507
42508 arch/arm/mm/fault.c | 11 +-
42509 arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++--
42510 arch/mips/kernel/traps.c | 14 +-
42511 arch/x86/include/asm/tlbflush.h | 4 +
42512 arch/x86/include/asm/uaccess_64.h | 2 +-
42513 fs/ntfs/file.c | 2 +-
42514 kernel/events/internal.h | 4 +-
42515 kernel/events/uprobes.c | 2 +-
42516 kernel/futex.c | 2 +-
42517 mm/filemap.c | 8 +-
42518 security/Kconfig | 2 +-
42519 tools/gcc/kernexec_plugin.c | 18 +-
42520 tools/gcc/latent_entropy_plugin.c | 26 +-
42521 tools/gcc/size_overflow_plugin.c | 3 +-
42522 14 files changed, 750 insertions(+), 70 deletions(-)
42523
42524commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
42525Merge: 5a9ae57 745975e
42526Author: Brad Spengler <spender@grsecurity.net>
42527Date: Mon Aug 26 20:27:33 2013 -0400
42528
42529 Merge branch 'pax-test' into grsec-test
42530
42531commit 745975e3b3b74b64e00e85778f9a22714d1274f2
42532Author: Brad Spengler <spender@grsecurity.net>
42533Date: Mon Aug 26 20:26:33 2013 -0400
42534
42535 Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
42536 as reported by fabled on the forums:
42537 http://forums.grsecurity.net/viewtopic.php?f=1&t=3720
42538
42539 arch/arm/include/asm/pgtable.h | 4 +---
42540 1 files changed, 1 insertions(+), 3 deletions(-)
42541
42542commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
42543Merge: 486ec00 f68df21
42544Author: Brad Spengler <spender@grsecurity.net>
42545Date: Tue Aug 20 20:15:20 2013 -0400
42546
42547 Merge branch 'pax-test' into grsec-test
42548
42549commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
42550Author: Brad Spengler <spender@grsecurity.net>
42551Date: Tue Aug 20 20:14:50 2013 -0400
42552
42553 Update to pax-linux-3.10.9-test18.patch:
42554 - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
42555 - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
42556 - forward port to 3.10.9
42557
42558 arch/x86/kernel/entry_64.S | 18 +++++++++---------
42559 arch/x86/kernel/i386_ksyms_32.c | 4 ++++
42560 arch/x86/kernel/x8664_ksyms_64.c | 4 ++++
42561 3 files changed, 17 insertions(+), 9 deletions(-)
42562
42563commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
42564Merge: f47a293 d8fed0e
42565Author: Brad Spengler <spender@grsecurity.net>
42566Date: Tue Aug 20 20:12:47 2013 -0400
42567
42568 Merge branch 'pax-test' into grsec-test
42569
42570commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
42571Merge: f6ace8e 0a4b6d4
42572Author: Brad Spengler <spender@grsecurity.net>
42573Date: Tue Aug 20 20:12:33 2013 -0400
42574
42575 Merge branch 'linux-3.10.y' into pax-test
42576
42577commit f47a293a1440da2a3e2c239d43d636e37ca74f10
42578Merge: f1e8ec7 f6ace8e
42579Author: Brad Spengler <spender@grsecurity.net>
42580Date: Tue Aug 20 18:20:05 2013 -0400
42581
42582 Merge branch 'pax-test' into grsec-test
42583
42584 Conflicts:
42585 arch/arm/kernel/perf_event.c
42586 include/linux/sched.h
42587
42588commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
42589Merge: b4fa847 6f54059
42590Author: Brad Spengler <spender@grsecurity.net>
42591Date: Tue Aug 20 18:18:02 2013 -0400
42592
42593 Update to pax-linux-3.10.8-test18.patch
42594
42595 Merge branch 'linux-3.10.y' into pax-test
42596
42597 Conflicts:
42598 arch/x86/kernel/sys_x86_64.c
42599 arch/x86/mm/mmap.c
42600 include/linux/sched.h
42601
42602commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
42603Merge: 6f88011 b4fa847
42604Author: Brad Spengler <spender@grsecurity.net>
42605Date: Tue Aug 20 18:05:12 2013 -0400
42606
42607 Merge branch 'pax-test' into grsec-test
42608
42609commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
42610Author: Brad Spengler <spender@grsecurity.net>
42611Date: Tue Aug 20 18:04:14 2013 -0400
42612
42613 Update to pax-linux-3.10.7-test18.patch:
42614 - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
42615 - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
42616 - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause
42617
42618 arch/arm/kernel/process.c | 2 +-
42619 arch/x86/include/asm/processor.h | 25 ++-----------------------
42620 arch/x86/kernel/cpu/common.c | 4 ++++
42621 arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
42622 drivers/staging/zcache/tmem.c | 4 ++--
42623 drivers/staging/zcache/tmem.h | 6 ++----
42624 6 files changed, 47 insertions(+), 30 deletions(-)
42625
42626commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
42627Author: Brad Spengler <spender@grsecurity.net>
42628Date: Mon Aug 19 22:10:04 2013 -0400
42629
42630 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
42631 as reported by pipacs
42632
42633 arch/x86/kernel/smpboot.c | 3 ---
42634 1 files changed, 0 insertions(+), 3 deletions(-)
42635
42636commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
42637Merge: 6eba999 5de93c8
42638Author: Brad Spengler <spender@grsecurity.net>
42639Date: Sun Aug 18 22:03:19 2013 -0400
42640
42641 Merge branch 'pax-test' into grsec-test
42642
42643commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
42644Author: Brad Spengler <spender@grsecurity.net>
42645Date: Sun Aug 18 22:02:47 2013 -0400
42646
42647 Update to pax-linux-3.10.7-test15.patch:
42648 - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
42649 - fixed some new REFCOUNT false positives, caught by inspection
42650
42651 arch/x86/kernel/cpu/common.c | 5 +++--
42652 arch/x86/kernel/entry_64.S | 11 +++++++----
42653 fs/ceph/super.c | 4 ++--
42654 mm/backing-dev.c | 4 ++--
42655 4 files changed, 14 insertions(+), 10 deletions(-)
42656
42657commit 94c119587c76723c1072237b98fff9886ccb7689
42658Author: Brad Spengler <spender@grsecurity.net>
42659Date: Sun Aug 18 20:49:39 2013 -0400
42660
42661 fix pipacs' DEMORGAN typo
42662
42663 arch/x86/include/asm/tlbflush.h | 2 +-
42664 1 files changed, 1 insertions(+), 1 deletions(-)
42665
42666commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
42667Merge: df347f6 64a293e
42668Author: Brad Spengler <spender@grsecurity.net>
42669Date: Sun Aug 18 18:13:04 2013 -0400
42670
42671 Merge branch 'pax-test' into grsec-test
42672
42673commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
42674Author: Brad Spengler <spender@grsecurity.net>
42675Date: Sun Aug 18 18:12:37 2013 -0400
42676
42677 Update to pax-linux-3.10.7-test14.patch:
42678 - fixed compile error introduced by the previous PCID change
42679 - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
42680
42681 arch/x86/include/asm/tlbflush.h | 2 +-
42682 kernel/posix-timers.c | 2 +-
42683 2 files changed, 2 insertions(+), 2 deletions(-)
42684
42685commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
42686Merge: d8efbc5 e11b314
42687Author: Brad Spengler <spender@grsecurity.net>
42688Date: Sun Aug 18 08:15:00 2013 -0400
42689
42690 Merge branch 'pax-test' into grsec-test
42691
42692commit e11b314734c5b7317f5468be75305ad812e78c2b
42693Author: Brad Spengler <spender@grsecurity.net>
42694Date: Sun Aug 18 08:14:26 2013 -0400
42695
42696 Update to pax-linux-3.10.7-test13.patch:
42697 - always enable the use of PCID and INVPCID when available in the CPU
42698 - kvm guest kernels can use these features even if the host kernel lacks UDEREF
42699
42700 arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++----------------
42701 arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++----------
42702 2 files changed, 70 insertions(+), 47 deletions(-)
42703
42704commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
42705Author: Brad Spengler <spender@grsecurity.net>
42706Date: Sat Aug 17 12:00:20 2013 -0400
42707
42708 make kallsyms_lookup_size_offset available to approved source files
42709
42710 include/linux/kallsyms.h | 3 +++
42711 1 files changed, 3 insertions(+), 0 deletions(-)
42712
42713commit 6c8feffa95ce2db280160015027b52bb41a344c8
42714Merge: dbf6930 0bb1c2b
42715Author: Brad Spengler <spender@grsecurity.net>
42716Date: Sat Aug 17 11:57:50 2013 -0400
42717
42718 Merge branch 'pax-test' into grsec-test
42719
42720commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
42721Author: Brad Spengler <spender@grsecurity.net>
42722Date: Sat Aug 17 11:56:43 2013 -0400
42723
42724 Update to pax-linux-3.10.7-test12.patch:
42725 - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
42726 - fixed some arm compile problems
42727
42728 arch/x86/include/asm/tlbflush.h | 2 +-
42729 drivers/clocksource/bcm_kona_timer.c | 2 +-
42730 kernel/signal.c | 4 ++++
42731 3 files changed, 6 insertions(+), 2 deletions(-)
42732
42733commit dbf69305ad4f8a037aae95af90f9201f556dcb48
42734Author: Brad Spengler <spender@grsecurity.net>
42735Date: Sat Aug 17 11:18:09 2013 -0400
42736
42737 allow use of kallsyms_lookup_name to approved source files
42738
42739 include/linux/kallsyms.h | 1 +
42740 1 files changed, 1 insertions(+), 0 deletions(-)
42741
42742commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
42743Merge: 68bd16f f562e3e
42744Author: Brad Spengler <spender@grsecurity.net>
42745Date: Sat Aug 17 10:35:02 2013 -0400
42746
42747 Merge branch 'pax-test' into grsec-test
42748
42749commit f562e3ef7737ea8d80431a722479b36a12504ace
42750Author: Brad Spengler <spender@grsecurity.net>
42751Date: Sat Aug 17 10:34:51 2013 -0400
42752
42753 add uderef_64.c
42754
42755 arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++
42756 1 files changed, 37 insertions(+), 0 deletions(-)
42757
42758commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
42759Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
42760Date: Mon Aug 12 16:30:09 2013 +0000
42761
42762 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
42763
42764 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
42765
42766 Fix the iproute2 command `bridge vlan show`, after switching from
42767 rtgenmsg to ifinfomsg.
42768
42769 Let's start with a little history:
42770
42771 Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in
42772 the 3.9 merge window.
42773 In the kernel commit 6cbdceeb, he added attribute support to
42774 bridge GETLINK requests sent with rtgenmsg.
42775
42776 Mar 6th: Vlad got this iproute2 reference implementation of the bridge
42777 vlan netlink interface accepted (iproute2 9eff0e5c)
42778
42779 Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
42780 http://patchwork.ozlabs.org/patch/239602/
42781 http://marc.info/?t=136680900700007
42782
42783 Apr 28th: Linus released 3.9
42784
42785 Apr 30th: Stephen released iproute2 3.9.0
42786
42787 The `bridge vlan show` command haven't been working since the switch to
42788 ifinfomsg, or in a released version of iproute2. Since the kernel side
42789 only supports rtgenmsg, which iproute2 switched away from just prior to
42790 the iproute2 3.9.0 release.
42791
42792 I haven't been able to find any documentation, about neither rtgenmsg
42793 nor ifinfomsg, and in which situation to use which, but kernel commit
42794 88c5b5ce seams to suggest that ifinfomsg should be used.
42795
42796 Fixing this in kernel will break compatibility, but I doubt that anybody
42797 have been using it due to this bug in the user space reference
42798 implementation, at least not without noticing this bug. That said the
42799 functionality is still fully functional in 3.9, when reversing iproute2
42800 commit 63338dca.
42801
42802 This could also be fixed in iproute2, but thats an ugly patch that would
42803 reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
42804 like rtgenmsg usage is discouraged. I'm assuming that the only reason
42805 that Vlad implemented the kernel side to use rtgenmsg, was because
42806 iproute2 was using it at the time.
42807
42808 Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
42809 Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
42810 Signed-off-by: David S. Miller <davem@davemloft.net>
42811
42812 net/core/rtnetlink.c | 2 +-
42813 1 files changed, 1 insertions(+), 1 deletions(-)
42814
42815commit 8c7bc5bafddddff55ed4687203a977e96f72540a
42816Author: Johannes Berg <johannes.berg@intel.com>
42817Date: Tue Aug 13 09:04:05 2013 +0200
42818
42819 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
42820
42821 genetlink: fix family dump race
42822
42823 When dumping generic netlink families, only the first dump call
42824 is locked with genl_lock(), which protects the list of families,
42825 and thus subsequent calls can access the data without locking,
42826 racing against family addition/removal. This can cause a crash.
42827 Fix it - the locking needs to be conditional because the first
42828 time around it's already locked.
42829
42830 A similar bug was reported to me on an old kernel (3.4.47) but
42831 the exact scenario that happened there is no longer possible,
42832 on those kernels the first round wasn't locked either. Looking
42833 at the current code I found the race described above, which had
42834 also existed on the old kernel.
42835
42836 Cc: stable@vger.kernel.org
42837 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
42838 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
42839 Signed-off-by: David S. Miller <davem@davemloft.net>
42840
42841 net/netlink/genetlink.c | 7 +++++++
42842 1 files changed, 7 insertions(+), 0 deletions(-)
42843
42844commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
42845Author: Daniel Borkmann <dborkman@redhat.com>
42846Date: Fri Aug 9 16:25:21 2013 +0200
42847
42848 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
42849
42850 net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
42851
42852 Probably this one is quite unlikely to be triggered, but it's more safe
42853 to do the call_rcu() at the end after we have dropped the reference on
42854 the asoc and freed sctp packet chunks. The reason why is because in
42855 sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
42856 we're unlucky enough we could run into corrupted pointers. Probably
42857 that's more of theoretical nature, but it's safer to have this simple fix.
42858
42859 Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
42860 for deferred call_rcu's"). I also did the 8c98653f regression test and
42861 it's fine that way.
42862
42863 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
42864 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
42865 Signed-off-by: David S. Miller <davem@davemloft.net>
42866
42867 net/sctp/transport.c | 4 ++--
42868 1 files changed, 2 insertions(+), 2 deletions(-)
42869
42870commit 3925eab5483946fd746575a46f97bee9d566bb77
42871Author: Stephane Grosjean <s.grosjean@peak-system.com>
42872Date: Fri Aug 9 11:44:06 2013 +0200
42873
42874 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
42875
42876 can: pcan_usb: fix wrong memcpy() bytes length
42877
42878 Fix possibly wrong memcpy() bytes length since some CAN records received from
42879 PCAN-USB could define a DLC field in range [9..15].
42880 In that case, the real DLC value MUST be used to move forward the record pointer
42881 but, only 8 bytes max. MUST be copied into the data field of the struct
42882 can_frame object of the skb given to the network core.
42883
42884 Cc: linux-stable <stable@vger.kernel.org>
42885 Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
42886 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
42887 Signed-off-by: David S. Miller <davem@davemloft.net>
42888
42889 drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
42890 1 files changed, 1 insertions(+), 1 deletions(-)
42891
42892commit c1ac6642baae4a400d1f87115024d1bb1ef53598
42893Author: Linus Lüssing <linus.luessing@web.de>
42894Date: Tue Aug 6 20:21:15 2013 +0200
42895
42896 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
42897
42898 batman-adv: fix potential kernel paging errors for unicast transmissions
42899
42900 There are several functions which might reallocate skb data. Currently
42901 some places keep reusing their old ethhdr pointer regardless of whether
42902 they became invalid after such a reallocation or not. This potentially
42903 leads to kernel paging errors.
42904
42905 This patch fixes these by refetching the ethdr pointer after the
42906 potential reallocations.
42907
42908 Signed-off-by: Linus Lüssing <linus.luessing@web.de>
42909 Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
42910 Signed-off-by: Antonio Quartulli <ordex@autistici.org>
42911
42912 net/batman-adv/bridge_loop_avoidance.c | 2 ++
42913 net/batman-adv/gateway_client.c | 13 ++++++++++++-
42914 net/batman-adv/gateway_client.h | 3 +--
42915 net/batman-adv/soft-interface.c | 9 ++++++++-
42916 net/batman-adv/unicast.c | 13 ++++++++++---
42917 5 files changed, 33 insertions(+), 7 deletions(-)
42918
42919commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
42920Author: Yuchung Cheng <ycheng@google.com>
42921Date: Fri Aug 9 17:21:27 2013 -0700
42922
42923 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
42924
42925 netfilter: nf_conntrack: fix tcp_in_window for Fast Open
42926
42927 Currently the conntrack checks if the ending sequence of a packet
42928 falls within the observed receive window. However it does so even
42929 if it has not observe any packet from the remote yet and uses an
42930 uninitialized receive window (td_maxwin).
42931
42932 If a connection uses Fast Open to send a SYN-data packet which is
42933 dropped afterward in the network. The subsequent SYNs retransmits
42934 will all fail this check and be discarded, leading to a connection
42935 timeout. This is because the SYN retransmit does not contain data
42936 payload so
42937
42938 end == initial sequence number (isn) + 1
42939 sender->td_end == isn + syn_data_len
42940 receiver->td_maxwin == 0
42941
42942 The fix is to only apply this check after td_maxwin is initialized.
42943
42944 Reported-by: Michael Chan <mcfchan@stanford.edu>
42945 Signed-off-by: Yuchung Cheng <ycheng@google.com>
42946 Acked-by: Eric Dumazet <edumazet@google.com>
42947 Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
42948 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
42949
42950 net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
42951 1 files changed, 8 insertions(+), 4 deletions(-)
42952
42953commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
42954Author: Dan Carpenter <dan.carpenter@oracle.com>
42955Date: Thu Aug 1 12:36:57 2013 +0300
42956
42957 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
42958
42959 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
42960
42961 These structs have a "_pad" member. Also the "phw" structs have an 8
42962 byte "hw_addr[]" array but sometimes only the first 6 bytes are
42963 initialized.
42964
42965 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
42966 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
42967
42968 net/netfilter/nfnetlink_log.c | 6 +++++-
42969 net/netfilter/nfnetlink_queue_core.c | 5 ++++-
42970 2 files changed, 9 insertions(+), 2 deletions(-)
42971
42972commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
42973Author: Pablo Neira Ayuso <pablo@netfilter.org>
42974Date: Thu Jul 25 10:46:46 2013 +0200
42975
42976 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
42977
42978 netfilter: xt_TCPOPTSTRIP: fix possible off by one access
42979
42980 Fix a possible off by one access since optlen()
42981 touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
42982
42983 This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
42984 that stores the TCP header length, to save some cycles.
42985
42986 Reported-by: Julian Anastasov <ja@ssi.bg>
42987 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
42988
42989 net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++----
42990 1 files changed, 6 insertions(+), 4 deletions(-)
42991
42992commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
42993Author: Pablo Neira Ayuso <pablo@netfilter.org>
42994Date: Thu Jul 25 10:37:49 2013 +0200
42995
42996 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
42997
42998 netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
42999
43000 Make sure the packet has enough room for the TCP header and
43001 that it is not malformed.
43002
43003 While at it, store tcph->doff*4 in a variable, as it is used
43004 several times.
43005
43006 This patch also fixes a possible off by one in case of malformed
43007 TCP options.
43008
43009 Reported-by: Julian Anastasov <ja@ssi.bg>
43010 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
43011
43012 net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
43013 1 files changed, 16 insertions(+), 12 deletions(-)
43014
43015commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
43016Author: Dave Jones <davej@redhat.com>
43017Date: Fri Aug 9 11:16:34 2013 -0700
43018
43019 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
43020
43021 8139cp: Fix skb leak in rx_status_loop failure path.
43022
43023 Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
43024 ("8139cp: Add dma_mapping_error checking")
43025
43026 Signed-off-by: Dave Jones <davej@redhat.com>
43027 Signed-off-by: David S. Miller <davem@davemloft.net>
43028
43029 drivers/net/ethernet/realtek/8139cp.c | 1 +
43030 1 files changed, 1 insertions(+), 0 deletions(-)
43031
43032commit 227b279491a0bbcc70ca3654f34903282c378600
43033Author: Timo Teräs <timo.teras@iki.fi>
43034Date: Tue Aug 6 13:45:43 2013 +0300
43035
43036 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
43037
43038 ip_gre: fix ipgre_header to return correct offset
43039
43040 Fix ipgre_header() (header_ops->create) to return the correct
43041 amount of bytes pushed. Most callers of dev_hard_header() seem
43042 to care only if it was success, but af_packet.c uses it as
43043 offset to the skb to copy from userspace only once. In practice
43044 this fixes packet socket sendto()/sendmsg() to gre tunnels.
43045
43046 Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
43047 ("GRE: Refactor GRE tunneling code.")
43048
43049 Cc: Pravin B Shelar <pshelar@nicira.com>
43050 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
43051 Acked-by: Eric Dumazet <edumazet@google.com>
43052 Signed-off-by: David S. Miller <davem@davemloft.net>
43053
43054 net/ipv4/ip_gre.c | 2 +-
43055 1 files changed, 1 insertions(+), 1 deletions(-)
43056
43057commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
43058Author: Eric Dumazet <edumazet@google.com>
43059Date: Mon Aug 5 11:18:49 2013 -0700
43060
43061 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
43062
43063 fib_trie: remove potential out of bound access
43064
43065 AddressSanitizer [1] dynamic checker pointed a potential
43066 out of bound access in leaf_walk_rcu()
43067
43068 We could allocate one more slot in tnode_new() to leave the prefetch()
43069 in-place but it looks not worth the pain.
43070
43071 Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
43072
43073 [1] :
43074 https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
43075
43076 Reported-by: Andrey Konovalov <andreyknvl@google.com>
43077 Signed-off-by: Eric Dumazet <edumazet@google.com>
43078 Cc: Dmitry Vyukov <dvyukov@google.com>
43079 Signed-off-by: David S. Miller <davem@davemloft.net>
43080
43081 net/ipv4/fib_trie.c | 5 +----
43082 1 files changed, 1 insertions(+), 4 deletions(-)
43083
43084commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
43085Author: Daniel Borkmann <dborkman@redhat.com>
43086Date: Mon Aug 5 12:49:35 2013 +0200
43087
43088 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
43089
43090 net: esp{4,6}: fix potential MTU calculation overflows
43091
43092 Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
43093 size calculation") introduced a possible interger overflow in
43094 esp{4,6}_get_mtu() handlers in case of x->props.mode equals
43095 XFRM_MODE_TUNNEL. Thus, the following expression will overflow
43096
43097 unsigned int net_adj;
43098 ...
43099 <case ipv{4,6} XFRM_MODE_TUNNEL>
43100 net_adj = 0;
43101 ...
43102 return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
43103 net_adj) & ~(align - 1)) + (net_adj - 2);
43104
43105 where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
43106 context. Fix it by simply removing brackets as those operations here
43107 do not need to have special precedence.
43108
43109 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
43110 Cc: Benjamin Poirier <bpoirier@suse.de>
43111 Cc: Steffen Klassert <steffen.klassert@secunet.com>
43112 Acked-by: Benjamin Poirier <bpoirier@suse.de>
43113 Signed-off-by: David S. Miller <davem@davemloft.net>
43114
43115 net/ipv4/esp4.c | 2 +-
43116 net/ipv6/esp6.c | 2 +-
43117 2 files changed, 2 insertions(+), 2 deletions(-)
43118
43119commit f02bce292d1c2fe610be509c96593e70b3de387b
43120Author: Julia Lawall <Julia.Lawall@lip6.fr>
43121Date: Mon Aug 5 16:47:38 2013 +0200
43122
43123 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
43124
43125 net/vmw_vsock/af_vsock.c: drop unneeded semicolon
43126
43127 Drop the semicolon at the end of the list_for_each_entry loop header.
43128
43129 Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
43130 Signed-off-by: David S. Miller <davem@davemloft.net>
43131
43132 net/vmw_vsock/af_vsock.c | 2 +-
43133 1 files changed, 1 insertions(+), 1 deletions(-)
43134
43135commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
43136Author: Tiger Yang <tiger.yang@oracle.com>
43137Date: Tue Aug 13 16:00:58 2013 -0700
43138
43139 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
43140
43141 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
43142
43143 Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
43144 the struct file pointer, it finally result in a null pointer dereference
43145 in ocfs2_duplicate_clusters_by_page.
43146
43147 This patch replace file pointer with inode pointer in
43148 cow_duplicate_clusters to fix this issue.
43149
43150 [jeff.liu@oracle.com: rebased patch against linux-next tree]
43151 Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
43152 Signed-off-by: Jie Liu <jeff.liu@oracle.com>
43153 Cc: Joel Becker <jlbec@evilplan.org>
43154 Cc: Mark Fasheh <mfasheh@suse.com>
43155 Acked-by: Tao Ma <tm@tao.ma>
43156 Tested-by: David Weber <wb@munzinger.de>
43157 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
43158 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
43159
43160 fs/ocfs2/aops.c | 2 +-
43161 fs/ocfs2/file.c | 6 ++--
43162 fs/ocfs2/move_extents.c | 2 +-
43163 fs/ocfs2/refcounttree.c | 53 +++++++---------------------------------------
43164 fs/ocfs2/refcounttree.h | 6 ++--
43165 5 files changed, 16 insertions(+), 53 deletions(-)
43166
43167commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
43168Author: Dan Carpenter <dan.carpenter@oracle.com>
43169Date: Thu Aug 15 15:52:57 2013 +0300
43170
43171 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
43172
43173 tun: signedness bug in tun_get_user()
43174
43175 The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
43176 not totally correct. Because "len" and "sizeof()" are size_t type, that
43177 means they are never less than zero.
43178
43179 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
43180 Acked-by: Michael S. Tsirkin <mst@redhat.com>
43181 Acked-by: Neil Horman <nhorman@tuxdriver.com>
43182 Signed-off-by: David S. Miller <davem@davemloft.net>
43183
43184 drivers/net/tun.c | 6 ++++--
43185 1 files changed, 4 insertions(+), 2 deletions(-)
43186
43187commit 26ad267ddda451919357965a0cf271ca24d1bcf2
43188Author: Weiping Pan <wpan@redhat.com>
43189Date: Tue Aug 13 21:46:56 2013 +0800
43190
43191 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
43192
43193 tun: compare with 0 instead of total_len
43194
43195 Since we set "len = total_len" in the beginning of tun_get_user(),
43196 so we should compare the new len with 0, instead of total_len,
43197 or the if statement always returns false.
43198
43199 Signed-off-by: Weiping Pan <wpan@redhat.com>
43200 Signed-off-by: David S. Miller <davem@davemloft.net>
43201
43202 drivers/net/tun.c | 4 ++--
43203 1 files changed, 2 insertions(+), 2 deletions(-)
43204
43205commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
43206Author: Guenter Roeck <linux@roeck-us.net>
43207Date: Fri Aug 16 20:50:55 2013 -0700
43208
43209 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
43210
43211 s390: Fix broken build
43212
43213 Fix this build error:
43214
43215 In file included from fs/exec.c:61:0:
43216 arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
43217 arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
43218 arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
43219 arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
43220
43221 Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
43222 invalidation corner cases").
43223
43224 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
43225 Cc: stable@vger.kernel.org
43226 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
43227 [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ]
43228 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
43229
43230 arch/s390/include/asm/tlb.h | 2 +-
43231 1 files changed, 1 insertions(+), 1 deletions(-)
43232
43233commit 4e57312c2de2a25ddb181d129dafbc0251062c33
43234Author: Linus Torvalds <torvalds@linux-foundation.org>
43235Date: Thu Aug 15 11:42:25 2013 -0700
43236
43237 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
43238
43239 Fix TLB gather virtual address range invalidation corner cases
43240
43241 Ben Tebulin reported:
43242
43243 "Since v3.7.2 on two independent machines a very specific Git
43244 repository fails in 9/10 cases on git-fsck due to an SHA1/memory
43245 failures. This only occurs on a very specific repository and can be
43246 reproduced stably on two independent laptops. Git mailing list ran
43247 out of ideas and for me this looks like some very exotic kernel issue"
43248
43249 and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
43250 limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
43251
43252 That commit itself is not actually buggy, but what it does is to make it
43253 much more likely to hit the partial TLB invalidation case, since it
43254 introduces a new case in tlb_next_batch() that previously only ever
43255 happened when running out of memory.
43256
43257 The real bug is that the TLB gather virtual memory range setup is subtly
43258 buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
43259 enable tlb flush range in generic mmu_gather"), and the range handling
43260 was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
43261 range flushed when __tlb_remove_page() runs out of slots"), but that fix
43262 was not complete.
43263
43264 The problem with the TLB gather virtual address range is that it isn't
43265 set up by the initial tlb_gather_mmu() initialization (which didn't get
43266 the TLB range information), but it is set up ad-hoc later by the
43267 functions that actually flush the TLB. And so any such case that forgot
43268 to update the TLB range entries would potentially miss TLB invalidates.
43269
43270 Rather than try to figure out exactly which particular ad-hoc range
43271 setup was missing (I personally suspect it's the hugetlb case in
43272 zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
43273 did), this patch just gets rid of the problem at the source: make the
43274 TLB range information available to tlb_gather_mmu(), and initialize it
43275 when initializing all the other tlb gather fields.
43276
43277 This makes the patch larger, but conceptually much simpler. And the end
43278 result is much more understandable; even if you want to play games with
43279 partial ranges when invalidating the TLB contents in chunks, now the
43280 range information is always there, and anybody who doesn't want to
43281 bother with it won't introduce subtle bugs.
43282
43283 Ben verified that this fixes his problem.
43284
43285 Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
43286 Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
43287 Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
43288 Reviewed-by: Michal Hocko <mhocko@suse.cz>
43289 Acked-by: Peter Zijlstra <peterz@infradead.org>
43290 Cc: stable@vger.kernel.org
43291 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
43292
43293 arch/arm/include/asm/tlb.h | 7 +++++--
43294 arch/arm64/include/asm/tlb.h | 7 +++++--
43295 arch/ia64/include/asm/tlb.h | 9 ++++++---
43296 arch/s390/include/asm/tlb.h | 8 ++++++--
43297 arch/sh/include/asm/tlb.h | 6 ++++--
43298 arch/um/include/asm/tlb.h | 6 ++++--
43299 fs/exec.c | 4 ++--
43300 include/asm-generic/tlb.h | 2 +-
43301 mm/hugetlb.c | 2 +-
43302 mm/memory.c | 36 +++++++++++++++++++++---------------
43303 mm/mmap.c | 4 ++--
43304 11 files changed, 57 insertions(+), 34 deletions(-)
43305
43306commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
43307Merge: 5568c80 ffceabf
43308Author: Brad Spengler <spender@grsecurity.net>
43309Date: Sat Aug 17 09:11:41 2013 -0400
43310
43311 Merge branch 'pax-test' into grsec-test
43312
43313commit ffceabfcc65c60109ba5fca694d78d4dc7047809
43314Author: Brad Spengler <spender@grsecurity.net>
43315Date: Sat Aug 17 09:10:44 2013 -0400
43316
43317 Update to pax-linux-3.10.7-test11.patch:
43318 - simplified some arm code
43319 - disabled preemption when calling show_regs, reported by Corey Minyard
43320 - added PCID based support for UDEREF on amd64 (blog will have more details)
43321 - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
43322 - nopcid turns it off
43323 - by default a strong form of UDEREF is used under PCID
43324 - pax_weakuderef switches to the older, less secure UDEREF
43325 - fixed several bugs that would also have manifested under SMAP
43326 - INVPCID is used when available (Haswell)
43327 - added a few more return insn instrumentation in new amd64 crypto code
43328
43329 Documentation/kernel-parameters.txt | 7 +
43330 arch/arm/include/asm/uaccess.h | 3 +
43331 arch/x86/crypto/blowfish-avx2-asm_64.S | 6 +
43332 arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++
43333 arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++
43334 arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
43335 arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
43336 arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++
43337 arch/x86/crypto/sha256-avx-asm.S | 2 +
43338 arch/x86/crypto/sha256-avx2-asm.S | 2 +
43339 arch/x86/crypto/sha256-ssse3-asm.S | 2 +
43340 arch/x86/crypto/sha512-avx-asm.S | 2 +
43341 arch/x86/crypto/sha512-avx2-asm.S | 2 +
43342 arch/x86/crypto/sha512-ssse3-asm.S | 2 +
43343 arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++
43344 arch/x86/ia32/ia32_signal.c | 2 +-
43345 arch/x86/ia32/ia32entry.S | 24 ++++-
43346 arch/x86/include/asm/cpufeature.h | 3 +-
43347 arch/x86/include/asm/fpu-internal.h | 2 +
43348 arch/x86/include/asm/futex.h | 4 +
43349 arch/x86/include/asm/mmu_context.h | 80 +++++++++++---
43350 arch/x86/include/asm/pgtable.h | 10 +-
43351 arch/x86/include/asm/processor.h | 15 +++-
43352 arch/x86/include/asm/segment.h | 5 +-
43353 arch/x86/include/asm/smap.h | 64 +++++++++++-
43354 arch/x86/include/asm/tlbflush.h | 63 +++++++++--
43355 arch/x86/include/asm/uaccess.h | 18 +++-
43356 arch/x86/include/asm/xsave.h | 4 +
43357 arch/x86/kernel/cpu/common.c | 38 +++++++
43358 arch/x86/kernel/entry_32.S | 2 +-
43359 arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++---
43360 arch/x86/kernel/head_32.S | 2 +-
43361 arch/x86/kernel/head_64.S | 8 +-
43362 arch/x86/kernel/process_64.c | 5 +
43363 arch/x86/kernel/setup.c | 8 +-
43364 arch/x86/kernel/signal.c | 4 +-
43365 arch/x86/kernel/smpboot.c | 15 ++-
43366 arch/x86/lib/copy_user_64.S | 50 +--------
43367 arch/x86/lib/copy_user_nocache_64.S | 2 +
43368 arch/x86/lib/csum-wrappers_64.c | 11 ++-
43369 arch/x86/lib/memcpy_64.S | 4 +-
43370 arch/x86/lib/memmove_64.S | 2 +-
43371 arch/x86/lib/memset_64.S | 4 +-
43372 arch/x86/lib/usercopy_64.c | 5 +-
43373 arch/x86/mm/Makefile | 4 +
43374 arch/x86/mm/fault.c | 29 ++++--
43375 arch/x86/mm/init.c | 7 +-
43376 arch/x86/mm/init_64.c | 9 ++-
43377 arch/x86/mm/pageattr.c | 2 +-
43378 arch/x86/mm/pgtable.c | 3 +
43379 arch/x86/platform/efi/efi_32.c | 2 +-
43380 arch/x86/platform/efi/efi_64.c | 2 +-
43381 arch/x86/realmode/rm/trampoline_64.S | 1 +
43382 fs/exec.c | 2 +
43383 include/asm-generic/uaccess.h | 8 ++
43384 include/linux/compat.h | 1 +
43385 include/linux/preempt.h | 19 +++
43386 include/linux/signal.h | 1 +
43387 include/linux/smp.h | 2 +
43388 init/main.c | 14 ++-
43389 kernel/signal.c | 16 +++
43390 security/Kconfig | 5 +
43391 tools/lib/lk/Makefile | 2 +-
43392 tools/perf/Makefile | 2 +-
43393 64 files changed, 673 insertions(+), 136 deletions(-)
43394
43395commit 5568c8059e78d6d002815409df4e90c83b3b08a8
43396Author: Brad Spengler <spender@grsecurity.net>
43397Date: Sat Aug 17 08:58:34 2013 -0400
43398
43399 Fix two harmless compiler warnings
43400
43401 arch/arm/kernel/process.c | 4 ++--
43402 fs/exec.c | 2 +-
43403 2 files changed, 3 insertions(+), 3 deletions(-)
43404
43405commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
43406Author: Brad Spengler <spender@grsecurity.net>
43407Date: Fri Aug 16 22:55:24 2013 -0400
43408
43409 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b
43410
43411 arch/arm/kernel/perf_event.c | 5 ++++-
43412 1 files changed, 4 insertions(+), 1 deletions(-)
43413
43414commit 3637bc893b57a227b01852fe34685ab237285b10
43415Author: Stephen Boyd <sboyd@codeaurora.org>
43416Date: Wed Aug 7 16:18:08 2013 -0700
43417
43418 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
43419
43420 perf/arm: Fix armpmu_map_hw_event()
43421
43422 Fix constraint check in armpmu_map_hw_event().
43423
43424 Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
43425 Cc: <stable@kernel.org>
43426 Signed-off-by: Ingo Molnar <mingo@kernel.org>
43427 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
43428
43429 arch/arm/kernel/perf_event.c | 7 ++++++-
43430 1 files changed, 6 insertions(+), 1 deletions(-)
43431
43432commit 11802e1f961a088c39af58d1c1b14d861eedfb35
43433Author: Brad Spengler <spender@grsecurity.net>
43434Date: Fri Aug 16 22:53:30 2013 -0400
43435
43436 More ARM backports
43437
43438 arch/arm/kernel/entry-armv.S | 3 ++-
43439 arch/arm/kernel/fiq.c | 8 ++------
43440 2 files changed, 4 insertions(+), 7 deletions(-)
43441
43442commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
43443Author: Brad Spengler <spender@grsecurity.net>
43444Date: Fri Aug 16 22:46:01 2013 -0400
43445
43446 Fix HIDESYM compatibility with kprobes, as reported by feandil at:
43447 http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
43448
43449 include/linux/kallsyms.h | 2 +-
43450 kernel/kprobes.c | 3 +++
43451 2 files changed, 4 insertions(+), 1 deletions(-)
43452
43453commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
43454Author: yonghua zheng <younghua.zheng@gmail.com>
43455Date: Tue Aug 13 16:01:03 2013 -0700
43456
43457 fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
43458
43459 Recently we met quite a lot of random kernel panic issues after enabling
43460 CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
43461 to do with following bug in pagemap:
43462
43463 In struct pagemapread:
43464
43465 struct pagemapread {
43466 int pos, len;
43467 pagemap_entry_t *buffer;
43468 bool v2;
43469 };
43470
43471 pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
43472 buffer, it is a mistake to compare pos and len in add_page_map() for
43473 checking buffer is full or not, and this can lead to buffer overflow and
43474 random kernel panic issue.
43475
43476 Correct len to be total number of PM_ENTRY_BYTES in buffer.
43477
43478 [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
43479 Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
43480 Cc: <stable@vger.kernel.org>
43481 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
43482 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
43483
43484 Conflicts:
43485
43486 fs/proc/task_mmu.c
43487
43488 fs/proc/task_mmu.c | 8 ++++----
43489 1 files changed, 4 insertions(+), 4 deletions(-)
43490
43491commit 0a3dac834746de241c10d4978bf61b4f146ba89d
43492Merge: dc19474 e12de30
43493Author: Brad Spengler <spender@grsecurity.net>
43494Date: Fri Aug 16 17:39:01 2013 -0400
43495
43496 Merge branch 'pax-test' into grsec-test
43497
43498commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
43499Author: Brad Spengler <spender@grsecurity.net>
43500Date: Fri Aug 16 17:34:47 2013 -0400
43501
43502 Update to pax-linux-3.10.7-test9.patch:
43503 - Emese fixed a size overflow false positive reported by Sven Vermeulen
43504 - fixed some arm compile problems reported by spender
43505 - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
43506 eventually we'll have full REFCOUNT support on mips
43507
43508 arch/arm/kernel/process.c | 5 ++-
43509 arch/arm/mm/Kconfig | 2 +-
43510 arch/arm/mm/fault.c | 3 ++
43511 arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++
43512 mm/internal.h | 2 +-
43513 5 files changed, 65 insertions(+), 4 deletions(-)
43514
43515commit dc19474d0ea6ea3c939544ae5f906067b1784a10
43516Merge: 51b78c0 82266f9
43517Author: Brad Spengler <spender@grsecurity.net>
43518Date: Thu Aug 15 21:47:37 2013 -0400
43519
43520 Merge branch 'pax-test' into grsec-test
43521
43522commit 82266f90a3f87ab5017329fb539aebf94c42253a
43523Author: Brad Spengler <spender@grsecurity.net>
43524Date: Thu Aug 15 21:14:47 2013 -0400
43525
43526 Update to pax-linux-3.10.7-test9.patch
43527
43528 arch/arm/kernel/process.c | 6 ++----
43529 1 files changed, 2 insertions(+), 4 deletions(-)
43530
43531commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
43532Merge: e32d904 cb77ead
43533Author: Brad Spengler <spender@grsecurity.net>
43534Date: Thu Aug 15 20:53:45 2013 -0400
43535
43536 Merge branch 'pax-test' into grsec-test
43537
43538 Conflicts:
43539 security/Kconfig
43540
43541commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
43542Merge: 13675b8 519be45
43543Author: Brad Spengler <spender@grsecurity.net>
43544Date: Thu Aug 15 20:50:47 2013 -0400
43545
43546 Update to pax-linux-3.10.7-test8.patch
43547
43548 Merge branch 'linux-3.10.y' into pax-test
43549
43550commit e32d904b87292288e74e2637b900fd1115687b8e
43551Author: Brad Spengler <spender@grsecurity.net>
43552Date: Sat Aug 10 09:41:40 2013 -0400
43553
43554 propagate the threadstack offset through to the topdown/bottomup allocators
43555 on sparc64 hugepages
43556
43557 arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
43558 1 files changed, 8 insertions(+), 4 deletions(-)
43559
43560commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
43561Author: Oleg Nesterov <oleg@redhat.com>
43562Date: Thu Aug 8 18:55:32 2013 +0200
43563
43564 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
43565
43566 another local DoS found in reaction to the one I reported,
43567 we don't allow unpriv user ns use so this doesn't matter much to us
43568
43569 userns: limit the maximum depth of user_namespace->parent chain
43570
43571 Ensure that user_namespace->parent chain can't grow too much.
43572 Currently we use the hardroded 32 as limit.
43573
43574 Reported-by: Andy Lutomirski <luto@amacapital.net>
43575 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
43576 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
43577
43578 include/linux/user_namespace.h | 1 +
43579 kernel/user_namespace.c | 4 ++++
43580 2 files changed, 5 insertions(+), 0 deletions(-)
43581
43582commit 223ac007ef18bf3a5095ba0a56675c1f16200149
43583Merge: 1c92de4 13675b8
43584Author: Brad Spengler <spender@grsecurity.net>
43585Date: Thu Aug 8 20:45:24 2013 -0400
43586
43587 Merge branch 'pax-test' into grsec-test
43588
43589 Conflicts:
43590 security/Kconfig
43591
43592commit 13675b848cf02bffd26924b2b84d927095bc253d
43593Author: Brad Spengler <spender@grsecurity.net>
43594Date: Thu Aug 8 20:43:52 2013 -0400
43595
43596 Update to pax-linux-3.10.5-test8.patch:
43597 - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
43598 - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
43599 - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>
43600
43601 arch/arm/include/asm/pgtable-2level.h | 4 +++-
43602 arch/arm/mm/proc-v7-2level.S | 3 ---
43603 arch/mips/mm/fault.c | 8 ++++++++
43604 arch/x86/include/asm/processor.h | 3 ++-
43605 include/linux/math64.h | 2 +-
43606 security/Kconfig | 2 --
43607 6 files changed, 14 insertions(+), 8 deletions(-)
43608
43609commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
43610Merge: e65aa3d 1660f49
43611Author: Brad Spengler <spender@grsecurity.net>
43612Date: Mon Aug 5 18:50:45 2013 -0400
43613
43614 Merge branch 'pax-test' into grsec-test
43615
43616commit 1660f496848b8400d263f7920989dae15e72185a
43617Merge: 7f91ba1 dc51cd2
43618Author: Brad Spengler <spender@grsecurity.net>
43619Date: Mon Aug 5 18:50:12 2013 -0400
43620
43621 Update to pax-linux-3.10.5-test7.patch
43622
43623 Merge branch 'linux-3.10.y' into pax-test
43624
43625 Conflicts:
43626 arch/x86/kernel/head_64.S
43627 mm/mempolicy.c
43628
43629commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
43630Author: Brad Spengler <spender@grsecurity.net>
43631Date: Mon Aug 5 17:58:42 2013 -0400
43632
43633 Disable RANDKSTACK for a VirtualBox host as mentioned on the
43634 gentoo-hardened bugzilla:
43635 https://bugs.gentoo.org/show_bug.cgi?id=382793
43636
43637 security/Kconfig | 2 +-
43638 1 files changed, 1 insertions(+), 1 deletions(-)
43639
43640commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
43641Author: Dan Carpenter <dan.carpenter@oracle.com>
43642Date: Tue Jul 30 13:23:39 2013 +0300
43643
43644 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
43645
43646 net_sched: info leak in atm_tc_dump_class()
43647
43648 The "pvc" struct has a hole after pvc.sap_family which is not cleared.
43649
43650 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
43651 Reviewed-by: Jiri Pirko <jiri@resnulli.us>
43652 Signed-off-by: David S. Miller <davem@davemloft.net>
43653
43654 net/sched/sch_atm.c | 1 +
43655 1 files changed, 1 insertions(+), 0 deletions(-)
43656
43657commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
43658Author: Daniel Borkmann <dborkman@redhat.com>
43659Date: Fri Aug 2 11:32:43 2013 +0200
43660
43661 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
43662
43663 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
43664
43665 Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
43666 resource that was allocated via inet_alloc_ifa() unfreed when returning
43667 the function with -EINVAL. Thus, free it first via inet_free_ifa().
43668
43669 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
43670 Reviewed-by: Jiri Pirko <jiri@resnulli.us>
43671 Signed-off-by: David S. Miller <davem@davemloft.net>
43672
43673 net/ipv4/devinet.c | 4 +++-
43674 1 files changed, 3 insertions(+), 1 deletions(-)
43675
43676commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
43677Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
43678Date: Fri Aug 2 23:15:56 2013 -0400
43679
43680 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
43681
43682 qlcnic: Free up memory in error path.
43683
43684 Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
43685 Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
43686 Signed-off-by: David S. Miller <davem@davemloft.net>
43687
43688 drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++---
43689 1 files changed, 3 insertions(+), 3 deletions(-)
43690
43691commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
43692Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
43693Date: Fri Aug 2 23:15:54 2013 -0400
43694
43695 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
43696
43697 qlcnic: Fix MAC address filter issue on 82xx adapter
43698
43699 Driver was passing the address of a pointer instead of
43700 the pointer itself.
43701
43702 Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
43703 Signed-off-by: David S. Miller <davem@davemloft.net>
43704
43705 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
43706 1 files changed, 1 insertions(+), 1 deletions(-)
43707
43708commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
43709Author: Brad Spengler <spender@grsecurity.net>
43710Date: Mon Aug 5 17:26:40 2013 -0400
43711
43712 Move user namespace capability check to shared create_user_ns code so we
43713 cover unshare() as well.
43714
43715 Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
43716 user namespaces!
43717
43718 kernel/fork.c | 17 -----------------
43719 kernel/user_namespace.c | 24 ++++++++++++++++++++++--
43720 2 files changed, 22 insertions(+), 19 deletions(-)
43721
43722commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
43723Author: Brad Spengler <spender@grsecurity.net>
43724Date: Mon Aug 5 16:05:41 2013 -0400
43725
43726 silence a warning on older gcc
43727
43728 grsecurity/gracl.c | 2 +-
43729 1 files changed, 1 insertions(+), 1 deletions(-)
43730
43731commit b8966a5d577e9220fbc63306eee978f819f24e2e
43732Author: Brad Spengler <spender@grsecurity.net>
43733Date: Sat Aug 3 08:31:08 2013 -0400
43734
43735 we only care about mmaps of the beginning of an ELF, filter out
43736 all others as suggested by pipacs
43737
43738 mm/mmap.c | 2 +-
43739 1 files changed, 1 insertions(+), 1 deletions(-)
43740
43741commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
43742Author: Brad Spengler <spender@grsecurity.net>
43743Date: Fri Aug 2 23:54:51 2013 -0400
43744
43745 add include
43746
43747 grsecurity/grsec_log.c | 1 +
43748 1 files changed, 1 insertions(+), 0 deletions(-)
43749
43750commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
43751Author: Brad Spengler <spender@grsecurity.net>
43752Date: Fri Aug 2 23:49:13 2013 -0400
43753
43754 fix compilation
43755
43756 include/linux/grinternal.h | 3 ++-
43757 1 files changed, 2 insertions(+), 1 deletions(-)
43758
43759commit 1704c23fdc55b68f512dc9927940e72237f3f43e
43760Author: Brad Spengler <spender@grsecurity.net>
43761Date: Fri Aug 2 23:34:35 2013 -0400
43762
43763 Improve PaX reporting (tells when anon mapping is stack or heap)
43764 Remove textrel logging option, combine into rwx logging option
43765 Enhance RWX logging option to display when PT_GNU_STACK-enabled library
43766 is loaded under an MPROTECTed binary
43767 Enhance RWX mprotect logging to display stack/heap instead of just
43768 anon mapping
43769
43770 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
43771 fs/exec.c | 4 ++++
43772 grsecurity/Kconfig | 21 +++++----------------
43773 grsecurity/grsec_init.c | 4 ----
43774 grsecurity/grsec_log.c | 14 ++++++++++++++
43775 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
43776 grsecurity/grsec_sysctl.c | 9 ---------
43777 include/linux/binfmts.h | 1 +
43778 include/linux/grinternal.h | 2 +-
43779 include/linux/grmsg.h | 3 ++-
43780 include/linux/grsecurity.h | 3 ++-
43781 mm/mmap.c | 7 +++++++
43782 mm/mprotect.c | 2 +-
43783 13 files changed, 88 insertions(+), 38 deletions(-)
43784
43785commit faf81c100c8565524e21c9af780a0ad2ce3fd925
43786Author: Brad Spengler <spender@grsecurity.net>
43787Date: Thu Aug 1 18:52:02 2013 -0400
43788
43789 add missing #define
43790
43791 grsecurity/gracl.c | 1 +
43792 1 files changed, 1 insertions(+), 0 deletions(-)
43793
43794commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
43795Author: Brad Spengler <spender@grsecurity.net>
43796Date: Thu Aug 1 18:43:53 2013 -0400
43797
43798 fix compilation for !COMPAT as reported on the forums
43799
43800 grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
43801 1 files changed, 97 insertions(+), 98 deletions(-)
43802
43803commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
43804Merge: 65019c9 7f91ba1
43805Author: Brad Spengler <spender@grsecurity.net>
43806Date: Wed Jul 31 17:47:31 2013 -0400
43807
43808 Merge branch 'pax-test' into grsec-test
43809
43810commit 65019c9bd05f860437071cbf00e2027fd2d68615
43811Author: Brad Spengler <spender@grsecurity.net>
43812Date: Wed Jul 31 17:47:20 2013 -0400
43813
43814 Revert "revert recent PaX change that causes boot failures with 32bit userland"
43815
43816 This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
43817
43818 arch/x86/include/asm/processor.h | 4 ++--
43819 arch/x86/kernel/cpu/common.c | 2 +-
43820 arch/x86/kernel/process_64.c | 2 +-
43821 arch/x86/kernel/smpboot.c | 2 +-
43822 arch/x86/xen/smp.c | 2 +-
43823 5 files changed, 6 insertions(+), 6 deletions(-)
43824
43825commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
43826Author: Brad Spengler <spender@grsecurity.net>
43827Date: Wed Jul 31 17:46:00 2013 -0400
43828
43829 Update to pax-linux-3.10.4-test7.patch:
43830 - added a few more missing format strings
43831 - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
43832 - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
43833 - fixed a UDEREF/i386 regression, __get_user_8 would always fail
43834
43835 arch/x86/include/asm/processor.h | 4 +-
43836 arch/x86/kernel/cpu/common.c | 2 +-
43837 arch/x86/kernel/dumpstack.c | 2 +-
43838 arch/x86/kernel/process_64.c | 2 +-
43839 arch/x86/kernel/reboot_fixups_32.c | 2 +-
43840 arch/x86/kernel/smpboot.c | 2 +-
43841 arch/x86/lib/getuser.S | 4 +-
43842 arch/x86/xen/smp.c | 2 +-
43843 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++--
43844 drivers/video/backlight/backlight.c | 2 +-
43845 drivers/video/backlight/lcd.c | 2 +-
43846 fs/binfmt_elf.c | 51 +++++++++++++++++++++++++---
43847 fs/exec.c | 50 +++++++++++++--------------
43848 include/linux/sched.h | 2 +
43849 14 files changed, 88 insertions(+), 47 deletions(-)
43850
43851commit 043130da54cb7cc8dc44e0ce889d426e889a0532
43852Author: Brad Spengler <spender@grsecurity.net>
43853Date: Wed Jul 31 16:26:58 2013 -0400
43854
43855 compile fix for !COMPAT as mentioned on forums
43856
43857 grsecurity/gracl.c | 2 ++
43858 1 files changed, 2 insertions(+), 0 deletions(-)
43859
43860commit ed0a195abd4e41c2449a020a53a19c74dc866d78
43861Author: Brad Spengler <spender@grsecurity.net>
43862Date: Tue Jul 30 22:33:14 2013 -0400
43863
43864 perform compat conversion of rlimit infinity
43865
43866 grsecurity/gracl_compat.c | 10 ++++++++--
43867 1 files changed, 8 insertions(+), 2 deletions(-)
43868
43869commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
43870Author: Brad Spengler <spender@grsecurity.net>
43871Date: Tue Jul 30 22:21:40 2013 -0400
43872
43873 remove debugging
43874
43875 grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
43876 1 files changed, 11 insertions(+), 33 deletions(-)
43877
43878commit e75b3f504692b97960a7530ad0855d91441d79c0
43879Author: Brad Spengler <spender@grsecurity.net>
43880Date: Tue Jul 30 22:20:32 2013 -0400
43881
43882 eliminate compat_dev_t
43883
43884 include/linux/gracl_compat.h | 4 ++--
43885 1 files changed, 2 insertions(+), 2 deletions(-)
43886
43887commit e5abbaf95313066a724e1a843d4fc902a9a6450e
43888Author: Brad Spengler <spender@grsecurity.net>
43889Date: Tue Jul 30 22:13:22 2013 -0400
43890
43891 fix compat rlimit size
43892
43893 grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
43894 include/linux/gracl_compat.h | 4 +-
43895 2 files changed, 49 insertions(+), 23 deletions(-)
43896
43897commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
43898Author: Brad Spengler <spender@grsecurity.net>
43899Date: Tue Jul 30 21:20:18 2013 -0400
43900
43901 compile fix
43902
43903 grsecurity/gracl.c | 4 ++--
43904 1 files changed, 2 insertions(+), 2 deletions(-)
43905
43906commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
43907Author: Brad Spengler <spender@grsecurity.net>
43908Date: Tue Jul 30 21:14:29 2013 -0400
43909
43910 copy correct pointer size in new compat code
43911
43912 grsecurity/gracl.c | 8 ++++----
43913 grsecurity/gracl_compat.c | 4 ++--
43914 2 files changed, 6 insertions(+), 6 deletions(-)
43915
43916commit 23278a1ee1c7738dd1e7005241394d32b82196e4
43917Author: Brad Spengler <spender@grsecurity.net>
43918Date: Tue Jul 30 19:48:58 2013 -0400
43919
43920 revert recent PaX change that causes boot failures with 32bit userland
43921
43922 arch/x86/include/asm/processor.h | 4 ++--
43923 arch/x86/kernel/cpu/common.c | 2 +-
43924 arch/x86/kernel/process_64.c | 2 +-
43925 arch/x86/kernel/smpboot.c | 2 +-
43926 arch/x86/xen/smp.c | 2 +-
43927 5 files changed, 6 insertions(+), 6 deletions(-)
43928
43929commit ec27f71a813656fea8ab37faecb2b485fe99d08e
43930Merge: 3a11bcf 05f0a61
43931Author: Brad Spengler <spender@grsecurity.net>
43932Date: Tue Jul 30 19:42:21 2013 -0400
43933
43934 Merge branch 'pax-test' into grsec-test
43935
43936commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
43937Author: Brad Spengler <spender@grsecurity.net>
43938Date: Tue Jul 30 19:41:44 2013 -0400
43939
43940 Update to pax-linux-3.10.4-test6.patch:
43941 - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender
43942
43943 include/linux/syscalls.h | 8 ++++++--
43944 1 files changed, 6 insertions(+), 2 deletions(-)
43945
43946commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
43947Author: Brad Spengler <spender@grsecurity.net>
43948Date: Tue Jul 30 19:15:50 2013 -0400
43949
43950 compile fix
43951
43952 grsecurity/gracl_compat.c | 6 ++++++
43953 1 files changed, 6 insertions(+), 0 deletions(-)
43954
43955commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
43956Author: Brad Spengler <spender@grsecurity.net>
43957Date: Tue Jul 30 19:12:46 2013 -0400
43958
43959 remove BUILD_BUG_ONs
43960
43961 grsecurity/gracl_compat.c | 20 --------------------
43962 1 files changed, 0 insertions(+), 20 deletions(-)
43963
43964commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
43965Author: Brad Spengler <spender@grsecurity.net>
43966Date: Tue Jul 30 00:18:36 2013 -0400
43967
43968 compile fixes
43969
43970 grsecurity/gracl_compat.c | 8 ++++----
43971 include/linux/gracl_compat.h | 2 +-
43972 2 files changed, 5 insertions(+), 5 deletions(-)
43973
43974commit 8b744005f8bae565e24c1fd88af77e6e619b9434
43975Author: Brad Spengler <spender@grsecurity.net>
43976Date: Tue Jul 30 00:16:42 2013 -0400
43977
43978 compile fixes
43979
43980 grsecurity/gracl.c | 4 ++--
43981 grsecurity/gracl_compat.c | 2 +-
43982 2 files changed, 3 insertions(+), 3 deletions(-)
43983
43984commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
43985Author: Brad Spengler <spender@grsecurity.net>
43986Date: Tue Jul 30 00:13:51 2013 -0400
43987
43988 compile fixes
43989
43990 grsecurity/gracl.c | 8 ++++----
43991 1 files changed, 4 insertions(+), 4 deletions(-)
43992
43993commit b93b829afcc98b6108b18d99ff63c53642d0b951
43994Author: Brad Spengler <spender@grsecurity.net>
43995Date: Tue Jul 30 00:11:03 2013 -0400
43996
43997 compile fixes
43998
43999 grsecurity/gracl_compat.c | 3 +++
44000 1 files changed, 3 insertions(+), 0 deletions(-)
44001
44002commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
44003Author: Brad Spengler <spender@grsecurity.net>
44004Date: Tue Jul 30 00:08:21 2013 -0400
44005
44006 more compile fixes
44007
44008 grsecurity/gracl.c | 28 ++++++++++++++--------------
44009 1 files changed, 14 insertions(+), 14 deletions(-)
44010
44011commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
44012Author: Brad Spengler <spender@grsecurity.net>
44013Date: Mon Jul 29 23:59:50 2013 -0400
44014
44015 more compile fixes
44016
44017 grsecurity/gracl.c | 10 +++++++++-
44018 1 files changed, 9 insertions(+), 1 deletions(-)
44019
44020commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
44021Author: Brad Spengler <spender@grsecurity.net>
44022Date: Mon Jul 29 23:56:47 2013 -0400
44023
44024 additional compile fixes
44025
44026 grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
44027 1 files changed, 49 insertions(+), 10 deletions(-)
44028
44029commit ac695a081d1124fb28bec46814535d34c5e40611
44030Author: Brad Spengler <spender@grsecurity.net>
44031Date: Mon Jul 29 23:47:15 2013 -0400
44032
44033 fix typo
44034
44035 grsecurity/gracl.c | 2 +-
44036 1 files changed, 1 insertions(+), 1 deletions(-)
44037
44038commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
44039Author: Brad Spengler <spender@grsecurity.net>
44040Date: Mon Jul 29 23:46:59 2013 -0400
44041
44042 compile fixes
44043
44044 grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
44045 1 files changed, 39 insertions(+), 14 deletions(-)
44046
44047commit 82631f451cc7432b6c5578cf8d24155473feb25c
44048Author: Brad Spengler <spender@grsecurity.net>
44049Date: Mon Jul 29 23:22:44 2013 -0400
44050
44051 Initial commit of compat RBAC loading
44052 Permits 32bit gradm to load policy for a 64bit kernel
44053
44054 Also removed code duplication for copying strings into the kernel
44055
44056 Work performed as part of sponsorship
44057
44058 grsecurity/Makefile | 4 +
44059 grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
44060 grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
44061 include/linux/gracl_compat.h | 156 +++++++++++++++++++++
44062 4 files changed, 603 insertions(+), 142 deletions(-)
44063
44064commit 84c4a433dfb096e4a1162ee5e68025122c70b421
44065Merge: c9d3ed3 9fe5897
44066Author: Brad Spengler <spender@grsecurity.net>
44067Date: Mon Jul 29 17:08:56 2013 -0400
44068
44069 Merge branch 'pax-test' into grsec-test
44070
44071commit 9fe58978938e357642885866ca48090a7753d403
44072Merge: 8f693ad 6f7bb6b
44073Author: Brad Spengler <spender@grsecurity.net>
44074Date: Mon Jul 29 17:08:43 2013 -0400
44075
44076 Merge branch 'linux-3.10.y' into pax-test
44077
44078commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
44079Merge: d5e5bfd 8f693ad
44080Author: Brad Spengler <spender@grsecurity.net>
44081Date: Sun Jul 28 10:03:08 2013 -0400
44082
44083 Merge branch 'pax-test' into grsec-test
44084
44085commit 8f693ade9b3e448f92706d34148b00a087637f70
44086Author: Brad Spengler <spender@grsecurity.net>
44087Date: Sun Jul 28 10:02:16 2013 -0400
44088
44089 Update to pax-linux-3.10.3-test5.patch:
44090 - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
44091 - fixed handling of faulting userland accesses for UDEREF/arm, from spender
44092 - updated the size overflow hash table, from Emese
44093
44094 arch/arm/kernel/entry-armv.S | 3 +-
44095 arch/x86/include/asm/processor.h | 4 +-
44096 arch/x86/kernel/cpu/common.c | 2 +-
44097 arch/x86/kernel/process_64.c | 2 +-
44098 arch/x86/kernel/smpboot.c | 2 +-
44099 arch/x86/xen/smp.c | 2 +-
44100 tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++----
44101 7 files changed, 513 insertions(+), 55 deletions(-)
44102
44103commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
44104Merge: 19e077b 8a8a0d0
44105Author: Brad Spengler <spender@grsecurity.net>
44106Date: Thu Jul 25 21:05:18 2013 -0400
44107
44108 Merge branch 'pax-test' into grsec-test
44109
44110commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
44111Author: Brad Spengler <spender@grsecurity.net>
44112Date: Thu Jul 25 21:04:09 2013 -0400
44113
44114 Update to pax-linux-3.10.3-test4.patch:
44115 - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
44116 this is finer grained sanitization than the existing per-page based approach (which
44117 is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
44118 line option can be used to enable/disable it on boot (it's enabled by default when
44119 CONFIG_PAX_MEMORY_SANITIZE is enabled).
44120
44121 Documentation/kernel-parameters.txt | 4 ++++
44122 fs/buffer.c | 2 +-
44123 fs/dcache.c | 3 ++-
44124 include/linux/slab.h | 7 +++++++
44125 include/linux/slab_def.h | 4 ++++
44126 kernel/fork.c | 2 +-
44127 mm/rmap.c | 6 ++++--
44128 mm/slab.c | 27 +++++++++++++++++++++++++++
44129 mm/slab.h | 12 +++++++++++-
44130 mm/slab_common.c | 14 ++++++++++++++
44131 mm/slob.c | 5 +++++
44132 mm/slub.c | 11 +++++++++++
44133 net/core/skbuff.c | 6 ++++--
44134 security/Kconfig | 23 +++++++++++++++++------
44135 14 files changed, 112 insertions(+), 14 deletions(-)
44136
44137commit 19e077bfff54ca211d0142c07cb6dd88069a390c
44138Merge: 960ec51 c8f7f51
44139Author: Brad Spengler <spender@grsecurity.net>
44140Date: Thu Jul 25 19:53:34 2013 -0400
44141
44142 Merge branch 'pax-test' into grsec-test
44143
44144commit c8f7f51591207b82530214300e86277028919286
44145Merge: d5142e3 81a4648
44146Author: Brad Spengler <spender@grsecurity.net>
44147Date: Thu Jul 25 19:52:29 2013 -0400
44148
44149 Update to pax-linux-3.10.3-test3.patch:
44150 - fixed some compile issues reported by Michael Tremer and spender
44151 - fixed an i386 regression with the lower address space gap on i386, reported by cnu
44152
44153 Merge branch 'linux-3.10.y' into pax-test
44154
44155 Conflicts:
44156 kernel/time/tick-broadcast.c
44157
44158commit 960ec51ab2142544fbae563d4fd5744775408965
44159Author: Al Viro <viro@zeniv.linux.org.uk>
44160Date: Sat Jul 20 03:13:55 2013 +0400
44161
44162 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
44163
44164 livelock avoidance in sget()
44165
44166 Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
44167 to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
44168 ->s_active is 1. Along comes two more processes, trying to mount the same
44169 thing; sget() in each is picking that superblock, bumping ->s_count and
44170 trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
44171 finally gets to deactivate_locked_super() on failure; ->s_active is 2,
44172 superblock is still ->fs_supers because shutdown will *not* happen until
44173 ->s_active hits 0. ->s_umount is dropped and now we have two processes
44174 chasing each other:
44175 s_active = 2, A acquired ->s_umount, B blocked
44176 A sees that the damn thing is stillborn, does deactivate_locked_super()
44177 s_active = 1, A drops ->s_umount, B gets it
44178 A restarts the search and finds the same superblock. And bumps it ->s_active.
44179 s_active = 2, B holds ->s_umount, A blocked on trying to get it
44180 ... and we are in the earlier situation with A and B switched places.
44181
44182 The root cause, of course, is that ->s_active should not grow until we'd
44183 got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
44184 shut the damn thing down. Fortunately, it's easy to do - the key point
44185 is that grab_super() is called only for superblocks currently on ->fs_supers,
44186 so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
44187 bump ->s_active; we must never increment ->s_count for superblocks past
44188 ->kill_sb(), but grab_super() is never called for those.
44189
44190 The bug is pretty old; we would've caught it by now, if not for accidental
44191 exclusion between sget() for block filesystems; the things like cgroup or
44192 e.g. mtd-based filesystems don't have anything of that sort, so they get
44193 bitten. The right way to deal with that is obviously to fix sget()...
44194
44195 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
44196
44197 fs/super.c | 25 ++++++++++---------------
44198 1 files changed, 10 insertions(+), 15 deletions(-)
44199
44200commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
44201Merge: ab95b58 d5142e3
44202Author: Brad Spengler <spender@grsecurity.net>
44203Date: Sun Jul 21 22:47:46 2013 -0400
44204
44205 Merge branch 'pax-test' into grsec-test
44206
44207commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
44208Merge: f36ae8c 0f4a56e
44209Author: Brad Spengler <spender@grsecurity.net>
44210Date: Sun Jul 21 22:47:34 2013 -0400
44211
44212 Merge branch 'linux-3.10.y' into pax-test
44213
44214commit ab95b5842899d61ff5c30f4582e72029b3155be8
44215Author: Brad Spengler <spender@grsecurity.net>
44216Date: Sun Jul 21 22:28:40 2013 -0400
44217
44218 compile fix with constification reported by Michael Tremer
44219
44220 drivers/gpu/host1x/drm/dc.c | 2 +-
44221 1 files changed, 1 insertions(+), 1 deletions(-)
44222
44223commit 817cd2d1e7a55720326599dd8f542578eef30927
44224Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
44225Date: Fri Jul 12 23:46:33 2013 +0200
44226
44227 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
44228
44229 ipv6: only static routes qualify for equal cost multipathing
44230
44231 Static routes in this case are non-expiring routes which did not get
44232 configured by autoconf or by icmpv6 redirects.
44233
44234 To make sure we actually get an ecmp route while searching for the first
44235 one in this fib6_node's leafs, also make sure it matches the ecmp route
44236 assumptions.
44237
44238 v2:
44239 a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
44240 already ensures that this route, even if added again without
44241 RTF_EXPIRES (in case of a RA announcement with infinite timeout),
44242 does not cause the rt6i_nsiblings logic to go wrong if a later RA
44243 updates the expiration time later.
44244
44245 v3:
44246 a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
44247 because an pmtu event could update the RTF_EXPIRES flag and we would
44248 not count this route, if another route joins this set. We now filter
44249 only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
44250 don't get changed after rt6_info construction.
44251
44252 Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
44253 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
44254 Signed-off-by: David S. Miller <davem@davemloft.net>
44255
44256 net/ipv6/ip6_fib.c | 15 +++++++++++----
44257 1 files changed, 11 insertions(+), 4 deletions(-)
44258
44259commit 77db8196d51b043e2e2d124094da101b0f01bccb
44260Author: Dan Carpenter <dan.carpenter@oracle.com>
44261Date: Fri Jul 12 09:39:03 2013 +0300
44262
44263 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
44264
44265 svcrdma: underflow issue in decode_write_list()
44266
44267 My static checker marks everything from ntohl() as untrusted and it
44268 complains we could have an underflow problem doing:
44269
44270 return (u32 *)&ary->wc_array[nchunks];
44271
44272 Also on 32 bit systems the upper bound check could overflow.
44273
44274 Cc: stable@vger.kernel.org
44275 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
44276 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
44277
44278 net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
44279 1 files changed, 14 insertions(+), 6 deletions(-)
44280
44281commit 926473317fd7953137ef97835edd36dabc584b01
44282Author: Brad Spengler <spender@grsecurity.net>
44283Date: Wed Jul 17 21:29:02 2013 -0400
44284
44285 add missing asm/pgtable.h include, reported by Michael Tremer
44286
44287 drivers/clk/socfpga/clk.c | 1 +
44288 1 files changed, 1 insertions(+), 0 deletions(-)
44289
44290commit c592ae0001b31932ef1491784dfa374058797c66
44291Author: Brad Spengler <spender@grsecurity.net>
44292Date: Tue Jul 16 20:40:24 2013 -0400
44293
44294 allow viewing of ecryptfs version under SYSFS_RESTRICT
44295
44296 fs/sysfs/dir.c | 2 +-
44297 1 files changed, 1 insertions(+), 1 deletions(-)
44298
44299commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
44300Merge: 9c96441 f36ae8c
44301Author: Brad Spengler <spender@grsecurity.net>
44302Date: Sun Jul 14 19:23:13 2013 -0400
44303
44304 Merge branch 'pax-test' into grsec-test
44305
44306commit f36ae8c741ae32b1caff10825be12c327792c925
44307Author: Brad Spengler <spender@grsecurity.net>
44308Date: Sun Jul 14 19:22:15 2013 -0400
44309
44310 Update to pax-linux-3.10-test2.patch:
44311 - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
44312 - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
44313 - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
44314 - spender fixed an madvise regression, reported by Peter Keel
44315 - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
44316 - fixed a headers_install regression, reported by Mathias Krause
44317 - fixed a SLOB compile regression, reported by Mathias Krause
44318
44319 arch/arm/include/asm/uaccess.h | 4 ++--
44320 arch/arm/mm/mmu.c | 15 +++++++++++++--
44321 drivers/clk/socfpga/clk.c | 6 ++++--
44322 mm/madvise.c | 4 ++--
44323 mm/slab.c | 4 ++--
44324 mm/slob.c | 4 ++--
44325 scripts/headers_install.sh | 2 +-
44326 7 files changed, 26 insertions(+), 13 deletions(-)
44327
44328commit 9c9644156a49637050741d9165df79174e59b0ef
44329Author: Brad Spengler <spender@grsecurity.net>
44330Date: Sun Jul 14 19:19:54 2013 -0400
44331
44332 Fix sparc64 compilation, reported by Blake Self
44333
44334 arch/sparc/kernel/sys_sparc_64.c | 4 ++--
44335 1 files changed, 2 insertions(+), 2 deletions(-)
44336
44337commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
44338Author: Brad Spengler <spender@grsecurity.net>
44339Date: Sun Jul 14 11:49:17 2013 -0400
44340
44341 Update PaX fix, just return the error
44342
44343 mm/madvise.c | 15 +++++++--------
44344 1 files changed, 7 insertions(+), 8 deletions(-)
44345
44346commit a10e377d0eddd37e8a3665b135e546ab03d9d171
44347Author: Brad Spengler <spender@grsecurity.net>
44348Date: Sun Jul 14 11:36:00 2013 -0400
44349
44350 Fix madvise oops reported by Peter Keel
44351
44352 mm/madvise.c | 11 ++++++-----
44353 1 files changed, 6 insertions(+), 5 deletions(-)
44354
44355commit 08c5adca34d408772255b313f90d82c250c1d967
44356Author: Brad Spengler <spender@grsecurity.net>
44357Date: Sun Jul 14 11:26:34 2013 -0400
44358
44359 don't make high vector mapping non-present on old ARM architectures, no
44360 point in emulating some vector entries when the processor doesn't even support XN
44361
44362 arch/arm/mm/mmu.c | 7 +++++--
44363 1 files changed, 5 insertions(+), 2 deletions(-)
44364
44365commit 2b40781d4197a89a003616af584884e36361c5b2
44366Author: Brad Spengler <spender@grsecurity.net>
44367Date: Sun Jul 14 09:51:58 2013 -0400
44368
44369 Temporary compile fix for code incorrectly modifying const data
44370 Wrap a cast version of the code with open/close
44371
44372 Thanks to Michael Tremer for the report
44373
44374 drivers/clk/socfpga/clk.c | 6 ++++--
44375 1 files changed, 4 insertions(+), 2 deletions(-)
44376
44377commit a8258c1b4098c396cd4ea719e20858182feac1c1
44378Author: Brad Spengler <spender@grsecurity.net>
44379Date: Sun Jul 14 09:41:16 2013 -0400
44380
44381 Fix missing right parens in pipacs' "improvement" of my ARM code ;)
44382 Thanks to Michael Tremer for reporting
44383
44384 arch/arm/include/asm/uaccess.h | 4 ++--
44385 1 files changed, 2 insertions(+), 2 deletions(-)
44386
44387commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
44388Merge: 86f446e 2577f8e
44389Author: Brad Spengler <spender@grsecurity.net>
44390Date: Sat Jul 13 20:46:58 2013 -0400
44391
44392 Merge branch 'pax-test' into grsec-test
44393
44394 Conflicts:
44395 mm/memcontrol.c
44396
44397commit 2577f8e4ec41efb347706a59c6838de20f0c90da
44398Merge: 75a36f0 cb5d8be
44399Author: Brad Spengler <spender@grsecurity.net>
44400Date: Sat Jul 13 20:43:42 2013 -0400
44401
44402 Merge branch 'linux-3.10.y' into pax-test
44403
44404 Conflicts:
44405 crypto/algapi.c
44406 drivers/block/nbd.c
44407
44408commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
44409Author: Brad Spengler <spender@grsecurity.net>
44410Date: Fri Jul 12 23:02:11 2013 -0400
44411
44412 we always want the vector page to be noaccess for userland
44413 therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
44414 which turns into supervisor rwx, userland rx, we instead omit that entirely,
44415 leaving it as supervisor rwx only
44416
44417 Fixes booting on ARMv5 and earlier, which need to write directly
44418 to the high vector mapping via set_tls when context switching
44419
44420 Thanks to Michael Tremer for the bugreport
44421
44422 arch/arm/mm/mmu.c | 12 ++++++++++--
44423 1 files changed, 10 insertions(+), 2 deletions(-)
44424
44425commit 90cd0827eef656ec884f19c977873fefe2f2e47d
44426Author: Cong Wang <amwang@redhat.com>
44427Date: Sat Jun 29 12:02:59 2013 +0800
44428
44429 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
44430
44431 gre: fix a regression in ioctl
44432
44433 When testing GRE tunnel, I got:
44434
44435 # ip tunnel show
44436 get tunnel gre0 failed: Invalid argument
44437 get tunnel gre1 failed: Invalid argument
44438
44439 This is a regression introduced by commit c54419321455631079c7d
44440 ("GRE: Refactor GRE tunneling code.") because previously we
44441 only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
44442 after that commit, the check is moved for all commands.
44443
44444 So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
44445
44446 After this patch I got:
44447
44448 # ip tunnel show
44449 gre0: gre/ip remote any local any ttl inherit nopmtudisc
44450 gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit
44451
44452 Cc: Pravin B Shelar <pshelar@nicira.com>
44453 Cc: "David S. Miller" <davem@davemloft.net>
44454 Signed-off-by: Cong Wang <amwang@redhat.com>
44455 Signed-off-by: David S. Miller <davem@davemloft.net>
44456
44457 net/ipv4/ip_gre.c | 9 +++++----
44458 1 files changed, 5 insertions(+), 4 deletions(-)
44459
44460commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
44461Author: Cong Wang <amwang@redhat.com>
44462Date: Sat Jun 29 13:00:57 2013 +0800
44463
44464 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
44465
44466 vti: remove duplicated code to fix a memory leak
44467
44468 vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
44469 and in vti_tunnel_init(), this lead to a memory leak of
44470 dev->tstats.
44471
44472 Just remove the duplicated operations in vti_fb_tunnel_init().
44473
44474 (candidate for -stable)
44475
44476 Cc: Stephen Hemminger <stephen@networkplumber.org>
44477 Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
44478 Cc: "David S. Miller" <davem@davemloft.net>
44479 Signed-off-by: Cong Wang <amwang@redhat.com>
44480 Acked-by: Stephen Hemminger <stephen@networkplumber.org>
44481 Signed-off-by: David S. Miller <davem@davemloft.net>
44482
44483 net/ipv4/ip_vti.c | 7 -------
44484 1 files changed, 0 insertions(+), 7 deletions(-)
44485
44486commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
44487Author: Michal Schmidt <mschmidt@redhat.com>
44488Date: Mon Jul 1 17:23:05 2013 +0200
44489
44490 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
44491
44492 bnx2x: remove zeroing of dump data buffer
44493
44494 There is no need to initialize the dump data with zeros.
44495 data is allocated with vzalloc, so it's already zero-filled.
44496
44497 More importantly, the memset is harmful, because dump->len (the length
44498 requested by userspace) can be bigger than the allocated buffer (whose
44499 size is determined by asking the driver's .get_dump_flag method).
44500
44501 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
44502 Signed-off-by: David S. Miller <davem@davemloft.net>
44503
44504 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 --
44505 1 files changed, 0 insertions(+), 2 deletions(-)
44506
44507commit c771072b72c261f9bddd6734dca6979c1b96e7df
44508Author: Michal Schmidt <mschmidt@redhat.com>
44509Date: Mon Jul 1 17:23:06 2013 +0200
44510
44511 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
44512
44513 bnx2x: fix dump flag handling
44514
44515 bnx2x interprets the dump flag as an index of a register preset.
44516 It is important to validate the index to avoid out of bounds
44517 memory accesses.
44518
44519 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
44520 Signed-off-by: David S. Miller <davem@davemloft.net>
44521
44522 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++
44523 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++
44524 2 files changed, 5 insertions(+), 0 deletions(-)
44525
44526commit aed315c8fad9b2044143b46b239574b1b72135ce
44527Author: Michal Schmidt <mschmidt@redhat.com>
44528Date: Mon Jul 1 17:23:30 2013 +0200
44529
44530 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
44531
44532 ethtool: make .get_dump_data() harder to misuse by drivers
44533
44534 As the patch "bnx2x: remove zeroing of dump data buffer" showed,
44535 it is too easy implement .get_dump_data incorrectly in a driver.
44536
44537 Let's make sure drivers cannot get confused by userspace requesting
44538 a too big dump.
44539
44540 Also WARN if the driver sets dump->len to something weird and make
44541 sure the length reported to userspace is the actual length of data
44542 copied to userspace.
44543
44544 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
44545 Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
44546 Signed-off-by: David S. Miller <davem@davemloft.net>
44547
44548 net/core/ethtool.c | 21 ++++++++++++++++++++-
44549 1 files changed, 20 insertions(+), 1 deletions(-)
44550
44551commit 5c57991e66216e386dcc875d34c33f0edd038569
44552Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
44553Date: Tue Jul 2 09:02:07 2013 +0800
44554
44555 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
44556
44557 l2tp: add missing .owner to struct pppox_proto
44558
44559 Add missing .owner of struct pppox_proto. This prevents the
44560 module from being removed from underneath its users.
44561
44562 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
44563 Signed-off-by: David S. Miller <davem@davemloft.net>
44564
44565 net/l2tp/l2tp_ppp.c | 3 ++-
44566 1 files changed, 2 insertions(+), 1 deletions(-)
44567
44568commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
44569Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
44570Date: Sun Jun 30 14:37:11 2013 +1000
44571
44572 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
44573
44574 cxgb3: Missing rtnl lock in error recovery
44575
44576 When exercising error injection on IBM pseries machine, I hit the
44577 following warning:
44578
44579 [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
44580 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
44581 [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
44582 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
44583 [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
44584 [ 254.895474] Call Trace:
44585 [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
44586 [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
44587 [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
44588 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
44589 [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
44590 [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
44591 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
44592 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
44593 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
44594 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
44595 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
44596
44597 It appears that t3_resume_ports() is called with the rtnl_lock held from
44598 the fatal error task but not from the PCI error callbacks. This fixes it.
44599
44600 Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
44601 Signed-off-by: David S. Miller <davem@davemloft.net>
44602
44603 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
44604 1 files changed, 2 insertions(+), 0 deletions(-)
44605
44606commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
44607Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
44608Date: Mon Jul 1 20:21:30 2013 +0200
44609
44610 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
44611
44612 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
44613
44614 We accidentally call down to ip6_push_pending_frames when uncorking
44615 pending AF_INET data on a ipv6 socket. This results in the following
44616 splat (from Dave Jones):
44617
44618 skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
44619 ------------[ cut here ]------------
44620 kernel BUG at net/core/skbuff.c:126!
44621 invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
44622 Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
44623 +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
44624 CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
44625 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
44626 RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
44627 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
44628 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
44629 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
44630 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
44631 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
44632 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
44633 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
44634 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
44635 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
44636 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
44637 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
44638 Stack:
44639 ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
44640 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
44641 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
44642 Call Trace:
44643 [<ffffffff8159a9aa>] skb_push+0x3a/0x40
44644 [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
44645 [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
44646 [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
44647 [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
44648 [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
44649 [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
44650 [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
44651 [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
44652 [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
44653 [<ffffffff816f5d54>] tracesys+0xdd/0xe2
44654 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
44655 RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
44656 RSP <ffff8801e6431de8>
44657
44658 This patch adds a check if the pending data is of address family AF_INET
44659 and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
44660 if that is the case.
44661
44662 This bug was found by Dave Jones with trinity.
44663
44664 (Also move the initialization of fl6 below the AF_INET check, even if
44665 not strictly necessary.)
44666
44667 Cc: Dave Jones <davej@redhat.com>
44668 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
44669 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
44670 Signed-off-by: David S. Miller <davem@davemloft.net>
44671
44672 include/net/udp.h | 1 +
44673 net/ipv4/udp.c | 3 ++-
44674 net/ipv6/udp.c | 7 ++++++-
44675 3 files changed, 9 insertions(+), 2 deletions(-)
44676
44677commit cd83094a85d9bbd5a67332156407d53cf8835432
44678Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
44679Date: Tue Jul 2 08:04:05 2013 +0200
44680
44681 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
44682
44683 ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
44684
44685 If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
44686 of this when appending the second frame on a corked socket. This results
44687 in the following splat:
44688
44689 [37598.993962] ------------[ cut here ]------------
44690 [37598.994008] kernel BUG at net/core/skbuff.c:2064!
44691 [37598.994008] invalid opcode: 0000 [#1] SMP
44692 [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
44693 +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
44694 +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
44695 [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
44696 +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
44697 [37598.994008] CPU 0
44698 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
44699 [37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
44700 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
44701 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
44702 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
44703 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
44704 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
44705 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
44706 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
44707 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
44708 [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
44709 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
44710 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
44711 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
44712 [37598.994008] Stack:
44713 [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
44714 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
44715 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
44716 [37598.994008] Call Trace:
44717 [37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
44718 [37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
44719 [37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
44720 [37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
44721 [37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
44722 [37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
44723 [37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
44724 [37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
44725 [37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
44726 [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
44727 [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
44728 [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
44729 [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
44730 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
44731 [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
44732 [37598.994008] RSP <ffff88003670da18>
44733 [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
44734
44735 While there, also check if path mtu discovery is activated for this
44736 socket. The logic was adapted from ip6_append_data when first writing
44737 on the corked socket.
44738
44739 This bug was introduced with commit
44740 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
44741 fragment").
44742
44743 v2:
44744 a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
44745 b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
44746 feng, thanks!).
44747 c) Change mtu to unsigned int, else we get a warning about
44748 non-matching types because of the min()-macro type-check.
44749
44750 Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
44751 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
44752 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
44753 Signed-off-by: David S. Miller <davem@davemloft.net>
44754
44755 net/ipv6/ip6_output.c | 16 ++++++++++------
44756 1 files changed, 10 insertions(+), 6 deletions(-)
44757
44758commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
44759Author: Michael S. Tsirkin <mst@redhat.com>
44760Date: Sun Jul 7 14:26:53 2013 +0300
44761
44762 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
44763
44764 vhost-net: fix use-after-free in vhost_net_flush
44765
44766 vhost_net_ubuf_put_and_wait has a confusing name:
44767 it will actually also free it's argument.
44768 Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
44769 "vhost-net: flush outstanding DMAs on memory change"
44770 vhost_net_flush tries to use the argument after passing it
44771 to vhost_net_ubuf_put_and_wait, this results
44772 in use after free.
44773 To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
44774 add an new API for callers that want to free ubufs.
44775
44776 Acked-by: Asias He <asias@redhat.com>
44777 Acked-by: Jason Wang <jasowang@redhat.com>
44778 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
44779 Signed-off-by: David S. Miller <davem@davemloft.net>
44780
44781 drivers/vhost/net.c | 9 +++++++--
44782 1 files changed, 7 insertions(+), 2 deletions(-)
44783
44784commit 088806db74ac2f08c106202bc5498585a9ee529f
44785Author: Michal Hocko <mhocko@suse.cz>
44786Date: Mon Jul 8 16:00:29 2013 -0700
44787
44788 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
44789
44790 memcg, kmem: fix reference count handling on the error path
44791
44792 mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
44793 This is not correct because only memcg_propagate_kmem takes an
44794 additional reference while mem_cgroup_sockets_init is allowed to fail as
44795 well (although no current implementation fails) but it doesn't take any
44796 reference. This all suggests that it should be memcg_propagate_kmem
44797 that should clean up after itself so this patch moves mem_cgroup_put
44798 over there.
44799
44800 Unfortunately this is not that easy (as pointed out by Li Zefan) because
44801 memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
44802 marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
44803 memcg_propagate_kmem fails so the additional reference is dropped in
44804 that case in kmem_cgroup_destroy which means that the reference would be
44805 dropped two times.
44806
44807 The easiest way then would be to simply remove mem_cgrroup_put from
44808 mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
44809 thing.
44810
44811 Signed-off-by: Michal Hocko <mhocko@suse.cz>
44812 Signed-off-by: Li Zefan <lizefan@huawei.com>
44813 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
44814 Cc: Hugh Dickins <hughd@google.com>
44815 Cc: Tejun Heo <tj@kernel.org>
44816 Cc: Glauber Costa <glommer@openvz.org>
44817 Cc: Johannes Weiner <hannes@cmpxchg.org>
44818 Cc: <stable@vger.kernel.org> [3.8]
44819 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
44820 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
44821
44822 mm/memcontrol.c | 8 --------
44823 1 files changed, 0 insertions(+), 8 deletions(-)
44824
44825commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
44826Author: Michal Hocko <mhocko@suse.cz>
44827Date: Mon Jul 8 16:00:27 2013 -0700
44828
44829 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
44830
44831 Revert "memcg: avoid dangling reference count in creation failure"
44832
44833 This reverts commit e4715f01be697a.
44834
44835 mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
44836 an additional reference from all parents so the additional
44837 mem_cgrroup_put(parent) potentially causes use-after-free.
44838
44839 Signed-off-by: Michal Hocko <mhocko@suse.cz>
44840 Signed-off-by: Li Zefan <lizefan@huawei.com>
44841 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
44842 Cc: Hugh Dickins <hughd@google.com>
44843 Cc: Tejun Heo <tj@kernel.org>
44844 Cc: Glauber Costa <glommer@openvz.org>
44845 Cc: Johannes Weiner <hannes@cmpxchg.org>
44846 Cc: <stable@vger.kernel.org> [3.9+]
44847 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
44848 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
44849
44850 mm/memcontrol.c | 2 --
44851 1 files changed, 0 insertions(+), 2 deletions(-)
44852
44853commit 3267ec559f48327a1836eccecd53215afc5810d0
44854Author: Tyler Hicks <tyhicks@canonical.com>
44855Date: Thu Jun 20 13:13:59 2013 -0700
44856
44857 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
44858
44859 libceph: Fix NULL pointer dereference in auth client code
44860
44861 A malicious monitor can craft an auth reply message that could cause a
44862 NULL function pointer dereference in the client's kernel.
44863
44864 To prevent this, the auth_none protocol handler needs an empty
44865 ceph_auth_client_ops->build_request() function.
44866
44867 CVE-2013-1059
44868
44869 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
44870 Reported-by: Chanam Park <chanam.park@hkpco.kr>
44871 Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
44872 Reviewed-by: Sage Weil <sage@inktank.com>
44873 Cc: stable@vger.kernel.org
44874
44875 net/ceph/auth_none.c | 6 ++++++
44876 1 files changed, 6 insertions(+), 0 deletions(-)
44877
44878commit cdfeb4049e7cb38702215b2c356ce0407974ac79
44879Author: Eric Paris <eparis@redhat.com>
44880Date: Wed Jul 3 15:08:29 2013 -0700
44881
44882 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
44883
44884 fork: reorder permissions when violating number of processes limits
44885
44886 When a task is attempting to violate the RLIMIT_NPROC limit we have a
44887 check to see if the task is sufficiently priviledged. The check first
44888 looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
44889
44890 A result is that tasks which are allowed by the uid=0 check are first
44891 checked against the security subsystem. This results in the security
44892 subsystem auditting a denial for sys_admin and sys_resource and then the
44893 task passing the uid=0 check.
44894
44895 This patch rearranges the code to first check uid=0, since if we pass that
44896 we shouldn't hit the security system at all. We then check sys_resource,
44897 since it is the smallest capability which will solve the problem. Lastly
44898 we check the fallback everything cap_sysadmin. We don't want to give this
44899 capability many places since it is so powerful.
44900
44901 This will eliminate many of the false positive/needless denial messages we
44902 get when a root task tries to violate the nproc limit. (note that
44903 kthreads count against root, so on a sufficiently large machine we can
44904 actually get past the default limits before any userspace tasks are
44905 launched.)
44906
44907 Signed-off-by: Eric Paris <eparis@redhat.com>
44908 Cc: Al Viro <viro@zeniv.linux.org.uk>
44909 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
44910 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
44911
44912 kernel/fork.c | 4 ++--
44913 1 files changed, 2 insertions(+), 2 deletions(-)
44914
44915commit 08c87e049c8a50707908785d950fd48c334f4c09
44916Author: Chen Gang <gang.chen@asianux.com>
44917Date: Sat Jun 22 13:26:09 2013 +0800
44918
44919 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
44920
44921 arch: sparc: kernel: check the memory length before use strcpy().
44922
44923 For the related next strcpy(), the destination length is less than 512,
44924 but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
44925 more than 512.
44926
44927 One work flow may:
44928 openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT)
44929 getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
44930 opromsetopt() -> devide the buffer into 'var' and 'value'
44931 of_set_property() -> pass
44932 prom_setprop() -> pass
44933 ldom_set_var()
44934
44935 And do not mind the additional 4 alignment buffer increasing, since
44936 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
44937
44938 Signed-off-by: Chen Gang <gang.chen@asianux.com>
44939 Signed-off-by: David S. Miller <davem@davemloft.net>
44940
44941 arch/sparc/kernel/ds.c | 10 ++++++++++
44942 1 files changed, 10 insertions(+), 0 deletions(-)
44943
44944commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
44945Author: Brad Spengler <spender@grsecurity.net>
44946Date: Fri Jul 12 20:38:45 2013 -0400
44947
44948 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
44949
44950 Unlike slub, slab can initally create two of the kmalloc_caches
44951 which will be used later for generic kmallocs of their particular
44952 aligned size (since the later loop in the unified allocator code
44953 skips any already-existing kmalloc_caches)
44954
44955 mm/slab.c | 4 ++--
44956 1 files changed, 2 insertions(+), 2 deletions(-)
44957
44958commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
44959Author: Brad Spengler <spender@grsecurity.net>
44960Date: Tue Jul 9 22:04:59 2013 -0400
44961
44962 compile fixes
44963
44964 fs/exec.c | 2 +-
44965 mm/mmap.c | 4 ++--
44966 2 files changed, 3 insertions(+), 3 deletions(-)
44967
44968commit e2d027c7e0f106be683c0c72482b8285daefcbe6
44969Author: Brad Spengler <spender@grsecurity.net>
44970Date: Tue Jul 9 20:58:40 2013 -0400
44971
44972 commit successful merges
44973
44974 Documentation/kernel-parameters.txt | 4 +
44975 Makefile | 8 +-
44976 arch/alpha/include/asm/cache.h | 4 +-
44977 arch/alpha/kernel/osf_sys.c | 12 +-
44978 arch/arm/include/asm/thread_info.h | 3 +-
44979 arch/arm/kernel/ptrace.c | 9 +
44980 arch/arm/kernel/traps.c | 7 +-
44981 arch/arm/mm/fault.c | 29 +-
44982 arch/arm/mm/mmap.c | 8 +-
44983 arch/avr32/include/asm/cache.h | 4 +-
44984 arch/blackfin/include/asm/cache.h | 3 +-
44985 arch/cris/include/arch-v10/arch/cache.h | 3 +-
44986 arch/cris/include/arch-v32/arch/cache.h | 3 +-
44987 arch/frv/include/asm/cache.h | 3 +-
44988 arch/frv/mm/elf-fdpic.c | 4 +-
44989 arch/hexagon/include/asm/cache.h | 6 +-
44990 arch/ia64/include/asm/cache.h | 3 +-
44991 arch/ia64/kernel/sys_ia64.c | 2 +
44992 arch/ia64/mm/hugetlbpage.c | 2 +
44993 arch/m32r/include/asm/cache.h | 4 +-
44994 arch/m68k/include/asm/cache.h | 4 +-
44995 arch/metag/mm/hugetlbpage.c | 1 +
44996 arch/microblaze/include/asm/cache.h | 3 +-
44997 arch/mips/include/asm/cache.h | 3 +-
44998 arch/mips/include/asm/thread_info.h | 9 +-
44999 arch/mips/kernel/ptrace.c | 9 +
45000 arch/mips/kernel/scall32-o32.S | 2 +-
45001 arch/mips/kernel/scall64-64.S | 2 +-
45002 arch/mips/kernel/scall64-n32.S | 2 +-
45003 arch/mips/kernel/scall64-o32.S | 2 +-
45004 arch/mips/mm/mmap.c | 4 +-
45005 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
45006 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
45007 arch/openrisc/include/asm/cache.h | 4 +-
45008 arch/parisc/include/asm/cache.h | 5 +-
45009 arch/parisc/kernel/sys_parisc.c | 17 +-
45010 arch/powerpc/include/asm/cache.h | 3 +-
45011 arch/powerpc/kernel/process.c | 10 +-
45012 arch/powerpc/kernel/ptrace.c | 14 +
45013 arch/powerpc/kernel/traps.c | 5 +
45014 arch/s390/include/asm/cache.h | 4 +-
45015 arch/score/include/asm/cache.h | 4 +-
45016 arch/sh/include/asm/cache.h | 3 +-
45017 arch/sh/mm/mmap.c | 6 +-
45018 arch/sparc/include/asm/cache.h | 4 +-
45019 arch/sparc/include/asm/thread_info_64.h | 9 +-
45020 arch/sparc/kernel/process_32.c | 6 +-
45021 arch/sparc/kernel/process_64.c | 4 +-
45022 arch/sparc/kernel/ptrace_64.c | 14 +
45023 arch/sparc/kernel/sys_sparc_64.c | 8 +-
45024 arch/sparc/kernel/syscalls.S | 8 +-
45025 arch/sparc/kernel/traps_32.c | 8 +-
45026 arch/sparc/kernel/traps_64.c | 28 +-
45027 arch/sparc/kernel/unaligned_64.c | 2 +-
45028 arch/sparc/mm/fault_64.c | 2 +-
45029 arch/sparc/mm/hugetlbpage.c | 3 +-
45030 arch/tile/include/asm/cache.h | 3 +-
45031 arch/tile/mm/hugetlbpage.c | 2 +
45032 arch/um/defconfig | 1 -
45033 arch/um/include/asm/cache.h | 3 +-
45034 arch/unicore32/include/asm/cache.h | 6 +-
45035 arch/x86/Kconfig | 5 +-
45036 arch/x86/ia32/ia32_aout.c | 2 +
45037 arch/x86/include/asm/thread_info.h | 8 +-
45038 arch/x86/kernel/dumpstack.c | 8 +
45039 arch/x86/kernel/entry_32.S | 2 +-
45040 arch/x86/kernel/entry_64.S | 2 +-
45041 arch/x86/kernel/ioport.c | 13 +
45042 arch/x86/kernel/ptrace.c | 14 +
45043 arch/x86/kernel/signal.c | 9 +-
45044 arch/x86/kernel/smpboot.c | 3 +
45045 arch/x86/kernel/sys_i386_32.c | 9 +-
45046 arch/x86/kernel/sys_x86_64.c | 8 +-
45047 arch/x86/kernel/verify_cpu.S | 1 +
45048 arch/x86/kernel/vm86_32.c | 1 +
45049 arch/x86/mm/fault.c | 12 +-
45050 arch/x86/mm/hugetlbpage.c | 15 +-
45051 arch/x86/mm/init.c | 66 +-
45052 arch/x86/net/bpf_jit_comp.c | 129 +-
45053 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
45054 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
45055 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
45056 drivers/block/cciss.c | 2 +
45057 drivers/block/cpqarray.c | 1 +
45058 drivers/cdrom/cdrom.c | 4 +-
45059 drivers/char/Kconfig | 4 +-
45060 drivers/char/genrtc.c | 1 +
45061 drivers/char/mem.c | 17 +
45062 drivers/char/mwave/tp3780i.c | 1 +
45063 drivers/char/random.c | 12 +
45064 drivers/gpu/drm/drm_info.c | 4 +
45065 drivers/hid/hid-wiimote-debug.c | 2 +-
45066 drivers/media/radio/radio-cadet.c | 2 +-
45067 drivers/message/fusion/mptbase.c | 9 +
45068 drivers/net/bonding/bond_main.c | 2 +-
45069 drivers/net/phy/mdio-bitbang.c | 1 +
45070 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
45071 drivers/pci/proc.c | 9 +
45072 drivers/rtc/rtc-dev.c | 3 +
45073 drivers/tty/sysrq.c | 2 +-
45074 drivers/tty/vt/keyboard.c | 22 +-
45075 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------
45076 drivers/xen/xenfs/xenstored.c | 5 +
45077 fs/attr.c | 1 +
45078 fs/autofs4/waitq.c | 9 +
45079 fs/binfmt_aout.c | 7 +
45080 fs/binfmt_elf.c | 8 +-
45081 fs/btrfs/ioctl.c | 6 +-
45082 fs/compat.c | 20 +-
45083 fs/coredump.c | 9 +-
45084 fs/debugfs/inode.c | 4 +
45085 fs/exec.c | 184 ++-
45086 fs/ext2/balloc.c | 4 +-
45087 fs/ext3/balloc.c | 4 +-
45088 fs/ext4/resize.c | 17 +-
45089 fs/fcntl.c | 5 +
45090 fs/file.c | 4 +
45091 fs/filesystems.c | 4 +
45092 fs/fs_struct.c | 13 +-
45093 fs/hugetlbfs/inode.c | 5 +-
45094 fs/namei.c | 234 ++-
45095 fs/namespace.c | 16 +
45096 fs/notify/fanotify/fanotify_user.c | 1 +
45097 fs/open.c | 38 +
45098 fs/proc/Kconfig | 10 +-
45099 fs/proc/array.c | 59 +-
45100 fs/proc/base.c | 168 ++-
45101 fs/proc/cmdline.c | 4 +
45102 fs/proc/devices.c | 4 +
45103 fs/proc/fd.c | 17 +-
45104 fs/proc/inode.c | 4 +
45105 fs/proc/kcore.c | 3 +
45106 fs/proc/proc_net.c | 12 +
45107 fs/proc/proc_sysctl.c | 43 +-
45108 fs/proc/root.c | 8 +
45109 fs/proc/task_mmu.c | 75 +-
45110 fs/readdir.c | 19 +
45111 fs/select.c | 2 +
45112 fs/seq_file.c | 12 +-
45113 fs/stat.c | 19 +-
45114 fs/sysfs/dir.c | 12 +
45115 fs/utimes.c | 7 +
45116 fs/xattr.c | 19 +-
45117 include/linux/capability.h | 5 +
45118 include/linux/cred.h | 3 +
45119 include/linux/fs.h | 10 +
45120 include/linux/fsnotify.h | 6 +
45121 include/linux/kallsyms.h | 14 +-
45122 include/linux/kmod.h | 2 +
45123 include/linux/mm.h | 1 +
45124 include/linux/perf_event.h | 13 +-
45125 include/linux/printk.h | 3 +-
45126 include/linux/sched.h | 24 +-
45127 include/linux/security.h | 1 +
45128 include/linux/seq_file.h | 3 +
45129 include/linux/shm.h | 4 +
45130 include/linux/skbuff.h | 3 +
45131 include/linux/slab.h | 9 -
45132 include/linux/sysctl.h | 2 +
45133 include/linux/thread_info.h | 2 +
45134 include/linux/uidgid.h | 5 +
45135 include/linux/vermagic.h | 9 +-
45136 include/uapi/linux/personality.h | 1 +
45137 init/Kconfig | 3 +-
45138 init/main.c | 14 +
45139 ipc/mqueue.c | 1 +
45140 ipc/shm.c | 28 +
45141 kernel/capability.c | 39 +-
45142 kernel/cgroup.c | 2 +-
45143 kernel/compat.c | 1 +
45144 kernel/configs.c | 11 +
45145 kernel/cred.c | 110 +-
45146 kernel/events/core.c | 14 +-
45147 kernel/exit.c | 10 +-
45148 kernel/fork.c | 41 +-
45149 kernel/futex.c | 1 +
45150 kernel/kallsyms.c | 9 +
45151 kernel/kcmp.c | 4 +
45152 kernel/kmod.c | 64 +-
45153 kernel/kprobes.c | 4 +-
45154 kernel/ksysfs.c | 2 +
45155 kernel/lockdep_proc.c | 10 +-
45156 kernel/module.c | 81 +-
45157 kernel/panic.c | 2 +-
45158 kernel/pid.c | 19 +-
45159 kernel/posix-timers.c | 7 +
45160 kernel/printk.c | 5 +
45161 kernel/ptrace.c | 20 +-
45162 kernel/resource.c | 10 +
45163 kernel/sched/core.c | 6 +-
45164 kernel/signal.c | 37 +-
45165 kernel/sys.c | 45 +-
45166 kernel/sysctl.c | 70 +-
45167 kernel/taskstats.c | 6 +
45168 kernel/time.c | 5 +
45169 kernel/time/timekeeping.c | 1 +
45170 kernel/time/timer_list.c | 12 +
45171 kernel/time/timer_stats.c | 10 +-
45172 lib/Kconfig.debug | 5 +-
45173 lib/is_single_threaded.c | 3 +
45174 mm/Kconfig | 4 +-
45175 mm/filemap.c | 1 +
45176 mm/kmemleak.c | 4 +-
45177 mm/mempolicy.c | 12 +-
45178 mm/migrate.c | 3 +-
45179 mm/mlock.c | 3 +
45180 mm/mmap.c | 63 +-
45181 mm/mprotect.c | 8 +
45182 mm/process_vm_access.c | 6 +
45183 mm/slab.c | 2 +-
45184 mm/slub.c | 14 +-
45185 mm/vmalloc.c | 4 +
45186 mm/vmstat.c | 18 +-
45187 net/core/dev_ioctl.c | 4 +
45188 net/core/sock_diag.c | 7 +
45189 net/ipv4/inet_hashtables.c | 5 +
45190 net/ipv4/ip_sockglue.c | 3 +-
45191 net/ipv4/tcp_input.c | 4 +-
45192 net/ipv4/tcp_ipv4.c | 24 +-
45193 net/ipv4/tcp_minisocks.c | 9 +-
45194 net/ipv4/tcp_timer.c | 11 +
45195 net/ipv4/udp.c | 24 +
45196 net/ipv6/tcp_ipv6.c | 23 +-
45197 net/ipv6/udp.c | 4 +
45198 net/netfilter/Kconfig | 10 +
45199 net/netfilter/Makefile | 1 +
45200 net/netfilter/nf_conntrack_core.c | 8 +
45201 net/netrom/af_netrom.c | 1 -
45202 net/phonet/af_phonet.c | 2 +-
45203 net/sctp/proc.c | 3 +-
45204 net/socket.c | 66 +-
45205 net/sysctl_net.c | 2 +-
45206 net/unix/af_unix.c | 31 +-
45207 security/Kconfig | 343 +++-
45208 security/apparmor/Kconfig | 9 +
45209 security/apparmor/apparmorfs.c | 231 ++
45210 security/commoncap.c | 29 +
45211 security/min_addr.c | 2 +
45212 security/security.c | 2 -
45213 security/selinux/hooks.c | 2 -
45214 security/tomoyo/mount.c | 4 +
45215 security/yama/Kconfig | 2 +-
45216 242 files changed, 4385 insertions(+), 2042 deletions(-)
45217
45218commit 043a378c0f72ed92cc30182c48abce39867ac93f
45219Author: Brad Spengler <spender@grsecurity.net>
45220Date: Tue Jul 9 20:57:40 2013 -0400
45221
45222 Commit merge of new files and rejected patches
45223
45224 arch/arm/include/asm/thread_info.h | 6 +-
45225 arch/arm/kernel/process.c | 4 +-
45226 arch/powerpc/include/asm/thread_info.h | 7 +-
45227 arch/powerpc/mm/slice.c | 2 +-
45228 arch/sparc/kernel/process_64.c | 4 +-
45229 arch/x86/kernel/vm86_32.c | 15 +
45230 fs/coredump.c | 1 +
45231 fs/ext4/balloc.c | 4 +-
45232 fs/namei.c | 7 +
45233 fs/namespace.c | 8 +
45234 fs/pipe.c | 2 +-
45235 fs/proc/inode.c | 13 +
45236 fs/proc/internal.h | 3 +
45237 grsecurity/Kconfig | 1054 +++++++++
45238 grsecurity/Makefile | 38 +
45239 grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
45240 grsecurity/gracl_alloc.c | 105 +
45241 grsecurity/gracl_cap.c | 110 +
45242 grsecurity/gracl_fs.c | 431 ++++
45243 grsecurity/gracl_ip.c | 387 +++
45244 grsecurity/gracl_learn.c | 207 ++
45245 grsecurity/gracl_res.c | 68 +
45246 grsecurity/gracl_segv.c | 305 +++
45247 grsecurity/gracl_shm.c | 40 +
45248 grsecurity/grsec_chdir.c | 19 +
45249 grsecurity/grsec_chroot.c | 370 +++
45250 grsecurity/grsec_disabled.c | 434 ++++
45251 grsecurity/grsec_exec.c | 187 ++
45252 grsecurity/grsec_fifo.c | 24 +
45253 grsecurity/grsec_fork.c | 23 +
45254 grsecurity/grsec_init.c | 283 +++
45255 grsecurity/grsec_link.c | 58 +
45256 grsecurity/grsec_log.c | 326 +++
45257 grsecurity/grsec_mem.c | 40 +
45258 grsecurity/grsec_mount.c | 62 +
45259 grsecurity/grsec_pax.c | 36 +
45260 grsecurity/grsec_ptrace.c | 30 +
45261 grsecurity/grsec_sig.c | 246 ++
45262 grsecurity/grsec_sock.c | 244 ++
45263 grsecurity/grsec_sysctl.c | 469 ++++
45264 grsecurity/grsec_time.c | 16 +
45265 grsecurity/grsec_tpe.c | 73 +
45266 grsecurity/grsum.c | 61 +
45267 include/linux/gracl.h | 319 +++
45268 include/linux/gralloc.h | 9 +
45269 include/linux/grdefs.h | 140 ++
45270 include/linux/grinternal.h | 227 ++
45271 include/linux/grmsg.h | 112 +
45272 include/linux/grsecurity.h | 241 ++
45273 include/linux/grsock.h | 19 +
45274 include/linux/netfilter/xt_gradm.h | 9 +
45275 include/linux/proc_fs.h | 13 +
45276 include/linux/sched.h | 48 +-
45277 include/trace/events/fs.h | 53 +
45278 kernel/kmod.c | 7 +-
45279 kernel/panic.c | 2 +-
45280 kernel/posix-timers.c | 1 +
45281 kernel/time/timekeeping.c | 2 +
45282 lib/Kconfig.debug | 2 +-
45283 lib/vsprintf.c | 31 +
45284 localversion-grsec | 1 +
45285 mm/mmap.c | 13 +-
45286 mm/shmem.c | 2 +-
45287 net/core/net-procfs.c | 5 +
45288 net/ipv6/udp.c | 3 +
45289 net/netfilter/xt_gradm.c | 51 +
45290 66 files changed, 11184 insertions(+), 21 deletions(-)
45291
45292commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
45293Author: Brad Spengler <spender@grsecurity.net>
45294Date: Tue Jul 9 17:35:47 2013 -0400
45295
45296 Initial import of pax-linux-3.10-test1.patch
45297
45298 Documentation/dontdiff | 46 +-
45299 Documentation/kernel-parameters.txt | 12 +
45300 Makefile | 100 +-
45301 arch/alpha/include/asm/atomic.h | 10 +
45302 arch/alpha/include/asm/elf.h | 7 +
45303 arch/alpha/include/asm/pgalloc.h | 6 +
45304 arch/alpha/include/asm/pgtable.h | 11 +
45305 arch/alpha/kernel/module.c | 2 +-
45306 arch/alpha/kernel/osf_sys.c | 8 +-
45307 arch/alpha/mm/fault.c | 141 +-
45308 arch/arm/Kconfig | 2 +-
45309 arch/arm/include/asm/atomic.h | 444 ++-
45310 arch/arm/include/asm/cache.h | 5 +-
45311 arch/arm/include/asm/cacheflush.h | 2 +-
45312 arch/arm/include/asm/checksum.h | 14 +-
45313 arch/arm/include/asm/cmpxchg.h | 2 +
45314 arch/arm/include/asm/domain.h | 33 +-
45315 arch/arm/include/asm/elf.h | 13 +-
45316 arch/arm/include/asm/fncpy.h | 2 +
45317 arch/arm/include/asm/futex.h | 10 +
45318 arch/arm/include/asm/kmap_types.h | 2 +-
45319 arch/arm/include/asm/mach/dma.h | 2 +-
45320 arch/arm/include/asm/mach/map.h | 7 +-
45321 arch/arm/include/asm/outercache.h | 2 +-
45322 arch/arm/include/asm/page.h | 2 +-
45323 arch/arm/include/asm/pgalloc.h | 22 +-
45324 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
45325 arch/arm/include/asm/pgtable-2level.h | 1 +
45326 arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
45327 arch/arm/include/asm/pgtable-3level.h | 2 +
45328 arch/arm/include/asm/pgtable.h | 56 +-
45329 arch/arm/include/asm/proc-fns.h | 2 +-
45330 arch/arm/include/asm/processor.h | 5 +-
45331 arch/arm/include/asm/psci.h | 2 +-
45332 arch/arm/include/asm/smp.h | 2 +-
45333 arch/arm/include/asm/thread_info.h | 6 +-
45334 arch/arm/include/asm/uaccess.h | 92 +-
45335 arch/arm/include/uapi/asm/ptrace.h | 2 +-
45336 arch/arm/kernel/armksyms.c | 8 +-
45337 arch/arm/kernel/entry-armv.S | 107 +-
45338 arch/arm/kernel/entry-common.S | 41 +-
45339 arch/arm/kernel/entry-header.S | 60 +
45340 arch/arm/kernel/fiq.c | 2 +
45341 arch/arm/kernel/head.S | 6 +-
45342 arch/arm/kernel/hw_breakpoint.c | 2 +-
45343 arch/arm/kernel/module.c | 29 +-
45344 arch/arm/kernel/patch.c | 2 +
45345 arch/arm/kernel/perf_event_cpu.c | 2 +-
45346 arch/arm/kernel/process.c | 14 +-
45347 arch/arm/kernel/psci.c | 2 +-
45348 arch/arm/kernel/setup.c | 22 +-
45349 arch/arm/kernel/signal.c | 24 +-
45350 arch/arm/kernel/smp.c | 2 +-
45351 arch/arm/kernel/traps.c | 15 +-
45352 arch/arm/kernel/vmlinux.lds.S | 22 +-
45353 arch/arm/lib/clear_user.S | 6 +-
45354 arch/arm/lib/copy_from_user.S | 6 +-
45355 arch/arm/lib/copy_page.S | 1 +
45356 arch/arm/lib/copy_to_user.S | 6 +-
45357 arch/arm/lib/csumpartialcopyuser.S | 4 +-
45358 arch/arm/lib/delay.c | 2 +-
45359 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
45360 arch/arm/mach-kirkwood/common.c | 19 +-
45361 arch/arm/mach-omap2/board-n8x0.c | 2 +-
45362 arch/arm/mach-omap2/gpmc.c | 22 +-
45363 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
45364 arch/arm/mach-omap2/omap_device.c | 4 +-
45365 arch/arm/mach-omap2/omap_device.h | 4 +-
45366 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
45367 arch/arm/mach-omap2/wd_timer.c | 6 +-
45368 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
45369 arch/arm/mach-ux500/setup.h | 7 -
45370 arch/arm/mm/Kconfig | 3 +-
45371 arch/arm/mm/alignment.c | 8 +
45372 arch/arm/mm/fault.c | 91 +
45373 arch/arm/mm/fault.h | 12 +
45374 arch/arm/mm/init.c | 41 +
45375 arch/arm/mm/ioremap.c | 4 +-
45376 arch/arm/mm/mmap.c | 30 +-
45377 arch/arm/mm/mmu.c | 187 +-
45378 arch/arm/mm/proc-v7-2level.S | 3 +
45379 arch/arm/plat-omap/sram.c | 2 +
45380 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
45381 arch/arm64/kernel/debug-monitors.c | 2 +-
45382 arch/arm64/kernel/hw_breakpoint.c | 2 +-
45383 arch/avr32/include/asm/elf.h | 8 +-
45384 arch/avr32/include/asm/kmap_types.h | 4 +-
45385 arch/avr32/mm/fault.c | 27 +
45386 arch/frv/include/asm/atomic.h | 10 +
45387 arch/frv/include/asm/kmap_types.h | 2 +-
45388 arch/frv/mm/elf-fdpic.c | 3 +-
45389 arch/ia64/include/asm/atomic.h | 10 +
45390 arch/ia64/include/asm/elf.h | 7 +
45391 arch/ia64/include/asm/pgalloc.h | 12 +
45392 arch/ia64/include/asm/pgtable.h | 13 +-
45393 arch/ia64/include/asm/spinlock.h | 2 +-
45394 arch/ia64/include/asm/uaccess.h | 26 +-
45395 arch/ia64/kernel/err_inject.c | 2 +-
45396 arch/ia64/kernel/mca.c | 2 +-
45397 arch/ia64/kernel/module.c | 48 +-
45398 arch/ia64/kernel/palinfo.c | 2 +-
45399 arch/ia64/kernel/salinfo.c | 2 +-
45400 arch/ia64/kernel/sys_ia64.c | 7 +
45401 arch/ia64/kernel/topology.c | 2 +-
45402 arch/ia64/kernel/vmlinux.lds.S | 2 +-
45403 arch/ia64/mm/fault.c | 32 +-
45404 arch/ia64/mm/init.c | 13 +
45405 arch/m32r/lib/usercopy.c | 6 +
45406 arch/mips/include/asm/atomic.h | 14 +
45407 arch/mips/include/asm/elf.h | 11 +-
45408 arch/mips/include/asm/exec.h | 2 +-
45409 arch/mips/include/asm/page.h | 2 +-
45410 arch/mips/include/asm/pgalloc.h | 5 +
45411 arch/mips/kernel/binfmt_elfn32.c | 7 +
45412 arch/mips/kernel/binfmt_elfo32.c | 7 +
45413 arch/mips/kernel/process.c | 12 -
45414 arch/mips/mm/fault.c | 17 +
45415 arch/mips/mm/mmap.c | 51 +-
45416 arch/parisc/include/asm/atomic.h | 10 +
45417 arch/parisc/include/asm/elf.h | 7 +
45418 arch/parisc/include/asm/pgalloc.h | 6 +
45419 arch/parisc/include/asm/pgtable.h | 11 +
45420 arch/parisc/include/asm/uaccess.h | 4 +-
45421 arch/parisc/kernel/module.c | 50 +-
45422 arch/parisc/kernel/sys_parisc.c | 9 +-
45423 arch/parisc/kernel/traps.c | 4 +-
45424 arch/parisc/mm/fault.c | 140 +-
45425 arch/powerpc/include/asm/atomic.h | 10 +
45426 arch/powerpc/include/asm/elf.h | 19 +-
45427 arch/powerpc/include/asm/exec.h | 2 +-
45428 arch/powerpc/include/asm/kmap_types.h | 2 +-
45429 arch/powerpc/include/asm/mman.h | 2 +-
45430 arch/powerpc/include/asm/page.h | 8 +-
45431 arch/powerpc/include/asm/page_64.h | 7 +-
45432 arch/powerpc/include/asm/pgalloc-64.h | 7 +
45433 arch/powerpc/include/asm/pgtable.h | 1 +
45434 arch/powerpc/include/asm/pte-hash32.h | 1 +
45435 arch/powerpc/include/asm/reg.h | 1 +
45436 arch/powerpc/include/asm/smp.h | 2 +-
45437 arch/powerpc/include/asm/uaccess.h | 140 +-
45438 arch/powerpc/kernel/exceptions-64e.S | 4 +-
45439 arch/powerpc/kernel/exceptions-64s.S | 2 +-
45440 arch/powerpc/kernel/module_32.c | 13 +-
45441 arch/powerpc/kernel/process.c | 55 -
45442 arch/powerpc/kernel/signal_32.c | 2 +-
45443 arch/powerpc/kernel/signal_64.c | 2 +-
45444 arch/powerpc/kernel/sysfs.c | 2 +-
45445 arch/powerpc/kernel/vdso.c | 5 +-
45446 arch/powerpc/lib/usercopy_64.c | 18 -
45447 arch/powerpc/mm/fault.c | 54 +-
45448 arch/powerpc/mm/mmap_64.c | 16 +
45449 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
45450 arch/powerpc/mm/numa.c | 2 +-
45451 arch/powerpc/mm/slice.c | 13 +-
45452 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
45453 arch/powerpc/platforms/powermac/smp.c | 2 +-
45454 arch/s390/include/asm/atomic.h | 10 +
45455 arch/s390/include/asm/elf.h | 13 +-
45456 arch/s390/include/asm/exec.h | 2 +-
45457 arch/s390/include/asm/uaccess.h | 15 +-
45458 arch/s390/kernel/module.c | 22 +-
45459 arch/s390/kernel/process.c | 36 -
45460 arch/s390/mm/mmap.c | 24 +
45461 arch/score/include/asm/exec.h | 2 +-
45462 arch/score/kernel/process.c | 5 -
45463 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
45464 arch/sh/mm/mmap.c | 22 +-
45465 arch/sparc/include/asm/atomic_64.h | 106 +-
45466 arch/sparc/include/asm/cache.h | 2 +-
45467 arch/sparc/include/asm/elf_32.h | 7 +
45468 arch/sparc/include/asm/elf_64.h | 7 +
45469 arch/sparc/include/asm/pgalloc_32.h | 1 +
45470 arch/sparc/include/asm/pgalloc_64.h | 1 +
45471 arch/sparc/include/asm/pgtable_32.h | 15 +-
45472 arch/sparc/include/asm/pgtsrmmu.h | 5 +
45473 arch/sparc/include/asm/spinlock_64.h | 35 +-
45474 arch/sparc/include/asm/thread_info_32.h | 2 +
45475 arch/sparc/include/asm/thread_info_64.h | 2 +
45476 arch/sparc/include/asm/uaccess.h | 1 +
45477 arch/sparc/include/asm/uaccess_32.h | 27 +-
45478 arch/sparc/include/asm/uaccess_64.h | 19 +-
45479 arch/sparc/kernel/Makefile | 2 +-
45480 arch/sparc/kernel/prom_common.c | 2 +-
45481 arch/sparc/kernel/sys_sparc_32.c | 2 +-
45482 arch/sparc/kernel/sys_sparc_64.c | 48 +-
45483 arch/sparc/kernel/sysfs.c | 2 +-
45484 arch/sparc/kernel/traps_64.c | 13 +-
45485 arch/sparc/lib/Makefile | 2 +-
45486 arch/sparc/lib/atomic_64.S | 136 +-
45487 arch/sparc/lib/ksyms.c | 6 +
45488 arch/sparc/mm/Makefile | 2 +-
45489 arch/sparc/mm/fault_32.c | 292 +
45490 arch/sparc/mm/fault_64.c | 486 ++
45491 arch/sparc/mm/hugetlbpage.c | 21 +-
45492 arch/tile/include/asm/atomic_64.h | 10 +
45493 arch/tile/include/asm/uaccess.h | 4 +-
45494 arch/um/Makefile | 4 +
45495 arch/um/include/asm/kmap_types.h | 2 +-
45496 arch/um/include/asm/page.h | 3 +
45497 arch/um/include/asm/pgtable-3level.h | 1 +
45498 arch/um/kernel/process.c | 16 -
45499 arch/x86/Kconfig | 10 +-
45500 arch/x86/Kconfig.cpu | 6 +-
45501 arch/x86/Kconfig.debug | 4 +-
45502 arch/x86/Makefile | 10 +
45503 arch/x86/boot/Makefile | 3 +
45504 arch/x86/boot/bitops.h | 4 +-
45505 arch/x86/boot/boot.h | 4 +-
45506 arch/x86/boot/compressed/Makefile | 3 +
45507 arch/x86/boot/compressed/eboot.c | 2 -
45508 arch/x86/boot/compressed/efi_stub_32.S | 16 +-
45509 arch/x86/boot/compressed/head_32.S | 7 +-
45510 arch/x86/boot/compressed/head_64.S | 8 +-
45511 arch/x86/boot/compressed/misc.c | 4 +-
45512 arch/x86/boot/cpucheck.c | 28 +-
45513 arch/x86/boot/header.S | 6 +-
45514 arch/x86/boot/memory.c | 2 +-
45515 arch/x86/boot/video-vesa.c | 1 +
45516 arch/x86/boot/video.c | 2 +-
45517 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
45518 arch/x86/crypto/aesni-intel_asm.S | 22 +
45519 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
45520 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
45521 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
45522 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
45523 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
45524 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
45525 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
45526 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
45527 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
45528 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
45529 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
45530 arch/x86/ia32/ia32_signal.c | 14 +-
45531 arch/x86/ia32/ia32entry.S | 141 +-
45532 arch/x86/ia32/sys_ia32.c | 4 +-
45533 arch/x86/include/asm/alternative-asm.h | 39 +
45534 arch/x86/include/asm/alternative.h | 4 +-
45535 arch/x86/include/asm/apic.h | 2 +-
45536 arch/x86/include/asm/apm.h | 4 +-
45537 arch/x86/include/asm/atomic.h | 307 +-
45538 arch/x86/include/asm/atomic64_32.h | 100 +
45539 arch/x86/include/asm/atomic64_64.h | 202 +-
45540 arch/x86/include/asm/bitops.h | 4 +-
45541 arch/x86/include/asm/boot.h | 7 +-
45542 arch/x86/include/asm/cache.h | 5 +-
45543 arch/x86/include/asm/cacheflush.h | 2 +-
45544 arch/x86/include/asm/checksum_32.h | 12 +-
45545 arch/x86/include/asm/cmpxchg.h | 35 +
45546 arch/x86/include/asm/compat.h | 2 +-
45547 arch/x86/include/asm/cpufeature.h | 4 +-
45548 arch/x86/include/asm/desc.h | 67 +-
45549 arch/x86/include/asm/desc_defs.h | 6 +
45550 arch/x86/include/asm/div64.h | 2 +-
45551 arch/x86/include/asm/elf.h | 31 +-
45552 arch/x86/include/asm/emergency-restart.h | 2 +-
45553 arch/x86/include/asm/fpu-internal.h | 6 +-
45554 arch/x86/include/asm/futex.h | 16 +-
45555 arch/x86/include/asm/hw_irq.h | 4 +-
45556 arch/x86/include/asm/i8259.h | 2 +-
45557 arch/x86/include/asm/io.h | 21 +-
45558 arch/x86/include/asm/irqflags.h | 5 +
45559 arch/x86/include/asm/kprobes.h | 9 +-
45560 arch/x86/include/asm/local.h | 142 +-
45561 arch/x86/include/asm/mman.h | 15 +
45562 arch/x86/include/asm/mmu.h | 16 +-
45563 arch/x86/include/asm/mmu_context.h | 76 +-
45564 arch/x86/include/asm/module.h | 17 +-
45565 arch/x86/include/asm/nmi.h | 6 +-
45566 arch/x86/include/asm/page.h | 1 +
45567 arch/x86/include/asm/page_64.h | 4 +-
45568 arch/x86/include/asm/paravirt.h | 46 +-
45569 arch/x86/include/asm/paravirt_types.h | 17 +-
45570 arch/x86/include/asm/pgalloc.h | 23 +
45571 arch/x86/include/asm/pgtable-2level.h | 2 +
45572 arch/x86/include/asm/pgtable-3level.h | 4 +
45573 arch/x86/include/asm/pgtable.h | 122 +-
45574 arch/x86/include/asm/pgtable_32.h | 14 +-
45575 arch/x86/include/asm/pgtable_32_types.h | 15 +-
45576 arch/x86/include/asm/pgtable_64.h | 19 +-
45577 arch/x86/include/asm/pgtable_64_types.h | 5 +
45578 arch/x86/include/asm/pgtable_types.h | 36 +-
45579 arch/x86/include/asm/processor.h | 39 +-
45580 arch/x86/include/asm/ptrace.h | 26 +-
45581 arch/x86/include/asm/realmode.h | 4 +-
45582 arch/x86/include/asm/reboot.h | 10 +-
45583 arch/x86/include/asm/rwsem.h | 60 +-
45584 arch/x86/include/asm/segment.h | 24 +-
45585 arch/x86/include/asm/smp.h | 14 +-
45586 arch/x86/include/asm/spinlock.h | 36 +-
45587 arch/x86/include/asm/stackprotector.h | 4 +-
45588 arch/x86/include/asm/stacktrace.h | 32 +-
45589 arch/x86/include/asm/switch_to.h | 4 +-
45590 arch/x86/include/asm/thread_info.h | 83 +-
45591 arch/x86/include/asm/uaccess.h | 96 +-
45592 arch/x86/include/asm/uaccess_32.h | 106 +-
45593 arch/x86/include/asm/uaccess_64.h | 232 +-
45594 arch/x86/include/asm/word-at-a-time.h | 2 +-
45595 arch/x86/include/asm/x86_init.h | 10 +-
45596 arch/x86/include/asm/xsave.h | 10 +-
45597 arch/x86/include/uapi/asm/e820.h | 2 +-
45598 arch/x86/kernel/Makefile | 2 +-
45599 arch/x86/kernel/acpi/boot.c | 4 +-
45600 arch/x86/kernel/acpi/sleep.c | 4 +
45601 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
45602 arch/x86/kernel/alternative.c | 65 +-
45603 arch/x86/kernel/apic/apic.c | 4 +-
45604 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
45605 arch/x86/kernel/apic/apic_noop.c | 2 +-
45606 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
45607 arch/x86/kernel/apic/es7000_32.c | 5 +-
45608 arch/x86/kernel/apic/io_apic.c | 8 +-
45609 arch/x86/kernel/apic/numaq_32.c | 3 +-
45610 arch/x86/kernel/apic/probe_32.c | 2 +-
45611 arch/x86/kernel/apic/summit_32.c | 2 +-
45612 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
45613 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
45614 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
45615 arch/x86/kernel/apm_32.c | 19 +-
45616 arch/x86/kernel/asm-offsets.c | 20 +
45617 arch/x86/kernel/asm-offsets_64.c | 1 +
45618 arch/x86/kernel/cpu/Makefile | 4 -
45619 arch/x86/kernel/cpu/amd.c | 2 +-
45620 arch/x86/kernel/cpu/common.c | 75 +-
45621 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
45622 arch/x86/kernel/cpu/mcheck/mce.c | 33 +-
45623 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
45624 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
45625 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
45626 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
45627 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
45628 arch/x86/kernel/cpu/perf_event.c | 8 +-
45629 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
45630 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
45631 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
45632 arch/x86/kernel/cpuid.c | 2 +-
45633 arch/x86/kernel/crash.c | 4 +-
45634 arch/x86/kernel/crash_dump_64.c | 2 +-
45635 arch/x86/kernel/doublefault_32.c | 8 +-
45636 arch/x86/kernel/dumpstack.c | 28 +-
45637 arch/x86/kernel/dumpstack_32.c | 34 +-
45638 arch/x86/kernel/dumpstack_64.c | 61 +-
45639 arch/x86/kernel/e820.c | 4 +-
45640 arch/x86/kernel/early_printk.c | 1 +
45641 arch/x86/kernel/entry_32.S | 354 +-
45642 arch/x86/kernel/entry_64.S | 548 ++-
45643 arch/x86/kernel/ftrace.c | 14 +-
45644 arch/x86/kernel/head64.c | 13 +-
45645 arch/x86/kernel/head_32.S | 237 +-
45646 arch/x86/kernel/head_64.S | 143 +-
45647 arch/x86/kernel/i386_ksyms_32.c | 8 +
45648 arch/x86/kernel/i387.c | 2 +-
45649 arch/x86/kernel/i8259.c | 10 +-
45650 arch/x86/kernel/io_delay.c | 2 +-
45651 arch/x86/kernel/ioport.c | 2 +-
45652 arch/x86/kernel/irq.c | 8 +-
45653 arch/x86/kernel/irq_32.c | 69 +-
45654 arch/x86/kernel/irq_64.c | 2 +-
45655 arch/x86/kernel/kdebugfs.c | 2 +-
45656 arch/x86/kernel/kgdb.c | 25 +-
45657 arch/x86/kernel/kprobes/core.c | 30 +-
45658 arch/x86/kernel/kprobes/opt.c | 16 +-
45659 arch/x86/kernel/kvm.c | 2 +-
45660 arch/x86/kernel/ldt.c | 31 +-
45661 arch/x86/kernel/machine_kexec_32.c | 6 +-
45662 arch/x86/kernel/microcode_core.c | 2 +-
45663 arch/x86/kernel/microcode_intel.c | 4 +-
45664 arch/x86/kernel/module.c | 76 +-
45665 arch/x86/kernel/msr.c | 2 +-
45666 arch/x86/kernel/nmi.c | 19 +-
45667 arch/x86/kernel/nmi_selftest.c | 4 +-
45668 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
45669 arch/x86/kernel/paravirt.c | 43 +-
45670 arch/x86/kernel/pci-calgary_64.c | 2 +-
45671 arch/x86/kernel/pci-iommu_table.c | 2 +-
45672 arch/x86/kernel/pci-swiotlb.c | 2 +-
45673 arch/x86/kernel/process.c | 55 +-
45674 arch/x86/kernel/process_32.c | 29 +-
45675 arch/x86/kernel/process_64.c | 15 +-
45676 arch/x86/kernel/ptrace.c | 25 +-
45677 arch/x86/kernel/pvclock.c | 8 +-
45678 arch/x86/kernel/reboot.c | 44 +-
45679 arch/x86/kernel/relocate_kernel_64.S | 2 +
45680 arch/x86/kernel/setup.c | 21 +-
45681 arch/x86/kernel/setup_percpu.c | 29 +-
45682 arch/x86/kernel/signal.c | 15 +-
45683 arch/x86/kernel/smp.c | 2 +-
45684 arch/x86/kernel/smpboot.c | 15 +-
45685 arch/x86/kernel/step.c | 10 +-
45686 arch/x86/kernel/sys_i386_32.c | 184 +
45687 arch/x86/kernel/sys_x86_64.c | 22 +-
45688 arch/x86/kernel/tboot.c | 14 +-
45689 arch/x86/kernel/time.c | 10 +-
45690 arch/x86/kernel/tls.c | 7 +-
45691 arch/x86/kernel/traps.c | 64 +-
45692 arch/x86/kernel/uprobes.c | 4 +-
45693 arch/x86/kernel/vm86_32.c | 6 +-
45694 arch/x86/kernel/vmlinux.lds.S | 148 +-
45695 arch/x86/kernel/vsyscall_64.c | 12 +-
45696 arch/x86/kernel/x8664_ksyms_64.c | 2 -
45697 arch/x86/kernel/x86_init.c | 8 +-
45698 arch/x86/kernel/xsave.c | 2 +
45699 arch/x86/kvm/cpuid.c | 21 +-
45700 arch/x86/kvm/emulate.c | 4 +-
45701 arch/x86/kvm/lapic.c | 2 +-
45702 arch/x86/kvm/paging_tmpl.h | 2 +-
45703 arch/x86/kvm/svm.c | 8 +
45704 arch/x86/kvm/vmx.c | 61 +-
45705 arch/x86/kvm/x86.c | 8 +-
45706 arch/x86/lguest/boot.c | 3 +-
45707 arch/x86/lib/atomic64_386_32.S | 164 +
45708 arch/x86/lib/atomic64_cx8_32.S | 103 +-
45709 arch/x86/lib/checksum_32.S | 100 +-
45710 arch/x86/lib/clear_page_64.S | 5 +-
45711 arch/x86/lib/cmpxchg16b_emu.S | 2 +
45712 arch/x86/lib/copy_page_64.S | 24 +-
45713 arch/x86/lib/copy_user_64.S | 47 +-
45714 arch/x86/lib/copy_user_nocache_64.S | 20 +-
45715 arch/x86/lib/csum-copy_64.S | 2 +
45716 arch/x86/lib/csum-wrappers_64.c | 4 +-
45717 arch/x86/lib/getuser.S | 70 +-
45718 arch/x86/lib/insn.c | 6 +-
45719 arch/x86/lib/iomap_copy_64.S | 2 +
45720 arch/x86/lib/memcpy_64.S | 18 +-
45721 arch/x86/lib/memmove_64.S | 34 +-
45722 arch/x86/lib/memset_64.S | 7 +-
45723 arch/x86/lib/mmx_32.c | 243 +-
45724 arch/x86/lib/msr-reg.S | 18 +-
45725 arch/x86/lib/putuser.S | 90 +-
45726 arch/x86/lib/rwlock.S | 42 +
45727 arch/x86/lib/rwsem.S | 6 +-
45728 arch/x86/lib/thunk_64.S | 2 +
45729 arch/x86/lib/usercopy_32.c | 363 +-
45730 arch/x86/lib/usercopy_64.c | 13 +-
45731 arch/x86/mm/extable.c | 25 +-
45732 arch/x86/mm/fault.c | 556 ++-
45733 arch/x86/mm/gup.c | 2 +-
45734 arch/x86/mm/highmem_32.c | 4 +
45735 arch/x86/mm/hugetlbpage.c | 30 +-
45736 arch/x86/mm/init.c | 98 +-
45737 arch/x86/mm/init_32.c | 113 +-
45738 arch/x86/mm/init_64.c | 38 +-
45739 arch/x86/mm/iomap_32.c | 4 +
45740 arch/x86/mm/ioremap.c | 15 +-
45741 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
45742 arch/x86/mm/mmap.c | 41 +-
45743 arch/x86/mm/mmio-mod.c | 10 +-
45744 arch/x86/mm/numa.c | 2 +-
45745 arch/x86/mm/pageattr-test.c | 2 +-
45746 arch/x86/mm/pageattr.c | 33 +-
45747 arch/x86/mm/pat.c | 12 +-
45748 arch/x86/mm/pat_rbtree.c | 2 +-
45749 arch/x86/mm/pf_in.c | 10 +-
45750 arch/x86/mm/pgtable.c | 137 +-
45751 arch/x86/mm/pgtable_32.c | 3 +
45752 arch/x86/mm/physaddr.c | 4 +-
45753 arch/x86/mm/setup_nx.c | 7 +
45754 arch/x86/mm/tlb.c | 4 +
45755 arch/x86/net/bpf_jit.S | 14 +
45756 arch/x86/net/bpf_jit_comp.c | 37 +-
45757 arch/x86/oprofile/backtrace.c | 8 +-
45758 arch/x86/oprofile/nmi_int.c | 8 +-
45759 arch/x86/oprofile/op_model_amd.c | 8 +-
45760 arch/x86/oprofile/op_model_ppro.c | 7 +-
45761 arch/x86/oprofile/op_x86_model.h | 2 +-
45762 arch/x86/pci/amd_bus.c | 2 +-
45763 arch/x86/pci/irq.c | 8 +-
45764 arch/x86/pci/mrst.c | 4 +-
45765 arch/x86/pci/pcbios.c | 144 +-
45766 arch/x86/platform/efi/efi_32.c | 24 +
45767 arch/x86/platform/efi/efi_64.c | 10 +
45768 arch/x86/platform/efi/efi_stub_32.S | 64 +-
45769 arch/x86/platform/efi/efi_stub_64.S | 8 +
45770 arch/x86/platform/mrst/mrst.c | 6 +-
45771 arch/x86/platform/olpc/olpc_dt.c | 2 +-
45772 arch/x86/power/cpu.c | 11 +-
45773 arch/x86/realmode/init.c | 10 +-
45774 arch/x86/realmode/rm/Makefile | 3 +
45775 arch/x86/realmode/rm/header.S | 4 +-
45776 arch/x86/realmode/rm/trampoline_32.S | 12 +-
45777 arch/x86/realmode/rm/trampoline_64.S | 2 +-
45778 arch/x86/tools/Makefile | 2 +-
45779 arch/x86/tools/relocs.c | 94 +-
45780 arch/x86/um/tls_32.c | 2 +-
45781 arch/x86/vdso/Makefile | 2 +-
45782 arch/x86/vdso/vdso32-setup.c | 23 +-
45783 arch/x86/vdso/vma.c | 29 +-
45784 arch/x86/xen/enlighten.c | 47 +-
45785 arch/x86/xen/mmu.c | 9 +
45786 arch/x86/xen/smp.c | 18 +-
45787 arch/x86/xen/xen-asm_32.S | 12 +-
45788 arch/x86/xen/xen-head.S | 11 +
45789 arch/x86/xen/xen-ops.h | 2 -
45790 block/blk-iopoll.c | 4 +-
45791 block/blk-map.c | 2 +-
45792 block/blk-softirq.c | 4 +-
45793 block/bsg.c | 12 +-
45794 block/compat_ioctl.c | 2 +-
45795 block/genhd.c | 11 +-
45796 block/partitions/efi.c | 8 +-
45797 block/scsi_ioctl.c | 27 +-
45798 crypto/algapi.c | 2 +-
45799 crypto/cryptd.c | 4 +-
45800 crypto/pcrypt.c | 6 +-
45801 drivers/acpi/apei/apei-internal.h | 2 +-
45802 drivers/acpi/apei/cper.c | 8 +-
45803 drivers/acpi/bgrt.c | 6 +-
45804 drivers/acpi/blacklist.c | 4 +-
45805 drivers/acpi/ec_sys.c | 12 +-
45806 drivers/acpi/processor_idle.c | 2 +-
45807 drivers/acpi/sysfs.c | 4 +-
45808 drivers/ata/libahci.c | 2 +-
45809 drivers/ata/libata-core.c | 8 +-
45810 drivers/ata/pata_arasan_cf.c | 4 +-
45811 drivers/atm/adummy.c | 2 +-
45812 drivers/atm/ambassador.c | 8 +-
45813 drivers/atm/atmtcp.c | 14 +-
45814 drivers/atm/eni.c | 10 +-
45815 drivers/atm/firestream.c | 8 +-
45816 drivers/atm/fore200e.c | 14 +-
45817 drivers/atm/he.c | 18 +-
45818 drivers/atm/horizon.c | 4 +-
45819 drivers/atm/idt77252.c | 36 +-
45820 drivers/atm/iphase.c | 34 +-
45821 drivers/atm/lanai.c | 12 +-
45822 drivers/atm/nicstar.c | 46 +-
45823 drivers/atm/solos-pci.c | 4 +-
45824 drivers/atm/suni.c | 4 +-
45825 drivers/atm/uPD98402.c | 16 +-
45826 drivers/atm/zatm.c | 6 +-
45827 drivers/base/attribute_container.c | 2 +-
45828 drivers/base/bus.c | 4 +-
45829 drivers/base/devtmpfs.c | 8 +-
45830 drivers/base/node.c | 2 +-
45831 drivers/base/power/domain.c | 4 +-
45832 drivers/base/power/sysfs.c | 2 +-
45833 drivers/base/power/wakeup.c | 8 +-
45834 drivers/base/syscore.c | 4 +-
45835 drivers/block/cciss.c | 28 +-
45836 drivers/block/cciss.h | 2 +-
45837 drivers/block/cpqarray.c | 28 +-
45838 drivers/block/cpqarray.h | 2 +-
45839 drivers/block/drbd/drbd_int.h | 6 +-
45840 drivers/block/drbd/drbd_main.c | 8 +-
45841 drivers/block/drbd/drbd_receiver.c | 22 +-
45842 drivers/block/loop.c | 2 +-
45843 drivers/block/nbd.c | 2 +-
45844 drivers/block/pktcdvd.c | 2 +-
45845 drivers/cdrom/cdrom.c | 11 +-
45846 drivers/cdrom/gdrom.c | 1 -
45847 drivers/char/agp/compat_ioctl.c | 2 +-
45848 drivers/char/agp/frontend.c | 4 +-
45849 drivers/char/hpet.c | 2 +-
45850 drivers/char/hw_random/intel-rng.c | 2 +-
45851 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
45852 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
45853 drivers/char/mem.c | 45 +-
45854 drivers/char/nvram.c | 2 +-
45855 drivers/char/pcmcia/synclink_cs.c | 18 +-
45856 drivers/char/random.c | 10 +-
45857 drivers/char/sonypi.c | 9 +-
45858 drivers/char/tpm/tpm_acpi.c | 3 +-
45859 drivers/char/tpm/tpm_eventlog.c | 7 +-
45860 drivers/char/virtio_console.c | 4 +-
45861 drivers/clk/clk-composite.c | 2 +-
45862 drivers/clocksource/arm_arch_timer.c | 2 +-
45863 drivers/clocksource/metag_generic.c | 2 +-
45864 drivers/cpufreq/acpi-cpufreq.c | 20 +-
45865 drivers/cpufreq/cpufreq.c | 9 +-
45866 drivers/cpufreq/cpufreq_governor.c | 6 +-
45867 drivers/cpufreq/cpufreq_governor.h | 2 +-
45868 drivers/cpufreq/cpufreq_ondemand.c | 8 +-
45869 drivers/cpufreq/cpufreq_stats.c | 2 +-
45870 drivers/cpufreq/p4-clockmod.c | 12 +-
45871 drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
45872 drivers/cpufreq/speedstep-centrino.c | 7 +-
45873 drivers/cpuidle/cpuidle.c | 2 +-
45874 drivers/cpuidle/governor.c | 4 +-
45875 drivers/cpuidle/sysfs.c | 2 +-
45876 drivers/devfreq/devfreq.c | 6 +-
45877 drivers/dma/sh/shdma.c | 2 +-
45878 drivers/edac/edac_mc_sysfs.c | 12 +-
45879 drivers/edac/edac_pci_sysfs.c | 22 +-
45880 drivers/edac/mce_amd.h | 2 +-
45881 drivers/firewire/core-card.c | 2 +-
45882 drivers/firewire/core-device.c | 2 +-
45883 drivers/firewire/core-transaction.c | 1 +
45884 drivers/firewire/core.h | 1 +
45885 drivers/firmware/dmi-id.c | 2 +-
45886 drivers/firmware/dmi_scan.c | 7 +-
45887 drivers/firmware/efi/efi.c | 12 +-
45888 drivers/firmware/efi/efivars.c | 2 +-
45889 drivers/firmware/google/memconsole.c | 4 +-
45890 drivers/gpio/gpio-ich.c | 2 +-
45891 drivers/gpio/gpio-vr41xx.c | 2 +-
45892 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
45893 drivers/gpu/drm/drm_drv.c | 6 +-
45894 drivers/gpu/drm/drm_fops.c | 18 +-
45895 drivers/gpu/drm/drm_global.c | 14 +-
45896 drivers/gpu/drm/drm_info.c | 14 +-
45897 drivers/gpu/drm/drm_ioc32.c | 13 +-
45898 drivers/gpu/drm/drm_ioctl.c | 2 +-
45899 drivers/gpu/drm/drm_lock.c | 4 +-
45900 drivers/gpu/drm/drm_stub.c | 2 +-
45901 drivers/gpu/drm/drm_sysfs.c | 2 +-
45902 drivers/gpu/drm/i810/i810_dma.c | 8 +-
45903 drivers/gpu/drm/i810/i810_drv.h | 4 +-
45904 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
45905 drivers/gpu/drm/i915/i915_dma.c | 2 +-
45906 drivers/gpu/drm/i915/i915_drv.h | 4 +-
45907 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
45908 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
45909 drivers/gpu/drm/i915/i915_irq.c | 22 +-
45910 drivers/gpu/drm/i915/intel_display.c | 26 +-
45911 drivers/gpu/drm/mga/mga_drv.h | 4 +-
45912 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
45913 drivers/gpu/drm/mga/mga_irq.c | 8 +-
45914 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
45915 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
45916 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
45917 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
45918 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
45919 drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
45920 drivers/gpu/drm/r128/r128_cce.c | 2 +-
45921 drivers/gpu/drm/r128/r128_drv.h | 4 +-
45922 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
45923 drivers/gpu/drm/r128/r128_irq.c | 4 +-
45924 drivers/gpu/drm/r128/r128_state.c | 4 +-
45925 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
45926 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
45927 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
45928 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
45929 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
45930 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
45931 drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
45932 drivers/gpu/drm/radeon/rs690.c | 4 +-
45933 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
45934 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
45935 drivers/gpu/drm/udl/udl_fb.c | 1 -
45936 drivers/gpu/drm/via/via_drv.h | 4 +-
45937 drivers/gpu/drm/via/via_irq.c | 18 +-
45938 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
45939 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
45940 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
45941 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
45942 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
45943 drivers/hid/hid-core.c | 4 +-
45944 drivers/hv/channel.c | 4 +-
45945 drivers/hv/hv.c | 2 +-
45946 drivers/hv/hyperv_vmbus.h | 2 +-
45947 drivers/hv/vmbus_drv.c | 4 +-
45948 drivers/hwmon/acpi_power_meter.c | 4 +-
45949 drivers/hwmon/applesmc.c | 2 +-
45950 drivers/hwmon/asus_atk0110.c | 10 +-
45951 drivers/hwmon/coretemp.c | 2 +-
45952 drivers/hwmon/ibmaem.c | 2 +-
45953 drivers/hwmon/iio_hwmon.c | 2 +-
45954 drivers/hwmon/pmbus/pmbus_core.c | 10 +-
45955 drivers/hwmon/sht15.c | 12 +-
45956 drivers/hwmon/via-cputemp.c | 2 +-
45957 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
45958 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
45959 drivers/i2c/i2c-dev.c | 2 +-
45960 drivers/ide/ide-cd.c | 2 +-
45961 drivers/iio/industrialio-core.c | 2 +-
45962 drivers/infiniband/core/cm.c | 32 +-
45963 drivers/infiniband/core/fmr_pool.c | 20 +-
45964 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
45965 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
45966 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
45967 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
45968 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
45969 drivers/infiniband/hw/nes/nes.c | 4 +-
45970 drivers/infiniband/hw/nes/nes.h | 40 +-
45971 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
45972 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
45973 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
45974 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
45975 drivers/infiniband/hw/qib/qib.h | 1 +
45976 drivers/input/gameport/gameport.c | 4 +-
45977 drivers/input/input.c | 4 +-
45978 drivers/input/joystick/sidewinder.c | 1 +
45979 drivers/input/joystick/xpad.c | 4 +-
45980 drivers/input/mouse/psmouse.h | 2 +-
45981 drivers/input/mousedev.c | 2 +-
45982 drivers/input/serio/serio.c | 4 +-
45983 drivers/iommu/iommu.c | 2 +-
45984 drivers/iommu/irq_remapping.c | 12 +-
45985 drivers/irqchip/irq-gic.c | 4 +-
45986 drivers/isdn/capi/capi.c | 10 +-
45987 drivers/isdn/gigaset/interface.c | 8 +-
45988 drivers/isdn/hardware/avm/b1.c | 4 +-
45989 drivers/isdn/i4l/isdn_tty.c | 22 +-
45990 drivers/isdn/icn/icn.c | 2 +-
45991 drivers/leds/leds-clevo-mail.c | 2 +-
45992 drivers/leds/leds-ss4200.c | 2 +-
45993 drivers/lguest/core.c | 10 +-
45994 drivers/lguest/page_tables.c | 2 +-
45995 drivers/lguest/x86/core.c | 12 +-
45996 drivers/lguest/x86/switcher_32.S | 27 +-
45997 drivers/md/bcache/closure.h | 2 +-
45998 drivers/md/bitmap.c | 2 +-
45999 drivers/md/dm-ioctl.c | 2 +-
46000 drivers/md/dm-raid1.c | 16 +-
46001 drivers/md/dm-stripe.c | 10 +-
46002 drivers/md/dm-table.c | 2 +-
46003 drivers/md/dm-thin-metadata.c | 4 +-
46004 drivers/md/dm.c | 16 +-
46005 drivers/md/md.c | 26 +-
46006 drivers/md/md.h | 6 +-
46007 drivers/md/persistent-data/dm-space-map.h | 1 +
46008 drivers/md/raid1.c | 4 +-
46009 drivers/md/raid10.c | 16 +-
46010 drivers/md/raid5.c | 10 +-
46011 drivers/media/dvb-core/dvbdev.c | 2 +-
46012 drivers/media/dvb-frontends/dib3000.h | 2 +-
46013 drivers/media/pci/cx88/cx88-video.c | 6 +-
46014 drivers/media/platform/omap/omap_vout.c | 11 +-
46015 drivers/media/platform/s5p-tv/mixer.h | 2 +-
46016 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
46017 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
46018 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
46019 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
46020 drivers/media/radio/radio-cadet.c | 2 +
46021 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
46022 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
46023 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
46024 drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
46025 drivers/message/fusion/mptsas.c | 34 +-
46026 drivers/message/fusion/mptscsih.c | 19 +-
46027 drivers/message/i2o/i2o_proc.c | 51 +-
46028 drivers/message/i2o/iop.c | 8 +-
46029 drivers/mfd/janz-cmodio.c | 1 +
46030 drivers/mfd/twl4030-irq.c | 9 +-
46031 drivers/mfd/twl6030-irq.c | 10 +-
46032 drivers/misc/c2port/core.c | 4 +-
46033 drivers/misc/kgdbts.c | 4 +-
46034 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
46035 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
46036 drivers/misc/sgi-gru/gruhandles.c | 4 +-
46037 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
46038 drivers/misc/sgi-gru/grutables.h | 154 +-
46039 drivers/misc/sgi-xp/xp.h | 2 +-
46040 drivers/misc/sgi-xp/xpc.h | 3 +-
46041 drivers/misc/sgi-xp/xpc_main.c | 4 +-
46042 drivers/mmc/core/mmc_ops.c | 2 +-
46043 drivers/mmc/host/dw_mmc.h | 2 +-
46044 drivers/mmc/host/sdhci-s3c.c | 8 +-
46045 drivers/mtd/nand/denali.c | 1 +
46046 drivers/mtd/nftlmount.c | 1 +
46047 drivers/mtd/sm_ftl.c | 2 +-
46048 drivers/net/bonding/bond_main.c | 2 +-
46049 drivers/net/ethernet/8390/ax88796.c | 4 +-
46050 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
46051 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
46052 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
46053 drivers/net/ethernet/broadcom/tg3.h | 1 +
46054 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
46055 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
46056 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
46057 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
46058 drivers/net/ethernet/faraday/ftmac100.c | 2 +
46059 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
46060 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
46061 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
46062 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
46063 drivers/net/ethernet/realtek/r8169.c | 8 +-
46064 drivers/net/ethernet/sfc/ptp.c | 2 +-
46065 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
46066 drivers/net/hyperv/hyperv_net.h | 2 +-
46067 drivers/net/hyperv/rndis_filter.c | 4 +-
46068 drivers/net/ieee802154/fakehard.c | 2 +-
46069 drivers/net/macvlan.c | 18 +-
46070 drivers/net/macvtap.c | 2 +-
46071 drivers/net/ppp/ppp_generic.c | 4 +-
46072 drivers/net/slip/slhc.c | 2 +-
46073 drivers/net/team/team.c | 2 +-
46074 drivers/net/tun.c | 5 +-
46075 drivers/net/usb/hso.c | 23 +-
46076 drivers/net/vxlan.c | 2 +-
46077 drivers/net/wireless/at76c50x-usb.c | 2 +-
46078 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
46079 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
46080 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
46081 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
46082 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
46083 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
46084 drivers/net/wireless/mac80211_hwsim.c | 32 +-
46085 drivers/net/wireless/rndis_wlan.c | 2 +-
46086 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
46087 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
46088 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
46089 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
46090 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
46091 drivers/oprofile/buffer_sync.c | 8 +-
46092 drivers/oprofile/event_buffer.c | 2 +-
46093 drivers/oprofile/oprof.c | 2 +-
46094 drivers/oprofile/oprofile_files.c | 2 +-
46095 drivers/oprofile/oprofile_stats.c | 10 +-
46096 drivers/oprofile/oprofile_stats.h | 10 +-
46097 drivers/oprofile/oprofilefs.c | 2 +-
46098 drivers/oprofile/timer_int.c | 2 +-
46099 drivers/parport/procfs.c | 4 +-
46100 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
46101 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
46102 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
46103 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
46104 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
46105 drivers/pci/hotplug/pciehp_core.c | 2 +-
46106 drivers/pci/pci-sysfs.c | 6 +-
46107 drivers/pci/pci.h | 2 +-
46108 drivers/pci/pcie/aspm.c | 6 +-
46109 drivers/pci/probe.c | 2 +-
46110 drivers/platform/x86/chromeos_laptop.c | 2 +-
46111 drivers/platform/x86/msi-laptop.c | 14 +-
46112 drivers/platform/x86/sony-laptop.c | 2 +-
46113 drivers/platform/x86/thinkpad_acpi.c | 70 +-
46114 drivers/pnp/pnpbios/bioscalls.c | 14 +-
46115 drivers/pnp/resource.c | 4 +-
46116 drivers/power/pda_power.c | 7 +-
46117 drivers/power/power_supply.h | 4 +-
46118 drivers/power/power_supply_core.c | 7 +-
46119 drivers/power/power_supply_sysfs.c | 6 +-
46120 drivers/regulator/max8660.c | 6 +-
46121 drivers/regulator/max8973-regulator.c | 8 +-
46122 drivers/regulator/mc13892-regulator.c | 6 +-
46123 drivers/rtc/rtc-cmos.c | 4 +-
46124 drivers/rtc/rtc-ds1307.c | 2 +-
46125 drivers/rtc/rtc-m48t59.c | 4 +-
46126 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
46127 drivers/scsi/bfa/bfa_ioc.h | 4 +-
46128 drivers/scsi/hosts.c | 4 +-
46129 drivers/scsi/hpsa.c | 30 +-
46130 drivers/scsi/hpsa.h | 2 +-
46131 drivers/scsi/libfc/fc_exch.c | 50 +-
46132 drivers/scsi/libsas/sas_ata.c | 2 +-
46133 drivers/scsi/lpfc/lpfc.h | 8 +-
46134 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
46135 drivers/scsi/lpfc/lpfc_init.c | 6 +-
46136 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
46137 drivers/scsi/pmcraid.c | 20 +-
46138 drivers/scsi/pmcraid.h | 8 +-
46139 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
46140 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
46141 drivers/scsi/qla2xxx/qla_os.c | 6 +-
46142 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
46143 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
46144 drivers/scsi/scsi.c | 2 +-
46145 drivers/scsi/scsi_lib.c | 6 +-
46146 drivers/scsi/scsi_sysfs.c | 2 +-
46147 drivers/scsi/scsi_tgt_lib.c | 2 +-
46148 drivers/scsi/scsi_transport_fc.c | 8 +-
46149 drivers/scsi/scsi_transport_iscsi.c | 6 +-
46150 drivers/scsi/scsi_transport_srp.c | 6 +-
46151 drivers/scsi/sd.c | 2 +-
46152 drivers/scsi/sg.c | 2 +-
46153 drivers/spi/spi.c | 2 +-
46154 drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
46155 drivers/staging/octeon/ethernet-rx.c | 12 +-
46156 drivers/staging/octeon/ethernet.c | 8 +-
46157 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
46158 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
46159 drivers/staging/usbip/vhci.h | 2 +-
46160 drivers/staging/usbip/vhci_hcd.c | 6 +-
46161 drivers/staging/usbip/vhci_rx.c | 2 +-
46162 drivers/staging/vt6655/hostap.c | 7 +-
46163 drivers/staging/vt6656/hostap.c | 7 +-
46164 drivers/staging/zcache/tmem.c | 4 +-
46165 drivers/staging/zcache/tmem.h | 2 +
46166 drivers/target/target_core_device.c | 2 +-
46167 drivers/target/target_core_transport.c | 2 +-
46168 drivers/tty/cyclades.c | 6 +-
46169 drivers/tty/hvc/hvc_console.c | 14 +-
46170 drivers/tty/hvc/hvcs.c | 21 +-
46171 drivers/tty/ipwireless/tty.c | 27 +-
46172 drivers/tty/moxa.c | 2 +-
46173 drivers/tty/n_gsm.c | 4 +-
46174 drivers/tty/n_tty.c | 3 +-
46175 drivers/tty/pty.c | 4 +-
46176 drivers/tty/rocket.c | 6 +-
46177 drivers/tty/serial/kgdboc.c | 32 +-
46178 drivers/tty/serial/samsung.c | 9 +-
46179 drivers/tty/serial/serial_core.c | 8 +-
46180 drivers/tty/synclink.c | 34 +-
46181 drivers/tty/synclink_gt.c | 28 +-
46182 drivers/tty/synclinkmp.c | 34 +-
46183 drivers/tty/tty_io.c | 2 +-
46184 drivers/tty/tty_ldisc.c | 10 +-
46185 drivers/tty/tty_port.c | 22 +-
46186 drivers/uio/uio.c | 21 +-
46187 drivers/usb/atm/cxacru.c | 2 +-
46188 drivers/usb/atm/usbatm.c | 24 +-
46189 drivers/usb/core/devices.c | 6 +-
46190 drivers/usb/core/hcd.c | 4 +-
46191 drivers/usb/core/message.c | 2 +-
46192 drivers/usb/core/sysfs.c | 2 +-
46193 drivers/usb/core/usb.c | 2 +-
46194 drivers/usb/early/ehci-dbgp.c | 16 +-
46195 drivers/usb/gadget/u_serial.c | 22 +-
46196 drivers/usb/serial/console.c | 6 +-
46197 drivers/usb/storage/usb.h | 2 +-
46198 drivers/usb/wusbcore/wa-hc.h | 4 +-
46199 drivers/usb/wusbcore/wa-xfer.c | 2 +-
46200 drivers/vhost/vringh.c | 2 +-
46201 drivers/video/aty/aty128fb.c | 2 +-
46202 drivers/video/aty/atyfb_base.c | 8 +-
46203 drivers/video/aty/mach64_cursor.c | 5 +-
46204 drivers/video/backlight/kb3886_bl.c | 2 +-
46205 drivers/video/fb_defio.c | 6 +-
46206 drivers/video/fbcmap.c | 3 +-
46207 drivers/video/fbmem.c | 6 +-
46208 drivers/video/i810/i810_accel.c | 1 +
46209 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
46210 drivers/video/nvidia/nvidia.c | 27 +-
46211 drivers/video/output.c | 2 +-
46212 drivers/video/s1d13xxxfb.c | 6 +-
46213 drivers/video/smscufx.c | 4 +-
46214 drivers/video/udlfb.c | 36 +-
46215 drivers/video/uvesafb.c | 53 +-
46216 drivers/video/vesafb.c | 58 +-
46217 drivers/video/via/via_clock.h | 2 +-
46218 fs/9p/vfs_addr.c | 2 +-
46219 fs/9p/vfs_inode.c | 2 +-
46220 fs/Kconfig.binfmt | 2 +-
46221 fs/aio.c | 12 +-
46222 fs/autofs4/waitq.c | 2 +-
46223 fs/befs/endian.h | 4 +-
46224 fs/befs/linuxvfs.c | 2 +-
46225 fs/binfmt_aout.c | 23 +-
46226 fs/binfmt_elf.c | 607 ++-
46227 fs/binfmt_flat.c | 6 +
46228 fs/bio.c | 6 +-
46229 fs/block_dev.c | 2 +-
46230 fs/btrfs/ctree.c | 9 +-
46231 fs/btrfs/super.c | 2 +-
46232 fs/cachefiles/bind.c | 6 +-
46233 fs/cachefiles/daemon.c | 8 +-
46234 fs/cachefiles/internal.h | 12 +-
46235 fs/cachefiles/namei.c | 2 +-
46236 fs/cachefiles/proc.c | 12 +-
46237 fs/cachefiles/rdwr.c | 2 +-
46238 fs/ceph/dir.c | 2 +-
46239 fs/cifs/cifs_debug.c | 12 +-
46240 fs/cifs/cifsfs.c | 8 +-
46241 fs/cifs/cifsglob.h | 54 +-
46242 fs/cifs/link.c | 2 +-
46243 fs/cifs/misc.c | 4 +-
46244 fs/cifs/smb1ops.c | 80 +-
46245 fs/cifs/smb2ops.c | 84 +-
46246 fs/cifs/smb2pdu.c | 3 +-
46247 fs/coda/cache.c | 10 +-
46248 fs/compat.c | 6 +-
46249 fs/compat_binfmt_elf.c | 2 +
46250 fs/compat_ioctl.c | 12 +-
46251 fs/configfs/dir.c | 10 +-
46252 fs/coredump.c | 24 +-
46253 fs/dcache.c | 2 +-
46254 fs/ecryptfs/inode.c | 4 +-
46255 fs/ecryptfs/miscdev.c | 2 +-
46256 fs/exec.c | 362 ++-
46257 fs/ext4/ext4.h | 20 +-
46258 fs/ext4/mballoc.c | 44 +-
46259 fs/ext4/mmp.c | 2 +-
46260 fs/ext4/super.c | 4 +-
46261 fs/fhandle.c | 3 +-
46262 fs/fs_struct.c | 8 +-
46263 fs/fscache/cookie.c | 36 +-
46264 fs/fscache/internal.h | 196 +-
46265 fs/fscache/object.c | 28 +-
46266 fs/fscache/operation.c | 30 +-
46267 fs/fscache/page.c | 110 +-
46268 fs/fscache/stats.c | 344 +-
46269 fs/fuse/cuse.c | 10 +-
46270 fs/fuse/dev.c | 4 +-
46271 fs/fuse/dir.c | 2 +-
46272 fs/gfs2/inode.c | 2 +-
46273 fs/hugetlbfs/inode.c | 13 +-
46274 fs/inode.c | 4 +-
46275 fs/jffs2/erase.c | 3 +-
46276 fs/jffs2/wbuf.c | 3 +-
46277 fs/jfs/super.c | 2 +-
46278 fs/libfs.c | 10 +-
46279 fs/lockd/clntproc.c | 4 +-
46280 fs/lockd/svc.c | 2 +-
46281 fs/locks.c | 8 +-
46282 fs/namei.c | 15 +-
46283 fs/namespace.c | 10 +-
46284 fs/nfs/callback.c | 4 +-
46285 fs/nfs/callback_xdr.c | 2 +-
46286 fs/nfs/inode.c | 6 +-
46287 fs/nfs/nfs4state.c | 2 +-
46288 fs/nfsd/nfs4proc.c | 2 +-
46289 fs/nfsd/nfs4xdr.c | 6 +-
46290 fs/nfsd/nfscache.c | 9 +-
46291 fs/nfsd/vfs.c | 6 +-
46292 fs/nls/nls_base.c | 18 +-
46293 fs/nls/nls_euc-jp.c | 6 +-
46294 fs/nls/nls_koi8-ru.c | 6 +-
46295 fs/notify/fanotify/fanotify_user.c | 4 +-
46296 fs/notify/notification.c | 4 +-
46297 fs/ntfs/dir.c | 2 +-
46298 fs/ntfs/file.c | 4 +-
46299 fs/ocfs2/localalloc.c | 2 +-
46300 fs/ocfs2/ocfs2.h | 10 +-
46301 fs/ocfs2/suballoc.c | 12 +-
46302 fs/ocfs2/super.c | 20 +-
46303 fs/pipe.c | 61 +-
46304 fs/proc/array.c | 20 +
46305 fs/proc/base.c | 4 +-
46306 fs/proc/kcore.c | 32 +-
46307 fs/proc/meminfo.c | 2 +-
46308 fs/proc/nommu.c | 2 +-
46309 fs/proc/proc_sysctl.c | 18 +-
46310 fs/proc/self.c | 2 +-
46311 fs/proc/task_mmu.c | 39 +-
46312 fs/proc/task_nommu.c | 4 +-
46313 fs/proc/vmcore.c | 12 +-
46314 fs/qnx6/qnx6.h | 4 +-
46315 fs/quota/netlink.c | 4 +-
46316 fs/read_write.c | 2 +-
46317 fs/readdir.c | 2 +-
46318 fs/reiserfs/do_balan.c | 2 +-
46319 fs/reiserfs/procfs.c | 2 +-
46320 fs/reiserfs/reiserfs.h | 4 +-
46321 fs/seq_file.c | 2 +-
46322 fs/splice.c | 40 +-
46323 fs/sysfs/bin.c | 6 +-
46324 fs/sysfs/dir.c | 2 +-
46325 fs/sysfs/file.c | 10 +-
46326 fs/sysfs/symlink.c | 2 +-
46327 fs/sysv/sysv.h | 2 +-
46328 fs/ubifs/io.c | 2 +-
46329 fs/udf/misc.c | 2 +-
46330 fs/ufs/swab.h | 4 +-
46331 fs/xattr.c | 21 +
46332 fs/xattr_acl.c | 4 +-
46333 fs/xfs/xfs_bmap.c | 2 +-
46334 fs/xfs/xfs_dir2_sf.c | 10 +-
46335 fs/xfs/xfs_ioctl.c | 2 +-
46336 fs/xfs/xfs_iops.c | 2 +-
46337 include/asm-generic/4level-fixup.h | 2 +
46338 include/asm-generic/atomic-long.h | 210 +
46339 include/asm-generic/atomic.h | 2 +-
46340 include/asm-generic/atomic64.h | 12 +
46341 include/asm-generic/cache.h | 4 +-
46342 include/asm-generic/emergency-restart.h | 2 +-
46343 include/asm-generic/kmap_types.h | 4 +-
46344 include/asm-generic/local.h | 13 +
46345 include/asm-generic/pgtable-nopmd.h | 18 +-
46346 include/asm-generic/pgtable-nopud.h | 15 +-
46347 include/asm-generic/pgtable.h | 8 +
46348 include/asm-generic/vmlinux.lds.h | 10 +-
46349 include/crypto/algapi.h | 2 +-
46350 include/drm/drmP.h | 17 +-
46351 include/drm/drm_crtc_helper.h | 2 +-
46352 include/drm/ttm/ttm_memory.h | 2 +-
46353 include/keys/asymmetric-subtype.h | 2 +-
46354 include/linux/atmdev.h | 4 +-
46355 include/linux/binfmts.h | 3 +-
46356 include/linux/blkdev.h | 2 +-
46357 include/linux/blktrace_api.h | 2 +-
46358 include/linux/cache.h | 4 +
46359 include/linux/cdrom.h | 1 -
46360 include/linux/cleancache.h | 2 +-
46361 include/linux/clk-provider.h | 1 +
46362 include/linux/compat.h | 4 +-
46363 include/linux/compiler-gcc4.h | 20 +
46364 include/linux/compiler.h | 65 +-
46365 include/linux/completion.h | 6 +-
46366 include/linux/configfs.h | 2 +-
46367 include/linux/cpu.h | 2 +-
46368 include/linux/cpufreq.h | 3 +-
46369 include/linux/cpuidle.h | 5 +-
46370 include/linux/cpumask.h | 12 +-
46371 include/linux/crypto.h | 6 +-
46372 include/linux/ctype.h | 2 +-
46373 include/linux/decompress/mm.h | 2 +-
46374 include/linux/devfreq.h | 2 +-
46375 include/linux/device.h | 7 +-
46376 include/linux/dma-mapping.h | 2 +-
46377 include/linux/dmaengine.h | 4 +-
46378 include/linux/efi.h | 1 +
46379 include/linux/elf.h | 2 +
46380 include/linux/err.h | 4 +-
46381 include/linux/extcon.h | 2 +-
46382 include/linux/fb.h | 2 +-
46383 include/linux/filter.h | 4 +
46384 include/linux/frontswap.h | 2 +-
46385 include/linux/fs.h | 3 +-
46386 include/linux/fs_struct.h | 2 +-
46387 include/linux/fscache-cache.h | 4 +-
46388 include/linux/fscache.h | 2 +-
46389 include/linux/fsnotify.h | 2 +-
46390 include/linux/genhd.h | 2 +-
46391 include/linux/genl_magic_func.h | 2 +-
46392 include/linux/gfp.h | 12 +-
46393 include/linux/highmem.h | 12 +
46394 include/linux/hwmon-sysfs.h | 5 +-
46395 include/linux/i2c.h | 1 +
46396 include/linux/i2o.h | 2 +-
46397 include/linux/if_pppox.h | 2 +-
46398 include/linux/init.h | 33 +-
46399 include/linux/init_task.h | 7 +
46400 include/linux/interrupt.h | 8 +-
46401 include/linux/iommu.h | 2 +-
46402 include/linux/ioport.h | 2 +-
46403 include/linux/irq.h | 3 +-
46404 include/linux/irqchip/arm-gic.h | 4 +-
46405 include/linux/key-type.h | 2 +-
46406 include/linux/kgdb.h | 6 +-
46407 include/linux/kobject.h | 3 +-
46408 include/linux/kobject_ns.h | 2 +-
46409 include/linux/kref.h | 2 +-
46410 include/linux/kvm_host.h | 4 +-
46411 include/linux/libata.h | 2 +-
46412 include/linux/list.h | 15 +
46413 include/linux/math64.h | 6 +-
46414 include/linux/mm.h | 116 +-
46415 include/linux/mm_types.h | 20 +
46416 include/linux/mmiotrace.h | 4 +-
46417 include/linux/mmzone.h | 2 +-
46418 include/linux/mod_devicetable.h | 6 +-
46419 include/linux/module.h | 60 +-
46420 include/linux/moduleloader.h | 16 +
46421 include/linux/moduleparam.h | 4 +-
46422 include/linux/namei.h | 6 +-
46423 include/linux/net.h | 2 +-
46424 include/linux/netdevice.h | 3 +-
46425 include/linux/netfilter.h | 2 +-
46426 include/linux/netfilter/ipset/ip_set.h | 2 +-
46427 include/linux/netfilter/nfnetlink.h | 2 +-
46428 include/linux/nls.h | 2 +-
46429 include/linux/notifier.h | 3 +-
46430 include/linux/oprofile.h | 4 +-
46431 include/linux/pci_hotplug.h | 3 +-
46432 include/linux/perf_event.h | 12 +-
46433 include/linux/pipe_fs_i.h | 8 +-
46434 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
46435 include/linux/platform_data/usb-ohci-exynos.h | 2 +-
46436 include/linux/pm_domain.h | 2 +-
46437 include/linux/pm_runtime.h | 2 +-
46438 include/linux/pnp.h | 2 +-
46439 include/linux/poison.h | 4 +-
46440 include/linux/power/smartreflex.h | 2 +-
46441 include/linux/ppp-comp.h | 2 +-
46442 include/linux/proc_ns.h | 2 +-
46443 include/linux/random.h | 5 +
46444 include/linux/rculist.h | 16 +
46445 include/linux/reboot.h | 14 +-
46446 include/linux/regset.h | 3 +-
46447 include/linux/relay.h | 2 +-
46448 include/linux/rio.h | 2 +-
46449 include/linux/rmap.h | 4 +-
46450 include/linux/sched.h | 65 +-
46451 include/linux/sched/sysctl.h | 1 +
46452 include/linux/seq_file.h | 1 +
46453 include/linux/skbuff.h | 12 +-
46454 include/linux/slab.h | 42 +-
46455 include/linux/slab_def.h | 28 +-
46456 include/linux/slob_def.h | 4 +-
46457 include/linux/slub_def.h | 8 +-
46458 include/linux/sock_diag.h | 2 +-
46459 include/linux/sonet.h | 2 +-
46460 include/linux/sunrpc/addr.h | 8 +-
46461 include/linux/sunrpc/clnt.h | 2 +-
46462 include/linux/sunrpc/svc.h | 2 +-
46463 include/linux/sunrpc/svc_rdma.h | 18 +-
46464 include/linux/sunrpc/svcauth.h | 2 +-
46465 include/linux/swiotlb.h | 3 +-
46466 include/linux/syscalls.h | 10 +-
46467 include/linux/syscore_ops.h | 2 +-
46468 include/linux/sysctl.h | 6 +-
46469 include/linux/sysfs.h | 10 +-
46470 include/linux/sysrq.h | 3 +-
46471 include/linux/thread_info.h | 7 +
46472 include/linux/tty.h | 4 +-
46473 include/linux/tty_driver.h | 2 +-
46474 include/linux/tty_ldisc.h | 2 +-
46475 include/linux/types.h | 16 +
46476 include/linux/uaccess.h | 6 +-
46477 include/linux/unaligned/access_ok.h | 24 +-
46478 include/linux/usb.h | 4 +-
46479 include/linux/usb/renesas_usbhs.h | 2 +-
46480 include/linux/vermagic.h | 21 +-
46481 include/linux/vmalloc.h | 11 +-
46482 include/linux/vmstat.h | 20 +-
46483 include/linux/xattr.h | 5 +-
46484 include/linux/zlib.h | 3 +-
46485 include/media/v4l2-dev.h | 2 +-
46486 include/net/9p/transport.h | 2 +-
46487 include/net/bluetooth/l2cap.h | 2 +-
46488 include/net/caif/cfctrl.h | 6 +-
46489 include/net/flow.h | 2 +-
46490 include/net/genetlink.h | 2 +-
46491 include/net/gro_cells.h | 2 +-
46492 include/net/inet_connection_sock.h | 2 +-
46493 include/net/inetpeer.h | 8 +-
46494 include/net/ip.h | 2 +-
46495 include/net/ip_fib.h | 2 +-
46496 include/net/ip_vs.h | 8 +-
46497 include/net/irda/ircomm_tty.h | 1 +
46498 include/net/iucv/af_iucv.h | 2 +-
46499 include/net/llc_c_ac.h | 2 +-
46500 include/net/llc_c_ev.h | 4 +-
46501 include/net/llc_c_st.h | 2 +-
46502 include/net/llc_s_ac.h | 2 +-
46503 include/net/llc_s_st.h | 2 +-
46504 include/net/mac80211.h | 2 +-
46505 include/net/neighbour.h | 2 +-
46506 include/net/net_namespace.h | 12 +-
46507 include/net/netdma.h | 2 +-
46508 include/net/netlink.h | 2 +-
46509 include/net/netns/conntrack.h | 6 +-
46510 include/net/netns/ipv4.h | 2 +-
46511 include/net/netns/ipv6.h | 2 +-
46512 include/net/protocol.h | 4 +-
46513 include/net/rtnetlink.h | 2 +-
46514 include/net/sctp/sctp.h | 6 +-
46515 include/net/sctp/sm.h | 4 +-
46516 include/net/sctp/structs.h | 2 +-
46517 include/net/sock.h | 6 +-
46518 include/net/tcp.h | 8 +-
46519 include/net/xfrm.h | 8 +-
46520 include/rdma/iw_cm.h | 2 +-
46521 include/scsi/libfc.h | 3 +-
46522 include/scsi/scsi_device.h | 6 +-
46523 include/scsi/scsi_transport_fc.h | 3 +-
46524 include/sound/compress_driver.h | 2 +-
46525 include/sound/soc.h | 4 +-
46526 include/target/target_core_base.h | 2 +-
46527 include/trace/events/irq.h | 4 +-
46528 include/uapi/linux/a.out.h | 8 +
46529 include/uapi/linux/byteorder/little_endian.h | 28 +-
46530 include/uapi/linux/elf.h | 28 +
46531 include/uapi/linux/screen_info.h | 3 +-
46532 include/uapi/linux/swab.h | 6 +-
46533 include/uapi/linux/sysctl.h | 6 +-
46534 include/uapi/linux/xattr.h | 4 +
46535 include/video/udlfb.h | 8 +-
46536 include/video/uvesafb.h | 1 +
46537 init/Kconfig | 2 +-
46538 init/Makefile | 3 +
46539 init/do_mounts.c | 14 +-
46540 init/do_mounts.h | 8 +-
46541 init/do_mounts_initrd.c | 30 +-
46542 init/do_mounts_md.c | 6 +-
46543 init/init_task.c | 4 +
46544 init/initramfs.c | 42 +-
46545 init/main.c | 83 +-
46546 ipc/ipc_sysctl.c | 10 +-
46547 ipc/mq_sysctl.c | 2 +-
46548 ipc/msg.c | 11 +-
46549 ipc/sem.c | 11 +-
46550 ipc/shm.c | 17 +-
46551 kernel/acct.c | 2 +-
46552 kernel/audit.c | 8 +-
46553 kernel/auditfilter.c | 2 +-
46554 kernel/auditsc.c | 4 +-
46555 kernel/capability.c | 3 +
46556 kernel/compat.c | 38 +-
46557 kernel/debug/debug_core.c | 16 +-
46558 kernel/debug/kdb/kdb_main.c | 4 +-
46559 kernel/events/core.c | 30 +-
46560 kernel/events/internal.h | 10 +-
46561 kernel/exit.c | 4 +-
46562 kernel/fork.c | 167 +-
46563 kernel/futex.c | 9 +
46564 kernel/futex_compat.c | 2 +-
46565 kernel/gcov/base.c | 7 +-
46566 kernel/hrtimer.c | 4 +-
46567 kernel/irq_work.c | 7 +-
46568 kernel/jump_label.c | 5 +
46569 kernel/kallsyms.c | 39 +-
46570 kernel/kexec.c | 3 +-
46571 kernel/kmod.c | 4 +-
46572 kernel/kprobes.c | 8 +-
46573 kernel/ksysfs.c | 2 +-
46574 kernel/lockdep.c | 7 +-
46575 kernel/module.c | 337 +-
46576 kernel/mutex-debug.c | 12 +-
46577 kernel/mutex-debug.h | 4 +-
46578 kernel/mutex.c | 11 +-
46579 kernel/notifier.c | 17 +-
46580 kernel/panic.c | 3 +-
46581 kernel/pid.c | 2 +-
46582 kernel/pid_namespace.c | 2 +-
46583 kernel/posix-cpu-timers.c | 4 +-
46584 kernel/posix-timers.c | 22 +-
46585 kernel/power/process.c | 12 +-
46586 kernel/profile.c | 14 +-
46587 kernel/ptrace.c | 8 +-
46588 kernel/rcupdate.c | 4 +-
46589 kernel/rcutiny.c | 4 +-
46590 kernel/rcutiny_plugin.h | 2 +-
46591 kernel/rcutorture.c | 56 +-
46592 kernel/rcutree.c | 76 +-
46593 kernel/rcutree.h | 24 +-
46594 kernel/rcutree_plugin.h | 20 +-
46595 kernel/rcutree_trace.c | 22 +-
46596 kernel/rtmutex-tester.c | 24 +-
46597 kernel/sched/auto_group.c | 4 +-
46598 kernel/sched/core.c | 51 +-
46599 kernel/sched/fair.c | 4 +-
46600 kernel/sched/sched.h | 2 +-
46601 kernel/signal.c | 12 +-
46602 kernel/smp.c | 2 +-
46603 kernel/smpboot.c | 4 +-
46604 kernel/softirq.c | 18 +-
46605 kernel/srcu.c | 4 +-
46606 kernel/sys.c | 10 +-
46607 kernel/sysctl.c | 39 +-
46608 kernel/time.c | 2 +-
46609 kernel/time/alarmtimer.c | 2 +-
46610 kernel/time/tick-broadcast.c | 2 +-
46611 kernel/time/timer_stats.c | 10 +-
46612 kernel/timer.c | 6 +-
46613 kernel/trace/blktrace.c | 6 +-
46614 kernel/trace/ftrace.c | 18 +-
46615 kernel/trace/ring_buffer.c | 76 +-
46616 kernel/trace/trace.c | 2 +-
46617 kernel/trace/trace.h | 2 +-
46618 kernel/trace/trace_events.c | 25 +-
46619 kernel/trace/trace_mmiotrace.c | 8 +-
46620 kernel/trace/trace_output.c | 12 +-
46621 kernel/trace/trace_stack.c | 2 +-
46622 kernel/user_namespace.c | 2 +-
46623 kernel/utsname_sysctl.c | 2 +-
46624 kernel/watchdog.c | 2 +-
46625 kernel/workqueue.c | 2 +-
46626 lib/Kconfig.debug | 8 +-
46627 lib/Makefile | 2 +-
46628 lib/bitmap.c | 8 +-
46629 lib/bug.c | 2 +
46630 lib/debugobjects.c | 2 +-
46631 lib/devres.c | 4 +-
46632 lib/div64.c | 4 +-
46633 lib/dma-debug.c | 4 +-
46634 lib/inflate.c | 2 +-
46635 lib/ioremap.c | 4 +-
46636 lib/kobject.c | 6 +-
46637 lib/list_debug.c | 126 +-
46638 lib/radix-tree.c | 2 +-
46639 lib/strncpy_from_user.c | 2 +-
46640 lib/strnlen_user.c | 2 +-
46641 lib/swiotlb.c | 2 +-
46642 lib/usercopy.c | 6 +
46643 lib/vsprintf.c | 12 +-
46644 mm/Kconfig | 6 +-
46645 mm/backing-dev.c | 4 +-
46646 mm/filemap.c | 2 +-
46647 mm/fremap.c | 5 +
46648 mm/highmem.c | 7 +-
46649 mm/hugetlb.c | 70 +-
46650 mm/internal.h | 1 +
46651 mm/maccess.c | 4 +-
46652 mm/madvise.c | 41 +
46653 mm/memory-failure.c | 26 +-
46654 mm/memory.c | 424 ++-
46655 mm/mempolicy.c | 26 +
46656 mm/mlock.c | 15 +-
46657 mm/mmap.c | 606 ++-
46658 mm/mprotect.c | 139 +-
46659 mm/mremap.c | 44 +-
46660 mm/nommu.c | 21 +-
46661 mm/page-writeback.c | 4 +-
46662 mm/page_alloc.c | 41 +-
46663 mm/page_io.c | 2 +-
46664 mm/percpu.c | 2 +-
46665 mm/process_vm_access.c | 14 +-
46666 mm/rmap.c | 38 +-
46667 mm/shmem.c | 19 +-
46668 mm/slab.c | 79 +-
46669 mm/slab.h | 5 +-
46670 mm/slab_common.c | 46 +-
46671 mm/slob.c | 201 +-
46672 mm/slub.c | 79 +-
46673 mm/sparse-vmemmap.c | 4 +-
46674 mm/sparse.c | 2 +-
46675 mm/swap.c | 3 +
46676 mm/swapfile.c | 12 +-
46677 mm/util.c | 6 +
46678 mm/vmalloc.c | 77 +-
46679 mm/vmstat.c | 12 +-
46680 net/8021q/vlan.c | 5 +-
46681 net/9p/mod.c | 4 +-
46682 net/9p/trans_fd.c | 2 +-
46683 net/atm/atm_misc.c | 8 +-
46684 net/atm/lec.h | 2 +-
46685 net/atm/proc.c | 6 +-
46686 net/atm/resources.c | 4 +-
46687 net/ax25/sysctl_net_ax25.c | 2 +-
46688 net/batman-adv/bat_iv_ogm.c | 8 +-
46689 net/batman-adv/hard-interface.c | 4 +-
46690 net/batman-adv/soft-interface.c | 4 +-
46691 net/batman-adv/types.h | 6 +-
46692 net/batman-adv/unicast.c | 2 +-
46693 net/bluetooth/hci_core.c | 8 +-
46694 net/bluetooth/hci_sock.c | 2 +-
46695 net/bluetooth/l2cap_core.c | 6 +-
46696 net/bluetooth/l2cap_sock.c | 12 +-
46697 net/bluetooth/rfcomm/sock.c | 4 +-
46698 net/bluetooth/rfcomm/tty.c | 10 +-
46699 net/bridge/netfilter/ebtables.c | 6 +-
46700 net/caif/cfctrl.c | 11 +-
46701 net/can/af_can.c | 2 +-
46702 net/can/gw.c | 6 +-
46703 net/compat.c | 34 +-
46704 net/core/datagram.c | 2 +-
46705 net/core/dev.c | 16 +-
46706 net/core/flow.c | 8 +-
46707 net/core/iovec.c | 4 +-
46708 net/core/neighbour.c | 2 +-
46709 net/core/net-sysfs.c | 2 +-
46710 net/core/net_namespace.c | 8 +-
46711 net/core/rtnetlink.c | 13 +-
46712 net/core/scm.c | 8 +-
46713 net/core/sock.c | 24 +-
46714 net/core/sock_diag.c | 9 +-
46715 net/core/sysctl_net_core.c | 18 +-
46716 net/decnet/af_decnet.c | 1 +
46717 net/decnet/sysctl_net_decnet.c | 4 +-
46718 net/ipv4/af_inet.c | 8 +-
46719 net/ipv4/ah4.c | 2 +-
46720 net/ipv4/devinet.c | 18 +-
46721 net/ipv4/esp4.c | 2 +-
46722 net/ipv4/fib_frontend.c | 6 +-
46723 net/ipv4/fib_semantics.c | 2 +-
46724 net/ipv4/inet_connection_sock.c | 2 +-
46725 net/ipv4/inetpeer.c | 4 +-
46726 net/ipv4/ip_fragment.c | 15 +-
46727 net/ipv4/ip_gre.c | 6 +-
46728 net/ipv4/ip_sockglue.c | 2 +-
46729 net/ipv4/ip_vti.c | 4 +-
46730 net/ipv4/ipcomp.c | 2 +-
46731 net/ipv4/ipconfig.c | 6 +-
46732 net/ipv4/ipip.c | 4 +-
46733 net/ipv4/netfilter/arp_tables.c | 12 +-
46734 net/ipv4/netfilter/ip_tables.c | 12 +-
46735 net/ipv4/ping.c | 2 +-
46736 net/ipv4/raw.c | 14 +-
46737 net/ipv4/route.c | 18 +-
46738 net/ipv4/sysctl_net_ipv4.c | 45 +-
46739 net/ipv4/tcp_input.c | 2 +-
46740 net/ipv4/tcp_probe.c | 2 +-
46741 net/ipv4/udp.c | 10 +-
46742 net/ipv4/xfrm4_policy.c | 14 +-
46743 net/ipv6/addrconf.c | 12 +-
46744 net/ipv6/icmp.c | 2 +-
46745 net/ipv6/ip6_gre.c | 8 +-
46746 net/ipv6/ip6_tunnel.c | 4 +-
46747 net/ipv6/ipv6_sockglue.c | 2 +-
46748 net/ipv6/netfilter/ip6_tables.c | 12 +-
46749 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
46750 net/ipv6/raw.c | 19 +-
46751 net/ipv6/reassembly.c | 13 +-
46752 net/ipv6/route.c | 2 +-
46753 net/ipv6/sit.c | 4 +-
46754 net/ipv6/sysctl_net_ipv6.c | 2 +-
46755 net/ipv6/udp.c | 8 +-
46756 net/ipv6/xfrm6_policy.c | 13 +-
46757 net/irda/ircomm/ircomm_tty.c | 18 +-
46758 net/iucv/af_iucv.c | 4 +-
46759 net/iucv/iucv.c | 2 +-
46760 net/key/af_key.c | 4 +-
46761 net/mac80211/cfg.c | 8 +-
46762 net/mac80211/ieee80211_i.h | 3 +-
46763 net/mac80211/iface.c | 16 +-
46764 net/mac80211/main.c | 2 +-
46765 net/mac80211/pm.c | 6 +-
46766 net/mac80211/rate.c | 2 +-
46767 net/mac80211/rc80211_pid_debugfs.c | 2 +-
46768 net/mac80211/util.c | 4 +-
46769 net/netfilter/ipset/ip_set_core.c | 2 +-
46770 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
46771 net/netfilter/ipvs/ip_vs_core.c | 4 +-
46772 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
46773 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
46774 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
46775 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
46776 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
46777 net/netfilter/nf_conntrack_acct.c | 2 +-
46778 net/netfilter/nf_conntrack_ecache.c | 2 +-
46779 net/netfilter/nf_conntrack_helper.c | 2 +-
46780 net/netfilter/nf_conntrack_proto.c | 2 +-
46781 net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
46782 net/netfilter/nf_conntrack_standalone.c | 2 +-
46783 net/netfilter/nf_conntrack_timestamp.c | 2 +-
46784 net/netfilter/nf_log.c | 10 +-
46785 net/netfilter/nf_sockopt.c | 4 +-
46786 net/netfilter/nfnetlink_log.c | 4 +-
46787 net/netfilter/xt_statistic.c | 8 +-
46788 net/netlink/af_netlink.c | 4 +-
46789 net/netlink/genetlink.c | 16 +-
46790 net/packet/af_packet.c | 12 +-
46791 net/phonet/pep.c | 6 +-
46792 net/phonet/socket.c | 2 +-
46793 net/phonet/sysctl.c | 2 +-
46794 net/rds/cong.c | 6 +-
46795 net/rds/ib.h | 2 +-
46796 net/rds/ib_cm.c | 2 +-
46797 net/rds/ib_recv.c | 4 +-
46798 net/rds/iw.h | 2 +-
46799 net/rds/iw_cm.c | 2 +-
46800 net/rds/iw_recv.c | 4 +-
46801 net/rds/rds.h | 2 +-
46802 net/rds/tcp.c | 2 +-
46803 net/rds/tcp_send.c | 2 +-
46804 net/rxrpc/af_rxrpc.c | 2 +-
46805 net/rxrpc/ar-ack.c | 14 +-
46806 net/rxrpc/ar-call.c | 2 +-
46807 net/rxrpc/ar-connection.c | 2 +-
46808 net/rxrpc/ar-connevent.c | 2 +-
46809 net/rxrpc/ar-input.c | 4 +-
46810 net/rxrpc/ar-internal.h | 8 +-
46811 net/rxrpc/ar-local.c | 2 +-
46812 net/rxrpc/ar-output.c | 4 +-
46813 net/rxrpc/ar-peer.c | 2 +-
46814 net/rxrpc/ar-proc.c | 4 +-
46815 net/rxrpc/ar-transport.c | 2 +-
46816 net/rxrpc/rxkad.c | 4 +-
46817 net/sctp/ipv6.c | 6 +-
46818 net/sctp/protocol.c | 10 +-
46819 net/sctp/sm_sideeffect.c | 2 +-
46820 net/sctp/socket.c | 21 +-
46821 net/sctp/sysctl.c | 4 +-
46822 net/socket.c | 18 +-
46823 net/sunrpc/clnt.c | 4 +-
46824 net/sunrpc/sched.c | 4 +-
46825 net/sunrpc/svc.c | 6 +-
46826 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
46827 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
46828 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
46829 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
46830 net/tipc/link.c | 6 +-
46831 net/tipc/msg.c | 2 +-
46832 net/tipc/subscr.c | 2 +-
46833 net/unix/sysctl_net_unix.c | 2 +-
46834 net/wireless/wext-core.c | 19 +-
46835 net/xfrm/xfrm_policy.c | 27 +-
46836 net/xfrm/xfrm_state.c | 29 +-
46837 net/xfrm/xfrm_sysctl.c | 2 +-
46838 scripts/Makefile.build | 2 +-
46839 scripts/Makefile.clean | 3 +-
46840 scripts/Makefile.host | 28 +-
46841 scripts/basic/fixdep.c | 12 +-
46842 scripts/gcc-plugin.sh | 17 +
46843 scripts/headers_install.sh | 1 +
46844 scripts/link-vmlinux.sh | 2 +-
46845 scripts/mod/file2alias.c | 14 +-
46846 scripts/mod/modpost.c | 25 +-
46847 scripts/mod/modpost.h | 6 +-
46848 scripts/mod/sumversion.c | 2 +-
46849 scripts/package/builddeb | 1 +
46850 scripts/pnmtologo.c | 6 +-
46851 scripts/sortextable.h | 6 +-
46852 security/Kconfig | 676 +++-
46853 security/apparmor/lsm.c | 2 +-
46854 security/integrity/ima/ima.h | 4 +-
46855 security/integrity/ima/ima_api.c | 2 +-
46856 security/integrity/ima/ima_fs.c | 4 +-
46857 security/integrity/ima/ima_queue.c | 2 +-
46858 security/keys/compat.c | 2 +-
46859 security/keys/internal.h | 2 +-
46860 security/keys/key.c | 18 +-
46861 security/keys/keyctl.c | 8 +-
46862 security/keys/keyring.c | 6 +-
46863 security/security.c | 9 +-
46864 security/selinux/hooks.c | 2 +-
46865 security/selinux/include/xfrm.h | 2 +-
46866 security/smack/smack_lsm.c | 2 +-
46867 security/tomoyo/tomoyo.c | 2 +-
46868 security/yama/yama_lsm.c | 22 +-
46869 sound/aoa/codecs/onyx.c | 7 +-
46870 sound/aoa/codecs/onyx.h | 1 +
46871 sound/core/oss/pcm_oss.c | 18 +-
46872 sound/core/pcm_compat.c | 2 +-
46873 sound/core/pcm_native.c | 4 +-
46874 sound/core/seq/seq_device.c | 8 +-
46875 sound/core/sound.c | 2 +-
46876 sound/drivers/mts64.c | 14 +-
46877 sound/drivers/opl4/opl4_lib.c | 2 +-
46878 sound/drivers/portman2x4.c | 3 +-
46879 sound/firewire/amdtp.c | 4 +-
46880 sound/firewire/amdtp.h | 2 +-
46881 sound/firewire/isight.c | 10 +-
46882 sound/firewire/scs1x.c | 8 +-
46883 sound/oss/sb_audio.c | 2 +-
46884 sound/oss/swarm_cs4297a.c | 6 +-
46885 sound/pci/ymfpci/ymfpci.h | 2 +-
46886 sound/pci/ymfpci/ymfpci_main.c | 12 +-
46887 sound/soc/fsl/fsl_ssi.c | 2 +-
46888 sound/sound_core.c | 2 +-
46889 tools/gcc/.gitignore | 1 +
46890 tools/gcc/Makefile | 45 +
46891 tools/gcc/checker_plugin.c | 172 +
46892 tools/gcc/colorize_plugin.c | 151 +
46893 tools/gcc/constify_plugin.c | 560 ++
46894 tools/gcc/generate_size_overflow_hash.sh | 94 +
46895 tools/gcc/kallocstat_plugin.c | 170 +
46896 tools/gcc/kernexec_plugin.c | 465 ++
46897 tools/gcc/latent_entropy_plugin.c | 327 ++
46898 tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++
46899 tools/gcc/size_overflow_plugin.c | 2114 +++++++
46900 tools/gcc/stackleak_plugin.c | 327 ++
46901 tools/gcc/structleak_plugin.c | 277 +
46902 tools/perf/util/include/asm/alternative-asm.h | 3 +
46903 tools/perf/util/include/linux/compiler.h | 8 +
46904 virt/kvm/kvm_main.c | 32 +-
46905 1607 files changed, 30734 insertions(+), 7318 deletions(-)
46906commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
46907Merge: 0949bd4 fc53d63
46908Author: Brad Spengler <spender@grsecurity.net>
46909Date: Thu Mar 22 19:03:44 2012 -0400
46910
46911 Merge branch 'pax-test' into grsec-test
46912
46913commit fc53d6338964741b368070ec5c935bc579b8c2a6
46914Author: Brad Spengler <spender@grsecurity.net>
46915Date: Thu Mar 22 19:02:45 2012 -0400
46916
46917 Update to pax-linux-3.2.12-test33.patch
46918
46919commit 0949bd46a6455b308f66ad7c993bfee62412db35
46920Author: Brad Spengler <spender@grsecurity.net>
46921Date: Thu Mar 22 16:56:09 2012 -0400
46922
46923 Use current_umask() instead of current->fs->umask
46924
46925commit 22f6432d0fe733619cfcb523782ed7d80c46d645
46926Author: Brad Spengler <spender@grsecurity.net>
46927Date: Wed Mar 21 19:42:42 2012 -0400
46928
46929 compile fix
46930
46931commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
46932Author: Brad Spengler <spender@grsecurity.net>
46933Date: Wed Mar 21 19:34:56 2012 -0400
46934
46935 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
46936 uses of domains with particular hash collisions
46937
46938commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
46939Author: Brad Spengler <spender@grsecurity.net>
46940Date: Tue Mar 20 20:25:49 2012 -0400
46941
46942 zero kernel_role
46943
46944commit b00953b43c69238d181d21121ef1577c988d5f6b
46945Author: Brad Spengler <spender@grsecurity.net>
46946Date: Tue Mar 20 19:29:34 2012 -0400
46947
46948 zero real_root after releasing it
46949
46950commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
46951Merge: b724f59 273f98e
46952Author: Brad Spengler <spender@grsecurity.net>
46953Date: Tue Mar 20 19:11:26 2012 -0400
46954
46955 Merge branch 'pax-test' into grsec-test
46956
46957commit 273f98e58cdac555d3b5dce5c1ca168349f95878
46958Author: Brad Spengler <spender@grsecurity.net>
46959Date: Tue Mar 20 19:10:52 2012 -0400
46960
46961 Temporary workaround for (most) size_overflow plugin false-positives
46962 Increase randomization for brk-managed heap to 21 bits
46963 Update to pax-linux-3.2.12-test32.patch
46964
46965commit b724f59125304460c2af8bd4b02921993afbb5d3
46966Author: Brad Spengler <spender@grsecurity.net>
46967Date: Tue Mar 20 18:58:53 2012 -0400
46968
46969 compile fix
46970
46971commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
46972Author: Brad Spengler <spender@grsecurity.net>
46973Date: Tue Mar 20 18:52:23 2012 -0400
46974
46975 Require default and kernel role
46976
46977commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
46978Author: Brad Spengler <spender@grsecurity.net>
46979Date: Tue Mar 20 18:47:28 2012 -0400
46980
46981 Allow policies without special roles
46982 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
46983
46984commit 402ec3d24d66d38403dc543c84851f5e72d39e22
46985Merge: 8e012dc f14661a
46986Author: Brad Spengler <spender@grsecurity.net>
46987Date: Mon Mar 19 18:06:59 2012 -0400
46988
46989 Merge branch 'pax-test' into grsec-test
46990
46991 Conflicts:
46992 fs/namei.c
46993
46994commit f14661aaf202155c97f66626cea0269017bb7775
46995Merge: eae671f 058b017
46996Author: Brad Spengler <spender@grsecurity.net>
46997Date: Mon Mar 19 18:05:44 2012 -0400
46998
46999 Merge branch 'linux-3.2.y' into pax-test
47000
47001commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
47002Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
47003Date: Fri Mar 16 17:08:39 2012 -0700
47004
47005 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
47006
47007 According to the report from Slicky Devil, nilfs caused kernel oops at
47008 nilfs_load_super_block function during mount after he shrank the
47009 partition without resizing the filesystem:
47010
47011 BUG: unable to handle kernel NULL pointer dereference at 00000048
47012 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
47013 *pde = 00000000
47014 Oops: 0000 [#1] PREEMPT SMP
47015 ...
47016 Call Trace:
47017 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
47018 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
47019 [<c0226636>] mount_fs+0x36/0x180
47020 [<c023d961>] vfs_kern_mount+0x51/0xa0
47021 [<c023ddae>] do_kern_mount+0x3e/0xe0
47022 [<c023f189>] do_mount+0x169/0x700
47023 [<c023fa9b>] sys_mount+0x6b/0xa0
47024 [<c04abd1f>] sysenter_do_call+0x12/0x28
47025 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
47026 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
47027 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
47028 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
47029 CR2: 0000000000000048
47030
47031 This turned out due to a defect in an error path which runs if the
47032 calculated location of the secondary super block was invalid.
47033
47034 This patch fixes it and eliminates the reported oops.
47035
47036 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
47037 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
47038 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
47039 Cc: <stable@vger.kernel.org> [2.6.30+]
47040 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
47041 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47042
47043commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
47044Author: Haogang Chen <haogangchen@gmail.com>
47045Date: Fri Mar 16 17:08:38 2012 -0700
47046
47047 nilfs2: clamp ns_r_segments_percentage to [1, 99]
47048
47049 ns_r_segments_percentage is read from the disk. Bogus or malicious
47050 value could cause integer overflow and malfunction due to meaningless
47051 disk usage calculation. This patch reports error when mounting such
47052 bogus volumes.
47053
47054 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
47055 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
47056 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
47057 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47058
47059commit e1a90645643f9b0194a5984ec8febd06360d5c8b
47060Author: Eric Dumazet <eric.dumazet@gmail.com>
47061Date: Sat Mar 10 09:20:21 2012 +0000
47062
47063 tcp: fix syncookie regression
47064
47065 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
47066 added a serious regression on synflood handling.
47067
47068 Simon Kirby discovered a successful connection was delayed by 20 seconds
47069 before being responsive.
47070
47071 In my tests, I discovered that xmit frames were lost, and needed ~4
47072 retransmits and a socket dst rebuild before being really sent.
47073
47074 In case of syncookie initiated connection, we use a different path to
47075 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
47076
47077 As ip_queue_xmit() now depends on inet flow being setup, fix this by
47078 copying the temp flowi4 we use in cookie_v4_check().
47079
47080 Reported-by: Simon Kirby <sim@netnation.com>
47081 Bisected-by: Simon Kirby <sim@netnation.com>
47082 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
47083 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
47084 Signed-off-by: David S. Miller <davem@davemloft.net>
47085
47086commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
47087Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
47088Date: Mon Mar 12 02:59:41 2012 +0000
47089
47090 tun: don't hold network namespace by tun sockets
47091
47092 v3: added previously removed sock_put() to the tun_release() callback, because
47093 sk_release_kernel() doesn't drop the socket reference.
47094
47095 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
47096 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
47097 call.
47098
47099 TUN was designed to destroy it's socket on network namesapce shutdown. But this
47100 will never happen for persistent device, because it's socket holds network
47101 namespace.
47102 This patch removes of holding network namespace by TUN socket and replaces it
47103 by creating socket in init_net and then changing it's net it to desired one. On
47104 shutdown socket is moved back to init_net prior to final put.
47105
47106 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
47107 Signed-off-by: David S. Miller <davem@davemloft.net>
47108
47109commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
47110Author: Tyler Hicks <tyhicks@canonical.com>
47111Date: Mon Dec 12 10:02:30 2011 -0600
47112
47113 vfs: Correctly set the dir i_mutex lockdep class
47114
47115 9a7aa12f3911853a introduced additional logic around setting the i_mutex
47116 lockdep class for directory inodes. The idea was that some filesystems
47117 may want their own special lockdep class for different directory
47118 inodes and calling unlock_new_inode() should not clobber one of
47119 those special classes.
47120
47121 I believe that the added conditional, around the *negated* return value
47122 of lockdep_match_class(), caused directory inodes to be placed in the
47123 wrong lockdep class.
47124
47125 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
47126 all inodes. If the filesystem did not change the class during inode
47127 initialization, then the conditional mentioned above was false and the
47128 directory inode was incorrectly left in the non-directory lockdep class.
47129 If the filesystem did set a special lockdep class, then the conditional
47130 mentioned above was true and that class was clobbered with
47131 i_mutex_dir_key.
47132
47133 This patch removes the negation from the conditional so that the i_mutex
47134 lockdep class is properly set for directory inodes. Special classes are
47135 preserved and directory inodes with unmodified classes are set with
47136 i_mutex_dir_key.
47137
47138 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
47139 Reviewed-by: Jan Kara <jack@suse.cz>
47140 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47141
47142commit 603590b0d2eca61ce26499eac9c563bc567a18c9
47143Author: Jan Kara <jack@suse.cz>
47144Date: Mon Feb 20 17:54:00 2012 +0100
47145
47146 udf: Fix deadlock in udf_release_file()
47147
47148 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
47149 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
47150 i_mutex is not needed in udf_release_file() anymore since protection by
47151 i_data_sem is enough to protect from races with write and truncate.
47152
47153 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
47154 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
47155 Signed-off-by: Jan Kara <jack@suse.cz>
47156 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47157
47158commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
47159Author: Miklos Szeredi <mszeredi@suse.cz>
47160Date: Tue Mar 6 13:56:33 2012 +0100
47161
47162 vfs: fix double put after complete_walk()
47163
47164 complete_walk() already puts nd->path, no need to do it again at cleanup time.
47165
47166 This would result in Oopses if triggered, apparently the codepath is not too
47167 well exercised.
47168
47169 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
47170 CC: stable@vger.kernel.org
47171 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47172
47173commit 13885ba2b18400f3ef6540497d30f1af896605e5
47174Author: Miklos Szeredi <mszeredi@suse.cz>
47175Date: Tue Mar 6 13:56:34 2012 +0100
47176
47177 vfs: fix return value from do_last()
47178
47179 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
47180 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
47181 which is complete nonsense.
47182
47183 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
47184 CC: stable@vger.kernel.org
47185 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47186
47187 Conflicts:
47188
47189 fs/namei.c
47190
47191commit f5ab7572c99ffb58953eb1070622307e904c3b7f
47192Author: Al Viro <viro@zeniv.linux.org.uk>
47193Date: Sat Mar 10 17:07:28 2012 -0500
47194
47195 restore smp_mb() in unlock_new_inode()
47196
47197 wait_on_inode() doesn't have ->i_lock
47198
47199 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47200
47201commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
47202Author: David S. Miller <davem@davemloft.net>
47203Date: Tue Mar 13 18:19:51 2012 -0700
47204
47205 sparc32: Add -Av8 to assembler command line.
47206
47207 Newer version of binutils are more strict about specifying the
47208 correct options to enable certain classes of instructions.
47209
47210 The sparc32 build is done for v7 in order to support sun4c systems
47211 which lack hardware integer multiply and divide instructions.
47212
47213 So we have to pass -Av8 when building the assembler routines that
47214 use these instructions and get patched into the kernel when we find
47215 out that we have a v8 capable cpu.
47216
47217 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
47218 Signed-off-by: David S. Miller <davem@davemloft.net>
47219
47220commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
47221Author: Thomas Gleixner <tglx@linutronix.de>
47222Date: Fri Mar 9 20:55:10 2012 +0100
47223
47224 x86: Derandom delay_tsc for 64 bit
47225
47226 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
47227 delay_tsc() into a random delay generator for 64 bit. The reason is
47228 that it merged the mostly identical versions of delay_32.c and
47229 delay_64.c. Though the subtle difference of the result was:
47230
47231 static void delay_tsc(unsigned long loops)
47232 {
47233 - unsigned bclock, now;
47234 + unsigned long bclock, now;
47235
47236 Now the function uses rdtscl() which returns the lower 32bit of the
47237 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
47238 bit this fails when the lower 32bit are close to wrap around when
47239 bclock is read, because the following check
47240
47241 if ((now - bclock) >= loops)
47242 break;
47243
47244 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
47245 because the unsigned long (now - bclock) of these values results in
47246 0xffffffff00000001 which is definitely larger than the loops
47247 value. That explains Tvortkos observation:
47248
47249 "Because I am seeing udelay(500) (_occasionally_) being short, and
47250 that by delaying for some duration between 0us (yep) and 491us."
47251
47252 Make those variables explicitely u32 again, so this works for both 32
47253 and 64 bit.
47254
47255 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
47256 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
47257 Cc: stable@vger.kernel.org # >= 2.6.27
47258 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47259
47260commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
47261Author: Al Viro <viro@ZenIV.linux.org.uk>
47262Date: Thu Mar 8 17:51:19 2012 +0000
47263
47264 aio: fix the "too late munmap()" race
47265
47266 Current code has put_ioctx() called asynchronously from aio_fput_routine();
47267 that's done *after* we have killed the request that used to pin ioctx,
47268 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
47269 from progressing. As the result, we can end up with async call of
47270 put_ioctx() being the last one and possibly happening during exit_mmap()
47271 or elf_core_dump(), neither of which expects stray munmap() being done
47272 to them...
47273
47274 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
47275 with that, but that's all we care about - neither io_destroy() nor
47276 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
47277 does really_put_req(), so the ioctx teardown won't be done until then
47278 and we don't care about the contents of ioctx past that point.
47279
47280 Since actual freeing of these suckers is RCU-delayed, we don't need to
47281 bump ioctx refcount when request goes into list for async removal.
47282 All we need is rcu_read_lock held just over the ->ctx_lock-protected
47283 area in aio_fput_routine().
47284
47285 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47286 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
47287 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
47288 Cc: stable@vger.kernel.org
47289 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47290
47291commit 002124c055afbf09b52226af65621999e8316448
47292Author: Al Viro <viro@ZenIV.linux.org.uk>
47293Date: Wed Mar 7 05:16:35 2012 +0000
47294
47295 aio: fix io_setup/io_destroy race
47296
47297 Have ioctx_alloc() return an extra reference, so that caller would drop it
47298 on success and not bother with re-grabbing it on failure exit. The current
47299 code is obviously broken - io_destroy() from another thread that managed
47300 to guess the address io_setup() would've returned would free ioctx right
47301 under us; gets especially interesting if aio_context_t * we pass to
47302 io_setup() points to PROT_READ mapping, so put_user() fails and we end
47303 up doing io_destroy() on kioctx another thread has just got freed...
47304
47305 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47306 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
47307 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
47308 Cc: stable@vger.kernel.org
47309 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47310
47311commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
47312Author: Dan Carpenter <dan.carpenter@oracle.com>
47313Date: Thu Mar 15 15:17:12 2012 -0700
47314
47315 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
47316
47317 strict_strtoul() writes a long but ->gamma_mode only has space to store an
47318 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
47319 well. I've changed it to use kstrtouint() instead.
47320
47321 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
47322 Acked-by: Inki Dae <inki.dae@samsung.com>
47323 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
47324 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
47325 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47326
47327commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
47328Merge: e4b05b6 eae671f
47329Author: Brad Spengler <spender@grsecurity.net>
47330Date: Fri Mar 16 21:04:27 2012 -0400
47331
47332 Merge branch 'pax-test' into grsec-test
47333
47334 Conflicts:
47335 security/Kconfig
47336
47337commit eae671fafe93f04685c04a089cc13efebc05d600
47338Author: Brad Spengler <spender@grsecurity.net>
47339Date: Fri Mar 16 20:58:01 2012 -0400
47340
47341 Update to pax-linux-3.2.11-test31.patch
47342 Introduction of the size_overflow plugin from Emese Revfy
47343 Many thanks to Emese for her hard work :)
47344
47345commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
47346Merge: e55aa68 258c015
47347Author: Brad Spengler <spender@grsecurity.net>
47348Date: Thu Mar 15 20:59:19 2012 -0400
47349
47350 Merge branch 'pax-test' into grsec-test
47351
47352commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
47353Author: Brad Spengler <spender@grsecurity.net>
47354Date: Thu Mar 15 20:59:05 2012 -0400
47355
47356 fix ARM compilation
47357
47358commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
47359Merge: 8f95ea9 55b7573
47360Author: Brad Spengler <spender@grsecurity.net>
47361Date: Wed Mar 14 19:33:41 2012 -0400
47362
47363 Merge branch 'pax-test' into grsec-test
47364
47365commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
47366Author: Brad Spengler <spender@grsecurity.net>
47367Date: Wed Mar 14 19:33:15 2012 -0400
47368
47369 Update to pax-linux-3.2.10-test28.patch
47370
47371commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
47372Merge: c8786a2 886ac5e
47373Author: Brad Spengler <spender@grsecurity.net>
47374Date: Tue Mar 13 17:38:13 2012 -0400
47375
47376 Merge branch 'pax-test' into grsec-test
47377
47378 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
47379
47380commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
47381Author: Brad Spengler <spender@grsecurity.net>
47382Date: Tue Mar 13 17:37:44 2012 -0400
47383
47384 Update to pax-linux-3.2.10-test26.patch
47385
47386commit c8786a2abed5e5327f68efa520c04db99bb6a63a
47387Merge: 219c982 c061fcf
47388Author: Brad Spengler <spender@grsecurity.net>
47389Date: Tue Mar 13 17:25:06 2012 -0400
47390
47391 Merge branch 'pax-test' into grsec-test
47392
47393commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
47394Merge: 89373d2 3f4b3b2
47395Author: Brad Spengler <spender@grsecurity.net>
47396Date: Tue Mar 13 17:25:02 2012 -0400
47397
47398 Merge branch 'linux-3.2.y' into pax-test
47399
47400commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
47401Merge: 54e19a3 89373d2
47402Author: Brad Spengler <spender@grsecurity.net>
47403Date: Mon Mar 12 17:23:57 2012 -0400
47404
47405 Merge branch 'pax-test' into grsec-test
47406
47407commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
47408Merge: a778588 7459f11
47409Author: Brad Spengler <spender@grsecurity.net>
47410Date: Mon Mar 12 17:23:49 2012 -0400
47411
47412 Merge branch 'linux-3.2.y' into pax-test
47413
47414commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
47415Merge: c4650f1 a778588
47416Author: Brad Spengler <spender@grsecurity.net>
47417Date: Mon Mar 12 16:51:25 2012 -0400
47418
47419 Merge branch 'pax-test' into grsec-test
47420
47421commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
47422Author: Brad Spengler <spender@grsecurity.net>
47423Date: Mon Mar 12 16:51:12 2012 -0400
47424
47425 Update to pax-linux-3.2.9-test24.patch
47426
47427commit c4650f14b13f84735fe3de06a1f3ff5776473eff
47428Merge: fb2abee 1015790
47429Author: Brad Spengler <spender@grsecurity.net>
47430Date: Sun Mar 11 21:08:28 2012 -0400
47431
47432 Merge branch 'pax-test' into grsec-test
47433
47434 Conflicts:
47435 security/Kconfig
47436
47437commit 101579028a736c224e590c7e12a7357018c424e1
47438Author: Brad Spengler <spender@grsecurity.net>
47439Date: Sun Mar 11 21:07:27 2012 -0400
47440
47441 Update to pax-linux-3.2.9-test22.patch
47442
47443commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
47444Author: Brad Spengler <spender@grsecurity.net>
47445Date: Sun Mar 11 11:02:17 2012 -0400
47446
47447 Allow 4096 CPUs
47448
47449commit 96bae28cbe6a41d48e3b56e5904814096e956000
47450Author: Brad Spengler <spender@grsecurity.net>
47451Date: Sun Mar 11 10:25:58 2012 -0400
47452
47453 Use a per-cpu 48-bit counter instead of a global atomic64
47454 Initialize each counter to have the cpu number in the lower 16 bits
47455 instead of incrementing the counter each time by 1, perform the increments
47456 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
47457 any state
47458 idea from PaX Team
47459
47460commit b975688101da6e966aebb1bc6b8c5c5983974f9c
47461Author: Brad Spengler <spender@grsecurity.net>
47462Date: Sat Mar 10 20:33:12 2012 -0500
47463
47464 Special vnsec edition! :)
47465 Further reduce argv/env allowance for suid/sgid apps to 512KB
47466 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
47467 Clear 3GB personality on suid/sgid binaries
47468 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
47469 with the main purpose of throwing off program stack -> arg/env alignment
47470 Update documentation
47471
47472commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
47473Author: Brad Spengler <spender@grsecurity.net>
47474Date: Sat Mar 10 19:54:47 2012 -0500
47475
47476 Resolve skbuff.h warnings that turn into errors during compilation in
47477 the grsecurity directory with -Werror
47478
47479commit 2023210ad43a944033fcacc660ce410888f562ee
47480Merge: ece4383 5f66adf
47481Author: Brad Spengler <spender@grsecurity.net>
47482Date: Fri Mar 9 19:48:01 2012 -0500
47483
47484 Merge branch 'pax-test' into grsec-test
47485
47486commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
47487Author: Brad Spengler <spender@grsecurity.net>
47488Date: Fri Mar 9 19:47:06 2012 -0500
47489
47490 Add colorize plugin
47491
47492commit ece4383e5e91c92d138c4df84225a70b552f4d69
47493Merge: a366d0e ab4a5a1
47494Author: Brad Spengler <spender@grsecurity.net>
47495Date: Fri Mar 9 17:56:46 2012 -0500
47496
47497 Merge branch 'pax-test' into grsec-test
47498
47499commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
47500Author: Brad Spengler <spender@grsecurity.net>
47501Date: Fri Mar 9 17:56:26 2012 -0500
47502
47503 Update to pax-linux-3.2.9-test21.patch
47504
47505commit a366d0ed963ce93fce10121c1100989d5f064e75
47506Author: Mikulas Patocka <mpatocka@redhat.com>
47507Date: Sun Mar 4 19:52:03 2012 -0500
47508
47509 mm: fix find_vma_prev
47510
47511 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
47512 management on PA-RISC.
47513
47514 After application of the patch, programs that allocate big arrays on the
47515 stack crash with segfault, for example, this will crash if compiled
47516 without optimization:
47517
47518 int main()
47519 {
47520 char array[200000];
47521 array[199999] = 0;
47522 return 0;
47523 }
47524
47525 The reason is that PA-RISC has up-growing stack and the stack is usually
47526 the last memory area. In the above example, a page fault happens above
47527 the stack.
47528
47529 Previously, if we passed too high address to find_vma_prev, it returned
47530 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
47531 change, it stores NULL in *pprev. Consequently, the stack area is not
47532 found and it is not expanded, as it used to be before the change.
47533
47534 This patch restores the old behavior and makes it return the last VMA in
47535 *pprev if the requested address is higher than address of any other VMA.
47536
47537 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
47538 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
47539 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47540
47541commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
47542Author: Hugh Dickins <hughd@google.com>
47543Date: Tue Mar 6 12:28:52 2012 -0800
47544
47545 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
47546
47547 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
47548 from shared anonymous: hoist the file case's -EINVAL up for both.
47549
47550 Signed-off-by: Hugh Dickins <hughd@google.com>
47551 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47552
47553commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
47554Author: Al Viro <viro@ZenIV.linux.org.uk>
47555Date: Mon Mar 5 06:38:42 2012 +0000
47556
47557 aout: move setup_arg_pages() prior to reading/mapping the binary
47558
47559 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47560 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47561
47562commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
47563Author: Jan Beulich <JBeulich@suse.com>
47564Date: Mon Mar 5 16:49:24 2012 +0000
47565
47566 vsprintf: make %pV handling compatible with kasprintf()
47567
47568 kasprintf() (and potentially other functions that I didn't run across so
47569 far) want to evaluate argument lists twice. Caring to do so for the
47570 primary list is obviously their job, but they can't reasonably be
47571 expected to check the format string for instances of %pV, which however
47572 need special handling too: On architectures like x86-64 (as opposed to
47573 e.g. ix86), using the same argument list twice doesn't produce the
47574 expected results, as an internally managed cursor gets updated during
47575 the first run.
47576
47577 Fix the problem by always acting on a copy of the original list when
47578 handling %pV.
47579
47580 Signed-off-by: Jan Beulich <jbeulich@suse.com>
47581 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47582
47583commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
47584Author: Al Viro <viro@ZenIV.linux.org.uk>
47585Date: Mon Mar 5 06:39:47 2012 +0000
47586
47587 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
47588
47589 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47590 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47591
47592commit a831bd53764695ea680cc1fa3c98759a610ed2ac
47593Author: Christian König <deathsimple@vodafone.de>
47594Date: Tue Feb 28 23:19:20 2012 +0100
47595
47596 drm/radeon: fix uninitialized variable
47597
47598 Without this fix the driver randomly treats
47599 textures as arrays and I'm really wondering
47600 why gcc isn't complaining about it.
47601
47602 Signed-off-by: Christian König <deathsimple@vodafone.de>
47603 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
47604 Signed-off-by: Dave Airlie <airlied@redhat.com>
47605
47606commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
47607Author: H. Peter Anvin <hpa@zytor.com>
47608Date: Fri Mar 2 10:43:48 2012 -0800
47609
47610 regset: Prevent null pointer reference on readonly regsets
47611
47612 The regset common infrastructure assumed that regsets would always
47613 have .get and .set methods, but not necessarily .active methods.
47614 Unfortunately people have since written regsets without .set methods.
47615
47616 Rather than putting in stub functions everywhere, handle regsets with
47617 null .get or .set methods explicitly.
47618
47619 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
47620 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
47621 Acked-by: Roland McGrath <roland@hack.frob.com>
47622 Cc: <stable@vger.kernel.org>
47623 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47624
47625commit 072ddd99401c79b53c6bf6bff9deb93022124c79
47626Author: Brad Spengler <spender@grsecurity.net>
47627Date: Mon Mar 5 18:12:57 2012 -0500
47628
47629 Fix compiler errors reported on forums
47630
47631commit 1606774b48af24e6f99d99c624c0e447d4b66474
47632Merge: 3127bd5 4ca2ffd
47633Author: Brad Spengler <spender@grsecurity.net>
47634Date: Mon Mar 5 17:31:35 2012 -0500
47635
47636 Merge branch 'pax-test' into grsec-test
47637
47638commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
47639Author: Brad Spengler <spender@grsecurity.net>
47640Date: Mon Mar 5 17:31:21 2012 -0500
47641
47642 Update to pax-linux-3.2.9-test20.patch
47643
47644commit 3127bd581a292966b1057c7433219dac188c3720
47645Author: Brad Spengler <spender@grsecurity.net>
47646Date: Fri Mar 2 21:30:37 2012 -0500
47647
47648 Fix memory leak on logged exec_id check failure in /proc/pid/statm
47649 Thanks to Djalal Harouni for the report
47650
47651commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
47652Merge: 0a56be8 9aa8288
47653Author: Brad Spengler <spender@grsecurity.net>
47654Date: Fri Mar 2 18:38:22 2012 -0500
47655
47656 Merge branch 'pax-test' into grsec-test
47657
47658commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
47659Author: Brad Spengler <spender@grsecurity.net>
47660Date: Fri Mar 2 18:37:43 2012 -0500
47661
47662 Update to pax-linux-3.2.9-test19.patch
47663
47664commit 0a56be884bbd7ce733cac0b879c45383494d73b0
47665Merge: 9e66745 3f5c52a
47666Author: Brad Spengler <spender@grsecurity.net>
47667Date: Thu Mar 1 20:18:01 2012 -0500
47668
47669 Merge branch 'pax-test' into grsec-test
47670
47671commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
47672Author: Brad Spengler <spender@grsecurity.net>
47673Date: Thu Mar 1 20:16:56 2012 -0500
47674
47675 Update to pax-linux-3.2.9-test18.patch
47676
47677commit ae53ec231d12719a36bf871f8c5841020ed692ee
47678Merge: b255baf 44fb317
47679Author: Brad Spengler <spender@grsecurity.net>
47680Date: Thu Mar 1 20:15:31 2012 -0500
47681
47682 Merge branch 'linux-3.2.y' into pax-test
47683
47684commit 9e667456c03eadea2f305be761abe4de9a5877a3
47685Merge: 5e4e200 b255baf
47686Author: Brad Spengler <spender@grsecurity.net>
47687Date: Mon Feb 27 20:53:59 2012 -0500
47688
47689 Merge branch 'pax-test' into grsec-test
47690
47691commit b255baf50365d39b406f43aab2c64745607baaa2
47692Merge: 340ce90 1de504e
47693Author: Brad Spengler <spender@grsecurity.net>
47694Date: Mon Feb 27 20:53:29 2012 -0500
47695
47696 Merge branch 'linux-3.2.y' into pax-test
47697 Update to pax-linux-3.2.8-test17.patch
47698
47699 Conflicts:
47700 arch/x86/include/asm/i387.h
47701 arch/x86/kernel/process_32.c
47702 arch/x86/kernel/traps.c
47703
47704commit 5e4e200ac530452884b625cb75de240e1e98c731
47705Merge: 44306d7 340ce90
47706Author: Brad Spengler <spender@grsecurity.net>
47707Date: Mon Feb 27 18:02:13 2012 -0500
47708
47709 Merge branch 'pax-test' into grsec-test
47710
47711commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
47712Author: Brad Spengler <spender@grsecurity.net>
47713Date: Mon Feb 27 18:01:48 2012 -0500
47714
47715 Update to pax-linux-3.2.7-test17.patch
47716
47717commit 44306d7b3097f77e73040dd25f4f6750751bae7a
47718Merge: 29d0b07 521c411
47719Author: Brad Spengler <spender@grsecurity.net>
47720Date: Sun Feb 26 19:04:15 2012 -0500
47721
47722 Merge branch 'pax-test' into grsec-test
47723
47724 Conflicts:
47725 Makefile
47726
47727commit 521c411bb4ca66ce01146fde8bac9dd22414076d
47728Author: Brad Spengler <spender@grsecurity.net>
47729Date: Sun Feb 26 19:03:33 2012 -0500
47730
47731 Update to pax-linux-3.2.7-test16.patch
47732
47733commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
47734Author: Brad Spengler <spender@grsecurity.net>
47735Date: Sun Feb 26 17:12:44 2012 -0500
47736
47737 fix typo
47738
47739commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
47740Merge: f45b3be caa8f83
47741Author: Brad Spengler <spender@grsecurity.net>
47742Date: Sat Feb 25 20:59:27 2012 -0500
47743
47744 Merge branch 'pax-test' into grsec-test
47745
47746commit caa8f83456c4d0b204beefffaa1d1993f2348d08
47747Author: Brad Spengler <spender@grsecurity.net>
47748Date: Sat Feb 25 20:59:12 2012 -0500
47749
47750 Update to pax-linux-3.2.7-test15.patch
47751
47752commit f45b3be34a345502a302e736af9a65742ddef7cb
47753Merge: 62f35fd 9f1309b
47754Author: Brad Spengler <spender@grsecurity.net>
47755Date: Sat Feb 25 11:40:15 2012 -0500
47756
47757 Merge branch 'pax-test' into grsec-test
47758
47759commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
47760Author: Brad Spengler <spender@grsecurity.net>
47761Date: Sat Feb 25 11:39:57 2012 -0500
47762
47763 Update to pax-linux-3.2.7-test14.patch
47764
47765commit 62f35fdbecc58f2988fe13638d907b87a15776bb
47766Author: Brad Spengler <spender@grsecurity.net>
47767Date: Sat Feb 25 09:08:55 2012 -0500
47768
47769 We could log on attempted exploits of writing /proc/self/mem, but the current
47770 log function declares the access a read, so just swap the ordering for now
47771
47772commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
47773Author: Brad Spengler <spender@grsecurity.net>
47774Date: Sat Feb 25 08:46:14 2012 -0500
47775
47776 Log /proc/pid/mem attempts
47777
47778commit 674471e581893a94d475acac3e3c4496209b3ac9
47779Author: Brad Spengler <spender@grsecurity.net>
47780Date: Sat Feb 25 08:15:00 2012 -0500
47781
47782 Make use of f_version for protecting /proc file structs (fine since we're not a directory
47783 or seq_file)
47784
47785commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
47786Author: Brad Spengler <spender@grsecurity.net>
47787Date: Fri Feb 24 20:02:19 2012 -0500
47788
47789 Fix ia64 compilation
47790
47791commit 50dfea412fd395e0183c2ade368efa525d38b267
47792Merge: 12db845 4c6f99b
47793Author: Brad Spengler <spender@grsecurity.net>
47794Date: Fri Feb 24 19:00:53 2012 -0500
47795
47796 Merge branch 'pax-test' into grsec-test
47797
47798commit 4c6f99bf338e03966356b147d0360cb3b522a44f
47799Author: Brad Spengler <spender@grsecurity.net>
47800Date: Fri Feb 24 19:00:36 2012 -0500
47801
47802 (6:57:09 PM) pipacs: but you can be proactive
47803 (Fix other-arch atomic64/REFCOUNT compilation failures)
47804
47805commit 12db8453f6bb0a756f369c9151668ba1249bc478
47806Author: Brad Spengler <spender@grsecurity.net>
47807Date: Thu Feb 23 21:10:12 2012 -0500
47808
47809 Remove unnecessary copies, as suggested by solar
47810
47811commit cc02cab84368467ea03cb35f861a8a7092d91ab4
47812Author: Brad Spengler <spender@grsecurity.net>
47813Date: Thu Feb 23 20:59:35 2012 -0500
47814
47815 Make global_exec_counter static, as suggested by solar
47816
47817commit e642091a475ebb3a30e81f85e7751233d0c2af43
47818Author: Brad Spengler <spender@grsecurity.net>
47819Date: Thu Feb 23 19:00:26 2012 -0500
47820
47821 sync with stable tree
47822
47823commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
47824Author: Brad Spengler <spender@grsecurity.net>
47825Date: Thu Feb 23 18:48:47 2012 -0500
47826
47827 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
47828 Remove handling of old kludge in chmod/fchmod
47829
47830commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
47831Author: Brad Spengler <spender@grsecurity.net>
47832Date: Thu Feb 23 18:18:49 2012 -0500
47833
47834 Apply umask checks to chmod/fchmod as well, as requested by sponsor
47835 Union the enforced umask with the existing one to produce minimal privilege
47836 Change umask type to u16
47837
47838commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
47839Author: Brad Spengler <spender@grsecurity.net>
47840Date: Wed Feb 22 18:16:11 2012 -0500
47841
47842 Add per-role umask enforcement to RBAC, requested by a sponsor
47843
47844commit ad5ac943fe58199f1cc475912a39edb157acb77b
47845Merge: dda0bb5 41722e3
47846Author: Brad Spengler <spender@grsecurity.net>
47847Date: Mon Feb 20 20:04:42 2012 -0500
47848
47849 Merge branch 'pax-test' into grsec-test
47850
47851commit 41722e342e116d95f3d3556d66c97c888d752d39
47852Author: Brad Spengler <spender@grsecurity.net>
47853Date: Mon Feb 20 20:04:00 2012 -0500
47854
47855 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
47856 KERNEXEC plugin
47857
47858commit dda0bb57137846a476a866c60db2681aaf6052c0
47859Merge: 4fd554e d70927a
47860Author: Brad Spengler <spender@grsecurity.net>
47861Date: Mon Feb 20 20:01:41 2012 -0500
47862
47863 Merge branch 'pax-test' into grsec-test
47864
47865commit d70927afec977d489a54c106a3c3ddc32e953050
47866Merge: 1daebf1 9d0231c
47867Author: Brad Spengler <spender@grsecurity.net>
47868Date: Mon Feb 20 20:01:33 2012 -0500
47869
47870 Merge branch 'linux-3.2.y' into pax-test
47871
47872commit 4fd554e3a097b22c5049fcdc423897477deff5ef
47873Author: Brad Spengler <spender@grsecurity.net>
47874Date: Mon Feb 20 09:17:57 2012 -0500
47875
47876 Fix wrong logic on capability checks for switching roles, broke policies
47877 Thanks to Richard Kojedzinszky for reporting
47878
47879commit 12f97d52ac603f24344f8d71569c412a307e9422
47880Author: Brad Spengler <spender@grsecurity.net>
47881Date: Thu Feb 16 21:20:10 2012 -0500
47882
47883 sparc64 compile fix
47884
47885commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
47886Author: Brad Spengler <spender@grsecurity.net>
47887Date: Thu Feb 16 18:38:32 2012 -0500
47888
47889 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
47890
47891commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
47892Author: Brad Spengler <spender@grsecurity.net>
47893Date: Thu Feb 16 18:18:01 2012 -0500
47894
47895 optimize the check a bit
47896
47897commit 03159050f64989be44ae03be769cbed62a7cd2e5
47898Author: Brad Spengler <spender@grsecurity.net>
47899Date: Thu Feb 16 18:00:45 2012 -0500
47900
47901 smile VUPEN :D
47902 (limit argv+env to 1MB for suid/sgid binaries)
47903
47904commit dd759d8800d225a397e4de49fe729c7d601298d2
47905Author: Brad Spengler <spender@grsecurity.net>
47906Date: Thu Feb 16 17:49:33 2012 -0500
47907
47908 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
47909
47910commit 4de635bda8ebfb85312e3bf851bdbff93de400da
47911Author: Brad Spengler <spender@grsecurity.net>
47912Date: Thu Feb 16 17:45:06 2012 -0500
47913
47914 Change the long long type for exec_id to the proper u64
47915
47916commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
47917Author: Dan Carpenter <dan.carpenter@oracle.com>
47918Date: Thu Feb 9 00:46:47 2012 +0000
47919
47920 isdn: type bug in isdn_net_header()
47921
47922 We use len to store the return value from eth_header(). eth_header()
47923 can return -ETH_HLEN (-14). We want to pass this back instead of
47924 truncating it to 65522 and returning that.
47925
47926 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
47927 Acked-by: Neil Horman <nhorman@tuxdriver.com>
47928 Signed-off-by: David S. Miller <davem@davemloft.net>
47929
47930commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
47931Author: Heiko Carstens <heiko.carstens@de.ibm.com>
47932Date: Sat Feb 4 10:47:10 2012 +0100
47933
47934 exec: fix use-after-free bug in setup_new_exec()
47935
47936 Setting the task name is done within setup_new_exec() by accessing
47937 bprm->filename. However this happens after flush_old_exec().
47938 This may result in a use after free bug, flush_old_exec() may
47939 "complete" vfork_done, which will wake up the parent which in turn
47940 may free the passed in filename.
47941 To fix this add a new tcomm field in struct linux_binprm which
47942 contains the now early generated task name until it is used.
47943
47944 Fixes this bug on s390:
47945
47946 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
47947 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
47948 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
47949 Call Trace:
47950 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
47951 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
47952 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
47953 [<0000000000282b6c>] do_execve_common+0x410/0x514
47954 [<0000000000282cb6>] do_execve+0x46/0x58
47955 [<00000000005bce58>] kernel_execve+0x28/0x70
47956 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
47957 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
47958 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
47959 Last Breaking-Event-Address:
47960 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
47961
47962 Kernel panic - not syncing: Fatal exception: panic_on_oops
47963
47964 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
47965 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
47966 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
47967
47968commit d758ee9f5230893dabb5aab737b3109684bde196
47969Author: Dan Carpenter <dan.carpenter@oracle.com>
47970Date: Fri Feb 10 09:03:58 2012 +0100
47971
47972 relay: prevent integer overflow in relay_open()
47973
47974 "subbuf_size" and "n_subbufs" come from the user and they need to be
47975 capped to prevent an integer overflow.
47976
47977 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
47978 Cc: stable@kernel.org
47979 Signed-off-by: Jens Axboe <axboe@kernel.dk>
47980
47981commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
47982Merge: b1baadf 1daebf1
47983Author: Brad Spengler <spender@grsecurity.net>
47984Date: Mon Feb 13 17:47:04 2012 -0500
47985
47986 Merge branch 'pax-test' into grsec-test
47987
47988 Conflicts:
47989 fs/proc/base.c
47990
47991commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
47992Merge: 1413df2 c2db2e2
47993Author: Brad Spengler <spender@grsecurity.net>
47994Date: Mon Feb 13 17:45:54 2012 -0500
47995
47996 Merge branch 'linux-3.2.y' into pax-test
47997
47998commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
47999Author: Brad Spengler <spender@grsecurity.net>
48000Date: Sun Feb 12 16:44:05 2012 -0500
48001
48002 add missing declaration
48003
48004commit 3981059c35e8463002517935c28f3d74b8e3703c
48005Author: Brad Spengler <spender@grsecurity.net>
48006Date: Sun Feb 12 16:36:04 2012 -0500
48007
48008 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
48009 in addition to existing checks (this handles the setresuid ruid = euid case)
48010
48011commit 0beab03263c773f463412c350ad9064b44b6ede0
48012Author: Brad Spengler <spender@grsecurity.net>
48013Date: Sun Feb 12 16:13:40 2012 -0500
48014
48015 Revert setreuid changes when RBAC is enabled, breaks freeradius
48016 I'll fix the learning issue Lavish reported a different way through
48017 gradm modifications
48018
48019 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
48020
48021commit 0c61cb1cfbbfec7d07647268c922d51434d22621
48022Author: Brad Spengler <spender@grsecurity.net>
48023Date: Sat Feb 11 14:22:46 2012 -0500
48024
48025 copy exec_id on fork
48026
48027commit 000c08e0890630086b2ed04084050ed856a7ec31
48028Author: Brad Spengler <spender@grsecurity.net>
48029Date: Fri Feb 10 20:00:36 2012 -0500
48030
48031 compile fix
48032
48033commit 54b8c8f54484e5ee18040657827158bc4b63bccc
48034Author: Brad Spengler <spender@grsecurity.net>
48035Date: Fri Feb 10 19:19:52 2012 -0500
48036
48037 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
48038 denies reading of sensitive /proc/pid entries where the file descriptor
48039 was opened in a different task than the one performing the read
48040
48041commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
48042Author: Brad Spengler <spender@grsecurity.net>
48043Date: Fri Feb 10 17:43:24 2012 -0500
48044
48045 Remove duplicate signal check
48046
48047commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
48048Merge: 4eba97e 1413df2
48049Author: Brad Spengler <spender@grsecurity.net>
48050Date: Wed Feb 8 19:24:34 2012 -0500
48051
48052 Merge branch 'pax-test' into grsec-test
48053
48054commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
48055Author: Brad Spengler <spender@grsecurity.net>
48056Date: Wed Feb 8 19:24:08 2012 -0500
48057
48058 Merge changes from pax-linux-3.2.4-test11.patch
48059
48060commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
48061Merge: 0e058dd 8dd90a2
48062Author: Brad Spengler <spender@grsecurity.net>
48063Date: Mon Feb 6 17:50:12 2012 -0500
48064
48065 Merge branch 'pax-test' into grsec-test
48066
48067commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
48068Author: Brad Spengler <spender@grsecurity.net>
48069Date: Mon Feb 6 17:49:07 2012 -0500
48070
48071 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
48072
48073commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
48074Merge: 7e4169c 6133971
48075Author: Brad Spengler <spender@grsecurity.net>
48076Date: Mon Feb 6 17:48:57 2012 -0500
48077
48078 Merge branch 'linux-3.2.y' into pax-test
48079
48080commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
48081Author: Brad Spengler <spender@grsecurity.net>
48082Date: Sun Feb 5 19:24:45 2012 -0500
48083
48084 We now allow configurations with no PaX markings, giving the system no way to override the defaults
48085
48086commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
48087Author: Brad Spengler <spender@grsecurity.net>
48088Date: Sun Feb 5 10:01:23 2012 -0500
48089
48090 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
48091
48092commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
48093Author: Brad Spengler <spender@grsecurity.net>
48094Date: Sat Feb 4 21:01:16 2012 -0500
48095
48096 Improve security of ptrace-based monitoring/sandboxing
48097 See:
48098 http://article.gmane.org/gmane.linux.kernel.lsm/15156
48099
48100commit ca4ca5a1027b41f9528794e52a53ce9c47926101
48101Author: Brad Spengler <spender@grsecurity.net>
48102Date: Fri Feb 3 20:42:55 2012 -0500
48103
48104 fix typo
48105
48106commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
48107Author: Brad Spengler <spender@grsecurity.net>
48108Date: Fri Feb 3 20:25:38 2012 -0500
48109
48110 Reported by lavish on IRC:
48111 If a suid/sgid binary did not learn any setuid/setgid call during learning,
48112 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
48113 any restrictions on uid/gid changes. uid and gid can however be changed
48114 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
48115 euid/egid.
48116
48117 My fix:
48118 POSIX doesn't specify whether unprivileged users can perform the above
48119 setresuid/setresgid as an unprivileged user, though Linux has historically
48120 permitted them. Modify this behavior when RBAC is enabled to require
48121 CAP_SETUID/CAP_SETGID for these operations.
48122
48123 Thanks to Lavish for the report!
48124
48125 Conflicts:
48126
48127 kernel/sys.c
48128
48129commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
48130Merge: ba586eb 7e4169c
48131Author: Brad Spengler <spender@grsecurity.net>
48132Date: Fri Feb 3 20:10:21 2012 -0500
48133
48134 Merge branch 'pax-test' into grsec-test
48135
48136commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
48137Author: Brad Spengler <spender@grsecurity.net>
48138Date: Fri Feb 3 20:10:05 2012 -0500
48139
48140 Merge changes from pax-linux-3.2.4-test9.patch
48141
48142commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
48143Author: Christopher Yeoh <cyeoh@au1.ibm.com>
48144Date: Thu Feb 2 11:34:09 2012 +1030
48145
48146 Fix race in process_vm_rw_core
48147
48148 This fixes the race in process_vm_core found by Oleg (see
48149
48150 http://article.gmane.org/gmane.linux.kernel/1235667/
48151
48152 for details).
48153
48154 This has been updated since I last sent it as the creation of the new
48155 mm_access() function did almost exactly the same thing as parts of the
48156 previous version of this patch did.
48157
48158 In order to use mm_access() even when /proc isn't enabled, we move it to
48159 kernel/fork.c where other related process mm access functions already
48160 are.
48161
48162 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
48163 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48164
48165 Conflicts:
48166
48167 fs/proc/base.c
48168 mm/process_vm_access.c
48169
48170commit b9194d60fb9fe579f5c34817ed822abde18939a0
48171Author: Oleg Nesterov <oleg@redhat.com>
48172Date: Tue Jan 31 17:15:11 2012 +0100
48173
48174 proc: make sure mem_open() doesn't pin the target's memory
48175
48176 Once /proc/pid/mem is opened, the memory can't be released until
48177 mem_release() even if its owner exits.
48178
48179 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
48180 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
48181 before access_remote_vm(), this verifies that this mm is still alive.
48182
48183 I am not sure what should mem_rw() return if atomic_inc_not_zero()
48184 fails. With this patch it returns zero to match the "mm == NULL" case,
48185 may be it should return -EINVAL like it did before e268337d.
48186
48187 Perhaps it makes sense to add the additional fatal_signal_pending()
48188 check into the main loop, to ensure we do not hold this memory if
48189 the target task was oom-killed.
48190
48191 Cc: stable@kernel.org
48192 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
48193 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48194
48195commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
48196Author: Oleg Nesterov <oleg@redhat.com>
48197Date: Tue Jan 31 17:14:38 2012 +0100
48198
48199 proc: mem_release() should check mm != NULL
48200
48201 mem_release() can hit mm == NULL, add the necessary check.
48202
48203 Cc: stable@kernel.org
48204 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
48205 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48206
48207commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
48208Author: Oleg Nesterov <oleg@redhat.com>
48209Date: Tue Jan 31 17:14:54 2012 +0100
48210
48211 note: redisabled mem_write
48212
48213 proc: unify mem_read() and mem_write()
48214
48215 No functional changes, cleanup and preparation.
48216
48217 mem_read() and mem_write() are very similar. Move this code into the
48218 new common helper, mem_rw(), which takes the additional "int write"
48219 argument.
48220
48221 Cc: stable@kernel.org
48222 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
48223 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48224
48225 Conflicts:
48226
48227 fs/proc/base.c
48228
48229commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
48230Merge: 3903f01 01fee18
48231Author: Brad Spengler <spender@grsecurity.net>
48232Date: Fri Feb 3 19:50:40 2012 -0500
48233
48234 Merge branch 'pax-test' into grsec-test
48235
48236commit 01fee1851aef26b898ccba5312cabf1f919b74cb
48237Author: Brad Spengler <spender@grsecurity.net>
48238Date: Fri Feb 3 19:49:46 2012 -0500
48239
48240 Merge changes from pax-linux-3.2.4-test8.patch
48241
48242commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
48243Merge: 201c0db 141936c
48244Author: Brad Spengler <spender@grsecurity.net>
48245Date: Fri Feb 3 19:49:01 2012 -0500
48246
48247 Merge branch 'linux-3.2.y' into pax-test
48248
48249commit 3903f0172ecadf7a575ba3535402a1506133640a
48250Author: Brad Spengler <spender@grsecurity.net>
48251Date: Mon Jan 30 23:26:44 2012 -0500
48252
48253 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
48254
48255 We'll whitelist required directories for compatibility instead of requiring
48256 that people disable the feature entirely if they use SELinux, fuse, etc
48257
48258 Conflicts:
48259
48260 fs/sysfs/mount.c
48261
48262commit e3618feaa7e63807f1b88c199882075b3ec9bd05
48263Author: Brad Spengler <spender@grsecurity.net>
48264Date: Sun Jan 29 01:12:19 2012 -0500
48265
48266 perform RBAC check if TPE is on but match fails, matches previous behavior
48267
48268commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
48269Author: Brad Spengler <spender@grsecurity.net>
48270Date: Sat Jan 28 13:17:06 2012 -0500
48271
48272 log more information about the reason for a TPE denial for novice users, requested by a sponsor
48273
48274commit efefd67008cbad8a8591e2484410966a300a39a5
48275Author: Brad Spengler <spender@grsecurity.net>
48276Date: Fri Jan 27 19:58:53 2012 -0500
48277
48278 merge upstream sha512 changes
48279
48280commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
48281Author: Brad Spengler <spender@grsecurity.net>
48282Date: Fri Jan 27 19:49:07 2012 -0500
48283
48284 drop lock on error in xfs_readlink
48285
48286 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
48287
48288commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
48289Author: Li Wang <liwang@nudt.edu.cn>
48290Date: Thu Jan 19 09:44:36 2012 +0800
48291
48292 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
48293
48294 ecryptfs_write() can enter an infinite loop when truncating a file to a
48295 size larger than 4G. This only happens on architectures where size_t is
48296 represented by 32 bits.
48297
48298 This was caused by a size_t overflow due to it incorrectly being used to
48299 store the result of a calculation which uses potentially large values of
48300 type loff_t.
48301
48302 [tyhicks@canonical.com: rewrite subject and commit message]
48303 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
48304 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
48305 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
48306 Cc: <stable@vger.kernel.org>
48307 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
48308
48309commit a7607747d0f74f357d78bb796d70635dd05f46e8
48310Author: Tyler Hicks <tyhicks@canonical.com>
48311Date: Thu Jan 19 20:33:44 2012 -0600
48312
48313 eCryptfs: Check inode changes in setattr
48314
48315 Most filesystems call inode_change_ok() very early in ->setattr(), but
48316 eCryptfs didn't call it at all. It allowed the lower filesystem to make
48317 the call in its ->setattr() function. Then, eCryptfs would copy the
48318 appropriate inode attributes from the lower inode to the eCryptfs inode.
48319
48320 This patch changes that and actually calls inode_change_ok() on the
48321 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
48322 would happen earlier in ecryptfs_setattr(), but there are some possible
48323 inode initialization steps that must happen first.
48324
48325 Since the call was already being made on the lower inode, the change in
48326 functionality should be minimal, except for the case of a file extending
48327 truncate call. In that case, inode_newsize_ok() was never being
48328 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
48329 maximum file size errors early on, eCryptfs would encrypt zeroed pages
48330 and write them to the lower filesystem until the lower filesystem's
48331 write path caught the error in generic_write_checks(). This patch
48332 introduces a new function, called ecryptfs_inode_newsize_ok(), which
48333 checks if the new lower file size is within the appropriate limits when
48334 the truncate operation will be growing the lower file.
48335
48336 In summary this change prevents eCryptfs truncate operations (and the
48337 resulting page encryptions), which would exceed the lower filesystem
48338 limits or FSIZE rlimits, from ever starting.
48339
48340 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
48341 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
48342 Cc: <stable@vger.kernel.org>
48343
48344commit 0d96f190a39505254ace4e9330219aaeda9b64e3
48345Author: Tyler Hicks <tyhicks@canonical.com>
48346Date: Wed Jan 18 18:30:04 2012 -0600
48347
48348 eCryptfs: Make truncate path killable
48349
48350 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
48351 page, zeroes out the appropriate portions, and then encrypts the page
48352 before writing it to the lower filesystem. It was unkillable and due to
48353 the lack of sparse file support could result in tying up a large portion
48354 of system resources, while encrypting pages of zeros, with no way for
48355 the truncate operation to be stopped from userspace.
48356
48357 This patch adds the ability for ecryptfs_write() to detect a pending
48358 fatal signal and return as gracefully as possible. The intent is to
48359 leave the lower file in a useable state, while still allowing a user to
48360 break out of the encryption loop. If a pending fatal signal is detected,
48361 the eCryptfs inode size is updated to reflect the modified inode size
48362 and then -EINTR is returned.
48363
48364 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
48365 Cc: <stable@vger.kernel.org>
48366
48367commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
48368Author: Tyler Hicks <tyhicks@canonical.com>
48369Date: Tue Jan 24 10:02:22 2012 -0600
48370
48371 eCryptfs: Fix oops when printing debug info in extent crypto functions
48372
48373 If pages passed to the eCryptfs extent-based crypto functions are not
48374 mapped and the module parameter ecryptfs_verbosity=1 was specified at
48375 loading time, a NULL pointer dereference will occur.
48376
48377 Note that this wouldn't happen on a production system, as you wouldn't
48378 pass ecryptfs_verbosity=1 on a production system. It leaks private
48379 information to the system logs and is for debugging only.
48380
48381 The debugging info printed in these messages is no longer very useful
48382 and rather than doing a kmap() in these debugging paths, it will be
48383 better to simply remove the debugging paths completely.
48384
48385 https://launchpad.net/bugs/913651
48386
48387 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
48388 Reported-by: Daniel DeFreez
48389 Cc: <stable@vger.kernel.org>
48390
48391commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
48392Author: Tyler Hicks <tyhicks@canonical.com>
48393Date: Thu Jan 12 11:30:44 2012 +0100
48394
48395 eCryptfs: Sanitize write counts of /dev/ecryptfs
48396
48397 A malicious count value specified when writing to /dev/ecryptfs may
48398 result in a a very large kernel memory allocation.
48399
48400 This patch peeks at the specified packet payload size, adds that to the
48401 size of the packet headers and compares the result with the write count
48402 value. The resulting maximum memory allocation size is approximately 532
48403 bytes.
48404
48405 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
48406 Reported-by: Sasha Levin <levinsasha928@gmail.com>
48407 Cc: <stable@vger.kernel.org>
48408
48409commit 96dcb7282d323813181a1791f51c0ab7696b675b
48410Merge: 6c09fa5 201c0db
48411Author: Brad Spengler <spender@grsecurity.net>
48412Date: Fri Jan 27 19:44:15 2012 -0500
48413
48414 Merge branch 'pax-test' into grsec-test
48415
48416commit 201c0dbf177527367676028151e36d340923f033
48417Author: Brad Spengler <spender@grsecurity.net>
48418Date: Fri Jan 27 19:43:24 2012 -0500
48419
48420 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
48421 on loading modules with empty sections
48422
48423commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
48424Author: Brad Spengler <spender@grsecurity.net>
48425Date: Fri Jan 27 19:42:13 2012 -0500
48426
48427 compile fix
48428
48429commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
48430Author: Brad Spengler <spender@grsecurity.net>
48431Date: Fri Jan 27 19:39:28 2012 -0500
48432
48433 use LSM flags instead of duplicating checks
48434
48435commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
48436Merge: 44b9f11 558718b
48437Author: Brad Spengler <spender@grsecurity.net>
48438Date: Fri Jan 27 18:56:23 2012 -0500
48439
48440 Merge branch 'pax-test' into grsec-test
48441
48442commit 558718b2217beff69edf60f34a6f9893d910e9ac
48443Author: Brad Spengler <spender@grsecurity.net>
48444Date: Fri Jan 27 18:56:04 2012 -0500
48445
48446 Merge changes from pax-linux-3.2.2-test6.patch
48447
48448commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
48449Author: Brad Spengler <spender@grsecurity.net>
48450Date: Fri Jan 27 18:53:55 2012 -0500
48451
48452 don't increase the size of task_struct when unnecessary
48453 change ptrace_readexec log message
48454
48455commit a9c9626e054adb885883aa64f85506852894dd33
48456Author: Brad Spengler <spender@grsecurity.net>
48457Date: Fri Jan 27 18:16:28 2012 -0500
48458
48459 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
48460 the protection applies to all unreadable binaries.
48461
48462commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
48463Merge: 7b3f3af 05a1349
48464Author: Brad Spengler <spender@grsecurity.net>
48465Date: Wed Jan 25 20:52:09 2012 -0500
48466
48467 Merge branch 'pax-test' into grsec-test
48468
48469 Conflicts:
48470 block/scsi_ioctl.c
48471 drivers/scsi/sd.c
48472 fs/proc/base.c
48473
48474commit 05a134966efb9cb9346ad3422888969ffc79ac1d
48475Author: Brad Spengler <spender@grsecurity.net>
48476Date: Wed Jan 25 20:47:36 2012 -0500
48477
48478 Resync with pax-linux-3.2.2-test5.patch
48479
48480commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
48481Merge: c6d443d 3499d64
48482Author: Brad Spengler <spender@grsecurity.net>
48483Date: Wed Jan 25 20:45:16 2012 -0500
48484
48485 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
48486
48487 Conflicts:
48488 ipc/shm.c
48489
48490commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
48491Author: Brad Spengler <spender@grsecurity.net>
48492Date: Tue Jan 24 19:42:01 2012 -0500
48493
48494 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
48495 (may be changed if it breaks some userland), the other has its own
48496 config option
48497
48498 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
48499 the syscall or /proc/sys.
48500
48501 Second feature requires read access to a suid/sgid binary in order
48502 to ptrace it, preventing infoleaking of binaries in situations where
48503 the admin has specified 4711 or 2711 perms. Feature has been
48504 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
48505 a sysctl entry of ptrace_readexec
48506
48507commit 11a7bb25c411c9dccfdca5718639b4becdffd388
48508Author: Brad Spengler <spender@grsecurity.net>
48509Date: Sun Jan 22 14:37:10 2012 -0500
48510
48511 Compilation fixes
48512
48513commit cd400e21c7c352baba47d6f375297a7847afb33a
48514Author: Brad Spengler <spender@grsecurity.net>
48515Date: Sun Jan 22 14:20:27 2012 -0500
48516
48517 Initial port of grsecurity 2.2.2 for Linux 3.2.1
48518 Note that the new syscalls added to this kernel for remote process read/write
48519 are subject to ptrace hardening/other relevant RBAC features
48520 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
48521 as well
48522 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
48523 you should be using a version of gcc with plugin support
48524
48525commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
48526Author: Brad Spengler <spender@grsecurity.net>
48527Date: Sun Jan 22 11:47:31 2012 -0500
48528
48529 Import pax-linux-3.2.1-test5.patch
48530commit bfd7db842f835f9837cd43644459b3a95b0b488d
48531Author: Brad Spengler <spender@grsecurity.net>
48532Date: Sun Jan 22 11:02:02 2012 -0500
48533
48534 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
48535 instead of returning -EACCES
48536 thanks to Wraith from irc for the report
48537
48538commit 873ac13576506cd48ddb527c2540f274e249da50
48539Merge: 34083dd 8a44fcc
48540Author: Brad Spengler <spender@grsecurity.net>
48541Date: Fri Jan 20 18:04:02 2012 -0500
48542
48543 Merge branch 'pax-test' into grsec-test
48544
48545commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
48546Author: Brad Spengler <spender@grsecurity.net>
48547Date: Fri Jan 20 18:02:15 2012 -0500
48548
48549 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
48550 Denies executable shared memory when MPROTECT is active
48551 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
48552
48553commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
48554Author: Brad Spengler <spender@grsecurity.net>
48555Date: Thu Jan 19 20:23:14 2012 -0500
48556
48557 Introduce new GRKERNSEC_SETXID implementation
48558 We're not able to change the credentials of other threads in the process until at most
48559 one syscall after the first thread does it, since we mark the threads as needing rescheduling
48560 and such work occurs on syscall exit.
48561 This does however ensure that we're only modifying the current task's credentials
48562 which upholds RCU expectations
48563
48564 Many thanks to corsac for testing
48565
48566commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
48567Author: Brad Spengler <spender@grsecurity.net>
48568Date: Thu Jan 19 17:42:48 2012 -0500
48569
48570 Simplify backport
48571
48572commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
48573Author: Brad Spengler <spender@grsecurity.net>
48574Date: Thu Jan 19 17:08:16 2012 -0500
48575
48576 Commit the latest silent fix for a local privilege escalation from Linus
48577 Also disable writing to /proc/pid/mem
48578 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
48579
48580commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
48581Merge: 0394a3f 7e6299b
48582Author: Brad Spengler <spender@grsecurity.net>
48583Date: Wed Jan 18 20:22:09 2012 -0500
48584
48585 Merge branch 'pax-test' into grsec-test
48586
48587commit 7e6299b4733c082dde930375dd207b63237751ec
48588Merge: 83555fb 9bb1282
48589Author: Brad Spengler <spender@grsecurity.net>
48590Date: Wed Jan 18 20:21:37 2012 -0500
48591
48592 Merge branch 'linux-3.1.y' into pax-test
48593
48594commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
48595Author: Jesper Juhl <jj@chaosbits.net>
48596Date: Sun Jan 8 22:44:29 2012 +0100
48597
48598 audit: always follow va_copy() with va_end()
48599
48600 A call to va_copy() should always be followed by a call to va_end() in
48601 the same function. In kernel/autit.c::audit_log_vformat() this is not
48602 always done. This patch makes sure va_end() is always called.
48603
48604 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
48605 Cc: Al Viro <viro@zeniv.linux.org.uk>
48606 Cc: Eric Paris <eparis@redhat.com>
48607 Cc: Andrew Morton <akpm@linux-foundation.org>
48608 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48609
48610commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
48611Author: Andi Kleen <ak@linux.intel.com>
48612Date: Thu Jan 12 17:20:30 2012 -0800
48613
48614 panic: don't print redundant backtraces on oops
48615
48616 When an oops causes a panic and panic prints another backtrace it's pretty
48617 common to have the original oops data be scrolled away on a 80x50 screen.
48618
48619 The second backtrace is quite redundant and not needed anyways.
48620
48621 So don't print the panic backtrace when oops_in_progress is true.
48622
48623 [akpm@linux-foundation.org: add comment]
48624 Signed-off-by: Andi Kleen <ak@linux.intel.com>
48625 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
48626 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
48627 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48628
48629commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
48630Author: Miklos Szeredi <mszeredi@suse.cz>
48631Date: Thu Jan 12 17:59:46 2012 +0100
48632
48633 fsnotify: don't BUG in fsnotify_destroy_mark()
48634
48635 Removing the parent of a watched file results in "kernel BUG at
48636 fs/notify/mark.c:139".
48637
48638 To reproduce
48639
48640 add "-w /tmp/audit/dir/watched_file" to audit.rules
48641 rm -rf /tmp/audit/dir
48642
48643 This is caused by fsnotify_destroy_mark() being called without an
48644 extra reference taken by the caller.
48645
48646 Reported by Francesco Cosoleto here:
48647
48648 https://bugzilla.novell.com/show_bug.cgi?id=689860
48649
48650 Fix by removing the BUG_ON and adding a comment about not accessing mark after
48651 the iput.
48652
48653 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
48654 CC: stable@vger.kernel.org
48655 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48656
48657commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
48658Author: Paolo Bonzini <pbonzini@redhat.com>
48659Date: Thu Jan 12 16:01:28 2012 +0100
48660
48661 block: fail SCSI passthrough ioctls on partition devices
48662
48663 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
48664 will pass the command to the underlying block device. This is
48665 well-known, but it is also a large security problem when (via Unix
48666 permissions, ACLs, SELinux or a combination thereof) a program or user
48667 needs to be granted access only to part of the disk.
48668
48669 This patch lets partitions forward a small set of harmless ioctls;
48670 others are logged with printk so that we can see which ioctls are
48671 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
48672 Of course it was being sent to a (partition on a) hard disk, so it would
48673 have failed with ENOTTY and the patch isn't changing anything in
48674 practice. Still, I'm treating it specially to avoid spamming the logs.
48675
48676 In principle, this restriction should include programs running with
48677 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
48678 /dev/sdb, it still should not be able to read/write outside the
48679 boundaries of /dev/sda2 independent of the capabilities. However, for
48680 now programs with CAP_SYS_RAWIO will still be allowed to send the
48681 ioctls. Their actions will still be logged.
48682
48683 This patch does not affect the non-libata IDE driver. That driver
48684 however already tests for bd != bd->bd_contains before issuing some
48685 ioctl; it could be restricted further to forbid these ioctls even for
48686 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
48687
48688 Cc: linux-scsi@vger.kernel.org
48689 Cc: Jens Axboe <axboe@kernel.dk>
48690 Cc: James Bottomley <JBottomley@parallels.com>
48691 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
48692 [ Make it also print the command name when warning - Linus ]
48693 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48694
48695commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
48696Author: Paolo Bonzini <pbonzini@redhat.com>
48697Date: Thu Jan 12 16:01:27 2012 +0100
48698
48699 block: add and use scsi_blk_cmd_ioctl
48700
48701 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
48702
48703 The function will then be enhanced to detect partition block devices
48704 and, in that case, subject the ioctls to whitelisting.
48705
48706 Cc: linux-scsi@vger.kernel.org
48707 Cc: Jens Axboe <axboe@kernel.dk>
48708 Cc: James Bottomley <JBottomley@parallels.com>
48709 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
48710 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
48711
48712commit 97a79814903fc350e1d13704ea31528a42705401
48713Author: Kees Cook <keescook@chromium.org>
48714Date: Sat Jan 7 10:41:04 2012 -0800
48715
48716 audit: treat s_id as an untrusted string
48717
48718 The use of s_id should go through the untrusted string path, just to be
48719 extra careful.
48720
48721 Signed-off-by: Kees Cook <keescook@chromium.org>
48722 Acked-by: Mimi Zohar <zohar@us.ibm.com>
48723 Signed-off-by: Eric Paris <eparis@redhat.com>
48724
48725commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
48726Author: Xi Wang <xi.wang@gmail.com>
48727Date: Tue Dec 20 18:39:41 2011 -0500
48728
48729 audit: fix signedness bug in audit_log_execve_info()
48730
48731 In the loop, a size_t "len" is used to hold the return value of
48732 audit_log_single_execve_arg(), which returns -1 on error. In that
48733 case the error handling (len <= 0) will be bypassed since "len" is
48734 unsigned, and the loop continues with (p += len) being wrapped.
48735 Change the type of "len" to signed int to fix the error handling.
48736
48737 size_t len;
48738 ...
48739 for (...) {
48740 len = audit_log_single_execve_arg(...);
48741 if (len <= 0)
48742 break;
48743 p += len;
48744 }
48745
48746 Signed-off-by: Xi Wang <xi.wang@gmail.com>
48747 Signed-off-by: Eric Paris <eparis@redhat.com>
48748
48749commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
48750Author: Dan Carpenter <dan.carpenter@oracle.com>
48751Date: Tue Jan 17 03:28:51 2012 -0300
48752
48753 [media] ds3000: using logical && instead of bitwise &
48754
48755 The intent here was to test if the FE_HAS_LOCK was set. The current
48756 test is equivalent to "if (status) { ..."
48757
48758 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
48759 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
48760
48761commit 36522330dc59d2fc70c042f3f081d75c32b6259a
48762Author: Brad Spengler <spender@grsecurity.net>
48763Date: Mon Jan 16 13:10:38 2012 -0500
48764
48765 Ignore the 0 signal for protected task RBAC checks
48766
48767commit d513acd55f7a683f6e146a4f570cdb63300479ab
48768Author: Brad Spengler <spender@grsecurity.net>
48769Date: Mon Jan 16 11:56:13 2012 -0500
48770
48771 whitespace cleanup
48772
48773commit ced261c4b82818c700aff8487f647f6f3e5b5122
48774Merge: d48751f 83555fb
48775Author: Brad Spengler <spender@grsecurity.net>
48776Date: Fri Jan 13 20:12:54 2012 -0500
48777
48778 Merge branch 'pax-test' into grsec-test
48779
48780commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
48781Merge: fcd8129 93dad39
48782Author: Brad Spengler <spender@grsecurity.net>
48783Date: Fri Jan 13 20:12:43 2012 -0500
48784
48785 Merge branch 'linux-3.1.y' into pax-test
48786
48787commit d48751f3919ae855fda0ff6c149db82442329253
48788Author: Brad Spengler <spender@grsecurity.net>
48789Date: Wed Jan 11 19:05:47 2012 -0500
48790
48791 Call our own set_user when forcing change to new id
48792
48793commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
48794Merge: e6578ff fcd8129
48795Author: Brad Spengler <spender@grsecurity.net>
48796Date: Tue Jan 10 16:00:10 2012 -0500
48797
48798 Merge branch 'pax-test' into grsec-test
48799
48800commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
48801Author: Brad Spengler <spender@grsecurity.net>
48802Date: Tue Jan 10 15:58:43 2012 -0500
48803
48804 Merge changes from pax-linux-3.1.8-test23.patch
48805
48806commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
48807Merge: 8859ec3 a120549
48808Author: Brad Spengler <spender@grsecurity.net>
48809Date: Fri Jan 6 21:45:56 2012 -0500
48810
48811 Merge branch 'pax-test' into grsec-test
48812
48813commit a12054967a77090de1caa07c41e694a77db4e237
48814Author: Brad Spengler <spender@grsecurity.net>
48815Date: Fri Jan 6 21:45:30 2012 -0500
48816
48817 Merge changes from pax-linux-3.1.8-test22.patch
48818
48819commit 8859ec32f9815c274df65448f9f2960176c380d3
48820Merge: a5016b4 ddd4114
48821Author: Brad Spengler <spender@grsecurity.net>
48822Date: Fri Jan 6 21:26:08 2012 -0500
48823
48824 Merge branch 'pax-test' into grsec-test
48825
48826 Conflicts:
48827 fs/binfmt_elf.c
48828 security/Kconfig
48829
48830commit ddd41147e158a79704983a409b7433eba797cf66
48831Author: Brad Spengler <spender@grsecurity.net>
48832Date: Fri Jan 6 21:12:42 2012 -0500
48833
48834 Resync with PaX patch (whitespace difference)
48835
48836commit 29e569df8205c5f0e043fe4803aa984406c8b118
48837Author: Brad Spengler <spender@grsecurity.net>
48838Date: Fri Jan 6 21:09:47 2012 -0500
48839
48840 Merge changes from pax-linux-3.1.8-test21.patch
48841
48842commit a5016b4f9c09c337b17e063a7f369af1e86d944d
48843Merge: 0124c92 04231d5
48844Author: Brad Spengler <spender@grsecurity.net>
48845Date: Fri Jan 6 18:52:20 2012 -0500
48846
48847 Merge branch 'pax-test' into grsec-test
48848
48849commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
48850Merge: 7bdddeb a919904
48851Author: Brad Spengler <spender@grsecurity.net>
48852Date: Fri Jan 6 18:51:50 2012 -0500
48853
48854 Merge branch 'linux-3.1.y' into pax-test
48855
48856 Conflicts:
48857 include/net/flow.h
48858
48859commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
48860Author: Brad Spengler <spender@grsecurity.net>
48861Date: Fri Jan 6 18:33:05 2012 -0500
48862
48863 Make GRKERNSEC_SETXID option compatible with credential debugging
48864
48865commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
48866Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
48867Date: Wed Dec 28 15:57:11 2011 -0800
48868
48869 mm/mempolicy.c: refix mbind_range() vma issue
48870
48871 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
48872 slightly incorrect fix.
48873
48874 Why? Think following case.
48875
48876 1. map 4 pages of a file at offset 0
48877
48878 [0123]
48879
48880 2. map 2 pages just after the first mapping of the same file but with
48881 page offset 2
48882
48883 [0123][23]
48884
48885 3. mbind() 2 pages from the first mapping at offset 2.
48886 mbind_range() should treat new vma is,
48887
48888 [0123][23]
48889 |23|
48890 mbind vma
48891
48892 but it does
48893
48894 [0123][23]
48895 |01|
48896 mbind vma
48897
48898 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
48899
48900 This patch fixes it.
48901
48902 [testcase]
48903 test result - before the patch
48904
48905 case4: 126: test failed. expect '2,4', actual '2,2,2'
48906 case5: passed
48907 case6: passed
48908 case7: passed
48909 case8: passed
48910 case_n: 246: test failed. expect '4,2', actual '1,4'
48911
48912 ------------[ cut here ]------------
48913 kernel BUG at mm/filemap.c:135!
48914 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
48915
48916 (snip long bug on messages)
48917
48918 test result - after the patch
48919
48920 case4: passed
48921 case5: passed
48922 case6: passed
48923 case7: passed
48924 case8: passed
48925 case_n: passed
48926
48927 source: mbind_vma_test.c
48928 ============================================================
48929 #include <numaif.h>
48930 #include <numa.h>
48931 #include <sys/mman.h>
48932 #include <stdio.h>
48933 #include <unistd.h>
48934 #include <stdlib.h>
48935 #include <string.h>
48936
48937 static unsigned long pagesize;
48938 void* mmap_addr;
48939 struct bitmask *nmask;
48940 char buf[1024];
48941 FILE *file;
48942 char retbuf[10240] = "";
48943 int mapped_fd;
48944
48945 char *rubysrc = "ruby -e '\
48946 pid = %d; \
48947 vstart = 0x%llx; \
48948 vend = 0x%llx; \
48949 s = `pmap -q #{pid}`; \
48950 rary = []; \
48951 s.each_line {|line|; \
48952 ary=line.split(\" \"); \
48953 addr = ary[0].to_i(16); \
48954 if(vstart <= addr && addr < vend) then \
48955 rary.push(ary[1].to_i()/4); \
48956 end; \
48957 }; \
48958 print rary.join(\",\"); \
48959 '";
48960
48961 void init(void)
48962 {
48963 void* addr;
48964 char buf[128];
48965
48966 nmask = numa_allocate_nodemask();
48967 numa_bitmask_setbit(nmask, 0);
48968
48969 pagesize = getpagesize();
48970
48971 sprintf(buf, "%s", "mbind_vma_XXXXXX");
48972 mapped_fd = mkstemp(buf);
48973 if (mapped_fd == -1)
48974 perror("mkstemp "), exit(1);
48975 unlink(buf);
48976
48977 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
48978 perror("lseek "), exit(1);
48979 if (write(mapped_fd, "\0", 1) < 0)
48980 perror("write "), exit(1);
48981
48982 addr = mmap(NULL, pagesize*8, PROT_NONE,
48983 MAP_SHARED, mapped_fd, 0);
48984 if (addr == MAP_FAILED)
48985 perror("mmap "), exit(1);
48986
48987 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
48988 perror("mprotect "), exit(1);
48989
48990 mmap_addr = addr + pagesize;
48991
48992 /* make page populate */
48993 memset(mmap_addr, 0, pagesize*6);
48994 }
48995
48996 void fin(void)
48997 {
48998 void* addr = mmap_addr - pagesize;
48999 munmap(addr, pagesize*8);
49000
49001 memset(buf, 0, sizeof(buf));
49002 memset(retbuf, 0, sizeof(retbuf));
49003 }
49004
49005 void mem_bind(int index, int len)
49006 {
49007 int err;
49008
49009 err = mbind(mmap_addr+pagesize*index, pagesize*len,
49010 MPOL_BIND, nmask->maskp, nmask->size, 0);
49011 if (err)
49012 perror("mbind "), exit(err);
49013 }
49014
49015 void mem_interleave(int index, int len)
49016 {
49017 int err;
49018
49019 err = mbind(mmap_addr+pagesize*index, pagesize*len,
49020 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
49021 if (err)
49022 perror("mbind "), exit(err);
49023 }
49024
49025 void mem_unbind(int index, int len)
49026 {
49027 int err;
49028
49029 err = mbind(mmap_addr+pagesize*index, pagesize*len,
49030 MPOL_DEFAULT, NULL, 0, 0);
49031 if (err)
49032 perror("mbind "), exit(err);
49033 }
49034
49035 void Assert(char *expected, char *value, char *name, int line)
49036 {
49037 if (strcmp(expected, value) == 0) {
49038 fprintf(stderr, "%s: passed\n", name);
49039 return;
49040 }
49041 else {
49042 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
49043 name, line,
49044 expected, value);
49045 // exit(1);
49046 }
49047 }
49048
49049 /*
49050 AAAA
49051 PPPPPPNNNNNN
49052 might become
49053 PPNNNNNNNNNN
49054 case 4 below
49055 */
49056 void case4(void)
49057 {
49058 init();
49059 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
49060
49061 mem_bind(0, 4);
49062 mem_unbind(2, 2);
49063
49064 file = popen(buf, "r");
49065 fread(retbuf, sizeof(retbuf), 1, file);
49066 Assert("2,4", retbuf, "case4", __LINE__);
49067
49068 fin();
49069 }
49070
49071 /*
49072 AAAA
49073 PPPPPPNNNNNN
49074 might become
49075 PPPPPPPPPPNN
49076 case 5 below
49077 */
49078 void case5(void)
49079 {
49080 init();
49081 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
49082
49083 mem_bind(0, 2);
49084 mem_bind(2, 2);
49085
49086 file = popen(buf, "r");
49087 fread(retbuf, sizeof(retbuf), 1, file);
49088 Assert("4,2", retbuf, "case5", __LINE__);
49089
49090 fin();
49091 }
49092
49093 /*
49094 AAAA
49095 PPPPNNNNXXXX
49096 might become
49097 PPPPPPPPPPPP 6
49098 */
49099 void case6(void)
49100 {
49101 init();
49102 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
49103
49104 mem_bind(0, 2);
49105 mem_bind(4, 2);
49106 mem_bind(2, 2);
49107
49108 file = popen(buf, "r");
49109 fread(retbuf, sizeof(retbuf), 1, file);
49110 Assert("6", retbuf, "case6", __LINE__);
49111
49112 fin();
49113 }
49114
49115 /*
49116 AAAA
49117 PPPPNNNNXXXX
49118 might become
49119 PPPPPPPPXXXX 7
49120 */
49121 void case7(void)
49122 {
49123 init();
49124 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
49125
49126 mem_bind(0, 2);
49127 mem_interleave(4, 2);
49128 mem_bind(2, 2);
49129
49130 file = popen(buf, "r");
49131 fread(retbuf, sizeof(retbuf), 1, file);
49132 Assert("4,2", retbuf, "case7", __LINE__);
49133
49134 fin();
49135 }
49136
49137 /*
49138 AAAA
49139 PPPPNNNNXXXX
49140 might become
49141 PPPPNNNNNNNN 8
49142 */
49143 void case8(void)
49144 {
49145 init();
49146 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
49147
49148 mem_bind(0, 2);
49149 mem_interleave(4, 2);
49150 mem_interleave(2, 2);
49151
49152 file = popen(buf, "r");
49153 fread(retbuf, sizeof(retbuf), 1, file);
49154 Assert("2,4", retbuf, "case8", __LINE__);
49155
49156 fin();
49157 }
49158
49159 void case_n(void)
49160 {
49161 init();
49162 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
49163
49164 /* make redundunt mappings [0][1234][34][7] */
49165 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
49166 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
49167
49168 /* Expect to do nothing. */
49169 mem_unbind(2, 2);
49170
49171 file = popen(buf, "r");
49172 fread(retbuf, sizeof(retbuf), 1, file);
49173 Assert("4,2", retbuf, "case_n", __LINE__);
49174
49175 fin();
49176 }
49177
49178 int main(int argc, char** argv)
49179 {
49180 case4();
49181 case5();
49182 case6();
49183 case7();
49184 case8();
49185 case_n();
49186
49187 return 0;
49188 }
49189 =============================================================
49190
49191 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
49192 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
49193 Cc: Minchan Kim <minchan.kim@gmail.com>
49194 Cc: Caspar Zhang <caspar@casparzhang.com>
49195 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
49196 Cc: Christoph Lameter <cl@linux.com>
49197 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
49198 Cc: Mel Gorman <mel@csn.ul.ie>
49199 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
49200 Cc: <stable@vger.kernel.org> [3.1.x]
49201 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
49202 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
49203
49204commit f3a1082005781777086df235049f8c0b7efe524e
49205Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
49206Date: Tue Dec 27 22:32:41 2011 -0500
49207
49208 packet: fix possible dev refcnt leak when bind fail
49209
49210 If bind is fail when bind is called after set PACKET_FANOUT
49211 sock option, the dev refcnt will leak.
49212
49213 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
49214 Signed-off-by: David S. Miller <davem@davemloft.net>
49215
49216commit 915f8b08dac68839dc7204ee81cf9852fda16d24
49217Author: Haogang Chen <haogangchen@gmail.com>
49218Date: Mon Dec 19 17:11:56 2011 -0800
49219
49220 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
49221
49222 There is a potential integer overflow in nilfs_ioctl_clean_segments().
49223 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
49224 call to vmalloc() will allocate a buffer smaller than expected, which
49225 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
49226 lfs_clean_segments().
49227
49228 The following check does not prevent the overflow because nsegs is also
49229 controlled by the userspace and could be very large.
49230
49231 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
49232 goto out_free;
49233
49234 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
49235 returns -EINVAL when overflow.
49236
49237 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
49238 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
49239 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
49240 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
49241
49242commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
49243Author: Kautuk Consul <consul.kautuk@gmail.com>
49244Date: Mon Dec 19 17:12:04 2011 -0800
49245
49246 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
49247
49248 Static storage is not required for the struct vmap_area in
49249 __get_vm_area_node.
49250
49251 Removing "static" to store this variable on the stack instead.
49252
49253 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
49254 Acked-by: David Rientjes <rientjes@google.com>
49255 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
49256 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
49257
49258commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
49259Author: Michel Lespinasse <walken@google.com>
49260Date: Mon Dec 19 17:12:06 2011 -0800
49261
49262 binary_sysctl(): fix memory leak
49263
49264 binary_sysctl() calls sysctl_getname() which allocates from names_cache
49265 slab usin __getname()
49266
49267 The matching function to free the name is __putname(), and not putname()
49268 which should be used only to match getname() allocations.
49269
49270 This is because when auditing is enabled, putname() calls audit_putname
49271 *instead* (not in addition) to __putname(). Then, if a syscall is in
49272 progress, audit_putname does not release the name - instead, it expects
49273 the name to get released when the syscall completes, but that will happen
49274 only if audit_getname() was called previously, i.e. if the name was
49275 allocated with getname() rather than the naked __getname(). So,
49276 __getname() followed by putname() ends up leaking memory.
49277
49278 Signed-off-by: Michel Lespinasse <walken@google.com>
49279 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
49280 Cc: Christoph Hellwig <hch@infradead.org>
49281 Cc: Eric Paris <eparis@redhat.com>
49282 Cc: <stable@vger.kernel.org>
49283 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
49284 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
49285
49286commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
49287Author: Sean Hefty <sean.hefty@intel.com>
49288Date: Tue Dec 6 21:17:11 2011 +0000
49289
49290 RDMA/cma: Verify private data length
49291
49292 private_data_len is defined as a u8. If the user specifies a large
49293 private_data size (> 220 bytes), we will calculate a total length that
49294 exceeds 255, resulting in private_data_len wrapping back to 0. This
49295 can lead to overwriting random kernel memory. Avoid this by verifying
49296 that the resulting size fits into a u8.
49297
49298 Reported-by: B. Thery <benjamin.thery@bull.net>
49299 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
49300 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
49301 Signed-off-by: Roland Dreier <roland@purestorage.com>
49302
49303commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
49304Author: Xi Wang <xi.wang@gmail.com>
49305Date: Sun Dec 11 23:40:56 2011 -0800
49306
49307 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
49308
49309 The error check (intr_status < 0) didn't work because intr_status is
49310 a u8. Change its type to signed int.
49311
49312 Signed-off-by: Xi Wang <xi.wang@gmail.com>
49313 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
49314
49315commit e27f34e383d7863b2528a63b81b23db09781f6b6
49316Author: Xi Wang <xi.wang@gmail.com>
49317Date: Fri Dec 16 12:44:15 2011 +0000
49318
49319 sctp: fix incorrect overflow check on autoclose
49320
49321 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
49322 limiting the autoclose value. If userspace passes in -1 on 32-bit
49323 platform, the overflow check didn't work and autoclose would be set
49324 to 0xffffffff.
49325
49326 This patch defines a max_autoclose (in seconds) for limiting the value
49327 and exposes it through sysctl, with the following intentions.
49328
49329 1) Avoid overflowing autoclose * HZ.
49330
49331 2) Keep the default autoclose bound consistent across 32- and 64-bit
49332 platforms (INT_MAX / HZ in this patch).
49333
49334 3) Keep the autoclose value consistent between setsockopt() and
49335 getsockopt() calls.
49336
49337 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
49338 Signed-off-by: Xi Wang <xi.wang@gmail.com>
49339 Signed-off-by: David S. Miller <davem@davemloft.net>
49340
49341commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
49342Author: Xi Wang <xi.wang@gmail.com>
49343Date: Wed Dec 21 05:18:33 2011 -0500
49344
49345 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
49346
49347 Commit e133e737 didn't correctly fix the integer overflow issue.
49348
49349 - unsigned int required_size;
49350 + u64 required_size;
49351 ...
49352 required_size = mode_cmd->pitch * mode_cmd->height;
49353 - if (unlikely(required_size > dev_priv->vram_size)) {
49354 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
49355
49356 Note that both pitch and height are u32. Their product is still u32 and
49357 would overflow before being assigned to required_size. A correct way is
49358 to convert pitch and height to u64 before the multiplication.
49359
49360 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
49361
49362 This patch calls the existing vmw_kms_validate_mode_vram() for
49363 validation.
49364
49365 Signed-off-by: Xi Wang <xi.wang@gmail.com>
49366 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
49367 Signed-off-by: Dave Airlie <airlied@redhat.com>
49368
49369 Conflicts:
49370
49371 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
49372
49373commit eb8f0bd01fb994c9abc77dc84729794cd841753d
49374Author: Xi Wang <xi.wang@gmail.com>
49375Date: Thu Dec 22 13:35:22 2011 +0000
49376
49377 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
49378
49379 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
49380 cause a kernel oops due to insufficient bounds checking.
49381
49382 if (count > 1<<30) {
49383 /* Enforce a limit to prevent overflow */
49384 return -EINVAL;
49385 }
49386 count = roundup_pow_of_two(count);
49387 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
49388
49389 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
49390
49391 ... + (count * sizeof(struct rps_dev_flow))
49392
49393 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
49394 32 bits.
49395
49396 This patch replaces the magic number (1 << 30) with a symbolic bound.
49397
49398 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
49399 Signed-off-by: Xi Wang <xi.wang@gmail.com>
49400 Signed-off-by: David S. Miller <davem@davemloft.net>
49401
49402commit 648188958672024b616c42c1f6c98c8cfc85619d
49403Author: Xi Wang <xi.wang@gmail.com>
49404Date: Fri Dec 30 10:40:17 2011 -0500
49405
49406 netfilter: ctnetlink: fix timeout calculation
49407
49408 The sanity check (timeout < 0) never works; the dividend is unsigned
49409 and so is the division, which should have been a signed division.
49410
49411 long timeout = (ct->timeout.expires - jiffies) / HZ;
49412 if (timeout < 0)
49413 timeout = 0;
49414
49415 This patch converts the time values to signed for the division.
49416
49417 Signed-off-by: Xi Wang <xi.wang@gmail.com>
49418 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
49419
49420commit ab03a0973cee73f88655ff4981812ad316a6cd59
49421Merge: 76f82df 7bdddeb
49422Author: Brad Spengler <spender@grsecurity.net>
49423Date: Tue Jan 3 17:42:50 2012 -0500
49424
49425 Merge branch 'pax-test' into grsec-test
49426
49427commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
49428Merge: 3e59cb5 55cc81a
49429Author: Brad Spengler <spender@grsecurity.net>
49430Date: Tue Jan 3 17:42:36 2012 -0500
49431
49432 Merge branch 'linux-3.1.y' into pax-test
49433
49434commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
49435Author: Brad Spengler <spender@grsecurity.net>
49436Date: Thu Dec 22 20:15:02 2011 -0500
49437
49438 Only further restrict futex targeting another process -- our modified
49439 permission check also happened to allow a case where a process retaining
49440 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
49441 being non-zero (reported on forums by ben_w)
49442
49443commit 6b235a4450a5fea41663ec35fa0608988b6078c6
49444Merge: 97c16f0 3e59cb5
49445Author: Brad Spengler <spender@grsecurity.net>
49446Date: Thu Dec 22 19:11:06 2011 -0500
49447
49448 Merge branch 'pax-test' into grsec-test
49449
49450 Conflicts:
49451 fs/hfs/btree.c
49452
49453commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
49454Merge: 285eb4e c26f60b
49455Author: Brad Spengler <spender@grsecurity.net>
49456Date: Thu Dec 22 19:09:57 2011 -0500
49457
49458 Merge branch 'linux-3.1.y' into pax-test
49459
49460 Conflicts:
49461 arch/x86/kernel/process.c
49462
49463commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
49464Author: Brad Spengler <spender@grsecurity.net>
49465Date: Mon Dec 19 21:54:01 2011 -0500
49466
49467 Add new option: "Enforce consistent multithreaded privileges"
49468
49469commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
49470Author: Brad Spengler <spender@grsecurity.net>
49471Date: Wed Dec 7 19:58:31 2011 -0500
49472
49473 Remove harmless duplicate code -- exec_file would be null already so the
49474 second check would never pass.
49475
49476commit 4e3304e94aa72737810bc50169519af157dce4ce
49477Author: Brad Spengler <spender@grsecurity.net>
49478Date: Wed Dec 7 19:50:39 2011 -0500
49479
49480 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
49481 depended on for attaching to a thread. Entries exist in /proc for
49482 threads, but are not visible in a readdir.
49483
49484commit 1bd899335f23815cfe8deac44c6b346398f3b95e
49485Author: Brad Spengler <spender@grsecurity.net>
49486Date: Sun Dec 4 18:03:28 2011 -0500
49487
49488 Put the already-walked path if in RCU-walk mode
49489
49490commit ec7ae36b7159f10649709779443a988662965d66
49491Author: Brad Spengler <spender@grsecurity.net>
49492Date: Sun Dec 4 17:35:21 2011 -0500
49493
49494 Fix memory leak introduced by recent (unpublished) commit
49495 75ab998b94a29d464518d6d501bdde3fbfcbfa14
49496
49497commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
49498Author: Brad Spengler <spender@grsecurity.net>
49499Date: Sun Dec 4 13:56:10 2011 -0500
49500
49501 Explicitly check size copied to userland in override_release to silence gcc
49502
49503commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
49504Author: Brad Spengler <spender@grsecurity.net>
49505Date: Sun Dec 4 13:54:02 2011 -0500
49506
49507 Initialize variable to silence erroneous gcc warning
49508
49509commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
49510Author: Brad Spengler <spender@grsecurity.net>
49511Date: Sun Dec 4 13:47:47 2011 -0500
49512
49513 Future-proof other potential RCU-aware locations where we can log.
49514
49515commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
49516Author: Brad Spengler <spender@grsecurity.net>
49517Date: Sun Dec 4 13:02:54 2011 -0500
49518
49519 Fix freeze reported by 'vs' on the forums. Bug occurred due to
49520 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
49521 in generic_permission() was in the task's effective set but disallowed by
49522 RBAC, would block when acquiring locks resulting in the freeze.
49523
49524 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
49525 as being required when CAP_DAC_OVERRIDE is present (consistent with
49526 older patches).
49527
49528commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
49529Author: Xi Wang <xi.wang@gmail.com>
49530Date: Tue Nov 29 09:26:30 2011 +0000
49531
49532 sctp: better integer overflow check in sctp_auth_create_key()
49533
49534 The check from commit 30c2235c is incomplete and cannot prevent
49535 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
49536 left-hand side of the check (INT_MAX - key_len), which is unsigned,
49537 becomes 0xffffffff (UINT_MAX) and bypasses the check.
49538
49539 However this shouldn't be a security issue. The function is called
49540 from the following two code paths:
49541
49542 1) setsockopt()
49543
49544 2) sctp_auth_asoc_set_secret()
49545
49546 In case (1), sca_keylength is never going to exceed 65535 since it's
49547 bounded by a u16 from the user API. As such, the key length will
49548 never overflow.
49549
49550 In case (2), sca_keylength is computed based on the user key (1 short)
49551 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
49552 will not overflow.
49553
49554 In other words, this overflow check is not really necessary. Just
49555 make it more correct.
49556
49557 Signed-off-by: Xi Wang <xi.wang@gmail.com>
49558 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
49559 Signed-off-by: David S. Miller <davem@davemloft.net>
49560
49561commit e565e28c3635a1d50f80541fbf6b606d742fec76
49562Author: Josh Boyer <jwboyer@redhat.com>
49563Date: Fri Aug 19 14:50:26 2011 -0400
49564
49565 fs/minix: Verify bitmap block counts before mounting
49566
49567 Newer versions of MINIX can create filesystems that allocate an extra
49568 bitmap block. Mounting of this succeeds, but doing a statfs call will
49569 result in an oops in count_free because of a negative number being used
49570 for the bh index.
49571
49572 Avoid this by verifying the number of allocated blocks at mount time,
49573 erroring out if there are not enough and make statfs ignore the extras
49574 if there are too many.
49575
49576 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
49577
49578 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
49579 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
49580
49581commit 6e134e398ec1a3f428261680e83df4319e64bed9
49582Author: Julia Lawall <julia@diku.dk>
49583Date: Tue Nov 15 14:53:11 2011 -0800
49584
49585 drivers/gpu/vga/vgaarb.c: add missing kfree
49586
49587 kbuf is a buffer that is local to this function, so all of the error paths
49588 leaving the function should release it.
49589
49590 Signed-off-by: Julia Lawall <julia@diku.dk>
49591 Cc: Jesper Juhl <jj@chaosbits.net>
49592 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
49593 Signed-off-by: Dave Airlie <airlied@redhat.com>
49594
49595commit 2b9057b321e36860e8d63985b5c4e496f254b717
49596Author: Brad Spengler <spender@grsecurity.net>
49597Date: Sat Dec 3 21:33:28 2011 -0500
49598
49599 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
49600
49601commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
49602Author: Brad Spengler <spender@grsecurity.net>
49603Date: Sat Dec 3 21:29:37 2011 -0500
49604
49605 Import pax-linux-3.1.4-test18.patch
49606
49607commit 285eb4ea45d853ae00426b3315a61c1368080dad
49608Author: Brad Spengler <spender@grsecurity.net>
49609Date: Sat Dec 10 18:33:46 2011 -0500
49610
49611 Import changes from pax-linux-3.1.5-test20.patch
49612
49613commit a6bda918fc90ec1d5c387e978d147ad2044153f1
49614Author: Brad Spengler <spender@grsecurity.net>
49615Date: Thu Dec 8 20:55:54 2011 -0500
49616
49617 Import changes from pax-linux-3.1.4-test19.patch
49618
49619commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
49620Author: Brad Spengler <spender@grsecurity.net>
49621Date: Sat Dec 3 21:29:37 2011 -0500
49622
49623 Import pax-linux-3.1.4-test18.patch
49624commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
49625Author: Brad Spengler <spender@grsecurity.net>
49626Date: Thu Jul 4 23:05:14 2013 -0400
49627
49628 always enforce a non-zero gap for RAND_THREADSTACK
49629
49630 mm/mmap.c | 2 +-
49631 1 files changed, 1 insertions(+), 1 deletions(-)
49632
49633commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
49634Author: Brad Spengler <spender@grsecurity.net>
49635Date: Thu Jul 4 16:09:28 2013 -0400
49636
49637 fix up file comparisons
49638
49639 grsecurity/gracl_segv.c | 2 +-
49640 grsecurity/grsec_sig.c | 4 ++--
49641 include/linux/grinternal.h | 12 ++++++++++++
49642 3 files changed, 15 insertions(+), 3 deletions(-)
49643
49644commit a1fff2c95162314626dd96bec71d951a8c1c4708
49645Author: Brad Spengler <spender@grsecurity.net>
49646Date: Thu Jul 4 15:33:18 2013 -0400
49647
49648 fix suid binary matching
49649
49650 grsecurity/grsec_sig.c | 2 +-
49651 1 files changed, 1 insertions(+), 1 deletions(-)
49652
49653commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
49654Merge: 37b97a9 47beb61
49655Author: Brad Spengler <spender@grsecurity.net>
49656Date: Thu Jul 4 15:02:31 2013 -0400
49657
49658 Merge branch 'pax-test' into grsec-test
49659
49660commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
49661Author: Brad Spengler <spender@grsecurity.net>
49662Date: Thu Jul 4 15:01:37 2013 -0400
49663
49664 Update to pax-linux-3.9.9-test13.patch:
49665 - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
49666 - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)
49667
49668 arch/arm/include/asm/uaccess.h | 20 ++++++++++----------
49669 arch/arm/kernel/armksyms.c | 2 +-
49670 arch/arm/kernel/entry-armv.S | 4 ++--
49671 arch/arm/mm/Kconfig | 2 +-
49672 arch/x86/ia32/ia32entry.S | 4 ++--
49673 arch/x86/include/asm/page.h | 1 +
49674 arch/x86/kernel/entry_32.S | 4 ++--
49675 arch/x86/kernel/entry_64.S | 8 ++++----
49676 arch/x86/kernel/head64.c | 12 ++++++------
49677 arch/x86/kernel/head_64.S | 16 ++++++++++++----
49678 arch/x86/mm/init.c | 8 ++++++++
49679 arch/x86/mm/init_32.c | 6 ------
49680 arch/x86/mm/init_64.c | 6 ------
49681 arch/x86/platform/efi/efi_32.c | 5 +++++
49682 arch/x86/platform/efi/efi_64.c | 10 ++++++++++
49683 15 files changed, 64 insertions(+), 44 deletions(-)
49684
49685commit 89085d2d0643813a62f23d1199a335dc1e129bc0
49686Merge: 963af7f 0adf2e7
49687Author: Brad Spengler <spender@grsecurity.net>
49688Date: Thu Jul 4 14:55:44 2013 -0400
49689
49690 Merge branch 'linux-3.9.y' into pax-test
49691
49692commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
49693Author: Brad Spengler <spender@grsecurity.net>
49694Date: Thu Jul 4 13:46:02 2013 -0400
49695
49696 fix typo
49697
49698 grsecurity/gracl.c | 2 +-
49699 1 files changed, 1 insertions(+), 1 deletions(-)
49700
49701commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
49702Author: Brad Spengler <spender@grsecurity.net>
49703Date: Thu Jul 4 13:29:51 2013 -0400
49704
49705 update log arguments
49706
49707 grsecurity/grsec_sig.c | 3 ++-
49708 1 files changed, 2 insertions(+), 1 deletions(-)
49709
49710commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
49711Author: Brad Spengler <spender@grsecurity.net>
49712Date: Thu Jul 4 13:20:23 2013 -0400
49713
49714 Update logging of suid exec ban
49715
49716 Conflicts:
49717
49718 grsecurity/grsec_sig.c
49719
49720 grsecurity/grsec_sig.c | 3 +--
49721 include/linux/grmsg.h | 1 +
49722 2 files changed, 2 insertions(+), 2 deletions(-)
49723
49724commit ef808866c070aa1901bd2224521baaf5d145a3a7
49725Author: Brad Spengler <spender@grsecurity.net>
49726Date: Thu Jul 4 12:58:33 2013 -0400
49727
49728 Additional improvements to the user banning code:
49729
49730 Separate the kernel-bruteforcing case from the suid bruteforcing case
49731 In the suid bruteforcing case, only kill existing copies of the bruteforced
49732 binary. Instead of preventing all future execs by this user, prevent them
49733 from executing any suid/sgid binaries for the next 15 minutes.
49734
49735 Kernel case is mostly unchanged from before, except the task trying to change
49736 real uid to the banned user will be terminated instead of failing the setuid
49737 call.
49738
49739 Configuration help has been updated to reflect the new changes.
49740
49741 fs/exec.c | 13 +++++---
49742 grsecurity/Kconfig | 5 ++-
49743 grsecurity/gracl.c | 6 ++--
49744 grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
49745 include/linux/grsecurity.h | 1 -
49746 include/linux/sched.h | 9 +++--
49747 6 files changed, 65 insertions(+), 45 deletions(-)
49748
49749commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
49750Author: Brad Spengler <spender@grsecurity.net>
49751Date: Wed Jul 3 16:14:09 2013 -0400
49752
49753 fix renamed export of csum_partial_copy_from_user, as reported by fabled
49754 on the forums
49755
49756 arch/arm/kernel/armksyms.c | 2 +-
49757 1 files changed, 1 insertions(+), 1 deletions(-)
49758
49759commit 318235973c2a548c3d25562645d6b69f66e85934
49760Author: Brad Spengler <spender@grsecurity.net>
49761Date: Wed Jul 3 16:09:16 2013 -0400
49762
49763 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
49764 reported on the forums by fabled
49765
49766 arch/arm/mm/Kconfig | 2 +-
49767 1 files changed, 1 insertions(+), 1 deletions(-)
49768
49769commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
49770Author: Brad Spengler <spender@grsecurity.net>
49771Date: Wed Jul 3 15:53:12 2013 -0400
49772
49773 Revise the user ban code to kill the process issuing a banned
49774 set*id instead of returning an error. For the sake of keeping
49775 unified user banning between the suid and kernel bruteforce case,
49776 we will apply this killing to the suid bruteforce case, despite
49777 a check just at exec time (that already existed) being sufficient.
49778
49779 Returning an error could enable exploitation of the "failure to check
49780 setuid return value" case which was recently effectively closed
49781 upstream, albeit in a rare situation with a suitable binary and
49782 two colluding users.
49783
49784 Many thanks to stealth for reviewing the user ban code.
49785
49786 grsecurity/gracl.c | 4 ++--
49787 grsecurity/grsec_sig.c | 16 +++++++++++++---
49788 2 files changed, 15 insertions(+), 5 deletions(-)
49789
49790commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
49791Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
49792Date: Fri Jun 28 14:15:15 2013 +0300
49793
49794 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
49795
49796 UBIFS: fix a horrid bug
49797
49798 Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
49799 mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
49800 in the middle of 'ubifs_readdir()'.
49801
49802 This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
49803 it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
49804 but this may corrupt memory and lead to all kinds of problems like crashes an
49805 security holes.
49806
49807 This patch fixes the problem by using the 'file->f_version' field, which
49808 '->llseek()' always unconditionally sets to zero. We set it to 1 in
49809 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
49810 seek and it is time to clear the state saved in 'file->private_data'.
49811
49812 I tested this patch by writing a user-space program which runds readdir and
49813 seek in parallell. I could easily crash the kernel without these patches, but
49814 could not crash it with these patches.
49815
49816 Cc: stable@vger.kernel.org
49817 Reported-by: Al Viro <viro@zeniv.linux.org.uk>
49818 Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
49819 Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
49820 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
49821
49822 fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
49823 1 files changed, 27 insertions(+), 3 deletions(-)
49824
49825commit c22280b85088978bd8b45bd23096879459b48008
49826Author: Stephane Eranian <eranian@google.com>
49827Date: Thu Jun 20 11:36:28 2013 +0200
49828
49829 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
49830
49831 perf: Disable monitoring on setuid processes for regular users
49832
49833 There was a a bug in setup_new_exec(), whereby
49834 the test to disabled perf monitoring was not
49835 correct because the new credentials for the
49836 process were not yet committed and therefore
49837 the get_dumpable() test was never firing.
49838
49839 The patch fixes the problem by moving the
49840 perf_event test until after the credentials
49841 are committed.
49842
49843 Signed-off-by: Stephane Eranian <eranian@google.com>
49844 Tested-by: Jiri Olsa <jolsa@redhat.com>
49845 Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
49846 Cc: <stable@kernel.org>
49847 Signed-off-by: Ingo Molnar <mingo@kernel.org>
49848
49849 fs/exec.c | 16 +++++++++-------
49850 1 files changed, 9 insertions(+), 7 deletions(-)
49851
49852commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
49853Author: Brad Spengler <spender@grsecurity.net>
49854Date: Sat Jun 29 13:10:02 2013 -0400
49855
49856 on context switch, make sure we switch DACR when domain support and
49857 KERNEXEC is disabled but UDEREF is enabled
49858
49859 arch/arm/kernel/entry-armv.S | 4 ++--
49860 1 files changed, 2 insertions(+), 2 deletions(-)
49861
49862commit 08d017fa51370921694ce087b28c96fec92993d4
49863Author: Michael S. Tsirkin <mst@redhat.com>
49864Date: Sun Jun 23 17:26:58 2013 +0300
49865
49866 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
49867
49868 macvtap: fix recovery from gup errors
49869
49870 get user pages might fail partially in macvtap zero copy
49871 mode. To recover we need to put all pages that we got,
49872 but code used a wrong index resulting in double-free
49873 errors.
49874
49875 Reported-by: Brad Hubbard <bhubbard@redhat.com>
49876 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
49877 Acked-by: Jason Wang <jasowang@redhat.com>
49878 Signed-off-by: David S. Miller <davem@davemloft.net>
49879
49880 drivers/net/macvtap.c | 6 ++++--
49881 1 files changed, 4 insertions(+), 2 deletions(-)
49882
49883commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
49884Author: Michael S. Tsirkin <mst@redhat.com>
49885Date: Sun Jun 23 17:19:03 2013 +0300
49886
49887 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
49888
49889 tun: fix recovery from gup errors
49890
49891 get user pages might fail partially in tun zero copy
49892 mode. To recover we need to put all pages that we got,
49893 but code used a wrong index resulting in double-free
49894 errors.
49895
49896 Reported-by: Brad Hubbard <bhubbard@redhat.com>
49897 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
49898 Acked-by: Jason Wang <jasowang@redhat.com>
49899 Acked-by: Neil Horman <nhorman@tuxdriver.com>
49900 Signed-off-by: David S. Miller <davem@davemloft.net>
49901
49902 drivers/net/tun.c | 6 ++++--
49903 1 files changed, 4 insertions(+), 2 deletions(-)
49904
49905commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
49906Author: Balazs Peter Odor <balazs@obiserver.hu>
49907Date: Sat Jun 22 19:24:43 2013 +0200
49908
49909 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
49910
49911 netfilter: nf_nat_sip: fix mangling
49912
49913 In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
49914 there were some missing brackets around the logging information, thus
49915 always returning drop.
49916
49917 Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
49918
49919 Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
49920 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
49921
49922 net/netfilter/nf_nat_sip.c | 3 ++-
49923 1 files changed, 2 insertions(+), 1 deletions(-)
49924
49925commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
49926Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
49927Date: Sun Jun 2 16:30:40 2013 -0400
49928
49929 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
49930
49931 Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
49932
49933 If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
49934 controller, memory corruption happens due to a memcpy() call with
49935 negative length.
49936
49937 Fix this crash on either incoming or outgoing connections with a MTU
49938 smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
49939
49940 [ 46.885433] BUG: unable to handle kernel paging request at f56ad000
49941 [ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
49942 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
49943 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
49944 [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
49945 [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
49946 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
49947 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
49948 [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
49949 [ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
49950 [ 46.888037] EIP is at memcpy+0x1d/0x40
49951 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
49952 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
49953 [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
49954 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
49955 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
49956 [ 46.888037] DR6: ffff0ff0 DR7: 00000400
49957 [ 46.888037] Stack:
49958 [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
49959 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
49960 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
49961 [ 46.888037] Call Trace:
49962 [ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
49963 [ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
49964 [ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
49965 [ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
49966 [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
49967 [ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
49968 [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
49969 [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
49970 [ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
49971 [ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
49972 [ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
49973 [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
49974 [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
49975 [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
49976 [ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
49977 [ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
49978 [ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
49979 [ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
49980 [ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
49981 [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
49982 [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
49983 [ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
49984 [ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
49985 [ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
49986 [ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
49987 [ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
49988 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
49989 [ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
49990 [ 46.888037] CR2: 00000000f56ad000
49991 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
49992
49993 Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
49994 Cc: stable@vger.kernel.org
49995 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
49996 Signed-off-by: John W. Linville <linville@tuxdriver.com>
49997
49998 net/bluetooth/l2cap_core.c | 3 +++
49999 1 files changed, 3 insertions(+), 0 deletions(-)
50000
50001commit b0471b6c1160858fc646d8e94628fd1299f61692
50002Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
50003Date: Fri Jun 21 19:55:11 2013 +0530
50004
50005 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
50006
50007 Bluetooth: Fix invalid length check in l2cap_information_rsp()
50008
50009 The length check is invalid since the length varies with type of
50010 info response.
50011
50012 This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
50013
50014 Because of this, l2cap info rsp is not handled and command reject is sent.
50015
50016 > ACL data: handle 11 flags 0x02 dlen 16
50017 L2CAP(s): Info rsp: type 2 result 0
50018 Extended feature mask 0x00b8
50019 Enhanced Retransmission mode
50020 Streaming mode
50021 FCS Option
50022 Fixed Channels
50023 < ACL data: handle 11 flags 0x00 dlen 10
50024 L2CAP(s): Command rej: reason 0
50025 Command not understood
50026
50027 Cc: stable@vger.kernel.org
50028 Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
50029 Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
50030 Acked-by: Johan Hedberg <johan.hedberg@intel.com>
50031 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
50032
50033 net/bluetooth/l2cap_core.c | 2 +-
50034 1 files changed, 1 insertions(+), 1 deletions(-)
50035
50036commit 4184af98c360d825e638b268b1a9847232e8d299
50037Author: Eric Dumazet <edumazet@google.com>
50038Date: Wed Jun 26 04:15:07 2013 -0700
50039
50040 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
50041
50042 ipv6: ip6_sk_dst_check() must not assume ipv6 dst
50043
50044 It's possible to use AF_INET6 sockets and to connect to an IPv4
50045 destination. After this, socket dst cache is a pointer to a rtable,
50046 not rt6_info.
50047
50048 ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
50049 various corruptions/crashes can happen.
50050
50051 Dave Jones can reproduce immediate crash with
50052 trinity -q -l off -n -c sendmsg -c connect
50053
50054 With help from Hannes Frederic Sowa
50055
50056 Reported-by: Dave Jones <davej@redhat.com>
50057 Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
50058 Signed-off-by: Eric Dumazet <edumazet@google.com>
50059 Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
50060 Signed-off-by: David S. Miller <davem@davemloft.net>
50061
50062 net/ipv6/ip6_output.c | 8 +++++++-
50063 1 files changed, 7 insertions(+), 1 deletions(-)
50064
50065commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
50066Author: Zefan Li <lizefan@huawei.com>
50067Date: Wed Jun 26 15:29:54 2013 +0800
50068
50069 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
50070
50071 dlci: acquire rtnl_lock before calling __dev_get_by_name()
50072
50073 Otherwise the net device returned can be freed at anytime.
50074
50075 Signed-off-by: Li Zefan <lizefan@huawei.com>
50076 Cc: stable@vger.kernel.org
50077 Signed-off-by: David S. Miller <davem@davemloft.net>
50078
50079 drivers/net/wan/dlci.c | 14 +++++++++-----
50080 1 files changed, 9 insertions(+), 5 deletions(-)
50081
50082commit 1fe6f23c9acd14d832d056909ff326bde418e645
50083Author: Zefan Li <lizefan@huawei.com>
50084Date: Wed Jun 26 15:31:58 2013 +0800
50085
50086 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
50087
50088 dlci: validate the net device in dlci_del()
50089
50090 We triggered an oops while running trinity with 3.4 kernel:
50091
50092 BUG: unable to handle kernel paging request at 0000000100000d07
50093 IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
50094 PGD 640c0d067 PUD 0
50095 Oops: 0000 [#1] PREEMPT SMP
50096 CPU 3
50097 ...
50098 Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
50099 RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
50100 ...
50101 Call Trace:
50102 [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
50103 [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
50104 [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
50105 [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
50106 [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
50107 ...
50108
50109 It's because the net device is not a dlci device.
50110
50111 Reported-by: Li Jinyue <lijinyue@huawei.com>
50112 Signed-off-by: Li Zefan <lizefan@huawei.com>
50113 Cc: stable@vger.kernel.org
50114 Signed-off-by: David S. Miller <davem@davemloft.net>
50115
50116 drivers/net/wan/dlci.c | 12 ++++++++++++
50117 1 files changed, 12 insertions(+), 0 deletions(-)
50118
50119commit 4d4464407611527ef6b6b5475cfcab6121b3da66
50120Merge: 59571a9 963af7f
50121Author: Brad Spengler <spender@grsecurity.net>
50122Date: Thu Jun 27 18:54:52 2013 -0400
50123
50124 Merge branch 'pax-test' into grsec-test
50125
50126commit 963af7f7f591759b731ce6325ceb583a72fcf423
50127Merge: c51e25a 55db48a
50128Author: Brad Spengler <spender@grsecurity.net>
50129Date: Thu Jun 27 18:54:42 2013 -0400
50130
50131 Merge branch 'linux-3.9.y' into pax-test
50132
50133commit 59571a9db7485f530a1e865a13cacc4c991ec41f
50134Author: Brad Spengler <spender@grsecurity.net>
50135Date: Wed Jun 26 18:39:08 2013 -0400
50136
50137 From: Mathias Krause <minipli@googlemail.com>
50138 To: Steffen Klassert <steffen.klassert@secunet.com>,
50139 "David S. Miller" <davem@davemloft.net>
50140 Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
50141 Herbert Xu <herbert@gondor.apana.org.au>
50142 Subject: [PATCH] af_key: fix info leaks in notify messages
50143
50144 key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
50145 the sadb_msg_reserved member of the broadcasted message and thereby
50146 leak 2 bytes of heap memory to listeners. Fix that.
50147
50148 Signed-off-by: Mathias Krause <minipli@googlemail.com>
50149 Cc: Steffen Klassert <steffen.klassert@secunet.com>
50150 Cc: "David S. Miller" <davem@davemloft.net>
50151 Cc: Herbert Xu <herbert@gondor.apana.org.au>
50152
50153 net/key/af_key.c | 2 ++
50154 1 files changed, 2 insertions(+), 0 deletions(-)
50155
50156commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
50157Author: Brad Spengler <spender@grsecurity.net>
50158Date: Wed Jun 26 18:33:06 2013 -0400
50159
50160 update rand_threadstack code to continue the search for a gap if the first
50161 choice doesn't have enough space, instead of returning ENOMEM
50162
50163 mm/mmap.c | 17 ++++++++++-------
50164 1 files changed, 10 insertions(+), 7 deletions(-)
50165
50166commit 87020d4a4d83038d65ff1fd519938840f6888b9e
50167Merge: 2682346 c51e25a
50168Author: Brad Spengler <spender@grsecurity.net>
50169Date: Wed Jun 26 18:25:32 2013 -0400
50170
50171 Merge branch 'pax-test' into grsec-test
50172
50173commit c51e25a23f30a1198076bd085f19b2073caf164d
50174Author: Brad Spengler <spender@grsecurity.net>
50175Date: Wed Jun 26 18:24:54 2013 -0400
50176
50177 Update to pax-linux-3.9.7-test12.patch:
50178 - fixed a regression on PARAVIRT/amd64 kernels
50179 - simplified the recent vm_unmapped_area_info based change
50180
50181 arch/x86/kernel/entry_64.S | 8 ++++----
50182 mm/mmap.c | 22 ++++++++++++----------
50183 2 files changed, 16 insertions(+), 14 deletions(-)
50184
50185commit 26823469a08e59cb67bea18d448d9e8c65f82e08
50186Author: Brad Spengler <spender@grsecurity.net>
50187Date: Tue Jun 25 21:26:51 2013 -0400
50188
50189 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
50190 vm_unmapped_area code is complete
50191
50192 arch/x86/kernel/sys_i386_32.c | 5 +++++
50193 grsecurity/Kconfig | 2 +-
50194 mm/mmap.c | 11 ++++++++++-
50195 3 files changed, 16 insertions(+), 2 deletions(-)
50196
50197commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
50198Merge: e58fe8c c4e0704
50199Author: Brad Spengler <spender@grsecurity.net>
50200Date: Tue Jun 25 19:08:52 2013 -0400
50201
50202 Merge branch 'pax-test' into grsec-test
50203
50204 Conflicts:
50205 arch/x86/kernel/sys_i386_32.c
50206
50207commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
50208Author: Brad Spengler <spender@grsecurity.net>
50209Date: Tue Jun 25 19:05:39 2013 -0400
50210
50211 Update to pax-linux-3.9.7-test11.patch:
50212 - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
50213 - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
50214 - fixed the recent nested nmi related fixes some more
50215 - fixed a regression in kernel memory initialization on relocatable i386 kernels
50216 - empty_zero_page can be read-only on amd64 as well
50217
50218 arch/arm/mm/mmap.c | 6 --
50219 arch/x86/kernel/entry_64.S | 8 +--
50220 arch/x86/kernel/head_64.S | 1 -
50221 arch/x86/kernel/setup.c | 2 +-
50222 arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++----------------------------
50223 drivers/lguest/core.c | 2 +-
50224 include/linux/mm.h | 6 +-
50225 include/linux/vmalloc.h | 2 +-
50226 mm/mmap.c | 30 +++++++-
50227 9 files changed, 83 insertions(+), 134 deletions(-)
50228
50229commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
50230Author: Brad Spengler <spender@grsecurity.net>
50231Date: Sun Jun 23 14:37:14 2013 -0400
50232
50233 second compile fix, reported by forsaken on forums
50234
50235 include/linux/vmalloc.h | 2 +-
50236 1 files changed, 1 insertions(+), 1 deletions(-)
50237
50238commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
50239Author: Brad Spengler <spender@grsecurity.net>
50240Date: Sun Jun 23 14:36:35 2013 -0400
50241
50242 compile fix, reported by KDE on forums
50243
50244 kernel/printk.c | 7 -------
50245 1 files changed, 0 insertions(+), 7 deletions(-)
50246
50247commit 1fc9a5e2e267205d28302e1e86ca0da434561111
50248Author: Ben Hutchings <ben@decadent.org.uk>
50249Date: Sun Jun 16 21:27:12 2013 +0100
50250
50251 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
50252
50253 x86/efi: Fix dummy variable buffer allocation
50254
50255 1. Check for allocation failure
50256 2. Clear the buffer contents, as they may actually be written to flash
50257 3. Don't leak the buffer
50258
50259 Compile-tested only.
50260
50261 [ Tested successfully on my buggy ASUS machine - Matt ]
50262
50263 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
50264 Cc: stable@vger.kernel.org
50265 Signed-off-by: Matt Fleming <matt.fleming@intel.com>
50266
50267 arch/x86/platform/efi/efi.c | 7 ++++++-
50268 1 files changed, 6 insertions(+), 1 deletions(-)
50269
50270commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
50271Author: Dave Kleikamp <dave.kleikamp@oracle.com>
50272Date: Tue Jun 18 09:05:36 2013 -0500
50273
50274 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
50275
50276 sparc: tsb must be flushed before tlb
50277
50278 This fixes a race where a cpu may re-load a tlb from a stale tsb right
50279 after it has been flushed by a remote function call.
50280
50281 I still see some instability when stressing the system with parallel
50282 kernel builds while creating memory pressure by writing to
50283 /proc/sys/vm/nr_hugepages, but this patch improves the stability
50284 significantly.
50285
50286 Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
50287 Acked-by: Bob Picco <bob.picco@oracle.com>
50288 Signed-off-by: David S. Miller <davem@davemloft.net>
50289
50290 arch/sparc/mm/tlb.c | 2 +-
50291 1 files changed, 1 insertions(+), 1 deletions(-)
50292
50293commit d93b62f6485db9aadda34322a6867868db07f56f
50294Merge: 4ef62f5 71d83e9
50295Author: Brad Spengler <spender@grsecurity.net>
50296Date: Fri Jun 21 16:52:55 2013 -0400
50297
50298 Merge branch 'pax-test' into grsec-test
50299
50300 Conflicts:
50301 security/Kconfig
50302
50303commit 71d83e97c936563913bcfb5a25c45b2021a331eb
50304Author: Brad Spengler <spender@grsecurity.net>
50305Date: Fri Jun 21 16:48:42 2013 -0400
50306
50307 Update to pax-linux-3.9.7-test10.patch:
50308 - fixed a few format string problems uncovered by -Wformat-nonliteral
50309 - another attempt at fixing the nested nmi/cr0.wp problem
50310 - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
50311 - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
50312 - fixed a locking issue with track_exec_limit reported by spender
50313 - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)
50314
50315 Documentation/dontdiff | 1 +
50316 arch/x86/boot/compressed/efi_stub_32.S | 16 ++-----
50317 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
50318 arch/x86/kernel/e820.c | 4 +-
50319 arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------
50320 arch/x86/kernel/vmlinux.lds.S | 2 +-
50321 block/genhd.c | 11 +++--
50322 crypto/algapi.c | 2 +-
50323 crypto/pcrypt.c | 6 +-
50324 drivers/base/attribute_container.c | 2 +-
50325 drivers/base/power/sysfs.c | 2 +-
50326 drivers/block/nbd.c | 2 +-
50327 drivers/cdrom/cdrom.c | 2 +-
50328 drivers/char/hw_random/intel-rng.c | 2 +-
50329 drivers/char/mem.c | 2 +-
50330 drivers/devfreq/devfreq.c | 2 +-
50331 drivers/gpu/drm/drm_encoder_slave.c | 6 +--
50332 drivers/gpu/drm/drm_sysfs.c | 2 +-
50333 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
50334 drivers/iommu/irq_remapping.c | 2 +-
50335 drivers/video/output.c | 2 +-
50336 fs/ext4/mmp.c | 2 +-
50337 fs/ext4/super.c | 2 +-
50338 fs/lockd/svc.c | 2 +-
50339 fs/nfs/callback.c | 4 +-
50340 fs/nfs/nfs4state.c | 2 +-
50341 fs/nfsd/nfscache.c | 3 +-
50342 init/initramfs.c | 2 +-
50343 kernel/rcutree.c | 2 +-
50344 lib/kobject.c | 2 +-
50345 mm/backing-dev.c | 4 +-
50346 mm/mmap.c | 4 +-
50347 mm/slub.c | 2 +-
50348 mm/vmalloc.c | 15 +++----
50349 net/bluetooth/hci_core.c | 8 ++--
50350 net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
50351 net/sunrpc/svc.c | 2 +-
50352 security/Kconfig | 15 +++---
50353 sound/core/sound.c | 2 +-
50354 sound/sound_core.c | 2 +-
50355 40 files changed, 116 insertions(+), 111 deletions(-)
50356
50357commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
50358Merge: 39efd8f 256eff7
50359Author: Brad Spengler <spender@grsecurity.net>
50360Date: Fri Jun 21 16:45:15 2013 -0400
50361
50362 Merge branch 'pax-test' into grsec-test
50363
50364 Conflicts:
50365 kernel/printk.c
50366
50367commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
50368Merge: e6e3059 485f25f
50369Author: Brad Spengler <spender@grsecurity.net>
50370Date: Thu Jun 20 22:14:24 2013 -0400
50371
50372 Merge branch 'linux-3.9.y' into pax-test
50373
50374commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
50375Author: Brad Spengler <spender@grsecurity.net>
50376Date: Tue Jun 18 17:20:18 2013 -0400
50377
50378 add apparmor compat patch
50379
50380 security/apparmor/Kconfig | 9 ++
50381 security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
50382 2 files changed, 240 insertions(+), 0 deletions(-)
50383
50384commit 49bee3c5341687504669bf62becf4a419a226ba0
50385Author: Brad Spengler <spender@grsecurity.net>
50386Date: Mon Jun 17 18:48:04 2013 -0400
50387
50388 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
50389
50390 This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.
50391
50392 kernel/sys.c | 29 +++--------------------------
50393 1 files changed, 3 insertions(+), 26 deletions(-)
50394
50395commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
50396Author: Al Viro <viro@ZenIV.linux.org.uk>
50397Date: Sun Jun 16 18:06:06 2013 +0100
50398
50399 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
50400
50401 lseek(fd, n, SEEK_END) does *not* go to eof - n
50402
50403 When you copy some code, you are supposed to read it. If nothing else,
50404 there's a chance to spot and fix an obvious bug instead of sharing it...
50405
50406 X-Song: "I Got It From Agnes", by Tom Lehrer
50407 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
50408 [ Tom Lehrer? You're dating yourself, Al ]
50409 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
50410
50411 drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
50412 drivers/scsi/bfa/bfad_debugfs.c | 2 +-
50413 drivers/scsi/fnic/fnic_debugfs.c | 2 +-
50414 drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
50415 4 files changed, 4 insertions(+), 4 deletions(-)
50416
50417commit 5a450f1c46f0c84379518aee878993d3f4a331b6
50418Author: Theodore Ts'o <tytso@mit.edu>
50419Date: Thu Jun 6 11:14:31 2013 -0400
50420
50421 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
50422
50423 ext4: verify group number in verify_group_input() before using it
50424
50425 Check the group number for sanity earilier, before calling routines
50426 such as ext4_bg_has_super() or ext4_group_overhead_blocks().
50427
50428 Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
50429 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
50430
50431 fs/ext4/resize.c | 17 +++++++++++------
50432 1 files changed, 11 insertions(+), 6 deletions(-)
50433
50434commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
50435Author: Neil Horman <nhorman@tuxdriver.com>
50436Date: Wed Jun 12 14:26:44 2013 -0400
50437
50438 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
50439
50440 sctp: fully initialize sctp_outq in sctp_outq_init
50441
50442 In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
50443 (refactor sctp_outq_teardown to insure proper re-initalization)
50444 we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
50445 outq structure. Steve West recently asked me why I removed the q->error = 0
50446 initalization from sctp_outq_teardown. I did so because I was operating under
50447 the impression that sctp_outq_init would properly initalize that value for us,
50448 but it doesn't. sctp_outq_init operates under the assumption that the outq
50449 struct is all 0's (as it is when called from sctp_association_init), but using
50450 it in __sctp_outq_teardown violates that assumption. We should do a memset in
50451 sctp_outq_init to ensure that the entire structure is in a known state there
50452 instead.
50453
50454 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
50455 Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
50456 CC: Vlad Yasevich <vyasevich@gmail.com>
50457 CC: netdev@vger.kernel.org
50458 CC: davem@davemloft.net
50459 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
50460 Signed-off-by: David S. Miller <davem@davemloft.net>
50461
50462 Conflicts:
50463
50464 net/sctp/outqueue.c
50465
50466 net/sctp/outqueue.c | 8 ++------
50467 1 files changed, 2 insertions(+), 6 deletions(-)
50468
50469commit e13515ad7a9c7634599a105b2527752e527a905d
50470Author: Saurabh Mohan <saurabh@vyatta.com>
50471Date: Mon Jun 10 17:45:10 2013 -0700
50472
50473 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
50474
50475 net/ipv4: ip_vti clear skb cb before tunneling.
50476
50477 If users apply shaper to vti tunnel then it will cause a kernel crash. The
50478 problem seems to be due to the vti_tunnel_xmit function not clearing
50479 skb->opt field before passing the packet to xfrm tunneling code.
50480
50481 Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
50482 Acked-by: Stephen Hemminger <stephen@networkplumber.org>
50483 Signed-off-by: David S. Miller <davem@davemloft.net>
50484
50485 net/ipv4/ip_vti.c | 3 +--
50486 1 files changed, 1 insertions(+), 2 deletions(-)
50487
50488commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
50489Author: Guillaume Nault <g.nault@alphalink.fr>
50490Date: Wed Jun 12 16:07:36 2013 +0200
50491
50492 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
50493
50494 l2tp: Fix sendmsg() return value
50495
50496 PPPoL2TP sockets should comply with the standard send*() return values
50497 (i.e. return number of bytes sent instead of 0 upon success).
50498
50499 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
50500 Signed-off-by: David S. Miller <davem@davemloft.net>
50501
50502 net/l2tp/l2tp_ppp.c | 2 +-
50503 1 files changed, 1 insertions(+), 1 deletions(-)
50504
50505commit af361b412e816e894fb42ddff7a0545b7def64c0
50506Author: Guillaume Nault <g.nault@alphalink.fr>
50507Date: Wed Jun 12 16:07:23 2013 +0200
50508
50509 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
50510
50511 l2tp: Fix PPP header erasure and memory leak
50512
50513 Copy user data after PPP framing header. This prevents erasure of the
50514 added PPP header and avoids leaking two bytes of uninitialised memory
50515 at the end of skb's data buffer.
50516
50517 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
50518 Signed-off-by: David S. Miller <davem@davemloft.net>
50519
50520 net/l2tp/l2tp_ppp.c | 4 ++--
50521 1 files changed, 2 insertions(+), 2 deletions(-)
50522
50523commit 1f43aca088c35dda35abf76e08544e534c71fed4
50524Author: Daniel Borkmann <dborkman@redhat.com>
50525Date: Wed Jun 12 16:02:27 2013 +0200
50526
50527 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
50528
50529 packet: packet_getname_spkt: make sure string is always 0-terminated
50530
50531 uaddr->sa_data is exactly of size 14, which is hard-coded here and
50532 passed as a size argument to strncpy(). A device name can be of size
50533 IFNAMSIZ (== 16), meaning we might leave the destination string
50534 unterminated. Thus, use strlcpy() and also sizeof() while we're
50535 at it. We need to memset the data area beforehand, since strlcpy
50536 does not padd the remaining buffer with zeroes for user space, so
50537 that we do not possibly leak anything.
50538
50539 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
50540 Signed-off-by: David S. Miller <davem@davemloft.net>
50541
50542 net/packet/af_packet.c | 5 ++---
50543 1 files changed, 2 insertions(+), 3 deletions(-)
50544
50545commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
50546Author: Andy Lutomirski <luto@amacapital.net>
50547Date: Wed Jun 5 19:38:26 2013 +0000
50548
50549 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
50550
50551 net: Unbreak compat_sys_{send,recv}msg
50552
50553 I broke them in this commit:
50554
50555 commit 1be374a0518a288147c6a7398792583200a67261
50556 Author: Andy Lutomirski <luto@amacapital.net>
50557 Date: Wed May 22 14:07:44 2013 -0700
50558
50559 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
50560
50561 This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
50562 MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It
50563 also reverts some unnecessary checks in sys_socketcall.
50564
50565 Apparently I was suffering from underscore blindness the first time around.
50566
50567 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
50568 Tested-by: Eric Dumazet <edumazet@google.com>
50569 Signed-off-by: David S. Miller <davem@davemloft.net>
50570
50571 include/linux/socket.h | 3 ++
50572 net/compat.c | 13 +++++++-
50573 net/socket.c | 72 ++++++++++++++++++++++--------------------------
50574 3 files changed, 47 insertions(+), 41 deletions(-)
50575
50576commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
50577Author: Andy Lutomirski <luto@amacapital.net>
50578Date: Wed May 22 14:07:44 2013 -0700
50579
50580 Upstream commit: 1be374a0518a288147c6a7398792583200a67261
50581
50582 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
50583
50584 To: linux-kernel@vger.kernel.org
50585 Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
50586 Miller" <davem@davemloft.net>
50587 Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
50588
50589 MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
50590 it's a hack that steals a bit to indicate to other networking code
50591 that a compat entry was used. So don't allow it from a non-compat
50592 syscall.
50593
50594 This prevents an oops when running this code:
50595
50596 int main()
50597 {
50598 int s;
50599 struct sockaddr_in addr;
50600 struct msghdr *hdr;
50601
50602 char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
50603 PROT_READ | PROT_WRITE,
50604 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
50605 if (highpage == MAP_FAILED)
50606 err(1, "mmap");
50607
50608 s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
50609 if (s == -1)
50610 err(1, "socket");
50611
50612 addr.sin_family = AF_INET;
50613 addr.sin_port = htons(1);
50614 addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
50615 if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
50616 err(1, "connect");
50617
50618 void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
50619 printf("Evil address is %p\n", evil);
50620
50621 if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
50622 err(1, "sendmmsg");
50623
50624 return 0;
50625 }
50626
50627 Cc: David S. Miller <davem@davemloft.net>
50628 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
50629 Signed-off-by: David S. Miller <davem@davemloft.net>
50630
50631 net/socket.c | 33 +++++++++++++++++++++++++++++++--
50632 1 files changed, 31 insertions(+), 2 deletions(-)
50633
50634commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
50635Author: Kees Cook <keescook@chromium.org>
50636Date: Fri May 10 14:48:21 2013 -0700
50637
50638 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
50639
50640 b43: stop format string leaking into error msgs
50641
50642 The module parameter "fwpostfix" is userspace controllable, unfiltered,
50643 and is used to define the firmware filename. b43_do_request_fw() populates
50644 ctx->errors[] on error, containing the firmware filename. b43err()
50645 parses its arguments as a format string. For systems with b43 hardware,
50646 this could lead to a uid-0 to ring-0 escalation.
50647
50648 CVE-2013-2852
50649
50650 Signed-off-by: Kees Cook <keescook@chromium.org>
50651 Cc: stable@vger.kernel.org
50652 Signed-off-by: John W. Linville <linville@tuxdriver.com>
50653
50654 drivers/net/wireless/b43/main.c | 2 +-
50655 1 files changed, 1 insertions(+), 1 deletions(-)
50656
50657commit dfb67a67049ace7b94ad7e2febfac69816d50d85
50658Author: Mark A. Greer <mgreer@animalcreek.com>
50659Date: Wed May 29 12:25:34 2013 -0700
50660
50661 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
50662
50663 mwifiex: debugfs: Fix out of bounds array access
50664
50665 When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
50666 the following panic occurs:
50667
50668 $ cat /sys/kernel/debug/mwifiex/p2p0/info
50669 Unable to handle kernel paging request at virtual address 74706164
50670 pgd = de530000
50671 [74706164] *pgd=00000000
50672 Internal error: Oops: 5 [#1] SMP ARM
50673 Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
50674 CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
50675 task: de16b6c0 ti: de048000 task.ti: de048000
50676 PC is at strnlen+0xc/0x4c
50677 LR is at string+0x3c/0xf8
50678 pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013
50679 sp : de049e10 ip : c06efba0 fp : de6d2092
50680 r10: bf01a260 r9 : ffffffff r8 : 74706164
50681 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000
50682 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164
50683 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
50684 Control: 10c5387d Table: 9e530019 DAC: 00000015
50685 Process cat (pid: 1635, stack limit = 0xde048240)
50686 Stack: (0xde049e10 to 0xde04a000)
50687 9e00: de6d2092 00000002 bf01a25e de6d209c
50688 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
50689 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
50690 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
50691 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
50692 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
50693 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
50694 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
50695 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
50696 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
50697 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
50698 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
50699 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
50700 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
50701 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
50702 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
50703 [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
50704 [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
50705 [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
50706 [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
50707 [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
50708 [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
50709 [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
50710 Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
50711 ---[ end trace ca98273dc605a04f ]---
50712
50713 The panic is caused by the mwifiex_info_read() routine assuming that
50714 there can only be four modes (0-3) which is an invalid assumption.
50715 For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
50716 code accesses data beyond the bounds of the bss_modes[] array which
50717 causes the panic. Fix this by updating bss_modes[] to support the
50718 current list of modes and adding a check to prevent the out-of-bounds
50719 access from occuring in the future when more modes are added.
50720
50721 Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
50722 Acked-by: Bing Zhao <bzhao@marvell.com>
50723 Signed-off-by: John W. Linville <linville@tuxdriver.com>
50724
50725 drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
50726 1 files changed, 17 insertions(+), 5 deletions(-)
50727
50728commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
50729Author: Johan Hedberg <johan.hedberg@intel.com>
50730Date: Tue May 28 13:46:30 2013 +0300
50731
50732 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
50733
50734 Bluetooth: Fix missing length checks for L2CAP signalling PDUs
50735
50736 There has been code in place to check that the L2CAP length header
50737 matches the amount of data received, but many PDU handlers have not been
50738 checking that the data received actually matches that expected by the
50739 specific PDU. This patch adds passing the length header to the specific
50740 handler functions and ensures that those functions fail cleanly in the
50741 case of an incorrect amount of data.
50742
50743 Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
50744 Cc: stable@vger.kernel.org
50745 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
50746 Signed-off-by: John W. Linville <linville@tuxdriver.com>
50747
50748 net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++-----------
50749 1 files changed, 52 insertions(+), 18 deletions(-)
50750
50751commit 628be2427afb241b5a1aa24bc5907d05287e1f25
50752Author: Dan Carpenter <dan.carpenter@oracle.com>
50753Date: Mon Jun 3 12:00:49 2013 +0300
50754
50755 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
50756
50757 ipvs: info leak in __ip_vs_get_dest_entries()
50758
50759 The entry struct has a 2 byte hole after ->port and another 4 byte
50760 hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your
50761 namespace to hit this information leak.
50762
50763 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
50764 Acked-by: Julian Anastasov <ja@ssi.bg>
50765 Signed-off-by: Simon Horman <horms@verge.net.au>
50766 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
50767
50768 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
50769 1 files changed, 1 insertions(+), 0 deletions(-)
50770
50771commit 066d9226bc6c569d5f420c978b758e0bddd23444
50772Author: Robin Holt <holt@sgi.com>
50773Date: Wed Jun 12 14:04:37 2013 -0700
50774
50775 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
50776
50777 reboot: rigrate shutdown/reboot to boot cpu
50778
50779 We recently noticed that reboot of a 1024 cpu machine takes approx 16
50780 minutes of just stopping the cpus. The slowdown was tracked to commit
50781 f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
50782 kernel_restart()").
50783
50784 The current implementation does all the work of hot removing the cpus
50785 before halting the system. We are switching to just migrating to the
50786 boot cpu and then continuing with shutdown/reboot.
50787
50788 This also has the effect of not breaking x86's command line parameter
50789 for specifying the reboot cpu. Note, this code was shamelessly copied
50790 from arch/x86/kernel/reboot.c with bits removed pertaining to the
50791 reboot_cpu command line parameter.
50792
50793 Signed-off-by: Robin Holt <holt@sgi.com>
50794 Tested-by: Shawn Guo <shawn.guo@linaro.org>
50795 Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
50796 Cc: H. Peter Anvin <hpa@zytor.com>
50797 Cc: Thomas Gleixner <tglx@linutronix.de>
50798 Cc: Ingo Molnar <mingo@elte.hu>
50799 Cc: Russ Anderson <rja@sgi.com>
50800 Cc: Robin Holt <holt@sgi.com>
50801 Cc: Russell King <linux@arm.linux.org.uk>
50802 Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
50803 Cc: <stable@vger.kernel.org>
50804 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
50805 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
50806
50807 kernel/sys.c | 29 ++++++++++++++++++++++++++---
50808 1 files changed, 26 insertions(+), 3 deletions(-)
50809
50810commit 94e2a91600b07d39825e7059195f35eb611a39a2
50811Merge: 20cc761 e6e3059
50812Author: Brad Spengler <spender@grsecurity.net>
50813Date: Thu Jun 13 16:23:46 2013 -0400
50814
50815 Merge branch 'pax-test' into grsec-test
50816
50817commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
50818Merge: c6aadb1 4b73feb
50819Author: Brad Spengler <spender@grsecurity.net>
50820Date: Thu Jun 13 16:23:39 2013 -0400
50821
50822 Merge branch 'linux-3.9.y' into pax-test
50823
50824commit 20cc7613e38cde07adc73179a91d6c15292e8d43
50825Author: Daniel Borkmann <dborkman@redhat.com>
50826Date: Thu Jun 6 15:53:47 2013 +0200
50827
50828 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
50829
50830 net: sctp: fix NULL pointer dereference in socket destruction
50831
50832 While stress testing sctp sockets, I hit the following panic:
50833
50834 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
50835 IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
50836 PGD 7cead067 PUD 7ce76067 PMD 0
50837 Oops: 0000 [#1] SMP
50838 Modules linked in: sctp(F) libcrc32c(F) [...]
50839 CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
50840 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
50841 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
50842 RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
50843 RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
50844 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
50845 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
50846 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
50847 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
50848 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
50849 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
50850 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
50851 CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
50852 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
50853 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
50854 Stack:
50855 ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
50856 ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
50857 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
50858 Call Trace:
50859 [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
50860 [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
50861 [<ffffffff814df36e>] inet_create+0x2ae/0x350
50862 [<ffffffff81455a6f>] __sock_create+0x11f/0x240
50863 [<ffffffff81455bf0>] sock_create+0x30/0x40
50864 [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
50865 [<ffffffff815403be>] ? do_page_fault+0xe/0x10
50866 [<ffffffff8153cb32>] ? page_fault+0x22/0x30
50867 [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
50868 Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
50869 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
50870 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
50871 RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
50872 RSP <ffff88007b569e08>
50873 CR2: 0000000000000020
50874 ---[ end trace e0d71ec1108c1dd9 ]---
50875
50876 I did not hit this with the lksctp-tools functional tests, but with a
50877 small, multi-threaded test program, that heavily allocates, binds,
50878 listens and waits in accept on sctp sockets, and then randomly kills
50879 some of them (no need for an actual client in this case to hit this).
50880 Then, again, allocating, binding, etc, and then killing child processes.
50881
50882 This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
50883 is set. The cause for that is actually very simple: in sctp_endpoint_init()
50884 we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
50885 our crypto transforms through crypto_alloc_hash(). In our scenario,
50886 it then can happen that crypto_alloc_hash() fails with -EINTR from
50887 crypto_larval_wait(), thus we bail out and release the socket via
50888 sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
50889 dereference as soon as we try to access members in the endpoint during
50890 sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
50891 if we have that case, we do not need to do any cleanup work and just
50892 leave the destruction handler.
50893
50894 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
50895 Acked-by: Neil Horman <nhorman@tuxdriver.com>
50896 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
50897 Signed-off-by: David S. Miller <davem@davemloft.net>
50898
50899 net/sctp/socket.c | 6 ++++++
50900 1 files changed, 6 insertions(+), 0 deletions(-)
50901
50902commit 386ba837978cc8a1111440bdcd8600f2df4634a4
50903Author: Brad Spengler <spender@grsecurity.net>
50904Date: Wed Jun 12 20:37:48 2013 -0400
50905
50906 fix deadlock when booting i386 kernel without NX
50907
50908 mm/mmap.c | 4 +++-
50909 1 files changed, 3 insertions(+), 1 deletions(-)
50910
50911commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
50912Author: Brad Spengler <spender@grsecurity.net>
50913Date: Tue Jun 11 22:18:07 2013 -0400
50914
50915 fix elif / elif defined() typo in recent change
50916
50917 kernel/events/core.c | 2 +-
50918 1 files changed, 1 insertions(+), 1 deletions(-)
50919
50920commit bc43377e1e757cd37a06be0187884a42af718aab
50921Merge: 3cdea63 c6aadb1
50922Author: Brad Spengler <spender@grsecurity.net>
50923Date: Tue Jun 11 18:50:39 2013 -0400
50924
50925 Merge branch 'pax-test' into grsec-test
50926
50927commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
50928Author: Brad Spengler <spender@grsecurity.net>
50929Date: Tue Jun 11 18:49:36 2013 -0400
50930
50931 Update to pax-linux-3.9.4-test9.patch:
50932 - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
50933 - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort
50934
50935 arch/x86/kernel/setup.c | 2 +-
50936 mm/mlock.c | 1 -
50937 2 files changed, 1 insertions(+), 2 deletions(-)
50938
50939commit 3cdea63e90607d8d55820b101854091623feedb8
50940Author: Brad Spengler <spender@grsecurity.net>
50941Date: Mon Jun 10 21:21:44 2013 -0400
50942
50943 Fix fanotify infoleak reported by Dan Carpenter at:
50944 https://lkml.org/lkml/2013/6/3/128
50945
50946 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets
50947
50948 fs/notify/fanotify/fanotify_user.c | 1 +
50949 1 files changed, 1 insertions(+), 0 deletions(-)
50950
50951commit 373a2b5df78f82b9d3db72bd6577e29a71591323
50952Author: Brad Spengler <spender@grsecurity.net>
50953Date: Mon Jun 10 21:16:46 2013 -0400
50954
50955 Backport infoleak fix by Dan Carpenter in cpqarray:
50956 https://lkml.org/lkml/2013/6/3/131
50957
50958 drivers/block/cpqarray.c | 1 +
50959 1 files changed, 1 insertions(+), 0 deletions(-)
50960
50961commit 251e84b9b05e063981b20be154c9389862f94759
50962Author: Brad Spengler <spender@grsecurity.net>
50963Date: Mon Jun 10 21:04:17 2013 -0400
50964
50965 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2
50966
50967 drivers/cdrom/cdrom.c | 4 ++--
50968 1 files changed, 2 insertions(+), 2 deletions(-)
50969
50970commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
50971Author: Brad Spengler <spender@grsecurity.net>
50972Date: Mon Jun 10 18:34:32 2013 -0400
50973
50974 change const to __read_only
50975
50976 kernel/sysctl.c | 18 +++++++++---------
50977 1 files changed, 9 insertions(+), 9 deletions(-)
50978
50979commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
50980Author: Brad Spengler <spender@grsecurity.net>
50981Date: Mon Jun 10 17:34:13 2013 -0400
50982
50983 compile fix, make const values const
50984
50985 kernel/sysctl.c | 18 +++++++++---------
50986 1 files changed, 9 insertions(+), 9 deletions(-)
50987
50988commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
50989Author: Brad Spengler <spender@grsecurity.net>
50990Date: Mon Jun 10 17:37:13 2013 -0400
50991
50992 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a
50993
50994 drivers/char/mwave/tp3780i.c | 1 +
50995 1 files changed, 1 insertions(+), 0 deletions(-)
50996
50997commit 1c590aa70c95ebd76ba9672aa23d800b81780615
50998Author: Brad Spengler <spender@grsecurity.net>
50999Date: Sun Jun 9 19:50:35 2013 -0400
51000
51001 allow -1 perf_event_paranoid
51002
51003 kernel/sysctl.c | 2 +-
51004 1 files changed, 1 insertions(+), 1 deletions(-)
51005
51006commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
51007Merge: 4e85539 117c3fa
51008Author: Brad Spengler <spender@grsecurity.net>
51009Date: Sun Jun 9 17:30:12 2013 -0400
51010
51011 Merge branch 'pax-test' into grsec-test
51012
51013commit 117c3fa8d26c3806103123560f807d99071b60b6
51014Merge: ed9b427 5dd2e98
51015Author: Brad Spengler <spender@grsecurity.net>
51016Date: Sun Jun 9 17:30:00 2013 -0400
51017
51018 Merge branch 'linux-3.9.y' into pax-test
51019
51020commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
51021Author: Eric Dumazet <edumazet@google.com>
51022Date: Mon May 13 21:25:52 2013 +0000
51023
51024 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
51025
51026 tcp: fix tcp_md5_hash_skb_data()
51027
51028 TCP md5 communications fail [1] for some devices, because sg/crypto code
51029 assume page offsets are below PAGE_SIZE.
51030
51031 This was discovered using mlx4 driver [2], but I suspect loopback
51032 might trigger the same bug now we use order-3 pages in tcp_sendmsg()
51033
51034 [1] Failure is giving following messages.
51035
51036 huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
51037 exited with 00000101?
51038
51039 [2] mlx4 driver uses order-2 pages to allocate RX frags
51040
51041 Reported-by: Matt Schnall <mischnal@google.com>
51042 Signed-off-by: Eric Dumazet <edumazet@google.com>
51043 Cc: Bernhard Beck <bbeck@google.com>
51044 Signed-off-by: David S. Miller <davem@davemloft.net>
51045
51046 net/ipv4/tcp.c | 7 +++++--
51047 1 files changed, 5 insertions(+), 2 deletions(-)
51048
51049commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
51050Author: Eric Dumazet <edumazet@google.com>
51051Date: Fri May 17 04:53:13 2013 +0000
51052
51053 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
51054
51055 ipv6: fix possible crashes in ip6_cork_release()
51056
51057 commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
51058 added some code duplication and bad error recovery, leading to potential
51059 crash in ip6_cork_release() as kfree() could be called with garbage.
51060
51061 use kzalloc() to make sure this wont happen.
51062
51063 Signed-off-by: Eric Dumazet <edumazet@google.com>
51064 Signed-off-by: David S. Miller <davem@davemloft.net>
51065 Cc: Herbert Xu <herbert@gondor.apana.org.au>
51066 Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
51067 Cc: Neal Cardwell <ncardwell@google.com>
51068
51069 net/ipv6/ip6_output.c | 2 +-
51070 1 files changed, 1 insertions(+), 1 deletions(-)
51071
51072commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
51073Author: Chen Gang <gang.chen@asianux.com>
51074Date: Thu May 16 23:13:04 2013 +0000
51075
51076 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
51077
51078 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
51079
51080 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
51081 strncpy() will always left the last byte of 'discovery->data.info'
51082 uninitialized.
51083
51084 When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
51085 the last byte of 'discovery->data.info' uninitialized, the next
51086 strlen() will cause issue.
51087
51088 Also 'discovery->data' is 'struct irda_device_info' which defined in
51089 "include/uapi/...", it may copy to user mode, so need whole initialized.
51090
51091 All together, need use kzalloc() instead of kmalloc() to initialize all
51092 members firstly.
51093
51094 Signed-off-by: Chen Gang <gang.chen@asianux.com>
51095 Signed-off-by: David S. Miller <davem@davemloft.net>
51096
51097 net/irda/irlap_frame.c | 2 +-
51098 1 files changed, 1 insertions(+), 1 deletions(-)
51099
51100commit c01c9af268cb066f240aec53454b8b74d8d01688
51101Author: Dan Carpenter <dan.carpenter@oracle.com>
51102Date: Sun May 19 08:36:36 2013 +0000
51103
51104 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
51105
51106 isdn/kcapi: fix a small underflow
51107
51108 In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
51109 from skb->data. The current code can underflow to one space before the
51110 start of the array.
51111
51112 The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
51113 it to match the others.
51114
51115 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
51116 Signed-off-by: David S. Miller <davem@davemloft.net>
51117
51118 drivers/isdn/capi/kcapi.c | 6 +++---
51119 1 files changed, 3 insertions(+), 3 deletions(-)
51120
51121commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
51122Author: Timo Teräs <timo.teras@iki.fi>
51123Date: Wed May 22 01:40:47 2013 +0000
51124
51125 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
51126
51127 xfrm: properly handle invalid states as an error
51128
51129 The error exit path needs err explicitly set. Otherwise it
51130 returns success and the only caller, xfrm_output_resume(),
51131 would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
51132 NULL.
51133
51134 Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
51135 check and add a statistic).
51136
51137 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
51138 Cc: Li RongQing <roy.qing.li@gmail.com>
51139 Cc: Steffen Klassert <steffen.klassert@secunet.com>
51140 Signed-off-by: David S. Miller <davem@davemloft.net>
51141
51142 net/xfrm/xfrm_output.c | 1 +
51143 1 files changed, 1 insertions(+), 0 deletions(-)
51144
51145commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
51146Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
51147Date: Fri May 31 15:07:52 2013 -0400
51148
51149 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
51150
51151 reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
51152
51153 After sleeping for filldir(), we check to see if the file system has
51154 changed and research. The next_pos pointer is updated but its value
51155 isn't pushed into the key used for the search itself. As a result,
51156 the search returns the same item that the last cycle of the loop did
51157 and filldir() is called multiple times with the same data.
51158
51159 The end result is that the buffer can contain the same name multiple
51160 times. This can be returned to userspace or used internally in the
51161 xattr code where it can manifest with the following warning:
51162
51163 jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
51164
51165 reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
51166 the xattr names and ends up trying to unlink the same name twice. The
51167 second attempt fails with -ENOENT and the error is returned. At some
51168 point I'll need to add support into reiserfsck to remove the orphaned
51169 directories left behind when this occurs.
51170
51171 The fix is to push the value into the key before researching.
51172
51173 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
51174 Signed-off-by: Jan Kara <jack@suse.cz>
51175
51176 fs/reiserfs/dir.c | 2 ++
51177 1 files changed, 2 insertions(+), 0 deletions(-)
51178
51179commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
51180Author: Jeff Mahoney <jeffm@suse.com>
51181Date: Fri May 31 15:51:17 2013 -0400
51182
51183 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
51184
51185 reiserfs: fix deadlock with nfs racing on create/lookup
51186
51187 Reiserfs is currently able to be deadlocked by having two NFS clients
51188 where one has removed and recreated a file and another is accessing the
51189 file with an open file handle.
51190
51191 If one client deletes and recreates a file with timing such that the
51192 recreated file obtains the same [dirid, objectid] pair as the original
51193 file while another client accesses the file via file handle, the create
51194 and lookup can race and deadlock if the lookup manages to create the
51195 in-memory inode first.
51196
51197 The create thread, in insert_inode_locked4, will hold the write lock
51198 while waiting on the other inode to be unlocked. The lookup thread,
51199 anywhere in the iget path, will release and reacquire the write lock while
51200 it schedules. If it needs to reacquire the lock while the create thread
51201 has it, it will never be able to make forward progress because it needs
51202 to reacquire the lock before ultimately unlocking the inode.
51203
51204 This patch drops the write lock across the insert_inode_locked4 call so
51205 that the ordering of inode_wait -> write lock is retained. Since this
51206 would have been the case before the BKL push-down, this is safe.
51207
51208 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
51209 Signed-off-by: Jan Kara <jack@suse.cz>
51210
51211 fs/reiserfs/inode.c | 9 +++++++--
51212 1 files changed, 7 insertions(+), 2 deletions(-)
51213
51214commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
51215Author: Jeff Mahoney <jeffm@suse.com>
51216Date: Fri May 31 15:54:17 2013 -0400
51217
51218 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
51219
51220 reiserfs: fix problems with chowning setuid file w/ xattrs
51221
51222 reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
51223 and uses it to iterate over all the attrs associated with a file to change
51224 ownership of xattrs (and transfer quota associated with the xattr files).
51225
51226 When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
51227 are passed to all the xattrs as well. This means that the xattr directory
51228 will have S_IFREG added to its mode bits.
51229
51230 This has been prevented in practice by a missing IS_PRIVATE check
51231 in reiserfs_acl_chmod, which caused a double-lock to occur while holding
51232 the write lock. Since the file system was completely locked up, the
51233 writeout of the corrupted mode never happened.
51234
51235 This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
51236 calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
51237
51238 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
51239 Signed-off-by: Jan Kara <jack@suse.cz>
51240
51241 fs/reiserfs/xattr.c | 14 +++++++++++++-
51242 fs/reiserfs/xattr_acl.c | 3 +++
51243 2 files changed, 16 insertions(+), 1 deletions(-)
51244
51245commit c18cef940310c06bdf86d64d8cb227e56e165300
51246Author: Dave Chinner <dchinner@redhat.com>
51247Date: Mon May 27 16:38:25 2013 +1000
51248
51249 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
51250
51251 xfs: kill suid/sgid through the truncate path.
51252
51253 XFS has failed to kill suid/sgid bits correctly when truncating
51254 files of non-zero size since commit c4ed4243 ("xfs: split
51255 xfs_setattr") introduced in the 3.1 kernel. Fix it.
51256
51257 Fix it.
51258
51259 cc: stable kernel <stable@vger.kernel.org>
51260 Signed-off-by: Dave Chinner <dchinner@redhat.com>
51261 Reviewed-by: Brian Foster <bfoster@redhat.com>
51262 Signed-off-by: Ben Myers <bpm@sgi.com>
51263
51264 (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)
51265
51266 fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
51267 1 files changed, 32 insertions(+), 15 deletions(-)
51268
51269commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
51270Author: Trond Myklebust <Trond.Myklebust@netapp.com>
51271Date: Wed May 29 15:36:40 2013 -0400
51272
51273 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
51274
51275 NFSv4: Fix a thinko in nfs4_try_open_cached
51276
51277 We need to pass the full open mode flags to nfs_may_open() when doing
51278 a delegated open.
51279
51280 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
51281 Cc: stable@vger.kernel.org
51282
51283 fs/nfs/nfs4proc.c | 2 +-
51284 1 files changed, 1 insertions(+), 1 deletions(-)
51285
51286commit c47de62893a9f269be0a272c2840aac1e2a35c68
51287Author: Chen Gang <gang.chen@asianux.com>
51288Date: Thu May 30 01:18:43 2013 +0000
51289
51290 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
51291
51292 parisc: kernel: using strlcpy() instead of strcpy()
51293
51294 'boot_args' is an input args, and 'boot_command_line' has a fix length.
51295 So use strlcpy() instead of strcpy() to avoid memory overflow.
51296
51297 Signed-off-by: Chen Gang <gang.chen@asianux.com>
51298 Acked-by: Kyle McMartin <kyle@mcmartin.ca>
51299 Signed-off-by: Helge Deller <deller@gmx.de>
51300
51301 arch/parisc/kernel/setup.c | 3 ++-
51302 1 files changed, 2 insertions(+), 1 deletions(-)
51303
51304commit ce869e6f799f95fcac340420ba3612503df80dbf
51305Author: Chen Gang <gang.chen@asianux.com>
51306Date: Mon May 27 04:57:09 2013 +0000
51307
51308 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
51309
51310 parisc: memory overflow, 'name' length is too short for using
51311
51312 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
51313 * "%u:" + "%u" + '\0') may be 21.
51314
51315 Since 'name' length is 20, it may be memory overflow.
51316
51317 And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
51318 max length of 'name' must be less than 28.
51319
51320 So simplify thinking, we can use 28 instead of 20 directly, and do not
51321 think of whether 'patchc.bc[i]' can '> 100'.
51322
51323 Signed-off-by: Chen Gang <gang.chen@asianux.com>
51324 Signed-off-by: Helge Deller <deller@gmx.de>
51325
51326 arch/parisc/kernel/drivers.c | 2 +-
51327 1 files changed, 1 insertions(+), 1 deletions(-)
51328
51329commit 5dc65cd34d442783118a17c518e2daedb90a31d0
51330Author: Brad Spengler <spender@grsecurity.net>
51331Date: Tue Jun 4 17:52:23 2013 -0400
51332
51333 add PERF_HARDEN recommendation
51334
51335 grsecurity/Kconfig | 3 +++
51336 1 files changed, 3 insertions(+), 0 deletions(-)
51337
51338commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
51339Author: Brad Spengler <spender@grsecurity.net>
51340Date: Tue Jun 4 17:22:44 2013 -0400
51341
51342 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN
51343
51344 grsecurity/Kconfig | 19 +++++++++++++++++++
51345 include/linux/perf_event.h | 5 +++++
51346 kernel/events/core.c | 10 +++++++++-
51347 kernel/sysctl.c | 9 ++++++++-
51348 4 files changed, 41 insertions(+), 2 deletions(-)
51349
51350commit 84619a3501fd38285a72d9e963f58d1827beedd6
51351Author: Brad Spengler <spender@grsecurity.net>
51352Date: Sat Jun 1 14:23:31 2013 -0400
51353
51354 remove user-triggerable BUG_ON in do_munlockall()
51355
51356 mm/mlock.c | 1 -
51357 1 files changed, 0 insertions(+), 1 deletions(-)
51358
51359commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
51360Author: Brad Spengler <spender@grsecurity.net>
51361Date: Sat Jun 1 13:44:05 2013 -0400
51362
51363 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
51364
51365 From: Kees Cook <keescook@chromium.org>
51366 Date: Thu, 23 May 2013 17:32:17 +0000
51367 Subject: iscsi-target: fix heap buffer overflow on error
51368
51369 If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
51370 error response packet, generated by iscsi_add_notunderstood_response(),
51371 would still attempt to copy the entire key into the packet, overflowing
51372 the structure on the heap.
51373
51374 Remote preauthentication kernel memory corruption was possible if a
51375 target was configured and listening on the network.
51376
51377 CVE-2013-2850
51378
51379 Embargo-screwup-by: Kees Cook <keescook@chromium.org>
51380 Cc: stable@vger.kernel.org
51381 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
51382
51383 drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
51384 drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
51385 2 files changed, 6 insertions(+), 6 deletions(-)
51386
51387commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
51388Author: Brad Spengler <spender@grsecurity.net>
51389Date: Sat Jun 1 13:43:26 2013 -0400
51390
51391 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
51392 Applying upstream fix instead
51393
51394 This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.
51395
51396 drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
51397 1 files changed, 3 insertions(+), 2 deletions(-)
51398
51399commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
51400Author: Dan Carpenter <dan.carpenter@oracle.com>
51401Date: Sun May 19 21:52:20 2013 +0300
51402
51403 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
51404
51405 USB: cxacru: potential underflow in cxacru_cm_get_array()
51406
51407 commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
51408
51409 The value of "offd" comes off the instance->rcv_buf[] and we used it as
51410 the offset into an array. The problem is that we check the upper bound
51411 but not for negative values.
51412
51413 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
51414 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
51415 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
51416
51417 drivers/usb/atm/cxacru.c | 3 ++-
51418 1 files changed, 2 insertions(+), 1 deletions(-)
51419
51420commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
51421Author: Brad Spengler <spender@grsecurity.net>
51422Date: Sat Jun 1 11:30:17 2013 -0400
51423
51424 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters
51425
51426 drivers/target/iscsi/iscsi_target_parameters.c | 5 ++---
51427 1 files changed, 2 insertions(+), 3 deletions(-)
51428
51429commit 8578566969d91678a3d7d5251b4eafc6d7775314
51430Author: Brad Spengler <spender@grsecurity.net>
51431Date: Thu May 30 17:44:15 2013 -0400
51432
51433 Apply compatibility fix to previous RLIMIT_NPROC change
51434 don't enforce the rlimit check at exec time if the user is root
51435 Prevents problems with sudo if root is listed as part of a group
51436 in limits.conf with process limits enforced
51437
51438 kernel/sys.c | 2 +-
51439 1 files changed, 1 insertions(+), 1 deletions(-)
51440
51441commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
51442Merge: 643b294 ed9b427
51443Author: Brad Spengler <spender@grsecurity.net>
51444Date: Wed May 29 19:19:28 2013 -0400
51445
51446 Merge branch 'pax-test' into grsec-test
51447
51448commit ed9b4276488528d0c3803df1dc0df804238241e0
51449Author: Brad Spengler <spender@grsecurity.net>
51450Date: Wed May 29 19:18:45 2013 -0400
51451
51452 Updated to pax-linux-3.9.4-test8.patch:
51453 - fixed some fallout detected by the checker plugin
51454
51455 arch/x86/kernel/crash_dump_64.c | 2 +-
51456 drivers/base/devtmpfs.c | 6 +++---
51457 drivers/char/agp/compat_ioctl.c | 2 +-
51458 drivers/char/agp/frontend.c | 2 +-
51459 drivers/char/mem.c | 2 +-
51460 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++--
51461 drivers/i2c/i2c-dev.c | 2 +-
51462 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++---
51463 drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++--------
51464 fs/9p/vfs_addr.c | 2 +-
51465 fs/binfmt_elf.c | 4 ++--
51466 fs/compat_ioctl.c | 4 ++--
51467 fs/exec.c | 2 +-
51468 fs/namespace.c | 8 ++++----
51469 fs/proc/vmcore.c | 12 ++++++++----
51470 fs/read_write.c | 2 +-
51471 include/linux/syscalls.h | 8 ++++----
51472 init/do_mounts_initrd.c | 8 ++++----
51473 init/main.c | 4 ++--
51474 kernel/events/core.c | 2 +-
51475 kernel/events/internal.h | 10 +++++-----
51476 mm/page_io.c | 2 +-
51477 security/keys/internal.h | 2 +-
51478 tools/gcc/checker_plugin.c | 1 +
51479 24 files changed, 63 insertions(+), 54 deletions(-)
51480
51481commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
51482Author: Brad Spengler <spender@grsecurity.net>
51483Date: Wed May 29 18:51:31 2013 -0400
51484
51485 eliminate gcc warning
51486
51487 fs/exec.c | 4 ++--
51488 1 files changed, 2 insertions(+), 2 deletions(-)
51489
51490commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
51491Author: Brad Spengler <spender@grsecurity.net>
51492Date: Wed May 29 18:30:20 2013 -0400
51493
51494 use BUILD_BUG() instead of BUILD_BUG_ON(1)
51495
51496 arch/x86/net/bpf_jit_comp.c | 4 ++--
51497 1 files changed, 2 insertions(+), 2 deletions(-)
51498
51499commit 5343410354267368e5809f3ad8d9a264f141be18
51500Author: Brad Spengler <spender@grsecurity.net>
51501Date: Wed May 29 17:57:41 2013 -0400
51502
51503 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
51504 for unknown opcodes
51505
51506 arch/x86/net/bpf_jit_comp.c | 11 +++++++----
51507 1 files changed, 7 insertions(+), 4 deletions(-)
51508
51509commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
51510Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
51511Date: Fri May 24 15:55:11 2013 -0700
51512
51513 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
51514
51515 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
51516
51517 Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
51518 multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
51519 fix freed page still mapped in secondary MMU").
51520
51521 Since hlist_for_each_entry_rcu() is changed now, we can not revert that
51522 patch directly, so this patch reverts the commit and simply fix the bug
51523 spotted by that patch
51524
51525 This bug spotted by commit 751efd8610d3 is:
51526
51527 There is a race condition between mmu_notifier_unregister() and
51528 __mmu_notifier_release().
51529
51530 Assume two tasks, one calling mmu_notifier_unregister() as a result
51531 of a filp_close() ->flush() callout (task A), and the other calling
51532 mmu_notifier_release() from an mmput() (task B).
51533
51534 A B
51535 t1 srcu_read_lock()
51536 t2 if (!hlist_unhashed())
51537 t3 srcu_read_unlock()
51538 t4 srcu_read_lock()
51539 t5 hlist_del_init_rcu()
51540 t6 synchronize_srcu()
51541 t7 srcu_read_unlock()
51542 t8 hlist_del_rcu() <--- NULL pointer deref.
51543
51544 This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
51545
51546 The another issue spotted in the commit is "multiple ->release()
51547 callouts", we needn't care it too much because it is really rare (e.g,
51548 can not happen on kvm since mmu-notify is unregistered after
51549 exit_mmap()) and the later call of multiple ->release should be fast
51550 since all the pages have already been released by the first call.
51551 Anyway, this issue should be fixed in a separate patch.
51552
51553 -stable suggestions: Any version that has commit 751efd8610d3 need to be
51554 backported. I find the oldest version has this commit is 3.0-stable.
51555
51556 [akpm@linux-foundation.org: tweak comments]
51557 Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
51558 Tested-by: Robin Holt <holt@sgi.com>
51559 Cc: <stable@vger.kernel.org>
51560 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
51561 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51562
51563 mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------
51564 1 files changed, 39 insertions(+), 40 deletions(-)
51565
51566commit 163a5539b36247865d39b2bcfa8efc03a62124a6
51567Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
51568Date: Fri May 24 15:55:21 2013 -0700
51569
51570 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
51571
51572 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
51573
51574 We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
51575 set_pmd_at is used to set pmd with huge pte entries and architectures
51576 like ppc64, clear few flags from the pte when saving a new entry.
51577 Without this change we observe bad pte errors like below on ppc64 with
51578 THP enabled.
51579
51580 BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
51581
51582 Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
51583 Cc: Hugh Dickins <hughd@google.com>
51584 Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
51585 Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
51586 Cc: <stable@vger.kernel.org>
51587 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
51588 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51589
51590 mm/huge_memory.c | 7 ++++++-
51591 1 files changed, 6 insertions(+), 1 deletions(-)
51592
51593commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
51594Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
51595Date: Fri May 24 15:55:08 2013 -0700
51596
51597 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
51598
51599 fat: fix possible overflow for fat_clusters
51600
51601 Intermediate value of fat_clusters can be overflowed on 32bits arch.
51602
51603 Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
51604 Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
51605 Cc: <stable@vger.kernel.org>
51606 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
51607 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51608
51609 fs/fat/inode.c | 15 ++++++++++++++-
51610 1 files changed, 14 insertions(+), 1 deletions(-)
51611
51612commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
51613Author: Jarod Wilson <jarod@redhat.com>
51614Date: Fri May 24 15:55:31 2013 -0700
51615
51616 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
51617
51618 drivers/char/random.c: fix priming of last_data
51619
51620 Commit ec8f02da9ea5 ("random: prime last_data value per fips
51621 requirements") added priming of last_data per fips requirements.
51622
51623 Unfortuantely, it did so in a way that can lead to multiple threads all
51624 incrementing nbytes, but only one actually doing anything with the extra
51625 data, which leads to some fun random corruption and panics.
51626
51627 The fix is to simply do everything needed to prime last_data in a single
51628 shot, so there's no window for multiple cpus to increment nbytes -- in
51629 fact, we won't even increment or decrement nbytes anymore, we'll just
51630 extract the needed EXTRACT_SIZE one time per pool and then carry on with
51631 the normal routine.
51632
51633 All these changes have been tested across multiple hosts and
51634 architectures where panics were previously encoutered. The code changes
51635 are are strictly limited to areas only touched when when booted in fips
51636 mode.
51637
51638 This change should also go into 3.8-stable, to make the myriads of fips
51639 users on 3.8.x happy.
51640
51641 Signed-off-by: Jarod Wilson <jarod@redhat.com>
51642 Tested-by: Jan Stancek <jstancek@redhat.com>
51643 Tested-by: Jan Stodola <jstodola@redhat.com>
51644 Cc: Herbert Xu <herbert@gondor.apana.org.au>
51645 Acked-by: Neil Horman <nhorman@tuxdriver.com>
51646 Cc: "David S. Miller" <davem@davemloft.net>
51647 Cc: Matt Mackall <mpm@selenic.com>
51648 Cc: "Theodore Ts'o" <tytso@mit.edu>
51649 Cc: <stable@vger.kernel.org>
51650 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
51651 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51652
51653 drivers/char/random.c | 30 +++++++++++++++---------------
51654 1 files changed, 15 insertions(+), 15 deletions(-)
51655
51656commit 2d74639040ba6ce47f57ec010714ec06529c4b42
51657Author: Jiri Kosina <jkosina@suse.cz>
51658Date: Fri May 24 15:55:33 2013 -0700
51659
51660 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
51661
51662 random: fix accounting race condition with lockless irq entropy_count update
51663
51664 Commit 902c098a3663 ("random: use lockless techniques in the interrupt
51665 path") turned IRQ path from being spinlock protected into lockless
51666 cmpxchg-retry update.
51667
51668 That commit removed r->lock serialization between crediting entropy bits
51669 from IRQ context and accounting when extracting entropy on userspace
51670 read path, but didn't turn the r->entropy_count reads/updates in
51671 account() to use cmpxchg as well.
51672
51673 It has been observed, that under certain circumstances this leads to
51674 read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
51675 corrupted and becomes negative, which in turn results in propagating 0
51676 all the way from account() to the actual read() call.
51677
51678 Convert the accounting code to be the proper lockless counterpart of
51679 what has been partially done by 902c098a3663.
51680
51681 Signed-off-by: Jiri Kosina <jkosina@suse.cz>
51682 Cc: Theodore Ts'o <tytso@mit.edu>
51683 Cc: Greg KH <greg@kroah.com>
51684 Cc: <stable@vger.kernel.org>
51685 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
51686 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
51687
51688 drivers/char/random.c | 26 +++++++++++++++++---------
51689 1 files changed, 17 insertions(+), 9 deletions(-)
51690
51691commit 65d05c7ea468c23c175105526dd4f163302a92cf
51692Merge: 1a98d0a 6ce3a135
51693Author: Brad Spengler <spender@grsecurity.net>
51694Date: Sat May 25 07:48:15 2013 -0400
51695
51696 Merge branch 'pax-test' into grsec-test
51697
51698 Conflicts:
51699 arch/x86/kernel/vm86_32.c
51700
51701commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
51702Merge: 79bdd65 0bfd8ff
51703Author: Brad Spengler <spender@grsecurity.net>
51704Date: Sat May 25 07:46:55 2013 -0400
51705
51706 Merge branch 'linux-3.9.y' into pax-test
51707
51708commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
51709Author: Brad Spengler <spender@grsecurity.net>
51710Date: Thu May 23 18:42:23 2013 -0400
51711
51712 use existing local variable
51713
51714 fs/exec.c | 2 +-
51715 1 files changed, 1 insertions(+), 1 deletions(-)
51716
51717commit b2b80ef8586061e32e986b31608717c25d1e7c54
51718Merge: cb45fbd 79bdd65
51719Author: Brad Spengler <spender@grsecurity.net>
51720Date: Thu May 23 17:58:53 2013 -0400
51721
51722 Merge branch 'pax-test' into grsec-test
51723
51724commit 79bdd65dac68267bc1b201c6b4a99966a373c305
51725Author: Brad Spengler <spender@grsecurity.net>
51726Date: Thu May 23 17:57:46 2013 -0400
51727
51728 Update to pax-linux-3.9.3-test7.patch:
51729 - fixed some size overflow related warnings (hash table, attributes)
51730 - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html
51731
51732 arch/x86/include/asm/page_64.h | 2 +-
51733 arch/x86/kernel/head64.c | 2 +-
51734 tools/gcc/constify_plugin.c | 48 ++-
51735 tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
51736 4 files changed, 651 insertions(+), 592 deletions(-)
51737
51738commit cb45fbda4967b1b544a754fbdc92d73283379522
51739Merge: 62588fa 57c11b8
51740Author: Brad Spengler <spender@grsecurity.net>
51741Date: Mon May 20 17:32:17 2013 -0400
51742
51743 Merge branch 'pax-test' into grsec-test
51744
51745commit 57c11b85acd841a088aa4df8e60be337880df8cd
51746Merge: 0598b37 4bb0869
51747Author: Brad Spengler <spender@grsecurity.net>
51748Date: Mon May 20 17:32:08 2013 -0400
51749
51750 Merge branch 'linux-3.9.y' into pax-test
51751
51752commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
51753Merge: e261c7b 0598b37
51754Author: Brad Spengler <spender@grsecurity.net>
51755Date: Fri May 17 22:57:36 2013 -0400
51756
51757 Merge branch 'pax-test' into grsec-test
51758
51759commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
51760Author: Brad Spengler <spender@grsecurity.net>
51761Date: Fri May 17 22:57:07 2013 -0400
51762
51763 Update to pax-linux-3.9.2-test6.patch:
51764 - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
51765 - fixed pfn extraction from pud/pgd entries, reported by ousado
51766
51767 arch/x86/include/asm/pgtable.h | 9 +++++++--
51768 tools/gcc/structleak_plugin.c | 3 ++-
51769 2 files changed, 9 insertions(+), 3 deletions(-)
51770
51771commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
51772Author: Brad Spengler <spender@grsecurity.net>
51773Date: Thu May 16 22:54:12 2013 -0400
51774
51775 add offset to topdown check, fixes compilation
51776
51777 arch/x86/kernel/sys_x86_64.c | 2 +-
51778 1 files changed, 1 insertions(+), 1 deletions(-)
51779
51780commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
51781Author: Brad Spengler <spender@grsecurity.net>
51782Date: Thu May 16 20:57:41 2013 -0400
51783
51784 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
51785 reported by lulzh3ad on irc
51786
51787 security/Kconfig | 1 +
51788 1 files changed, 1 insertions(+), 0 deletions(-)
51789
51790commit 0d4593e84707cdf6deb6b925c18c676a476b1613
51791Merge: 43cd0c0 39a877f
51792Author: Brad Spengler <spender@grsecurity.net>
51793Date: Thu May 16 20:39:11 2013 -0400
51794
51795 Merge branch 'pax-test' into grsec-test
51796
51797commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
51798Author: Brad Spengler <spender@grsecurity.net>
51799Date: Thu May 16 20:37:35 2013 -0400
51800
51801 Update to pax-linux-3.9.2-test105.patch:
51802 - fixed !EFI boot problem, reported by spender
51803 - fixed a few compile warnings
51804 - fixed some more compile errors due to constification
51805 - fixed some arm fallout, reported by Michael Tremer
51806
51807 arch/arm/include/asm/psci.h | 2 +-
51808 arch/arm/kernel/psci.c | 2 +-
51809 arch/x86/kernel/sys_x86_64.c | 3 +--
51810 arch/x86/realmode/init.c | 2 +-
51811 drivers/hwmon/pmbus/pmbus_core.c | 10 +++++-----
51812 drivers/irqchip/irq-gic.c | 2 +-
51813 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++-
51814 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++---
51815 drivers/platform/x86/chromeos_laptop.c | 2 +-
51816 fs/jfs/super.c | 4 ++--
51817 include/linux/irqchip/arm-gic.h | 2 ++
51818 include/sound/compress_driver.h | 2 +-
51819 net/mac80211/cfg.c | 4 ++--
51820 sound/soc/fsl/fsl_ssi.c | 2 +-
51821 14 files changed, 31 insertions(+), 22 deletions(-)
51822
51823commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
51824Author: Brad Spengler <spender@grsecurity.net>
51825Date: Thu May 16 20:35:22 2013 -0400
51826
51827 Fix usercopy false positive under gcc 4.1
51828
51829 arch/x86/kernel/signal.c | 9 +++++++--
51830 1 files changed, 7 insertions(+), 2 deletions(-)
51831
51832commit 56a166129d817f6634c8c230e6ec497669bdfaca
51833Author: Amerigo Wang <amwang@redhat.com>
51834Date: Thu May 9 21:56:37 2013 +0000
51835
51836 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
51837
51838 ipv6,gre: do not leak info to user-space
51839
51840 There is a hole in struct ip6_tnl_parm2, so we have to
51841 zero the struct on stack before copying it to user-space.
51842
51843 Cc: David S. Miller <davem@davemloft.net>
51844 Signed-off-by: Cong Wang <amwang@redhat.com>
51845 Signed-off-by: David S. Miller <davem@davemloft.net>
51846
51847 net/ipv6/ip6_gre.c | 2 ++
51848 1 files changed, 2 insertions(+), 0 deletions(-)
51849
51850commit d6f50dae2653ad912952da40417a8ccbd59c7699
51851Author: Brad Spengler <spender@grsecurity.net>
51852Date: Tue May 14 16:52:35 2013 -0400
51853
51854 disable unprivileged kernel profiling under HIDESYM, rename
51855 the variable to something more appropriate
51856
51857 include/linux/perf_event.h | 8 ++++----
51858 kernel/events/core.c | 6 +++++-
51859 kernel/sysctl.c | 4 ++--
51860 3 files changed, 11 insertions(+), 7 deletions(-)
51861
51862commit 01322c6951bed4eedefbd2178dbd99292b365d99
51863Author: Brad Spengler <spender@grsecurity.net>
51864Date: Mon May 13 17:19:57 2013 -0400
51865
51866 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
51867 existing stack-heap gap code for the new unified vm_unmapped_area
51868
51869 grsecurity/Kconfig | 2 +-
51870 1 files changed, 1 insertions(+), 1 deletions(-)
51871
51872commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
51873Author: Brad Spengler <spender@grsecurity.net>
51874Date: Mon May 13 15:40:32 2013 -0400
51875
51876 fix NX fault on early boot
51877
51878 arch/x86/realmode/init.c | 2 +-
51879 1 files changed, 1 insertions(+), 1 deletions(-)
51880
51881commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
51882Author: Brad Spengler <spender@grsecurity.net>
51883Date: Mon May 13 10:48:13 2013 -0400
51884
51885 compile fix, we weren't using %pa anyway and it's now being used
51886 by upstream for physical address printing
51887
51888 lib/vsprintf.c | 3 +--
51889 1 files changed, 1 insertions(+), 2 deletions(-)
51890
51891commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
51892Author: Brad Spengler <spender@grsecurity.net>
51893Date: Mon May 13 10:39:52 2013 -0400
51894
51895 compile fix
51896
51897 grsecurity/grsec_chroot.c | 2 +-
51898 1 files changed, 1 insertions(+), 1 deletions(-)
51899
51900commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
51901Author: Brad Spengler <spender@grsecurity.net>
51902Date: Mon May 13 10:35:36 2013 -0400
51903
51904 compile fixes
51905
51906 grsecurity/grsec_chroot.c | 2 +-
51907 include/linux/grinternal.h | 8 ++++----
51908 include/linux/grsecurity.h | 4 ++--
51909 3 files changed, 7 insertions(+), 7 deletions(-)
51910
51911commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
51912Author: Brad Spengler <spender@grsecurity.net>
51913Date: Mon May 13 10:27:18 2013 -0400
51914
51915 compile fix
51916
51917 fs/exec.c | 6 +++---
51918 1 files changed, 3 insertions(+), 3 deletions(-)
51919
51920commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
51921Author: Brad Spengler <spender@grsecurity.net>
51922Date: Mon May 13 10:23:17 2013 -0400
51923
51924 Initial port of grsecurity for 3.9.2
51925
51926 Documentation/kernel-parameters.txt | 4 +
51927 Makefile | 8 +-
51928 arch/alpha/include/asm/cache.h | 4 +-
51929 arch/alpha/kernel/osf_sys.c | 12 +-
51930 arch/arm/include/asm/thread_info.h | 9 +-
51931 arch/arm/kernel/process.c | 4 +-
51932 arch/arm/kernel/ptrace.c | 9 +
51933 arch/arm/kernel/traps.c | 7 +-
51934 arch/arm/mm/fault.c | 29 +-
51935 arch/arm/mm/mmap.c | 8 +-
51936 arch/avr32/include/asm/cache.h | 4 +-
51937 arch/blackfin/include/asm/cache.h | 3 +-
51938 arch/cris/include/arch-v10/arch/cache.h | 3 +-
51939 arch/cris/include/arch-v32/arch/cache.h | 3 +-
51940 arch/frv/include/asm/cache.h | 3 +-
51941 arch/frv/mm/elf-fdpic.c | 4 +-
51942 arch/hexagon/include/asm/cache.h | 6 +-
51943 arch/ia64/include/asm/cache.h | 3 +-
51944 arch/ia64/kernel/sys_ia64.c | 2 +
51945 arch/ia64/mm/hugetlbpage.c | 2 +
51946 arch/m32r/include/asm/cache.h | 4 +-
51947 arch/m68k/include/asm/cache.h | 4 +-
51948 arch/metag/mm/hugetlbpage.c | 1 +
51949 arch/microblaze/include/asm/cache.h | 3 +-
51950 arch/mips/include/asm/cache.h | 3 +-
51951 arch/mips/include/asm/thread_info.h | 9 +-
51952 arch/mips/kernel/ptrace.c | 9 +
51953 arch/mips/kernel/scall32-o32.S | 2 +-
51954 arch/mips/kernel/scall64-64.S | 2 +-
51955 arch/mips/kernel/scall64-n32.S | 2 +-
51956 arch/mips/kernel/scall64-o32.S | 2 +-
51957 arch/mips/mm/mmap.c | 4 +-
51958 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
51959 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
51960 arch/openrisc/include/asm/cache.h | 4 +-
51961 arch/parisc/include/asm/cache.h | 5 +-
51962 arch/parisc/kernel/sys_parisc.c | 17 +-
51963 arch/powerpc/include/asm/cache.h | 3 +-
51964 arch/powerpc/include/asm/thread_info.h | 8 +-
51965 arch/powerpc/kernel/process.c | 10 +-
51966 arch/powerpc/kernel/ptrace.c | 14 +
51967 arch/powerpc/kernel/traps.c | 5 +
51968 arch/powerpc/mm/slice.c | 8 +-
51969 arch/s390/include/asm/cache.h | 4 +-
51970 arch/score/include/asm/cache.h | 4 +-
51971 arch/sh/include/asm/cache.h | 3 +-
51972 arch/sh/mm/mmap.c | 6 +-
51973 arch/sparc/include/asm/cache.h | 4 +-
51974 arch/sparc/include/asm/thread_info_64.h | 9 +-
51975 arch/sparc/kernel/process_32.c | 6 +-
51976 arch/sparc/kernel/process_64.c | 8 +-
51977 arch/sparc/kernel/ptrace_64.c | 14 +
51978 arch/sparc/kernel/sys_sparc_64.c | 8 +-
51979 arch/sparc/kernel/syscalls.S | 8 +-
51980 arch/sparc/kernel/traps_32.c | 8 +-
51981 arch/sparc/kernel/traps_64.c | 28 +-
51982 arch/sparc/kernel/unaligned_64.c | 2 +-
51983 arch/sparc/mm/fault_64.c | 2 +-
51984 arch/sparc/mm/hugetlbpage.c | 3 +-
51985 arch/tile/include/asm/cache.h | 3 +-
51986 arch/tile/mm/hugetlbpage.c | 2 +
51987 arch/um/defconfig | 1 -
51988 arch/um/include/asm/cache.h | 3 +-
51989 arch/unicore32/include/asm/cache.h | 6 +-
51990 arch/x86/Kconfig | 5 +-
51991 arch/x86/Kconfig.debug | 2 +-
51992 arch/x86/ia32/ia32_aout.c | 2 +
51993 arch/x86/include/asm/thread_info.h | 8 +-
51994 arch/x86/kernel/dumpstack.c | 8 +
51995 arch/x86/kernel/entry_32.S | 2 +-
51996 arch/x86/kernel/entry_64.S | 2 +-
51997 arch/x86/kernel/ioport.c | 13 +
51998 arch/x86/kernel/ptrace.c | 14 +
51999 arch/x86/kernel/smpboot.c | 3 +
52000 arch/x86/kernel/sys_i386_32.c | 14 +-
52001 arch/x86/kernel/sys_x86_64.c | 6 +-
52002 arch/x86/kernel/verify_cpu.S | 1 +
52003 arch/x86/kernel/vm86_32.c | 16 +
52004 arch/x86/mm/fault.c | 12 +-
52005 arch/x86/mm/hugetlbpage.c | 15 +-
52006 arch/x86/mm/init.c | 66 +-
52007 arch/x86/net/bpf_jit_comp.c | 126 +-
52008 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
52009 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
52010 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
52011 drivers/block/cciss.c | 2 +
52012 drivers/char/Kconfig | 4 +-
52013 drivers/char/genrtc.c | 1 +
52014 drivers/char/mem.c | 17 +
52015 drivers/char/random.c | 12 +
52016 drivers/gpu/drm/drm_info.c | 4 +
52017 drivers/hid/hid-wiimote-debug.c | 2 +-
52018 drivers/media/radio/radio-cadet.c | 2 +-
52019 drivers/message/fusion/mptbase.c | 9 +
52020 drivers/net/bonding/bond_main.c | 2 +-
52021 drivers/net/phy/mdio-bitbang.c | 1 +
52022 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
52023 drivers/pci/proc.c | 9 +
52024 drivers/rtc/rtc-dev.c | 3 +
52025 drivers/tty/sysrq.c | 2 +-
52026 drivers/tty/vt/keyboard.c | 22 +-
52027 drivers/usb/storage/realtek_cr.c | 2 +-
52028 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
52029 drivers/xen/xenfs/xenstored.c | 5 +
52030 fs/attr.c | 1 +
52031 fs/autofs4/waitq.c | 9 +
52032 fs/binfmt_aout.c | 7 +
52033 fs/binfmt_elf.c | 8 +-
52034 fs/btrfs/ioctl.c | 6 +-
52035 fs/compat.c | 20 +-
52036 fs/coredump.c | 10 +-
52037 fs/debugfs/inode.c | 4 +
52038 fs/exec.c | 181 +-
52039 fs/ext2/balloc.c | 4 +-
52040 fs/ext3/balloc.c | 4 +-
52041 fs/ext4/balloc.c | 4 +-
52042 fs/fcntl.c | 5 +
52043 fs/file.c | 4 +
52044 fs/filesystems.c | 4 +
52045 fs/fs_struct.c | 13 +-
52046 fs/hugetlbfs/inode.c | 5 +-
52047 fs/namei.c | 241 ++-
52048 fs/namespace.c | 24 +
52049 fs/open.c | 38 +
52050 fs/pipe.c | 2 +-
52051 fs/proc/Kconfig | 10 +-
52052 fs/proc/array.c | 59 +-
52053 fs/proc/base.c | 168 +-
52054 fs/proc/cmdline.c | 4 +
52055 fs/proc/devices.c | 4 +
52056 fs/proc/fd.c | 17 +-
52057 fs/proc/inode.c | 17 +
52058 fs/proc/internal.h | 3 +
52059 fs/proc/kcore.c | 3 +
52060 fs/proc/proc_net.c | 12 +
52061 fs/proc/proc_sysctl.c | 43 +-
52062 fs/proc/root.c | 8 +
52063 fs/proc/task_mmu.c | 75 +-
52064 fs/readdir.c | 19 +
52065 fs/select.c | 2 +
52066 fs/seq_file.c | 12 +-
52067 fs/stat.c | 19 +-
52068 fs/sysfs/dir.c | 12 +
52069 fs/utimes.c | 7 +
52070 fs/xattr.c | 19 +-
52071 grsecurity/Kconfig | 1031 +++++
52072 grsecurity/Makefile | 38 +
52073 grsecurity/gracl.c | 4073 ++++++++++++++++++++
52074 grsecurity/gracl_alloc.c | 105 +
52075 grsecurity/gracl_cap.c | 110 +
52076 grsecurity/gracl_fs.c | 431 +++
52077 grsecurity/gracl_ip.c | 387 ++
52078 grsecurity/gracl_learn.c | 207 +
52079 grsecurity/gracl_res.c | 68 +
52080 grsecurity/gracl_segv.c | 305 ++
52081 grsecurity/gracl_shm.c | 40 +
52082 grsecurity/grsec_chdir.c | 19 +
52083 grsecurity/grsec_chroot.c | 370 ++
52084 grsecurity/grsec_disabled.c | 434 +++
52085 grsecurity/grsec_exec.c | 187 +
52086 grsecurity/grsec_fifo.c | 24 +
52087 grsecurity/grsec_fork.c | 23 +
52088 grsecurity/grsec_init.c | 283 ++
52089 grsecurity/grsec_link.c | 58 +
52090 grsecurity/grsec_log.c | 326 ++
52091 grsecurity/grsec_mem.c | 40 +
52092 grsecurity/grsec_mount.c | 62 +
52093 grsecurity/grsec_pax.c | 36 +
52094 grsecurity/grsec_ptrace.c | 30 +
52095 grsecurity/grsec_sig.c | 222 ++
52096 grsecurity/grsec_sock.c | 244 ++
52097 grsecurity/grsec_sysctl.c | 469 +++
52098 grsecurity/grsec_time.c | 16 +
52099 grsecurity/grsec_tpe.c | 73 +
52100 grsecurity/grsum.c | 61 +
52101 include/linux/capability.h | 5 +
52102 include/linux/cred.h | 3 +
52103 include/linux/fs.h | 10 +
52104 include/linux/fsnotify.h | 6 +
52105 include/linux/gracl.h | 319 ++
52106 include/linux/gralloc.h | 9 +
52107 include/linux/grdefs.h | 140 +
52108 include/linux/grinternal.h | 215 +
52109 include/linux/grmsg.h | 111 +
52110 include/linux/grsecurity.h | 242 ++
52111 include/linux/grsock.h | 19 +
52112 include/linux/kallsyms.h | 14 +-
52113 include/linux/kmod.h | 2 +
52114 include/linux/mm.h | 1 +
52115 include/linux/netfilter/xt_gradm.h | 9 +
52116 include/linux/printk.h | 3 +-
52117 include/linux/proc_fs.h | 12 +
52118 include/linux/sched.h | 68 +-
52119 include/linux/security.h | 1 +
52120 include/linux/seq_file.h | 3 +
52121 include/linux/shm.h | 4 +
52122 include/linux/skbuff.h | 3 +
52123 include/linux/slab.h | 9 -
52124 include/linux/sysctl.h | 2 +
52125 include/linux/thread_info.h | 2 +
52126 include/linux/uidgid.h | 5 +
52127 include/linux/vermagic.h | 9 +-
52128 include/net/secure_seq.h | 1 +
52129 include/trace/events/fs.h | 53 +
52130 include/uapi/linux/personality.h | 1 +
52131 init/Kconfig | 3 +-
52132 init/main.c | 14 +
52133 ipc/mqueue.c | 1 +
52134 ipc/shm.c | 28 +
52135 kernel/capability.c | 39 +-
52136 kernel/cgroup.c | 2 +-
52137 kernel/compat.c | 1 +
52138 kernel/configs.c | 11 +
52139 kernel/cred.c | 110 +-
52140 kernel/exit.c | 10 +-
52141 kernel/fork.c | 41 +-
52142 kernel/futex.c | 1 +
52143 kernel/kallsyms.c | 9 +
52144 kernel/kcmp.c | 4 +
52145 kernel/kmod.c | 71 +-
52146 kernel/kprobes.c | 4 +-
52147 kernel/ksysfs.c | 2 +
52148 kernel/lockdep_proc.c | 10 +-
52149 kernel/module.c | 81 +-
52150 kernel/panic.c | 4 +-
52151 kernel/pid.c | 19 +-
52152 kernel/posix-timers.c | 8 +
52153 kernel/printk.c | 13 +-
52154 kernel/ptrace.c | 20 +-
52155 kernel/resource.c | 10 +
52156 kernel/sched/core.c | 6 +-
52157 kernel/signal.c | 37 +-
52158 kernel/sys.c | 45 +-
52159 kernel/sysctl.c | 39 +-
52160 kernel/taskstats.c | 6 +
52161 kernel/time.c | 5 +
52162 kernel/time/timekeeping.c | 3 +
52163 kernel/time/timer_list.c | 12 +
52164 kernel/time/timer_stats.c | 10 +-
52165 lib/Kconfig.debug | 5 +-
52166 lib/is_single_threaded.c | 3 +
52167 lib/vsprintf.c | 35 +-
52168 localversion-grsec | 1 +
52169 mm/Kconfig | 4 +-
52170 mm/filemap.c | 1 +
52171 mm/kmemleak.c | 4 +-
52172 mm/mempolicy.c | 12 +-
52173 mm/migrate.c | 3 +-
52174 mm/mlock.c | 3 +
52175 mm/mmap.c | 64 +-
52176 mm/mprotect.c | 8 +
52177 mm/process_vm_access.c | 6 +
52178 mm/shmem.c | 2 +-
52179 mm/slab.c | 2 +-
52180 mm/slub.c | 14 +-
52181 mm/vmalloc.c | 4 +
52182 mm/vmstat.c | 18 +-
52183 net/8021q/vlan.c | 7 +
52184 net/core/dev_ioctl.c | 4 +
52185 net/core/net-procfs.c | 5 +
52186 net/core/secure_seq.c | 4 +-
52187 net/core/sock_diag.c | 7 +
52188 net/ipv4/af_inet.c | 5 +-
52189 net/ipv4/inet_hashtables.c | 5 +
52190 net/ipv4/ip_sockglue.c | 3 +-
52191 net/ipv4/tcp_input.c | 4 +-
52192 net/ipv4/tcp_ipv4.c | 24 +-
52193 net/ipv4/tcp_minisocks.c | 9 +-
52194 net/ipv4/tcp_timer.c | 11 +
52195 net/ipv4/udp.c | 24 +
52196 net/ipv6/tcp_ipv6.c | 23 +-
52197 net/ipv6/udp.c | 7 +
52198 net/netfilter/Kconfig | 10 +
52199 net/netfilter/Makefile | 1 +
52200 net/netfilter/nf_conntrack_core.c | 8 +
52201 net/netfilter/xt_gradm.c | 51 +
52202 net/netrom/af_netrom.c | 2 +-
52203 net/phonet/af_phonet.c | 2 +-
52204 net/sctp/probe.c | 2 +-
52205 net/sctp/proc.c | 3 +-
52206 net/socket.c | 66 +-
52207 net/sysctl_net.c | 2 +-
52208 net/tipc/link.c | 11 +-
52209 net/unix/af_unix.c | 31 +-
52210 security/Kconfig | 342 ++-
52211 security/commoncap.c | 29 +
52212 security/min_addr.c | 2 +
52213 security/security.c | 2 -
52214 security/selinux/hooks.c | 2 -
52215 security/tomoyo/mount.c | 4 +
52216 security/yama/Kconfig | 2 +-
52217 291 files changed, 15221 insertions(+), 2052 deletions(-)
52218
52219commit 88854c350c899bceca4a94598c42bed44d0dc91b
52220Author: Brad Spengler <spender@grsecurity.net>
52221Date: Mon May 13 07:37:47 2013 -0400
52222
52223 Initial import of pax-linux-3.9.2-test2.patch
52224
52225 Documentation/dontdiff | 45 +-
52226 Documentation/kernel-parameters.txt | 12 +
52227 Makefile | 100 +-
52228 arch/alpha/include/asm/atomic.h | 10 +
52229 arch/alpha/include/asm/elf.h | 7 +
52230 arch/alpha/include/asm/pgalloc.h | 6 +
52231 arch/alpha/include/asm/pgtable.h | 11 +
52232 arch/alpha/kernel/module.c | 2 +-
52233 arch/alpha/kernel/osf_sys.c | 8 +-
52234 arch/alpha/mm/fault.c | 141 +-
52235 arch/arm/Kconfig | 2 +-
52236 arch/arm/include/asm/atomic.h | 421 ++-
52237 arch/arm/include/asm/cache.h | 5 +-
52238 arch/arm/include/asm/cacheflush.h | 2 +-
52239 arch/arm/include/asm/checksum.h | 14 +-
52240 arch/arm/include/asm/cmpxchg.h | 2 +
52241 arch/arm/include/asm/domain.h | 33 +-
52242 arch/arm/include/asm/elf.h | 13 +-
52243 arch/arm/include/asm/fncpy.h | 2 +
52244 arch/arm/include/asm/futex.h | 10 +
52245 arch/arm/include/asm/kmap_types.h | 2 +-
52246 arch/arm/include/asm/mach/dma.h | 2 +-
52247 arch/arm/include/asm/mach/map.h | 7 +-
52248 arch/arm/include/asm/outercache.h | 2 +-
52249 arch/arm/include/asm/page.h | 2 +-
52250 arch/arm/include/asm/pgalloc.h | 22 +-
52251 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
52252 arch/arm/include/asm/pgtable-2level.h | 1 +
52253 arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
52254 arch/arm/include/asm/pgtable-3level.h | 2 +
52255 arch/arm/include/asm/pgtable.h | 56 +-
52256 arch/arm/include/asm/proc-fns.h | 2 +-
52257 arch/arm/include/asm/processor.h | 5 +-
52258 arch/arm/include/asm/smp.h | 2 +-
52259 arch/arm/include/asm/thread_info.h | 6 +-
52260 arch/arm/include/asm/uaccess.h | 92 +-
52261 arch/arm/include/uapi/asm/ptrace.h | 2 +-
52262 arch/arm/kernel/armksyms.c | 6 +-
52263 arch/arm/kernel/entry-armv.S | 107 +-
52264 arch/arm/kernel/entry-common.S | 41 +-
52265 arch/arm/kernel/entry-header.S | 60 +
52266 arch/arm/kernel/fiq.c | 2 +
52267 arch/arm/kernel/head.S | 6 +-
52268 arch/arm/kernel/hw_breakpoint.c | 2 +-
52269 arch/arm/kernel/module.c | 29 +-
52270 arch/arm/kernel/patch.c | 2 +
52271 arch/arm/kernel/perf_event_cpu.c | 2 +-
52272 arch/arm/kernel/process.c | 15 +-
52273 arch/arm/kernel/setup.c | 22 +-
52274 arch/arm/kernel/signal.c | 24 +-
52275 arch/arm/kernel/smp.c | 2 +-
52276 arch/arm/kernel/traps.c | 15 +-
52277 arch/arm/kernel/vmlinux.lds.S | 22 +-
52278 arch/arm/lib/clear_user.S | 6 +-
52279 arch/arm/lib/copy_from_user.S | 6 +-
52280 arch/arm/lib/copy_page.S | 1 +
52281 arch/arm/lib/copy_to_user.S | 6 +-
52282 arch/arm/lib/csumpartialcopyuser.S | 4 +-
52283 arch/arm/lib/delay.c | 2 +-
52284 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
52285 arch/arm/mach-kirkwood/common.c | 19 +-
52286 arch/arm/mach-omap2/board-n8x0.c | 2 +-
52287 arch/arm/mach-omap2/gpmc.c | 22 +-
52288 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
52289 arch/arm/mach-omap2/omap_device.c | 4 +-
52290 arch/arm/mach-omap2/omap_device.h | 4 +-
52291 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
52292 arch/arm/mach-omap2/wd_timer.c | 6 +-
52293 arch/arm/mach-ux500/include/mach/setup.h | 7 -
52294 arch/arm/mm/Kconfig | 3 +-
52295 arch/arm/mm/alignment.c | 8 +
52296 arch/arm/mm/fault.c | 91 +
52297 arch/arm/mm/fault.h | 12 +
52298 arch/arm/mm/init.c | 41 +
52299 arch/arm/mm/ioremap.c | 4 +-
52300 arch/arm/mm/mmap.c | 36 +-
52301 arch/arm/mm/mmu.c | 187 +-
52302 arch/arm/mm/proc-v7-2level.S | 3 +
52303 arch/arm/plat-omap/sram.c | 2 +
52304 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
52305 arch/arm64/kernel/debug-monitors.c | 2 +-
52306 arch/arm64/kernel/hw_breakpoint.c | 2 +-
52307 arch/avr32/include/asm/elf.h | 8 +-
52308 arch/avr32/include/asm/kmap_types.h | 4 +-
52309 arch/avr32/mm/fault.c | 27 +
52310 arch/frv/include/asm/atomic.h | 10 +
52311 arch/frv/include/asm/kmap_types.h | 2 +-
52312 arch/frv/mm/elf-fdpic.c | 3 +-
52313 arch/ia64/include/asm/atomic.h | 10 +
52314 arch/ia64/include/asm/elf.h | 7 +
52315 arch/ia64/include/asm/pgalloc.h | 12 +
52316 arch/ia64/include/asm/pgtable.h | 13 +-
52317 arch/ia64/include/asm/spinlock.h | 2 +-
52318 arch/ia64/include/asm/uaccess.h | 26 +-
52319 arch/ia64/kernel/err_inject.c | 2 +-
52320 arch/ia64/kernel/mca.c | 2 +-
52321 arch/ia64/kernel/module.c | 48 +-
52322 arch/ia64/kernel/palinfo.c | 2 +-
52323 arch/ia64/kernel/salinfo.c | 2 +-
52324 arch/ia64/kernel/sys_ia64.c | 7 +
52325 arch/ia64/kernel/topology.c | 2 +-
52326 arch/ia64/kernel/vmlinux.lds.S | 2 +-
52327 arch/ia64/mm/fault.c | 32 +-
52328 arch/ia64/mm/init.c | 13 +
52329 arch/m32r/lib/usercopy.c | 6 +
52330 arch/mips/include/asm/atomic.h | 14 +
52331 arch/mips/include/asm/elf.h | 11 +-
52332 arch/mips/include/asm/exec.h | 2 +-
52333 arch/mips/include/asm/page.h | 2 +-
52334 arch/mips/include/asm/pgalloc.h | 5 +
52335 arch/mips/kernel/binfmt_elfn32.c | 7 +
52336 arch/mips/kernel/binfmt_elfo32.c | 7 +
52337 arch/mips/kernel/process.c | 12 -
52338 arch/mips/mm/fault.c | 17 +
52339 arch/mips/mm/mmap.c | 51 +-
52340 arch/parisc/include/asm/atomic.h | 10 +
52341 arch/parisc/include/asm/elf.h | 7 +
52342 arch/parisc/include/asm/pgalloc.h | 6 +
52343 arch/parisc/include/asm/pgtable.h | 11 +
52344 arch/parisc/include/asm/uaccess.h | 4 +-
52345 arch/parisc/kernel/module.c | 50 +-
52346 arch/parisc/kernel/sys_parisc.c | 9 +-
52347 arch/parisc/kernel/traps.c | 4 +-
52348 arch/parisc/mm/fault.c | 140 +-
52349 arch/powerpc/include/asm/atomic.h | 10 +
52350 arch/powerpc/include/asm/elf.h | 19 +-
52351 arch/powerpc/include/asm/exec.h | 2 +-
52352 arch/powerpc/include/asm/kmap_types.h | 2 +-
52353 arch/powerpc/include/asm/mman.h | 2 +-
52354 arch/powerpc/include/asm/page.h | 8 +-
52355 arch/powerpc/include/asm/page_64.h | 7 +-
52356 arch/powerpc/include/asm/pgalloc-64.h | 7 +
52357 arch/powerpc/include/asm/pgtable.h | 1 +
52358 arch/powerpc/include/asm/pte-hash32.h | 1 +
52359 arch/powerpc/include/asm/reg.h | 1 +
52360 arch/powerpc/include/asm/smp.h | 2 +-
52361 arch/powerpc/include/asm/uaccess.h | 140 +-
52362 arch/powerpc/kernel/exceptions-64e.S | 4 +-
52363 arch/powerpc/kernel/exceptions-64s.S | 2 +-
52364 arch/powerpc/kernel/module_32.c | 13 +-
52365 arch/powerpc/kernel/process.c | 55 -
52366 arch/powerpc/kernel/signal_32.c | 2 +-
52367 arch/powerpc/kernel/signal_64.c | 2 +-
52368 arch/powerpc/kernel/sysfs.c | 2 +-
52369 arch/powerpc/kernel/vdso.c | 5 +-
52370 arch/powerpc/lib/usercopy_64.c | 18 -
52371 arch/powerpc/mm/fault.c | 54 +-
52372 arch/powerpc/mm/mmap_64.c | 16 +
52373 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
52374 arch/powerpc/mm/numa.c | 2 +-
52375 arch/powerpc/mm/slice.c | 23 +-
52376 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
52377 arch/powerpc/platforms/powermac/smp.c | 2 +-
52378 arch/s390/include/asm/atomic.h | 10 +
52379 arch/s390/include/asm/elf.h | 13 +-
52380 arch/s390/include/asm/exec.h | 2 +-
52381 arch/s390/include/asm/uaccess.h | 15 +-
52382 arch/s390/kernel/module.c | 22 +-
52383 arch/s390/kernel/process.c | 36 -
52384 arch/s390/mm/mmap.c | 24 +
52385 arch/score/include/asm/exec.h | 2 +-
52386 arch/score/kernel/process.c | 5 -
52387 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
52388 arch/sh/mm/mmap.c | 22 +-
52389 arch/sparc/include/asm/atomic_64.h | 106 +-
52390 arch/sparc/include/asm/cache.h | 2 +-
52391 arch/sparc/include/asm/elf_32.h | 7 +
52392 arch/sparc/include/asm/elf_64.h | 7 +
52393 arch/sparc/include/asm/pgalloc_32.h | 1 +
52394 arch/sparc/include/asm/pgalloc_64.h | 1 +
52395 arch/sparc/include/asm/pgtable_32.h | 15 +-
52396 arch/sparc/include/asm/pgtsrmmu.h | 5 +
52397 arch/sparc/include/asm/spinlock_64.h | 35 +-
52398 arch/sparc/include/asm/thread_info_32.h | 2 +
52399 arch/sparc/include/asm/thread_info_64.h | 2 +
52400 arch/sparc/include/asm/uaccess.h | 1 +
52401 arch/sparc/include/asm/uaccess_32.h | 27 +-
52402 arch/sparc/include/asm/uaccess_64.h | 19 +-
52403 arch/sparc/kernel/Makefile | 2 +-
52404 arch/sparc/kernel/prom_common.c | 2 +-
52405 arch/sparc/kernel/sys_sparc_32.c | 2 +-
52406 arch/sparc/kernel/sys_sparc_64.c | 48 +-
52407 arch/sparc/kernel/sysfs.c | 2 +-
52408 arch/sparc/kernel/traps_64.c | 13 +-
52409 arch/sparc/kernel/us3_cpufreq.c | 69 +-
52410 arch/sparc/lib/Makefile | 2 +-
52411 arch/sparc/lib/atomic_64.S | 136 +-
52412 arch/sparc/lib/ksyms.c | 6 +
52413 arch/sparc/mm/Makefile | 2 +-
52414 arch/sparc/mm/fault_32.c | 292 ++
52415 arch/sparc/mm/fault_64.c | 486 ++
52416 arch/sparc/mm/hugetlbpage.c | 21 +-
52417 arch/tile/include/asm/atomic_64.h | 10 +
52418 arch/tile/include/asm/uaccess.h | 4 +-
52419 arch/um/Makefile | 4 +
52420 arch/um/include/asm/kmap_types.h | 2 +-
52421 arch/um/include/asm/page.h | 3 +
52422 arch/um/include/asm/pgtable-3level.h | 1 +
52423 arch/um/kernel/process.c | 16 -
52424 arch/x86/Kconfig | 10 +-
52425 arch/x86/Kconfig.cpu | 6 +-
52426 arch/x86/Kconfig.debug | 6 +-
52427 arch/x86/Makefile | 10 +
52428 arch/x86/boot/Makefile | 3 +
52429 arch/x86/boot/bitops.h | 4 +-
52430 arch/x86/boot/boot.h | 4 +-
52431 arch/x86/boot/compressed/Makefile | 3 +
52432 arch/x86/boot/compressed/eboot.c | 2 -
52433 arch/x86/boot/compressed/head_32.S | 7 +-
52434 arch/x86/boot/compressed/head_64.S | 8 +-
52435 arch/x86/boot/compressed/misc.c | 4 +-
52436 arch/x86/boot/cpucheck.c | 28 +-
52437 arch/x86/boot/header.S | 6 +-
52438 arch/x86/boot/memory.c | 2 +-
52439 arch/x86/boot/video-vesa.c | 1 +
52440 arch/x86/boot/video.c | 2 +-
52441 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
52442 arch/x86/crypto/aesni-intel_asm.S | 21 +
52443 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
52444 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
52445 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
52446 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 +
52447 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
52448 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 +
52449 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
52450 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
52451 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 +
52452 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
52453 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
52454 arch/x86/ia32/ia32_signal.c | 14 +-
52455 arch/x86/ia32/ia32entry.S | 141 +-
52456 arch/x86/ia32/sys_ia32.c | 6 +-
52457 arch/x86/include/asm/alternative-asm.h | 39 +
52458 arch/x86/include/asm/alternative.h | 4 +-
52459 arch/x86/include/asm/apic.h | 2 +-
52460 arch/x86/include/asm/apm.h | 4 +-
52461 arch/x86/include/asm/atomic.h | 307 ++-
52462 arch/x86/include/asm/atomic64_32.h | 100 +
52463 arch/x86/include/asm/atomic64_64.h | 202 +-
52464 arch/x86/include/asm/bitops.h | 4 +-
52465 arch/x86/include/asm/boot.h | 7 +-
52466 arch/x86/include/asm/cache.h | 5 +-
52467 arch/x86/include/asm/cacheflush.h | 2 +-
52468 arch/x86/include/asm/checksum_32.h | 12 +-
52469 arch/x86/include/asm/cmpxchg.h | 35 +
52470 arch/x86/include/asm/compat.h | 2 +-
52471 arch/x86/include/asm/cpufeature.h | 4 +-
52472 arch/x86/include/asm/desc.h | 67 +-
52473 arch/x86/include/asm/desc_defs.h | 6 +
52474 arch/x86/include/asm/div64.h | 2 +-
52475 arch/x86/include/asm/elf.h | 31 +-
52476 arch/x86/include/asm/emergency-restart.h | 2 +-
52477 arch/x86/include/asm/fpu-internal.h | 6 +-
52478 arch/x86/include/asm/futex.h | 16 +-
52479 arch/x86/include/asm/hw_irq.h | 4 +-
52480 arch/x86/include/asm/i8259.h | 2 +-
52481 arch/x86/include/asm/io.h | 21 +-
52482 arch/x86/include/asm/irqflags.h | 5 +
52483 arch/x86/include/asm/kprobes.h | 9 +-
52484 arch/x86/include/asm/local.h | 142 +-
52485 arch/x86/include/asm/mman.h | 15 +
52486 arch/x86/include/asm/mmu.h | 16 +-
52487 arch/x86/include/asm/mmu_context.h | 76 +-
52488 arch/x86/include/asm/module.h | 17 +-
52489 arch/x86/include/asm/nmi.h | 6 +-
52490 arch/x86/include/asm/page_64.h | 2 +-
52491 arch/x86/include/asm/paravirt.h | 46 +-
52492 arch/x86/include/asm/paravirt_types.h | 17 +-
52493 arch/x86/include/asm/pgalloc.h | 23 +
52494 arch/x86/include/asm/pgtable-2level.h | 2 +
52495 arch/x86/include/asm/pgtable-3level.h | 4 +
52496 arch/x86/include/asm/pgtable.h | 113 +-
52497 arch/x86/include/asm/pgtable_32.h | 14 +-
52498 arch/x86/include/asm/pgtable_32_types.h | 15 +-
52499 arch/x86/include/asm/pgtable_64.h | 19 +-
52500 arch/x86/include/asm/pgtable_64_types.h | 5 +
52501 arch/x86/include/asm/pgtable_types.h | 36 +-
52502 arch/x86/include/asm/processor.h | 39 +-
52503 arch/x86/include/asm/ptrace.h | 26 +-
52504 arch/x86/include/asm/realmode.h | 4 +-
52505 arch/x86/include/asm/reboot.h | 10 +-
52506 arch/x86/include/asm/rwsem.h | 60 +-
52507 arch/x86/include/asm/segment.h | 24 +-
52508 arch/x86/include/asm/smp.h | 14 +-
52509 arch/x86/include/asm/spinlock.h | 36 +-
52510 arch/x86/include/asm/stackprotector.h | 4 +-
52511 arch/x86/include/asm/stacktrace.h | 32 +-
52512 arch/x86/include/asm/switch_to.h | 4 +-
52513 arch/x86/include/asm/thread_info.h | 83 +-
52514 arch/x86/include/asm/uaccess.h | 96 +-
52515 arch/x86/include/asm/uaccess_32.h | 106 +-
52516 arch/x86/include/asm/uaccess_64.h | 232 +-
52517 arch/x86/include/asm/word-at-a-time.h | 2 +-
52518 arch/x86/include/asm/x86_init.h | 10 +-
52519 arch/x86/include/asm/xsave.h | 10 +-
52520 arch/x86/include/uapi/asm/e820.h | 2 +-
52521 arch/x86/kernel/Makefile | 2 +-
52522 arch/x86/kernel/acpi/boot.c | 4 +-
52523 arch/x86/kernel/acpi/sleep.c | 4 +
52524 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
52525 arch/x86/kernel/alternative.c | 65 +-
52526 arch/x86/kernel/apic/apic.c | 4 +-
52527 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
52528 arch/x86/kernel/apic/apic_noop.c | 2 +-
52529 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
52530 arch/x86/kernel/apic/es7000_32.c | 5 +-
52531 arch/x86/kernel/apic/io_apic.c | 8 +-
52532 arch/x86/kernel/apic/numaq_32.c | 3 +-
52533 arch/x86/kernel/apic/probe_32.c | 2 +-
52534 arch/x86/kernel/apic/summit_32.c | 2 +-
52535 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
52536 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
52537 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
52538 arch/x86/kernel/apm_32.c | 19 +-
52539 arch/x86/kernel/asm-offsets.c | 20 +
52540 arch/x86/kernel/asm-offsets_64.c | 1 +
52541 arch/x86/kernel/cpu/Makefile | 4 -
52542 arch/x86/kernel/cpu/amd.c | 2 +-
52543 arch/x86/kernel/cpu/common.c | 75 +-
52544 arch/x86/kernel/cpu/intel.c | 2 +-
52545 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
52546 arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
52547 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
52548 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
52549 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
52550 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
52551 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
52552 arch/x86/kernel/cpu/perf_event.c | 8 +-
52553 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
52554 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
52555 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
52556 arch/x86/kernel/cpuid.c | 2 +-
52557 arch/x86/kernel/crash.c | 4 +-
52558 arch/x86/kernel/doublefault_32.c | 8 +-
52559 arch/x86/kernel/dumpstack.c | 30 +-
52560 arch/x86/kernel/dumpstack_32.c | 34 +-
52561 arch/x86/kernel/dumpstack_64.c | 63 +-
52562 arch/x86/kernel/early_printk.c | 1 +
52563 arch/x86/kernel/entry_32.S | 354 ++-
52564 arch/x86/kernel/entry_64.S | 530 ++-
52565 arch/x86/kernel/ftrace.c | 14 +-
52566 arch/x86/kernel/head64.c | 1 -
52567 arch/x86/kernel/head_32.S | 237 +-
52568 arch/x86/kernel/head_64.S | 120 +-
52569 arch/x86/kernel/i386_ksyms_32.c | 8 +
52570 arch/x86/kernel/i387.c | 2 +-
52571 arch/x86/kernel/i8259.c | 10 +-
52572 arch/x86/kernel/io_delay.c | 2 +-
52573 arch/x86/kernel/ioport.c | 2 +-
52574 arch/x86/kernel/irq.c | 8 +-
52575 arch/x86/kernel/irq_32.c | 69 +-
52576 arch/x86/kernel/irq_64.c | 2 +-
52577 arch/x86/kernel/kdebugfs.c | 2 +-
52578 arch/x86/kernel/kgdb.c | 25 +-
52579 arch/x86/kernel/kprobes/core.c | 30 +-
52580 arch/x86/kernel/kprobes/opt.c | 16 +-
52581 arch/x86/kernel/kvm.c | 2 +-
52582 arch/x86/kernel/ldt.c | 31 +-
52583 arch/x86/kernel/machine_kexec_32.c | 6 +-
52584 arch/x86/kernel/microcode_core.c | 2 +-
52585 arch/x86/kernel/microcode_intel.c | 4 +-
52586 arch/x86/kernel/module.c | 76 +-
52587 arch/x86/kernel/msr.c | 2 +-
52588 arch/x86/kernel/nmi.c | 19 +-
52589 arch/x86/kernel/nmi_selftest.c | 4 +-
52590 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
52591 arch/x86/kernel/paravirt.c | 43 +-
52592 arch/x86/kernel/pci-calgary_64.c | 2 +-
52593 arch/x86/kernel/pci-iommu_table.c | 2 +-
52594 arch/x86/kernel/pci-swiotlb.c | 2 +-
52595 arch/x86/kernel/process.c | 57 +-
52596 arch/x86/kernel/process_32.c | 29 +-
52597 arch/x86/kernel/process_64.c | 15 +-
52598 arch/x86/kernel/ptrace.c | 25 +-
52599 arch/x86/kernel/pvclock.c | 8 +-
52600 arch/x86/kernel/reboot.c | 44 +-
52601 arch/x86/kernel/relocate_kernel_64.S | 4 +-
52602 arch/x86/kernel/setup.c | 19 +-
52603 arch/x86/kernel/setup_percpu.c | 29 +-
52604 arch/x86/kernel/signal.c | 15 +-
52605 arch/x86/kernel/smp.c | 2 +-
52606 arch/x86/kernel/smpboot.c | 15 +-
52607 arch/x86/kernel/step.c | 10 +-
52608 arch/x86/kernel/sys_i386_32.c | 248 +
52609 arch/x86/kernel/sys_x86_64.c | 19 +-
52610 arch/x86/kernel/tboot.c | 14 +-
52611 arch/x86/kernel/time.c | 10 +-
52612 arch/x86/kernel/tls.c | 7 +-
52613 arch/x86/kernel/traps.c | 64 +-
52614 arch/x86/kernel/uprobes.c | 2 +-
52615 arch/x86/kernel/vm86_32.c | 6 +-
52616 arch/x86/kernel/vmlinux.lds.S | 148 +-
52617 arch/x86/kernel/vsyscall_64.c | 12 +-
52618 arch/x86/kernel/x8664_ksyms_64.c | 2 -
52619 arch/x86/kernel/x86_init.c | 8 +-
52620 arch/x86/kernel/xsave.c | 2 +
52621 arch/x86/kvm/cpuid.c | 21 +-
52622 arch/x86/kvm/emulate.c | 4 +-
52623 arch/x86/kvm/lapic.c | 2 +-
52624 arch/x86/kvm/paging_tmpl.h | 2 +-
52625 arch/x86/kvm/svm.c | 8 +
52626 arch/x86/kvm/vmx.c | 57 +-
52627 arch/x86/kvm/x86.c | 10 +-
52628 arch/x86/lguest/boot.c | 3 +-
52629 arch/x86/lib/atomic64_386_32.S | 164 +
52630 arch/x86/lib/atomic64_cx8_32.S | 103 +-
52631 arch/x86/lib/checksum_32.S | 100 +-
52632 arch/x86/lib/clear_page_64.S | 5 +-
52633 arch/x86/lib/cmpxchg16b_emu.S | 2 +
52634 arch/x86/lib/copy_page_64.S | 24 +-
52635 arch/x86/lib/copy_user_64.S | 47 +-
52636 arch/x86/lib/copy_user_nocache_64.S | 20 +-
52637 arch/x86/lib/csum-copy_64.S | 2 +
52638 arch/x86/lib/csum-wrappers_64.c | 4 +-
52639 arch/x86/lib/getuser.S | 70 +-
52640 arch/x86/lib/insn.c | 6 +-
52641 arch/x86/lib/iomap_copy_64.S | 2 +
52642 arch/x86/lib/memcpy_64.S | 18 +-
52643 arch/x86/lib/memmove_64.S | 34 +-
52644 arch/x86/lib/memset_64.S | 7 +-
52645 arch/x86/lib/mmx_32.c | 243 +-
52646 arch/x86/lib/msr-reg.S | 18 +-
52647 arch/x86/lib/putuser.S | 90 +-
52648 arch/x86/lib/rwlock.S | 42 +
52649 arch/x86/lib/rwsem.S | 6 +-
52650 arch/x86/lib/thunk_64.S | 2 +
52651 arch/x86/lib/usercopy_32.c | 376 +-
52652 arch/x86/lib/usercopy_64.c | 25 +-
52653 arch/x86/mm/extable.c | 25 +-
52654 arch/x86/mm/fault.c | 556 ++-
52655 arch/x86/mm/gup.c | 2 +-
52656 arch/x86/mm/highmem_32.c | 4 +
52657 arch/x86/mm/hugetlbpage.c | 30 +-
52658 arch/x86/mm/init.c | 90 +-
52659 arch/x86/mm/init_32.c | 119 +-
52660 arch/x86/mm/init_64.c | 44 +-
52661 arch/x86/mm/iomap_32.c | 4 +
52662 arch/x86/mm/ioremap.c | 15 +-
52663 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
52664 arch/x86/mm/mmap.c | 41 +-
52665 arch/x86/mm/mmio-mod.c | 10 +-
52666 arch/x86/mm/numa.c | 2 +-
52667 arch/x86/mm/pageattr-test.c | 2 +-
52668 arch/x86/mm/pageattr.c | 33 +-
52669 arch/x86/mm/pat.c | 12 +-
52670 arch/x86/mm/pf_in.c | 10 +-
52671 arch/x86/mm/pgtable.c | 137 +-
52672 arch/x86/mm/pgtable_32.c | 3 +
52673 arch/x86/mm/physaddr.c | 4 +-
52674 arch/x86/mm/setup_nx.c | 7 +
52675 arch/x86/mm/tlb.c | 4 +
52676 arch/x86/net/bpf_jit.S | 14 +
52677 arch/x86/net/bpf_jit_comp.c | 37 +-
52678 arch/x86/oprofile/backtrace.c | 8 +-
52679 arch/x86/oprofile/nmi_int.c | 8 +-
52680 arch/x86/oprofile/op_model_amd.c | 8 +-
52681 arch/x86/oprofile/op_model_ppro.c | 7 +-
52682 arch/x86/oprofile/op_x86_model.h | 2 +-
52683 arch/x86/pci/amd_bus.c | 2 +-
52684 arch/x86/pci/irq.c | 8 +-
52685 arch/x86/pci/mrst.c | 4 +-
52686 arch/x86/pci/pcbios.c | 144 +-
52687 arch/x86/platform/efi/efi_32.c | 19 +
52688 arch/x86/platform/efi/efi_stub_32.S | 64 +-
52689 arch/x86/platform/efi/efi_stub_64.S | 8 +
52690 arch/x86/platform/mrst/mrst.c | 6 +-
52691 arch/x86/platform/olpc/olpc_dt.c | 2 +-
52692 arch/x86/power/cpu.c | 4 +-
52693 arch/x86/realmode/init.c | 8 +-
52694 arch/x86/realmode/rm/Makefile | 3 +
52695 arch/x86/realmode/rm/header.S | 4 +-
52696 arch/x86/realmode/rm/trampoline_32.S | 12 +-
52697 arch/x86/realmode/rm/trampoline_64.S | 2 +-
52698 arch/x86/tools/relocs.c | 95 +-
52699 arch/x86/vdso/Makefile | 2 +-
52700 arch/x86/vdso/vdso32-setup.c | 23 +-
52701 arch/x86/vdso/vma.c | 29 +-
52702 arch/x86/xen/enlighten.c | 47 +-
52703 arch/x86/xen/mmu.c | 9 +
52704 arch/x86/xen/smp.c | 18 +-
52705 arch/x86/xen/xen-asm_32.S | 12 +-
52706 arch/x86/xen/xen-head.S | 11 +
52707 arch/x86/xen/xen-ops.h | 2 -
52708 block/blk-iopoll.c | 4 +-
52709 block/blk-map.c | 2 +-
52710 block/blk-softirq.c | 4 +-
52711 block/bsg.c | 12 +-
52712 block/compat_ioctl.c | 2 +-
52713 block/partitions/efi.c | 8 +-
52714 block/scsi_ioctl.c | 27 +-
52715 crypto/cryptd.c | 4 +-
52716 drivers/acpi/apei/apei-internal.h | 2 +-
52717 drivers/acpi/apei/cper.c | 8 +-
52718 drivers/acpi/bgrt.c | 6 +-
52719 drivers/acpi/blacklist.c | 4 +-
52720 drivers/acpi/ec_sys.c | 12 +-
52721 drivers/acpi/processor_idle.c | 2 +-
52722 drivers/acpi/sysfs.c | 4 +-
52723 drivers/ata/libahci.c | 2 +-
52724 drivers/ata/libata-core.c | 8 +-
52725 drivers/ata/pata_arasan_cf.c | 4 +-
52726 drivers/atm/adummy.c | 2 +-
52727 drivers/atm/ambassador.c | 8 +-
52728 drivers/atm/atmtcp.c | 14 +-
52729 drivers/atm/eni.c | 10 +-
52730 drivers/atm/firestream.c | 8 +-
52731 drivers/atm/fore200e.c | 14 +-
52732 drivers/atm/he.c | 18 +-
52733 drivers/atm/horizon.c | 4 +-
52734 drivers/atm/idt77252.c | 36 +-
52735 drivers/atm/iphase.c | 34 +-
52736 drivers/atm/lanai.c | 12 +-
52737 drivers/atm/nicstar.c | 46 +-
52738 drivers/atm/solos-pci.c | 4 +-
52739 drivers/atm/suni.c | 4 +-
52740 drivers/atm/uPD98402.c | 16 +-
52741 drivers/atm/zatm.c | 6 +-
52742 drivers/base/bus.c | 4 +-
52743 drivers/base/devtmpfs.c | 2 +-
52744 drivers/base/node.c | 2 +-
52745 drivers/base/power/domain.c | 4 +-
52746 drivers/base/power/wakeup.c | 8 +-
52747 drivers/base/syscore.c | 4 +-
52748 drivers/block/cciss.c | 28 +-
52749 drivers/block/cciss.h | 2 +-
52750 drivers/block/cpqarray.c | 28 +-
52751 drivers/block/cpqarray.h | 2 +-
52752 drivers/block/drbd/drbd_int.h | 6 +-
52753 drivers/block/drbd/drbd_main.c | 8 +-
52754 drivers/block/drbd/drbd_receiver.c | 22 +-
52755 drivers/block/loop.c | 2 +-
52756 drivers/block/pktcdvd.c | 2 +-
52757 drivers/cdrom/cdrom.c | 9 +-
52758 drivers/cdrom/gdrom.c | 1 -
52759 drivers/char/agp/frontend.c | 2 +-
52760 drivers/char/hpet.c | 2 +-
52761 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
52762 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
52763 drivers/char/mem.c | 41 +-
52764 drivers/char/nvram.c | 2 +-
52765 drivers/char/pcmcia/synclink_cs.c | 18 +-
52766 drivers/char/random.c | 10 +-
52767 drivers/char/sonypi.c | 9 +-
52768 drivers/char/tpm/tpm_acpi.c | 3 +-
52769 drivers/char/tpm/tpm_eventlog.c | 7 +-
52770 drivers/char/virtio_console.c | 4 +-
52771 drivers/clocksource/arm_arch_timer.c | 2 +-
52772 drivers/clocksource/metag_generic.c | 2 +-
52773 drivers/cpufreq/acpi-cpufreq.c | 20 +-
52774 drivers/cpufreq/cpufreq.c | 9 +-
52775 drivers/cpufreq/cpufreq_governor.c | 4 +-
52776 drivers/cpufreq/cpufreq_governor.h | 2 +-
52777 drivers/cpufreq/cpufreq_stats.c | 2 +-
52778 drivers/cpufreq/p4-clockmod.c | 12 +-
52779 drivers/cpufreq/speedstep-centrino.c | 7 +-
52780 drivers/cpuidle/cpuidle.c | 2 +-
52781 drivers/cpuidle/governor.c | 4 +-
52782 drivers/cpuidle/sysfs.c | 2 +-
52783 drivers/devfreq/devfreq.c | 4 +-
52784 drivers/dma/sh/shdma.c | 2 +-
52785 drivers/edac/edac_mc_sysfs.c | 12 +-
52786 drivers/edac/edac_pci_sysfs.c | 22 +-
52787 drivers/edac/mce_amd.h | 2 +-
52788 drivers/firewire/core-card.c | 2 +-
52789 drivers/firewire/core-cdev.c | 3 +-
52790 drivers/firewire/core-device.c | 2 +-
52791 drivers/firewire/core-transaction.c | 1 +
52792 drivers/firewire/core.h | 1 +
52793 drivers/firmware/dmi-id.c | 2 +-
52794 drivers/firmware/dmi_scan.c | 7 +-
52795 drivers/firmware/efivars.c | 4 +-
52796 drivers/firmware/google/memconsole.c | 4 +-
52797 drivers/gpio/gpio-ich.c | 2 +-
52798 drivers/gpio/gpio-vr41xx.c | 2 +-
52799 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
52800 drivers/gpu/drm/drm_drv.c | 6 +-
52801 drivers/gpu/drm/drm_fops.c | 18 +-
52802 drivers/gpu/drm/drm_global.c | 14 +-
52803 drivers/gpu/drm/drm_info.c | 14 +-
52804 drivers/gpu/drm/drm_ioc32.c | 13 +-
52805 drivers/gpu/drm/drm_ioctl.c | 2 +-
52806 drivers/gpu/drm/drm_lock.c | 4 +-
52807 drivers/gpu/drm/drm_stub.c | 2 +-
52808 drivers/gpu/drm/i810/i810_dma.c | 8 +-
52809 drivers/gpu/drm/i810/i810_drv.h | 4 +-
52810 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
52811 drivers/gpu/drm/i915/i915_dma.c | 2 +-
52812 drivers/gpu/drm/i915/i915_drv.h | 4 +-
52813 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
52814 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
52815 drivers/gpu/drm/i915/i915_irq.c | 22 +-
52816 drivers/gpu/drm/i915/intel_display.c | 26 +-
52817 drivers/gpu/drm/mga/mga_drv.h | 4 +-
52818 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
52819 drivers/gpu/drm/mga/mga_irq.c | 8 +-
52820 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
52821 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
52822 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
52823 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
52824 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
52825 drivers/gpu/drm/r128/r128_cce.c | 2 +-
52826 drivers/gpu/drm/r128/r128_drv.h | 4 +-
52827 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
52828 drivers/gpu/drm/r128/r128_irq.c | 4 +-
52829 drivers/gpu/drm/r128/r128_state.c | 4 +-
52830 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
52831 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
52832 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
52833 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
52834 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
52835 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
52836 drivers/gpu/drm/radeon/radeon_ttm.c | 37 +-
52837 drivers/gpu/drm/radeon/rs690.c | 4 +-
52838 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
52839 drivers/gpu/drm/udl/udl_fb.c | 1 -
52840 drivers/gpu/drm/via/via_drv.h | 4 +-
52841 drivers/gpu/drm/via/via_irq.c | 18 +-
52842 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
52843 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
52844 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
52845 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
52846 drivers/hid/hid-core.c | 4 +-
52847 drivers/hv/channel.c | 4 +-
52848 drivers/hv/hv.c | 2 +-
52849 drivers/hv/hyperv_vmbus.h | 2 +-
52850 drivers/hv/vmbus_drv.c | 4 +-
52851 drivers/hwmon/acpi_power_meter.c | 4 +-
52852 drivers/hwmon/applesmc.c | 2 +-
52853 drivers/hwmon/asus_atk0110.c | 10 +-
52854 drivers/hwmon/coretemp.c | 2 +-
52855 drivers/hwmon/ibmaem.c | 2 +-
52856 drivers/hwmon/sht15.c | 12 +-
52857 drivers/hwmon/via-cputemp.c | 2 +-
52858 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
52859 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
52860 drivers/ide/ide-cd.c | 2 +-
52861 drivers/iio/industrialio-core.c | 2 +-
52862 drivers/infiniband/core/cm.c | 32 +-
52863 drivers/infiniband/core/fmr_pool.c | 20 +-
52864 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
52865 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
52866 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
52867 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
52868 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
52869 drivers/infiniband/hw/nes/nes.c | 4 +-
52870 drivers/infiniband/hw/nes/nes.h | 40 +-
52871 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
52872 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
52873 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
52874 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
52875 drivers/infiniband/hw/qib/qib.h | 1 +
52876 drivers/input/gameport/gameport.c | 4 +-
52877 drivers/input/input.c | 4 +-
52878 drivers/input/joystick/sidewinder.c | 1 +
52879 drivers/input/joystick/xpad.c | 4 +-
52880 drivers/input/mouse/psmouse.h | 2 +-
52881 drivers/input/mousedev.c | 2 +-
52882 drivers/input/serio/serio.c | 4 +-
52883 drivers/iommu/iommu.c | 2 +-
52884 drivers/iommu/irq_remapping.c | 10 +-
52885 drivers/irqchip/irq-gic.c | 4 +-
52886 drivers/isdn/capi/capi.c | 10 +-
52887 drivers/isdn/gigaset/interface.c | 8 +-
52888 drivers/isdn/hardware/avm/b1.c | 4 +-
52889 drivers/isdn/i4l/isdn_tty.c | 22 +-
52890 drivers/isdn/icn/icn.c | 2 +-
52891 drivers/leds/leds-clevo-mail.c | 2 +-
52892 drivers/leds/leds-ss4200.c | 2 +-
52893 drivers/lguest/core.c | 10 +-
52894 drivers/lguest/page_tables.c | 2 +-
52895 drivers/lguest/x86/core.c | 12 +-
52896 drivers/lguest/x86/switcher_32.S | 27 +-
52897 drivers/md/bitmap.c | 2 +-
52898 drivers/md/dm-ioctl.c | 2 +-
52899 drivers/md/dm-raid1.c | 16 +-
52900 drivers/md/dm-stripe.c | 10 +-
52901 drivers/md/dm-table.c | 2 +-
52902 drivers/md/dm-thin-metadata.c | 4 +-
52903 drivers/md/dm.c | 16 +-
52904 drivers/md/md.c | 26 +-
52905 drivers/md/md.h | 6 +-
52906 drivers/md/persistent-data/dm-space-map.h | 1 +
52907 drivers/md/raid1.c | 4 +-
52908 drivers/md/raid10.c | 16 +-
52909 drivers/md/raid5.c | 10 +-
52910 drivers/media/dvb-core/dvbdev.c | 2 +-
52911 drivers/media/dvb-frontends/dib3000.h | 2 +-
52912 drivers/media/pci/cx88/cx88-video.c | 6 +-
52913 drivers/media/platform/omap/omap_vout.c | 11 +-
52914 drivers/media/platform/s5p-tv/mixer.h | 2 +-
52915 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
52916 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
52917 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
52918 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
52919 drivers/media/radio/radio-cadet.c | 2 +
52920 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
52921 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
52922 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
52923 drivers/message/fusion/mptsas.c | 34 +-
52924 drivers/message/fusion/mptscsih.c | 19 +-
52925 drivers/message/i2o/i2o_proc.c | 51 +-
52926 drivers/message/i2o/iop.c | 8 +-
52927 drivers/mfd/janz-cmodio.c | 1 +
52928 drivers/mfd/twl4030-irq.c | 9 +-
52929 drivers/mfd/twl6030-irq.c | 10 +-
52930 drivers/misc/c2port/core.c | 4 +-
52931 drivers/misc/kgdbts.c | 4 +-
52932 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
52933 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
52934 drivers/misc/sgi-gru/gruhandles.c | 4 +-
52935 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
52936 drivers/misc/sgi-gru/grutables.h | 154 +-
52937 drivers/misc/sgi-xp/xp.h | 2 +-
52938 drivers/misc/sgi-xp/xpc.h | 3 +-
52939 drivers/misc/sgi-xp/xpc_main.c | 4 +-
52940 drivers/mmc/core/mmc_ops.c | 2 +-
52941 drivers/mmc/host/dw_mmc.h | 2 +-
52942 drivers/mmc/host/sdhci-s3c.c | 8 +-
52943 drivers/mtd/devices/doc2000.c | 2 +-
52944 drivers/mtd/nand/denali.c | 1 +
52945 drivers/mtd/nftlmount.c | 1 +
52946 drivers/mtd/sm_ftl.c | 2 +-
52947 drivers/net/bonding/bond_main.c | 2 +-
52948 drivers/net/ethernet/8390/ax88796.c | 4 +-
52949 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
52950 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
52951 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
52952 drivers/net/ethernet/broadcom/tg3.h | 1 +
52953 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
52954 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
52955 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
52956 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
52957 drivers/net/ethernet/faraday/ftmac100.c | 2 +
52958 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
52959 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
52960 drivers/net/ethernet/realtek/r8169.c | 8 +-
52961 drivers/net/ethernet/sfc/ptp.c | 2 +-
52962 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
52963 drivers/net/hyperv/hyperv_net.h | 2 +-
52964 drivers/net/hyperv/rndis_filter.c | 4 +-
52965 drivers/net/ieee802154/fakehard.c | 2 +-
52966 drivers/net/macvlan.c | 18 +-
52967 drivers/net/macvtap.c | 2 +-
52968 drivers/net/ppp/ppp_generic.c | 4 +-
52969 drivers/net/slip/slhc.c | 2 +-
52970 drivers/net/team/team.c | 2 +-
52971 drivers/net/tun.c | 5 +-
52972 drivers/net/usb/hso.c | 23 +-
52973 drivers/net/vxlan.c | 2 +-
52974 drivers/net/wireless/at76c50x-usb.c | 2 +-
52975 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
52976 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
52977 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
52978 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
52979 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
52980 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
52981 drivers/net/wireless/mac80211_hwsim.c | 32 +-
52982 drivers/net/wireless/rndis_wlan.c | 2 +-
52983 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
52984 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
52985 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
52986 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
52987 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
52988 drivers/oprofile/buffer_sync.c | 8 +-
52989 drivers/oprofile/event_buffer.c | 2 +-
52990 drivers/oprofile/oprof.c | 2 +-
52991 drivers/oprofile/oprofile_files.c | 2 +-
52992 drivers/oprofile/oprofile_stats.c | 10 +-
52993 drivers/oprofile/oprofile_stats.h | 10 +-
52994 drivers/oprofile/oprofilefs.c | 2 +-
52995 drivers/oprofile/timer_int.c | 2 +-
52996 drivers/parport/procfs.c | 4 +-
52997 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
52998 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
52999 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
53000 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
53001 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
53002 drivers/pci/hotplug/pciehp_core.c | 2 +-
53003 drivers/pci/pci-sysfs.c | 6 +-
53004 drivers/pci/pci.h | 2 +-
53005 drivers/pci/pcie/aspm.c | 6 +-
53006 drivers/pci/probe.c | 2 +-
53007 drivers/platform/x86/msi-laptop.c | 14 +-
53008 drivers/platform/x86/sony-laptop.c | 2 +-
53009 drivers/platform/x86/thinkpad_acpi.c | 70 +-
53010 drivers/pnp/pnpbios/bioscalls.c | 14 +-
53011 drivers/pnp/resource.c | 4 +-
53012 drivers/power/pda_power.c | 7 +-
53013 drivers/power/power_supply.h | 4 +-
53014 drivers/power/power_supply_core.c | 7 +-
53015 drivers/power/power_supply_sysfs.c | 6 +-
53016 drivers/regulator/max8660.c | 6 +-
53017 drivers/regulator/max8973-regulator.c | 8 +-
53018 drivers/regulator/mc13892-regulator.c | 6 +-
53019 drivers/rtc/rtc-cmos.c | 4 +-
53020 drivers/rtc/rtc-ds1307.c | 2 +-
53021 drivers/rtc/rtc-m48t59.c | 4 +-
53022 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
53023 drivers/scsi/bfa/bfa_ioc.h | 4 +-
53024 drivers/scsi/hosts.c | 4 +-
53025 drivers/scsi/hpsa.c | 30 +-
53026 drivers/scsi/hpsa.h | 2 +-
53027 drivers/scsi/libfc/fc_exch.c | 50 +-
53028 drivers/scsi/libsas/sas_ata.c | 2 +-
53029 drivers/scsi/lpfc/lpfc.h | 8 +-
53030 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
53031 drivers/scsi/lpfc/lpfc_init.c | 6 +-
53032 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
53033 drivers/scsi/pmcraid.c | 20 +-
53034 drivers/scsi/pmcraid.h | 8 +-
53035 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
53036 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
53037 drivers/scsi/qla2xxx/qla_os.c | 6 +-
53038 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
53039 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
53040 drivers/scsi/scsi.c | 2 +-
53041 drivers/scsi/scsi_lib.c | 6 +-
53042 drivers/scsi/scsi_sysfs.c | 2 +-
53043 drivers/scsi/scsi_tgt_lib.c | 2 +-
53044 drivers/scsi/scsi_transport_fc.c | 8 +-
53045 drivers/scsi/scsi_transport_iscsi.c | 6 +-
53046 drivers/scsi/scsi_transport_srp.c | 6 +-
53047 drivers/scsi/sd.c | 2 +-
53048 drivers/scsi/sg.c | 2 +-
53049 drivers/spi/spi.c | 2 +-
53050 drivers/staging/iio/iio_hwmon.c | 2 +-
53051 drivers/staging/octeon/ethernet-rx.c | 12 +-
53052 drivers/staging/octeon/ethernet.c | 8 +-
53053 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
53054 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
53055 drivers/staging/usbip/vhci.h | 2 +-
53056 drivers/staging/usbip/vhci_hcd.c | 6 +-
53057 drivers/staging/usbip/vhci_rx.c | 2 +-
53058 drivers/staging/vt6655/hostap.c | 7 +-
53059 drivers/staging/vt6656/hostap.c | 7 +-
53060 drivers/staging/zcache/tmem.c | 4 +-
53061 drivers/staging/zcache/tmem.h | 2 +
53062 drivers/target/target_core_device.c | 2 +-
53063 drivers/target/target_core_transport.c | 2 +-
53064 drivers/tty/cyclades.c | 6 +-
53065 drivers/tty/hvc/hvc_console.c | 14 +-
53066 drivers/tty/hvc/hvcs.c | 21 +-
53067 drivers/tty/ipwireless/tty.c | 27 +-
53068 drivers/tty/moxa.c | 2 +-
53069 drivers/tty/n_gsm.c | 4 +-
53070 drivers/tty/n_tty.c | 3 +-
53071 drivers/tty/pty.c | 4 +-
53072 drivers/tty/rocket.c | 6 +-
53073 drivers/tty/serial/kgdboc.c | 32 +-
53074 drivers/tty/serial/samsung.c | 9 +-
53075 drivers/tty/serial/serial_core.c | 8 +-
53076 drivers/tty/synclink.c | 34 +-
53077 drivers/tty/synclink_gt.c | 28 +-
53078 drivers/tty/synclinkmp.c | 34 +-
53079 drivers/tty/tty_io.c | 2 +-
53080 drivers/tty/tty_ldisc.c | 10 +-
53081 drivers/tty/tty_port.c | 22 +-
53082 drivers/uio/uio.c | 21 +-
53083 drivers/usb/atm/cxacru.c | 2 +-
53084 drivers/usb/atm/usbatm.c | 24 +-
53085 drivers/usb/core/devices.c | 6 +-
53086 drivers/usb/core/hcd.c | 4 +-
53087 drivers/usb/core/message.c | 2 +-
53088 drivers/usb/core/sysfs.c | 2 +-
53089 drivers/usb/core/usb.c | 2 +-
53090 drivers/usb/early/ehci-dbgp.c | 16 +-
53091 drivers/usb/gadget/u_serial.c | 22 +-
53092 drivers/usb/serial/console.c | 6 +-
53093 drivers/usb/storage/usb.h | 2 +-
53094 drivers/usb/wusbcore/wa-hc.h | 4 +-
53095 drivers/usb/wusbcore/wa-xfer.c | 2 +-
53096 drivers/video/aty/aty128fb.c | 2 +-
53097 drivers/video/aty/atyfb_base.c | 8 +-
53098 drivers/video/aty/mach64_cursor.c | 5 +-
53099 drivers/video/backlight/kb3886_bl.c | 2 +-
53100 drivers/video/fb_defio.c | 6 +-
53101 drivers/video/fbcmap.c | 3 +-
53102 drivers/video/fbmem.c | 6 +-
53103 drivers/video/i810/i810_accel.c | 1 +
53104 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
53105 drivers/video/nvidia/nvidia.c | 27 +-
53106 drivers/video/s1d13xxxfb.c | 6 +-
53107 drivers/video/smscufx.c | 4 +-
53108 drivers/video/udlfb.c | 36 +-
53109 drivers/video/uvesafb.c | 53 +-
53110 drivers/video/vesafb.c | 58 +-
53111 drivers/video/via/via_clock.h | 2 +-
53112 fs/9p/vfs_inode.c | 2 +-
53113 fs/Kconfig.binfmt | 2 +-
53114 fs/aio.c | 11 +-
53115 fs/autofs4/waitq.c | 2 +-
53116 fs/befs/endian.h | 4 +-
53117 fs/befs/linuxvfs.c | 2 +-
53118 fs/binfmt_aout.c | 23 +-
53119 fs/binfmt_elf.c | 605 +++-
53120 fs/binfmt_flat.c | 6 +
53121 fs/bio.c | 6 +-
53122 fs/block_dev.c | 2 +-
53123 fs/btrfs/ctree.c | 9 +-
53124 fs/btrfs/super.c | 2 +-
53125 fs/cachefiles/bind.c | 6 +-
53126 fs/cachefiles/daemon.c | 8 +-
53127 fs/cachefiles/internal.h | 12 +-
53128 fs/cachefiles/namei.c | 2 +-
53129 fs/cachefiles/proc.c | 12 +-
53130 fs/cachefiles/rdwr.c | 2 +-
53131 fs/ceph/dir.c | 2 +-
53132 fs/cifs/cifs_debug.c | 12 +-
53133 fs/cifs/cifsfs.c | 8 +-
53134 fs/cifs/cifsglob.h | 54 +-
53135 fs/cifs/link.c | 2 +-
53136 fs/cifs/misc.c | 4 +-
53137 fs/cifs/smb1ops.c | 80 +-
53138 fs/cifs/smb2ops.c | 84 +-
53139 fs/cifs/smb2pdu.c | 3 +-
53140 fs/coda/cache.c | 10 +-
53141 fs/compat.c | 6 +-
53142 fs/compat_binfmt_elf.c | 2 +
53143 fs/compat_ioctl.c | 8 +-
53144 fs/configfs/dir.c | 10 +-
53145 fs/coredump.c | 24 +-
53146 fs/dcache.c | 2 +-
53147 fs/ecryptfs/inode.c | 4 +-
53148 fs/ecryptfs/miscdev.c | 2 +-
53149 fs/ecryptfs/read_write.c | 2 +-
53150 fs/exec.c | 362 ++-
53151 fs/ext4/ext4.h | 20 +-
53152 fs/ext4/mballoc.c | 44 +-
53153 fs/ext4/super.c | 2 +-
53154 fs/fhandle.c | 3 +-
53155 fs/fifo.c | 22 +-
53156 fs/fs_struct.c | 8 +-
53157 fs/fscache/cookie.c | 36 +-
53158 fs/fscache/internal.h | 196 +-
53159 fs/fscache/object.c | 28 +-
53160 fs/fscache/operation.c | 30 +-
53161 fs/fscache/page.c | 110 +-
53162 fs/fscache/stats.c | 344 +-
53163 fs/fuse/cuse.c | 10 +-
53164 fs/fuse/dev.c | 2 +-
53165 fs/fuse/dir.c | 2 +-
53166 fs/gfs2/inode.c | 2 +-
53167 fs/hugetlbfs/inode.c | 13 +-
53168 fs/inode.c | 4 +-
53169 fs/jffs2/erase.c | 3 +-
53170 fs/jffs2/wbuf.c | 3 +-
53171 fs/jfs/super.c | 6 +-
53172 fs/libfs.c | 10 +-
53173 fs/lockd/clntproc.c | 4 +-
53174 fs/locks.c | 8 +-
53175 fs/namei.c | 15 +-
53176 fs/namespace.c | 2 +-
53177 fs/nfs/callback_xdr.c | 2 +-
53178 fs/nfs/inode.c | 6 +-
53179 fs/nfsd/nfs4proc.c | 2 +-
53180 fs/nfsd/nfs4xdr.c | 6 +-
53181 fs/nfsd/nfscache.c | 8 +-
53182 fs/nfsd/vfs.c | 6 +-
53183 fs/nls/nls_base.c | 18 +-
53184 fs/nls/nls_euc-jp.c | 6 +-
53185 fs/nls/nls_koi8-ru.c | 6 +-
53186 fs/notify/fanotify/fanotify_user.c | 4 +-
53187 fs/notify/notification.c | 4 +-
53188 fs/ntfs/dir.c | 2 +-
53189 fs/ntfs/file.c | 4 +-
53190 fs/ocfs2/localalloc.c | 2 +-
53191 fs/ocfs2/ocfs2.h | 10 +-
53192 fs/ocfs2/suballoc.c | 12 +-
53193 fs/ocfs2/super.c | 20 +-
53194 fs/pipe.c | 33 +-
53195 fs/proc/array.c | 20 +
53196 fs/proc/base.c | 4 +-
53197 fs/proc/kcore.c | 32 +-
53198 fs/proc/meminfo.c | 2 +-
53199 fs/proc/nommu.c | 2 +-
53200 fs/proc/proc_sysctl.c | 18 +-
53201 fs/proc/self.c | 2 +-
53202 fs/proc/task_mmu.c | 39 +-
53203 fs/proc/task_nommu.c | 4 +-
53204 fs/qnx6/qnx6.h | 4 +-
53205 fs/quota/netlink.c | 4 +-
53206 fs/readdir.c | 2 +-
53207 fs/reiserfs/do_balan.c | 2 +-
53208 fs/reiserfs/procfs.c | 2 +-
53209 fs/reiserfs/reiserfs.h | 4 +-
53210 fs/seq_file.c | 2 +-
53211 fs/splice.c | 36 +-
53212 fs/sysfs/bin.c | 6 +-
53213 fs/sysfs/dir.c | 2 +-
53214 fs/sysfs/file.c | 10 +-
53215 fs/sysfs/symlink.c | 2 +-
53216 fs/sysv/sysv.h | 2 +-
53217 fs/ubifs/io.c | 2 +-
53218 fs/udf/misc.c | 2 +-
53219 fs/ufs/swab.h | 4 +-
53220 fs/xattr.c | 21 +
53221 fs/xattr_acl.c | 4 +-
53222 fs/xfs/xfs_bmap.c | 2 +-
53223 fs/xfs/xfs_dir2_sf.c | 10 +-
53224 fs/xfs/xfs_ioctl.c | 2 +-
53225 fs/xfs/xfs_iops.c | 2 +-
53226 include/asm-generic/4level-fixup.h | 2 +
53227 include/asm-generic/atomic-long.h | 210 +
53228 include/asm-generic/atomic.h | 2 +-
53229 include/asm-generic/atomic64.h | 12 +
53230 include/asm-generic/cache.h | 4 +-
53231 include/asm-generic/emergency-restart.h | 2 +-
53232 include/asm-generic/kmap_types.h | 4 +-
53233 include/asm-generic/local.h | 13 +
53234 include/asm-generic/pgtable-nopmd.h | 18 +-
53235 include/asm-generic/pgtable-nopud.h | 15 +-
53236 include/asm-generic/pgtable.h | 8 +
53237 include/asm-generic/vmlinux.lds.h | 10 +-
53238 include/crypto/algapi.h | 2 +-
53239 include/drm/drmP.h | 17 +-
53240 include/drm/drm_crtc_helper.h | 2 +-
53241 include/drm/ttm/ttm_memory.h | 2 +-
53242 include/keys/asymmetric-subtype.h | 2 +-
53243 include/linux/atmdev.h | 4 +-
53244 include/linux/binfmts.h | 3 +-
53245 include/linux/blkdev.h | 2 +-
53246 include/linux/blktrace_api.h | 2 +-
53247 include/linux/cache.h | 4 +
53248 include/linux/cdrom.h | 1 -
53249 include/linux/cleancache.h | 2 +-
53250 include/linux/compat.h | 6 +-
53251 include/linux/compiler-gcc4.h | 20 +
53252 include/linux/compiler.h | 65 +-
53253 include/linux/completion.h | 6 +-
53254 include/linux/configfs.h | 2 +-
53255 include/linux/cpu.h | 2 +-
53256 include/linux/cpufreq.h | 3 +-
53257 include/linux/cpuidle.h | 5 +-
53258 include/linux/cpumask.h | 12 +-
53259 include/linux/crypto.h | 6 +-
53260 include/linux/ctype.h | 2 +-
53261 include/linux/decompress/mm.h | 2 +-
53262 include/linux/devfreq.h | 2 +-
53263 include/linux/device.h | 7 +-
53264 include/linux/dma-mapping.h | 2 +-
53265 include/linux/dmaengine.h | 4 +-
53266 include/linux/efi.h | 1 +
53267 include/linux/elf.h | 2 +
53268 include/linux/err.h | 4 +-
53269 include/linux/extcon.h | 2 +-
53270 include/linux/fb.h | 2 +-
53271 include/linux/filter.h | 4 +
53272 include/linux/frontswap.h | 2 +-
53273 include/linux/fs.h | 3 +-
53274 include/linux/fs_struct.h | 2 +-
53275 include/linux/fscache-cache.h | 4 +-
53276 include/linux/fscache.h | 2 +-
53277 include/linux/fsnotify.h | 2 +-
53278 include/linux/ftrace_event.h | 2 +-
53279 include/linux/genhd.h | 2 +-
53280 include/linux/genl_magic_func.h | 2 +-
53281 include/linux/gfp.h | 12 +-
53282 include/linux/highmem.h | 12 +
53283 include/linux/hwmon-sysfs.h | 5 +-
53284 include/linux/i2c.h | 1 +
53285 include/linux/i2o.h | 2 +-
53286 include/linux/if_pppox.h | 2 +-
53287 include/linux/init.h | 33 +-
53288 include/linux/init_task.h | 7 +
53289 include/linux/interrupt.h | 8 +-
53290 include/linux/iommu.h | 2 +-
53291 include/linux/ioport.h | 2 +-
53292 include/linux/irq.h | 3 +-
53293 include/linux/irqchip/arm-gic.h | 2 +-
53294 include/linux/key-type.h | 2 +-
53295 include/linux/kgdb.h | 6 +-
53296 include/linux/kobject.h | 3 +-
53297 include/linux/kobject_ns.h | 2 +-
53298 include/linux/kref.h | 2 +-
53299 include/linux/kvm_host.h | 4 +-
53300 include/linux/libata.h | 2 +-
53301 include/linux/list.h | 15 +
53302 include/linux/math64.h | 6 +-
53303 include/linux/mm.h | 110 +-
53304 include/linux/mm_types.h | 20 +
53305 include/linux/mmiotrace.h | 4 +-
53306 include/linux/mmzone.h | 2 +-
53307 include/linux/mod_devicetable.h | 6 +-
53308 include/linux/module.h | 60 +-
53309 include/linux/moduleloader.h | 16 +
53310 include/linux/moduleparam.h | 4 +-
53311 include/linux/namei.h | 6 +-
53312 include/linux/net.h | 2 +-
53313 include/linux/netdevice.h | 3 +-
53314 include/linux/netfilter.h | 2 +-
53315 include/linux/netfilter/ipset/ip_set.h | 2 +-
53316 include/linux/netfilter/nfnetlink.h | 2 +-
53317 include/linux/nls.h | 2 +-
53318 include/linux/notifier.h | 3 +-
53319 include/linux/oprofile.h | 4 +-
53320 include/linux/pci_hotplug.h | 3 +-
53321 include/linux/perf_event.h | 12 +-
53322 include/linux/pipe_fs_i.h | 6 +-
53323 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
53324 include/linux/platform_data/usb-exynos.h | 2 +-
53325 include/linux/pm_domain.h | 2 +-
53326 include/linux/pm_runtime.h | 2 +-
53327 include/linux/pnp.h | 2 +-
53328 include/linux/poison.h | 4 +-
53329 include/linux/power/smartreflex.h | 2 +-
53330 include/linux/ppp-comp.h | 2 +-
53331 include/linux/proc_fs.h | 2 +-
53332 include/linux/random.h | 5 +
53333 include/linux/rculist.h | 16 +
53334 include/linux/reboot.h | 14 +-
53335 include/linux/regset.h | 3 +-
53336 include/linux/relay.h | 2 +-
53337 include/linux/rio.h | 2 +-
53338 include/linux/rmap.h | 4 +-
53339 include/linux/sched.h | 67 +-
53340 include/linux/sched/sysctl.h | 1 +
53341 include/linux/seq_file.h | 1 +
53342 include/linux/skbuff.h | 12 +-
53343 include/linux/slab.h | 36 +-
53344 include/linux/slab_def.h | 33 +-
53345 include/linux/slob_def.h | 4 +-
53346 include/linux/slub_def.h | 10 +-
53347 include/linux/sock_diag.h | 2 +-
53348 include/linux/sonet.h | 2 +-
53349 include/linux/sunrpc/addr.h | 8 +-
53350 include/linux/sunrpc/clnt.h | 2 +-
53351 include/linux/sunrpc/svc.h | 2 +-
53352 include/linux/sunrpc/svc_rdma.h | 18 +-
53353 include/linux/sunrpc/svcauth.h | 2 +-
53354 include/linux/swiotlb.h | 3 +-
53355 include/linux/syscalls.h | 2 +-
53356 include/linux/syscore_ops.h | 2 +-
53357 include/linux/sysctl.h | 6 +-
53358 include/linux/sysfs.h | 10 +-
53359 include/linux/sysrq.h | 3 +-
53360 include/linux/thread_info.h | 7 +
53361 include/linux/tty.h | 4 +-
53362 include/linux/tty_driver.h | 2 +-
53363 include/linux/tty_ldisc.h | 2 +-
53364 include/linux/types.h | 16 +
53365 include/linux/uaccess.h | 6 +-
53366 include/linux/unaligned/access_ok.h | 24 +-
53367 include/linux/usb.h | 4 +-
53368 include/linux/usb/renesas_usbhs.h | 2 +-
53369 include/linux/vermagic.h | 21 +-
53370 include/linux/vmalloc.h | 11 +-
53371 include/linux/vmstat.h | 20 +-
53372 include/linux/xattr.h | 5 +-
53373 include/linux/zlib.h | 3 +-
53374 include/media/v4l2-dev.h | 2 +-
53375 include/media/v4l2-ioctl.h | 1 -
53376 include/net/9p/transport.h | 2 +-
53377 include/net/bluetooth/l2cap.h | 2 +-
53378 include/net/caif/cfctrl.h | 6 +-
53379 include/net/flow.h | 2 +-
53380 include/net/genetlink.h | 2 +-
53381 include/net/gro_cells.h | 2 +-
53382 include/net/inet_connection_sock.h | 2 +-
53383 include/net/inetpeer.h | 8 +-
53384 include/net/ip.h | 2 +-
53385 include/net/ip_fib.h | 2 +-
53386 include/net/ip_vs.h | 8 +-
53387 include/net/irda/ircomm_tty.h | 1 +
53388 include/net/iucv/af_iucv.h | 2 +-
53389 include/net/llc_c_ac.h | 2 +-
53390 include/net/llc_c_ev.h | 4 +-
53391 include/net/llc_c_st.h | 2 +-
53392 include/net/llc_s_ac.h | 2 +-
53393 include/net/llc_s_st.h | 2 +-
53394 include/net/mac80211.h | 2 +-
53395 include/net/neighbour.h | 2 +-
53396 include/net/net_namespace.h | 12 +-
53397 include/net/netdma.h | 2 +-
53398 include/net/netlink.h | 2 +-
53399 include/net/netns/conntrack.h | 6 +-
53400 include/net/netns/ipv4.h | 2 +-
53401 include/net/protocol.h | 4 +-
53402 include/net/rtnetlink.h | 2 +-
53403 include/net/sctp/sctp.h | 6 +-
53404 include/net/sctp/sm.h | 4 +-
53405 include/net/sctp/structs.h | 2 +-
53406 include/net/sock.h | 6 +-
53407 include/net/tcp.h | 8 +-
53408 include/net/xfrm.h | 8 +-
53409 include/rdma/iw_cm.h | 2 +-
53410 include/scsi/libfc.h | 3 +-
53411 include/scsi/scsi_device.h | 6 +-
53412 include/scsi/scsi_transport_fc.h | 3 +-
53413 include/sound/soc.h | 4 +-
53414 include/target/target_core_base.h | 2 +-
53415 include/trace/events/irq.h | 4 +-
53416 include/uapi/linux/a.out.h | 8 +
53417 include/uapi/linux/byteorder/little_endian.h | 28 +-
53418 include/uapi/linux/elf.h | 28 +
53419 include/uapi/linux/screen_info.h | 3 +-
53420 include/uapi/linux/swab.h | 6 +-
53421 include/uapi/linux/sysctl.h | 6 +-
53422 include/uapi/linux/xattr.h | 4 +
53423 include/video/udlfb.h | 8 +-
53424 include/video/uvesafb.h | 1 +
53425 init/Kconfig | 2 +-
53426 init/Makefile | 3 +
53427 init/do_mounts.c | 14 +-
53428 init/do_mounts.h | 8 +-
53429 init/do_mounts_initrd.c | 22 +-
53430 init/do_mounts_md.c | 6 +-
53431 init/init_task.c | 4 +
53432 init/initramfs.c | 40 +-
53433 init/main.c | 77 +-
53434 ipc/ipc_sysctl.c | 10 +-
53435 ipc/mq_sysctl.c | 2 +-
53436 ipc/msg.c | 11 +-
53437 ipc/sem.c | 11 +-
53438 ipc/shm.c | 17 +-
53439 kernel/acct.c | 2 +-
53440 kernel/audit.c | 8 +-
53441 kernel/auditsc.c | 4 +-
53442 kernel/capability.c | 3 +
53443 kernel/compat.c | 40 +-
53444 kernel/debug/debug_core.c | 16 +-
53445 kernel/debug/kdb/kdb_main.c | 4 +-
53446 kernel/events/core.c | 28 +-
53447 kernel/exit.c | 4 +-
53448 kernel/fork.c | 167 +-
53449 kernel/futex.c | 9 +
53450 kernel/futex_compat.c | 2 +-
53451 kernel/gcov/base.c | 7 +-
53452 kernel/hrtimer.c | 4 +-
53453 kernel/irq_work.c | 7 +-
53454 kernel/jump_label.c | 5 +
53455 kernel/kallsyms.c | 39 +-
53456 kernel/kexec.c | 3 +-
53457 kernel/kmod.c | 4 +-
53458 kernel/kprobes.c | 8 +-
53459 kernel/ksysfs.c | 2 +-
53460 kernel/lockdep.c | 7 +-
53461 kernel/module.c | 337 +-
53462 kernel/mutex-debug.c | 12 +-
53463 kernel/mutex-debug.h | 4 +-
53464 kernel/mutex.c | 7 +-
53465 kernel/notifier.c | 17 +-
53466 kernel/panic.c | 3 +-
53467 kernel/pid.c | 2 +-
53468 kernel/pid_namespace.c | 2 +-
53469 kernel/posix-cpu-timers.c | 4 +-
53470 kernel/posix-timers.c | 20 +-
53471 kernel/power/process.c | 12 +-
53472 kernel/profile.c | 14 +-
53473 kernel/ptrace.c | 8 +-
53474 kernel/rcupdate.c | 4 +-
53475 kernel/rcutiny.c | 4 +-
53476 kernel/rcutiny_plugin.h | 2 +-
53477 kernel/rcutorture.c | 56 +-
53478 kernel/rcutree.c | 68 +-
53479 kernel/rcutree.h | 24 +-
53480 kernel/rcutree_plugin.h | 20 +-
53481 kernel/rcutree_trace.c | 22 +-
53482 kernel/rtmutex-tester.c | 24 +-
53483 kernel/sched/auto_group.c | 4 +-
53484 kernel/sched/core.c | 51 +-
53485 kernel/sched/fair.c | 4 +-
53486 kernel/signal.c | 12 +-
53487 kernel/smp.c | 2 +-
53488 kernel/smpboot.c | 4 +-
53489 kernel/softirq.c | 18 +-
53490 kernel/srcu.c | 4 +-
53491 kernel/sys.c | 10 +-
53492 kernel/sysctl.c | 39 +-
53493 kernel/time.c | 2 +-
53494 kernel/time/alarmtimer.c | 2 +-
53495 kernel/time/tick-broadcast.c | 2 +-
53496 kernel/time/timer_stats.c | 10 +-
53497 kernel/timer.c | 6 +-
53498 kernel/trace/blktrace.c | 6 +-
53499 kernel/trace/ftrace.c | 20 +-
53500 kernel/trace/ring_buffer.c | 76 +-
53501 kernel/trace/trace.c | 8 +-
53502 kernel/trace/trace.h | 2 +-
53503 kernel/trace/trace_events.c | 25 +-
53504 kernel/trace/trace_mmiotrace.c | 8 +-
53505 kernel/trace/trace_output.c | 12 +-
53506 kernel/trace/trace_stack.c | 2 +-
53507 kernel/user_namespace.c | 2 +-
53508 kernel/utsname_sysctl.c | 2 +-
53509 kernel/watchdog.c | 2 +-
53510 lib/Kconfig.debug | 6 +-
53511 lib/Makefile | 2 +-
53512 lib/bitmap.c | 8 +-
53513 lib/bug.c | 2 +
53514 lib/debugobjects.c | 2 +-
53515 lib/devres.c | 4 +-
53516 lib/div64.c | 4 +-
53517 lib/dma-debug.c | 4 +-
53518 lib/inflate.c | 2 +-
53519 lib/ioremap.c | 4 +-
53520 lib/kobject.c | 4 +-
53521 lib/list_debug.c | 126 +-
53522 lib/radix-tree.c | 2 +-
53523 lib/strncpy_from_user.c | 2 +-
53524 lib/strnlen_user.c | 2 +-
53525 lib/swiotlb.c | 2 +-
53526 lib/vsprintf.c | 12 +-
53527 mm/Kconfig | 6 +-
53528 mm/filemap.c | 2 +-
53529 mm/fremap.c | 5 +
53530 mm/highmem.c | 7 +-
53531 mm/hugetlb.c | 70 +-
53532 mm/internal.h | 1 +
53533 mm/maccess.c | 4 +-
53534 mm/madvise.c | 41 +
53535 mm/memory-failure.c | 26 +-
53536 mm/memory.c | 424 ++-
53537 mm/mempolicy.c | 26 +
53538 mm/mlock.c | 16 +-
53539 mm/mmap.c | 576 ++-
53540 mm/mprotect.c | 139 +-
53541 mm/mremap.c | 44 +-
53542 mm/nommu.c | 21 +-
53543 mm/page-writeback.c | 4 +-
53544 mm/page_alloc.c | 41 +-
53545 mm/percpu.c | 2 +-
53546 mm/process_vm_access.c | 14 +-
53547 mm/rmap.c | 38 +-
53548 mm/shmem.c | 19 +-
53549 mm/slab.c | 105 +-
53550 mm/slab.h | 5 +-
53551 mm/slab_common.c | 11 +-
53552 mm/slob.c | 201 +-
53553 mm/slub.c | 99 +-
53554 mm/sparse-vmemmap.c | 4 +-
53555 mm/sparse.c | 2 +-
53556 mm/swap.c | 3 +
53557 mm/swapfile.c | 12 +-
53558 mm/util.c | 6 +
53559 mm/vmalloc.c | 82 +-
53560 mm/vmstat.c | 12 +-
53561 net/8021q/vlan.c | 5 +-
53562 net/9p/mod.c | 4 +-
53563 net/9p/trans_fd.c | 2 +-
53564 net/atm/atm_misc.c | 8 +-
53565 net/atm/lec.h | 2 +-
53566 net/atm/proc.c | 6 +-
53567 net/atm/resources.c | 4 +-
53568 net/ax25/sysctl_net_ax25.c | 2 +-
53569 net/batman-adv/bat_iv_ogm.c | 8 +-
53570 net/batman-adv/hard-interface.c | 4 +-
53571 net/batman-adv/soft-interface.c | 4 +-
53572 net/batman-adv/types.h | 6 +-
53573 net/batman-adv/unicast.c | 2 +-
53574 net/bluetooth/hci_sock.c | 2 +-
53575 net/bluetooth/l2cap_core.c | 6 +-
53576 net/bluetooth/l2cap_sock.c | 12 +-
53577 net/bluetooth/rfcomm/sock.c | 4 +-
53578 net/bluetooth/rfcomm/tty.c | 10 +-
53579 net/bridge/netfilter/ebtables.c | 6 +-
53580 net/caif/cfctrl.c | 11 +-
53581 net/can/af_can.c | 2 +-
53582 net/can/gw.c | 6 +-
53583 net/compat.c | 34 +-
53584 net/core/datagram.c | 2 +-
53585 net/core/dev.c | 16 +-
53586 net/core/flow.c | 8 +-
53587 net/core/iovec.c | 4 +-
53588 net/core/neighbour.c | 2 +-
53589 net/core/net-sysfs.c | 2 +-
53590 net/core/net_namespace.c | 8 +-
53591 net/core/rtnetlink.c | 13 +-
53592 net/core/scm.c | 8 +-
53593 net/core/sock.c | 24 +-
53594 net/core/sock_diag.c | 9 +-
53595 net/core/sysctl_net_core.c | 18 +-
53596 net/decnet/af_decnet.c | 1 +
53597 net/decnet/sysctl_net_decnet.c | 4 +-
53598 net/ipv4/af_inet.c | 8 +-
53599 net/ipv4/ah4.c | 2 +-
53600 net/ipv4/devinet.c | 14 +-
53601 net/ipv4/esp4.c | 2 +-
53602 net/ipv4/fib_frontend.c | 6 +-
53603 net/ipv4/fib_semantics.c | 2 +-
53604 net/ipv4/inet_connection_sock.c | 2 +-
53605 net/ipv4/inetpeer.c | 4 +-
53606 net/ipv4/ip_fragment.c | 15 +-
53607 net/ipv4/ip_gre.c | 6 +-
53608 net/ipv4/ip_sockglue.c | 2 +-
53609 net/ipv4/ip_vti.c | 4 +-
53610 net/ipv4/ipcomp.c | 2 +-
53611 net/ipv4/ipconfig.c | 6 +-
53612 net/ipv4/ipip.c | 4 +-
53613 net/ipv4/netfilter/arp_tables.c | 12 +-
53614 net/ipv4/netfilter/ip_tables.c | 12 +-
53615 net/ipv4/ping.c | 2 +-
53616 net/ipv4/raw.c | 14 +-
53617 net/ipv4/route.c | 18 +-
53618 net/ipv4/sysctl_net_ipv4.c | 45 +-
53619 net/ipv4/tcp_input.c | 2 +-
53620 net/ipv4/tcp_probe.c | 2 +-
53621 net/ipv4/udp.c | 10 +-
53622 net/ipv4/xfrm4_policy.c | 14 +-
53623 net/ipv6/addrconf.c | 6 +-
53624 net/ipv6/icmp.c | 2 +-
53625 net/ipv6/ip6_gre.c | 8 +-
53626 net/ipv6/ip6_tunnel.c | 4 +-
53627 net/ipv6/ipv6_sockglue.c | 2 +-
53628 net/ipv6/netfilter/ip6_tables.c | 12 +-
53629 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
53630 net/ipv6/raw.c | 19 +-
53631 net/ipv6/reassembly.c | 13 +-
53632 net/ipv6/route.c | 2 +-
53633 net/ipv6/sit.c | 4 +-
53634 net/ipv6/sysctl_net_ipv6.c | 2 +-
53635 net/ipv6/udp.c | 8 +-
53636 net/ipv6/xfrm6_policy.c | 13 +-
53637 net/irda/ircomm/ircomm_tty.c | 18 +-
53638 net/iucv/af_iucv.c | 4 +-
53639 net/iucv/iucv.c | 2 +-
53640 net/key/af_key.c | 4 +-
53641 net/mac80211/cfg.c | 8 +-
53642 net/mac80211/ieee80211_i.h | 3 +-
53643 net/mac80211/iface.c | 14 +-
53644 net/mac80211/main.c | 2 +-
53645 net/mac80211/pm.c | 6 +-
53646 net/mac80211/rate.c | 2 +-
53647 net/mac80211/rc80211_pid_debugfs.c | 2 +-
53648 net/mac80211/util.c | 2 +-
53649 net/netfilter/ipset/ip_set_core.c | 2 +-
53650 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
53651 net/netfilter/ipvs/ip_vs_core.c | 4 +-
53652 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
53653 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
53654 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
53655 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
53656 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
53657 net/netfilter/nf_conntrack_acct.c | 2 +-
53658 net/netfilter/nf_conntrack_ecache.c | 2 +-
53659 net/netfilter/nf_conntrack_helper.c | 2 +-
53660 net/netfilter/nf_conntrack_proto.c | 2 +-
53661 net/netfilter/nf_conntrack_standalone.c | 2 +-
53662 net/netfilter/nf_conntrack_timestamp.c | 2 +-
53663 net/netfilter/nf_log.c | 10 +-
53664 net/netfilter/nf_sockopt.c | 4 +-
53665 net/netfilter/nfnetlink_log.c | 4 +-
53666 net/netfilter/xt_statistic.c | 8 +-
53667 net/netlink/af_netlink.c | 4 +-
53668 net/netlink/genetlink.c | 16 +-
53669 net/packet/af_packet.c | 12 +-
53670 net/phonet/pep.c | 6 +-
53671 net/phonet/socket.c | 2 +-
53672 net/phonet/sysctl.c | 2 +-
53673 net/rds/cong.c | 6 +-
53674 net/rds/ib.h | 2 +-
53675 net/rds/ib_cm.c | 2 +-
53676 net/rds/ib_recv.c | 4 +-
53677 net/rds/iw.h | 2 +-
53678 net/rds/iw_cm.c | 2 +-
53679 net/rds/iw_recv.c | 4 +-
53680 net/rds/rds.h | 2 +-
53681 net/rds/tcp.c | 2 +-
53682 net/rds/tcp_send.c | 2 +-
53683 net/rxrpc/af_rxrpc.c | 2 +-
53684 net/rxrpc/ar-ack.c | 14 +-
53685 net/rxrpc/ar-call.c | 2 +-
53686 net/rxrpc/ar-connection.c | 2 +-
53687 net/rxrpc/ar-connevent.c | 2 +-
53688 net/rxrpc/ar-input.c | 4 +-
53689 net/rxrpc/ar-internal.h | 8 +-
53690 net/rxrpc/ar-local.c | 2 +-
53691 net/rxrpc/ar-output.c | 4 +-
53692 net/rxrpc/ar-peer.c | 2 +-
53693 net/rxrpc/ar-proc.c | 4 +-
53694 net/rxrpc/ar-transport.c | 2 +-
53695 net/rxrpc/rxkad.c | 4 +-
53696 net/sctp/ipv6.c | 6 +-
53697 net/sctp/protocol.c | 10 +-
53698 net/sctp/sm_sideeffect.c | 2 +-
53699 net/sctp/socket.c | 21 +-
53700 net/sctp/sysctl.c | 4 +-
53701 net/socket.c | 18 +-
53702 net/sunrpc/clnt.c | 4 +-
53703 net/sunrpc/sched.c | 4 +-
53704 net/sunrpc/svc.c | 4 +-
53705 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
53706 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
53707 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
53708 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
53709 net/tipc/link.c | 6 +-
53710 net/tipc/msg.c | 2 +-
53711 net/tipc/subscr.c | 2 +-
53712 net/unix/sysctl_net_unix.c | 2 +-
53713 net/wireless/wext-core.c | 19 +-
53714 net/xfrm/xfrm_policy.c | 27 +-
53715 net/xfrm/xfrm_state.c | 29 +-
53716 net/xfrm/xfrm_sysctl.c | 2 +-
53717 scripts/Makefile.build | 2 +-
53718 scripts/Makefile.clean | 3 +-
53719 scripts/Makefile.host | 28 +-
53720 scripts/basic/fixdep.c | 12 +-
53721 scripts/gcc-plugin.sh | 17 +
53722 scripts/headers_install.pl | 1 +
53723 scripts/link-vmlinux.sh | 2 +-
53724 scripts/mod/file2alias.c | 14 +-
53725 scripts/mod/modpost.c | 25 +-
53726 scripts/mod/modpost.h | 6 +-
53727 scripts/mod/sumversion.c | 2 +-
53728 scripts/package/builddeb | 1 +
53729 scripts/pnmtologo.c | 6 +-
53730 scripts/sortextable.h | 6 +-
53731 security/Kconfig | 675 +++-
53732 security/apparmor/lsm.c | 2 +-
53733 security/integrity/ima/ima.h | 4 +-
53734 security/integrity/ima/ima_api.c | 2 +-
53735 security/integrity/ima/ima_fs.c | 4 +-
53736 security/integrity/ima/ima_queue.c | 2 +-
53737 security/keys/compat.c | 2 +-
53738 security/keys/key.c | 18 +-
53739 security/keys/keyctl.c | 8 +-
53740 security/keys/keyring.c | 6 +-
53741 security/security.c | 9 +-
53742 security/selinux/hooks.c | 2 +-
53743 security/selinux/include/xfrm.h | 2 +-
53744 security/smack/smack_lsm.c | 2 +-
53745 security/tomoyo/tomoyo.c | 2 +-
53746 security/yama/yama_lsm.c | 22 +-
53747 sound/aoa/codecs/onyx.c | 7 +-
53748 sound/aoa/codecs/onyx.h | 1 +
53749 sound/core/oss/pcm_oss.c | 18 +-
53750 sound/core/pcm_compat.c | 2 +-
53751 sound/core/pcm_native.c | 4 +-
53752 sound/core/seq/seq_device.c | 8 +-
53753 sound/drivers/mts64.c | 14 +-
53754 sound/drivers/opl4/opl4_lib.c | 2 +-
53755 sound/drivers/portman2x4.c | 3 +-
53756 sound/firewire/amdtp.c | 4 +-
53757 sound/firewire/amdtp.h | 2 +-
53758 sound/firewire/isight.c | 10 +-
53759 sound/firewire/scs1x.c | 8 +-
53760 sound/oss/sb_audio.c | 2 +-
53761 sound/oss/swarm_cs4297a.c | 6 +-
53762 sound/pci/ymfpci/ymfpci.h | 2 +-
53763 sound/pci/ymfpci/ymfpci_main.c | 12 +-
53764 tools/gcc/.gitignore | 1 +
53765 tools/gcc/Makefile | 45 +
53766 tools/gcc/checker_plugin.c | 171 +
53767 tools/gcc/colorize_plugin.c | 151 +
53768 tools/gcc/constify_plugin.c | 518 ++
53769 tools/gcc/generate_size_overflow_hash.sh | 94 +
53770 tools/gcc/kallocstat_plugin.c | 170 +
53771 tools/gcc/kernexec_plugin.c | 465 ++
53772 tools/gcc/latent_entropy_plugin.c | 327 ++
53773 tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++
53774 tools/gcc/size_overflow_plugin.c | 2114 ++++++++
53775 tools/gcc/stackleak_plugin.c | 327 ++
53776 tools/gcc/structleak_plugin.c | 276 +
53777 tools/perf/util/include/asm/alternative-asm.h | 3 +
53778 tools/perf/util/include/linux/compiler.h | 8 +
53779 virt/kvm/kvm_main.c | 32 +-
53780 1555 files changed, 30474 insertions(+), 7126 deletions(-)
53781commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
53782Merge: 0949bd4 fc53d63
53783Author: Brad Spengler <spender@grsecurity.net>
53784Date: Thu Mar 22 19:03:44 2012 -0400
53785
53786 Merge branch 'pax-test' into grsec-test
53787
53788commit fc53d6338964741b368070ec5c935bc579b8c2a6
53789Author: Brad Spengler <spender@grsecurity.net>
53790Date: Thu Mar 22 19:02:45 2012 -0400
53791
53792 Update to pax-linux-3.2.12-test33.patch
53793
53794commit 0949bd46a6455b308f66ad7c993bfee62412db35
53795Author: Brad Spengler <spender@grsecurity.net>
53796Date: Thu Mar 22 16:56:09 2012 -0400
53797
53798 Use current_umask() instead of current->fs->umask
53799
53800commit 22f6432d0fe733619cfcb523782ed7d80c46d645
53801Author: Brad Spengler <spender@grsecurity.net>
53802Date: Wed Mar 21 19:42:42 2012 -0400
53803
53804 compile fix
53805
53806commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
53807Author: Brad Spengler <spender@grsecurity.net>
53808Date: Wed Mar 21 19:34:56 2012 -0400
53809
53810 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
53811 uses of domains with particular hash collisions
53812
53813commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
53814Author: Brad Spengler <spender@grsecurity.net>
53815Date: Tue Mar 20 20:25:49 2012 -0400
53816
53817 zero kernel_role
53818
53819commit b00953b43c69238d181d21121ef1577c988d5f6b
53820Author: Brad Spengler <spender@grsecurity.net>
53821Date: Tue Mar 20 19:29:34 2012 -0400
53822
53823 zero real_root after releasing it
53824
53825commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
53826Merge: b724f59 273f98e
53827Author: Brad Spengler <spender@grsecurity.net>
53828Date: Tue Mar 20 19:11:26 2012 -0400
53829
53830 Merge branch 'pax-test' into grsec-test
53831
53832commit 273f98e58cdac555d3b5dce5c1ca168349f95878
53833Author: Brad Spengler <spender@grsecurity.net>
53834Date: Tue Mar 20 19:10:52 2012 -0400
53835
53836 Temporary workaround for (most) size_overflow plugin false-positives
53837 Increase randomization for brk-managed heap to 21 bits
53838 Update to pax-linux-3.2.12-test32.patch
53839
53840commit b724f59125304460c2af8bd4b02921993afbb5d3
53841Author: Brad Spengler <spender@grsecurity.net>
53842Date: Tue Mar 20 18:58:53 2012 -0400
53843
53844 compile fix
53845
53846commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
53847Author: Brad Spengler <spender@grsecurity.net>
53848Date: Tue Mar 20 18:52:23 2012 -0400
53849
53850 Require default and kernel role
53851
53852commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
53853Author: Brad Spengler <spender@grsecurity.net>
53854Date: Tue Mar 20 18:47:28 2012 -0400
53855
53856 Allow policies without special roles
53857 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
53858
53859commit 402ec3d24d66d38403dc543c84851f5e72d39e22
53860Merge: 8e012dc f14661a
53861Author: Brad Spengler <spender@grsecurity.net>
53862Date: Mon Mar 19 18:06:59 2012 -0400
53863
53864 Merge branch 'pax-test' into grsec-test
53865
53866 Conflicts:
53867 fs/namei.c
53868
53869commit f14661aaf202155c97f66626cea0269017bb7775
53870Merge: eae671f 058b017
53871Author: Brad Spengler <spender@grsecurity.net>
53872Date: Mon Mar 19 18:05:44 2012 -0400
53873
53874 Merge branch 'linux-3.2.y' into pax-test
53875
53876commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
53877Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
53878Date: Fri Mar 16 17:08:39 2012 -0700
53879
53880 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
53881
53882 According to the report from Slicky Devil, nilfs caused kernel oops at
53883 nilfs_load_super_block function during mount after he shrank the
53884 partition without resizing the filesystem:
53885
53886 BUG: unable to handle kernel NULL pointer dereference at 00000048
53887 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
53888 *pde = 00000000
53889 Oops: 0000 [#1] PREEMPT SMP
53890 ...
53891 Call Trace:
53892 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
53893 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
53894 [<c0226636>] mount_fs+0x36/0x180
53895 [<c023d961>] vfs_kern_mount+0x51/0xa0
53896 [<c023ddae>] do_kern_mount+0x3e/0xe0
53897 [<c023f189>] do_mount+0x169/0x700
53898 [<c023fa9b>] sys_mount+0x6b/0xa0
53899 [<c04abd1f>] sysenter_do_call+0x12/0x28
53900 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
53901 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
53902 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
53903 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
53904 CR2: 0000000000000048
53905
53906 This turned out due to a defect in an error path which runs if the
53907 calculated location of the secondary super block was invalid.
53908
53909 This patch fixes it and eliminates the reported oops.
53910
53911 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
53912 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
53913 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
53914 Cc: <stable@vger.kernel.org> [2.6.30+]
53915 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
53916 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
53917
53918commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
53919Author: Haogang Chen <haogangchen@gmail.com>
53920Date: Fri Mar 16 17:08:38 2012 -0700
53921
53922 nilfs2: clamp ns_r_segments_percentage to [1, 99]
53923
53924 ns_r_segments_percentage is read from the disk. Bogus or malicious
53925 value could cause integer overflow and malfunction due to meaningless
53926 disk usage calculation. This patch reports error when mounting such
53927 bogus volumes.
53928
53929 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
53930 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
53931 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
53932 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
53933
53934commit e1a90645643f9b0194a5984ec8febd06360d5c8b
53935Author: Eric Dumazet <eric.dumazet@gmail.com>
53936Date: Sat Mar 10 09:20:21 2012 +0000
53937
53938 tcp: fix syncookie regression
53939
53940 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
53941 added a serious regression on synflood handling.
53942
53943 Simon Kirby discovered a successful connection was delayed by 20 seconds
53944 before being responsive.
53945
53946 In my tests, I discovered that xmit frames were lost, and needed ~4
53947 retransmits and a socket dst rebuild before being really sent.
53948
53949 In case of syncookie initiated connection, we use a different path to
53950 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
53951
53952 As ip_queue_xmit() now depends on inet flow being setup, fix this by
53953 copying the temp flowi4 we use in cookie_v4_check().
53954
53955 Reported-by: Simon Kirby <sim@netnation.com>
53956 Bisected-by: Simon Kirby <sim@netnation.com>
53957 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
53958 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
53959 Signed-off-by: David S. Miller <davem@davemloft.net>
53960
53961commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
53962Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
53963Date: Mon Mar 12 02:59:41 2012 +0000
53964
53965 tun: don't hold network namespace by tun sockets
53966
53967 v3: added previously removed sock_put() to the tun_release() callback, because
53968 sk_release_kernel() doesn't drop the socket reference.
53969
53970 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
53971 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
53972 call.
53973
53974 TUN was designed to destroy it's socket on network namesapce shutdown. But this
53975 will never happen for persistent device, because it's socket holds network
53976 namespace.
53977 This patch removes of holding network namespace by TUN socket and replaces it
53978 by creating socket in init_net and then changing it's net it to desired one. On
53979 shutdown socket is moved back to init_net prior to final put.
53980
53981 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
53982 Signed-off-by: David S. Miller <davem@davemloft.net>
53983
53984commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
53985Author: Tyler Hicks <tyhicks@canonical.com>
53986Date: Mon Dec 12 10:02:30 2011 -0600
53987
53988 vfs: Correctly set the dir i_mutex lockdep class
53989
53990 9a7aa12f3911853a introduced additional logic around setting the i_mutex
53991 lockdep class for directory inodes. The idea was that some filesystems
53992 may want their own special lockdep class for different directory
53993 inodes and calling unlock_new_inode() should not clobber one of
53994 those special classes.
53995
53996 I believe that the added conditional, around the *negated* return value
53997 of lockdep_match_class(), caused directory inodes to be placed in the
53998 wrong lockdep class.
53999
54000 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
54001 all inodes. If the filesystem did not change the class during inode
54002 initialization, then the conditional mentioned above was false and the
54003 directory inode was incorrectly left in the non-directory lockdep class.
54004 If the filesystem did set a special lockdep class, then the conditional
54005 mentioned above was true and that class was clobbered with
54006 i_mutex_dir_key.
54007
54008 This patch removes the negation from the conditional so that the i_mutex
54009 lockdep class is properly set for directory inodes. Special classes are
54010 preserved and directory inodes with unmodified classes are set with
54011 i_mutex_dir_key.
54012
54013 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
54014 Reviewed-by: Jan Kara <jack@suse.cz>
54015 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54016
54017commit 603590b0d2eca61ce26499eac9c563bc567a18c9
54018Author: Jan Kara <jack@suse.cz>
54019Date: Mon Feb 20 17:54:00 2012 +0100
54020
54021 udf: Fix deadlock in udf_release_file()
54022
54023 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
54024 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
54025 i_mutex is not needed in udf_release_file() anymore since protection by
54026 i_data_sem is enough to protect from races with write and truncate.
54027
54028 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
54029 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
54030 Signed-off-by: Jan Kara <jack@suse.cz>
54031 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54032
54033commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
54034Author: Miklos Szeredi <mszeredi@suse.cz>
54035Date: Tue Mar 6 13:56:33 2012 +0100
54036
54037 vfs: fix double put after complete_walk()
54038
54039 complete_walk() already puts nd->path, no need to do it again at cleanup time.
54040
54041 This would result in Oopses if triggered, apparently the codepath is not too
54042 well exercised.
54043
54044 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
54045 CC: stable@vger.kernel.org
54046 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54047
54048commit 13885ba2b18400f3ef6540497d30f1af896605e5
54049Author: Miklos Szeredi <mszeredi@suse.cz>
54050Date: Tue Mar 6 13:56:34 2012 +0100
54051
54052 vfs: fix return value from do_last()
54053
54054 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
54055 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
54056 which is complete nonsense.
54057
54058 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
54059 CC: stable@vger.kernel.org
54060 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54061
54062 Conflicts:
54063
54064 fs/namei.c
54065
54066commit f5ab7572c99ffb58953eb1070622307e904c3b7f
54067Author: Al Viro <viro@zeniv.linux.org.uk>
54068Date: Sat Mar 10 17:07:28 2012 -0500
54069
54070 restore smp_mb() in unlock_new_inode()
54071
54072 wait_on_inode() doesn't have ->i_lock
54073
54074 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54075
54076commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
54077Author: David S. Miller <davem@davemloft.net>
54078Date: Tue Mar 13 18:19:51 2012 -0700
54079
54080 sparc32: Add -Av8 to assembler command line.
54081
54082 Newer version of binutils are more strict about specifying the
54083 correct options to enable certain classes of instructions.
54084
54085 The sparc32 build is done for v7 in order to support sun4c systems
54086 which lack hardware integer multiply and divide instructions.
54087
54088 So we have to pass -Av8 when building the assembler routines that
54089 use these instructions and get patched into the kernel when we find
54090 out that we have a v8 capable cpu.
54091
54092 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
54093 Signed-off-by: David S. Miller <davem@davemloft.net>
54094
54095commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
54096Author: Thomas Gleixner <tglx@linutronix.de>
54097Date: Fri Mar 9 20:55:10 2012 +0100
54098
54099 x86: Derandom delay_tsc for 64 bit
54100
54101 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
54102 delay_tsc() into a random delay generator for 64 bit. The reason is
54103 that it merged the mostly identical versions of delay_32.c and
54104 delay_64.c. Though the subtle difference of the result was:
54105
54106 static void delay_tsc(unsigned long loops)
54107 {
54108 - unsigned bclock, now;
54109 + unsigned long bclock, now;
54110
54111 Now the function uses rdtscl() which returns the lower 32bit of the
54112 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
54113 bit this fails when the lower 32bit are close to wrap around when
54114 bclock is read, because the following check
54115
54116 if ((now - bclock) >= loops)
54117 break;
54118
54119 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
54120 because the unsigned long (now - bclock) of these values results in
54121 0xffffffff00000001 which is definitely larger than the loops
54122 value. That explains Tvortkos observation:
54123
54124 "Because I am seeing udelay(500) (_occasionally_) being short, and
54125 that by delaying for some duration between 0us (yep) and 491us."
54126
54127 Make those variables explicitely u32 again, so this works for both 32
54128 and 64 bit.
54129
54130 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
54131 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
54132 Cc: stable@vger.kernel.org # >= 2.6.27
54133 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54134
54135commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
54136Author: Al Viro <viro@ZenIV.linux.org.uk>
54137Date: Thu Mar 8 17:51:19 2012 +0000
54138
54139 aio: fix the "too late munmap()" race
54140
54141 Current code has put_ioctx() called asynchronously from aio_fput_routine();
54142 that's done *after* we have killed the request that used to pin ioctx,
54143 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
54144 from progressing. As the result, we can end up with async call of
54145 put_ioctx() being the last one and possibly happening during exit_mmap()
54146 or elf_core_dump(), neither of which expects stray munmap() being done
54147 to them...
54148
54149 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
54150 with that, but that's all we care about - neither io_destroy() nor
54151 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
54152 does really_put_req(), so the ioctx teardown won't be done until then
54153 and we don't care about the contents of ioctx past that point.
54154
54155 Since actual freeing of these suckers is RCU-delayed, we don't need to
54156 bump ioctx refcount when request goes into list for async removal.
54157 All we need is rcu_read_lock held just over the ->ctx_lock-protected
54158 area in aio_fput_routine().
54159
54160 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54161 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
54162 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
54163 Cc: stable@vger.kernel.org
54164 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54165
54166commit 002124c055afbf09b52226af65621999e8316448
54167Author: Al Viro <viro@ZenIV.linux.org.uk>
54168Date: Wed Mar 7 05:16:35 2012 +0000
54169
54170 aio: fix io_setup/io_destroy race
54171
54172 Have ioctx_alloc() return an extra reference, so that caller would drop it
54173 on success and not bother with re-grabbing it on failure exit. The current
54174 code is obviously broken - io_destroy() from another thread that managed
54175 to guess the address io_setup() would've returned would free ioctx right
54176 under us; gets especially interesting if aio_context_t * we pass to
54177 io_setup() points to PROT_READ mapping, so put_user() fails and we end
54178 up doing io_destroy() on kioctx another thread has just got freed...
54179
54180 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54181 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
54182 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
54183 Cc: stable@vger.kernel.org
54184 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54185
54186commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
54187Author: Dan Carpenter <dan.carpenter@oracle.com>
54188Date: Thu Mar 15 15:17:12 2012 -0700
54189
54190 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
54191
54192 strict_strtoul() writes a long but ->gamma_mode only has space to store an
54193 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
54194 well. I've changed it to use kstrtouint() instead.
54195
54196 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
54197 Acked-by: Inki Dae <inki.dae@samsung.com>
54198 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
54199 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
54200 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54201
54202commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
54203Merge: e4b05b6 eae671f
54204Author: Brad Spengler <spender@grsecurity.net>
54205Date: Fri Mar 16 21:04:27 2012 -0400
54206
54207 Merge branch 'pax-test' into grsec-test
54208
54209 Conflicts:
54210 security/Kconfig
54211
54212commit eae671fafe93f04685c04a089cc13efebc05d600
54213Author: Brad Spengler <spender@grsecurity.net>
54214Date: Fri Mar 16 20:58:01 2012 -0400
54215
54216 Update to pax-linux-3.2.11-test31.patch
54217 Introduction of the size_overflow plugin from Emese Revfy
54218 Many thanks to Emese for her hard work :)
54219
54220commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
54221Merge: e55aa68 258c015
54222Author: Brad Spengler <spender@grsecurity.net>
54223Date: Thu Mar 15 20:59:19 2012 -0400
54224
54225 Merge branch 'pax-test' into grsec-test
54226
54227commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
54228Author: Brad Spengler <spender@grsecurity.net>
54229Date: Thu Mar 15 20:59:05 2012 -0400
54230
54231 fix ARM compilation
54232
54233commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
54234Merge: 8f95ea9 55b7573
54235Author: Brad Spengler <spender@grsecurity.net>
54236Date: Wed Mar 14 19:33:41 2012 -0400
54237
54238 Merge branch 'pax-test' into grsec-test
54239
54240commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
54241Author: Brad Spengler <spender@grsecurity.net>
54242Date: Wed Mar 14 19:33:15 2012 -0400
54243
54244 Update to pax-linux-3.2.10-test28.patch
54245
54246commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
54247Merge: c8786a2 886ac5e
54248Author: Brad Spengler <spender@grsecurity.net>
54249Date: Tue Mar 13 17:38:13 2012 -0400
54250
54251 Merge branch 'pax-test' into grsec-test
54252
54253 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
54254
54255commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
54256Author: Brad Spengler <spender@grsecurity.net>
54257Date: Tue Mar 13 17:37:44 2012 -0400
54258
54259 Update to pax-linux-3.2.10-test26.patch
54260
54261commit c8786a2abed5e5327f68efa520c04db99bb6a63a
54262Merge: 219c982 c061fcf
54263Author: Brad Spengler <spender@grsecurity.net>
54264Date: Tue Mar 13 17:25:06 2012 -0400
54265
54266 Merge branch 'pax-test' into grsec-test
54267
54268commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
54269Merge: 89373d2 3f4b3b2
54270Author: Brad Spengler <spender@grsecurity.net>
54271Date: Tue Mar 13 17:25:02 2012 -0400
54272
54273 Merge branch 'linux-3.2.y' into pax-test
54274
54275commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
54276Merge: 54e19a3 89373d2
54277Author: Brad Spengler <spender@grsecurity.net>
54278Date: Mon Mar 12 17:23:57 2012 -0400
54279
54280 Merge branch 'pax-test' into grsec-test
54281
54282commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
54283Merge: a778588 7459f11
54284Author: Brad Spengler <spender@grsecurity.net>
54285Date: Mon Mar 12 17:23:49 2012 -0400
54286
54287 Merge branch 'linux-3.2.y' into pax-test
54288
54289commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
54290Merge: c4650f1 a778588
54291Author: Brad Spengler <spender@grsecurity.net>
54292Date: Mon Mar 12 16:51:25 2012 -0400
54293
54294 Merge branch 'pax-test' into grsec-test
54295
54296commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
54297Author: Brad Spengler <spender@grsecurity.net>
54298Date: Mon Mar 12 16:51:12 2012 -0400
54299
54300 Update to pax-linux-3.2.9-test24.patch
54301
54302commit c4650f14b13f84735fe3de06a1f3ff5776473eff
54303Merge: fb2abee 1015790
54304Author: Brad Spengler <spender@grsecurity.net>
54305Date: Sun Mar 11 21:08:28 2012 -0400
54306
54307 Merge branch 'pax-test' into grsec-test
54308
54309 Conflicts:
54310 security/Kconfig
54311
54312commit 101579028a736c224e590c7e12a7357018c424e1
54313Author: Brad Spengler <spender@grsecurity.net>
54314Date: Sun Mar 11 21:07:27 2012 -0400
54315
54316 Update to pax-linux-3.2.9-test22.patch
54317
54318commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
54319Author: Brad Spengler <spender@grsecurity.net>
54320Date: Sun Mar 11 11:02:17 2012 -0400
54321
54322 Allow 4096 CPUs
54323
54324commit 96bae28cbe6a41d48e3b56e5904814096e956000
54325Author: Brad Spengler <spender@grsecurity.net>
54326Date: Sun Mar 11 10:25:58 2012 -0400
54327
54328 Use a per-cpu 48-bit counter instead of a global atomic64
54329 Initialize each counter to have the cpu number in the lower 16 bits
54330 instead of incrementing the counter each time by 1, perform the increments
54331 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
54332 any state
54333 idea from PaX Team
54334
54335commit b975688101da6e966aebb1bc6b8c5c5983974f9c
54336Author: Brad Spengler <spender@grsecurity.net>
54337Date: Sat Mar 10 20:33:12 2012 -0500
54338
54339 Special vnsec edition! :)
54340 Further reduce argv/env allowance for suid/sgid apps to 512KB
54341 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
54342 Clear 3GB personality on suid/sgid binaries
54343 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
54344 with the main purpose of throwing off program stack -> arg/env alignment
54345 Update documentation
54346
54347commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
54348Author: Brad Spengler <spender@grsecurity.net>
54349Date: Sat Mar 10 19:54:47 2012 -0500
54350
54351 Resolve skbuff.h warnings that turn into errors during compilation in
54352 the grsecurity directory with -Werror
54353
54354commit 2023210ad43a944033fcacc660ce410888f562ee
54355Merge: ece4383 5f66adf
54356Author: Brad Spengler <spender@grsecurity.net>
54357Date: Fri Mar 9 19:48:01 2012 -0500
54358
54359 Merge branch 'pax-test' into grsec-test
54360
54361commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
54362Author: Brad Spengler <spender@grsecurity.net>
54363Date: Fri Mar 9 19:47:06 2012 -0500
54364
54365 Add colorize plugin
54366
54367commit ece4383e5e91c92d138c4df84225a70b552f4d69
54368Merge: a366d0e ab4a5a1
54369Author: Brad Spengler <spender@grsecurity.net>
54370Date: Fri Mar 9 17:56:46 2012 -0500
54371
54372 Merge branch 'pax-test' into grsec-test
54373
54374commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
54375Author: Brad Spengler <spender@grsecurity.net>
54376Date: Fri Mar 9 17:56:26 2012 -0500
54377
54378 Update to pax-linux-3.2.9-test21.patch
54379
54380commit a366d0ed963ce93fce10121c1100989d5f064e75
54381Author: Mikulas Patocka <mpatocka@redhat.com>
54382Date: Sun Mar 4 19:52:03 2012 -0500
54383
54384 mm: fix find_vma_prev
54385
54386 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
54387 management on PA-RISC.
54388
54389 After application of the patch, programs that allocate big arrays on the
54390 stack crash with segfault, for example, this will crash if compiled
54391 without optimization:
54392
54393 int main()
54394 {
54395 char array[200000];
54396 array[199999] = 0;
54397 return 0;
54398 }
54399
54400 The reason is that PA-RISC has up-growing stack and the stack is usually
54401 the last memory area. In the above example, a page fault happens above
54402 the stack.
54403
54404 Previously, if we passed too high address to find_vma_prev, it returned
54405 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
54406 change, it stores NULL in *pprev. Consequently, the stack area is not
54407 found and it is not expanded, as it used to be before the change.
54408
54409 This patch restores the old behavior and makes it return the last VMA in
54410 *pprev if the requested address is higher than address of any other VMA.
54411
54412 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
54413 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
54414 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54415
54416commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
54417Author: Hugh Dickins <hughd@google.com>
54418Date: Tue Mar 6 12:28:52 2012 -0800
54419
54420 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
54421
54422 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
54423 from shared anonymous: hoist the file case's -EINVAL up for both.
54424
54425 Signed-off-by: Hugh Dickins <hughd@google.com>
54426 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54427
54428commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
54429Author: Al Viro <viro@ZenIV.linux.org.uk>
54430Date: Mon Mar 5 06:38:42 2012 +0000
54431
54432 aout: move setup_arg_pages() prior to reading/mapping the binary
54433
54434 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54435 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54436
54437commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
54438Author: Jan Beulich <JBeulich@suse.com>
54439Date: Mon Mar 5 16:49:24 2012 +0000
54440
54441 vsprintf: make %pV handling compatible with kasprintf()
54442
54443 kasprintf() (and potentially other functions that I didn't run across so
54444 far) want to evaluate argument lists twice. Caring to do so for the
54445 primary list is obviously their job, but they can't reasonably be
54446 expected to check the format string for instances of %pV, which however
54447 need special handling too: On architectures like x86-64 (as opposed to
54448 e.g. ix86), using the same argument list twice doesn't produce the
54449 expected results, as an internally managed cursor gets updated during
54450 the first run.
54451
54452 Fix the problem by always acting on a copy of the original list when
54453 handling %pV.
54454
54455 Signed-off-by: Jan Beulich <jbeulich@suse.com>
54456 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54457
54458commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
54459Author: Al Viro <viro@ZenIV.linux.org.uk>
54460Date: Mon Mar 5 06:39:47 2012 +0000
54461
54462 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
54463
54464 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
54465 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54466
54467commit a831bd53764695ea680cc1fa3c98759a610ed2ac
54468Author: Christian König <deathsimple@vodafone.de>
54469Date: Tue Feb 28 23:19:20 2012 +0100
54470
54471 drm/radeon: fix uninitialized variable
54472
54473 Without this fix the driver randomly treats
54474 textures as arrays and I'm really wondering
54475 why gcc isn't complaining about it.
54476
54477 Signed-off-by: Christian König <deathsimple@vodafone.de>
54478 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
54479 Signed-off-by: Dave Airlie <airlied@redhat.com>
54480
54481commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
54482Author: H. Peter Anvin <hpa@zytor.com>
54483Date: Fri Mar 2 10:43:48 2012 -0800
54484
54485 regset: Prevent null pointer reference on readonly regsets
54486
54487 The regset common infrastructure assumed that regsets would always
54488 have .get and .set methods, but not necessarily .active methods.
54489 Unfortunately people have since written regsets without .set methods.
54490
54491 Rather than putting in stub functions everywhere, handle regsets with
54492 null .get or .set methods explicitly.
54493
54494 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
54495 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
54496 Acked-by: Roland McGrath <roland@hack.frob.com>
54497 Cc: <stable@vger.kernel.org>
54498 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54499
54500commit 072ddd99401c79b53c6bf6bff9deb93022124c79
54501Author: Brad Spengler <spender@grsecurity.net>
54502Date: Mon Mar 5 18:12:57 2012 -0500
54503
54504 Fix compiler errors reported on forums
54505
54506commit 1606774b48af24e6f99d99c624c0e447d4b66474
54507Merge: 3127bd5 4ca2ffd
54508Author: Brad Spengler <spender@grsecurity.net>
54509Date: Mon Mar 5 17:31:35 2012 -0500
54510
54511 Merge branch 'pax-test' into grsec-test
54512
54513commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
54514Author: Brad Spengler <spender@grsecurity.net>
54515Date: Mon Mar 5 17:31:21 2012 -0500
54516
54517 Update to pax-linux-3.2.9-test20.patch
54518
54519commit 3127bd581a292966b1057c7433219dac188c3720
54520Author: Brad Spengler <spender@grsecurity.net>
54521Date: Fri Mar 2 21:30:37 2012 -0500
54522
54523 Fix memory leak on logged exec_id check failure in /proc/pid/statm
54524 Thanks to Djalal Harouni for the report
54525
54526commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
54527Merge: 0a56be8 9aa8288
54528Author: Brad Spengler <spender@grsecurity.net>
54529Date: Fri Mar 2 18:38:22 2012 -0500
54530
54531 Merge branch 'pax-test' into grsec-test
54532
54533commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
54534Author: Brad Spengler <spender@grsecurity.net>
54535Date: Fri Mar 2 18:37:43 2012 -0500
54536
54537 Update to pax-linux-3.2.9-test19.patch
54538
54539commit 0a56be884bbd7ce733cac0b879c45383494d73b0
54540Merge: 9e66745 3f5c52a
54541Author: Brad Spengler <spender@grsecurity.net>
54542Date: Thu Mar 1 20:18:01 2012 -0500
54543
54544 Merge branch 'pax-test' into grsec-test
54545
54546commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
54547Author: Brad Spengler <spender@grsecurity.net>
54548Date: Thu Mar 1 20:16:56 2012 -0500
54549
54550 Update to pax-linux-3.2.9-test18.patch
54551
54552commit ae53ec231d12719a36bf871f8c5841020ed692ee
54553Merge: b255baf 44fb317
54554Author: Brad Spengler <spender@grsecurity.net>
54555Date: Thu Mar 1 20:15:31 2012 -0500
54556
54557 Merge branch 'linux-3.2.y' into pax-test
54558
54559commit 9e667456c03eadea2f305be761abe4de9a5877a3
54560Merge: 5e4e200 b255baf
54561Author: Brad Spengler <spender@grsecurity.net>
54562Date: Mon Feb 27 20:53:59 2012 -0500
54563
54564 Merge branch 'pax-test' into grsec-test
54565
54566commit b255baf50365d39b406f43aab2c64745607baaa2
54567Merge: 340ce90 1de504e
54568Author: Brad Spengler <spender@grsecurity.net>
54569Date: Mon Feb 27 20:53:29 2012 -0500
54570
54571 Merge branch 'linux-3.2.y' into pax-test
54572 Update to pax-linux-3.2.8-test17.patch
54573
54574 Conflicts:
54575 arch/x86/include/asm/i387.h
54576 arch/x86/kernel/process_32.c
54577 arch/x86/kernel/traps.c
54578
54579commit 5e4e200ac530452884b625cb75de240e1e98c731
54580Merge: 44306d7 340ce90
54581Author: Brad Spengler <spender@grsecurity.net>
54582Date: Mon Feb 27 18:02:13 2012 -0500
54583
54584 Merge branch 'pax-test' into grsec-test
54585
54586commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
54587Author: Brad Spengler <spender@grsecurity.net>
54588Date: Mon Feb 27 18:01:48 2012 -0500
54589
54590 Update to pax-linux-3.2.7-test17.patch
54591
54592commit 44306d7b3097f77e73040dd25f4f6750751bae7a
54593Merge: 29d0b07 521c411
54594Author: Brad Spengler <spender@grsecurity.net>
54595Date: Sun Feb 26 19:04:15 2012 -0500
54596
54597 Merge branch 'pax-test' into grsec-test
54598
54599 Conflicts:
54600 Makefile
54601
54602commit 521c411bb4ca66ce01146fde8bac9dd22414076d
54603Author: Brad Spengler <spender@grsecurity.net>
54604Date: Sun Feb 26 19:03:33 2012 -0500
54605
54606 Update to pax-linux-3.2.7-test16.patch
54607
54608commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
54609Author: Brad Spengler <spender@grsecurity.net>
54610Date: Sun Feb 26 17:12:44 2012 -0500
54611
54612 fix typo
54613
54614commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
54615Merge: f45b3be caa8f83
54616Author: Brad Spengler <spender@grsecurity.net>
54617Date: Sat Feb 25 20:59:27 2012 -0500
54618
54619 Merge branch 'pax-test' into grsec-test
54620
54621commit caa8f83456c4d0b204beefffaa1d1993f2348d08
54622Author: Brad Spengler <spender@grsecurity.net>
54623Date: Sat Feb 25 20:59:12 2012 -0500
54624
54625 Update to pax-linux-3.2.7-test15.patch
54626
54627commit f45b3be34a345502a302e736af9a65742ddef7cb
54628Merge: 62f35fd 9f1309b
54629Author: Brad Spengler <spender@grsecurity.net>
54630Date: Sat Feb 25 11:40:15 2012 -0500
54631
54632 Merge branch 'pax-test' into grsec-test
54633
54634commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
54635Author: Brad Spengler <spender@grsecurity.net>
54636Date: Sat Feb 25 11:39:57 2012 -0500
54637
54638 Update to pax-linux-3.2.7-test14.patch
54639
54640commit 62f35fdbecc58f2988fe13638d907b87a15776bb
54641Author: Brad Spengler <spender@grsecurity.net>
54642Date: Sat Feb 25 09:08:55 2012 -0500
54643
54644 We could log on attempted exploits of writing /proc/self/mem, but the current
54645 log function declares the access a read, so just swap the ordering for now
54646
54647commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
54648Author: Brad Spengler <spender@grsecurity.net>
54649Date: Sat Feb 25 08:46:14 2012 -0500
54650
54651 Log /proc/pid/mem attempts
54652
54653commit 674471e581893a94d475acac3e3c4496209b3ac9
54654Author: Brad Spengler <spender@grsecurity.net>
54655Date: Sat Feb 25 08:15:00 2012 -0500
54656
54657 Make use of f_version for protecting /proc file structs (fine since we're not a directory
54658 or seq_file)
54659
54660commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
54661Author: Brad Spengler <spender@grsecurity.net>
54662Date: Fri Feb 24 20:02:19 2012 -0500
54663
54664 Fix ia64 compilation
54665
54666commit 50dfea412fd395e0183c2ade368efa525d38b267
54667Merge: 12db845 4c6f99b
54668Author: Brad Spengler <spender@grsecurity.net>
54669Date: Fri Feb 24 19:00:53 2012 -0500
54670
54671 Merge branch 'pax-test' into grsec-test
54672
54673commit 4c6f99bf338e03966356b147d0360cb3b522a44f
54674Author: Brad Spengler <spender@grsecurity.net>
54675Date: Fri Feb 24 19:00:36 2012 -0500
54676
54677 (6:57:09 PM) pipacs: but you can be proactive
54678 (Fix other-arch atomic64/REFCOUNT compilation failures)
54679
54680commit 12db8453f6bb0a756f369c9151668ba1249bc478
54681Author: Brad Spengler <spender@grsecurity.net>
54682Date: Thu Feb 23 21:10:12 2012 -0500
54683
54684 Remove unnecessary copies, as suggested by solar
54685
54686commit cc02cab84368467ea03cb35f861a8a7092d91ab4
54687Author: Brad Spengler <spender@grsecurity.net>
54688Date: Thu Feb 23 20:59:35 2012 -0500
54689
54690 Make global_exec_counter static, as suggested by solar
54691
54692commit e642091a475ebb3a30e81f85e7751233d0c2af43
54693Author: Brad Spengler <spender@grsecurity.net>
54694Date: Thu Feb 23 19:00:26 2012 -0500
54695
54696 sync with stable tree
54697
54698commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
54699Author: Brad Spengler <spender@grsecurity.net>
54700Date: Thu Feb 23 18:48:47 2012 -0500
54701
54702 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
54703 Remove handling of old kludge in chmod/fchmod
54704
54705commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
54706Author: Brad Spengler <spender@grsecurity.net>
54707Date: Thu Feb 23 18:18:49 2012 -0500
54708
54709 Apply umask checks to chmod/fchmod as well, as requested by sponsor
54710 Union the enforced umask with the existing one to produce minimal privilege
54711 Change umask type to u16
54712
54713commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
54714Author: Brad Spengler <spender@grsecurity.net>
54715Date: Wed Feb 22 18:16:11 2012 -0500
54716
54717 Add per-role umask enforcement to RBAC, requested by a sponsor
54718
54719commit ad5ac943fe58199f1cc475912a39edb157acb77b
54720Merge: dda0bb5 41722e3
54721Author: Brad Spengler <spender@grsecurity.net>
54722Date: Mon Feb 20 20:04:42 2012 -0500
54723
54724 Merge branch 'pax-test' into grsec-test
54725
54726commit 41722e342e116d95f3d3556d66c97c888d752d39
54727Author: Brad Spengler <spender@grsecurity.net>
54728Date: Mon Feb 20 20:04:00 2012 -0500
54729
54730 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
54731 KERNEXEC plugin
54732
54733commit dda0bb57137846a476a866c60db2681aaf6052c0
54734Merge: 4fd554e d70927a
54735Author: Brad Spengler <spender@grsecurity.net>
54736Date: Mon Feb 20 20:01:41 2012 -0500
54737
54738 Merge branch 'pax-test' into grsec-test
54739
54740commit d70927afec977d489a54c106a3c3ddc32e953050
54741Merge: 1daebf1 9d0231c
54742Author: Brad Spengler <spender@grsecurity.net>
54743Date: Mon Feb 20 20:01:33 2012 -0500
54744
54745 Merge branch 'linux-3.2.y' into pax-test
54746
54747commit 4fd554e3a097b22c5049fcdc423897477deff5ef
54748Author: Brad Spengler <spender@grsecurity.net>
54749Date: Mon Feb 20 09:17:57 2012 -0500
54750
54751 Fix wrong logic on capability checks for switching roles, broke policies
54752 Thanks to Richard Kojedzinszky for reporting
54753
54754commit 12f97d52ac603f24344f8d71569c412a307e9422
54755Author: Brad Spengler <spender@grsecurity.net>
54756Date: Thu Feb 16 21:20:10 2012 -0500
54757
54758 sparc64 compile fix
54759
54760commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
54761Author: Brad Spengler <spender@grsecurity.net>
54762Date: Thu Feb 16 18:38:32 2012 -0500
54763
54764 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
54765
54766commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
54767Author: Brad Spengler <spender@grsecurity.net>
54768Date: Thu Feb 16 18:18:01 2012 -0500
54769
54770 optimize the check a bit
54771
54772commit 03159050f64989be44ae03be769cbed62a7cd2e5
54773Author: Brad Spengler <spender@grsecurity.net>
54774Date: Thu Feb 16 18:00:45 2012 -0500
54775
54776 smile VUPEN :D
54777 (limit argv+env to 1MB for suid/sgid binaries)
54778
54779commit dd759d8800d225a397e4de49fe729c7d601298d2
54780Author: Brad Spengler <spender@grsecurity.net>
54781Date: Thu Feb 16 17:49:33 2012 -0500
54782
54783 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
54784
54785commit 4de635bda8ebfb85312e3bf851bdbff93de400da
54786Author: Brad Spengler <spender@grsecurity.net>
54787Date: Thu Feb 16 17:45:06 2012 -0500
54788
54789 Change the long long type for exec_id to the proper u64
54790
54791commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
54792Author: Dan Carpenter <dan.carpenter@oracle.com>
54793Date: Thu Feb 9 00:46:47 2012 +0000
54794
54795 isdn: type bug in isdn_net_header()
54796
54797 We use len to store the return value from eth_header(). eth_header()
54798 can return -ETH_HLEN (-14). We want to pass this back instead of
54799 truncating it to 65522 and returning that.
54800
54801 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
54802 Acked-by: Neil Horman <nhorman@tuxdriver.com>
54803 Signed-off-by: David S. Miller <davem@davemloft.net>
54804
54805commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
54806Author: Heiko Carstens <heiko.carstens@de.ibm.com>
54807Date: Sat Feb 4 10:47:10 2012 +0100
54808
54809 exec: fix use-after-free bug in setup_new_exec()
54810
54811 Setting the task name is done within setup_new_exec() by accessing
54812 bprm->filename. However this happens after flush_old_exec().
54813 This may result in a use after free bug, flush_old_exec() may
54814 "complete" vfork_done, which will wake up the parent which in turn
54815 may free the passed in filename.
54816 To fix this add a new tcomm field in struct linux_binprm which
54817 contains the now early generated task name until it is used.
54818
54819 Fixes this bug on s390:
54820
54821 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
54822 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
54823 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
54824 Call Trace:
54825 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
54826 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
54827 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
54828 [<0000000000282b6c>] do_execve_common+0x410/0x514
54829 [<0000000000282cb6>] do_execve+0x46/0x58
54830 [<00000000005bce58>] kernel_execve+0x28/0x70
54831 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
54832 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
54833 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
54834 Last Breaking-Event-Address:
54835 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
54836
54837 Kernel panic - not syncing: Fatal exception: panic_on_oops
54838
54839 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
54840 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
54841 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
54842
54843commit d758ee9f5230893dabb5aab737b3109684bde196
54844Author: Dan Carpenter <dan.carpenter@oracle.com>
54845Date: Fri Feb 10 09:03:58 2012 +0100
54846
54847 relay: prevent integer overflow in relay_open()
54848
54849 "subbuf_size" and "n_subbufs" come from the user and they need to be
54850 capped to prevent an integer overflow.
54851
54852 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
54853 Cc: stable@kernel.org
54854 Signed-off-by: Jens Axboe <axboe@kernel.dk>
54855
54856commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
54857Merge: b1baadf 1daebf1
54858Author: Brad Spengler <spender@grsecurity.net>
54859Date: Mon Feb 13 17:47:04 2012 -0500
54860
54861 Merge branch 'pax-test' into grsec-test
54862
54863 Conflicts:
54864 fs/proc/base.c
54865
54866commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
54867Merge: 1413df2 c2db2e2
54868Author: Brad Spengler <spender@grsecurity.net>
54869Date: Mon Feb 13 17:45:54 2012 -0500
54870
54871 Merge branch 'linux-3.2.y' into pax-test
54872
54873commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
54874Author: Brad Spengler <spender@grsecurity.net>
54875Date: Sun Feb 12 16:44:05 2012 -0500
54876
54877 add missing declaration
54878
54879commit 3981059c35e8463002517935c28f3d74b8e3703c
54880Author: Brad Spengler <spender@grsecurity.net>
54881Date: Sun Feb 12 16:36:04 2012 -0500
54882
54883 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
54884 in addition to existing checks (this handles the setresuid ruid = euid case)
54885
54886commit 0beab03263c773f463412c350ad9064b44b6ede0
54887Author: Brad Spengler <spender@grsecurity.net>
54888Date: Sun Feb 12 16:13:40 2012 -0500
54889
54890 Revert setreuid changes when RBAC is enabled, breaks freeradius
54891 I'll fix the learning issue Lavish reported a different way through
54892 gradm modifications
54893
54894 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
54895
54896commit 0c61cb1cfbbfec7d07647268c922d51434d22621
54897Author: Brad Spengler <spender@grsecurity.net>
54898Date: Sat Feb 11 14:22:46 2012 -0500
54899
54900 copy exec_id on fork
54901
54902commit 000c08e0890630086b2ed04084050ed856a7ec31
54903Author: Brad Spengler <spender@grsecurity.net>
54904Date: Fri Feb 10 20:00:36 2012 -0500
54905
54906 compile fix
54907
54908commit 54b8c8f54484e5ee18040657827158bc4b63bccc
54909Author: Brad Spengler <spender@grsecurity.net>
54910Date: Fri Feb 10 19:19:52 2012 -0500
54911
54912 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
54913 denies reading of sensitive /proc/pid entries where the file descriptor
54914 was opened in a different task than the one performing the read
54915
54916commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
54917Author: Brad Spengler <spender@grsecurity.net>
54918Date: Fri Feb 10 17:43:24 2012 -0500
54919
54920 Remove duplicate signal check
54921
54922commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
54923Merge: 4eba97e 1413df2
54924Author: Brad Spengler <spender@grsecurity.net>
54925Date: Wed Feb 8 19:24:34 2012 -0500
54926
54927 Merge branch 'pax-test' into grsec-test
54928
54929commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
54930Author: Brad Spengler <spender@grsecurity.net>
54931Date: Wed Feb 8 19:24:08 2012 -0500
54932
54933 Merge changes from pax-linux-3.2.4-test11.patch
54934
54935commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
54936Merge: 0e058dd 8dd90a2
54937Author: Brad Spengler <spender@grsecurity.net>
54938Date: Mon Feb 6 17:50:12 2012 -0500
54939
54940 Merge branch 'pax-test' into grsec-test
54941
54942commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
54943Author: Brad Spengler <spender@grsecurity.net>
54944Date: Mon Feb 6 17:49:07 2012 -0500
54945
54946 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
54947
54948commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
54949Merge: 7e4169c 6133971
54950Author: Brad Spengler <spender@grsecurity.net>
54951Date: Mon Feb 6 17:48:57 2012 -0500
54952
54953 Merge branch 'linux-3.2.y' into pax-test
54954
54955commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
54956Author: Brad Spengler <spender@grsecurity.net>
54957Date: Sun Feb 5 19:24:45 2012 -0500
54958
54959 We now allow configurations with no PaX markings, giving the system no way to override the defaults
54960
54961commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
54962Author: Brad Spengler <spender@grsecurity.net>
54963Date: Sun Feb 5 10:01:23 2012 -0500
54964
54965 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
54966
54967commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
54968Author: Brad Spengler <spender@grsecurity.net>
54969Date: Sat Feb 4 21:01:16 2012 -0500
54970
54971 Improve security of ptrace-based monitoring/sandboxing
54972 See:
54973 http://article.gmane.org/gmane.linux.kernel.lsm/15156
54974
54975commit ca4ca5a1027b41f9528794e52a53ce9c47926101
54976Author: Brad Spengler <spender@grsecurity.net>
54977Date: Fri Feb 3 20:42:55 2012 -0500
54978
54979 fix typo
54980
54981commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
54982Author: Brad Spengler <spender@grsecurity.net>
54983Date: Fri Feb 3 20:25:38 2012 -0500
54984
54985 Reported by lavish on IRC:
54986 If a suid/sgid binary did not learn any setuid/setgid call during learning,
54987 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
54988 any restrictions on uid/gid changes. uid and gid can however be changed
54989 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
54990 euid/egid.
54991
54992 My fix:
54993 POSIX doesn't specify whether unprivileged users can perform the above
54994 setresuid/setresgid as an unprivileged user, though Linux has historically
54995 permitted them. Modify this behavior when RBAC is enabled to require
54996 CAP_SETUID/CAP_SETGID for these operations.
54997
54998 Thanks to Lavish for the report!
54999
55000 Conflicts:
55001
55002 kernel/sys.c
55003
55004commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
55005Merge: ba586eb 7e4169c
55006Author: Brad Spengler <spender@grsecurity.net>
55007Date: Fri Feb 3 20:10:21 2012 -0500
55008
55009 Merge branch 'pax-test' into grsec-test
55010
55011commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
55012Author: Brad Spengler <spender@grsecurity.net>
55013Date: Fri Feb 3 20:10:05 2012 -0500
55014
55015 Merge changes from pax-linux-3.2.4-test9.patch
55016
55017commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
55018Author: Christopher Yeoh <cyeoh@au1.ibm.com>
55019Date: Thu Feb 2 11:34:09 2012 +1030
55020
55021 Fix race in process_vm_rw_core
55022
55023 This fixes the race in process_vm_core found by Oleg (see
55024
55025 http://article.gmane.org/gmane.linux.kernel/1235667/
55026
55027 for details).
55028
55029 This has been updated since I last sent it as the creation of the new
55030 mm_access() function did almost exactly the same thing as parts of the
55031 previous version of this patch did.
55032
55033 In order to use mm_access() even when /proc isn't enabled, we move it to
55034 kernel/fork.c where other related process mm access functions already
55035 are.
55036
55037 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
55038 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55039
55040 Conflicts:
55041
55042 fs/proc/base.c
55043 mm/process_vm_access.c
55044
55045commit b9194d60fb9fe579f5c34817ed822abde18939a0
55046Author: Oleg Nesterov <oleg@redhat.com>
55047Date: Tue Jan 31 17:15:11 2012 +0100
55048
55049 proc: make sure mem_open() doesn't pin the target's memory
55050
55051 Once /proc/pid/mem is opened, the memory can't be released until
55052 mem_release() even if its owner exits.
55053
55054 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
55055 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
55056 before access_remote_vm(), this verifies that this mm is still alive.
55057
55058 I am not sure what should mem_rw() return if atomic_inc_not_zero()
55059 fails. With this patch it returns zero to match the "mm == NULL" case,
55060 may be it should return -EINVAL like it did before e268337d.
55061
55062 Perhaps it makes sense to add the additional fatal_signal_pending()
55063 check into the main loop, to ensure we do not hold this memory if
55064 the target task was oom-killed.
55065
55066 Cc: stable@kernel.org
55067 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
55068 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55069
55070commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
55071Author: Oleg Nesterov <oleg@redhat.com>
55072Date: Tue Jan 31 17:14:38 2012 +0100
55073
55074 proc: mem_release() should check mm != NULL
55075
55076 mem_release() can hit mm == NULL, add the necessary check.
55077
55078 Cc: stable@kernel.org
55079 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
55080 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55081
55082commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
55083Author: Oleg Nesterov <oleg@redhat.com>
55084Date: Tue Jan 31 17:14:54 2012 +0100
55085
55086 note: redisabled mem_write
55087
55088 proc: unify mem_read() and mem_write()
55089
55090 No functional changes, cleanup and preparation.
55091
55092 mem_read() and mem_write() are very similar. Move this code into the
55093 new common helper, mem_rw(), which takes the additional "int write"
55094 argument.
55095
55096 Cc: stable@kernel.org
55097 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
55098 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55099
55100 Conflicts:
55101
55102 fs/proc/base.c
55103
55104commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
55105Merge: 3903f01 01fee18
55106Author: Brad Spengler <spender@grsecurity.net>
55107Date: Fri Feb 3 19:50:40 2012 -0500
55108
55109 Merge branch 'pax-test' into grsec-test
55110
55111commit 01fee1851aef26b898ccba5312cabf1f919b74cb
55112Author: Brad Spengler <spender@grsecurity.net>
55113Date: Fri Feb 3 19:49:46 2012 -0500
55114
55115 Merge changes from pax-linux-3.2.4-test8.patch
55116
55117commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
55118Merge: 201c0db 141936c
55119Author: Brad Spengler <spender@grsecurity.net>
55120Date: Fri Feb 3 19:49:01 2012 -0500
55121
55122 Merge branch 'linux-3.2.y' into pax-test
55123
55124commit 3903f0172ecadf7a575ba3535402a1506133640a
55125Author: Brad Spengler <spender@grsecurity.net>
55126Date: Mon Jan 30 23:26:44 2012 -0500
55127
55128 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
55129
55130 We'll whitelist required directories for compatibility instead of requiring
55131 that people disable the feature entirely if they use SELinux, fuse, etc
55132
55133 Conflicts:
55134
55135 fs/sysfs/mount.c
55136
55137commit e3618feaa7e63807f1b88c199882075b3ec9bd05
55138Author: Brad Spengler <spender@grsecurity.net>
55139Date: Sun Jan 29 01:12:19 2012 -0500
55140
55141 perform RBAC check if TPE is on but match fails, matches previous behavior
55142
55143commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
55144Author: Brad Spengler <spender@grsecurity.net>
55145Date: Sat Jan 28 13:17:06 2012 -0500
55146
55147 log more information about the reason for a TPE denial for novice users, requested by a sponsor
55148
55149commit efefd67008cbad8a8591e2484410966a300a39a5
55150Author: Brad Spengler <spender@grsecurity.net>
55151Date: Fri Jan 27 19:58:53 2012 -0500
55152
55153 merge upstream sha512 changes
55154
55155commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
55156Author: Brad Spengler <spender@grsecurity.net>
55157Date: Fri Jan 27 19:49:07 2012 -0500
55158
55159 drop lock on error in xfs_readlink
55160
55161 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
55162
55163commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
55164Author: Li Wang <liwang@nudt.edu.cn>
55165Date: Thu Jan 19 09:44:36 2012 +0800
55166
55167 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
55168
55169 ecryptfs_write() can enter an infinite loop when truncating a file to a
55170 size larger than 4G. This only happens on architectures where size_t is
55171 represented by 32 bits.
55172
55173 This was caused by a size_t overflow due to it incorrectly being used to
55174 store the result of a calculation which uses potentially large values of
55175 type loff_t.
55176
55177 [tyhicks@canonical.com: rewrite subject and commit message]
55178 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
55179 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
55180 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
55181 Cc: <stable@vger.kernel.org>
55182 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
55183
55184commit a7607747d0f74f357d78bb796d70635dd05f46e8
55185Author: Tyler Hicks <tyhicks@canonical.com>
55186Date: Thu Jan 19 20:33:44 2012 -0600
55187
55188 eCryptfs: Check inode changes in setattr
55189
55190 Most filesystems call inode_change_ok() very early in ->setattr(), but
55191 eCryptfs didn't call it at all. It allowed the lower filesystem to make
55192 the call in its ->setattr() function. Then, eCryptfs would copy the
55193 appropriate inode attributes from the lower inode to the eCryptfs inode.
55194
55195 This patch changes that and actually calls inode_change_ok() on the
55196 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
55197 would happen earlier in ecryptfs_setattr(), but there are some possible
55198 inode initialization steps that must happen first.
55199
55200 Since the call was already being made on the lower inode, the change in
55201 functionality should be minimal, except for the case of a file extending
55202 truncate call. In that case, inode_newsize_ok() was never being
55203 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
55204 maximum file size errors early on, eCryptfs would encrypt zeroed pages
55205 and write them to the lower filesystem until the lower filesystem's
55206 write path caught the error in generic_write_checks(). This patch
55207 introduces a new function, called ecryptfs_inode_newsize_ok(), which
55208 checks if the new lower file size is within the appropriate limits when
55209 the truncate operation will be growing the lower file.
55210
55211 In summary this change prevents eCryptfs truncate operations (and the
55212 resulting page encryptions), which would exceed the lower filesystem
55213 limits or FSIZE rlimits, from ever starting.
55214
55215 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
55216 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
55217 Cc: <stable@vger.kernel.org>
55218
55219commit 0d96f190a39505254ace4e9330219aaeda9b64e3
55220Author: Tyler Hicks <tyhicks@canonical.com>
55221Date: Wed Jan 18 18:30:04 2012 -0600
55222
55223 eCryptfs: Make truncate path killable
55224
55225 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
55226 page, zeroes out the appropriate portions, and then encrypts the page
55227 before writing it to the lower filesystem. It was unkillable and due to
55228 the lack of sparse file support could result in tying up a large portion
55229 of system resources, while encrypting pages of zeros, with no way for
55230 the truncate operation to be stopped from userspace.
55231
55232 This patch adds the ability for ecryptfs_write() to detect a pending
55233 fatal signal and return as gracefully as possible. The intent is to
55234 leave the lower file in a useable state, while still allowing a user to
55235 break out of the encryption loop. If a pending fatal signal is detected,
55236 the eCryptfs inode size is updated to reflect the modified inode size
55237 and then -EINTR is returned.
55238
55239 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
55240 Cc: <stable@vger.kernel.org>
55241
55242commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
55243Author: Tyler Hicks <tyhicks@canonical.com>
55244Date: Tue Jan 24 10:02:22 2012 -0600
55245
55246 eCryptfs: Fix oops when printing debug info in extent crypto functions
55247
55248 If pages passed to the eCryptfs extent-based crypto functions are not
55249 mapped and the module parameter ecryptfs_verbosity=1 was specified at
55250 loading time, a NULL pointer dereference will occur.
55251
55252 Note that this wouldn't happen on a production system, as you wouldn't
55253 pass ecryptfs_verbosity=1 on a production system. It leaks private
55254 information to the system logs and is for debugging only.
55255
55256 The debugging info printed in these messages is no longer very useful
55257 and rather than doing a kmap() in these debugging paths, it will be
55258 better to simply remove the debugging paths completely.
55259
55260 https://launchpad.net/bugs/913651
55261
55262 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
55263 Reported-by: Daniel DeFreez
55264 Cc: <stable@vger.kernel.org>
55265
55266commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
55267Author: Tyler Hicks <tyhicks@canonical.com>
55268Date: Thu Jan 12 11:30:44 2012 +0100
55269
55270 eCryptfs: Sanitize write counts of /dev/ecryptfs
55271
55272 A malicious count value specified when writing to /dev/ecryptfs may
55273 result in a a very large kernel memory allocation.
55274
55275 This patch peeks at the specified packet payload size, adds that to the
55276 size of the packet headers and compares the result with the write count
55277 value. The resulting maximum memory allocation size is approximately 532
55278 bytes.
55279
55280 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
55281 Reported-by: Sasha Levin <levinsasha928@gmail.com>
55282 Cc: <stable@vger.kernel.org>
55283
55284commit 96dcb7282d323813181a1791f51c0ab7696b675b
55285Merge: 6c09fa5 201c0db
55286Author: Brad Spengler <spender@grsecurity.net>
55287Date: Fri Jan 27 19:44:15 2012 -0500
55288
55289 Merge branch 'pax-test' into grsec-test
55290
55291commit 201c0dbf177527367676028151e36d340923f033
55292Author: Brad Spengler <spender@grsecurity.net>
55293Date: Fri Jan 27 19:43:24 2012 -0500
55294
55295 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
55296 on loading modules with empty sections
55297
55298commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
55299Author: Brad Spengler <spender@grsecurity.net>
55300Date: Fri Jan 27 19:42:13 2012 -0500
55301
55302 compile fix
55303
55304commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
55305Author: Brad Spengler <spender@grsecurity.net>
55306Date: Fri Jan 27 19:39:28 2012 -0500
55307
55308 use LSM flags instead of duplicating checks
55309
55310commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
55311Merge: 44b9f11 558718b
55312Author: Brad Spengler <spender@grsecurity.net>
55313Date: Fri Jan 27 18:56:23 2012 -0500
55314
55315 Merge branch 'pax-test' into grsec-test
55316
55317commit 558718b2217beff69edf60f34a6f9893d910e9ac
55318Author: Brad Spengler <spender@grsecurity.net>
55319Date: Fri Jan 27 18:56:04 2012 -0500
55320
55321 Merge changes from pax-linux-3.2.2-test6.patch
55322
55323commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
55324Author: Brad Spengler <spender@grsecurity.net>
55325Date: Fri Jan 27 18:53:55 2012 -0500
55326
55327 don't increase the size of task_struct when unnecessary
55328 change ptrace_readexec log message
55329
55330commit a9c9626e054adb885883aa64f85506852894dd33
55331Author: Brad Spengler <spender@grsecurity.net>
55332Date: Fri Jan 27 18:16:28 2012 -0500
55333
55334 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
55335 the protection applies to all unreadable binaries.
55336
55337commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
55338Merge: 7b3f3af 05a1349
55339Author: Brad Spengler <spender@grsecurity.net>
55340Date: Wed Jan 25 20:52:09 2012 -0500
55341
55342 Merge branch 'pax-test' into grsec-test
55343
55344 Conflicts:
55345 block/scsi_ioctl.c
55346 drivers/scsi/sd.c
55347 fs/proc/base.c
55348
55349commit 05a134966efb9cb9346ad3422888969ffc79ac1d
55350Author: Brad Spengler <spender@grsecurity.net>
55351Date: Wed Jan 25 20:47:36 2012 -0500
55352
55353 Resync with pax-linux-3.2.2-test5.patch
55354
55355commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
55356Merge: c6d443d 3499d64
55357Author: Brad Spengler <spender@grsecurity.net>
55358Date: Wed Jan 25 20:45:16 2012 -0500
55359
55360 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
55361
55362 Conflicts:
55363 ipc/shm.c
55364
55365commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
55366Author: Brad Spengler <spender@grsecurity.net>
55367Date: Tue Jan 24 19:42:01 2012 -0500
55368
55369 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
55370 (may be changed if it breaks some userland), the other has its own
55371 config option
55372
55373 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
55374 the syscall or /proc/sys.
55375
55376 Second feature requires read access to a suid/sgid binary in order
55377 to ptrace it, preventing infoleaking of binaries in situations where
55378 the admin has specified 4711 or 2711 perms. Feature has been
55379 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
55380 a sysctl entry of ptrace_readexec
55381
55382commit 11a7bb25c411c9dccfdca5718639b4becdffd388
55383Author: Brad Spengler <spender@grsecurity.net>
55384Date: Sun Jan 22 14:37:10 2012 -0500
55385
55386 Compilation fixes
55387
55388commit cd400e21c7c352baba47d6f375297a7847afb33a
55389Author: Brad Spengler <spender@grsecurity.net>
55390Date: Sun Jan 22 14:20:27 2012 -0500
55391
55392 Initial port of grsecurity 2.2.2 for Linux 3.2.1
55393 Note that the new syscalls added to this kernel for remote process read/write
55394 are subject to ptrace hardening/other relevant RBAC features
55395 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
55396 as well
55397 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
55398 you should be using a version of gcc with plugin support
55399
55400commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
55401Author: Brad Spengler <spender@grsecurity.net>
55402Date: Sun Jan 22 11:47:31 2012 -0500
55403
55404 Import pax-linux-3.2.1-test5.patch
55405commit bfd7db842f835f9837cd43644459b3a95b0b488d
55406Author: Brad Spengler <spender@grsecurity.net>
55407Date: Sun Jan 22 11:02:02 2012 -0500
55408
55409 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
55410 instead of returning -EACCES
55411 thanks to Wraith from irc for the report
55412
55413commit 873ac13576506cd48ddb527c2540f274e249da50
55414Merge: 34083dd 8a44fcc
55415Author: Brad Spengler <spender@grsecurity.net>
55416Date: Fri Jan 20 18:04:02 2012 -0500
55417
55418 Merge branch 'pax-test' into grsec-test
55419
55420commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
55421Author: Brad Spengler <spender@grsecurity.net>
55422Date: Fri Jan 20 18:02:15 2012 -0500
55423
55424 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
55425 Denies executable shared memory when MPROTECT is active
55426 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
55427
55428commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
55429Author: Brad Spengler <spender@grsecurity.net>
55430Date: Thu Jan 19 20:23:14 2012 -0500
55431
55432 Introduce new GRKERNSEC_SETXID implementation
55433 We're not able to change the credentials of other threads in the process until at most
55434 one syscall after the first thread does it, since we mark the threads as needing rescheduling
55435 and such work occurs on syscall exit.
55436 This does however ensure that we're only modifying the current task's credentials
55437 which upholds RCU expectations
55438
55439 Many thanks to corsac for testing
55440
55441commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
55442Author: Brad Spengler <spender@grsecurity.net>
55443Date: Thu Jan 19 17:42:48 2012 -0500
55444
55445 Simplify backport
55446
55447commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
55448Author: Brad Spengler <spender@grsecurity.net>
55449Date: Thu Jan 19 17:08:16 2012 -0500
55450
55451 Commit the latest silent fix for a local privilege escalation from Linus
55452 Also disable writing to /proc/pid/mem
55453 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
55454
55455commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
55456Merge: 0394a3f 7e6299b
55457Author: Brad Spengler <spender@grsecurity.net>
55458Date: Wed Jan 18 20:22:09 2012 -0500
55459
55460 Merge branch 'pax-test' into grsec-test
55461
55462commit 7e6299b4733c082dde930375dd207b63237751ec
55463Merge: 83555fb 9bb1282
55464Author: Brad Spengler <spender@grsecurity.net>
55465Date: Wed Jan 18 20:21:37 2012 -0500
55466
55467 Merge branch 'linux-3.1.y' into pax-test
55468
55469commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
55470Author: Jesper Juhl <jj@chaosbits.net>
55471Date: Sun Jan 8 22:44:29 2012 +0100
55472
55473 audit: always follow va_copy() with va_end()
55474
55475 A call to va_copy() should always be followed by a call to va_end() in
55476 the same function. In kernel/autit.c::audit_log_vformat() this is not
55477 always done. This patch makes sure va_end() is always called.
55478
55479 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
55480 Cc: Al Viro <viro@zeniv.linux.org.uk>
55481 Cc: Eric Paris <eparis@redhat.com>
55482 Cc: Andrew Morton <akpm@linux-foundation.org>
55483 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55484
55485commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
55486Author: Andi Kleen <ak@linux.intel.com>
55487Date: Thu Jan 12 17:20:30 2012 -0800
55488
55489 panic: don't print redundant backtraces on oops
55490
55491 When an oops causes a panic and panic prints another backtrace it's pretty
55492 common to have the original oops data be scrolled away on a 80x50 screen.
55493
55494 The second backtrace is quite redundant and not needed anyways.
55495
55496 So don't print the panic backtrace when oops_in_progress is true.
55497
55498 [akpm@linux-foundation.org: add comment]
55499 Signed-off-by: Andi Kleen <ak@linux.intel.com>
55500 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
55501 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
55502 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55503
55504commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
55505Author: Miklos Szeredi <mszeredi@suse.cz>
55506Date: Thu Jan 12 17:59:46 2012 +0100
55507
55508 fsnotify: don't BUG in fsnotify_destroy_mark()
55509
55510 Removing the parent of a watched file results in "kernel BUG at
55511 fs/notify/mark.c:139".
55512
55513 To reproduce
55514
55515 add "-w /tmp/audit/dir/watched_file" to audit.rules
55516 rm -rf /tmp/audit/dir
55517
55518 This is caused by fsnotify_destroy_mark() being called without an
55519 extra reference taken by the caller.
55520
55521 Reported by Francesco Cosoleto here:
55522
55523 https://bugzilla.novell.com/show_bug.cgi?id=689860
55524
55525 Fix by removing the BUG_ON and adding a comment about not accessing mark after
55526 the iput.
55527
55528 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
55529 CC: stable@vger.kernel.org
55530 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55531
55532commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
55533Author: Paolo Bonzini <pbonzini@redhat.com>
55534Date: Thu Jan 12 16:01:28 2012 +0100
55535
55536 block: fail SCSI passthrough ioctls on partition devices
55537
55538 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
55539 will pass the command to the underlying block device. This is
55540 well-known, but it is also a large security problem when (via Unix
55541 permissions, ACLs, SELinux or a combination thereof) a program or user
55542 needs to be granted access only to part of the disk.
55543
55544 This patch lets partitions forward a small set of harmless ioctls;
55545 others are logged with printk so that we can see which ioctls are
55546 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
55547 Of course it was being sent to a (partition on a) hard disk, so it would
55548 have failed with ENOTTY and the patch isn't changing anything in
55549 practice. Still, I'm treating it specially to avoid spamming the logs.
55550
55551 In principle, this restriction should include programs running with
55552 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
55553 /dev/sdb, it still should not be able to read/write outside the
55554 boundaries of /dev/sda2 independent of the capabilities. However, for
55555 now programs with CAP_SYS_RAWIO will still be allowed to send the
55556 ioctls. Their actions will still be logged.
55557
55558 This patch does not affect the non-libata IDE driver. That driver
55559 however already tests for bd != bd->bd_contains before issuing some
55560 ioctl; it could be restricted further to forbid these ioctls even for
55561 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
55562
55563 Cc: linux-scsi@vger.kernel.org
55564 Cc: Jens Axboe <axboe@kernel.dk>
55565 Cc: James Bottomley <JBottomley@parallels.com>
55566 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
55567 [ Make it also print the command name when warning - Linus ]
55568 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55569
55570commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
55571Author: Paolo Bonzini <pbonzini@redhat.com>
55572Date: Thu Jan 12 16:01:27 2012 +0100
55573
55574 block: add and use scsi_blk_cmd_ioctl
55575
55576 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
55577
55578 The function will then be enhanced to detect partition block devices
55579 and, in that case, subject the ioctls to whitelisting.
55580
55581 Cc: linux-scsi@vger.kernel.org
55582 Cc: Jens Axboe <axboe@kernel.dk>
55583 Cc: James Bottomley <JBottomley@parallels.com>
55584 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
55585 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
55586
55587commit 97a79814903fc350e1d13704ea31528a42705401
55588Author: Kees Cook <keescook@chromium.org>
55589Date: Sat Jan 7 10:41:04 2012 -0800
55590
55591 audit: treat s_id as an untrusted string
55592
55593 The use of s_id should go through the untrusted string path, just to be
55594 extra careful.
55595
55596 Signed-off-by: Kees Cook <keescook@chromium.org>
55597 Acked-by: Mimi Zohar <zohar@us.ibm.com>
55598 Signed-off-by: Eric Paris <eparis@redhat.com>
55599
55600commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
55601Author: Xi Wang <xi.wang@gmail.com>
55602Date: Tue Dec 20 18:39:41 2011 -0500
55603
55604 audit: fix signedness bug in audit_log_execve_info()
55605
55606 In the loop, a size_t "len" is used to hold the return value of
55607 audit_log_single_execve_arg(), which returns -1 on error. In that
55608 case the error handling (len <= 0) will be bypassed since "len" is
55609 unsigned, and the loop continues with (p += len) being wrapped.
55610 Change the type of "len" to signed int to fix the error handling.
55611
55612 size_t len;
55613 ...
55614 for (...) {
55615 len = audit_log_single_execve_arg(...);
55616 if (len <= 0)
55617 break;
55618 p += len;
55619 }
55620
55621 Signed-off-by: Xi Wang <xi.wang@gmail.com>
55622 Signed-off-by: Eric Paris <eparis@redhat.com>
55623
55624commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
55625Author: Dan Carpenter <dan.carpenter@oracle.com>
55626Date: Tue Jan 17 03:28:51 2012 -0300
55627
55628 [media] ds3000: using logical && instead of bitwise &
55629
55630 The intent here was to test if the FE_HAS_LOCK was set. The current
55631 test is equivalent to "if (status) { ..."
55632
55633 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
55634 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
55635
55636commit 36522330dc59d2fc70c042f3f081d75c32b6259a
55637Author: Brad Spengler <spender@grsecurity.net>
55638Date: Mon Jan 16 13:10:38 2012 -0500
55639
55640 Ignore the 0 signal for protected task RBAC checks
55641
55642commit d513acd55f7a683f6e146a4f570cdb63300479ab
55643Author: Brad Spengler <spender@grsecurity.net>
55644Date: Mon Jan 16 11:56:13 2012 -0500
55645
55646 whitespace cleanup
55647
55648commit ced261c4b82818c700aff8487f647f6f3e5b5122
55649Merge: d48751f 83555fb
55650Author: Brad Spengler <spender@grsecurity.net>
55651Date: Fri Jan 13 20:12:54 2012 -0500
55652
55653 Merge branch 'pax-test' into grsec-test
55654
55655commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
55656Merge: fcd8129 93dad39
55657Author: Brad Spengler <spender@grsecurity.net>
55658Date: Fri Jan 13 20:12:43 2012 -0500
55659
55660 Merge branch 'linux-3.1.y' into pax-test
55661
55662commit d48751f3919ae855fda0ff6c149db82442329253
55663Author: Brad Spengler <spender@grsecurity.net>
55664Date: Wed Jan 11 19:05:47 2012 -0500
55665
55666 Call our own set_user when forcing change to new id
55667
55668commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
55669Merge: e6578ff fcd8129
55670Author: Brad Spengler <spender@grsecurity.net>
55671Date: Tue Jan 10 16:00:10 2012 -0500
55672
55673 Merge branch 'pax-test' into grsec-test
55674
55675commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
55676Author: Brad Spengler <spender@grsecurity.net>
55677Date: Tue Jan 10 15:58:43 2012 -0500
55678
55679 Merge changes from pax-linux-3.1.8-test23.patch
55680
55681commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
55682Merge: 8859ec3 a120549
55683Author: Brad Spengler <spender@grsecurity.net>
55684Date: Fri Jan 6 21:45:56 2012 -0500
55685
55686 Merge branch 'pax-test' into grsec-test
55687
55688commit a12054967a77090de1caa07c41e694a77db4e237
55689Author: Brad Spengler <spender@grsecurity.net>
55690Date: Fri Jan 6 21:45:30 2012 -0500
55691
55692 Merge changes from pax-linux-3.1.8-test22.patch
55693
55694commit 8859ec32f9815c274df65448f9f2960176c380d3
55695Merge: a5016b4 ddd4114
55696Author: Brad Spengler <spender@grsecurity.net>
55697Date: Fri Jan 6 21:26:08 2012 -0500
55698
55699 Merge branch 'pax-test' into grsec-test
55700
55701 Conflicts:
55702 fs/binfmt_elf.c
55703 security/Kconfig
55704
55705commit ddd41147e158a79704983a409b7433eba797cf66
55706Author: Brad Spengler <spender@grsecurity.net>
55707Date: Fri Jan 6 21:12:42 2012 -0500
55708
55709 Resync with PaX patch (whitespace difference)
55710
55711commit 29e569df8205c5f0e043fe4803aa984406c8b118
55712Author: Brad Spengler <spender@grsecurity.net>
55713Date: Fri Jan 6 21:09:47 2012 -0500
55714
55715 Merge changes from pax-linux-3.1.8-test21.patch
55716
55717commit a5016b4f9c09c337b17e063a7f369af1e86d944d
55718Merge: 0124c92 04231d5
55719Author: Brad Spengler <spender@grsecurity.net>
55720Date: Fri Jan 6 18:52:20 2012 -0500
55721
55722 Merge branch 'pax-test' into grsec-test
55723
55724commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
55725Merge: 7bdddeb a919904
55726Author: Brad Spengler <spender@grsecurity.net>
55727Date: Fri Jan 6 18:51:50 2012 -0500
55728
55729 Merge branch 'linux-3.1.y' into pax-test
55730
55731 Conflicts:
55732 include/net/flow.h
55733
55734commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
55735Author: Brad Spengler <spender@grsecurity.net>
55736Date: Fri Jan 6 18:33:05 2012 -0500
55737
55738 Make GRKERNSEC_SETXID option compatible with credential debugging
55739
55740commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
55741Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
55742Date: Wed Dec 28 15:57:11 2011 -0800
55743
55744 mm/mempolicy.c: refix mbind_range() vma issue
55745
55746 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
55747 slightly incorrect fix.
55748
55749 Why? Think following case.
55750
55751 1. map 4 pages of a file at offset 0
55752
55753 [0123]
55754
55755 2. map 2 pages just after the first mapping of the same file but with
55756 page offset 2
55757
55758 [0123][23]
55759
55760 3. mbind() 2 pages from the first mapping at offset 2.
55761 mbind_range() should treat new vma is,
55762
55763 [0123][23]
55764 |23|
55765 mbind vma
55766
55767 but it does
55768
55769 [0123][23]
55770 |01|
55771 mbind vma
55772
55773 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
55774
55775 This patch fixes it.
55776
55777 [testcase]
55778 test result - before the patch
55779
55780 case4: 126: test failed. expect '2,4', actual '2,2,2'
55781 case5: passed
55782 case6: passed
55783 case7: passed
55784 case8: passed
55785 case_n: 246: test failed. expect '4,2', actual '1,4'
55786
55787 ------------[ cut here ]------------
55788 kernel BUG at mm/filemap.c:135!
55789 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
55790
55791 (snip long bug on messages)
55792
55793 test result - after the patch
55794
55795 case4: passed
55796 case5: passed
55797 case6: passed
55798 case7: passed
55799 case8: passed
55800 case_n: passed
55801
55802 source: mbind_vma_test.c
55803 ============================================================
55804 #include <numaif.h>
55805 #include <numa.h>
55806 #include <sys/mman.h>
55807 #include <stdio.h>
55808 #include <unistd.h>
55809 #include <stdlib.h>
55810 #include <string.h>
55811
55812 static unsigned long pagesize;
55813 void* mmap_addr;
55814 struct bitmask *nmask;
55815 char buf[1024];
55816 FILE *file;
55817 char retbuf[10240] = "";
55818 int mapped_fd;
55819
55820 char *rubysrc = "ruby -e '\
55821 pid = %d; \
55822 vstart = 0x%llx; \
55823 vend = 0x%llx; \
55824 s = `pmap -q #{pid}`; \
55825 rary = []; \
55826 s.each_line {|line|; \
55827 ary=line.split(\" \"); \
55828 addr = ary[0].to_i(16); \
55829 if(vstart <= addr && addr < vend) then \
55830 rary.push(ary[1].to_i()/4); \
55831 end; \
55832 }; \
55833 print rary.join(\",\"); \
55834 '";
55835
55836 void init(void)
55837 {
55838 void* addr;
55839 char buf[128];
55840
55841 nmask = numa_allocate_nodemask();
55842 numa_bitmask_setbit(nmask, 0);
55843
55844 pagesize = getpagesize();
55845
55846 sprintf(buf, "%s", "mbind_vma_XXXXXX");
55847 mapped_fd = mkstemp(buf);
55848 if (mapped_fd == -1)
55849 perror("mkstemp "), exit(1);
55850 unlink(buf);
55851
55852 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
55853 perror("lseek "), exit(1);
55854 if (write(mapped_fd, "\0", 1) < 0)
55855 perror("write "), exit(1);
55856
55857 addr = mmap(NULL, pagesize*8, PROT_NONE,
55858 MAP_SHARED, mapped_fd, 0);
55859 if (addr == MAP_FAILED)
55860 perror("mmap "), exit(1);
55861
55862 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
55863 perror("mprotect "), exit(1);
55864
55865 mmap_addr = addr + pagesize;
55866
55867 /* make page populate */
55868 memset(mmap_addr, 0, pagesize*6);
55869 }
55870
55871 void fin(void)
55872 {
55873 void* addr = mmap_addr - pagesize;
55874 munmap(addr, pagesize*8);
55875
55876 memset(buf, 0, sizeof(buf));
55877 memset(retbuf, 0, sizeof(retbuf));
55878 }
55879
55880 void mem_bind(int index, int len)
55881 {
55882 int err;
55883
55884 err = mbind(mmap_addr+pagesize*index, pagesize*len,
55885 MPOL_BIND, nmask->maskp, nmask->size, 0);
55886 if (err)
55887 perror("mbind "), exit(err);
55888 }
55889
55890 void mem_interleave(int index, int len)
55891 {
55892 int err;
55893
55894 err = mbind(mmap_addr+pagesize*index, pagesize*len,
55895 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
55896 if (err)
55897 perror("mbind "), exit(err);
55898 }
55899
55900 void mem_unbind(int index, int len)
55901 {
55902 int err;
55903
55904 err = mbind(mmap_addr+pagesize*index, pagesize*len,
55905 MPOL_DEFAULT, NULL, 0, 0);
55906 if (err)
55907 perror("mbind "), exit(err);
55908 }
55909
55910 void Assert(char *expected, char *value, char *name, int line)
55911 {
55912 if (strcmp(expected, value) == 0) {
55913 fprintf(stderr, "%s: passed\n", name);
55914 return;
55915 }
55916 else {
55917 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
55918 name, line,
55919 expected, value);
55920 // exit(1);
55921 }
55922 }
55923
55924 /*
55925 AAAA
55926 PPPPPPNNNNNN
55927 might become
55928 PPNNNNNNNNNN
55929 case 4 below
55930 */
55931 void case4(void)
55932 {
55933 init();
55934 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
55935
55936 mem_bind(0, 4);
55937 mem_unbind(2, 2);
55938
55939 file = popen(buf, "r");
55940 fread(retbuf, sizeof(retbuf), 1, file);
55941 Assert("2,4", retbuf, "case4", __LINE__);
55942
55943 fin();
55944 }
55945
55946 /*
55947 AAAA
55948 PPPPPPNNNNNN
55949 might become
55950 PPPPPPPPPPNN
55951 case 5 below
55952 */
55953 void case5(void)
55954 {
55955 init();
55956 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
55957
55958 mem_bind(0, 2);
55959 mem_bind(2, 2);
55960
55961 file = popen(buf, "r");
55962 fread(retbuf, sizeof(retbuf), 1, file);
55963 Assert("4,2", retbuf, "case5", __LINE__);
55964
55965 fin();
55966 }
55967
55968 /*
55969 AAAA
55970 PPPPNNNNXXXX
55971 might become
55972 PPPPPPPPPPPP 6
55973 */
55974 void case6(void)
55975 {
55976 init();
55977 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
55978
55979 mem_bind(0, 2);
55980 mem_bind(4, 2);
55981 mem_bind(2, 2);
55982
55983 file = popen(buf, "r");
55984 fread(retbuf, sizeof(retbuf), 1, file);
55985 Assert("6", retbuf, "case6", __LINE__);
55986
55987 fin();
55988 }
55989
55990 /*
55991 AAAA
55992 PPPPNNNNXXXX
55993 might become
55994 PPPPPPPPXXXX 7
55995 */
55996 void case7(void)
55997 {
55998 init();
55999 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
56000
56001 mem_bind(0, 2);
56002 mem_interleave(4, 2);
56003 mem_bind(2, 2);
56004
56005 file = popen(buf, "r");
56006 fread(retbuf, sizeof(retbuf), 1, file);
56007 Assert("4,2", retbuf, "case7", __LINE__);
56008
56009 fin();
56010 }
56011
56012 /*
56013 AAAA
56014 PPPPNNNNXXXX
56015 might become
56016 PPPPNNNNNNNN 8
56017 */
56018 void case8(void)
56019 {
56020 init();
56021 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
56022
56023 mem_bind(0, 2);
56024 mem_interleave(4, 2);
56025 mem_interleave(2, 2);
56026
56027 file = popen(buf, "r");
56028 fread(retbuf, sizeof(retbuf), 1, file);
56029 Assert("2,4", retbuf, "case8", __LINE__);
56030
56031 fin();
56032 }
56033
56034 void case_n(void)
56035 {
56036 init();
56037 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
56038
56039 /* make redundunt mappings [0][1234][34][7] */
56040 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
56041 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
56042
56043 /* Expect to do nothing. */
56044 mem_unbind(2, 2);
56045
56046 file = popen(buf, "r");
56047 fread(retbuf, sizeof(retbuf), 1, file);
56048 Assert("4,2", retbuf, "case_n", __LINE__);
56049
56050 fin();
56051 }
56052
56053 int main(int argc, char** argv)
56054 {
56055 case4();
56056 case5();
56057 case6();
56058 case7();
56059 case8();
56060 case_n();
56061
56062 return 0;
56063 }
56064 =============================================================
56065
56066 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
56067 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
56068 Cc: Minchan Kim <minchan.kim@gmail.com>
56069 Cc: Caspar Zhang <caspar@casparzhang.com>
56070 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
56071 Cc: Christoph Lameter <cl@linux.com>
56072 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
56073 Cc: Mel Gorman <mel@csn.ul.ie>
56074 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
56075 Cc: <stable@vger.kernel.org> [3.1.x]
56076 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
56077 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
56078
56079commit f3a1082005781777086df235049f8c0b7efe524e
56080Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
56081Date: Tue Dec 27 22:32:41 2011 -0500
56082
56083 packet: fix possible dev refcnt leak when bind fail
56084
56085 If bind is fail when bind is called after set PACKET_FANOUT
56086 sock option, the dev refcnt will leak.
56087
56088 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
56089 Signed-off-by: David S. Miller <davem@davemloft.net>
56090
56091commit 915f8b08dac68839dc7204ee81cf9852fda16d24
56092Author: Haogang Chen <haogangchen@gmail.com>
56093Date: Mon Dec 19 17:11:56 2011 -0800
56094
56095 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
56096
56097 There is a potential integer overflow in nilfs_ioctl_clean_segments().
56098 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
56099 call to vmalloc() will allocate a buffer smaller than expected, which
56100 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
56101 lfs_clean_segments().
56102
56103 The following check does not prevent the overflow because nsegs is also
56104 controlled by the userspace and could be very large.
56105
56106 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
56107 goto out_free;
56108
56109 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
56110 returns -EINVAL when overflow.
56111
56112 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
56113 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
56114 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
56115 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
56116
56117commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
56118Author: Kautuk Consul <consul.kautuk@gmail.com>
56119Date: Mon Dec 19 17:12:04 2011 -0800
56120
56121 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
56122
56123 Static storage is not required for the struct vmap_area in
56124 __get_vm_area_node.
56125
56126 Removing "static" to store this variable on the stack instead.
56127
56128 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
56129 Acked-by: David Rientjes <rientjes@google.com>
56130 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
56131 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
56132
56133commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
56134Author: Michel Lespinasse <walken@google.com>
56135Date: Mon Dec 19 17:12:06 2011 -0800
56136
56137 binary_sysctl(): fix memory leak
56138
56139 binary_sysctl() calls sysctl_getname() which allocates from names_cache
56140 slab usin __getname()
56141
56142 The matching function to free the name is __putname(), and not putname()
56143 which should be used only to match getname() allocations.
56144
56145 This is because when auditing is enabled, putname() calls audit_putname
56146 *instead* (not in addition) to __putname(). Then, if a syscall is in
56147 progress, audit_putname does not release the name - instead, it expects
56148 the name to get released when the syscall completes, but that will happen
56149 only if audit_getname() was called previously, i.e. if the name was
56150 allocated with getname() rather than the naked __getname(). So,
56151 __getname() followed by putname() ends up leaking memory.
56152
56153 Signed-off-by: Michel Lespinasse <walken@google.com>
56154 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
56155 Cc: Christoph Hellwig <hch@infradead.org>
56156 Cc: Eric Paris <eparis@redhat.com>
56157 Cc: <stable@vger.kernel.org>
56158 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
56159 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
56160
56161commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
56162Author: Sean Hefty <sean.hefty@intel.com>
56163Date: Tue Dec 6 21:17:11 2011 +0000
56164
56165 RDMA/cma: Verify private data length
56166
56167 private_data_len is defined as a u8. If the user specifies a large
56168 private_data size (> 220 bytes), we will calculate a total length that
56169 exceeds 255, resulting in private_data_len wrapping back to 0. This
56170 can lead to overwriting random kernel memory. Avoid this by verifying
56171 that the resulting size fits into a u8.
56172
56173 Reported-by: B. Thery <benjamin.thery@bull.net>
56174 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
56175 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
56176 Signed-off-by: Roland Dreier <roland@purestorage.com>
56177
56178commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
56179Author: Xi Wang <xi.wang@gmail.com>
56180Date: Sun Dec 11 23:40:56 2011 -0800
56181
56182 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
56183
56184 The error check (intr_status < 0) didn't work because intr_status is
56185 a u8. Change its type to signed int.
56186
56187 Signed-off-by: Xi Wang <xi.wang@gmail.com>
56188 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
56189
56190commit e27f34e383d7863b2528a63b81b23db09781f6b6
56191Author: Xi Wang <xi.wang@gmail.com>
56192Date: Fri Dec 16 12:44:15 2011 +0000
56193
56194 sctp: fix incorrect overflow check on autoclose
56195
56196 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
56197 limiting the autoclose value. If userspace passes in -1 on 32-bit
56198 platform, the overflow check didn't work and autoclose would be set
56199 to 0xffffffff.
56200
56201 This patch defines a max_autoclose (in seconds) for limiting the value
56202 and exposes it through sysctl, with the following intentions.
56203
56204 1) Avoid overflowing autoclose * HZ.
56205
56206 2) Keep the default autoclose bound consistent across 32- and 64-bit
56207 platforms (INT_MAX / HZ in this patch).
56208
56209 3) Keep the autoclose value consistent between setsockopt() and
56210 getsockopt() calls.
56211
56212 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
56213 Signed-off-by: Xi Wang <xi.wang@gmail.com>
56214 Signed-off-by: David S. Miller <davem@davemloft.net>
56215
56216commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
56217Author: Xi Wang <xi.wang@gmail.com>
56218Date: Wed Dec 21 05:18:33 2011 -0500
56219
56220 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
56221
56222 Commit e133e737 didn't correctly fix the integer overflow issue.
56223
56224 - unsigned int required_size;
56225 + u64 required_size;
56226 ...
56227 required_size = mode_cmd->pitch * mode_cmd->height;
56228 - if (unlikely(required_size > dev_priv->vram_size)) {
56229 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
56230
56231 Note that both pitch and height are u32. Their product is still u32 and
56232 would overflow before being assigned to required_size. A correct way is
56233 to convert pitch and height to u64 before the multiplication.
56234
56235 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
56236
56237 This patch calls the existing vmw_kms_validate_mode_vram() for
56238 validation.
56239
56240 Signed-off-by: Xi Wang <xi.wang@gmail.com>
56241 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
56242 Signed-off-by: Dave Airlie <airlied@redhat.com>
56243
56244 Conflicts:
56245
56246 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
56247
56248commit eb8f0bd01fb994c9abc77dc84729794cd841753d
56249Author: Xi Wang <xi.wang@gmail.com>
56250Date: Thu Dec 22 13:35:22 2011 +0000
56251
56252 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
56253
56254 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
56255 cause a kernel oops due to insufficient bounds checking.
56256
56257 if (count > 1<<30) {
56258 /* Enforce a limit to prevent overflow */
56259 return -EINVAL;
56260 }
56261 count = roundup_pow_of_two(count);
56262 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
56263
56264 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
56265
56266 ... + (count * sizeof(struct rps_dev_flow))
56267
56268 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
56269 32 bits.
56270
56271 This patch replaces the magic number (1 << 30) with a symbolic bound.
56272
56273 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
56274 Signed-off-by: Xi Wang <xi.wang@gmail.com>
56275 Signed-off-by: David S. Miller <davem@davemloft.net>
56276
56277commit 648188958672024b616c42c1f6c98c8cfc85619d
56278Author: Xi Wang <xi.wang@gmail.com>
56279Date: Fri Dec 30 10:40:17 2011 -0500
56280
56281 netfilter: ctnetlink: fix timeout calculation
56282
56283 The sanity check (timeout < 0) never works; the dividend is unsigned
56284 and so is the division, which should have been a signed division.
56285
56286 long timeout = (ct->timeout.expires - jiffies) / HZ;
56287 if (timeout < 0)
56288 timeout = 0;
56289
56290 This patch converts the time values to signed for the division.
56291
56292 Signed-off-by: Xi Wang <xi.wang@gmail.com>
56293 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
56294
56295commit ab03a0973cee73f88655ff4981812ad316a6cd59
56296Merge: 76f82df 7bdddeb
56297Author: Brad Spengler <spender@grsecurity.net>
56298Date: Tue Jan 3 17:42:50 2012 -0500
56299
56300 Merge branch 'pax-test' into grsec-test
56301
56302commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
56303Merge: 3e59cb5 55cc81a
56304Author: Brad Spengler <spender@grsecurity.net>
56305Date: Tue Jan 3 17:42:36 2012 -0500
56306
56307 Merge branch 'linux-3.1.y' into pax-test
56308
56309commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
56310Author: Brad Spengler <spender@grsecurity.net>
56311Date: Thu Dec 22 20:15:02 2011 -0500
56312
56313 Only further restrict futex targeting another process -- our modified
56314 permission check also happened to allow a case where a process retaining
56315 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
56316 being non-zero (reported on forums by ben_w)
56317
56318commit 6b235a4450a5fea41663ec35fa0608988b6078c6
56319Merge: 97c16f0 3e59cb5
56320Author: Brad Spengler <spender@grsecurity.net>
56321Date: Thu Dec 22 19:11:06 2011 -0500
56322
56323 Merge branch 'pax-test' into grsec-test
56324
56325 Conflicts:
56326 fs/hfs/btree.c
56327
56328commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
56329Merge: 285eb4e c26f60b
56330Author: Brad Spengler <spender@grsecurity.net>
56331Date: Thu Dec 22 19:09:57 2011 -0500
56332
56333 Merge branch 'linux-3.1.y' into pax-test
56334
56335 Conflicts:
56336 arch/x86/kernel/process.c
56337
56338commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
56339Author: Brad Spengler <spender@grsecurity.net>
56340Date: Mon Dec 19 21:54:01 2011 -0500
56341
56342 Add new option: "Enforce consistent multithreaded privileges"
56343
56344commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
56345Author: Brad Spengler <spender@grsecurity.net>
56346Date: Wed Dec 7 19:58:31 2011 -0500
56347
56348 Remove harmless duplicate code -- exec_file would be null already so the
56349 second check would never pass.
56350
56351commit 4e3304e94aa72737810bc50169519af157dce4ce
56352Author: Brad Spengler <spender@grsecurity.net>
56353Date: Wed Dec 7 19:50:39 2011 -0500
56354
56355 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
56356 depended on for attaching to a thread. Entries exist in /proc for
56357 threads, but are not visible in a readdir.
56358
56359commit 1bd899335f23815cfe8deac44c6b346398f3b95e
56360Author: Brad Spengler <spender@grsecurity.net>
56361Date: Sun Dec 4 18:03:28 2011 -0500
56362
56363 Put the already-walked path if in RCU-walk mode
56364
56365commit ec7ae36b7159f10649709779443a988662965d66
56366Author: Brad Spengler <spender@grsecurity.net>
56367Date: Sun Dec 4 17:35:21 2011 -0500
56368
56369 Fix memory leak introduced by recent (unpublished) commit
56370 75ab998b94a29d464518d6d501bdde3fbfcbfa14
56371
56372commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
56373Author: Brad Spengler <spender@grsecurity.net>
56374Date: Sun Dec 4 13:56:10 2011 -0500
56375
56376 Explicitly check size copied to userland in override_release to silence gcc
56377
56378commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
56379Author: Brad Spengler <spender@grsecurity.net>
56380Date: Sun Dec 4 13:54:02 2011 -0500
56381
56382 Initialize variable to silence erroneous gcc warning
56383
56384commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
56385Author: Brad Spengler <spender@grsecurity.net>
56386Date: Sun Dec 4 13:47:47 2011 -0500
56387
56388 Future-proof other potential RCU-aware locations where we can log.
56389
56390commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
56391Author: Brad Spengler <spender@grsecurity.net>
56392Date: Sun Dec 4 13:02:54 2011 -0500
56393
56394 Fix freeze reported by 'vs' on the forums. Bug occurred due to
56395 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
56396 in generic_permission() was in the task's effective set but disallowed by
56397 RBAC, would block when acquiring locks resulting in the freeze.
56398
56399 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
56400 as being required when CAP_DAC_OVERRIDE is present (consistent with
56401 older patches).
56402
56403commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
56404Author: Xi Wang <xi.wang@gmail.com>
56405Date: Tue Nov 29 09:26:30 2011 +0000
56406
56407 sctp: better integer overflow check in sctp_auth_create_key()
56408
56409 The check from commit 30c2235c is incomplete and cannot prevent
56410 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
56411 left-hand side of the check (INT_MAX - key_len), which is unsigned,
56412 becomes 0xffffffff (UINT_MAX) and bypasses the check.
56413
56414 However this shouldn't be a security issue. The function is called
56415 from the following two code paths:
56416
56417 1) setsockopt()
56418
56419 2) sctp_auth_asoc_set_secret()
56420
56421 In case (1), sca_keylength is never going to exceed 65535 since it's
56422 bounded by a u16 from the user API. As such, the key length will
56423 never overflow.
56424
56425 In case (2), sca_keylength is computed based on the user key (1 short)
56426 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
56427 will not overflow.
56428
56429 In other words, this overflow check is not really necessary. Just
56430 make it more correct.
56431
56432 Signed-off-by: Xi Wang <xi.wang@gmail.com>
56433 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
56434 Signed-off-by: David S. Miller <davem@davemloft.net>
56435
56436commit e565e28c3635a1d50f80541fbf6b606d742fec76
56437Author: Josh Boyer <jwboyer@redhat.com>
56438Date: Fri Aug 19 14:50:26 2011 -0400
56439
56440 fs/minix: Verify bitmap block counts before mounting
56441
56442 Newer versions of MINIX can create filesystems that allocate an extra
56443 bitmap block. Mounting of this succeeds, but doing a statfs call will
56444 result in an oops in count_free because of a negative number being used
56445 for the bh index.
56446
56447 Avoid this by verifying the number of allocated blocks at mount time,
56448 erroring out if there are not enough and make statfs ignore the extras
56449 if there are too many.
56450
56451 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
56452
56453 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
56454 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
56455
56456commit 6e134e398ec1a3f428261680e83df4319e64bed9
56457Author: Julia Lawall <julia@diku.dk>
56458Date: Tue Nov 15 14:53:11 2011 -0800
56459
56460 drivers/gpu/vga/vgaarb.c: add missing kfree
56461
56462 kbuf is a buffer that is local to this function, so all of the error paths
56463 leaving the function should release it.
56464
56465 Signed-off-by: Julia Lawall <julia@diku.dk>
56466 Cc: Jesper Juhl <jj@chaosbits.net>
56467 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
56468 Signed-off-by: Dave Airlie <airlied@redhat.com>
56469
56470commit 2b9057b321e36860e8d63985b5c4e496f254b717
56471Author: Brad Spengler <spender@grsecurity.net>
56472Date: Sat Dec 3 21:33:28 2011 -0500
56473
56474 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
56475
56476commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
56477Author: Brad Spengler <spender@grsecurity.net>
56478Date: Sat Dec 3 21:29:37 2011 -0500
56479
56480 Import pax-linux-3.1.4-test18.patch
56481
56482commit 285eb4ea45d853ae00426b3315a61c1368080dad
56483Author: Brad Spengler <spender@grsecurity.net>
56484Date: Sat Dec 10 18:33:46 2011 -0500
56485
56486 Import changes from pax-linux-3.1.5-test20.patch
56487
56488commit a6bda918fc90ec1d5c387e978d147ad2044153f1
56489Author: Brad Spengler <spender@grsecurity.net>
56490Date: Thu Dec 8 20:55:54 2011 -0500
56491
56492 Import changes from pax-linux-3.1.4-test19.patch
56493
56494commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
56495Author: Brad Spengler <spender@grsecurity.net>
56496Date: Sat Dec 3 21:29:37 2011 -0500
56497
56498 Import pax-linux-3.1.4-test18.patch
56499commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
56500Merge: 814820a 3a59a59
56501Author: Brad Spengler <spender@grsecurity.net>
56502Date: Sun May 12 21:51:18 2013 -0400
56503
56504 Merge branch 'pax-test' into grsec-test
56505
56506 Conflicts:
56507 security/Kconfig
56508
56509commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
56510Author: Brad Spengler <spender@grsecurity.net>
56511Date: Sun May 12 21:50:07 2013 -0400
56512
56513 Update to pax-linux-3.8.13-test24.patch:
56514 - fixed sparc/constification compile error, reported by blake
56515 - UDEREF/amd64 should be a bit more efficient when disabled at boot time
56516 - fixed some unnecessary integer truncations that could trip up the size overflow plugin
56517
56518 arch/arm/kernel/vmlinux.lds.S | 4 ++--
56519 arch/sparc/kernel/us3_cpufreq.c | 4 ++--
56520 arch/x86/ia32/ia32entry.S | 4 ++--
56521 arch/x86/include/asm/pgtable.h | 6 ++++--
56522 arch/x86/include/asm/uaccess.h | 6 +++---
56523 arch/x86/kernel/kprobes-opt.c | 4 ++++
56524 arch/x86/lib/copy_user_nocache_64.S | 2 +-
56525 arch/x86/lib/getuser.S | 8 ++++----
56526 arch/x86/lib/putuser.S | 8 ++++----
56527 arch/x86/mm/fault.c | 6 +++---
56528 drivers/net/slip/slhc.c | 2 +-
56529 drivers/staging/iio/ring_sw.c | 2 +-
56530 fs/binfmt_elf.c | 6 +++---
56531 fs/nfsd/nfscache.c | 2 +-
56532 fs/xattr.c | 21 +++++++++++++++++++++
56533 include/linux/syscalls.h | 2 +-
56534 include/linux/xattr.h | 3 +++
56535 init/main.c | 3 +++
56536 kernel/futex_compat.c | 2 +-
56537 kernel/trace/trace.h | 2 +-
56538 net/socket.c | 2 +-
56539 security/Kconfig | 2 +-
56540 22 files changed, 67 insertions(+), 34 deletions(-)
56541
56542commit 814820abfe5b9a34401d838b2510431a4cd92be9
56543Author: Dan Carpenter <dan.carpenter@oracle.com>
56544Date: Mon May 6 09:31:17 2013 +0000
56545
56546 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
56547
56548 tipc: potential divide by zero in tipc_link_recv_fragment()
56549
56550 The worry here is that fragm_sz could be zero since it comes from
56551 skb->data.
56552
56553 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
56554 Signed-off-by: David S. Miller <davem@davemloft.net>
56555
56556 net/tipc/link.c | 6 ++++--
56557 1 files changed, 4 insertions(+), 2 deletions(-)
56558
56559commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
56560Author: Dan Carpenter <dan.carpenter@oracle.com>
56561Date: Mon May 6 08:28:41 2013 +0000
56562
56563 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
56564
56565 tipc: add a bounds check in link_recv_changeover_msg()
56566
56567 The bearer_id here comes from skb->data and it can be a number from 0 to
56568 7. The problem is that the ->links[] array has only 2 elements so I
56569 have added a range check.
56570
56571 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
56572 Signed-off-by: David S. Miller <davem@davemloft.net>
56573
56574 net/tipc/link.c | 5 ++++-
56575 1 files changed, 4 insertions(+), 1 deletions(-)
56576
56577commit ed0428c4ef6c5498870772f212ac651216eb8d0c
56578Merge: 2452d8d dbf932a
56579Author: Brad Spengler <spender@grsecurity.net>
56580Date: Sun May 12 21:18:25 2013 -0400
56581
56582 Merge branch 'linux-3.8.y' into pax-test
56583
56584 Conflicts:
56585 arch/x86/kernel/cpu/perf_event_intel_uncore.c
56586 arch/x86/mm/init.c
56587
56588commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
56589Author: Brad Spengler <spender@grsecurity.net>
56590Date: Sun May 12 20:24:01 2013 -0400
56591
56592 compile fix
56593
56594 grsecurity/gracl.c | 1 +
56595 grsecurity/gracl_segv.c | 1 +
56596 2 files changed, 2 insertions(+), 0 deletions(-)
56597
56598commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
56599Author: Brad Spengler <spender@grsecurity.net>
56600Date: Sun May 12 18:25:26 2013 -0400
56601
56602 fix btrfs support here as well
56603
56604 grsecurity/gracl_segv.c | 17 +++++++++--------
56605 1 files changed, 9 insertions(+), 8 deletions(-)
56606
56607commit c75e4664fe4d20da1639f70d9def097c4f20856b
56608Author: Brad Spengler <spender@grsecurity.net>
56609Date: Sun May 12 18:12:57 2013 -0400
56610
56611 Fix RBAC compatibility with btrfs compiled as a module, as
56612 reported on the forums by YuHg at:
56613 http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
56614
56615 fs/btrfs/inode.c | 11 +----------
56616 grsecurity/gracl.c | 19 ++++++++++---------
56617 grsecurity/gracl_segv.c | 2 +-
56618 grsecurity/grsec_disabled.c | 2 +-
56619 4 files changed, 13 insertions(+), 21 deletions(-)
56620
56621commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
56622Author: Brad Spengler <spender@grsecurity.net>
56623Date: Sat May 11 12:12:00 2013 -0400
56624
56625 allow copies just up to the start of kernel code
56626
56627 fs/exec.c | 2 +-
56628 1 files changed, 1 insertions(+), 1 deletions(-)
56629
56630commit 04638852588cf243f865f5a73aa9dab94fab53b7
56631Author: Brad Spengler <spender@grsecurity.net>
56632Date: Fri May 10 16:53:07 2013 -0400
56633
56634 MODULES_EXEC_VADDR is a virtual address
56635
56636 fs/exec.c | 2 +-
56637 1 files changed, 1 insertions(+), 1 deletions(-)
56638
56639commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
56640Author: Brad Spengler <spender@grsecurity.net>
56641Date: Fri May 10 16:51:03 2013 -0400
56642
56643 exempt module rx areas from usercopy protection under i386 kernexec
56644 their .rodata will be placed between stext/etext causing copies of
56645 constant strings to trigger usercopy reports/terminations
56646
56647 fs/exec.c | 5 +++++
56648 1 files changed, 5 insertions(+), 0 deletions(-)
56649
56650commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
56651Author: Brad Spengler <spender@grsecurity.net>
56652Date: Wed May 8 20:25:52 2013 -0400
56653
56654 User jorgus on the forums:
56655 http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
56656 discovered that the upstreamed version of enforcing RLIMIT_NPROC
56657 at setuid/exec time missed an important corner case:
56658 If RLIMIT_NPROC is set after a setuid occurs and the user's process
56659 limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
56660 happen at exec time for the task with a modified RLIMIT_NPROC.
56661
56662 This patch fixes that.
56663
56664 kernel/sys.c | 7 +++++++
56665 1 files changed, 7 insertions(+), 0 deletions(-)
56666
56667commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
56668Merge: 539fff0 2452d8d
56669Author: Brad Spengler <spender@grsecurity.net>
56670Date: Wed May 8 18:13:41 2013 -0400
56671
56672 Merge branch 'pax-test' into grsec-test
56673
56674commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
56675Merge: 6c850d8 9c9ab76
56676Author: Brad Spengler <spender@grsecurity.net>
56677Date: Wed May 8 18:13:31 2013 -0400
56678
56679 Merge branch 'linux-3.8.y' into pax-test
56680
56681 Conflicts:
56682 arch/x86/kernel/irq.c
56683 kernel/trace/trace_stack.c
56684
56685commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
56686Author: Brad Spengler <spender@grsecurity.net>
56687Date: Tue May 7 21:43:00 2013 -0400
56688
56689 turn counter into a flag
56690
56691 grsecurity/Kconfig | 2 +-
56692 grsecurity/grsec_chroot.c | 8 ++++----
56693 2 files changed, 5 insertions(+), 5 deletions(-)
56694
56695commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
56696Author: Brad Spengler <spender@grsecurity.net>
56697Date: Tue May 7 21:02:39 2013 -0400
56698
56699 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
56700 useful for Fedora/RHEL users
56701
56702 grsecurity/Kconfig | 10 ++++++++++
56703 grsecurity/grsec_chroot.c | 17 +++++++++++++++--
56704 2 files changed, 25 insertions(+), 2 deletions(-)
56705
56706commit 418102925c0cfb0de51b0a021abaa575e28fafa6
56707Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
56708Date: Fri May 3 14:11:25 2013 +0200
56709
56710 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
56711
56712 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
56713
56714 We should always have proper privileges when requesting kernel
56715 data.
56716
56717 Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
56718 Cc: <stable@kernel.org>
56719 Cc: Andi Kleen <ak@linux.intel.com>
56720 Cc: eranian@google.com
56721 Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
56722 [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
56723 Signed-off-by: Ingo Molnar <mingo@kernel.org>
56724 Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
56725
56726 arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
56727 1 files changed, 10 insertions(+), 3 deletions(-)
56728
56729commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
56730Author: Eric Dumazet <edumazet@google.com>
56731Date: Mon Apr 29 05:58:52 2013 +0000
56732
56733 Upstream commit: aebda156a570782a86fc4426842152237a19427d
56734
56735 net: defer net_secret[] initialization
56736
56737 Instead of feeding net_secret[] at boot time, defer the init
56738 at the point first socket is created.
56739
56740 This permits some platforms to use better entropy sources than
56741 the ones available at boot time.
56742
56743 Signed-off-by: Eric Dumazet <edumazet@google.com>
56744 Signed-off-by: David S. Miller <davem@davemloft.net>
56745
56746 include/net/secure_seq.h | 1 +
56747 net/core/secure_seq.c | 4 +---
56748 net/ipv4/af_inet.c | 5 ++++-
56749 3 files changed, 6 insertions(+), 4 deletions(-)
56750
56751commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
56752Author: Daniel Borkmann <dborkman@redhat.com>
56753Date: Wed May 1 02:59:23 2013 +0000
56754
56755 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
56756
56757 net: sctp: attribute printl with __printf for gcc fmt checks
56758
56759 Let GCC check for format string errors in sctp's probe printl
56760 function. This patch fixes the warning when compiled with W=1:
56761
56762 net/sctp/probe.c:73:2: warning: function might be possible candidate
56763 for 'gnu_printf' format attribute [-Wmissing-format-attribute]
56764
56765 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
56766 Signed-off-by: David S. Miller <davem@davemloft.net>
56767
56768 net/sctp/probe.c | 2 +-
56769 1 files changed, 1 insertions(+), 1 deletions(-)
56770
56771commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
56772Author: Brad Spengler <spender@grsecurity.net>
56773Date: Thu May 2 19:58:54 2013 -0400
56774
56775 remove no-longer-needed vmware 8 compat fix
56776
56777 mm/page_alloc.c | 6 ------
56778 1 files changed, 0 insertions(+), 6 deletions(-)
56779
56780commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
56781Author: Brad Spengler <spender@grsecurity.net>
56782Date: Thu May 2 19:55:23 2013 -0400
56783
56784 remove unnecessary < 0 check
56785
56786 net/phonet/af_phonet.c | 2 +-
56787 1 files changed, 1 insertions(+), 1 deletions(-)
56788
56789commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
56790Author: Brad Spengler <spender@grsecurity.net>
56791Date: Wed May 1 18:30:48 2013 -0400
56792
56793 remove references to CONFIG_X86_WP_WORKS_OK
56794
56795 arch/um/defconfig | 1 -
56796 security/Kconfig | 2 +-
56797 2 files changed, 1 insertions(+), 2 deletions(-)
56798
56799commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
56800Merge: a8dbe8e 6c850d8
56801Author: Brad Spengler <spender@grsecurity.net>
56802Date: Wed May 1 18:28:44 2013 -0400
56803
56804 Merge branch 'pax-test' into grsec-test
56805
56806 Conflicts:
56807 arch/sparc/mm/ultra.S
56808 drivers/tty/tty_io.c
56809
56810commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
56811Merge: cdbcbef 9fa1d01
56812Author: Brad Spengler <spender@grsecurity.net>
56813Date: Wed May 1 18:25:18 2013 -0400
56814
56815 Merge branch 'linux-3.8.y' into pax-test
56816
56817commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
56818Author: Brad Spengler <spender@grsecurity.net>
56819Date: Mon Apr 29 18:44:23 2013 -0400
56820
56821 add module.h to silence compiler warning, thanks to
56822 Sergei Trofimovich
56823
56824 fs/btrfs/inode.c | 1 +
56825 1 files changed, 1 insertions(+), 0 deletions(-)
56826
56827commit 55eba82aca97aa56378e000840c48965557721e8
56828Author: Brad Spengler <spender@grsecurity.net>
56829Date: Mon Apr 29 18:43:03 2013 -0400
56830
56831 compilation fix
56832
56833 kernel/trace/trace.h | 2 +-
56834 1 files changed, 1 insertions(+), 1 deletions(-)
56835
56836commit e3bf912b54af6df7fbebc68b5999554562056c5c
56837Merge: 5b72e37 cdbcbef
56838Author: Brad Spengler <spender@grsecurity.net>
56839Date: Mon Apr 29 18:34:42 2013 -0400
56840
56841 Merge branch 'pax-test' into grsec-test
56842
56843commit cdbcbef45c4f003cbee11e10668a35d424c17c60
56844Author: Brad Spengler <spender@grsecurity.net>
56845Date: Mon Apr 29 18:33:35 2013 -0400
56846
56847 Update to pax-linux-3.8.10-test21.patch:
56848 - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
56849 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
56850 note that the false positive is not fixed yet
56851 - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
56852 - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
56853 - reverted the nested NMI fix in search for a real one
56854 - simplified the arm_delay_ops constification
56855
56856 arch/arm/include/asm/delay.h | 8 ++++----
56857 arch/arm/lib/delay.c | 17 +++++------------
56858 arch/x86/kernel/entry_64.S | 11 ++++++++++-
56859 arch/x86/kernel/i8259.c | 2 +-
56860 arch/x86/kernel/pci-calgary_64.c | 2 +-
56861 arch/x86/kvm/vmx.c | 4 ++--
56862 drivers/block/pktcdvd.c | 2 +-
56863 fs/btrfs/extent-tree.c | 2 +-
56864 fs/nfsd/nfscache.c | 6 ++++--
56865 kernel/trace/trace.c | 2 +-
56866 tools/gcc/structleak_plugin.c | 4 ++++
56867 11 files changed, 34 insertions(+), 26 deletions(-)
56868
56869commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
56870Author: Brad Spengler <spender@grsecurity.net>
56871Date: Fri Apr 26 20:53:06 2013 -0400
56872
56873 don't use file_inode()
56874
56875 drivers/tty/tty_io.c | 2 +-
56876 1 files changed, 1 insertions(+), 1 deletions(-)
56877
56878commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
56879Author: Jiri Slaby <jslaby@suse.cz>
56880Date: Fri Apr 26 13:48:53 2013 +0200
56881
56882 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
56883
56884 TTY: fix atime/mtime regression
56885
56886 In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
56887 we removed timestamps from tty inodes to fix a security issue and waited
56888 if something breaks. Well, 'w', the utility to find out logged users
56889 and their inactivity time broke. It shows that users are inactive since
56890 the time they logged in.
56891
56892 To revert to the old behaviour while still preventing attackers to
56893 guess the password length, we update the timestamps in one-minute
56894 intervals by this patch.
56895
56896 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
56897 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
56898 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
56899
56900 Conflicts:
56901
56902 drivers/tty/tty_io.c
56903
56904 drivers/tty/tty_io.c | 15 ++++++++++++++-
56905 1 files changed, 14 insertions(+), 1 deletions(-)
56906
56907commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
56908Author: Jiri Slaby <jslaby@suse.cz>
56909Date: Fri Feb 15 15:25:05 2013 +0100
56910
56911 Upstream commit: b0de59b5733d
56912
56913 TTY: do not update atime/mtime on read/write
56914
56915 On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
56916 out length of a password using timestamps of /dev/ptmx. It is
56917 documented in "Timing Analysis of Keystrokes and Timing Attacks on
56918 SSH". To avoid that problem, do not update time when reading
56919 from/writing to a TTY.
56920
56921 I am afraid of regressions as this is a behavior we have since 0.97
56922 and apps may expect the time to be current, e.g. for monitoring
56923 whether there was a change on the TTY. Now, there is no change. So
56924 this would better have a lot of testing before it goes upstream.
56925
56926 References: CVE-2013-0160
56927
56928 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
56929 Cc: stable <stable@vger.kernel.org> # after 3.9 is out
56930 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
56931
56932 drivers/tty/tty_io.c | 8 ++------
56933 1 files changed, 2 insertions(+), 6 deletions(-)
56934
56935commit 5344a24e2320d61dbdb88aae04922f0799deefd0
56936Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
56937Date: Fri Apr 26 11:03:53 2013 +0800
56938
56939 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
56940
56941 aio: fix possible invalid memory access when DEBUG is enabled
56942
56943 dprintk() shouldn't access @ring after it's unmapped.
56944
56945 Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
56946 Cc: stable@vger.kernel.org
56947 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
56948
56949 fs/aio.c | 2 +-
56950 1 files changed, 1 insertions(+), 1 deletions(-)
56951
56952commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
56953Author: John David Anglin <dave.anglin@bell.net>
56954Date: Tue Apr 23 22:42:07 2013 +0200
56955
56956 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
56957
56958 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
56959
56960 User applications running on SMP kernels have long suffered from instability
56961 and random segmentation faults. This patch improves the situation although
56962 there is more work to be done.
56963
56964 One of the problems is the various routines in pgtable.h that update page table
56965 entries use different locking mechanisms, or no lock at all (set_pte_at). This
56966 change modifies the routines to all use the same lock pa_dbit_lock. This lock
56967 is used for dirty bit updates in the interruption code. The patch also purges
56968 the TLB entries associated with the PTE to ensure that inconsistent values are
56969 not used after the page table entry is updated. The UP and SMP code are now
56970 identical.
56971
56972 The change also includes a minor update to the purge_tlb_entries function in
56973 cache.c to improve its efficiency.
56974
56975 Signed-off-by: John David Anglin <dave.anglin@bell.net>
56976 Cc: Helge Deller <deller@gmx.de>
56977 Signed-off-by: Helge Deller <deller@gmx.de>
56978
56979 arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
56980 arch/parisc/kernel/cache.c | 5 +---
56981 2 files changed, 26 insertions(+), 26 deletions(-)
56982
56983commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
56984Merge: ba54c97 4d05084
56985Author: Brad Spengler <spender@grsecurity.net>
56986Date: Fri Apr 26 18:17:20 2013 -0400
56987
56988 Merge branch 'pax-test' into grsec-test
56989
56990 Conflicts:
56991 arch/x86/kvm/x86.c
56992 include/linux/capability.h
56993
56994commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
56995Merge: c664779 bb8dd67
56996Author: Brad Spengler <spender@grsecurity.net>
56997Date: Fri Apr 26 18:15:45 2013 -0400
56998
56999 Merge branch 'linux-3.8.y' into pax-test
57000
57001commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
57002Author: David S. Miller <davem@davemloft.net>
57003Date: Wed Apr 24 16:52:18 2013 -0700
57004
57005 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
57006
57007 sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
57008
57009 Reported-by: Meelis Roos <mroos@linux.ee>
57010 Signed-off-by: David S. Miller <davem@davemloft.net>
57011
57012 arch/sparc/mm/tlb.c | 3 ++-
57013 1 files changed, 2 insertions(+), 1 deletions(-)
57014
57015commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
57016Author: David S. Miller <davem@davemloft.net>
57017Date: Fri Apr 19 17:26:26 2013 -0400
57018
57019 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
57020
57021 sparc64: Fix race in TLB batch processing.
57022
57023 As reported by Dave Kleikamp, when we emit cross calls to do batched
57024 TLB flush processing we have a race because we do not synchronize on
57025 the sibling cpus completing the cross call.
57026
57027 So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
57028 and either flushes are missed or flushes will flush the wrong
57029 addresses.
57030
57031 Fix this by using generic infrastructure to synchonize on the
57032 completion of the cross call.
57033
57034 This first required getting the flush_tlb_pending() call out from
57035 switch_to() which operates with locks held and interrupts disabled.
57036 The problem is that smp_call_function_many() cannot be invoked with
57037 IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
57038
57039 We get the batch processing outside of locked IRQ disabled sections by
57040 using some ideas from the powerpc port. Namely, we only batch inside
57041 of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
57042 region, we flush TLBs synchronously.
57043
57044 1) Get rid of xcall_flush_tlb_pending and per-cpu type
57045 implementations.
57046
57047 2) Do TLB batch cross calls instead via:
57048
57049 smp_call_function_many()
57050 tlb_pending_func()
57051 __flush_tlb_pending()
57052
57053 3) Batch only in lazy mmu sequences:
57054
57055 a) Add 'active' member to struct tlb_batch
57056 b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
57057 c) Set 'active' in arch_enter_lazy_mmu_mode()
57058 d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
57059 e) Check 'active' in tlb_batch_add_one() and do a synchronous
57060 flush if it's clear.
57061
57062 4) Add infrastructure for synchronous TLB page flushes.
57063
57064 a) Implement __flush_tlb_page and per-cpu variants, patch
57065 as needed.
57066 b) Likewise for xcall_flush_tlb_page.
57067 c) Implement smp_flush_tlb_page() to invoke the cross-call.
57068 d) Wire up global_flush_tlb_page() to the right routine based
57069 upon CONFIG_SMP
57070
57071 5) It turns out that singleton batches are very common, 2 out of every
57072 3 batch flushes have only a single entry in them.
57073
57074 The batch flush waiting is very expensive, both because of the poll
57075 on sibling cpu completeion, as well as because passing the tlb batch
57076 pointer to the sibling cpus invokes a shared memory dereference.
57077
57078 Therefore, in flush_tlb_pending(), if there is only one entry in
57079 the batch perform a completely asynchronous global_flush_tlb_page()
57080 instead.
57081
57082 Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
57083 Signed-off-by: David S. Miller <davem@davemloft.net>
57084 Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
57085
57086 arch/sparc/include/asm/pgtable_64.h | 1 +
57087 arch/sparc/include/asm/switch_to_64.h | 3 +-
57088 arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
57089 arch/sparc/kernel/smp_64.c | 41 ++++++++++-
57090 arch/sparc/mm/tlb.c | 38 +++++++++-
57091 arch/sparc/mm/tsb.c | 57 ++++++++++++----
57092 arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
57093 7 files changed, 241 insertions(+), 55 deletions(-)
57094
57095commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
57096Author: Linus Torvalds <torvalds@linux-foundation.org>
57097Date: Fri Apr 19 15:32:32 2013 +0000
57098
57099 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
57100
57101 net: fix incorrect credentials passing
57102
57103 Commit 257b5358b32f ("scm: Capture the full credentials of the scm
57104 sender") changed the credentials passing code to pass in the effective
57105 uid/gid instead of the real uid/gid.
57106
57107 Obviously this doesn't matter most of the time (since normally they are
57108 the same), but it results in differences for suid binaries when the wrong
57109 uid/gid ends up being used.
57110
57111 This just undoes that (presumably unintentional) part of the commit.
57112
57113 Reported-by: Andy Lutomirski <luto@amacapital.net>
57114 Cc: Eric W. Biederman <ebiederm@xmission.com>
57115 Cc: Serge E. Hallyn <serge@hallyn.com>
57116 Cc: David S. Miller <davem@davemloft.net>
57117 Cc: stable@vger.kernel.org
57118 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
57119 Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
57120 Signed-off-by: David S. Miller <davem@davemloft.net>
57121
57122 include/net/scm.h | 4 ++--
57123 1 files changed, 2 insertions(+), 2 deletions(-)
57124
57125commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
57126Author: Brad Spengler <spender@grsecurity.net>
57127Date: Thu Apr 18 19:22:40 2013 -0400
57128
57129 move _etext to only cover kernel code, not read-only data, as reported by Gu1
57130
57131 arch/arm/kernel/vmlinux.lds.S | 4 ++--
57132 1 files changed, 2 insertions(+), 2 deletions(-)
57133
57134commit 98ad6adbc48759e4f9eae435d3e51ba487155685
57135Author: Brad Spengler <spender@grsecurity.net>
57136Date: Thu Apr 18 19:17:24 2013 -0400
57137
57138 add asm/sections.h for USERCOPY change
57139
57140 fs/exec.c | 1 +
57141 1 files changed, 1 insertions(+), 0 deletions(-)
57142
57143commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
57144Author: Dmitry Popov <dp@highloadlab.com>
57145Date: Thu Apr 11 08:55:07 2013 +0000
57146
57147 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
57148
57149 tcp: incoming connections might use wrong route under synflood
57150
57151 There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
57152 flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
57153 RT_SCOPE_UNIVERSE, IPPROTO_TCP,
57154 inet_sk_flowi_flags(sk),
57155 (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
57156 ireq->loc_addr, th->source, th->dest);
57157
57158 Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
57159 taken. This dst_entry is used by new socket (get_cookie_sock ->
57160 tcp_v4_syn_recv_sock), so its packets may take the wrong path.
57161
57162 Signed-off-by: Dmitry Popov <dp@highloadlab.com>
57163 Signed-off-by: David S. Miller <davem@davemloft.net>
57164
57165 net/ipv4/syncookies.c | 4 ++--
57166 1 files changed, 2 insertions(+), 2 deletions(-)
57167
57168commit 3600395e8fef3ae712e72f9b68c3609639616df8
57169Author: Thomas Graf <tgraf@suug.ch>
57170Date: Thu Apr 11 10:57:18 2013 +0000
57171
57172 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
57173
57174 tcp: Reallocate headroom if it would overflow csum_start
57175
57176 If a TCP retransmission gets partially ACKed and collapsed multiple
57177 times it is possible for the headroom to grow beyond 64K which will
57178 overflow the 16bit skb->csum_start which is based on the start of
57179 the headroom. It has been observed rarely in the wild with IPoIB due
57180 to the 64K MTU.
57181
57182 Verify if the acking and collapsing resulted in a headroom exceeding
57183 what csum_start can cover and reallocate the headroom if so.
57184
57185 A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
57186 LLNL for helping out with the investigation and testing.
57187
57188 Reported-by: Jim Foraker <foraker1@llnl.gov>
57189 Signed-off-by: Thomas Graf <tgraf@suug.ch>
57190 Acked-by: Eric Dumazet <edumazet@google.com>
57191 Signed-off-by: David S. Miller <davem@davemloft.net>
57192
57193 net/ipv4/tcp_output.c | 8 ++++++--
57194 1 files changed, 6 insertions(+), 2 deletions(-)
57195
57196commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
57197Author: Ivan Vecera <ivecera@redhat.com>
57198Date: Fri Apr 12 16:49:24 2013 +0200
57199
57200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
57201
57202 be2net: take care of __vlan_put_tag return value
57203
57204 The driver should use return value of __vlan_put_tag with appropriate
57205 NULL-check instead of old skb pointer.
57206
57207 Signed-off-by: Ivan Vecera <ivecera@redhat.com>
57208 Signed-off-by: David S. Miller <davem@davemloft.net>
57209
57210 drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
57211 1 files changed, 3 insertions(+), 2 deletions(-)
57212
57213commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
57214Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
57215Date: Fri Apr 12 03:17:12 2013 +0000
57216
57217 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
57218
57219 tuntap: fix error return code in tun_set_iff()
57220
57221 Fix to return a negative error code from the error handling
57222 case instead of 0, as returned elsewhere in this function.
57223
57224 [ Bug added in linux-3.8 , commit 4008e97f866db665
57225 ("tuntap: fix ambigious multiqueue API") ]
57226
57227 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
57228 Acked-by: Eric Dumazet <edumazet@google.com>
57229 Signed-off-by: David S. Miller <davem@davemloft.net>
57230
57231 drivers/net/tun.c | 2 +-
57232 1 files changed, 1 insertions(+), 1 deletions(-)
57233
57234commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
57235Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
57236Date: Sat Apr 13 15:49:03 2013 +0000
57237
57238 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
57239
57240 esp4: fix error return code in esp_output()
57241
57242 Fix to return a negative error code from the error handling
57243 case instead of 0, as returned elsewhere in this function.
57244
57245 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
57246 Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
57247 Signed-off-by: David S. Miller <davem@davemloft.net>
57248
57249 net/ipv4/esp4.c | 6 +++---
57250 1 files changed, 3 insertions(+), 3 deletions(-)
57251
57252commit 2b45b5f52c2a8930f80c62de392a62516c83e225
57253Author: Bjørn Mork <bjorn@mork.no>
57254Date: Tue Apr 16 00:17:07 2013 +0000
57255
57256 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
57257
57258 net: cdc_mbim: remove bogus sizeof()
57259
57260 The intention was to test against the constant, not the size of
57261 the constant.
57262
57263 Signed-off-by: Bjørn Mork <bjorn@mork.no>
57264 Signed-off-by: David S. Miller <davem@davemloft.net>
57265
57266 drivers/net/usb/cdc_mbim.c | 2 +-
57267 1 files changed, 1 insertions(+), 1 deletions(-)
57268
57269commit 17d7408795519037a5a1272c7888238e20830bfe
57270Author: Vyacheslav Dubeyko <slava@dubeyko.com>
57271Date: Wed Apr 17 15:58:33 2013 -0700
57272
57273 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
57274
57275 hfsplus: fix potential overflow in hfsplus_file_truncate()
57276
57277 Change a u32 to loff_t hfsplus_file_truncate().
57278
57279 Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
57280 Cc: Christoph Hellwig <hch@infradead.org>
57281 Cc: Al Viro <viro@zeniv.linux.org.uk>
57282 Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
57283 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
57284 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
57285
57286 fs/hfsplus/extents.c | 2 +-
57287 1 files changed, 1 insertions(+), 1 deletions(-)
57288
57289commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
57290Author: Emese Revfy <re.emese@gmail.com>
57291Date: Wed Apr 17 15:58:36 2013 -0700
57292
57293 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
57294
57295 kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
57296
57297 This fixes a kernel memory contents leak via the tkill and tgkill syscalls
57298 for compat processes.
57299
57300 This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
57301 when handling signals delivered from tkill.
57302
57303 The place of the infoleak:
57304
57305 int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
57306 {
57307 ...
57308 put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
57309 ...
57310 }
57311
57312 Signed-off-by: Emese Revfy <re.emese@gmail.com>
57313 Reviewed-by: PaX Team <pageexec@freemail.hu>
57314 Signed-off-by: Kees Cook <keescook@chromium.org>
57315 Cc: Al Viro <viro@zeniv.linux.org.uk>
57316 Cc: Oleg Nesterov <oleg@redhat.com>
57317 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
57318 Cc: Serge Hallyn <serge.hallyn@canonical.com>
57319 Cc: <stable@vger.kernel.org>
57320 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
57321 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
57322
57323 kernel/signal.c | 2 +-
57324 1 files changed, 1 insertions(+), 1 deletions(-)
57325
57326commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
57327Author: Brad Spengler <spender@grsecurity.net>
57328Date: Wed Apr 17 20:17:00 2013 -0400
57329
57330 Improve PAX_USERCOPY to reject direct copies to/from main kernel text
57331
57332 fs/exec.c | 29 +++++++++++++++++++++++++++--
57333 1 files changed, 27 insertions(+), 2 deletions(-)
57334
57335commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
57336Merge: e87c19f c664779
57337Author: Brad Spengler <spender@grsecurity.net>
57338Date: Wed Apr 17 20:06:08 2013 -0400
57339
57340 Merge branch 'pax-test' into grsec-test
57341
57342commit c664779987cb0c27a242029f0e0db812e3236203
57343Author: Brad Spengler <spender@grsecurity.net>
57344Date: Wed Apr 17 19:54:09 2013 -0400
57345
57346 add intentional_overflow marking for resource_size() as reasoned by:
57347 http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
57348
57349 include/linux/ioport.h | 2 +-
57350 1 files changed, 1 insertions(+), 1 deletions(-)
57351
57352commit e87c19f8312355b8658e5138c16bfa6043a379c8
57353Merge: 802d119 d0c636c
57354Author: Brad Spengler <spender@grsecurity.net>
57355Date: Wed Apr 17 16:57:12 2013 -0400
57356
57357 Merge branch 'pax-test' into grsec-test
57358
57359commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
57360Merge: bc88628 2396403
57361Author: Brad Spengler <spender@grsecurity.net>
57362Date: Wed Apr 17 16:57:01 2013 -0400
57363
57364 Merge branch 'linux-3.8.y' into pax-test
57365
57366 Conflicts:
57367 arch/x86/kernel/paravirt.c
57368
57369commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
57370Author: Brad Spengler <spender@grsecurity.net>
57371Date: Sun Apr 14 21:39:51 2013 -0400
57372
57373 move location of RBAC user check on setfsuid until after capability checks
57374 for consistency with other checks
57375
57376 kernel/sys.c | 6 +++---
57377 1 files changed, 3 insertions(+), 3 deletions(-)
57378
57379commit 1a860d7d67051559ab2e6d10f9888649c92904e6
57380Author: Brad Spengler <spender@grsecurity.net>
57381Date: Sun Apr 14 21:34:46 2013 -0400
57382
57383 A denied setfsuid by the RBAC system would result in an abort_creds() being called
57384 with an uninitalized pointer, introduced by a bad forward-port
57385
57386 kernel/sys.c | 6 +++---
57387 1 files changed, 3 insertions(+), 3 deletions(-)
57388
57389commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
57390Merge: c38d142 bc88628
57391Author: Brad Spengler <spender@grsecurity.net>
57392Date: Sun Apr 14 21:28:33 2013 -0400
57393
57394 Merge branch 'pax-test' into grsec-test
57395
57396 Conflicts:
57397 security/Kconfig
57398
57399commit bc88628a6a8fcccaabb90908640809b0540df225
57400Author: Brad Spengler <spender@grsecurity.net>
57401Date: Sun Apr 14 21:26:41 2013 -0400
57402
57403 Update to pax-linux-3.8.7-test20.patch:
57404 - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
57405 - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
57406 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
57407 - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
57408
57409 arch/powerpc/include/asm/smp.h | 2 +-
57410 arch/x86/Kconfig | 4 ++--
57411 arch/x86/kernel/entry_64.S | 8 ++++----
57412 security/Kconfig | 2 +-
57413 4 files changed, 8 insertions(+), 8 deletions(-)
57414
57415commit c38d142744489fc4d9be80188b6435a278438fd9
57416Author: Suleiman Souhlal <suleiman@google.com>
57417Date: Sat Apr 13 16:03:06 2013 -0700
57418
57419 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
57420
57421 vfs: Revert spurious fix to spinning prevention in prune_icache_sb
57422
57423 Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
57424
57425 This commit doesn't look right: since we are looking at the tail of the
57426 list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
57427 it back at the head of the list instead of the tail, otherwise we will
57428 keep spinning on it.
57429
57430 Discovered when investigating why prune_icache_sb came top in perf
57431 reports of a swapping load.
57432
57433 Signed-off-by: Suleiman Souhlal <suleiman@google.com>
57434 Signed-off-by: Hugh Dickins <hughd@google.com>
57435 Cc: stable@vger.kernel.org # v3.2+
57436 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
57437
57438 fs/inode.c | 2 +-
57439 1 files changed, 1 insertions(+), 1 deletions(-)
57440
57441commit 93019624b80ba59798393942798d7f6ed0c1dbc6
57442Author: Linus Torvalds <torvalds@linux-foundation.org>
57443Date: Sat Apr 13 15:15:30 2013 -0700
57444
57445 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
57446
57447 kobject: fix kset_find_obj() race with concurrent last kobject_put()
57448
57449 Anatol Pomozov identified a race condition that hits module unloading
57450 and re-loading. To quote Anatol:
57451
57452 "This is a race codition that exists between kset_find_obj() and
57453 kobject_put(). kset_find_obj() might return kobject that has refcount
57454 equal to 0 if this kobject is freeing by kobject_put() in other
57455 thread.
57456
57457 Here is timeline for the crash in case if kset_find_obj() searches for
57458 an object tht nobody holds and other thread is doing kobject_put() on
57459 the same kobject:
57460
57461 THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())
57462 splin_lock()
57463 atomic_dec_return(kobj->kref), counter gets zero here
57464 ... starts kobject cleanup ....
57465 spin_lock() // WAIT thread A in kobj_kset_leave()
57466 iterate over kset->list
57467 atomic_inc(kobj->kref) (counter becomes 1)
57468 spin_unlock()
57469 spin_lock() // taken
57470 // it does not know that thread A increased counter so it
57471 remove obj from list
57472 spin_unlock()
57473 vfree(module) // frees module object with containing kobj
57474
57475 // kobj points to freed memory area!!
57476 kobject_put(kobj) // OOPS!!!!
57477
57478 The race above happens because module.c tries to use kset_find_obj()
57479 when somebody unloads module. The module.c code was introduced in
57480 commit 6494a93d55fa"
57481
57482 Anatol supplied a patch specific for module.c that worked around the
57483 problem by simply not using kset_find_obj() at all, but rather than make
57484 a local band-aid, this just fixes kset_find_obj() to be thread-safe
57485 using the proper model of refusing the get a new reference if the
57486 refcount has already dropped to zero.
57487
57488 See examples of this proper refcount handling not only in the kref
57489 documentation, but in various other equivalent uses of this pattern by
57490 grepping for atomic_inc_not_zero().
57491
57492 [ Side note: the module race does indicate that module loading and
57493 unloading is not properly serialized wrt sysfs information using the
57494 module mutex. That may require further thought, but this is the
57495 correct fix at the kobject layer regardless. ]
57496
57497 Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
57498 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
57499 Cc: Al Viro <viro@zeniv.linux.org.uk>
57500 Cc: stable@vger.kernel.org
57501 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
57502
57503 lib/kobject.c | 9 ++++++++-
57504 1 files changed, 8 insertions(+), 1 deletions(-)
57505
57506commit 5277b052b5fab36729e1255fb3b12f47a4b12867
57507Author: Dave Hansen <dave@sr71.net>
57508Date: Fri Apr 12 16:23:54 2013 -0700
57509
57510 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
57511
57512 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
57513
57514 This patch attempts to fix:
57515
57516 https://bugzilla.kernel.org/show_bug.cgi?id=56461
57517
57518 The symptom is a crash and messages like this:
57519
57520 chrome: Corrupted page table at address 34a03000
57521 *pdpt = 0000000000000000 *pde = 0000000000000000
57522 Bad pagetable: 000f [#1] PREEMPT SMP
57523
57524 Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
57525 enable tlb flush range support for x86") since that code started to free
57526 unused pagetables.
57527
57528 On x86-32 PAE kernels, that new code has the potential to free an entire
57529 PMD page and will clear one of the four page-directory-pointer-table
57530 (aka pgd_t entries).
57531
57532 The hardware aggressively "caches" these top-level entries and invlpg
57533 does not actually affect the CPU's copy. If we clear one we *HAVE* to
57534 do a full TLB flush, otherwise we might continue using a freed pmd page.
57535 (note, we do this properly on the population side in pud_populate()).
57536
57537 This patch tracks whenever we clear one of these entries in the 'struct
57538 mmu_gather', and ensures that we follow up with a full tlb flush.
57539
57540 BTW, I disassembled and checked that:
57541
57542 if (tlb->fullmm == 0)
57543 and
57544 if (!tlb->fullmm && !tlb->need_flush_all)
57545
57546 generate essentially the same code, so there should be zero impact there
57547 to the !PAE case.
57548
57549 Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
57550 Cc: Peter Anvin <hpa@zytor.com>
57551 Cc: Ingo Molnar <mingo@kernel.org>
57552 Cc: Artem S Tashkinov <t.artem@mailcity.com>
57553 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
57554
57555 arch/x86/include/asm/tlb.h | 2 +-
57556 arch/x86/mm/pgtable.c | 7 +++++++
57557 include/asm-generic/tlb.h | 7 ++++++-
57558 mm/memory.c | 1 +
57559 4 files changed, 15 insertions(+), 2 deletions(-)
57560
57561commit 521e573fc77d1783c1d4636dfbb4617a922f043d
57562Merge: 032f626 f807619
57563Author: Brad Spengler <spender@grsecurity.net>
57564Date: Fri Apr 12 19:29:34 2013 -0400
57565
57566 Merge branch 'pax-test' into grsec-test
57567
57568commit f80761993b85df96fc142dfc3a317cadc0f8eae5
57569Author: Brad Spengler <spender@grsecurity.net>
57570Date: Fri Apr 12 19:28:21 2013 -0400
57571
57572 Update to pax-linux-3.8.7-test19.patch:
57573 - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
57574 - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
57575 - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
57576
57577 Makefile | 2 +-
57578 arch/x86/xen/enlighten.c | 6 +++---
57579 tools/gcc/structleak_plugin.c | 5 +++--
57580 3 files changed, 7 insertions(+), 6 deletions(-)
57581
57582commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
57583Merge: a3a770e 89886f5
57584Author: Brad Spengler <spender@grsecurity.net>
57585Date: Fri Apr 12 18:38:40 2013 -0400
57586
57587 Merge branch 'pax-test' into grsec-test
57588
57589commit 89886f561cc0d1c42a99624ec8c3704711088155
57590Merge: 9123489 531ec28
57591Author: Brad Spengler <spender@grsecurity.net>
57592Date: Fri Apr 12 18:38:30 2013 -0400
57593
57594 Merge branch 'linux-3.8.y' into pax-test
57595
57596commit a3a770e18578841e4fbe2aa0831a22811b4812cf
57597Author: Brad Spengler <spender@grsecurity.net>
57598Date: Thu Apr 11 20:46:20 2013 -0400
57599
57600 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
57601 Will be fixed with the next PaX patch
57602
57603 This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
57604
57605 security/Kconfig | 2 +-
57606 1 files changed, 1 insertions(+), 1 deletions(-)
57607
57608commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
57609Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
57610Date: Fri Mar 29 10:20:56 2013 -0400
57611
57612 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
57613
57614 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
57615
57616 Occassionaly on a DL380 G4 the guest would crash quite early with this:
57617
57618 (XEN) d244:v0: unhandled page fault (ec=0003)
57619 (XEN) Pagetable walk from ffffffff84dc7000:
57620 (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
57621 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
57622 (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
57623 (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
57624 (XEN) domain_crash_sync called from entry.S
57625 (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
57626 (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
57627 (XEN) CPU: 3
57628 (XEN) RIP: e033:[<ffffffff81263f22>]
57629 (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
57630 (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
57631 (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
57632
57633 The offending code shows it to be a loop writting the value zero
57634 (%rax) in the %rdi (the L4 provided by Xen) register:
57635
57636 0: 44 00 00 add %r8b,(%rax)
57637 3: 31 c0 xor %eax,%eax
57638 5: b9 40 00 00 00 mov $0x40,%ecx
57639 a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
57640 11: 00 00
57641 13: ff c9 dec %ecx
57642 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
57643 18: 48 89 47 08 mov %rax,0x8(%rdi)
57644 1c: 48 89 47 10 mov %rax,0x10(%rdi)
57645
57646 which fails. xen_setup_kernel_pagetable recycles some of the Xen's
57647 page-table entries when it has switched over to its Linux page-tables.
57648
57649 Right before try to clear the page, we make a hypercall to change
57650 it from _RO to _RW and that works (otherwise we would hit an BUG()).
57651 And the _RW flag is set for that page:
57652 (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
57653
57654 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
57655 present (correct), and we tried to write to the page, but a violation
57656 occurred. The one theory is that the the page entries in hardware
57657 (which are cached) are not up to date with what we just set. Especially
57658 as we have just done an CR3 write and flushed the multicalls.
57659
57660 This patch does solve the problem by flusing out the TLB page
57661 entry after changing it from _RO to _RW and we don't hit this
57662 issue anymore.
57663
57664 Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
57665 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
57666 Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
57667 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
57668
57669 arch/x86/xen/mmu.c | 12 ++++++++----
57670 1 files changed, 8 insertions(+), 4 deletions(-)
57671
57672commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
57673Author: Namhyung Kim <namhyung.kim@lge.com>
57674Date: Mon Apr 1 21:46:23 2013 +0900
57675
57676 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
57677
57678 tracing: Fix double free when function profile init failed
57679
57680 On the failure path, stat->start and stat->pages will refer same page.
57681 So it'll attempt to free the same page again and get kernel panic.
57682
57683 Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
57684
57685 Cc: Frederic Weisbecker <fweisbec@gmail.com>
57686 Cc: Namhyung Kim <namhyung.kim@lge.com>
57687 Cc: stable@vger.kernel.org
57688 Signed-off-by: Namhyung Kim <namhyung@kernel.org>
57689 Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
57690
57691 kernel/trace/ftrace.c | 1 -
57692 1 files changed, 0 insertions(+), 1 deletions(-)
57693
57694commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
57695Author: Neil Horman <nhorman@tuxdriver.com>
57696Date: Tue Apr 9 23:19:00 2013 +0000
57697
57698 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
57699
57700 e100: Add dma mapping error check
57701
57702 e100 uses pci_map_single, but fails to check for a dma mapping error after its
57703 use, resulting in a stack trace:
57704
57705 [ 46.656594] ------------[ cut here ]------------
57706 [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
57707 [ 46.657004] Hardware name: To Be Filled By O.E.M.
57708 [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
57709 error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
57710 [ 46.657004] Modules linked in:
57711 [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
57712 snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
57713 e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
57714 k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
57715 sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
57716 drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
57717 sata_promise crc_itu_t
57718 [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
57719 [ 46.657004] Call Trace:
57720 [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
57721 [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
57722 [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
57723 [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
57724 [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
57725 [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
57726 [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
57727 [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
57728 [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
57729 [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
57730 [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
57731 [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
57732 [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
57733 [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
57734 [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
57735 [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
57736 _raw_spin_unlock_irqrestore+0x3b/0x70
57737 [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
57738 [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
57739 [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
57740 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
57741 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
57742 [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
57743 [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
57744 [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
57745 [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
57746 [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
57747 [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
57748 [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
57749 [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
57750 [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
57751 [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
57752 [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
57753 [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
57754 [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
57755 [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
57756 [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
57757 [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
57758 [ 46.657004] Mapped at:
57759 [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
57760 [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
57761 [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
57762 [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
57763 [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
57764
57765 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
57766 dma_mapping_error check in the obvious place
57767
57768 This was reported previously here:
57769 http://article.gmane.org/gmane.linux.network/257893
57770
57771 But nobody stepped up and fixed it.
57772
57773 CC: Josh Boyer <jwboyer@redhat.com>
57774 CC: e1000-devel@lists.sourceforge.net
57775 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
57776 Reported-by: Michal Jaegermann <michal@harddata.com>
57777 Tested-by: Aaron Brown <aaron.f.brown@intel.com>
57778 Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
57779 Signed-off-by: David S. Miller <davem@davemloft.net>
57780
57781 drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
57782 1 files changed, 25 insertions(+), 11 deletions(-)
57783
57784commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
57785Author: Trond Myklebust <Trond.Myklebust@netapp.com>
57786Date: Wed Apr 10 12:44:18 2013 -0400
57787
57788 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
57789
57790 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
57791
57792 Make sure that we set the status to 0 on success. Missed in testing
57793 because it never appears when doing multiple mounts to _different_
57794 servers.
57795
57796 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
57797 Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
57798
57799 fs/nfs/nfs4client.c | 1 +
57800 1 files changed, 1 insertions(+), 0 deletions(-)
57801
57802commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
57803Author: Yuval Mintz <yuvalmin@broadcom.com>
57804Date: Wed Apr 10 13:34:39 2013 +0300
57805
57806 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
57807
57808 bnx2x: Prevent null pointer dereference in AFEX mode
57809
57810 The cnic module is responsible for initializing various bnx2x structs
57811 via callbacks provided by the bnx2x module.
57812 One such struct is the queue object for the FCoE queue.
57813
57814 If a device is working in AFEX mode and its configuration allows FCoE yet
57815 the cnic module is not loaded, it's very likely a null pointer dereference
57816 will occur, as the bnx2x will erroneously access the FCoE's queue object.
57817
57818 Prevent said access until cnic properly registers itself.
57819
57820 Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
57821 Signed-off-by: Ariel Elior <ariele@broadcom.com>
57822 Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
57823 Signed-off-by: David S. Miller <davem@davemloft.net>
57824
57825 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
57826 1 files changed, 2 insertions(+), 1 deletions(-)
57827
57828commit 2908830232725db624aaa052f7ad38d1f98bf541
57829Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
57830Date: Tue Apr 9 14:16:04 2013 +0800
57831
57832 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
57833
57834 can: gw: use kmem_cache_free() instead of kfree()
57835
57836 Memory allocated by kmem_cache_alloc() should be freed using
57837 kmem_cache_free(), not kfree().
57838
57839 Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
57840 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
57841 Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
57842 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
57843
57844 net/can/gw.c | 6 +++---
57845 1 files changed, 3 insertions(+), 3 deletions(-)
57846
57847commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
57848Author: Christoph Paasch <christoph.paasch@uclouvain.be>
57849Date: Sun Apr 7 04:53:15 2013 +0000
57850
57851 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
57852
57853 ipv6/tcp: Stop processing ICMPv6 redirect messages
57854
57855 Tetja Rediske found that if the host receives an ICMPv6 redirect message
57856 after sending a SYN+ACK, the connection will be reset.
57857
57858 He bisected it down to 093d04d (ipv6: Change skb->data before using
57859 icmpv6_notify() to propagate redirect), but the origin of the bug comes
57860 from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
57861 handlers.). The bug simply did not trigger prior to 093d04d, because
57862 skb->data did not point to the inner IP header and thus icmpv6_notify
57863 did not call the correct err_handler.
57864
57865 This patch adds the missing "goto out;" in tcp_v6_err. After receiving
57866 an ICMPv6 Redirect, we should not continue processing the ICMP in
57867 tcp_v6_err, as this may trigger the removal of request-socks or setting
57868 sk_err(_soft).
57869
57870 Reported-by: Tetja Rediske <tetja@tetja.de>
57871 Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
57872 Acked-by: Eric Dumazet <edumazet@google.com>
57873 Signed-off-by: David S. Miller <davem@davemloft.net>
57874
57875 net/ipv6/tcp_ipv6.c | 1 +
57876 1 files changed, 1 insertions(+), 0 deletions(-)
57877
57878commit c7d5c2524456ef3ea9194840e7a9a75069a46824
57879Author: Brad Spengler <spender@grsecurity.net>
57880Date: Wed Apr 10 20:32:54 2013 -0400
57881
57882 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
57883
57884 Makefile | 2 +-
57885 1 files changed, 1 insertions(+), 1 deletions(-)
57886
57887commit acac2380fd97acee4367d2aa24c74322dcf1d22b
57888Author: Trond Myklebust <Trond.Myklebust@netapp.com>
57889Date: Fri Apr 5 16:11:11 2013 -0400
57890
57891 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
57892
57893 NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
57894
57895 It is unsafe to use list_for_each_entry_safe() here, because
57896 when we drop the nn->nfs_client_lock, we pin the _current_ list
57897 entry and ensure that it stays in the list, but we don't do the
57898 same for the _next_ list entry. Use of list_for_each_entry() is
57899 therefore the correct thing to do.
57900
57901 Also fix the refcounting in nfs41_walk_client_list().
57902
57903 Finally, ensure that the nfs_client has finished being initialised
57904 and, in the case of NFSv4.1, that the session is set up.
57905
57906 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
57907 Cc: Chuck Lever <chuck.lever@oracle.com>
57908 Cc: Bryan Schumaker <bjschuma@netapp.com>
57909 Cc: stable@vger.kernel.org [>= 3.7]
57910
57911 fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
57912 1 files changed, 28 insertions(+), 16 deletions(-)
57913
57914commit a6cf5f387b882ac0ce655b75f623f86c075517be
57915Author: Chuck Lever <chuck.lever@oracle.com>
57916Date: Fri Mar 22 12:52:59 2013 -0400
57917
57918 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
57919
57920 SUNRPC: Remove extra xprt_put()
57921
57922 While testing error cases where rpc_new_client() fails, I saw
57923 some oopses.
57924
57925 If rpc_new_client() fails, it already invokes xprt_put(). Thus
57926 __rpc_clone_client() does not need to invoke it again.
57927
57928 Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
57929 Fri Sep 14, 2012.
57930
57931 Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
57932 Cc: stable@vger.kernel.org [>=3.7]
57933 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
57934
57935 net/sunrpc/clnt.c | 4 +---
57936 1 files changed, 1 insertions(+), 3 deletions(-)
57937
57938commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
57939Author: Trond Myklebust <Trond.Myklebust@netapp.com>
57940Date: Fri Apr 5 14:13:21 2013 -0400
57941
57942 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
57943
57944 SUNRPC: Fix a potential memory leak in rpc_new_client
57945
57946 If the call to rpciod_up() fails, we currently leak a reference to the
57947 struct rpc_xprt.
57948 As part of the fix, we also remove the redundant check for xprt!=NULL.
57949 This is already taken care of by the callers.
57950
57951 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
57952
57953 net/sunrpc/clnt.c | 7 ++-----
57954 1 files changed, 2 insertions(+), 5 deletions(-)
57955
57956commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
57957Author: Brad Spengler <spender@grsecurity.net>
57958Date: Wed Apr 10 19:16:05 2013 -0400
57959
57960 From https://lkml.org/lkml/2013/4/8/469:
57961 [PATCH] rtnetlink: call nlmsg_parse() with correct header length
57962
57963 net/core/rtnetlink.c | 4 ++--
57964 1 files changed, 2 insertions(+), 2 deletions(-)
57965
57966commit 9529169b8c405874fd543b785f53c74fa0501c2a
57967Author: Christopher Harvey <charvey@matrox.com>
57968Date: Fri Apr 5 10:51:15 2013 -0400
57969
57970 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
57971
57972 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
57973
57974 This change properly enables the "requester" in G200ER cards that is
57975 responsible for getting pixels out of memory and clocking them out to
57976 the screen.
57977
57978 Signed-off-by: Christopher Harvey <charvey@matrox.com>
57979 Cc: stable@vger.kernel.org
57980 Signed-off-by: Dave Airlie <airlied@redhat.com>
57981
57982 drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
57983 1 files changed, 3 insertions(+), 10 deletions(-)
57984
57985commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
57986Author: Al Viro <viro@zeniv.linux.org.uk>
57987Date: Thu Mar 28 13:30:23 2013 -0400
57988
57989 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
57990
57991 ecryptfs: close rmmod race
57992
57993 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
57994
57995 fs/ecryptfs/miscdev.c | 14 ++------------
57996 1 files changed, 2 insertions(+), 12 deletions(-)
57997
57998commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
57999Author: Brad Spengler <spender@grsecurity.net>
58000Date: Wed Apr 10 19:03:45 2013 -0400
58001
58002 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
58003
58004 arch/ia64/kernel/palinfo.c | 2 +-
58005 1 files changed, 1 insertions(+), 1 deletions(-)
58006
58007commit 83280e384ae3ceadad30369ced111dc7d4b46085
58008Author: Andrey Vagin <avagin@openvz.org>
58009Date: Tue Apr 9 17:33:29 2013 +0400
58010
58011 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
58012
58013 mnt: release locks on error path in do_loopback
58014
58015 do_loopback calls lock_mount(path) and forget to unlock_mount
58016 if clone_mnt or copy_mnt fails.
58017
58018 [ 77.661566] ================================================
58019 [ 77.662939] [ BUG: lock held when returning to user space! ]
58020 [ 77.664104] 3.9.0-rc5+ #17 Not tainted
58021 [ 77.664982] ------------------------------------------------
58022 [ 77.666488] mount/514 is leaving the kernel with locks still held!
58023 [ 77.668027] 2 locks held by mount/514:
58024 [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
58025 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
58026
58027 Signed-off-by: Andrey Vagin <avagin@openvz.org>
58028 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
58029
58030 fs/namespace.c | 2 +-
58031 1 files changed, 1 insertions(+), 1 deletions(-)
58032
58033commit 679e536b9d9536d804f049fe942367a596253e6d
58034Author: Alex Williamson <alex.williamson@redhat.com>
58035Date: Tue Mar 26 11:33:16 2013 -0600
58036
58037 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
58038
58039 vfio-pci: Fix possible integer overflow
58040
58041 The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
58042 of which are unsigned. We attempt to bounds check these, but fail to
58043 account for the case where start is a very large number, allowing
58044 start + count to wrap back into the valid range. Bounds check both
58045 start and start + count.
58046
58047 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
58048 Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
58049
58050 drivers/vfio/pci/vfio_pci.c | 3 ++-
58051 1 files changed, 2 insertions(+), 1 deletions(-)
58052
58053commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
58054Author: Brad Spengler <spender@grsecurity.net>
58055Date: Wed Apr 10 18:48:45 2013 -0400
58056
58057 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
58058
58059 security/Kconfig | 2 +-
58060 1 files changed, 1 insertions(+), 1 deletions(-)
58061
58062commit b5261a6384ee42499b29495aaae40b271e77d394
58063Author: Brad Spengler <spender@grsecurity.net>
58064Date: Tue Apr 9 17:30:45 2013 -0400
58065
58066 some undefined behavior fixups
58067
58068 grsecurity/gracl.c | 4 ++--
58069 grsecurity/gracl_ip.c | 10 +++++-----
58070 grsecurity/gracl_segv.c | 4 ++--
58071 3 files changed, 9 insertions(+), 9 deletions(-)
58072
58073commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
58074Author: Brad Spengler <spender@grsecurity.net>
58075Date: Tue Apr 9 17:28:54 2013 -0400
58076
58077 don't whine about denied ipv6 when it's not enabled
58078
58079 grsecurity/gracl_ip.c | 3 +++
58080 1 files changed, 3 insertions(+), 0 deletions(-)
58081
58082commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
58083Merge: 97bca88 9123489
58084Author: Brad Spengler <spender@grsecurity.net>
58085Date: Tue Apr 9 17:18:45 2013 -0400
58086
58087 Merge branch 'pax-test' into grsec-test
58088
58089commit 9123489428c58668a89f316db6619739cbdd2c2a
58090Author: Brad Spengler <spender@grsecurity.net>
58091Date: Tue Apr 9 17:17:46 2013 -0400
58092
58093 Update to pax-linux-3.8.6-test18.patch:
58094 - new size overflow plugin from Emese to work around a gcc optimization
58095 resulting in an intentional overflow, reported by Carlos Carvalho
58096 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
58097
58098 tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
58099 1 files changed, 66 insertions(+), 2 deletions(-)
58100
58101commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
58102Merge: 675a41e e9d6073
58103Author: Brad Spengler <spender@grsecurity.net>
58104Date: Mon Apr 8 21:32:59 2013 -0400
58105
58106 Merge branch 'pax-test' into grsec-test
58107
58108 Conflicts:
58109 arch/sparc/kernel/us3_cpufreq.c
58110
58111commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
58112Author: Brad Spengler <spender@grsecurity.net>
58113Date: Mon Apr 8 21:19:03 2013 -0400
58114
58115 Update to pax-linux-3.8.6-test17.patch:
58116 - fixed ia64/ppc/sparc compilation by spender
58117 - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
58118
58119 arch/ia64/include/asm/uaccess.h | 2 -
58120 arch/powerpc/include/asm/uaccess.h | 2 -
58121 arch/sparc/include/asm/uaccess.h | 7 ----
58122 arch/sparc/kernel/prom_common.c | 2 +-
58123 arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
58124 tools/gcc/structleak_plugin.c | 15 ++++----
58125 6 files changed, 28 insertions(+), 69 deletions(-)
58126
58127commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
58128Author: Brad Spengler <spender@grsecurity.net>
58129Date: Sun Apr 7 12:00:50 2013 -0400
58130
58131 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
58132
58133 net/socket.c | 2 +-
58134 1 files changed, 1 insertions(+), 1 deletions(-)
58135
58136commit 5a216624a06429488f24ce47db093da042f90e48
58137Author: Brad Spengler <spender@grsecurity.net>
58138Date: Sat Apr 6 13:22:24 2013 -0400
58139
58140 fix typo
58141
58142 arch/sparc/kernel/us3_cpufreq.c | 5 +----
58143 1 files changed, 1 insertions(+), 4 deletions(-)
58144
58145commit e476ca18d21788898cd3acd1b57049971a2fb70f
58146Author: Brad Spengler <spender@grsecurity.net>
58147Date: Sat Apr 6 13:16:13 2013 -0400
58148
58149 properly fix cpufreq_driver for ultrasparc III with constification
58150
58151 arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
58152 1 files changed, 17 insertions(+), 18 deletions(-)
58153
58154commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
58155Author: Brad Spengler <spender@grsecurity.net>
58156Date: Sat Apr 6 12:58:48 2013 -0400
58157
58158 mark prom_sparc_ops __initconst
58159
58160 arch/sparc/kernel/prom_common.c | 2 +-
58161 1 files changed, 1 insertions(+), 1 deletions(-)
58162
58163commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
58164Author: Brad Spengler <spender@grsecurity.net>
58165Date: Sat Apr 6 12:53:16 2013 -0400
58166
58167 fix ia64/powerpc/sparc compilation
58168
58169 arch/ia64/include/asm/uaccess.h | 2 --
58170 arch/powerpc/include/asm/uaccess.h | 2 --
58171 arch/sparc/include/asm/uaccess.h | 7 -------
58172 3 files changed, 0 insertions(+), 11 deletions(-)
58173
58174commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
58175Author: Johannes Berg <johannes.berg@intel.com>
58176Date: Tue Mar 19 20:26:57 2013 +0100
58177
58178 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
58179
58180 cfg80211: fix wdev tracing crash
58181
58182 Arend reported a crash in tracing if the driver returns an
58183 ERR_PTR() value from the add_virtual_intf() callback. This
58184 is due to the tracing then still attempting to dereference
58185 the "pointer", fix this by using IS_ERR_OR_NULL().
58186
58187 Reported-by: Arend van Spriel <arend@broadcom.com>
58188 Tested-by: Arend van Spriel <arend@broadcom.com>
58189 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
58190
58191 net/wireless/trace.h | 3 ++-
58192 1 files changed, 2 insertions(+), 1 deletions(-)
58193
58194commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
58195Author: Johannes Berg <johannes.berg@intel.com>
58196Date: Mon Mar 25 11:51:14 2013 +0100
58197
58198 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
58199
58200 mac80211: fix remain-on-channel cancel crash
58201
58202 If a ROC item is canceled just as it expires, the work
58203 struct may be scheduled while it is running (and waiting
58204 for the mutex). This results in it being run after being
58205 freed, which obviously crashes.
58206
58207 To fix this don't free it when aborting is requested but
58208 instead mark it as "to be freed", which makes the work a
58209 no-op and allows freeing it outside.
58210
58211 Cc: stable@vger.kernel.org [3.6+]
58212 Reported-by: Jouni Malinen <j@w1.fi>
58213 Tested-by: Jouni Malinen <j@w1.fi>
58214 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
58215
58216 net/mac80211/cfg.c | 6 ++++--
58217 net/mac80211/ieee80211_i.h | 3 ++-
58218 net/mac80211/offchannel.c | 23 +++++++++++++++++------
58219 3 files changed, 23 insertions(+), 9 deletions(-)
58220
58221commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
58222Author: Stone Piao <piaoyun@marvell.com>
58223Date: Fri Mar 29 19:21:21 2013 -0700
58224
58225 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
58226
58227 mwifiex: limit channel number not to overflow memory
58228
58229 Limit the channel number in scan request, or the driver scan
58230 config structure memory will be overflowed.
58231
58232 Cc: <stable@vger.kernel.org> # 3.5+
58233 Signed-off-by: Stone Piao <piaoyun@marvell.com>
58234 Signed-off-by: Bing Zhao <bzhao@marvell.com>
58235 Signed-off-by: John W. Linville <linville@tuxdriver.com>
58236
58237 drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
58238 1 files changed, 2 insertions(+), 1 deletions(-)
58239
58240commit 207c411512bdaf0e4271f93ecac6ca26588da36f
58241Author: Gao feng <gaofeng@cn.fujitsu.com>
58242Date: Thu Mar 21 19:48:41 2013 +0000
58243
58244 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
58245
58246 netfilter: reset nf_trace in nf_reset
58247
58248 We forgot to clear the nf_trace of sk_buff in nf_reset,
58249 When we use veth device, this nf_trace information will
58250 be leaked from one net namespace to another net namespace.
58251
58252 Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
58253 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
58254
58255 include/linux/skbuff.h | 3 +++
58256 1 files changed, 3 insertions(+), 0 deletions(-)
58257
58258commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
58259Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
58260Date: Fri Mar 22 01:28:18 2013 +0000
58261
58262 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
58263
58264 netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
58265
58266 Fix to return a negative error code from the error handling
58267 case instead of 0, as returned elsewhere in this function.
58268
58269 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
58270 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
58271
58272 net/netfilter/nfnetlink_queue_core.c | 4 +++-
58273 1 files changed, 3 insertions(+), 1 deletions(-)
58274
58275commit a79feb7d3251eca577d83d7f69eee2b961ab2924
58276Author: Pablo Neira Ayuso <pablo@netfilter.org>
58277Date: Sat Mar 23 16:57:59 2013 +0100
58278
58279 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
58280
58281 netfilter: nfnetlink_acct: return -EINVAL if object name is empty
58282
58283 If user-space tries to create accounting object with an empty
58284 name, then return -EINVAL.
58285
58286 Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
58287 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
58288
58289 net/netfilter/nfnetlink_acct.c | 2 ++
58290 1 files changed, 2 insertions(+), 0 deletions(-)
58291
58292commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
58293Author: Matthias Schiffer <mschiffer@universe-factory.net>
58294Date: Sat Mar 30 10:23:12 2013 +0000
58295
58296 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
58297
58298 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
58299
58300 The bitmask used for the prefix mangling was being calculated
58301 incorrectly, leading to the wrong part of the address being replaced
58302 when the prefix length wasn't a multiple of 32.
58303
58304 Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
58305 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
58306
58307 net/ipv6/netfilter/ip6t_NPT.c | 2 +-
58308 1 files changed, 1 insertions(+), 1 deletions(-)
58309
58310commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
58311Author: Veaceslav Falico <vfalico@redhat.com>
58312Date: Wed Apr 3 05:46:33 2013 +0000
58313
58314 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
58315
58316 bonding: remove sysfs before removing devices
58317
58318 We have a race condition if we try to rmmod bonding and simultaneously add
58319 a bond master through sysfs. In bonding_exit() we first remove the devices
58320 (through rtnl_link_unregister() ) and only after that we remove the sysfs.
58321 If we manage to add a device through sysfs after that the devices were
58322 removed - we'll end up with that device/sysfs structure and with the module
58323 unloaded.
58324
58325 Fix this by first removing the sysfs and only after that calling
58326 rtnl_link_unregister().
58327
58328 Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
58329 Signed-off-by: David S. Miller <davem@davemloft.net>
58330
58331 drivers/net/bonding/bond_main.c | 2 +-
58332 1 files changed, 1 insertions(+), 1 deletions(-)
58333
58334commit d12cae44a9d12441d81c489178803237219d403d
58335Author: Eric W. Biederman <ebiederm@xmission.com>
58336Date: Wed Apr 3 16:14:47 2013 +0000
58337
58338 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
58339
58340 af_unix: If we don't care about credentials coallesce all messages
58341
58342 It was reported that the following LSB test case failed
58343 https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
58344 were not coallescing unix stream messages when the application was
58345 expecting us to.
58346
58347 The problem was that the first send was before the socket was accepted
58348 and thus sock->sk_socket was NULL in maybe_add_creds, and the second
58349 send after the socket was accepted had a non-NULL value for sk->socket
58350 and thus we could tell the credentials were not needed so we did not
58351 bother.
58352
58353 The unnecessary credentials on the first message cause
58354 unix_stream_recvmsg to start verifying that all messages had the same
58355 credentials before coallescing and then the coallescing failed because
58356 the second message had no credentials.
58357
58358 Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
58359 long standing pessimization which would fail to coallesce messages when
58360 reading from a unix stream socket if the senders were different even if
58361 we did not care about their credentials.
58362
58363 I have tested this and verified that the in the LSB test case mentioned
58364 above that the messages do coallesce now, while the were failing to
58365 coallesce without this change.
58366
58367 Reported-by: Karel Srot <ksrot@redhat.com>
58368 Reported-by: Ding Tianhong <dingtianhong@huawei.com>
58369 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
58370 Signed-off-by: David S. Miller <davem@davemloft.net>
58371
58372 net/unix/af_unix.c | 2 +-
58373 1 files changed, 1 insertions(+), 1 deletions(-)
58374
58375commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
58376Author: Eric W. Biederman <ebiederm@xmission.com>
58377Date: Wed Apr 3 16:13:35 2013 +0000
58378
58379 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
58380
58381 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
58382
58383 This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
58384
58385 The problem that the above patch was meant to address is that af_unix
58386 messages are not being coallesced because we are sending unnecesarry
58387 credentials. Not sending credentials in maybe_add_creds totally
58388 breaks unconnected unix domain sockets that wish to send credentails
58389 to other sockets.
58390
58391 In practice this break some versions of udev because they receive a
58392 message and the sending uid is bogus so they drop the message.
58393
58394 Reported-by: Sven Joachim <svenjoac@gmx.de>
58395 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
58396 Signed-off-by: David S. Miller <davem@davemloft.net>
58397
58398 net/unix/af_unix.c | 4 ++--
58399 1 files changed, 2 insertions(+), 2 deletions(-)
58400
58401commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
58402Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
58403Date: Wed Mar 20 21:31:42 2013 +0000
58404
58405 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
58406
58407 lantiq_etop: use free_netdev(netdev) instead of kfree()
58408
58409 Freeing netdev without free_netdev() leads to net, tx leaks.
58410 And it may lead to dereferencing freed pointer.
58411
58412 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
58413 Signed-off-by: David S. Miller <davem@davemloft.net>
58414
58415 drivers/net/ethernet/lantiq_etop.c | 2 +-
58416 1 files changed, 1 insertions(+), 1 deletions(-)
58417
58418commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
58419Author: Cong Wang <amwang@redhat.com>
58420Date: Fri Mar 22 19:14:07 2013 +0000
58421
58422 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
58423
58424 8021q: fix a potential use-after-free
58425
58426 vlan_vid_del() could possibly free ->vlan_info after a RCU grace
58427 period, however, we may still refer to the freed memory area
58428 by 'grp' pointer. Found by code inspection.
58429
58430 This patch moves vlan_vid_del() as behind as possible.
58431
58432 Cc: Patrick McHardy <kaber@trash.net>
58433 Cc: "David S. Miller" <davem@davemloft.net>
58434 Signed-off-by: Cong Wang <amwang@redhat.com>
58435 Acked-by: Eric Dumazet <edumazet@google.com>
58436 Signed-off-by: David S. Miller <davem@davemloft.net>
58437
58438 net/8021q/vlan.c | 7 +++++++
58439 1 files changed, 7 insertions(+), 0 deletions(-)
58440
58441commit fff29c277024a39845d4b535083c8dafc21b45d9
58442Author: Hong zhi guo <honkiko@gmail.com>
58443Date: Sat Mar 23 02:27:50 2013 +0000
58444
58445 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
58446
58447 bridge: fix crash when set mac address of br interface
58448
58449 When I tried to set mac address of a bridge interface to a mac
58450 address which already learned on this bridge, I got system hang.
58451
58452 The cause is straight forward: function br_fdb_change_mac_address
58453 calls fdb_insert with NULL source nbp. Then an fdb lookup is
58454 performed. If an fdb entry is found and it's local, it's OK. But
58455 if it's not local, source is dereferenced for printk without NULL
58456 check.
58457
58458 Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
58459 Signed-off-by: David S. Miller <davem@davemloft.net>
58460
58461 net/bridge/br_fdb.c | 2 +-
58462 1 files changed, 1 insertions(+), 1 deletions(-)
58463
58464commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
58465Author: Kumar Amit Mehta <gmate.amit@gmail.com>
58466Date: Sat Mar 23 20:10:25 2013 +0000
58467
58468 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
58469
58470 bnx2x: fix assignment of signed expression to unsigned variable
58471
58472 fix for incorrect assignment of signed expression to unsigned variable.
58473
58474 Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
58475 Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
58476 Signed-off-by: David S. Miller <davem@davemloft.net>
58477
58478 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
58479 1 files changed, 9 insertions(+), 9 deletions(-)
58480
58481commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
58482Author: dingtianhong <dingtianhong@huawei.com>
58483Date: Mon Mar 25 17:02:04 2013 +0000
58484
58485 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
58486
58487 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
58488
58489 SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
58490 socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
58491 and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
58492
58493 Origionally-authored-by: Karel Srot <ksrot@redhat.com>
58494 Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
58495 Acked-by: Eric Dumazet <edumazet@google.com>
58496 Signed-off-by: David S. Miller <davem@davemloft.net>
58497
58498 net/unix/af_unix.c | 4 ++--
58499 1 files changed, 2 insertions(+), 2 deletions(-)
58500
58501commit b964e1e61f0f0ccaa380be3342f956c604054bdc
58502Author: Eric W. Biederman <ebiederm@xmission.com>
58503Date: Thu Mar 21 02:30:41 2013 -0700
58504
58505 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
58506
58507 yama: Better permission check for ptraceme
58508
58509 Change the permission check for yama_ptrace_ptracee to the standard
58510 ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
58511 in the tracees user namespace.
58512
58513 Reviewed-by: Kees Cook <keescook@chromium.org>
58514 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
58515
58516 security/yama/yama_lsm.c | 4 +---
58517 1 files changed, 1 insertions(+), 3 deletions(-)
58518
58519commit b94e71c7b6abe75989edff18aca2781233fa143b
58520Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
58521Date: Mon Apr 1 11:40:51 2013 +0400
58522
58523 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
58524
58525 ipc: set msg back to -EAGAIN if copy wasn't performed
58526
58527 Make sure that msg pointer is set back to error value in case of
58528 MSG_COPY flag is set and desired message to copy wasn't found. This
58529 garantees that msg is either a error pointer or a copy address.
58530
58531 Otherwise the last message in queue will be freed without unlinking from
58532 the queue (which leads to memory corruption) and the dummy allocated
58533 copy won't be released.
58534
58535 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
58536 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
58537
58538 ipc/msg.c | 1 +
58539 1 files changed, 1 insertions(+), 0 deletions(-)
58540
58541commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
58542Author: Jan Kara <jack@suse.cz>
58543Date: Fri Mar 29 15:39:16 2013 +0100
58544
58545 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
58546
58547 reiserfs: Fix warning and inode leak when deleting inode with xattrs
58548
58549 After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
58550 started failing to delete xattrs from inode. This was due to a buggy
58551 test for '.' and '..' in fill_with_dentries() which resulted in passing
58552 '.' and '..' entries to lookup_one_len() in some cases. That returned
58553 error and so we failed to iterate over all xattrs of and inode.
58554
58555 Fix the test in fill_with_dentries() along the lines of the one in
58556 lookup_one_len().
58557
58558 Reported-by: Pawel Zawora <pzawora@gmail.com>
58559 CC: stable@vger.kernel.org
58560 Signed-off-by: Jan Kara <jack@suse.cz>
58561
58562 fs/reiserfs/xattr.c | 4 ++--
58563 1 files changed, 2 insertions(+), 2 deletions(-)
58564
58565commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
58566Author: Paul Bolle <pebolle@tiscali.nl>
58567Date: Wed Apr 3 12:24:45 2013 +0100
58568
58569 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
58570
58571 ARM: 7690/1: mm: fix CONFIG_LPAE typos
58572
58573 CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
58574 up the two typos under arch/arm/.
58575
58576 The fix to head.S is slightly scary, but this is just for setting up
58577 an early io-mapping for the serial port when running on a big-endian,
58578 LPAE system. Since these systems don't exist in the wild (at least, I
58579 have no access to one outside of kvmtool, which doesn't provide a serial
58580 port suitable for earlyprintk), then we can revisit the code later if it
58581 causes any problems.
58582
58583 Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
58584 Signed-off-by: Will Deacon <will.deacon@arm.com>
58585 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
58586
58587 arch/arm/kernel/head.S | 2 +-
58588 arch/arm/kernel/setup.c | 2 +-
58589 2 files changed, 2 insertions(+), 2 deletions(-)
58590
58591commit 984ba346b2d8f158473e9723ba145031368431ed
58592Author: Catalin Marinas <catalin.marinas@arm.com>
58593Date: Tue Mar 26 23:35:04 2013 +0100
58594
58595 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
58596
58597 ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
58598
58599 On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
58600 all use of the old entries. This patch implements the erratum workaround
58601 which consists of:
58602
58603 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
58604 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
58605 one being invalidated (or all the online CPUs for global pages).
58606 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
58607 return code already).
58608
58609 Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
58610 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
58611
58612 Conflicts:
58613
58614 arch/arm/include/asm/tlbflush.h
58615 arch/arm/kernel/smp_tlb.c
58616 arch/arm/mm/context.c
58617
58618 arch/arm/Kconfig | 10 +++++
58619 arch/arm/include/asm/highmem.h | 7 ++++
58620 arch/arm/include/asm/mmu_context.h | 2 +
58621 arch/arm/include/asm/tlbflush.h | 15 ++++++++
58622 arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
58623 arch/arm/mm/context.c | 6 ++-
58624 6 files changed, 104 insertions(+), 2 deletions(-)
58625
58626commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
58627Author: Jan Stancek <jstancek@redhat.com>
58628Date: Thu Apr 4 11:35:10 2013 -0700
58629
58630 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
58631
58632 mm: prevent mmap_cache race in find_vma()
58633
58634 find_vma() can be called by multiple threads with read lock
58635 held on mm->mmap_sem and any of them can update mm->mmap_cache.
58636 Prevent compiler from re-fetching mm->mmap_cache, because other
58637 readers could update it in the meantime:
58638
58639 thread 1 thread 2
58640 |
58641 find_vma() | find_vma()
58642 struct vm_area_struct *vma = NULL; |
58643 vma = mm->mmap_cache; |
58644 if (!(vma && vma->vm_end > addr |
58645 && vma->vm_start <= addr)) { |
58646 | mm->mmap_cache = vma;
58647 return vma; |
58648 ^^ compiler may optimize this |
58649 local variable out and re-read |
58650 mm->mmap_cache |
58651
58652 This issue can be reproduced with gcc-4.8.0-1 on s390x by running
58653 mallocstress testcase from LTP, which triggers:
58654
58655 kernel BUG at mm/rmap.c:1088!
58656 Call Trace:
58657 ([<000003d100c57000>] 0x3d100c57000)
58658 [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
58659 [<000000000023baae>] handle_pte_fault+0x41a/0xac8
58660 [<000000000023d832>] handle_mm_fault+0x17a/0x268
58661 [<000000000060507a>] do_protection_exception+0x1e2/0x394
58662 [<0000000000603a04>] pgm_check_handler+0x138/0x13c
58663 [<000003fffcf1f07a>] 0x3fffcf1f07a
58664 Last Breaking-Event-Address:
58665 [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
58666
58667 Thanks to Jakub Jelinek for his insight on gcc and helping to
58668 track this down.
58669
58670 Signed-off-by: Jan Stancek <jstancek@redhat.com>
58671 Acked-by: David Rientjes <rientjes@google.com>
58672 Signed-off-by: Hugh Dickins <hughd@google.com>
58673 Cc: stable@vger.kernel.org
58674 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
58675
58676 mm/mmap.c | 2 +-
58677 mm/nommu.c | 2 +-
58678 2 files changed, 2 insertions(+), 2 deletions(-)
58679
58680commit 53f5096daa14967938bc154e6c41f9119863fb36
58681Merge: e988d7c 0a45285
58682Author: Brad Spengler <spender@grsecurity.net>
58683Date: Fri Apr 5 17:32:31 2013 -0400
58684
58685 Merge branch 'pax-test' into grsec-test
58686
58687 Conflicts:
58688 drivers/net/ethernet/broadcom/tg3.c
58689
58690commit 0a452855444d02502df6eb21ef3083cf303f71e1
58691Merge: 0277fa1 00cfbb8
58692Author: Brad Spengler <spender@grsecurity.net>
58693Date: Fri Apr 5 17:31:15 2013 -0400
58694
58695 Update to pax-linux-3.8.6-test16.patch:
58696 - fixed some attribute leakage into userland headers, patch by Mathias Krause
58697 - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
58698
58699 Merge branch 'linux-3.8.y' into pax-test
58700
58701 Conflicts:
58702 drivers/gpu/drm/i915/intel_display.c
58703
58704commit e988d7c8d946c816a2cb97f0d38048a1584966b8
58705Merge: baec40e 0277fa1
58706Author: Brad Spengler <spender@grsecurity.net>
58707Date: Wed Apr 3 22:05:41 2013 -0400
58708
58709 Merge branch 'pax-test' into grsec-test
58710
58711commit 0277fa123b486cf11420967e4568d7653e225fd3
58712Author: Brad Spengler <spender@grsecurity.net>
58713Date: Wed Apr 3 22:04:48 2013 -0400
58714
58715 Update to pax-linux-3.8.5-test15.patch:
58716 - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
58717 - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
58718
58719 drivers/media/pci/cx88/cx88-video.c | 6 +++---
58720 include/net/net_namespace.h | 4 ++++
58721 2 files changed, 7 insertions(+), 3 deletions(-)
58722
58723commit baec40e6708fd5ae2000cad6c70c5980c998b91c
58724Author: Brad Spengler <spender@grsecurity.net>
58725Date: Tue Apr 2 19:50:32 2013 -0400
58726
58727 fix compilation as reported on forums for gcc versions lacking plugin
58728 support
58729
58730 include/net/net_namespace.h | 4 ++++
58731 1 files changed, 4 insertions(+), 0 deletions(-)
58732
58733commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
58734Merge: 6b69c35 0db9d15
58735Author: Brad Spengler <spender@grsecurity.net>
58736Date: Tue Apr 2 17:47:27 2013 -0400
58737
58738 Merge branch 'pax-test' into grsec-test
58739
58740commit 0db9d156826bdd50510086fde837648a3dfd370e
58741Author: Brad Spengler <spender@grsecurity.net>
58742Date: Tue Apr 2 17:46:05 2013 -0400
58743
58744 Update to pax-linux-3.8.5-test14.patch:
58745 - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
58746
58747 arch/x86/include/asm/uaccess_64.h | 6 +-
58748 include/linux/moduleloader.h | 4 +-
58749 tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
58750 3 files changed, 61 insertions(+), 47 deletions(-)
58751
58752commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
58753Author: Brad Spengler <spender@grsecurity.net>
58754Date: Tue Apr 2 17:35:06 2013 -0400
58755
58756 remove duplicate compiler.h
58757
58758 include/linux/sysrq.h | 1 -
58759 1 files changed, 0 insertions(+), 1 deletions(-)
58760
58761commit 01e1d503fd2220adaaec0b92ea19441bdff73555
58762Author: Brad Spengler <spender@grsecurity.net>
58763Date: Fri Mar 29 19:53:50 2013 -0400
58764
58765 fix intentional_overflow marking on sys_sendto
58766
58767 include/linux/syscalls.h | 2 +-
58768 net/socket.c | 2 +-
58769 2 files changed, 2 insertions(+), 2 deletions(-)
58770
58771commit cd5ff114d958470f471c63775278e8c05e774630
58772Author: Brad Spengler <spender@grsecurity.net>
58773Date: Fri Mar 29 18:46:16 2013 -0400
58774
58775 fix size_overflow false positive
58776
58777 kernel/futex_compat.c | 2 +-
58778 1 files changed, 1 insertions(+), 1 deletions(-)
58779
58780commit 295ba16cc53df2375261accbedd6575ea327770a
58781Merge: 18340f1 278a989
58782Author: Brad Spengler <spender@grsecurity.net>
58783Date: Fri Mar 29 17:36:18 2013 -0400
58784
58785 Merge branch 'pax-test' into grsec-test
58786
58787 Conflicts:
58788 fs/exec.c
58789 include/linux/thread_info.h
58790
58791commit 278a989c831d62193c7b3d119fe2302babd45d12
58792Author: Brad Spengler <spender@grsecurity.net>
58793Date: Fri Mar 29 17:34:34 2013 -0400
58794
58795 Resync with pax-linux-3.8.5-test13.patch
58796
58797 arch/arm/include/asm/pgtable.h | 3 ++-
58798 arch/arm/lib/delay.c | 1 +
58799 fs/exec.c | 8 ++++----
58800 include/linux/compiler.h | 1 +
58801 include/linux/proc_fs.h | 2 +-
58802 include/linux/thread_info.h | 6 +++---
58803 include/linux/zlib.h | 3 ++-
58804 init/main.c | 4 ++--
58805 kernel/user_namespace.c | 2 +-
58806 lib/list_debug.c | 4 ++--
58807 mm/slab.c | 1 +
58808 mm/slob.c | 1 +
58809 mm/slub.c | 1 +
58810 net/core/sysctl_net_core.c | 3 +--
58811 tools/gcc/constify_plugin.c | 1 +
58812 15 files changed, 24 insertions(+), 17 deletions(-)
58813
58814commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
58815Merge: 05f01ae e8cfeae
58816Author: Brad Spengler <spender@grsecurity.net>
58817Date: Fri Mar 29 17:30:57 2013 -0400
58818
58819 Merge branch 'pax-test' into grsec-test
58820
58821commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
58822Merge: b461cb7 aa4cfde
58823Author: Brad Spengler <spender@grsecurity.net>
58824Date: Fri Mar 29 17:30:44 2013 -0400
58825
58826 Merge branch 'linux-3.8.y' into pax-test
58827
58828 Conflicts:
58829 drivers/gpu/drm/i915/i915_gem_execbuffer.c
58830 fs/nfsd/vfs.c
58831
58832commit 05f01ae4c3479541586a2387f916a6620889c479
58833Author: Brad Spengler <spender@grsecurity.net>
58834Date: Fri Mar 29 17:05:39 2013 -0400
58835
58836 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
58837 takes user-provided length, copies up to that amount in a sockaddr_storage
58838 struct on the stack, then takes an upper-bounded-only user-provided length
58839 and copies the sockaddr_storage struct back out to userland, complete with
58840 uninitialized data
58841
58842 net/socket.c | 2 +-
58843 1 files changed, 1 insertions(+), 1 deletions(-)
58844
58845commit eea6ade59490784e83e08ec67322288fcf14cb31
58846Author: Brad Spengler <spender@grsecurity.net>
58847Date: Thu Mar 28 23:07:37 2013 -0400
58848
58849 return a proper error, otherwise we could be accessing uninitialized data
58850 (previous define was a positive value)
58851
58852 drivers/usb/storage/realtek_cr.c | 2 +-
58853 1 files changed, 1 insertions(+), 1 deletions(-)
58854
58855commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
58856Merge: c3dc9a6 b461cb7
58857Author: Brad Spengler <spender@grsecurity.net>
58858Date: Thu Mar 28 20:54:24 2013 -0400
58859
58860 Merge branch 'pax-test' into grsec-test
58861
58862commit b461cb7b1d85490430ef7896c247794af72c3749
58863Author: Brad Spengler <spender@grsecurity.net>
58864Date: Thu Mar 28 20:54:11 2013 -0400
58865
58866 Add structleak plugin
58867
58868 tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
58869 1 files changed, 270 insertions(+), 0 deletions(-)
58870
58871commit c3dc9a6ef10782894bb11fd088fd712db44d8062
58872Author: Brad Spengler <spender@grsecurity.net>
58873Date: Thu Mar 28 20:53:22 2013 -0400
58874
58875 Enable structleak by default for the security auto-config
58876
58877 security/Kconfig | 11 +++++++----
58878 1 files changed, 7 insertions(+), 4 deletions(-)
58879
58880commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
58881Merge: d8503a3 74bec16
58882Author: Brad Spengler <spender@grsecurity.net>
58883Date: Thu Mar 28 20:47:10 2013 -0400
58884
58885 Merge branch 'pax-test' into grsec-test
58886
58887commit 74bec16b657147a5575b1f14f4423a717ba317a6
58888Author: Brad Spengler <spender@grsecurity.net>
58889Date: Thu Mar 28 20:46:13 2013 -0400
58890
58891 Update to pax-linux-3.8.4-test13.patch:
58892 - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
58893 - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
58894
58895 Makefile | 5 +++-
58896 arch/x86/include/asm/compat.h | 2 +-
58897 arch/x86/mm/fault.c | 3 +-
58898 fs/binfmt_elf.c | 2 +-
58899 include/linux/compiler.h | 42 ++++++++++++++--------------------------
58900 security/Kconfig | 16 +++++++++++++++
58901 tools/gcc/Makefile | 2 +
58902 tools/gcc/constify_plugin.c | 7 +++++-
58903 8 files changed, 47 insertions(+), 32 deletions(-)
58904
58905commit d8503a3a35d68b9ba1615d29335aef3f70d51465
58906Author: Brad Spengler <spender@grsecurity.net>
58907Date: Thu Mar 28 20:02:40 2013 -0400
58908
58909 Fix 8-byte stack infoleak in ia32_rt_sigpending
58910 User controls length, kernel only performs check on the upper bound, will
58911 fill in any amount less than sizeof(sigset_t) via a copy_to_user under
58912 KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
58913 regardless of whether the sigset_t content copied into it has been initialized
58914 or not
58915
58916 arch/x86/ia32/sys_ia32.c | 2 +-
58917 1 files changed, 1 insertions(+), 1 deletions(-)
58918
58919commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
58920Author: Brad Spengler <spender@grsecurity.net>
58921Date: Tue Mar 26 21:05:05 2013 -0400
58922
58923 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
58924 Author: J. Bruce Fields <bfields@redhat.com>
58925 Date: Tue Mar 26 14:11:13 2013 -0400
58926
58927 nfsd4: reject "negative" acl lengths
58928
58929 Since we only enforce an upper bound, not a lower bound, a "negative"
58930 length can get through here.
58931
58932 The symptom seen was a warning when we attempt to a kmalloc with an
58933 excessive size.
58934
58935 Reported-by: Toralf Förster <toralf.foerster@gmx.de>
58936 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
58937
58938 fs/nfsd/nfs4xdr.c | 2 +-
58939 1 files changed, 1 insertions(+), 1 deletions(-)
58940
58941commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
58942Author: Jeff Layton <jlayton@redhat.com>
58943Date: Mon Mar 11 09:52:19 2013 -0400
58944
58945 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
58946
58947 cifs: ignore everything in SPNEGO blob after mechTypes
58948
58949 We've had several reports of people attempting to mount Windows 8 shares
58950 and getting failures with a return code of -EINVAL. The default sec=
58951 mode changed recently to sec=ntlmssp. With that, we expect and parse a
58952 SPNEGO blob from the server in the NEGOTIATE reply.
58953
58954 The current decode_negTokenInit function first parses all of the
58955 mechTypes and then tries to parse the rest of the negTokenInit reply.
58956 The parser however currently expects a mechListMIC or nothing to follow the
58957 mechTypes, but Windows 8 puts a mechToken field there instead to carry
58958 some info for the new NegoEx stuff.
58959
58960 In practice, we don't do anything with the fields after the mechTypes
58961 anyway so I don't see any real benefit in continuing to parse them.
58962 This patch just has the kernel ignore the fields after the mechTypes.
58963 We'll probably need to reinstate some of this if we ever want to support
58964 NegoEx.
58965
58966 Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
58967 Reported-by: Yan Li <elliot.li.tech@gmail.com>
58968 Signed-off-by: Jeff Layton <jlayton@redhat.com>
58969 Cc: <stable@vger.kernel.org>
58970 Signed-off-by: Steve French <sfrench@us.ibm.com>
58971
58972 fs/cifs/asn1.c | 53 +++++------------------------------------------------
58973 1 files changed, 5 insertions(+), 48 deletions(-)
58974
58975commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
58976Merge: 93ff726 0deb54c
58977Author: Brad Spengler <spender@grsecurity.net>
58978Date: Mon Mar 25 18:35:15 2013 -0400
58979
58980 Merge branch 'pax-test' into grsec-test
58981
58982commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
58983Author: Brad Spengler <spender@grsecurity.net>
58984Date: Mon Mar 25 18:35:05 2013 -0400
58985
58986 fix typo
58987
58988 arch/x86/mm/ioremap.c | 2 +-
58989 1 files changed, 1 insertions(+), 1 deletions(-)
58990
58991commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
58992Merge: be9f8b8 f95e53a
58993Author: Brad Spengler <spender@grsecurity.net>
58994Date: Mon Mar 25 18:30:06 2013 -0400
58995
58996 Merge branch 'pax-test' into grsec-test
58997
58998commit f95e53abadb6e4665866e4502ff9f518514193e1
58999Author: Brad Spengler <spender@grsecurity.net>
59000Date: Mon Mar 25 18:29:25 2013 -0400
59001
59002 Update to pax-linux-3.8.4-test12.patch:
59003
59004 - fixed perf compilation reported by Michael Tremer
59005 - fixed USERCOPY reports triggered by SCTP, reported by mcp
59006 - last fix for aslr gap accounting, promise (thanks to spender)
59007
59008 arch/x86/mm/ioremap.c | 3 +++
59009 fs/binfmt_elf.c | 5 ++---
59010 mm/mmap.c | 2 +-
59011 net/sctp/socket.c | 19 +++++++++++++++----
59012 tools/perf/util/include/linux/compiler.h | 8 ++++++++
59013 5 files changed, 29 insertions(+), 8 deletions(-)
59014
59015commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
59016Author: Brad Spengler <spender@grsecurity.net>
59017Date: Mon Mar 25 16:48:34 2013 -0400
59018
59019 From: Al Viro <viro@ZenIV.linux.org.uk>
59020 To: Brad Spengler <spender@grsecurity.net>
59021 Cc: Linus Torvalds <torvalds@linux-foundation.org>
59022
59023 Umm... I see what you are describing, and AFAICS you are correct; let me
59024 see if I am misreading your analysis:
59025 * vfsmount_lock may act fair; A holding it shared, with B spinning
59026 on attempt to take it exclusive may lead to C spinning on attempt to take
59027 it shared.
59028 * path_is_under() tries get rename_lock while holding vfsmount_lock
59029 shared.
59030 * d_path() et.al. try to take vfsmount_lock shared, while holding
59031 rename_lock.
59032
59033 All true and yes, it's a bug (I'd probably classify it as a livelock, but
59034 that doesn't make any real difference). There are three possible solutions,
59035 AFAICS:
59036 1) two-liner in path_is_under() replacing the use of vfsmount_lock
59037 with that of namespace_sem; trivial, but results in function unexpectedly
59038 blocking. The current callers are fine with that, but it's a trouble
59039 waiting to happen.
59040 2) replace write_seqlock() in prepend_path() callers with
59041 read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
59042 is_subdir() we need more than just ->d_parent not pointing to something
59043 freed - we also care about ->d_name.len being in sync with ->d_name.name.
59044 It probably can be worked around, but...
59045
59046 3) declare that rename_lock nests inside vfsmount_lock and let
59047 the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
59048 that one...
59049
59050 Nest rename_lock inside vfsmount_lock
59051
59052 ... lest we get livelocks between path_is_under() and d_path() and friends.
59053
59054 [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
59055 the issue ]
59056
59057 Spotted-by: Brad Spengler <spender@grsecurity.net>
59058 Cc: stable@vger.kernel.org
59059 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
59060
59061 fs/dcache.c | 16 +++++++++++-----
59062 grsecurity/gracl.c | 20 ++++++++++----------
59063 2 files changed, 21 insertions(+), 15 deletions(-)
59064
59065commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
59066Author: Linus Torvalds <torvalds@linux-foundation.org>
59067Date: Fri Mar 22 11:44:04 2013 -0700
59068
59069 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
59070
59071 vfs,proc: guarantee unique inodes in /proc
59072
59073 Dave Jones found another /proc issue with his Trinity tool: thanks to
59074 the namespace model, we can have multiple /proc dentries that point to
59075 the same inode, aliasing directories in /proc/<pid>/net/ for example.
59076
59077 This ends up being a total disaster, because it acts like hardlinked
59078 directories, and causes locking problems. We rely on the topological
59079 sort of the inodes pointed to by dentries, and if we have aliased
59080 directories, that odering becomes unreliable.
59081
59082 In short: don't do this. Multiple dentries with the same (directory)
59083 inode is just a bad idea, and the namespace code should never have
59084 exposed things this way. But we're kind of stuck with it.
59085
59086 This solves things by just always allocating a new inode during /proc
59087 dentry lookup, instead of using "iget_locked()" to look up existing
59088 inodes by superblock and number. That actually simplies the code a bit,
59089 at the cost of potentially doing more inode [de]allocations.
59090
59091 That said, the inode lookup wasn't free either (and did a lot of locking
59092 of inodes), so it is probably not that noticeable. We could easily keep
59093 the old lookup model for non-directory entries, but rather than try to
59094 be excessively clever this just implements the minimal and simplest
59095 workaround for the problem.
59096
59097 Reported-and-tested-by: Dave Jones <davej@redhat.com>
59098 Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
59099 Cc: stable@vger.kernel.org
59100 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
59101
59102 Conflicts:
59103
59104 fs/proc/inode.c
59105
59106 fs/proc/inode.c | 9 +++------
59107 1 files changed, 3 insertions(+), 6 deletions(-)
59108
59109commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
59110Author: Vladimir Davydov <vdavydov@parallels.com>
59111Date: Fri Mar 22 15:04:51 2013 -0700
59112
59113 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
59114
59115 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
59116
59117 mnt_drop_write() must be called only if mnt_want_write() succeeded,
59118 otherwise the mnt_writers counter will diverge.
59119
59120 mnt_writers counters are used to check if remounting FS as read-only is
59121 OK, so after an extra mnt_drop_write() call, it would be impossible to
59122 remount mqueue FS as read-only. Besides, on umount a warning would be
59123 printed like this one:
59124
59125 =====================================
59126 [ BUG: bad unlock balance detected! ]
59127 3.9.0-rc3 #5 Not tainted
59128 -------------------------------------
59129 a.out/12486 is trying to release lock (sb_writers) at:
59130 mnt_drop_write+0x1f/0x30
59131 but there are no more locks to release!
59132
59133 Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
59134 Cc: Doug Ledford <dledford@redhat.com>
59135 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
59136 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
59137 Cc: Al Viro <viro@zeniv.linux.org.uk>
59138 Cc: <stable@vger.kernel.org>
59139 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
59140 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
59141
59142 ipc/mqueue.c | 3 ++-
59143 1 files changed, 2 insertions(+), 1 deletions(-)
59144
59145commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
59146Author: Brad Spengler <spender@grsecurity.net>
59147Date: Sat Mar 23 13:02:32 2013 -0400
59148
59149 Don't use constify plugin if not enabled in config,
59150 reported by Alexey Vlasov
59151
59152 Makefile | 2 +-
59153 1 files changed, 1 insertions(+), 1 deletions(-)
59154
59155commit 3afb82e020593249ac394e9859397c3e0ef5341c
59156Author: Brad Spengler <spender@grsecurity.net>
59157Date: Sat Mar 23 12:50:13 2013 -0400
59158
59159 oded 0day #2
59160 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
59161 slide 20
59162
59163 drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
59164 1 files changed, 4 insertions(+), 2 deletions(-)
59165
59166commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
59167Author: Brad Spengler <spender@grsecurity.net>
59168Date: Sat Mar 23 12:15:50 2013 -0400
59169
59170 oded 0day #1
59171 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
59172 slide 18
59173
59174 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
59175 1 files changed, 1 insertions(+), 1 deletions(-)
59176
59177commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
59178Author: Brad Spengler <spender@grsecurity.net>
59179Date: Sat Mar 23 12:13:12 2013 -0400
59180
59181 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
59182
59183 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
59184 1 files changed, 1 insertions(+), 1 deletions(-)
59185
59186commit 44cb11a9470f72157601d0ad4d572d111f90f504
59187Author: Brad Spengler <spender@grsecurity.net>
59188Date: Fri Mar 22 18:11:42 2013 -0400
59189
59190 use VM_DONTDUMP
59191
59192 fs/binfmt_elf.c | 2 +-
59193 1 files changed, 1 insertions(+), 1 deletions(-)
59194
59195commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
59196Author: Brad Spengler <spender@grsecurity.net>
59197Date: Fri Mar 22 17:53:09 2013 -0400
59198
59199 fix recent RLIMIT_AS changes (due to vm_flags typo)
59200
59201 Conflicts:
59202
59203 fs/binfmt_elf.c
59204
59205 fs/binfmt_elf.c | 2 +-
59206 mm/mmap.c | 2 +-
59207 2 files changed, 2 insertions(+), 2 deletions(-)
59208
59209commit fd5f0d92b0fbec02029dad124501a9c80e527a32
59210Author: Brad Spengler <spender@grsecurity.net>
59211Date: Fri Mar 22 17:08:48 2013 -0400
59212
59213 complete_walk drops rcu-walk mode, no need for our own dropping
59214 method outside of generic_permission
59215
59216 fs/namei.c | 30 ------------------------------
59217 1 files changed, 0 insertions(+), 30 deletions(-)
59218
59219commit b49ab1c73edb6442eec609b26bba4d850b3111b6
59220Merge: 5e9a707 783ade9
59221Author: Brad Spengler <spender@grsecurity.net>
59222Date: Thu Mar 21 21:56:28 2013 -0400
59223
59224 Merge branch 'pax-test' into grsec-test
59225
59226commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
59227Author: Brad Spengler <spender@grsecurity.net>
59228Date: Thu Mar 21 21:55:31 2013 -0400
59229
59230 Update to pax-linux-3.8.3-test11.patch:
59231 - rewrote the ASLR gap accounting code once again
59232 - fixed ptrace compat bug found by the size overflow plugin
59233
59234 fs/binfmt_elf.c | 25 ++++++++++++-------------
59235 fs/exec.c | 7 ++-----
59236 include/linux/compat.h | 2 +-
59237 include/linux/mm.h | 5 +++++
59238 include/linux/mm_types.h | 2 +-
59239 kernel/ptrace.c | 2 +-
59240 mm/mmap.c | 15 ++++++++++-----
59241 7 files changed, 32 insertions(+), 26 deletions(-)
59242
59243commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
59244Author: Brad Spengler <spender@grsecurity.net>
59245Date: Thu Mar 21 19:37:33 2013 -0400
59246
59247 Make the constify plugin usage actually depend on the introduced config option
59248 (it was still forced on)
59249
59250 tools/gcc/Makefile | 2 +-
59251 1 files changed, 1 insertions(+), 1 deletions(-)
59252
59253commit 1974b4f58d9d729c80ac1987785446115304a54c
59254Author: Brad Spengler <spender@grsecurity.net>
59255Date: Thu Mar 21 16:12:38 2013 -0400
59256
59257 fix failed merge
59258
59259 arch/arm/mm/fault.c | 15 +++------------
59260 1 files changed, 3 insertions(+), 12 deletions(-)
59261
59262commit 675a8ab4a8fe8315df348735a37a302a7535224c
59263Author: Brad Spengler <spender@grsecurity.net>
59264Date: Wed Mar 20 23:36:14 2013 -0400
59265
59266 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
59267 From: Kees Cook <keescook@chromium.org>
59268 Date: Sun, 10 Mar 2013 20:09:31 +0000
59269 Subject: drm/i915: bounds check execbuffer relocation count
59270
59271 It is possible to wrap the counter used to allocate the buffer for
59272 relocation copies. This could lead to heap writing overflows.
59273
59274 CVE-2013-0913
59275
59276 Signed-off-by: Kees Cook <keescook@chromium.org>
59277 Reported-by: Pinkie Pie
59278 Cc: stable@vger.kernel.org
59279
59280 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
59281 1 files changed, 8 insertions(+), 3 deletions(-)
59282
59283commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
59284Author: Andy Honig <ahonig@google.com>
59285Date: Wed Feb 20 14:48:10 2013 -0800
59286
59287 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
59288
59289 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
59290
59291 There is a potential use after free issue with the handling of
59292 MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
59293 memory such as frame buffers then KVM might continue to write to that
59294 address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
59295 the page in memory so it's unlikely to cause an issue, but if the user
59296 space component re-purposes the memory previously used for the guest, then
59297 the guest will be able to corrupt that memory.
59298
59299 Tested: Tested against kvmclock unit test
59300
59301 Signed-off-by: Andrew Honig <ahonig@google.com>
59302 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
59303
59304 arch/x86/include/asm/kvm_host.h | 4 +-
59305 arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
59306 2 files changed, 22 insertions(+), 29 deletions(-)
59307
59308commit 0bcac31b57c381001feb69fd6ec8069e61e03432
59309Author: Andy Honig <ahonig@google.com>
59310Date: Mon Mar 11 09:34:52 2013 -0700
59311
59312 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
59313
59314 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
59315
59316 If the guest sets the GPA of the time_page so that the request to update the
59317 time straddles a page then KVM will write onto an incorrect page. The
59318 write is done byusing kmap atomic to get a pointer to the page for the time
59319 structure and then performing a memcpy to that page starting at an offset
59320 that the guest controls. Well behaved guests always provide a 32-byte aligned
59321 address, however a malicious guest could use this to corrupt host kernel
59322 memory.
59323
59324 Tested: Tested against kvmclock unit test.
59325
59326 Signed-off-by: Andrew Honig <ahonig@google.com>
59327 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
59328
59329 arch/x86/kvm/x86.c | 5 +++++
59330 1 files changed, 5 insertions(+), 0 deletions(-)
59331
59332commit 695c59887e4ec10b0b695ab4f645d1226c433be0
59333Author: Andy Honig <ahonig@google.com>
59334Date: Wed Feb 20 14:49:16 2013 -0800
59335
59336 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
59337
59338 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
59339
59340 If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
59341 that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
59342 that request. ioapic_read_indirect contains an
59343 ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
59344 non-debug builds. In recent kernels this allows a guest to cause a kernel
59345 oops by reading invalid memory. In older kernels (pre-3.3) this allows a
59346 guest to read from large ranges of host memory.
59347
59348 Tested: tested against apic unit tests.
59349
59350 Signed-off-by: Andrew Honig <ahonig@google.com>
59351 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
59352
59353 virt/kvm/ioapic.c | 7 +++++--
59354 1 files changed, 5 insertions(+), 2 deletions(-)
59355
59356commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
59357Merge: aec3cd4 c522e3a
59358Author: Brad Spengler <spender@grsecurity.net>
59359Date: Wed Mar 20 19:38:25 2013 -0400
59360
59361 Merge branch 'pax-test' into grsec-test
59362
59363commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
59364Merge: c57d855 405acc3
59365Author: Brad Spengler <spender@grsecurity.net>
59366Date: Wed Mar 20 19:38:11 2013 -0400
59367
59368 Merge branch 'linux-3.8.y' into pax-test
59369
59370commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
59371Author: Brad Spengler <spender@grsecurity.net>
59372Date: Tue Mar 19 19:56:04 2013 -0400
59373
59374 include linux/compiler.h
59375
59376 include/linux/zlib.h | 1 +
59377 1 files changed, 1 insertions(+), 0 deletions(-)
59378
59379commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
59380Author: Brad Spengler <spender@grsecurity.net>
59381Date: Tue Mar 19 18:42:20 2013 -0400
59382
59383 fix missing sock_release()
59384
59385 net/irda/af_irda.c | 6 ++++--
59386 1 files changed, 4 insertions(+), 2 deletions(-)
59387
59388commit dd65c05cd24faf8946d4941434a553ee285c35a3
59389Author: Brad Spengler <spender@grsecurity.net>
59390Date: Tue Mar 19 18:36:17 2013 -0400
59391
59392 fix mpt fusion infoleak
59393
59394 drivers/message/fusion/mptbase.c | 4 ++++
59395 1 files changed, 4 insertions(+), 0 deletions(-)
59396
59397commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
59398Author: Brad Spengler <spender@grsecurity.net>
59399Date: Tue Mar 19 18:33:45 2013 -0400
59400
59401 Fix size_overflow false positive reported by slashbeast
59402
59403 include/linux/zlib.h | 2 +-
59404 1 files changed, 1 insertions(+), 1 deletions(-)
59405
59406commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
59407Author: Brad Spengler <spender@grsecurity.net>
59408Date: Tue Mar 19 17:35:36 2013 -0400
59409
59410 fix up failed merge
59411
59412 arch/arm/mm/fault.c | 9 ++-------
59413 1 files changed, 2 insertions(+), 7 deletions(-)
59414
59415commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
59416Author: Brad Spengler <spender@grsecurity.net>
59417Date: Tue Mar 19 17:34:36 2013 -0400
59418
59419 update documentation on consequences of building without gcc plugin support
59420
59421 Makefile | 2 +-
59422 1 files changed, 1 insertions(+), 1 deletions(-)
59423
59424commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
59425Author: Brad Spengler <spender@grsecurity.net>
59426Date: Tue Mar 19 17:18:13 2013 -0400
59427
59428 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
59429
59430 init/main.c | 4 ++--
59431 1 files changed, 2 insertions(+), 2 deletions(-)
59432
59433commit f00195c633f91cfbd8c1f530d2c371b713026e20
59434Author: Brad Spengler <spender@grsecurity.net>
59435Date: Mon Mar 18 22:27:33 2013 -0400
59436
59437 Fix compile error reported by KDE on the forums
59438
59439 kernel/user_namespace.c | 2 +-
59440 1 files changed, 1 insertions(+), 1 deletions(-)
59441
59442commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
59443Merge: 0949569 c57d855
59444Author: Brad Spengler <spender@grsecurity.net>
59445Date: Mon Mar 18 22:20:46 2013 -0400
59446
59447 Merge branch 'pax-test' into grsec-test
59448
59449 Conflicts:
59450 arch/arm/mm/fault.c
59451 arch/x86/mm/fault.c
59452 fs/exec.c
59453
59454commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
59455Author: Brad Spengler <spender@grsecurity.net>
59456Date: Mon Mar 18 21:22:03 2013 -0400
59457
59458 Update to pax-linux-3.8.2-test9.patch:
59459 arm changes from spender
59460 - removed userland access to the vectors page
59461 - removed obsolete sigreturn trampoline handling
59462 - added emulation for __kuser_get_tls
59463 - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
59464 - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
59465 - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
59466 - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
59467 - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
59468 - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
59469 and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
59470
59471 arch/arm/kernel/process.c | 5 +-
59472 arch/arm/kernel/signal.c | 24 +-
59473 arch/arm/kernel/traps.c | 7 -
59474 arch/arm/mm/alignment.c | 8 +
59475 arch/arm/mm/fault.c | 23 +-
59476 arch/arm/mm/mmu.c | 2 +-
59477 arch/x86/include/asm/bitops.h | 2 +-
59478 arch/x86/include/asm/desc.h | 2 +-
59479 arch/x86/include/asm/div64.h | 2 +-
59480 arch/x86/include/asm/io.h | 8 +-
59481 arch/x86/include/asm/paravirt.h | 2 +-
59482 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
59483 arch/x86/kernel/setup_percpu.c | 2 +-
59484 arch/x86/mm/fault.c | 4 +-
59485 arch/x86/mm/numa.c | 2 +-
59486 arch/x86/mm/physaddr.c | 4 +-
59487 drivers/ata/libahci.c | 2 +-
59488 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
59489 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
59490 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
59491 drivers/lguest/page_tables.c | 2 +-
59492 drivers/net/wireless/at76c50x-usb.c | 2 +-
59493 drivers/oprofile/oprofile_files.c | 2 +-
59494 drivers/power/power_supply_core.c | 1 +
59495 drivers/usb/core/message.c | 2 +-
59496 fs/befs/endian.h | 4 +-
59497 fs/binfmt_elf.c | 5 +-
59498 fs/exec.c | 4 +-
59499 fs/qnx6/qnx6.h | 4 +-
59500 fs/sysv/sysv.h | 2 +-
59501 fs/ubifs/io.c | 2 +-
59502 fs/ufs/swab.h | 4 +-
59503 include/linux/compat.h | 4 +-
59504 include/linux/completion.h | 6 +-
59505 include/linux/cpumask.h | 12 +-
59506 include/linux/ctype.h | 2 +-
59507 include/linux/err.h | 4 +-
59508 include/linux/math64.h | 6 +-
59509 include/linux/sched.h | 2 +-
59510 include/linux/unaligned/access_ok.h | 12 +-
59511 include/linux/usb.h | 2 +-
59512 include/uapi/linux/byteorder/little_endian.h | 4 +-
59513 include/uapi/linux/swab.h | 6 +-
59514 kernel/sched/core.c | 6 +-
59515 kernel/signal.c | 3 +
59516 kernel/time.c | 2 +-
59517 kernel/timer.c | 2 +-
59518 lib/div64.c | 4 +-
59519 mm/page-writeback.c | 2 +-
59520 net/socket.c | 2 +
59521 scripts/package/builddeb | 1 +
59522 tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
59523 tools/gcc/size_overflow_plugin.c | 1072 ++--
59524 53 files changed, 6227 insertions(+), 3951 deletions(-)
59525
59526commit 09495691bb31f11ec14d9127429f9a0f3f716f22
59527Author: Brad Spengler <spender@grsecurity.net>
59528Date: Sun Mar 17 20:51:50 2013 -0400
59529
59530 fix typo
59531
59532 grsecurity/gracl.c | 2 +-
59533 1 files changed, 1 insertions(+), 1 deletions(-)
59534
59535commit deb85b00d0f9f886e264e116313f298401ec5c59
59536Author: Brad Spengler <spender@grsecurity.net>
59537Date: Sun Mar 17 20:03:33 2013 -0400
59538
59539 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
59540 with a subject applied to it with RES_CPU. Otherwise, the limit will only
59541 begin to be applied at fork time.
59542
59543 Thanks to Bjornar Ness for the report.
59544
59545 grsecurity/gracl.c | 4 ++++
59546 1 files changed, 4 insertions(+), 0 deletions(-)
59547
59548commit 2126421f123513f604ceef2b23ba9ed516de7e58
59549Author: Brad Spengler <spender@grsecurity.net>
59550Date: Sat Mar 16 22:07:43 2013 -0400
59551
59552 Move inode auditing prior to our refcnt dropping
59553
59554 fs/namei.c | 2 +-
59555 1 files changed, 1 insertions(+), 1 deletions(-)
59556
59557commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
59558Author: Brad Spengler <spender@grsecurity.net>
59559Date: Sat Mar 16 22:00:30 2013 -0400
59560
59561 Drop reference on completed path walked in RCU mode or when violating
59562 the chroot fchdir check inside a chroot -- possible culprit for a reported
59563 vfsmount_lock hang during unmount
59564
59565 fs/namei.c | 8 ++++++--
59566 1 files changed, 6 insertions(+), 2 deletions(-)
59567
59568commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
59569Author: Brad Spengler <spender@grsecurity.net>
59570Date: Sat Mar 16 16:43:45 2013 -0400
59571
59572 add user_arg_ptr back to exec.c
59573
59574 fs/exec.c | 12 ++++++++++++
59575 1 files changed, 12 insertions(+), 0 deletions(-)
59576
59577commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
59578Author: Brad Spengler <spender@grsecurity.net>
59579Date: Sat Mar 16 11:22:36 2013 -0400
59580
59581 Don't globally include compat.h -- with the new X32 support it
59582 changes some definitions involving ELF binaries resulting in invalid
59583 coredumps, as reported by KDE on the forums:
59584 http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
59585 Thanks to the PaX Team for debugging
59586
59587 fs/exec.c | 3 +++
59588 grsecurity/grsec_exec.c | 13 +++++++++++++
59589 include/linux/grsecurity.h | 15 ---------------
59590 3 files changed, 16 insertions(+), 15 deletions(-)
59591
59592commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
59593Author: Brad Spengler <spender@grsecurity.net>
59594Date: Thu Mar 14 20:59:26 2013 -0400
59595
59596 Add peer information to /proc/net/unix from Kenan Kalajdzic:
59597 http://marc.info/?l=linux-netdev&m=126745636809191&w=2
59598
59599 We use a "P" prefix to the inode number instead of "peer=". This
59600 additional information can be used, for instance, to find what processes
59601 are connected to MySQL's unix domain socket.
59602
59603 net/unix/af_unix.c | 12 +++++++++---
59604 1 files changed, 9 insertions(+), 3 deletions(-)
59605
59606commit 1cd623d11a462d151ea8a5cace4521e1724911a3
59607Author: Oliver Neukum <oneukum@suse.de>
59608Date: Tue Mar 12 14:52:42 2013 +0100
59609
59610 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
59611
59612 USB: cdc-wdm: fix buffer overflow
59613
59614 The buffer for responses must not overflow.
59615 If this would happen, set a flag, drop the data and return
59616 an error after user space has read all remaining data.
59617
59618 Signed-off-by: Oliver Neukum <oliver@neukum.org>
59619 CC: stable@kernel.org
59620 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
59621
59622 drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
59623 1 files changed, 20 insertions(+), 3 deletions(-)
59624
59625commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
59626Merge: 9cdf9bc db4cb92
59627Author: Brad Spengler <spender@grsecurity.net>
59628Date: Thu Mar 14 20:23:14 2013 -0400
59629
59630 Merge branch 'pax-test' into grsec-test
59631
59632 Conflicts:
59633 security/keys/compat.c
59634
59635commit db4cb924546e3fec3a59f78d056f48176eaf7100
59636Author: Brad Spengler <spender@grsecurity.net>
59637Date: Thu Mar 14 20:22:24 2013 -0400
59638
59639 Update to pax-linux-3.8.2-test8.patch
59640
59641 arch/arm/include/asm/cache.h | 2 ++
59642 arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
59643 arch/arm/mach-omap2/omap_device.c | 4 ++--
59644 arch/arm/mach-omap2/omap_device.h | 4 ++--
59645 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
59646 5 files changed, 19 insertions(+), 15 deletions(-)
59647
59648commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
59649Merge: 3c865f9 1a45c31
59650Author: Brad Spengler <spender@grsecurity.net>
59651Date: Thu Mar 14 20:20:54 2013 -0400
59652
59653 Merge branch 'linux-3.8.y' into pax-test
59654
59655 Conflicts:
59656 arch/arm/include/asm/delay.h
59657 arch/arm/include/asm/pgtable.h
59658 arch/arm/lib/delay.c
59659 security/keys/compat.c
59660
59661commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
59662Author: Al Viro <viro@ZenIV.linux.org.uk>
59663Date: Tue Mar 12 02:59:49 2013 +0000
59664
59665 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
59666
59667 vfs: fix pipe counter breakage
59668
59669 If you open a pipe for neither read nor write, the pipe code will not
59670 add any usage counters to the pipe, causing the 'struct pipe_inode_info"
59671 to be potentially released early.
59672
59673 That doesn't normally matter, since you cannot actually use the pipe,
59674 but the pipe release code - particularly fasync handling - still expects
59675 the actual pipe infrastructure to all be there. And rather than adding
59676 NULL pointer checks, let's just disallow this case, the same way we
59677 already do for the named pipe ("fifo") case.
59678
59679 This is ancient going back to pre-2.4 days, and until trinity, nobody
59680 naver noticed.
59681
59682 Reported-by: Dave Jones <davej@redhat.com>
59683 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
59684
59685 fs/pipe.c | 3 +++
59686 1 files changed, 3 insertions(+), 0 deletions(-)
59687
59688commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
59689Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
59690Date: Mon Feb 25 10:20:36 2013 -0500
59691
59692 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
59693
59694 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
59695
59696 Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
59697 compat_process_vm_rw() shows that the compatibility code requires an
59698 explicit "access_ok()" check before calling
59699 compat_rw_copy_check_uvector(). The same difference seems to appear when
59700 we compare fs/read_write.c:do_readv_writev() to
59701 fs/compat.c:compat_do_readv_writev().
59702
59703 This subtle difference between the compat and non-compat requirements
59704 should probably be debated, as it seems to be error-prone. In fact,
59705 there are two others sites that use this function in the Linux kernel,
59706 and they both seem to get it wrong:
59707
59708 Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
59709 also ends up calling compat_rw_copy_check_uvector() through
59710 aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
59711 be missing. Same situation for
59712 security/keys/compat.c:compat_keyctl_instantiate_key_iov().
59713
59714 I propose that we add the access_ok() check directly into
59715 compat_rw_copy_check_uvector(), so callers don't have to worry about it,
59716 and it therefore makes the compat call code similar to its non-compat
59717 counterpart. Place the access_ok() check in the same location where
59718 copy_from_user() can trigger a -EFAULT error in the non-compat code, so
59719 the ABI behaviors are alike on both compat and non-compat.
59720
59721 While we are here, fix compat_do_readv_writev() so it checks for
59722 compat_rw_copy_check_uvector() negative return values.
59723
59724 And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
59725 handling.
59726
59727 Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
59728 Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
59729 Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
59730 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
59731
59732 Conflicts:
59733
59734 security/keys/compat.c
59735
59736 fs/compat.c | 15 +++++++--------
59737 mm/process_vm_access.c | 8 --------
59738 security/keys/compat.c | 3 ++-
59739 3 files changed, 9 insertions(+), 17 deletions(-)
59740
59741commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
59742Author: Brad Spengler <spender@grsecurity.net>
59743Date: Mon Mar 11 18:38:38 2013 -0400
59744
59745 Fix leak of signal handler addresses across execve, found by Emese Revfy
59746
59747 kernel/signal.c | 3 +++
59748 1 files changed, 3 insertions(+), 0 deletions(-)
59749
59750commit 79b130c4b11c7940daf2b33d653a17666331c634
59751Merge: 6480ce9 3c865f9
59752Author: Brad Spengler <spender@grsecurity.net>
59753Date: Sun Mar 10 20:04:03 2013 -0400
59754
59755 Merge branch 'pax-test' into grsec-test
59756
59757commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
59758Author: Brad Spengler <spender@grsecurity.net>
59759Date: Sun Mar 10 20:03:12 2013 -0400
59760
59761 Update to pax-linux-3.8.2-test7.patch:
59762 - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
59763 - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
59764
59765 fs/binfmt_elf.c | 3 ++-
59766 fs/exec.c | 3 +++
59767 include/linux/mm_types.h | 2 +-
59768 init/main.c | 4 ++--
59769 mm/mmap.c | 2 +-
59770 mm/page_alloc.c | 4 ++--
59771 tools/gcc/latent_entropy_plugin.c | 11 +++++++----
59772 7 files changed, 18 insertions(+), 11 deletions(-)
59773
59774commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
59775Merge: 4a5305e 25b3569
59776Author: Brad Spengler <spender@grsecurity.net>
59777Date: Sun Mar 10 10:41:16 2013 -0400
59778
59779 Merge branch 'pax-test' into grsec-test
59780
59781commit 25b356980568bed9958315bb5a551fdc610055ed
59782Author: Brad Spengler <spender@grsecurity.net>
59783Date: Sun Mar 10 10:40:48 2013 -0400
59784
59785 Update to pax-linux-3.8.2-test6.patch:
59786 - fixed a KERNEXEC false positive on arm reported by Gu1
59787 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
59788 - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
59789 - added fix from spender for some namespace breakage reported by zakalwe
59790 - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
59791
59792 Documentation/kernel-parameters.txt | 5 +++++
59793 arch/arm/kernel/patch.c | 2 ++
59794 arch/x86/kernel/sys_i386_32.c | 5 +++--
59795 drivers/acpi/blacklist.c | 2 +-
59796 drivers/video/aty/mach64_cursor.c | 1 +
59797 init/main.c | 4 ----
59798 mm/page_alloc.c | 27 +++++++++++++++++++++++++++
59799 net/ipv4/ip_fragment.c | 2 +-
59800 security/Kconfig | 5 +++++
59801 tools/gcc/latent_entropy_plugin.c | 7 +++++--
59802 10 files changed, 50 insertions(+), 10 deletions(-)
59803
59804commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
59805Author: Brad Spengler <spender@grsecurity.net>
59806Date: Sat Mar 9 11:19:06 2013 -0500
59807
59808 From: Mathias Krause <minipli@googlemail.com>
59809 To: "David S. Miller" <davem@davemloft.net>
59810 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
59811 Stephen Hemminger <stephen@networkplumber.org>
59812 Subject: [PATCH 1/3] bridge: fix mdb info leaks
59813 Date: Sat, 9 Mar 2013 16:52:19 +0100
59814
59815 The bridging code discloses heap and stack bytes via the RTM_GETMDB
59816 netlink interface and via the notify messages send to group RTNLGRP_MDB
59817 afer a successful add/del.
59818
59819 Fix both cases by initializing all unset members/padding bytes with
59820 memset(0).
59821
59822 Cc: Stephen Hemminger <stephen@networkplumber.org>
59823 Signed-off-by: Mathias Krause <minipli@googlemail.com>
59824
59825 From: Mathias Krause <minipli@googlemail.com>
59826 To: "David S. Miller" <davem@davemloft.net>
59827 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
59828 Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
59829 Date: Sat, 9 Mar 2013 16:52:20 +0100
59830
59831 Initialize the mac address buffer with 0 as the driver specific function
59832 will probably not fill the whole buffer. In fact, all in-kernel drivers
59833 fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
59834 bytes. Therefore we currently leak 26 bytes of stack memory to userland
59835 via the netlink interface.
59836
59837 Signed-off-by: Mathias Krause <minipli@googlemail.com>
59838
59839 From: Mathias Krause <minipli@googlemail.com>
59840 To: "David S. Miller" <davem@davemloft.net>
59841 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
59842 Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
59843 Date: Sat, 9 Mar 2013 16:52:21 +0100
59844
59845 The dcb netlink interface leaks stack memory in various places:
59846 * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
59847 copied completely,
59848 * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
59849 so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
59850 for ieee_pfc structs, etc.,
59851 * the same is true for CEE -- no in-kernel driver fills the whole
59852 struct,
59853
59854 Prevent all of the above stack info leaks by properly initializing the
59855 buffers/structures involved.
59856
59857 Signed-off-by: Mathias Krause <minipli@googlemail.com>
59858
59859 net/bridge/br_mdb.c | 4 ++++
59860 net/core/rtnetlink.c | 1 +
59861 net/dcb/dcbnl.c | 8 ++++++++
59862 3 files changed, 13 insertions(+), 0 deletions(-)
59863
59864commit 601dd446f896e3a362f706943df18a68d50420a1
59865Author: Brad Spengler <spender@grsecurity.net>
59866Date: Sat Mar 9 09:35:25 2013 -0500
59867
59868 add open/close wrappers in __patch_text() as reported by Gu1 on IRC
59869
59870 arch/arm/kernel/patch.c | 2 ++
59871 1 files changed, 2 insertions(+), 0 deletions(-)
59872
59873commit ae39966fd85a493e9079b357e3faa62245a41222
59874Author: Peter Hurley <peter@hurleysoftware.com>
59875Date: Fri Mar 8 12:43:27 2013 -0800
59876
59877 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
59878
59879 ipc: don't allocate a copy larger than max
59880
59881 When MSG_COPY is set, a duplicate message must be allocated for the copy
59882 before locking the queue. However, the copy could not be larger than was
59883 sent which is limited to msg_ctlmax.
59884
59885 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
59886 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
59887 Cc: <stable@vger.kernel.org>
59888 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
59889 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
59890
59891 ipc/msg.c | 6 ++++--
59892 1 files changed, 4 insertions(+), 2 deletions(-)
59893
59894commit 61240e99650ea3e540a03a3e994349c5086f166b
59895Author: Peter Hurley <peter@hurleysoftware.com>
59896Date: Fri Mar 8 12:43:26 2013 -0800
59897
59898 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
59899
59900 ipc: fix potential oops when src msg > 4k w/ MSG_COPY
59901
59902 If the src msg is > 4k, then dest->next points to the
59903 next allocated segment; resetting it just prior to dereferencing
59904 is bad.
59905
59906 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
59907 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
59908 Cc: <stable@vger.kernel.org>
59909 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
59910 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
59911
59912 ipc/msgutil.c | 3 ---
59913 1 files changed, 0 insertions(+), 3 deletions(-)
59914
59915commit 51727f602a267f34fb2e0dc9557f1714028d51a2
59916Author: Brad Spengler <spender@grsecurity.net>
59917Date: Fri Mar 8 22:14:06 2013 -0500
59918
59919 add missing 'else' in recent constify fixups
59920
59921 net/ipv4/ip_fragment.c | 2 +-
59922 1 files changed, 1 insertions(+), 1 deletions(-)
59923
59924commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
59925Merge: 1580bb3 47c3f47
59926Author: Brad Spengler <spender@grsecurity.net>
59927Date: Fri Mar 8 18:18:37 2013 -0500
59928
59929 Merge branch 'pax-test' into grsec-test
59930
59931commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
59932Author: Brad Spengler <spender@grsecurity.net>
59933Date: Fri Mar 8 18:17:22 2013 -0500
59934
59935 Update to pax-linux-3.8.2-test5.patch:
59936 - fixed some fallout after the last round of constification changes, reported by several people
59937
59938 arch/arm/common/gic.c | 4 ++--
59939 arch/arm/include/asm/hardware/gic.h | 3 ++-
59940 arch/x86/include/asm/nmi.h | 2 +-
59941 arch/x86/kernel/nmi.c | 2 +-
59942 arch/x86/pci/irq.c | 2 +-
59943 drivers/base/power/domain.c | 4 ++--
59944 drivers/cpufreq/cpufreq_governor.c | 4 ++--
59945 drivers/mfd/twl4030-irq.c | 1 +
59946 drivers/video/vesafb.c | 7 +++++--
59947 include/linux/irq.h | 1 +
59948 include/linux/pm_domain.h | 2 +-
59949 kernel/sched/core.c | 4 ++++
59950 lib/Kconfig.debug | 4 ++--
59951 net/core/sysctl_net_core.c | 2 +-
59952 net/decnet/af_decnet.c | 1 +
59953 net/ipv4/devinet.c | 2 +-
59954 net/ipv4/ip_fragment.c | 2 +-
59955 net/ipv4/route.c | 2 +-
59956 net/ipv4/sysctl_net_ipv4.c | 2 +-
59957 net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
59958 net/ipv6/reassembly.c | 2 +-
59959 scripts/sortextable.h | 6 +++---
59960 22 files changed, 36 insertions(+), 25 deletions(-)
59961
59962commit 1580bb38b4db0bf2a46316599815e8b234edad81
59963Author: Brad Spengler <spender@grsecurity.net>
59964Date: Thu Mar 7 22:02:59 2013 -0500
59965
59966 add an additional open/close wrapper
59967
59968 kernel/sched/core.c | 2 ++
59969 1 files changed, 2 insertions(+), 0 deletions(-)
59970
59971commit 21622672d28d58e0d93a805cd1f9650a894a752a
59972Author: Brad Spengler <spender@grsecurity.net>
59973Date: Thu Mar 7 21:58:24 2013 -0500
59974
59975 fix oops at shutdown with new constify code
59976
59977 kernel/sched/core.c | 2 ++
59978 1 files changed, 2 insertions(+), 0 deletions(-)
59979
59980commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
59981Author: Brad Spengler <spender@grsecurity.net>
59982Date: Thu Mar 7 21:18:44 2013 -0500
59983
59984 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
59985 it currently conflicts with some lock debugging options, so made as an
59986 option to allow for debugging when necessary
59987
59988 Makefile | 2 --
59989 lib/Kconfig.debug | 6 +++---
59990 security/Kconfig | 18 ++++++++++++++++++
59991 3 files changed, 21 insertions(+), 5 deletions(-)
59992
59993commit 0885b00b8373a1597b69c38032a0c9eee279303b
59994Author: Brad Spengler <spender@grsecurity.net>
59995Date: Thu Mar 7 20:55:19 2013 -0500
59996
59997 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
59998
59999 lib/Kconfig.debug | 2 +-
60000 1 files changed, 1 insertions(+), 1 deletions(-)
60001
60002commit c8a2617165e7127a54f293cbf57d22d50dd83abd
60003Author: Brad Spengler <spender@grsecurity.net>
60004Date: Thu Mar 7 20:30:41 2013 -0500
60005
60006 Fix error:
60007 drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
60008 with cast and proper kernexec accessors
60009
60010 drivers/video/vesafb.c | 7 +++++--
60011 1 files changed, 5 insertions(+), 2 deletions(-)
60012
60013commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
60014Author: Brad Spengler <spender@grsecurity.net>
60015Date: Thu Mar 7 20:20:28 2013 -0500
60016
60017 fix typo
60018
60019 grsecurity/gracl.c | 2 +-
60020 1 files changed, 1 insertions(+), 1 deletions(-)
60021
60022commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
60023Author: Brad Spengler <spender@grsecurity.net>
60024Date: Thu Mar 7 20:12:17 2013 -0500
60025
60026 fix compilation error -- no reason for task_pid_nr to not take a const task ptr
60027
60028 include/linux/sched.h | 2 +-
60029 1 files changed, 1 insertions(+), 1 deletions(-)
60030
60031commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
60032Author: Kees Cook <keescook@chromium.org>
60033Date: Mon Feb 25 21:32:25 2013 +0000
60034
60035 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
60036
60037 proc connector: reject unprivileged listener bumps
60038
60039 While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
60040 for an unprivileged user to turn off notifications for all listeners by
60041 sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
60042 required for a multicast bind.
60043
60044 Signed-off-by: Kees Cook <keescook@chromium.org>
60045 Cc: Evgeniy Polyakov <zbr@ioremap.net>
60046 Cc: Matt Helsley <matthltc@us.ibm.com>
60047 Cc: stable@vger.kernel.org
60048 Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
60049 Acked-by: Matt Helsley <matthltc@us.ibm.com>
60050 Signed-off-by: David S. Miller <davem@davemloft.net>
60051
60052 drivers/connector/cn_proc.c | 8 ++++++++
60053 1 files changed, 8 insertions(+), 0 deletions(-)
60054
60055commit ac6014ded57101e3e608941555ff507e20c1ece3
60056Author: Dan Carpenter <dan.carpenter@oracle.com>
60057Date: Tue Feb 26 19:15:02 2013 +0000
60058
60059 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
60060
60061 irda: small read beyond end of array in debug code
60062
60063 charset comes from skb->data. It's a number in the 0-255 range.
60064 If we have debugging turned on then this could cause a read beyond
60065 the end of the array.
60066
60067 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
60068 Signed-off-by: David S. Miller <davem@davemloft.net>
60069
60070 net/irda/iriap.c | 7 +++++--
60071 1 files changed, 5 insertions(+), 2 deletions(-)
60072
60073commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
60074Author: Guenter Roeck <linux@roeck-us.net>
60075Date: Wed Feb 27 10:57:31 2013 +0000
60076
60077 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
60078
60079 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
60080
60081 Building sctp may fail with:
60082
60083 In function ‘copy_from_user’,
60084 inlined from ‘sctp_getsockopt_assoc_stats’ at
60085 net/sctp/socket.c:5656:20:
60086 arch/x86/include/asm/uaccess_32.h:211:26: error: call to
60087 ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
60088 buffer size is not provably correct
60089
60090 if built with W=1 due to a missing parameter size validation
60091 before the call to copy_from_user.
60092
60093 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
60094 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
60095 Signed-off-by: David S. Miller <davem@davemloft.net>
60096
60097 net/sctp/socket.c | 6 +++---
60098 1 files changed, 3 insertions(+), 3 deletions(-)
60099
60100commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
60101Author: Guillaume Nault <g.nault@alphalink.fr>
60102Date: Fri Mar 1 05:02:02 2013 +0000
60103
60104 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
60105
60106 l2tp: Restore socket refcount when sendmsg succeeds
60107
60108 The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
60109 reference counter after successful transmissions. Any successful
60110 sendmsg() call from userspace will then increase the reference counter
60111 forever, thus preventing the kernel's session and tunnel data from
60112 being freed later on.
60113
60114 The problem only happens when writing directly on L2TP sockets.
60115 PPP sockets attached to L2TP are unaffected as the PPP subsystem
60116 uses pppol2tp_xmit() which symmetrically increase/decrease reference
60117 counters.
60118
60119 This patch adds the missing call to sock_put() before returning from
60120 pppol2tp_sendmsg().
60121
60122 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
60123 Signed-off-by: David S. Miller <davem@davemloft.net>
60124
60125 net/l2tp/l2tp_ppp.c | 1 +
60126 1 files changed, 1 insertions(+), 0 deletions(-)
60127
60128commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
60129Author: Cong Wang <amwang@redhat.com>
60130Date: Sun Mar 3 16:18:11 2013 +0000
60131
60132 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
60133
60134 rds: limit the size allocated by rds_message_alloc()
60135
60136 Dave Jones reported the following bug:
60137
60138 "When fed mangled socket data, rds will trust what userspace gives it,
60139 and tries to allocate enormous amounts of memory larger than what
60140 kmalloc can satisfy."
60141
60142 WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
60143 Hardware name: GA-MA78GM-S2H
60144 Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
60145 Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
60146 Call Trace:
60147 [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
60148 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
60149 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
60150 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
60151 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
60152 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
60153 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
60154 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
60155 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
60156 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
60157 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
60158 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
60159 [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
60160 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
60161 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
60162 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
60163 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
60164 [<ffffffff81567f30>] sys_sendto+0x130/0x180
60165 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
60166 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
60167 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
60168 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
60169 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
60170 [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
60171 ---[ end trace eed6ae990d018c8b ]---
60172
60173 Reported-by: Dave Jones <davej@redhat.com>
60174 Cc: Dave Jones <davej@redhat.com>
60175 Cc: David S. Miller <davem@davemloft.net>
60176 Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
60177 Signed-off-by: Cong Wang <amwang@redhat.com>
60178 Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
60179 Signed-off-by: David S. Miller <davem@davemloft.net>
60180
60181 net/rds/message.c | 3 +++
60182 1 files changed, 3 insertions(+), 0 deletions(-)
60183
60184commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
60185Author: Cong Wang <amwang@redhat.com>
60186Date: Sun Mar 3 16:28:27 2013 +0000
60187
60188 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
60189
60190 sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
60191
60192 Don't definite its own MAX_KMALLOC_SIZE, use the one
60193 defined in mm.
60194
60195 Cc: Vlad Yasevich <vyasevich@gmail.com>
60196 Cc: Sridhar Samudrala <sri@us.ibm.com>
60197 Cc: Neil Horman <nhorman@tuxdriver.com>
60198 Cc: David S. Miller <davem@davemloft.net>
60199 Signed-off-by: Cong Wang <amwang@redhat.com>
60200 Acked-by: Neil Horman <nhorman@tuxdriver.com>
60201 Signed-off-by: David S. Miller <davem@davemloft.net>
60202
60203 net/sctp/ssnmap.c | 8 +++-----
60204 1 files changed, 3 insertions(+), 5 deletions(-)
60205
60206commit 4295a024e812f903fc580c81de5e81cc149503fa
60207Author: Brad Spengler <spender@grsecurity.net>
60208Date: Thu Mar 7 17:57:49 2013 -0500
60209
60210 Upstream commit: https://lkml.org/lkml/2013/3/6/535
60211
60212 security/keys/process_keys.c | 2 +-
60213 1 files changed, 1 insertions(+), 1 deletions(-)
60214
60215commit 33edd486a9899a145a15586d7134636b0300aaee
60216Merge: 4eeeaf3 a2a2094
60217Author: Brad Spengler <spender@grsecurity.net>
60218Date: Thu Mar 7 17:53:00 2013 -0500
60219
60220 Merge branch 'pax-test' into grsec-test
60221
60222 Conflicts:
60223 arch/arm/include/asm/domain.h
60224
60225commit a2a20947f5e1332e474160a39af520738b3c8c19
60226Author: Brad Spengler <spender@grsecurity.net>
60227Date: Thu Mar 7 17:51:04 2013 -0500
60228
60229 Update to pax-linux-3.8.2-test4.patch:
60230 fixed arm compilation problems reported by Michael Tremer
60231 - the constify plugin got smarter that enabled, with some additional patching,
60232 the elimination of about half the static function pointers on amd64/allmod
60233 (up from about 18%), depending on the kernel config it can be even more (70%)
60234
60235 Documentation/dontdiff | 2 +
60236 arch/arm/include/asm/domain.h | 1 +
60237 arch/x86/include/asm/i8259.h | 2 +-
60238 arch/x86/include/asm/nmi.h | 4 +-
60239 arch/x86/kernel/acpi/boot.c | 4 +-
60240 arch/x86/kernel/apic/apic_noop.c | 2 +-
60241 arch/x86/kernel/apic/es7000_32.c | 2 +-
60242 arch/x86/kernel/apic/io_apic.c | 10 +-
60243 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
60244 arch/x86/kernel/cpu/perf_event.c | 6 +-
60245 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
60246 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
60247 arch/x86/kernel/i8259.c | 6 +-
60248 arch/x86/kernel/io_delay.c | 2 +-
60249 arch/x86/kernel/nmi.c | 6 +-
60250 arch/x86/kernel/nmi_selftest.c | 4 +-
60251 arch/x86/kernel/pci-swiotlb.c | 2 +-
60252 arch/x86/oprofile/nmi_int.c | 8 +-
60253 arch/x86/oprofile/op_model_amd.c | 8 +-
60254 arch/x86/oprofile/op_model_ppro.c | 7 +-
60255 arch/x86/oprofile/op_x86_model.h | 2 +-
60256 arch/x86/pci/irq.c | 6 +-
60257 drivers/acpi/apei/apei-internal.h | 2 +-
60258 drivers/acpi/bgrt.c | 6 +-
60259 drivers/acpi/blacklist.c | 2 +-
60260 drivers/acpi/processor_idle.c | 2 +-
60261 drivers/acpi/sysfs.c | 4 +-
60262 drivers/base/bus.c | 4 +-
60263 drivers/base/node.c | 2 +-
60264 drivers/base/syscore.c | 4 +-
60265 drivers/block/drbd/drbd_receiver.c | 4 +-
60266 drivers/char/random.c | 2 +-
60267 drivers/cpufreq/acpi-cpufreq.c | 20 ++-
60268 drivers/cpufreq/cpufreq.c | 7 +-
60269 drivers/cpufreq/cpufreq_governor.c | 4 +-
60270 drivers/cpufreq/cpufreq_governor.h | 2 +-
60271 drivers/cpufreq/p4-clockmod.c | 12 +-
60272 drivers/cpufreq/speedstep-centrino.c | 7 +-
60273 drivers/cpuidle/cpuidle.c | 2 +-
60274 drivers/cpuidle/governor.c | 4 +-
60275 drivers/cpuidle/sysfs.c | 2 +-
60276 drivers/devfreq/devfreq.c | 4 +-
60277 drivers/edac/edac_mc_sysfs.c | 2 +-
60278 drivers/edac/edac_pci_sysfs.c | 2 +-
60279 drivers/firewire/core-device.c | 2 +-
60280 drivers/firmware/dmi-id.c | 2 +-
60281 drivers/firmware/efivars.c | 2 +-
60282 drivers/firmware/google/memconsole.c | 4 +-
60283 drivers/gpio/gpio-ich.c | 2 +-
60284 drivers/gpu/drm/drm_drv.c | 2 +-
60285 drivers/gpu/drm/drm_ioc32.c | 9 +-
60286 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
60287 drivers/gpu/drm/i915/intel_display.c | 26 ++-
60288 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
60289 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
60290 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
60291 drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
60292 drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
60293 drivers/gpu/drm/udl/udl_fb.c | 1 -
60294 drivers/hwmon/acpi_power_meter.c | 4 +-
60295 drivers/hwmon/applesmc.c | 2 +-
60296 drivers/hwmon/asus_atk0110.c | 10 +-
60297 drivers/hwmon/ibmaem.c | 2 +-
60298 drivers/hwmon/pmbus/pmbus_core.c | 2 +-
60299 drivers/iio/industrialio-core.c | 2 +-
60300 drivers/input/mouse/psmouse.h | 2 +-
60301 drivers/iommu/iommu.c | 2 +-
60302 drivers/leds/leds-clevo-mail.c | 2 +-
60303 drivers/leds/leds-ss4200.c | 2 +-
60304 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
60305 drivers/mfd/twl4030-irq.c | 8 +-
60306 drivers/mfd/twl6030-irq.c | 10 +-
60307 drivers/misc/c2port/core.c | 4 +-
60308 drivers/mtd/sm_ftl.c | 2 +-
60309 drivers/net/bonding/bond_main.c | 2 +-
60310 drivers/net/macvlan.c | 16 +-
60311 drivers/net/vxlan.c | 2 +-
60312 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
60313 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
60314 drivers/pci/hotplug/pciehp_core.c | 2 +-
60315 drivers/pci/pci-sysfs.c | 6 +-
60316 drivers/pci/pci.h | 2 +-
60317 drivers/platform/x86/msi-laptop.c | 14 +-
60318 drivers/platform/x86/sony-laptop.c | 2 +-
60319 drivers/power/power_supply.h | 4 +-
60320 drivers/power/power_supply_core.c | 6 +-
60321 drivers/power/power_supply_sysfs.c | 6 +-
60322 drivers/rtc/rtc-cmos.c | 4 +-
60323 drivers/rtc/rtc-ds1307.c | 2 +-
60324 drivers/rtc/rtc-m48t59.c | 4 +-
60325 drivers/scsi/bfa/bfa.h | 2 +-
60326 drivers/staging/iio/iio_hwmon.c | 2 +-
60327 drivers/usb/storage/usb.h | 2 +-
60328 drivers/video/aty/atyfb_base.c | 8 +-
60329 drivers/video/aty/mach64_cursor.c | 4 +-
60330 drivers/video/backlight/kb3886_bl.c | 2 +-
60331 drivers/video/fb_defio.c | 6 +-
60332 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
60333 drivers/video/nvidia/nvidia.c | 27 ++-
60334 drivers/video/s1d13xxxfb.c | 6 +-
60335 drivers/video/smscufx.c | 4 +-
60336 drivers/video/udlfb.c | 4 +-
60337 drivers/video/uvesafb.c | 14 +-
60338 fs/exec.c | 6 +-
60339 fs/ext4/super.c | 2 +-
60340 fs/jfs/super.c | 4 +-
60341 fs/nfs/callback_xdr.c | 2 +-
60342 fs/nfsd/nfs4proc.c | 2 +-
60343 fs/nfsd/nfs4xdr.c | 6 +-
60344 fs/nls/nls_base.c | 18 +-
60345 fs/nls/nls_euc-jp.c | 6 +-
60346 fs/nls/nls_koi8-ru.c | 6 +-
60347 fs/proc/proc_sysctl.c | 18 +-
60348 include/drm/drmP.h | 12 +-
60349 include/keys/asymmetric-subtype.h | 2 +-
60350 include/linux/atmdev.h | 2 +-
60351 include/linux/binfmts.h | 2 +-
60352 include/linux/configfs.h | 2 +-
60353 include/linux/cpufreq.h | 3 +-
60354 include/linux/cpuidle.h | 5 +-
60355 include/linux/devfreq.h | 2 +-
60356 include/linux/device.h | 7 +-
60357 include/linux/extcon.h | 2 +-
60358 include/linux/fb.h | 2 +-
60359 include/linux/fscache.h | 2 +-
60360 include/linux/genl_magic_func.h | 2 +-
60361 include/linux/hwmon-sysfs.h | 5 +-
60362 include/linux/iommu.h | 2 +-
60363 include/linux/irq.h | 2 +-
60364 include/linux/key-type.h | 2 +-
60365 include/linux/kobject.h | 1 +
60366 include/linux/kobject_ns.h | 2 +-
60367 include/linux/list.h | 14 +-
60368 include/linux/mod_devicetable.h | 2 +-
60369 include/linux/module.h | 5 +-
60370 include/linux/net.h | 2 +-
60371 include/linux/netfilter.h | 2 +-
60372 include/linux/nls.h | 2 +-
60373 include/linux/pci_hotplug.h | 3 +-
60374 include/linux/platform_data/usb-exynos.h | 2 +-
60375 include/linux/pnp.h | 2 +-
60376 include/linux/ppp-comp.h | 2 +-
60377 include/linux/rculist.h | 16 ++
60378 include/linux/sched.h | 2 +-
60379 include/linux/sock_diag.h | 2 +-
60380 include/linux/sunrpc/clnt.h | 2 +-
60381 include/linux/sunrpc/svc.h | 2 +-
60382 include/linux/sunrpc/svcauth.h | 2 +-
60383 include/linux/swiotlb.h | 3 +-
60384 include/linux/syscore_ops.h | 2 +-
60385 include/linux/sysctl.h | 6 +-
60386 include/linux/sysfs.h | 10 +-
60387 include/linux/sysrq.h | 1 +
60388 include/linux/xattr.h | 2 +-
60389 include/net/9p/transport.h | 2 +-
60390 include/net/bluetooth/l2cap.h | 2 +-
60391 include/net/genetlink.h | 2 +-
60392 include/net/ip.h | 2 +-
60393 include/net/ip_vs.h | 4 +-
60394 include/net/llc_c_ac.h | 2 +-
60395 include/net/llc_c_ev.h | 4 +-
60396 include/net/llc_c_st.h | 2 +-
60397 include/net/llc_s_ac.h | 2 +-
60398 include/net/llc_s_st.h | 2 +-
60399 include/net/mac80211.h | 2 +-
60400 include/net/net_namespace.h | 2 +-
60401 include/net/netns/conntrack.h | 6 +-
60402 include/net/rtnetlink.h | 2 +-
60403 include/net/sctp/sm.h | 4 +-
60404 include/net/sctp/structs.h | 2 +-
60405 include/net/xfrm.h | 4 +-
60406 ipc/ipc_sysctl.c | 10 +-
60407 ipc/mq_sysctl.c | 2 +-
60408 kernel/kmod.c | 2 +-
60409 kernel/ksysfs.c | 2 +-
60410 kernel/module.c | 4 +-
60411 kernel/pid_namespace.c | 2 +-
60412 kernel/rcutree_plugin.h | 2 +-
60413 kernel/sched/core.c | 39 ++--
60414 kernel/smpboot.c | 4 +-
60415 kernel/softirq.c | 2 +-
60416 kernel/sysctl.c | 2 +-
60417 kernel/utsname_sysctl.c | 2 +-
60418 kernel/watchdog.c | 2 +-
60419 lib/Kconfig.debug | 2 +-
60420 lib/kobject.c | 4 +-
60421 lib/list_debug.c | 57 ++++-
60422 lib/swiotlb.c | 2 +-
60423 mm/hugetlb.c | 16 +-
60424 mm/memory-failure.c | 2 +-
60425 mm/slab_common.c | 2 +-
60426 net/9p/mod.c | 4 +-
60427 net/ax25/sysctl_net_ax25.c | 2 +-
60428 net/core/neighbour.c | 2 +-
60429 net/core/net-sysfs.c | 2 +-
60430 net/core/net_namespace.c | 8 +-
60431 net/core/rtnetlink.c | 11 +-
60432 net/core/sock_diag.c | 9 +-
60433 net/core/sysctl_net_core.c | 15 +-
60434 net/ipv4/af_inet.c | 8 +-
60435 net/ipv4/devinet.c | 12 +-
60436 net/ipv4/inet_connection_sock.c | 2 +-
60437 net/ipv4/ip_fragment.c | 9 +-
60438 net/ipv4/ip_gre.c | 6 +-
60439 net/ipv4/ip_vti.c | 4 +-
60440 net/ipv4/ipip.c | 4 +-
60441 net/ipv4/route.c | 14 +-
60442 net/ipv4/sysctl_net_ipv4.c | 43 ++--
60443 net/ipv6/addrconf.c | 4 +-
60444 net/ipv6/icmp.c | 2 +-
60445 net/ipv6/ip6_gre.c | 6 +-
60446 net/ipv6/ip6_tunnel.c | 4 +-
60447 net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
60448 net/ipv6/reassembly.c | 11 +-
60449 net/ipv6/route.c | 2 +-
60450 net/ipv6/sit.c | 4 +-
60451 net/ipv6/sysctl_net_ipv6.c | 2 +-
60452 net/netfilter/ipset/ip_set_core.c | 2 +-
60453 net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
60454 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
60455 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
60456 net/netfilter/nf_conntrack_acct.c | 2 +-
60457 net/netfilter/nf_conntrack_ecache.c | 2 +-
60458 net/netfilter/nf_conntrack_helper.c | 2 +-
60459 net/netfilter/nf_conntrack_proto.c | 2 +-
60460 net/netfilter/nf_conntrack_standalone.c | 2 +-
60461 net/netfilter/nf_conntrack_timestamp.c | 2 +-
60462 net/netfilter/nf_log.c | 10 +-
60463 net/netfilter/nf_sockopt.c | 4 +-
60464 net/netlink/genetlink.c | 16 +-
60465 net/phonet/sysctl.c | 2 +-
60466 net/rds/rds.h | 2 +-
60467 net/sctp/ipv6.c | 6 +-
60468 net/sctp/protocol.c | 10 +-
60469 net/sctp/sm_sideeffect.c | 2 +-
60470 net/sctp/sysctl.c | 4 +-
60471 net/sunrpc/clnt.c | 4 +-
60472 net/sunrpc/svc.c | 4 +-
60473 net/unix/sysctl_net_unix.c | 2 +-
60474 net/xfrm/xfrm_policy.c | 11 +-
60475 net/xfrm/xfrm_state.c | 29 ++-
60476 net/xfrm/xfrm_sysctl.c | 2 +-
60477 security/apparmor/lsm.c | 2 +-
60478 security/keys/key.c | 18 +-
60479 security/yama/yama_lsm.c | 22 +-
60480 tools/gcc/Makefile | 4 +-
60481 tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
60482 tools/gcc/size_overflow_plugin.c | 7 +-
60483 248 files changed, 994 insertions(+), 668 deletions(-)
60484
60485commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
60486Author: Brad Spengler <spender@grsecurity.net>
60487Date: Wed Mar 6 12:58:21 2013 -0500
60488
60489 Make slab_state __read_only, it's only written to during init
60490
60491 mm/slab_common.c | 2 +-
60492 1 files changed, 1 insertions(+), 1 deletions(-)
60493
60494commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
60495Author: Brad Spengler <spender@grsecurity.net>
60496Date: Wed Mar 6 12:31:35 2013 -0500
60497
60498 Make two new helper functions:
60499 gr_is_global_root() and gr_is_global_nonroot()
60500
60501 grsecurity/gracl.c | 10 +++++-----
60502 grsecurity/gracl_segv.c | 2 +-
60503 grsecurity/grsec_link.c | 4 ++--
60504 grsecurity/grsec_sig.c | 10 +++++-----
60505 grsecurity/grsec_tpe.c | 6 +++---
60506 include/linux/uidgid.h | 2 ++
60507 6 files changed, 18 insertions(+), 16 deletions(-)
60508
60509commit d45d88eddd4998b280b1e5b5384289ee11ca7088
60510Author: Brad Spengler <spender@grsecurity.net>
60511Date: Wed Mar 6 12:14:41 2013 -0500
60512
60513 convert remaining task->pid to task_pid_nr(task)
60514
60515 grsecurity/gracl.c | 22 +++++++++++-----------
60516 grsecurity/gracl_shm.c | 2 +-
60517 grsecurity/grsec_chroot.c | 4 ++--
60518 grsecurity/grsec_sig.c | 4 ++--
60519 4 files changed, 16 insertions(+), 16 deletions(-)
60520
60521commit c877f2ece03ee2232dd281c1977ae59507297124
60522Author: Brad Spengler <spender@grsecurity.net>
60523Date: Tue Mar 5 17:29:54 2013 -0500
60524
60525 compat-log is only used anymore by vm86-on-64bit and allows unlimited
60526 spamming of the kernel log buffer (and since it includes the changable
60527 process name, can avoid syslog log deduplication)
60528 Turn it off by default
60529
60530 fs/compat.c | 2 +-
60531 1 files changed, 1 insertions(+), 1 deletions(-)
60532
60533commit 7c1964c4b7276889d7967bee70e46918cdca1b14
60534Author: Brad Spengler <spender@grsecurity.net>
60535Date: Mon Mar 4 17:19:10 2013 -0500
60536
60537 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
60538 is enabled, introduced with recent userns support
60539
60540 init/main.c | 4 ++--
60541 1 files changed, 2 insertions(+), 2 deletions(-)
60542
60543commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
60544Author: Brad Spengler <spender@grsecurity.net>
60545Date: Sun Mar 3 18:46:12 2013 -0500
60546
60547 Prevent TOMOYO from auto-loading modules by unprivileged users
60548 (Only reachable if TOMOYO is actually used)
60549
60550 security/tomoyo/mount.c | 4 ++++
60551 1 files changed, 4 insertions(+), 0 deletions(-)
60552
60553commit 79e142f9455b398759ff9d93d4963a21b98dddda
60554Author: Brad Spengler <spender@grsecurity.net>
60555Date: Sun Mar 3 18:28:45 2013 -0500
60556
60557 For now, don't permit any special access to /proc in a user namespace
60558 Later we can go back and allow a userns-uid0 special access to a /proc
60559 with a non-global pid namespace
60560
60561 fs/proc/base.c | 2 +-
60562 1 files changed, 1 insertions(+), 1 deletions(-)
60563
60564commit 8b91fb393049ce5f3c0a86f62247409853fd9700
60565Merge: d931eb8 603ef05
60566Author: Brad Spengler <spender@grsecurity.net>
60567Date: Sun Mar 3 17:42:09 2013 -0500
60568
60569 Merge branch 'pax-test' into grsec-test
60570
60571commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
60572Author: Brad Spengler <spender@grsecurity.net>
60573Date: Sun Mar 3 17:41:31 2013 -0500
60574
60575 Fix compilation error on ARM reported by Michael Tremer
60576
60577 arch/arm/mach-omap2/wd_timer.c | 6 +++---
60578 1 files changed, 3 insertions(+), 3 deletions(-)
60579
60580commit b4c9ce81fdd7839a150c97873c710c479e788280
60581Author: Brad Spengler <spender@grsecurity.net>
60582Date: Sun Mar 3 17:39:53 2013 -0500
60583
60584 Fix compilation error on ARM reported by Michael Tremer
60585
60586 arch/arm/kernel/armksyms.c | 2 +-
60587 1 files changed, 1 insertions(+), 1 deletions(-)
60588
60589commit d931eb81ab3da46896268fd61373a6aa7bbea930
60590Merge: bfa7f44 5948f93
60591Author: Brad Spengler <spender@grsecurity.net>
60592Date: Sun Mar 3 17:34:36 2013 -0500
60593
60594 Merge branch 'pax-test' into grsec-test
60595
60596commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
60597Merge: ab30472 19b00d2
60598Author: Brad Spengler <spender@grsecurity.net>
60599Date: Sun Mar 3 17:34:08 2013 -0500
60600
60601 Merge branch 'linux-3.8.y' into pax-test
60602
60603commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
60604Author: Brad Spengler <spender@grsecurity.net>
60605Date: Sun Mar 3 15:12:12 2013 -0500
60606
60607 Initial support for user namespaces, as we previously didn't allow
60608 the option to be enabled at all.
60609
60610 RBAC will act on the global uids/gids only, so all uids/gids in user
60611 namespaces will be converted
60612
60613 Because Eric Biederman is insulted that I didn't support his
60614 backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
60615 check in for user namespaces, so this is generally irrelevant.
60616
60617 fs/exec.c | 6 +-
60618 fs/proc/base.c | 2 +-
60619 fs/proc/proc_net.c | 4 +-
60620 grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
60621 grsecurity/gracl_cap.c | 4 +-
60622 grsecurity/gracl_ip.c | 16 +++---
60623 grsecurity/gracl_segv.c | 12 +++-
60624 grsecurity/gracl_shm.c | 4 +-
60625 grsecurity/grsec_disabled.c | 10 ++--
60626 grsecurity/grsec_fifo.c | 6 +-
60627 grsecurity/grsec_init.c | 24 ++++----
60628 grsecurity/grsec_log.c | 3 -
60629 grsecurity/grsec_tpe.c | 6 +-
60630 include/linux/grinternal.h | 12 ++--
60631 include/linux/grsecurity.h | 12 ++--
60632 include/linux/uidgid.h | 3 +
60633 init/Kconfig | 2 -
60634 ipc/shm.c | 2 +-
60635 kernel/cred.c | 5 +-
60636 kernel/kallsyms.c | 2 +-
60637 kernel/kmod.c | 6 +-
60638 kernel/sys.c | 12 ++--
60639 22 files changed, 166 insertions(+), 115 deletions(-)
60640
60641commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
60642Author: Linus Torvalds <torvalds@linux-foundation.org>
60643Date: Wed Feb 27 08:36:04 2013 -0800
60644
60645 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
60646
60647 mm: do not grow the stack vma just because of an overrun on preceding vma
60648
60649 The stack vma is designed to grow automatically (marked with VM_GROWSUP
60650 or VM_GROWSDOWN depending on architecture) when an access is made beyond
60651 the existing boundary. However, particularly if you have not limited
60652 your stack at all ("ulimit -s unlimited"), this can cause the stack to
60653 grow even if the access was really just one past *another* segment.
60654
60655 And that's wrong, especially since we first grow the segment, but then
60656 immediately later enforce the stack guard page on the last page of the
60657 segment. So _despite_ first growing the stack segment as a result of
60658 the access, the kernel will then make the access cause a SIGSEGV anyway!
60659
60660 So do the same logic as the guard page check does, and consider an
60661 access to within one page of the next segment to be a bad access, rather
60662 than growing the stack to abut the next segment.
60663
60664 Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
60665 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
60666
60667 mm/mmap.c | 27 +++++++++++++++++++++++++++
60668 1 files changed, 27 insertions(+), 0 deletions(-)
60669
60670commit 5596211af754867ca825f58e6e0300a8439950fe
60671Author: H. Peter Anvin <hpa@linux.intel.com>
60672Date: Wed Feb 27 12:46:40 2013 -0800
60673
60674 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
60675
60676 x86: Make sure we can boot in the case the BDA contains pure garbage
60677
60678 On non-BIOS platforms it is possible that the BIOS data area contains
60679 garbage instead of being zeroed or something equivalent (firmware
60680 people: we are talking of 1.5K here, so please do the sane thing.)
60681
60682 We need on the order of 20-30K of low memory in order to boot, which
60683 may grow up to < 64K in the future. We probably want to avoid the
60684 lowest of the low memory. At the same time, it seems extremely
60685 unlikely that a legitimate EBDA would ever reach down to the 128K
60686 (which would require it to be over half a megabyte in size.) Thus,
60687 pick 128K as the cutoff for "this is insane, ignore." We may still
60688 end up reserving a bunch of extra memory on the low megabyte, but that
60689 is not really a major issue these days. In the worst case we lose
60690 512K of RAM.
60691
60692 This code really should be merged with trim_bios_range() in
60693 arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
60694 window.
60695
60696 Reported-by: Darren Hart <dvhart@linux.intel.com>
60697 Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
60698 Cc: Matt Fleming <matt.fleming@intel.com>
60699 Cc: <stable@vger.kernel.org>
60700 Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
60701
60702 arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
60703 1 files changed, 34 insertions(+), 19 deletions(-)
60704
60705commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
60706Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
60707Date: Wed Feb 27 17:05:46 2013 -0800
60708
60709 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
60710
60711 memstick: move the dereference below the NULL test
60712
60713 The dereference should be moved below the NULL test.
60714
60715 spatch with a semantic match is used to found this.
60716 (http://coccinelle.lip6.fr/)
60717
60718 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
60719 Cc: Maxim Levitsky <maximlevitsky@gmail.com>
60720 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
60721 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
60722
60723 drivers/memstick/host/r592.c | 3 ++-
60724 1 files changed, 2 insertions(+), 1 deletions(-)
60725
60726commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
60727Author: Xi Wang <xi.wang@gmail.com>
60728Date: Wed Feb 27 17:05:21 2013 -0800
60729
60730 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
60731
60732 sysctl: fix null checking in bin_dn_node_address()
60733
60734 The null check of `strchr() + 1' is broken, which is always non-null,
60735 leading to OOB read. Instead, check the result of strchr().
60736
60737 Signed-off-by: Xi Wang <xi.wang@gmail.com>
60738 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
60739 Cc: <stable@vger.kernel.org>
60740 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
60741 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
60742
60743 kernel/sysctl_binary.c | 3 ++-
60744 1 files changed, 2 insertions(+), 1 deletions(-)
60745
60746commit 7ca96db0817416fd40761e7437d1939fc0731380
60747Author: Tejun Heo <tj@kernel.org>
60748Date: Wed Feb 27 17:03:34 2013 -0800
60749
60750 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
60751
60752 idr: fix a subtle bug in idr_get_next()
60753
60754 The iteration logic of idr_get_next() is borrowed mostly verbatim from
60755 idr_for_each(). It walks down the tree looking for the slot matching
60756 the current ID. If the matching slot is not found, the ID is
60757 incremented by the distance of single slot at the given level and
60758 repeats.
60759
60760 The implementation assumes that during the whole iteration id is aligned
60761 to the layer boundaries of the level closest to the leaf, which is true
60762 for all iterations starting from zero or an existing element and thus is
60763 fine for idr_for_each().
60764
60765 However, idr_get_next() may be given any point and if the starting id
60766 hits in the middle of a non-existent layer, increment to the next layer
60767 will end up skipping the same offset into it. For example, an IDR with
60768 IDs filled between [64, 127] would look like the following.
60769
60770 [ 0 64 ... ]
60771 /----/ |
60772 | |
60773 NULL [ 64 ... 127 ]
60774
60775 If idr_get_next() is called with 63 as the starting point, it will try
60776 to follow down the pointer from 0. As it is NULL, it will then try to
60777 proceed to the next slot in the same level by adding the slot distance
60778 at that level which is 64 - making the next try 127. It goes around the
60779 loop and finds and returns 127 skipping [64, 126].
60780
60781 Note that this bug also triggers in idr_for_each_entry() loop which
60782 deletes during iteration as deletions can make layers go away leaving
60783 the iteration with unaligned ID into missing layers.
60784
60785 Fix it by ensuring proceeding to the next slot doesn't carry over the
60786 unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
60787 id += slot_distance.
60788
60789 Signed-off-by: Tejun Heo <tj@kernel.org>
60790 Reported-by: David Teigland <teigland@redhat.com>
60791 Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
60792 Cc: <stable@vger.kernel.org>
60793 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
60794 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
60795
60796 lib/idr.c | 9 ++++++++-
60797 1 files changed, 8 insertions(+), 1 deletions(-)
60798
60799commit 745362f28034f54242ba2e64eaa7374ab9869613
60800Author: Brad Spengler <spender@grsecurity.net>
60801Date: Fri Mar 1 20:31:42 2013 -0500
60802
60803 Fix dentry use-after-free after failed complete_walk() with RBAC enabled
60804 Many thanks to zakalwe from #grsecurity for the report and debugging help
60805
60806 fs/namei.c | 8 +++-----
60807 1 files changed, 3 insertions(+), 5 deletions(-)
60808
60809commit b53b3b14330920c6f7cfb74c8508a3026e1be620
60810Author: Brad Spengler <spender@grsecurity.net>
60811Date: Thu Feb 28 18:29:26 2013 -0500
60812
60813 Fix bad git merge
60814
60815 fs/namespace.c | 8 --------
60816 1 files changed, 0 insertions(+), 8 deletions(-)
60817
60818commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
60819Merge: 1cce1dd ab30472
60820Author: Brad Spengler <spender@grsecurity.net>
60821Date: Thu Feb 28 17:45:14 2013 -0500
60822
60823 Merge branch 'pax-test' into grsec-test
60824
60825 Conflicts:
60826 net/core/sock_diag.c
60827
60828commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
60829Merge: 4b61d21 4c91a0e
60830Author: Brad Spengler <spender@grsecurity.net>
60831Date: Thu Feb 28 17:43:56 2013 -0500
60832
60833 Merge branch 'linux-3.8.y' into pax-test
60834
60835commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
60836Author: Brad Spengler <spender@grsecurity.net>
60837Date: Wed Feb 27 22:20:22 2013 -0500
60838
60839 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
60840
60841 include/linux/sysrq.h | 1 +
60842 1 files changed, 1 insertions(+), 0 deletions(-)
60843
60844commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
60845Author: Brad Spengler <spender@grsecurity.net>
60846Date: Wed Feb 27 17:52:31 2013 -0500
60847
60848 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
60849
60850 kernel/printk.c | 12 +++++++-----
60851 1 files changed, 7 insertions(+), 5 deletions(-)
60852
60853commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
60854Author: Brad Spengler <spender@grsecurity.net>
60855Date: Wed Feb 27 17:23:46 2013 -0500
60856
60857 Fix upstream vulnerability from addition of a /dev/kmsg device
60858 while neglecting to add the same set of existing permission checks
60859 from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
60860 A temporary workaround without this patch would be to
60861 chmod 0600 /dev/kmsg (and is likely a good idea anyway).
60862
60863 Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
60864 Initially reported to Redhat bugzilla by Christian Kujau:
60865 https://bugzilla.redhat.com/show_bug.cgi?id=903192
60866
60867 kernel/printk.c | 4 ++++
60868 1 files changed, 4 insertions(+), 0 deletions(-)
60869
60870commit 66c04806f5660988c3cb4855e60de294e77e3d0e
60871Author: David Howells <dhowells@redhat.com>
60872Date: Thu Feb 21 12:00:25 2013 +0000
60873
60874 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
60875
60876 KEYS: Revert one application of "Fix unreachable code" patch
60877
60878 A patch to fix some unreachable code in search_my_process_keyrings() got
60879 applied twice by two different routes upstream as commits e67eab39bee2
60880 and b010520ab3d2 (both "fix unreachable code").
60881
60882 Unfortunately, the second application removed something it shouldn't
60883 have and this wasn't detected by GIT. This is due to the patch not
60884 having sufficient lines of context to distinguish the two places of
60885 application.
60886
60887 The effect of this is relatively minor: inside the kernel, the keyring
60888 search routines may search multiple keyrings and then prioritise the
60889 errors if no keys or negative keys are found in any of them. With the
60890 extra deletion, the presence of a negative key in the thread keyring
60891 (causing ENOKEY) is incorrectly overridden by an error searching the
60892 process keyring.
60893
60894 So revert the second application of the patch.
60895
60896 Signed-off-by: David Howells <dhowells@redhat.com>
60897 Cc: Jiri Kosina <jkosina@suse.cz>
60898 Cc: Andrew Morton <akpm@linux-foundation.org>
60899 Cc: stable@vger.kernel.org
60900 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
60901
60902 security/keys/process_keys.c | 2 ++
60903 1 files changed, 2 insertions(+), 0 deletions(-)
60904
60905commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
60906Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
60907Date: Thu Feb 21 16:42:43 2013 -0800
60908
60909 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
60910
60911 configfs: move the dereference below the NULL test
60912
60913 The dereference should be moved below the NULL test.
60914
60915 spatch with a semantic match is used to found this.
60916 (http://coccinelle.lip6.fr/)
60917
60918 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
60919 Cc: Joel Becker <jlbec@evilplan.org>
60920 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
60921 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
60922
60923 fs/configfs/dir.c | 5 +++--
60924 1 files changed, 3 insertions(+), 2 deletions(-)
60925
60926commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
60927Author: Nicolas Pitre <nicolas.pitre@linaro.org>
60928Date: Sun Feb 24 20:06:09 2013 -0500
60929
60930 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
60931
60932 tty vt: fix character insertion overflow
60933
60934 Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
60935 command line edition") broke insert_char() in multiple ways. Then
60936 commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
60937 partially fixed it. However, the buffer being moved is still too large
60938 and overflowing beyond the end of the current line, corrupting existing
60939 characters on the next line.
60940
60941 Example test case:
60942
60943 echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
60944
60945 Expected result:
60946
60947 ab c
60948 de
60949
60950 Current result:
60951
60952 ab c
60953 e
60954
60955 Needless to say that this is very annoying when inserting words in the
60956 middle of paragraphs with certain text editors.
60957
60958 Signed-off-by: Nicolas Pitre <nico@linaro.org>
60959 Cc: Jean-François Moine <moinejf@free.fr>
60960 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
60961 Cc: <stable@vger.kernel.org>
60962 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
60963
60964 drivers/tty/vt/vt.c | 2 +-
60965 1 files changed, 1 insertions(+), 1 deletions(-)
60966
60967commit 6cda35071669b4aabde081bd039e0ffea36f997a
60968Author: Robin Holt <holt@sgi.com>
60969Date: Fri Feb 22 16:35:34 2013 -0800
60970
60971 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
60972
60973 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
60974
60975 There is a race condition between mmu_notifier_unregister() and
60976 __mmu_notifier_release().
60977
60978 Assume two tasks, one calling mmu_notifier_unregister() as a result of a
60979 filp_close() ->flush() callout (task A), and the other calling
60980 mmu_notifier_release() from an mmput() (task B).
60981
60982 A B
60983 t1 srcu_read_lock()
60984 t2 if (!hlist_unhashed())
60985 t3 srcu_read_unlock()
60986 t4 srcu_read_lock()
60987 t5 hlist_del_init_rcu()
60988 t6 synchronize_srcu()
60989 t7 srcu_read_unlock()
60990 t8 hlist_del_rcu() <--- NULL pointer deref.
60991
60992 Additionally, the list traversal in __mmu_notifier_release() is not
60993 protected by the by the mmu_notifier_mm->hlist_lock which can result in
60994 callouts to the ->release() notifier from both mmu_notifier_unregister()
60995 and __mmu_notifier_release().
60996
60997 -stable suggestions:
60998
60999 The stable trees prior to 3.7.y need commits 21a92735f660 and
61000 70400303ce0c cherry-picked in that order prior to cherry-picking this
61001 commit. The 3.7.y tree already has those two commits.
61002
61003 Signed-off-by: Robin Holt <holt@sgi.com>
61004 Cc: Andrea Arcangeli <aarcange@redhat.com>
61005 Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
61006 Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
61007 Cc: Avi Kivity <avi@redhat.com>
61008 Cc: Hugh Dickins <hughd@google.com>
61009 Cc: Marcelo Tosatti <mtosatti@redhat.com>
61010 Cc: Sagi Grimberg <sagig@mellanox.co.il>
61011 Cc: Haggai Eran <haggaie@mellanox.com>
61012 Cc: <stable@vger.kernel.org>
61013 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
61014 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
61015
61016 mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
61017 1 files changed, 42 insertions(+), 40 deletions(-)
61018
61019commit bf5167ed78ba6131c6874887f714bda50c2cab83
61020Author: Mike Galbraith <bitbucket@online.de>
61021Date: Mon Jan 28 12:19:25 2013 +0100
61022
61023 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
61024
61025 sched: Fix select_idle_sibling() bouncing cow syndrome
61026
61027 If the previous CPU is cache affine and idle, select it.
61028
61029 The current implementation simply traverses the sd_llc domain,
61030 taking the first idle CPU encountered, which walks buddy pairs
61031 hand in hand over the package, inflicting excruciating pain.
61032
61033 1 tbench pair (worst case) in a 10 core + SMT package:
61034
61035 pre 15.22 MB/sec 1 procs
61036 post 252.01 MB/sec 1 procs
61037
61038 Signed-off-by: Mike Galbraith <bitbucket@online.de>
61039 Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
61040 Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
61041 Signed-off-by: Ingo Molnar <mingo@kernel.org>
61042
61043 kernel/sched/fair.c | 21 +++++++--------------
61044 1 files changed, 7 insertions(+), 14 deletions(-)
61045
61046commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
61047Author: Eric W. Biederman <ebiederm@xmission.com>
61048Date: Fri Dec 28 18:58:39 2012 -0800
61049
61050 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
61051
61052 userns: Avoid recursion in put_user_ns
61053
61054 When freeing a deeply nested user namespace free_user_ns calls
61055 put_user_ns on it's parent which may in turn call free_user_ns again.
61056 When -fno-optimize-sibling-calls is passed to gcc one stack frame per
61057 user namespace is left on the stack, potentially overflowing the
61058 kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
61059 so we can't count on gcc to optimize this code.
61060
61061 Remove struct kref and use a plain atomic_t. Making the code more
61062 flexible and easier to comprehend. Make the loop in free_user_ns
61063 explict to guarantee that the stack does not overflow with
61064 CONFIG_FRAME_POINTER enabled.
61065
61066 I have tested this fix with a simple program that uses unshare to
61067 create a deeply nested user namespace structure and then calls exit.
61068 With 1000 nesteuser namespaces before this change running my test
61069 program causes the kernel to die a horrible death. With 10,000,000
61070 nested user namespaces after this change my test program runs to
61071 completion and causes no harm.
61072
61073 Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
61074 Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
61075 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
61076
61077 include/linux/user_namespace.h | 10 +++++-----
61078 kernel/user.c | 4 +---
61079 kernel/user_namespace.c | 17 +++++++++--------
61080 3 files changed, 15 insertions(+), 16 deletions(-)
61081
61082commit 81501c7106ccc186c94806f4db954626295b5ebe
61083Author: Brad Spengler <spender@grsecurity.net>
61084Date: Tue Feb 26 17:12:30 2013 -0500
61085
61086 Pass the same flags to kern_path_create as the original function
61087
61088 fs/namei.c | 4 ++--
61089 1 files changed, 2 insertions(+), 2 deletions(-)
61090
61091commit a677c8eee35afe48868f92c7d6745bfe809cd481
61092Author: Al Viro <viro@zeniv.linux.org.uk>
61093Date: Fri Feb 22 22:45:42 2013 -0500
61094
61095 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
61096
61097 get rid of unprotected dereferencing of mnt->mnt_ns
61098
61099 It's safe only under namespace_sem or vfsmount_lock; all places
61100 in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
61101 current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
61102 there).
61103
61104 Cc: stable@vger.kernel.org
61105 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
61106
61107 fs/namespace.c | 29 +++++++++++++++++------------
61108 1 files changed, 17 insertions(+), 12 deletions(-)
61109
61110commit 89298124d0c96dc34a60377e7a1308f8f532ff75
61111Author: Greg Thelen <gthelen@google.com>
61112Date: Fri Feb 22 16:36:01 2013 -0800
61113
61114 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
61115
61116 tmpfs: fix use-after-free of mempolicy object
61117
61118 The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
61119 option is not specified in the remount request. A new policy can be
61120 specified if mpol=M is given.
61121
61122 Before this patch remounting an mpol bound tmpfs without specifying
61123 mpol= mount option in the remount request would set the filesystem's
61124 mempolicy object to a freed mempolicy object.
61125
61126 To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
61127 # mkdir /tmp/x
61128
61129 # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
61130
61131 # grep /tmp/x /proc/mounts
61132 nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
61133
61134 # mount -o remount,size=200M nodev /tmp/x
61135
61136 # grep /tmp/x /proc/mounts
61137 nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
61138 # note ? garbage in mpol=... output above
61139
61140 # dd if=/dev/zero of=/tmp/x/f count=1
61141 # panic here
61142
61143 Panic:
61144 BUG: unable to handle kernel NULL pointer dereference at (null)
61145 IP: [< (null)>] (null)
61146 [...]
61147 Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
61148 Call Trace:
61149 mpol_shared_policy_init+0xa5/0x160
61150 shmem_get_inode+0x209/0x270
61151 shmem_mknod+0x3e/0xf0
61152 shmem_create+0x18/0x20
61153 vfs_create+0xb5/0x130
61154 do_last+0x9a1/0xea0
61155 path_openat+0xb3/0x4d0
61156 do_filp_open+0x42/0xa0
61157 do_sys_open+0xfe/0x1e0
61158 compat_sys_open+0x1b/0x20
61159 cstar_dispatch+0x7/0x1f
61160
61161 Non-debug kernels will not crash immediately because referencing the
61162 dangling mpol will not cause a fault. Instead the filesystem will
61163 reference a freed mempolicy object, which will cause unpredictable
61164 behavior.
61165
61166 The problem boils down to a dropped mpol reference below if
61167 shmem_parse_options() does not allocate a new mpol:
61168
61169 config = *sbinfo
61170 shmem_parse_options(data, &config, true)
61171 mpol_put(sbinfo->mpol)
61172 sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
61173
61174 This patch avoids the crash by not releasing the mempolicy if
61175 shmem_parse_options() doesn't create a new mpol.
61176
61177 How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
61178 not look back further.
61179
61180 Signed-off-by: Greg Thelen <gthelen@google.com>
61181 Acked-by: Hugh Dickins <hughd@google.com>
61182 Cc: <stable@vger.kernel.org>
61183 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
61184 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
61185
61186 mm/shmem.c | 10 ++++++++--
61187 1 files changed, 8 insertions(+), 2 deletions(-)
61188
61189commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
61190Author: Brad Spengler <spender@grsecurity.net>
61191Date: Sat Feb 23 11:08:05 2013 -0500
61192
61193 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
61194 with a family greater or equal then AF_MAX -- the array size of
61195 sock_diag_handlers[]. The current code does not test for this
61196 condition therefore is vulnerable to an out-of-bound access opening
61197 doors for a privilege escalation.
61198
61199 Signed-off-by: Mathias Krause <minipli@googlemail.com>
61200
61201 The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
61202 make the code less readable. Get rid of them and make the lock usage
61203 and access to sock_diag_handlers[] clear on the first sight.
61204
61205 Signed-off-by: Mathias Krause <minipli@googlemail.com>
61206
61207 net/core/sock_diag.c | 27 ++++++++++-----------------
61208 1 files changed, 10 insertions(+), 17 deletions(-)
61209
61210commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
61211Author: Brad Spengler <spender@grsecurity.net>
61212Date: Sat Feb 23 10:58:52 2013 -0500
61213
61214 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
61215
61216 arch/arm/include/asm/domain.h | 1 +
61217 1 files changed, 1 insertions(+), 0 deletions(-)
61218
61219commit 7b729586eb81f344fdedf0942fab0acc738a6725
61220Author: Brad Spengler <spender@grsecurity.net>
61221Date: Fri Feb 22 19:02:51 2013 -0500
61222
61223 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users.
61224
61225 kernel/fork.c | 17 +++++++++++++++++
61226 1 files changed, 17 insertions(+), 0 deletions(-)
61227
61228commit fadc560d0c486af88da83177735f5515e88acdcc
61229Author: Brad Spengler <spender@grsecurity.net>
61230Date: Thu Feb 21 23:06:48 2013 -0500
61231
61232 put is_hugetlbfs_mnt inside ifdefs
61233
61234 grsecurity/gracl.c | 2 ++
61235 1 files changed, 2 insertions(+), 0 deletions(-)
61236
61237commit 8252176922d405484f986eb2cc350b7cd3ae586e
61238Author: Brad Spengler <spender@grsecurity.net>
61239Date: Thu Feb 21 23:02:07 2013 -0500
61240
61241 remove unused label
61242
61243 kernel/module.c | 1 -
61244 1 files changed, 0 insertions(+), 1 deletions(-)
61245
61246commit dad4a980f0b625059e215d13da728aa7fd02a374
61247Author: Brad Spengler <spender@grsecurity.net>
61248Date: Thu Feb 21 23:00:52 2013 -0500
61249
61250 compile fix
61251
61252 fs/open.c | 2 +-
61253 1 files changed, 1 insertions(+), 1 deletions(-)
61254
61255commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
61256Author: Brad Spengler <spender@grsecurity.net>
61257Date: Thu Feb 21 22:57:49 2013 -0500
61258
61259 remove kmalloc_array_error for the same reasons as kcalloc_error
61260
61261 include/linux/slab.h | 9 ---------
61262 1 files changed, 0 insertions(+), 9 deletions(-)
61263
61264commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
61265Author: Brad Spengler <spender@grsecurity.net>
61266Date: Thu Feb 21 22:49:35 2013 -0500
61267
61268 Initial port of grsecurity for Linux 3.8
61269
61270 Documentation/kernel-parameters.txt | 4 +
61271 Makefile | 10 +-
61272 arch/alpha/include/asm/cache.h | 4 +-
61273 arch/alpha/kernel/osf_sys.c | 14 +-
61274 arch/arm/include/asm/cache.h | 2 +
61275 arch/arm/include/asm/thread_info.h | 9 +-
61276 arch/arm/kernel/process.c | 4 +-
61277 arch/arm/kernel/ptrace.c | 9 +
61278 arch/arm/kernel/traps.c | 7 +-
61279 arch/arm/mm/fault.c | 27 +-
61280 arch/arm/mm/mmap.c | 6 +-
61281 arch/avr32/include/asm/cache.h | 4 +-
61282 arch/blackfin/include/asm/cache.h | 3 +-
61283 arch/cris/include/arch-v10/arch/cache.h | 3 +-
61284 arch/cris/include/arch-v32/arch/cache.h | 3 +-
61285 arch/frv/include/asm/cache.h | 3 +-
61286 arch/frv/mm/elf-fdpic.c | 7 +-
61287 arch/hexagon/include/asm/cache.h | 6 +-
61288 arch/ia64/include/asm/cache.h | 3 +-
61289 arch/ia64/kernel/sys_ia64.c | 3 +-
61290 arch/ia64/mm/hugetlbpage.c | 3 +-
61291 arch/m32r/include/asm/cache.h | 4 +-
61292 arch/m68k/include/asm/cache.h | 4 +-
61293 arch/microblaze/include/asm/cache.h | 3 +-
61294 arch/mips/include/asm/cache.h | 3 +-
61295 arch/mips/include/asm/thread_info.h | 9 +-
61296 arch/mips/kernel/ptrace.c | 9 +
61297 arch/mips/kernel/scall32-o32.S | 2 +-
61298 arch/mips/kernel/scall64-64.S | 2 +-
61299 arch/mips/kernel/scall64-n32.S | 2 +-
61300 arch/mips/kernel/scall64-o32.S | 2 +-
61301 arch/mips/mm/mmap.c | 3 +-
61302 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
61303 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
61304 arch/openrisc/include/asm/cache.h | 4 +-
61305 arch/parisc/include/asm/cache.h | 5 +-
61306 arch/parisc/kernel/sys_parisc.c | 19 +-
61307 arch/powerpc/include/asm/cache.h | 3 +-
61308 arch/powerpc/include/asm/thread_info.h | 8 +-
61309 arch/powerpc/kernel/process.c | 10 +-
61310 arch/powerpc/kernel/ptrace.c | 14 +
61311 arch/powerpc/kernel/traps.c | 5 +
61312 arch/powerpc/mm/slice.c | 8 +-
61313 arch/s390/include/asm/cache.h | 4 +-
61314 arch/score/include/asm/cache.h | 4 +-
61315 arch/sh/include/asm/cache.h | 3 +-
61316 arch/sh/mm/mmap.c | 6 +-
61317 arch/sparc/include/asm/cache.h | 4 +-
61318 arch/sparc/include/asm/thread_info_64.h | 9 +-
61319 arch/sparc/kernel/process_32.c | 6 +-
61320 arch/sparc/kernel/process_64.c | 8 +-
61321 arch/sparc/kernel/ptrace_64.c | 14 +
61322 arch/sparc/kernel/sys_sparc_64.c | 6 +-
61323 arch/sparc/kernel/syscalls.S | 8 +-
61324 arch/sparc/kernel/traps_32.c | 8 +-
61325 arch/sparc/kernel/traps_64.c | 28 +-
61326 arch/sparc/kernel/unaligned_64.c | 2 +-
61327 arch/sparc/mm/fault_64.c | 2 +-
61328 arch/sparc/mm/hugetlbpage.c | 3 +-
61329 arch/tile/include/asm/cache.h | 3 +-
61330 arch/um/include/asm/cache.h | 3 +-
61331 arch/unicore32/include/asm/cache.h | 6 +-
61332 arch/x86/Kconfig | 5 +-
61333 arch/x86/Kconfig.debug | 2 +-
61334 arch/x86/ia32/ia32_aout.c | 2 +
61335 arch/x86/include/asm/thread_info.h | 8 +-
61336 arch/x86/kernel/dumpstack.c | 8 +
61337 arch/x86/kernel/entry_32.S | 2 +-
61338 arch/x86/kernel/entry_64.S | 2 +-
61339 arch/x86/kernel/ioport.c | 13 +
61340 arch/x86/kernel/ptrace.c | 14 +
61341 arch/x86/kernel/smpboot.c | 3 +
61342 arch/x86/kernel/sys_i386_32.c | 14 +-
61343 arch/x86/kernel/sys_x86_64.c | 3 +-
61344 arch/x86/kernel/verify_cpu.S | 1 +
61345 arch/x86/kernel/vm86_32.c | 16 +
61346 arch/x86/mm/fault.c | 12 +-
61347 arch/x86/mm/hugetlbpage.c | 3 +-
61348 arch/x86/mm/init.c | 66 +-
61349 arch/x86/net/bpf_jit_comp.c | 126 +-
61350 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
61351 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
61352 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
61353 crypto/ablkcipher.c | 12 +-
61354 crypto/aead.c | 9 +-
61355 crypto/ahash.c | 2 +-
61356 crypto/blkcipher.c | 6 +-
61357 crypto/crypto_user.c | 38 +-
61358 crypto/pcompress.c | 3 +-
61359 crypto/rng.c | 2 +-
61360 crypto/shash.c | 3 +-
61361 drivers/block/cciss.c | 2 +
61362 drivers/char/Kconfig | 4 +-
61363 drivers/char/genrtc.c | 1 +
61364 drivers/char/mem.c | 17 +
61365 drivers/char/random.c | 12 +
61366 drivers/gpu/drm/drm_info.c | 4 +
61367 drivers/hid/hid-wiimote-debug.c | 2 +-
61368 drivers/media/radio/radio-cadet.c | 2 +-
61369 drivers/message/fusion/mptbase.c | 5 +
61370 drivers/net/phy/mdio-bitbang.c | 1 +
61371 drivers/pci/proc.c | 9 +
61372 drivers/rtc/rtc-dev.c | 3 +
61373 drivers/tty/sysrq.c | 2 +-
61374 drivers/tty/vt/keyboard.c | 22 +-
61375 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
61376 drivers/xen/xenfs/xenstored.c | 5 +
61377 fs/attr.c | 1 +
61378 fs/autofs4/waitq.c | 9 +
61379 fs/binfmt_aout.c | 7 +
61380 fs/binfmt_elf.c | 6 +
61381 fs/btrfs/inode.c | 10 +-
61382 fs/btrfs/ioctl.c | 6 +-
61383 fs/compat.c | 18 +
61384 fs/coredump.c | 10 +-
61385 fs/debugfs/inode.c | 4 +
61386 fs/exec.c | 155 +-
61387 fs/ext2/balloc.c | 4 +-
61388 fs/ext3/balloc.c | 4 +-
61389 fs/ext4/balloc.c | 4 +-
61390 fs/fcntl.c | 5 +
61391 fs/file.c | 4 +
61392 fs/filesystems.c | 5 +
61393 fs/fs_struct.c | 26 +-
61394 fs/hugetlbfs/inode.c | 5 +-
61395 fs/namei.c | 269 ++-
61396 fs/namespace.c | 24 +
61397 fs/open.c | 38 +
61398 fs/pipe.c | 2 +-
61399 fs/proc/Kconfig | 10 +-
61400 fs/proc/array.c | 59 +-
61401 fs/proc/base.c | 168 +-
61402 fs/proc/cmdline.c | 4 +
61403 fs/proc/devices.c | 4 +
61404 fs/proc/fd.c | 17 +-
61405 fs/proc/inode.c | 17 +
61406 fs/proc/internal.h | 3 +
61407 fs/proc/kcore.c | 3 +
61408 fs/proc/proc_net.c | 12 +
61409 fs/proc/proc_sysctl.c | 43 +-
61410 fs/proc/root.c | 8 +
61411 fs/proc/task_mmu.c | 75 +-
61412 fs/readdir.c | 19 +
61413 fs/select.c | 2 +
61414 fs/seq_file.c | 12 +-
61415 fs/stat.c | 19 +-
61416 fs/sysfs/dir.c | 12 +
61417 fs/utimes.c | 7 +
61418 fs/xattr.c | 19 +-
61419 grsecurity/Kconfig | 1021 +++++
61420 grsecurity/Makefile | 38 +
61421 grsecurity/gracl.c | 4017 ++++++++++++++++++++
61422 grsecurity/gracl_alloc.c | 105 +
61423 grsecurity/gracl_cap.c | 110 +
61424 grsecurity/gracl_fs.c | 431 +++
61425 grsecurity/gracl_ip.c | 384 ++
61426 grsecurity/gracl_learn.c | 207 +
61427 grsecurity/gracl_res.c | 68 +
61428 grsecurity/gracl_segv.c | 299 ++
61429 grsecurity/gracl_shm.c | 40 +
61430 grsecurity/grsec_chdir.c | 19 +
61431 grsecurity/grsec_chroot.c | 357 ++
61432 grsecurity/grsec_disabled.c | 434 +++
61433 grsecurity/grsec_exec.c | 174 +
61434 grsecurity/grsec_fifo.c | 24 +
61435 grsecurity/grsec_fork.c | 23 +
61436 grsecurity/grsec_init.c | 283 ++
61437 grsecurity/grsec_link.c | 58 +
61438 grsecurity/grsec_log.c | 329 ++
61439 grsecurity/grsec_mem.c | 40 +
61440 grsecurity/grsec_mount.c | 62 +
61441 grsecurity/grsec_pax.c | 36 +
61442 grsecurity/grsec_ptrace.c | 30 +
61443 grsecurity/grsec_sig.c | 222 ++
61444 grsecurity/grsec_sock.c | 244 ++
61445 grsecurity/grsec_sysctl.c | 469 +++
61446 grsecurity/grsec_time.c | 16 +
61447 grsecurity/grsec_tpe.c | 73 +
61448 grsecurity/grsum.c | 61 +
61449 include/linux/capability.h | 5 +
61450 include/linux/cred.h | 3 +
61451 include/linux/fs.h | 10 +
61452 include/linux/fsnotify.h | 6 +
61453 include/linux/gracl.h | 319 ++
61454 include/linux/gralloc.h | 9 +
61455 include/linux/grdefs.h | 140 +
61456 include/linux/grinternal.h | 215 ++
61457 include/linux/grmsg.h | 111 +
61458 include/linux/grsecurity.h | 257 ++
61459 include/linux/grsock.h | 19 +
61460 include/linux/kallsyms.h | 14 +-
61461 include/linux/kmod.h | 2 +
61462 include/linux/netfilter/xt_gradm.h | 9 +
61463 include/linux/printk.h | 3 +-
61464 include/linux/proc_fs.h | 12 +
61465 include/linux/sched.h | 66 +-
61466 include/linux/security.h | 1 +
61467 include/linux/seq_file.h | 3 +
61468 include/linux/shm.h | 4 +
61469 include/linux/sysctl.h | 2 +
61470 include/linux/thread_info.h | 2 +
61471 include/linux/vermagic.h | 9 +-
61472 include/trace/events/fs.h | 53 +
61473 include/uapi/linux/personality.h | 1 +
61474 init/Kconfig | 5 +-
61475 init/main.c | 14 +
61476 ipc/mqueue.c | 1 +
61477 ipc/shm.c | 28 +
61478 kernel/capability.c | 39 +-
61479 kernel/cgroup.c | 2 +-
61480 kernel/compat.c | 1 +
61481 kernel/configs.c | 11 +
61482 kernel/cred.c | 109 +-
61483 kernel/exit.c | 10 +-
61484 kernel/fork.c | 24 +-
61485 kernel/futex.c | 1 +
61486 kernel/kallsyms.c | 9 +
61487 kernel/kcmp.c | 4 +
61488 kernel/kmod.c | 71 +-
61489 kernel/kprobes.c | 4 +-
61490 kernel/ksysfs.c | 2 +
61491 kernel/lockdep_proc.c | 10 +-
61492 kernel/module.c | 80 +-
61493 kernel/panic.c | 4 +-
61494 kernel/pid.c | 19 +-
61495 kernel/posix-timers.c | 8 +
61496 kernel/printk.c | 5 +
61497 kernel/ptrace.c | 20 +-
61498 kernel/resource.c | 10 +
61499 kernel/sched/core.c | 6 +-
61500 kernel/signal.c | 37 +-
61501 kernel/sys.c | 38 +-
61502 kernel/sysctl.c | 39 +-
61503 kernel/taskstats.c | 6 +
61504 kernel/time.c | 5 +
61505 kernel/time/timekeeping.c | 3 +
61506 kernel/time/timer_list.c | 12 +
61507 kernel/time/timer_stats.c | 10 +-
61508 lib/Kconfig.debug | 5 +-
61509 lib/is_single_threaded.c | 3 +
61510 lib/vsprintf.c | 35 +-
61511 localversion-grsec | 1 +
61512 mm/Kconfig | 4 +-
61513 mm/filemap.c | 1 +
61514 mm/kmemleak.c | 4 +-
61515 mm/mempolicy.c | 12 +-
61516 mm/migrate.c | 3 +-
61517 mm/mlock.c | 3 +
61518 mm/mmap.c | 62 +-
61519 mm/mprotect.c | 8 +
61520 mm/page_alloc.c | 6 +
61521 mm/process_vm_access.c | 6 +
61522 mm/shmem.c | 2 +-
61523 mm/slab.c | 2 +-
61524 mm/slub.c | 14 +-
61525 mm/vmalloc.c | 4 +
61526 mm/vmstat.c | 18 +-
61527 net/core/dev.c | 9 +
61528 net/core/sock_diag.c | 7 +
61529 net/ipv4/inet_hashtables.c | 5 +
61530 net/ipv4/ip_sockglue.c | 3 +-
61531 net/ipv4/tcp_input.c | 4 +-
61532 net/ipv4/tcp_ipv4.c | 24 +-
61533 net/ipv4/tcp_minisocks.c | 9 +-
61534 net/ipv4/tcp_timer.c | 11 +
61535 net/ipv4/udp.c | 24 +
61536 net/ipv6/tcp_ipv6.c | 23 +-
61537 net/ipv6/udp.c | 7 +
61538 net/netfilter/Kconfig | 10 +
61539 net/netfilter/Makefile | 1 +
61540 net/netfilter/nf_conntrack_core.c | 8 +
61541 net/netfilter/xt_gradm.c | 51 +
61542 net/netrom/af_netrom.c | 2 +-
61543 net/phonet/af_phonet.c | 4 +-
61544 net/sctp/proc.c | 3 +-
61545 net/socket.c | 62 +-
61546 net/sysctl_net.c | 2 +-
61547 net/unix/af_unix.c | 19 +
61548 security/Kconfig | 320 ++-
61549 security/apparmor/lsm.c | 2 +-
61550 security/commoncap.c | 29 +
61551 security/min_addr.c | 2 +
61552 security/security.c | 2 -
61553 security/selinux/hooks.c | 2 -
61554 security/yama/Kconfig | 2 +-
61555 tools/gcc/Makefile | 2 +-
61556 286 files changed, 15083 insertions(+), 2067 deletions(-)
61557
61558commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
61559Author: Brad Spengler <spender@grsecurity.net>
61560Date: Wed Feb 20 21:00:42 2013 -0500
61561
61562 Initial import of pax-linux-3.8-test3.patch
61563
61564 Documentation/dontdiff | 43 +-
61565 Documentation/kernel-parameters.txt | 7 +
61566 Makefile | 97 +-
61567 arch/alpha/include/asm/atomic.h | 10 +
61568 arch/alpha/include/asm/elf.h | 7 +
61569 arch/alpha/include/asm/pgalloc.h | 6 +
61570 arch/alpha/include/asm/pgtable.h | 11 +
61571 arch/alpha/kernel/module.c | 2 +-
61572 arch/alpha/kernel/osf_sys.c | 10 +-
61573 arch/alpha/mm/fault.c | 141 +-
61574 arch/arm/Kconfig | 2 +-
61575 arch/arm/include/asm/atomic.h | 421 +++-
61576 arch/arm/include/asm/cache.h | 3 +-
61577 arch/arm/include/asm/cacheflush.h | 2 +-
61578 arch/arm/include/asm/checksum.h | 14 +-
61579 arch/arm/include/asm/cmpxchg.h | 2 +
61580 arch/arm/include/asm/delay.h | 8 +-
61581 arch/arm/include/asm/domain.h | 32 +-
61582 arch/arm/include/asm/elf.h | 13 +-
61583 arch/arm/include/asm/fncpy.h | 2 +
61584 arch/arm/include/asm/futex.h | 10 +
61585 arch/arm/include/asm/kmap_types.h | 2 +-
61586 arch/arm/include/asm/mach/dma.h | 2 +-
61587 arch/arm/include/asm/mach/map.h | 7 +-
61588 arch/arm/include/asm/outercache.h | 2 +-
61589 arch/arm/include/asm/page.h | 2 +-
61590 arch/arm/include/asm/pgalloc.h | 22 +-
61591 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
61592 arch/arm/include/asm/pgtable-2level.h | 1 +
61593 arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
61594 arch/arm/include/asm/pgtable-3level.h | 2 +
61595 arch/arm/include/asm/pgtable.h | 56 +-
61596 arch/arm/include/asm/proc-fns.h | 2 +-
61597 arch/arm/include/asm/processor.h | 5 +-
61598 arch/arm/include/asm/smp.h | 2 +-
61599 arch/arm/include/asm/thread_info.h | 6 +-
61600 arch/arm/include/asm/uaccess.h | 92 +-
61601 arch/arm/include/uapi/asm/ptrace.h | 2 +-
61602 arch/arm/kernel/armksyms.c | 4 +-
61603 arch/arm/kernel/entry-armv.S | 107 +-
61604 arch/arm/kernel/entry-common.S | 41 +-
61605 arch/arm/kernel/entry-header.S | 60 +
61606 arch/arm/kernel/fiq.c | 2 +
61607 arch/arm/kernel/head.S | 6 +-
61608 arch/arm/kernel/hw_breakpoint.c | 2 +-
61609 arch/arm/kernel/module.c | 29 +-
61610 arch/arm/kernel/perf_event_cpu.c | 2 +-
61611 arch/arm/kernel/process.c | 10 +-
61612 arch/arm/kernel/setup.c | 22 +-
61613 arch/arm/kernel/smp.c | 2 +-
61614 arch/arm/kernel/traps.c | 8 +-
61615 arch/arm/kernel/vmlinux.lds.S | 20 +-
61616 arch/arm/lib/clear_user.S | 6 +-
61617 arch/arm/lib/copy_from_user.S | 6 +-
61618 arch/arm/lib/copy_page.S | 1 +
61619 arch/arm/lib/copy_to_user.S | 6 +-
61620 arch/arm/lib/csumpartialcopyuser.S | 4 +-
61621 arch/arm/lib/delay.c | 14 +-
61622 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
61623 arch/arm/mach-kirkwood/common.c | 19 +-
61624 arch/arm/mach-omap2/board-n8x0.c | 2 +-
61625 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
61626 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
61627 arch/arm/mach-ux500/include/mach/setup.h | 7 -
61628 arch/arm/mm/Kconfig | 3 +-
61629 arch/arm/mm/fault.c | 78 +
61630 arch/arm/mm/fault.h | 12 +
61631 arch/arm/mm/init.c | 41 +
61632 arch/arm/mm/ioremap.c | 4 +-
61633 arch/arm/mm/mmap.c | 36 +-
61634 arch/arm/mm/mmu.c | 186 +-
61635 arch/arm/mm/proc-v7-2level.S | 3 +
61636 arch/arm/plat-omap/sram.c | 2 +
61637 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
61638 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
61639 arch/arm64/kernel/debug-monitors.c | 2 +-
61640 arch/arm64/kernel/hw_breakpoint.c | 2 +-
61641 arch/avr32/include/asm/elf.h | 8 +-
61642 arch/avr32/include/asm/kmap_types.h | 4 +-
61643 arch/avr32/mm/fault.c | 27 +
61644 arch/frv/include/asm/atomic.h | 10 +
61645 arch/frv/include/asm/kmap_types.h | 2 +-
61646 arch/frv/mm/elf-fdpic.c | 7 +-
61647 arch/ia64/include/asm/atomic.h | 10 +
61648 arch/ia64/include/asm/elf.h | 7 +
61649 arch/ia64/include/asm/pgalloc.h | 12 +
61650 arch/ia64/include/asm/pgtable.h | 13 +-
61651 arch/ia64/include/asm/spinlock.h | 2 +-
61652 arch/ia64/include/asm/uaccess.h | 28 +-
61653 arch/ia64/kernel/err_inject.c | 2 +-
61654 arch/ia64/kernel/mca.c | 2 +-
61655 arch/ia64/kernel/module.c | 48 +-
61656 arch/ia64/kernel/palinfo.c | 2 +-
61657 arch/ia64/kernel/salinfo.c | 2 +-
61658 arch/ia64/kernel/sys_ia64.c | 13 +-
61659 arch/ia64/kernel/topology.c | 2 +-
61660 arch/ia64/kernel/vmlinux.lds.S | 2 +-
61661 arch/ia64/mm/fault.c | 32 +-
61662 arch/ia64/mm/hugetlbpage.c | 2 +-
61663 arch/ia64/mm/init.c | 13 +
61664 arch/m32r/lib/usercopy.c | 6 +
61665 arch/mips/include/asm/atomic.h | 14 +
61666 arch/mips/include/asm/elf.h | 11 +-
61667 arch/mips/include/asm/exec.h | 2 +-
61668 arch/mips/include/asm/page.h | 2 +-
61669 arch/mips/include/asm/pgalloc.h | 5 +
61670 arch/mips/kernel/binfmt_elfn32.c | 7 +
61671 arch/mips/kernel/binfmt_elfo32.c | 7 +
61672 arch/mips/kernel/process.c | 12 -
61673 arch/mips/mm/fault.c | 17 +
61674 arch/mips/mm/mmap.c | 51 +-
61675 arch/parisc/include/asm/atomic.h | 10 +
61676 arch/parisc/include/asm/elf.h | 7 +
61677 arch/parisc/include/asm/pgalloc.h | 6 +
61678 arch/parisc/include/asm/pgtable.h | 11 +
61679 arch/parisc/include/asm/uaccess.h | 4 +-
61680 arch/parisc/kernel/module.c | 50 +-
61681 arch/parisc/kernel/sys_parisc.c | 6 +-
61682 arch/parisc/kernel/traps.c | 4 +-
61683 arch/parisc/mm/fault.c | 140 +-
61684 arch/powerpc/include/asm/atomic.h | 10 +
61685 arch/powerpc/include/asm/elf.h | 19 +-
61686 arch/powerpc/include/asm/exec.h | 2 +-
61687 arch/powerpc/include/asm/kmap_types.h | 2 +-
61688 arch/powerpc/include/asm/mman.h | 2 +-
61689 arch/powerpc/include/asm/page.h | 8 +-
61690 arch/powerpc/include/asm/page_64.h | 7 +-
61691 arch/powerpc/include/asm/pgalloc-64.h | 7 +
61692 arch/powerpc/include/asm/pgtable.h | 1 +
61693 arch/powerpc/include/asm/pte-hash32.h | 1 +
61694 arch/powerpc/include/asm/reg.h | 1 +
61695 arch/powerpc/include/asm/uaccess.h | 142 +-
61696 arch/powerpc/kernel/exceptions-64e.S | 4 +-
61697 arch/powerpc/kernel/exceptions-64s.S | 2 +-
61698 arch/powerpc/kernel/module_32.c | 13 +-
61699 arch/powerpc/kernel/process.c | 55 -
61700 arch/powerpc/kernel/signal_32.c | 2 +-
61701 arch/powerpc/kernel/signal_64.c | 2 +-
61702 arch/powerpc/kernel/sysfs.c | 2 +-
61703 arch/powerpc/kernel/vdso.c | 5 +-
61704 arch/powerpc/lib/usercopy_64.c | 18 -
61705 arch/powerpc/mm/fault.c | 54 +-
61706 arch/powerpc/mm/mmap_64.c | 16 +
61707 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
61708 arch/powerpc/mm/numa.c | 2 +-
61709 arch/powerpc/mm/slice.c | 23 +-
61710 arch/powerpc/platforms/powermac/smp.c | 2 +-
61711 arch/s390/include/asm/atomic.h | 10 +
61712 arch/s390/include/asm/elf.h | 13 +-
61713 arch/s390/include/asm/exec.h | 2 +-
61714 arch/s390/include/asm/uaccess.h | 15 +-
61715 arch/s390/kernel/module.c | 22 +-
61716 arch/s390/kernel/process.c | 36 -
61717 arch/s390/mm/mmap.c | 24 +
61718 arch/score/include/asm/exec.h | 2 +-
61719 arch/score/kernel/process.c | 5 -
61720 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
61721 arch/sh/mm/mmap.c | 22 +-
61722 arch/sparc/include/asm/atomic_64.h | 106 +-
61723 arch/sparc/include/asm/cache.h | 2 +-
61724 arch/sparc/include/asm/elf_32.h | 7 +
61725 arch/sparc/include/asm/elf_64.h | 7 +
61726 arch/sparc/include/asm/pgalloc_32.h | 1 +
61727 arch/sparc/include/asm/pgalloc_64.h | 1 +
61728 arch/sparc/include/asm/pgtable_32.h | 15 +-
61729 arch/sparc/include/asm/pgtsrmmu.h | 5 +
61730 arch/sparc/include/asm/spinlock_64.h | 35 +-
61731 arch/sparc/include/asm/thread_info_32.h | 2 +
61732 arch/sparc/include/asm/thread_info_64.h | 2 +
61733 arch/sparc/include/asm/uaccess.h | 8 +
61734 arch/sparc/include/asm/uaccess_32.h | 27 +-
61735 arch/sparc/include/asm/uaccess_64.h | 19 +-
61736 arch/sparc/kernel/Makefile | 2 +-
61737 arch/sparc/kernel/sys_sparc_32.c | 2 +-
61738 arch/sparc/kernel/sys_sparc_64.c | 48 +-
61739 arch/sparc/kernel/sysfs.c | 2 +-
61740 arch/sparc/kernel/traps_64.c | 13 +-
61741 arch/sparc/lib/Makefile | 2 +-
61742 arch/sparc/lib/atomic_64.S | 136 +-
61743 arch/sparc/lib/ksyms.c | 6 +
61744 arch/sparc/mm/Makefile | 2 +-
61745 arch/sparc/mm/fault_32.c | 292 ++
61746 arch/sparc/mm/fault_64.c | 486 +++
61747 arch/sparc/mm/hugetlbpage.c | 21 +-
61748 arch/tile/include/asm/atomic_64.h | 10 +
61749 arch/tile/include/asm/uaccess.h | 4 +-
61750 arch/um/Makefile | 4 +
61751 arch/um/include/asm/kmap_types.h | 2 +-
61752 arch/um/include/asm/page.h | 3 +
61753 arch/um/include/asm/pgtable-3level.h | 1 +
61754 arch/um/kernel/process.c | 16 -
61755 arch/x86/Kconfig | 10 +-
61756 arch/x86/Kconfig.cpu | 6 +-
61757 arch/x86/Kconfig.debug | 6 +-
61758 arch/x86/Makefile | 10 +
61759 arch/x86/boot/Makefile | 3 +
61760 arch/x86/boot/bitops.h | 4 +-
61761 arch/x86/boot/boot.h | 4 +-
61762 arch/x86/boot/compressed/Makefile | 3 +
61763 arch/x86/boot/compressed/eboot.c | 2 -
61764 arch/x86/boot/compressed/head_32.S | 7 +-
61765 arch/x86/boot/compressed/head_64.S | 4 +-
61766 arch/x86/boot/compressed/misc.c | 4 +-
61767 arch/x86/boot/cpucheck.c | 28 +-
61768 arch/x86/boot/header.S | 6 +-
61769 arch/x86/boot/memory.c | 2 +-
61770 arch/x86/boot/video-vesa.c | 1 +
61771 arch/x86/boot/video.c | 2 +-
61772 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
61773 arch/x86/crypto/aesni-intel_asm.S | 31 +
61774 arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
61775 arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
61776 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
61777 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
61778 arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
61779 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
61780 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
61781 arch/x86/crypto/sha1_ssse3_asm.S | 3 +
61782 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
61783 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
61784 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
61785 arch/x86/ia32/ia32_signal.c | 14 +-
61786 arch/x86/ia32/ia32entry.S | 141 +-
61787 arch/x86/ia32/sys_ia32.c | 12 +-
61788 arch/x86/include/asm/alternative-asm.h | 39 +
61789 arch/x86/include/asm/alternative.h | 4 +-
61790 arch/x86/include/asm/apic.h | 2 +-
61791 arch/x86/include/asm/apm.h | 4 +-
61792 arch/x86/include/asm/atomic.h | 307 ++-
61793 arch/x86/include/asm/atomic64_32.h | 100 +
61794 arch/x86/include/asm/atomic64_64.h | 202 ++-
61795 arch/x86/include/asm/bitops.h | 2 +-
61796 arch/x86/include/asm/boot.h | 7 +-
61797 arch/x86/include/asm/cache.h | 5 +-
61798 arch/x86/include/asm/cacheflush.h | 2 +-
61799 arch/x86/include/asm/checksum_32.h | 12 +-
61800 arch/x86/include/asm/cmpxchg.h | 35 +
61801 arch/x86/include/asm/cpufeature.h | 4 +-
61802 arch/x86/include/asm/desc.h | 65 +-
61803 arch/x86/include/asm/desc_defs.h | 6 +
61804 arch/x86/include/asm/elf.h | 31 +-
61805 arch/x86/include/asm/emergency-restart.h | 2 +-
61806 arch/x86/include/asm/fpu-internal.h | 6 +-
61807 arch/x86/include/asm/futex.h | 16 +-
61808 arch/x86/include/asm/hw_irq.h | 4 +-
61809 arch/x86/include/asm/io.h | 13 +-
61810 arch/x86/include/asm/irqflags.h | 5 +
61811 arch/x86/include/asm/kprobes.h | 9 +-
61812 arch/x86/include/asm/local.h | 142 +-
61813 arch/x86/include/asm/mman.h | 15 +
61814 arch/x86/include/asm/mmu.h | 16 +-
61815 arch/x86/include/asm/mmu_context.h | 76 +-
61816 arch/x86/include/asm/module.h | 17 +-
61817 arch/x86/include/asm/page_64_types.h | 2 +-
61818 arch/x86/include/asm/paravirt.h | 44 +-
61819 arch/x86/include/asm/paravirt_types.h | 17 +-
61820 arch/x86/include/asm/pgalloc.h | 23 +
61821 arch/x86/include/asm/pgtable-2level.h | 2 +
61822 arch/x86/include/asm/pgtable-3level.h | 4 +
61823 arch/x86/include/asm/pgtable.h | 110 +-
61824 arch/x86/include/asm/pgtable_32.h | 14 +-
61825 arch/x86/include/asm/pgtable_32_types.h | 15 +-
61826 arch/x86/include/asm/pgtable_64.h | 19 +-
61827 arch/x86/include/asm/pgtable_64_types.h | 5 +
61828 arch/x86/include/asm/pgtable_types.h | 36 +-
61829 arch/x86/include/asm/processor.h | 39 +-
61830 arch/x86/include/asm/ptrace.h | 26 +-
61831 arch/x86/include/asm/realmode.h | 4 +-
61832 arch/x86/include/asm/reboot.h | 10 +-
61833 arch/x86/include/asm/rwsem.h | 60 +-
61834 arch/x86/include/asm/segment.h | 24 +-
61835 arch/x86/include/asm/smp.h | 14 +-
61836 arch/x86/include/asm/spinlock.h | 36 +-
61837 arch/x86/include/asm/stackprotector.h | 4 +-
61838 arch/x86/include/asm/stacktrace.h | 32 +-
61839 arch/x86/include/asm/switch_to.h | 4 +-
61840 arch/x86/include/asm/thread_info.h | 83 +-
61841 arch/x86/include/asm/uaccess.h | 96 +-
61842 arch/x86/include/asm/uaccess_32.h | 106 +-
61843 arch/x86/include/asm/uaccess_64.h | 232 +-
61844 arch/x86/include/asm/word-at-a-time.h | 2 +-
61845 arch/x86/include/asm/x86_init.h | 10 +-
61846 arch/x86/include/asm/xsave.h | 10 +-
61847 arch/x86/include/uapi/asm/e820.h | 2 +-
61848 arch/x86/kernel/Makefile | 2 +-
61849 arch/x86/kernel/acpi/sleep.c | 4 +
61850 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
61851 arch/x86/kernel/alternative.c | 65 +-
61852 arch/x86/kernel/apic/apic.c | 6 +-
61853 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
61854 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
61855 arch/x86/kernel/apic/es7000_32.c | 5 +-
61856 arch/x86/kernel/apic/io_apic.c | 8 +-
61857 arch/x86/kernel/apic/numaq_32.c | 3 +-
61858 arch/x86/kernel/apic/probe_32.c | 2 +-
61859 arch/x86/kernel/apic/summit_32.c | 2 +-
61860 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
61861 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
61862 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
61863 arch/x86/kernel/apm_32.c | 19 +-
61864 arch/x86/kernel/asm-offsets.c | 20 +
61865 arch/x86/kernel/asm-offsets_64.c | 1 +
61866 arch/x86/kernel/cpu/Makefile | 4 -
61867 arch/x86/kernel/cpu/amd.c | 2 +-
61868 arch/x86/kernel/cpu/common.c | 75 +-
61869 arch/x86/kernel/cpu/intel.c | 2 +-
61870 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
61871 arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
61872 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
61873 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
61874 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
61875 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
61876 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
61877 arch/x86/kernel/cpu/perf_event.c | 4 +-
61878 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
61879 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
61880 arch/x86/kernel/cpuid.c | 2 +-
61881 arch/x86/kernel/crash.c | 4 +-
61882 arch/x86/kernel/doublefault_32.c | 8 +-
61883 arch/x86/kernel/dumpstack.c | 30 +-
61884 arch/x86/kernel/dumpstack_32.c | 34 +-
61885 arch/x86/kernel/dumpstack_64.c | 63 +-
61886 arch/x86/kernel/early_printk.c | 1 +
61887 arch/x86/kernel/entry_32.S | 354 ++-
61888 arch/x86/kernel/entry_64.S | 512 +++-
61889 arch/x86/kernel/ftrace.c | 14 +-
61890 arch/x86/kernel/head32.c | 4 +-
61891 arch/x86/kernel/head_32.S | 237 ++-
61892 arch/x86/kernel/head_64.S | 158 +-
61893 arch/x86/kernel/i386_ksyms_32.c | 8 +
61894 arch/x86/kernel/i387.c | 2 +-
61895 arch/x86/kernel/i8259.c | 2 +-
61896 arch/x86/kernel/ioport.c | 2 +-
61897 arch/x86/kernel/irq.c | 10 +-
61898 arch/x86/kernel/irq_32.c | 69 +-
61899 arch/x86/kernel/irq_64.c | 2 +-
61900 arch/x86/kernel/kdebugfs.c | 2 +-
61901 arch/x86/kernel/kgdb.c | 25 +-
61902 arch/x86/kernel/kprobes-opt.c | 12 +-
61903 arch/x86/kernel/kprobes.c | 30 +-
61904 arch/x86/kernel/kvm.c | 2 +-
61905 arch/x86/kernel/ldt.c | 31 +-
61906 arch/x86/kernel/machine_kexec_32.c | 6 +-
61907 arch/x86/kernel/microcode_core.c | 2 +-
61908 arch/x86/kernel/microcode_intel.c | 4 +-
61909 arch/x86/kernel/module.c | 76 +-
61910 arch/x86/kernel/msr.c | 2 +-
61911 arch/x86/kernel/nmi.c | 11 +
61912 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
61913 arch/x86/kernel/paravirt.c | 43 +-
61914 arch/x86/kernel/pci-iommu_table.c | 2 +-
61915 arch/x86/kernel/process.c | 57 +-
61916 arch/x86/kernel/process_32.c | 29 +-
61917 arch/x86/kernel/process_64.c | 15 +-
61918 arch/x86/kernel/ptrace.c | 25 +-
61919 arch/x86/kernel/pvclock.c | 8 +-
61920 arch/x86/kernel/reboot.c | 44 +-
61921 arch/x86/kernel/relocate_kernel_64.S | 4 +-
61922 arch/x86/kernel/setup.c | 14 +-
61923 arch/x86/kernel/setup_percpu.c | 27 +-
61924 arch/x86/kernel/signal.c | 15 +-
61925 arch/x86/kernel/smp.c | 2 +-
61926 arch/x86/kernel/smpboot.c | 15 +-
61927 arch/x86/kernel/step.c | 10 +-
61928 arch/x86/kernel/sys_i386_32.c | 247 ++
61929 arch/x86/kernel/sys_x86_64.c | 19 +-
61930 arch/x86/kernel/tboot.c | 14 +-
61931 arch/x86/kernel/time.c | 10 +-
61932 arch/x86/kernel/tls.c | 7 +-
61933 arch/x86/kernel/traps.c | 64 +-
61934 arch/x86/kernel/uprobes.c | 2 +-
61935 arch/x86/kernel/vm86_32.c | 6 +-
61936 arch/x86/kernel/vmlinux.lds.S | 148 +-
61937 arch/x86/kernel/vsyscall_64.c | 12 +-
61938 arch/x86/kernel/x8664_ksyms_64.c | 2 -
61939 arch/x86/kernel/x86_init.c | 8 +-
61940 arch/x86/kernel/xsave.c | 2 +
61941 arch/x86/kvm/cpuid.c | 21 +-
61942 arch/x86/kvm/emulate.c | 4 +-
61943 arch/x86/kvm/lapic.c | 2 +-
61944 arch/x86/kvm/paging_tmpl.h | 2 +-
61945 arch/x86/kvm/svm.c | 8 +
61946 arch/x86/kvm/vmx.c | 47 +-
61947 arch/x86/kvm/x86.c | 10 +-
61948 arch/x86/lguest/boot.c | 3 +-
61949 arch/x86/lib/atomic64_386_32.S | 164 +
61950 arch/x86/lib/atomic64_cx8_32.S | 103 +-
61951 arch/x86/lib/checksum_32.S | 100 +-
61952 arch/x86/lib/clear_page_64.S | 5 +-
61953 arch/x86/lib/cmpxchg16b_emu.S | 2 +
61954 arch/x86/lib/copy_page_64.S | 24 +-
61955 arch/x86/lib/copy_user_64.S | 47 +-
61956 arch/x86/lib/copy_user_nocache_64.S | 20 +-
61957 arch/x86/lib/csum-copy_64.S | 2 +
61958 arch/x86/lib/csum-wrappers_64.c | 4 +-
61959 arch/x86/lib/getuser.S | 68 +-
61960 arch/x86/lib/insn.c | 6 +-
61961 arch/x86/lib/iomap_copy_64.S | 2 +
61962 arch/x86/lib/memcpy_64.S | 18 +-
61963 arch/x86/lib/memmove_64.S | 34 +-
61964 arch/x86/lib/memset_64.S | 7 +-
61965 arch/x86/lib/mmx_32.c | 243 +-
61966 arch/x86/lib/msr-reg.S | 18 +-
61967 arch/x86/lib/putuser.S | 90 +-
61968 arch/x86/lib/rwlock.S | 42 +
61969 arch/x86/lib/rwsem.S | 6 +-
61970 arch/x86/lib/thunk_64.S | 2 +
61971 arch/x86/lib/usercopy_32.c | 376 ++-
61972 arch/x86/lib/usercopy_64.c | 25 +-
61973 arch/x86/mm/extable.c | 25 +-
61974 arch/x86/mm/fault.c | 555 +++-
61975 arch/x86/mm/gup.c | 2 +-
61976 arch/x86/mm/highmem_32.c | 4 +
61977 arch/x86/mm/hugetlbpage.c | 30 +-
61978 arch/x86/mm/init.c | 92 +-
61979 arch/x86/mm/init_32.c | 122 +-
61980 arch/x86/mm/init_64.c | 48 +-
61981 arch/x86/mm/iomap_32.c | 4 +
61982 arch/x86/mm/ioremap.c | 12 +-
61983 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
61984 arch/x86/mm/mmap.c | 41 +-
61985 arch/x86/mm/mmio-mod.c | 10 +-
61986 arch/x86/mm/pageattr-test.c | 2 +-
61987 arch/x86/mm/pageattr.c | 33 +-
61988 arch/x86/mm/pat.c | 12 +-
61989 arch/x86/mm/pf_in.c | 10 +-
61990 arch/x86/mm/pgtable.c | 137 +-
61991 arch/x86/mm/pgtable_32.c | 3 +
61992 arch/x86/mm/setup_nx.c | 7 +
61993 arch/x86/mm/tlb.c | 4 +
61994 arch/x86/net/bpf_jit.S | 14 +
61995 arch/x86/net/bpf_jit_comp.c | 37 +-
61996 arch/x86/oprofile/backtrace.c | 8 +-
61997 arch/x86/pci/amd_bus.c | 2 +-
61998 arch/x86/pci/mrst.c | 4 +-
61999 arch/x86/pci/pcbios.c | 144 +-
62000 arch/x86/platform/efi/efi_32.c | 19 +
62001 arch/x86/platform/efi/efi_stub_32.S | 64 +-
62002 arch/x86/platform/efi/efi_stub_64.S | 8 +
62003 arch/x86/platform/mrst/mrst.c | 6 +-
62004 arch/x86/platform/olpc/olpc_dt.c | 2 +-
62005 arch/x86/power/cpu.c | 4 +-
62006 arch/x86/realmode/init.c | 8 +-
62007 arch/x86/realmode/rm/Makefile | 3 +
62008 arch/x86/realmode/rm/header.S | 4 +-
62009 arch/x86/realmode/rm/trampoline_32.S | 12 +-
62010 arch/x86/realmode/rm/trampoline_64.S | 2 +-
62011 arch/x86/tools/relocs.c | 95 +-
62012 arch/x86/vdso/Makefile | 2 +-
62013 arch/x86/vdso/vdso32-setup.c | 23 +-
62014 arch/x86/vdso/vma.c | 29 +-
62015 arch/x86/xen/enlighten.c | 47 +-
62016 arch/x86/xen/mmu.c | 9 +
62017 arch/x86/xen/smp.c | 18 +-
62018 arch/x86/xen/xen-asm_32.S | 12 +-
62019 arch/x86/xen/xen-head.S | 11 +
62020 arch/x86/xen/xen-ops.h | 2 -
62021 block/blk-iopoll.c | 4 +-
62022 block/blk-map.c | 2 +-
62023 block/blk-softirq.c | 4 +-
62024 block/bsg.c | 12 +-
62025 block/compat_ioctl.c | 2 +-
62026 block/partitions/efi.c | 8 +-
62027 block/scsi_ioctl.c | 27 +-
62028 crypto/cryptd.c | 4 +-
62029 drivers/acpi/apei/cper.c | 8 +-
62030 drivers/acpi/ec_sys.c | 12 +-
62031 drivers/acpi/processor_driver.c | 2 +-
62032 drivers/ata/libata-core.c | 8 +-
62033 drivers/ata/pata_arasan_cf.c | 4 +-
62034 drivers/atm/adummy.c | 2 +-
62035 drivers/atm/ambassador.c | 8 +-
62036 drivers/atm/atmtcp.c | 14 +-
62037 drivers/atm/eni.c | 10 +-
62038 drivers/atm/firestream.c | 8 +-
62039 drivers/atm/fore200e.c | 14 +-
62040 drivers/atm/he.c | 18 +-
62041 drivers/atm/horizon.c | 4 +-
62042 drivers/atm/idt77252.c | 36 +-
62043 drivers/atm/iphase.c | 34 +-
62044 drivers/atm/lanai.c | 12 +-
62045 drivers/atm/nicstar.c | 46 +-
62046 drivers/atm/solos-pci.c | 4 +-
62047 drivers/atm/suni.c | 4 +-
62048 drivers/atm/uPD98402.c | 16 +-
62049 drivers/atm/zatm.c | 6 +-
62050 drivers/base/devtmpfs.c | 2 +-
62051 drivers/base/power/wakeup.c | 8 +-
62052 drivers/block/cciss.c | 28 +-
62053 drivers/block/cciss.h | 2 +-
62054 drivers/block/cpqarray.c | 28 +-
62055 drivers/block/cpqarray.h | 2 +-
62056 drivers/block/drbd/drbd_int.h | 6 +-
62057 drivers/block/drbd/drbd_main.c | 8 +-
62058 drivers/block/drbd/drbd_receiver.c | 18 +-
62059 drivers/block/loop.c | 2 +-
62060 drivers/cdrom/cdrom.c | 9 +-
62061 drivers/cdrom/gdrom.c | 1 -
62062 drivers/char/agp/frontend.c | 2 +-
62063 drivers/char/hpet.c | 2 +-
62064 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
62065 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
62066 drivers/char/mem.c | 41 +-
62067 drivers/char/nvram.c | 2 +-
62068 drivers/char/pcmcia/synclink_cs.c | 18 +-
62069 drivers/char/random.c | 8 +-
62070 drivers/char/sonypi.c | 9 +-
62071 drivers/char/tpm/tpm.c | 2 +-
62072 drivers/char/tpm/tpm_acpi.c | 3 +-
62073 drivers/char/tpm/tpm_eventlog.c | 7 +-
62074 drivers/char/virtio_console.c | 4 +-
62075 drivers/clocksource/arm_generic.c | 2 +-
62076 drivers/cpufreq/cpufreq.c | 2 +-
62077 drivers/cpufreq/cpufreq_stats.c | 2 +-
62078 drivers/dma/sh/shdma.c | 2 +-
62079 drivers/edac/edac_pci_sysfs.c | 20 +-
62080 drivers/edac/mce_amd.h | 2 +-
62081 drivers/firewire/core-card.c | 2 +-
62082 drivers/firewire/core-cdev.c | 3 +-
62083 drivers/firewire/core-transaction.c | 1 +
62084 drivers/firewire/core.h | 1 +
62085 drivers/firmware/dmi_scan.c | 7 +-
62086 drivers/firmware/efivars.c | 2 +-
62087 drivers/gpio/gpio-vr41xx.c | 2 +-
62088 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
62089 drivers/gpu/drm/drm_drv.c | 4 +-
62090 drivers/gpu/drm/drm_fops.c | 18 +-
62091 drivers/gpu/drm/drm_global.c | 14 +-
62092 drivers/gpu/drm/drm_info.c | 14 +-
62093 drivers/gpu/drm/drm_ioc32.c | 4 +-
62094 drivers/gpu/drm/drm_ioctl.c | 2 +-
62095 drivers/gpu/drm/drm_lock.c | 4 +-
62096 drivers/gpu/drm/drm_stub.c | 2 +-
62097 drivers/gpu/drm/i810/i810_dma.c | 8 +-
62098 drivers/gpu/drm/i810/i810_drv.h | 4 +-
62099 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
62100 drivers/gpu/drm/i915/i915_dma.c | 2 +-
62101 drivers/gpu/drm/i915/i915_drv.h | 6 +-
62102 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
62103 drivers/gpu/drm/i915/i915_irq.c | 22 +-
62104 drivers/gpu/drm/i915/intel_display.c | 9 +-
62105 drivers/gpu/drm/mga/mga_drv.h | 4 +-
62106 drivers/gpu/drm/mga/mga_irq.c | 8 +-
62107 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
62108 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
62109 drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
62110 drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
62111 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
62112 drivers/gpu/drm/r128/r128_cce.c | 2 +-
62113 drivers/gpu/drm/r128/r128_drv.h | 4 +-
62114 drivers/gpu/drm/r128/r128_irq.c | 4 +-
62115 drivers/gpu/drm/r128/r128_state.c | 4 +-
62116 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
62117 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
62118 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
62119 drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
62120 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
62121 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
62122 drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
62123 drivers/gpu/drm/radeon/rs690.c | 4 +-
62124 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
62125 drivers/gpu/drm/via/via_drv.h | 4 +-
62126 drivers/gpu/drm/via/via_irq.c | 18 +-
62127 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
62128 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
62129 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
62130 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
62131 drivers/hid/hid-core.c | 4 +-
62132 drivers/hv/channel.c | 4 +-
62133 drivers/hv/hv.c | 2 +-
62134 drivers/hv/hyperv_vmbus.h | 2 +-
62135 drivers/hv/vmbus_drv.c | 4 +-
62136 drivers/hwmon/coretemp.c | 2 +-
62137 drivers/hwmon/sht15.c | 12 +-
62138 drivers/hwmon/via-cputemp.c | 2 +-
62139 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
62140 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
62141 drivers/ide/ide-cd.c | 2 +-
62142 drivers/infiniband/core/cm.c | 32 +-
62143 drivers/infiniband/core/fmr_pool.c | 20 +-
62144 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
62145 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
62146 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
62147 drivers/infiniband/hw/nes/nes.c | 4 +-
62148 drivers/infiniband/hw/nes/nes.h | 40 +-
62149 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
62150 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
62151 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
62152 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
62153 drivers/infiniband/hw/qib/qib.h | 1 +
62154 drivers/input/gameport/gameport.c | 4 +-
62155 drivers/input/input.c | 4 +-
62156 drivers/input/joystick/sidewinder.c | 1 +
62157 drivers/input/joystick/xpad.c | 4 +-
62158 drivers/input/mousedev.c | 2 +-
62159 drivers/input/serio/serio.c | 4 +-
62160 drivers/isdn/capi/capi.c | 10 +-
62161 drivers/isdn/gigaset/interface.c | 8 +-
62162 drivers/isdn/hardware/avm/b1.c | 4 +-
62163 drivers/isdn/i4l/isdn_tty.c | 22 +-
62164 drivers/isdn/icn/icn.c | 2 +-
62165 drivers/lguest/core.c | 10 +-
62166 drivers/lguest/x86/core.c | 12 +-
62167 drivers/lguest/x86/switcher_32.S | 27 +-
62168 drivers/md/bitmap.c | 2 +-
62169 drivers/md/dm-ioctl.c | 2 +-
62170 drivers/md/dm-raid1.c | 16 +-
62171 drivers/md/dm-stripe.c | 10 +-
62172 drivers/md/dm-table.c | 2 +-
62173 drivers/md/dm-thin-metadata.c | 4 +-
62174 drivers/md/dm.c | 16 +-
62175 drivers/md/md.c | 26 +-
62176 drivers/md/md.h | 6 +-
62177 drivers/md/persistent-data/dm-space-map.h | 1 +
62178 drivers/md/raid1.c | 4 +-
62179 drivers/md/raid10.c | 16 +-
62180 drivers/md/raid5.c | 10 +-
62181 drivers/media/dvb-core/dvbdev.c | 2 +-
62182 drivers/media/dvb-frontends/dib3000.h | 2 +-
62183 drivers/media/platform/omap/omap_vout.c | 11 +-
62184 drivers/media/platform/s5p-tv/mixer.h | 2 +-
62185 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
62186 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
62187 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
62188 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
62189 drivers/media/radio/radio-cadet.c | 2 +
62190 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
62191 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
62192 drivers/message/fusion/mptsas.c | 34 +-
62193 drivers/message/fusion/mptscsih.c | 19 +-
62194 drivers/message/i2o/i2o_proc.c | 51 +-
62195 drivers/message/i2o/iop.c | 8 +-
62196 drivers/mfd/janz-cmodio.c | 1 +
62197 drivers/misc/kgdbts.c | 4 +-
62198 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
62199 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
62200 drivers/misc/sgi-gru/gruhandles.c | 4 +-
62201 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
62202 drivers/misc/sgi-gru/grutables.h | 154 +-
62203 drivers/misc/sgi-xp/xp.h | 2 +-
62204 drivers/misc/sgi-xp/xpc.h | 3 +-
62205 drivers/misc/sgi-xp/xpc_main.c | 4 +-
62206 drivers/mmc/core/mmc_ops.c | 2 +-
62207 drivers/mmc/host/dw_mmc.h | 2 +-
62208 drivers/mmc/host/sdhci-s3c.c | 8 +-
62209 drivers/mtd/devices/doc2000.c | 2 +-
62210 drivers/mtd/nand/denali.c | 1 +
62211 drivers/mtd/nftlmount.c | 1 +
62212 drivers/net/ethernet/8390/ax88796.c | 4 +-
62213 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
62214 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
62215 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
62216 drivers/net/ethernet/broadcom/tg3.h | 1 +
62217 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
62218 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
62219 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
62220 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
62221 drivers/net/ethernet/faraday/ftmac100.c | 2 +
62222 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
62223 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
62224 drivers/net/ethernet/realtek/r8169.c | 8 +-
62225 drivers/net/ethernet/sfc/ptp.c | 2 +-
62226 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
62227 drivers/net/hyperv/hyperv_net.h | 2 +-
62228 drivers/net/hyperv/rndis_filter.c | 4 +-
62229 drivers/net/ieee802154/fakehard.c | 2 +-
62230 drivers/net/macvlan.c | 2 +-
62231 drivers/net/macvtap.c | 2 +-
62232 drivers/net/ppp/ppp_generic.c | 4 +-
62233 drivers/net/team/team.c | 2 +-
62234 drivers/net/tun.c | 5 +-
62235 drivers/net/usb/hso.c | 23 +-
62236 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
62237 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
62238 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
62239 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
62240 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
62241 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
62242 drivers/net/wireless/mac80211_hwsim.c | 32 +-
62243 drivers/net/wireless/rndis_wlan.c | 2 +-
62244 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
62245 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
62246 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
62247 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
62248 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
62249 drivers/oprofile/buffer_sync.c | 8 +-
62250 drivers/oprofile/event_buffer.c | 2 +-
62251 drivers/oprofile/oprof.c | 2 +-
62252 drivers/oprofile/oprofile_stats.c | 10 +-
62253 drivers/oprofile/oprofile_stats.h | 10 +-
62254 drivers/oprofile/oprofilefs.c | 2 +-
62255 drivers/oprofile/timer_int.c | 2 +-
62256 drivers/parport/procfs.c | 4 +-
62257 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
62258 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
62259 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
62260 drivers/pci/pcie/aspm.c | 6 +-
62261 drivers/pci/probe.c | 2 +-
62262 drivers/platform/x86/thinkpad_acpi.c | 70 +-
62263 drivers/pnp/pnpbios/bioscalls.c | 14 +-
62264 drivers/pnp/resource.c | 4 +-
62265 drivers/power/pda_power.c | 7 +-
62266 drivers/regulator/max8660.c | 6 +-
62267 drivers/regulator/max8973-regulator.c | 8 +-
62268 drivers/regulator/mc13892-regulator.c | 6 +-
62269 drivers/scsi/bfa/bfa.h | 2 +-
62270 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
62271 drivers/scsi/bfa/bfa_ioc.h | 4 +-
62272 drivers/scsi/hosts.c | 4 +-
62273 drivers/scsi/hpsa.c | 30 +-
62274 drivers/scsi/hpsa.h | 2 +-
62275 drivers/scsi/libfc/fc_exch.c | 50 +-
62276 drivers/scsi/libsas/sas_ata.c | 2 +-
62277 drivers/scsi/lpfc/lpfc.h | 8 +-
62278 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
62279 drivers/scsi/lpfc/lpfc_init.c | 6 +-
62280 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
62281 drivers/scsi/pmcraid.c | 20 +-
62282 drivers/scsi/pmcraid.h | 8 +-
62283 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
62284 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
62285 drivers/scsi/qla2xxx/qla_os.c | 6 +-
62286 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
62287 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
62288 drivers/scsi/scsi.c | 2 +-
62289 drivers/scsi/scsi_lib.c | 6 +-
62290 drivers/scsi/scsi_sysfs.c | 2 +-
62291 drivers/scsi/scsi_tgt_lib.c | 2 +-
62292 drivers/scsi/scsi_transport_fc.c | 8 +-
62293 drivers/scsi/scsi_transport_iscsi.c | 6 +-
62294 drivers/scsi/scsi_transport_srp.c | 6 +-
62295 drivers/scsi/sd.c | 2 +-
62296 drivers/scsi/sg.c | 2 +-
62297 drivers/spi/spi.c | 2 +-
62298 drivers/staging/octeon/ethernet-rx.c | 12 +-
62299 drivers/staging/octeon/ethernet.c | 8 +-
62300 drivers/staging/ramster/tmem.c | 54 +-
62301 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
62302 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
62303 drivers/staging/usbip/vhci.h | 2 +-
62304 drivers/staging/usbip/vhci_hcd.c | 6 +-
62305 drivers/staging/usbip/vhci_rx.c | 2 +-
62306 drivers/staging/vt6655/hostap.c | 7 +-
62307 drivers/staging/vt6656/hostap.c | 7 +-
62308 drivers/staging/zcache/tmem.c | 4 +-
62309 drivers/staging/zcache/tmem.h | 2 +
62310 drivers/target/target_core_device.c | 2 +-
62311 drivers/target/target_core_transport.c | 2 +-
62312 drivers/tty/cyclades.c | 6 +-
62313 drivers/tty/hvc/hvc_console.c | 14 +-
62314 drivers/tty/hvc/hvcs.c | 21 +-
62315 drivers/tty/ipwireless/tty.c | 27 +-
62316 drivers/tty/moxa.c | 2 +-
62317 drivers/tty/n_gsm.c | 4 +-
62318 drivers/tty/n_tty.c | 3 +-
62319 drivers/tty/pty.c | 4 +-
62320 drivers/tty/rocket.c | 6 +-
62321 drivers/tty/serial/kgdboc.c | 32 +-
62322 drivers/tty/serial/samsung.c | 9 +-
62323 drivers/tty/serial/serial_core.c | 8 +-
62324 drivers/tty/synclink.c | 34 +-
62325 drivers/tty/synclink_gt.c | 28 +-
62326 drivers/tty/synclinkmp.c | 34 +-
62327 drivers/tty/tty_io.c | 2 +-
62328 drivers/tty/tty_ldisc.c | 10 +-
62329 drivers/tty/tty_port.c | 22 +-
62330 drivers/uio/uio.c | 21 +-
62331 drivers/usb/atm/cxacru.c | 2 +-
62332 drivers/usb/atm/usbatm.c | 24 +-
62333 drivers/usb/core/devices.c | 6 +-
62334 drivers/usb/core/hcd.c | 4 +-
62335 drivers/usb/core/sysfs.c | 2 +-
62336 drivers/usb/core/usb.c | 2 +-
62337 drivers/usb/early/ehci-dbgp.c | 16 +-
62338 drivers/usb/gadget/u_serial.c | 22 +-
62339 drivers/usb/serial/console.c | 6 +-
62340 drivers/usb/wusbcore/wa-hc.h | 4 +-
62341 drivers/usb/wusbcore/wa-xfer.c | 2 +-
62342 drivers/video/aty/aty128fb.c | 2 +-
62343 drivers/video/fbcmap.c | 3 +-
62344 drivers/video/fbmem.c | 6 +-
62345 drivers/video/i810/i810_accel.c | 1 +
62346 drivers/video/udlfb.c | 32 +-
62347 drivers/video/uvesafb.c | 39 +-
62348 drivers/video/vesafb.c | 51 +-
62349 drivers/video/via/via_clock.h | 2 +-
62350 fs/9p/vfs_inode.c | 2 +-
62351 fs/Kconfig.binfmt | 2 +-
62352 fs/aio.c | 11 +-
62353 fs/autofs4/waitq.c | 2 +-
62354 fs/befs/linuxvfs.c | 2 +-
62355 fs/binfmt_aout.c | 23 +-
62356 fs/binfmt_elf.c | 604 ++++-
62357 fs/binfmt_flat.c | 6 +
62358 fs/bio.c | 6 +-
62359 fs/block_dev.c | 2 +-
62360 fs/btrfs/ctree.c | 9 +-
62361 fs/btrfs/relocation.c | 2 +-
62362 fs/btrfs/super.c | 2 +-
62363 fs/cachefiles/bind.c | 6 +-
62364 fs/cachefiles/daemon.c | 8 +-
62365 fs/cachefiles/internal.h | 12 +-
62366 fs/cachefiles/namei.c | 2 +-
62367 fs/cachefiles/proc.c | 12 +-
62368 fs/cachefiles/rdwr.c | 2 +-
62369 fs/ceph/dir.c | 2 +-
62370 fs/cifs/cifs_debug.c | 12 +-
62371 fs/cifs/cifsfs.c | 8 +-
62372 fs/cifs/cifsglob.h | 54 +-
62373 fs/cifs/link.c | 2 +-
62374 fs/cifs/misc.c | 4 +-
62375 fs/cifs/smb1ops.c | 80 +-
62376 fs/cifs/smb2ops.c | 84 +-
62377 fs/cifs/smb2pdu.c | 3 +-
62378 fs/coda/cache.c | 10 +-
62379 fs/compat.c | 6 +-
62380 fs/compat_binfmt_elf.c | 2 +
62381 fs/compat_ioctl.c | 8 +-
62382 fs/configfs/dir.c | 10 +-
62383 fs/coredump.c | 24 +-
62384 fs/dcache.c | 2 +-
62385 fs/ecryptfs/inode.c | 4 +-
62386 fs/ecryptfs/miscdev.c | 2 +-
62387 fs/ecryptfs/read_write.c | 4 +-
62388 fs/exec.c | 356 ++-
62389 fs/ext4/ext4.h | 20 +-
62390 fs/ext4/mballoc.c | 44 +-
62391 fs/fhandle.c | 3 +-
62392 fs/fifo.c | 22 +-
62393 fs/fs_struct.c | 8 +-
62394 fs/fscache/cookie.c | 36 +-
62395 fs/fscache/internal.h | 196 +-
62396 fs/fscache/object.c | 28 +-
62397 fs/fscache/operation.c | 30 +-
62398 fs/fscache/page.c | 110 +-
62399 fs/fscache/stats.c | 344 +-
62400 fs/fuse/cuse.c | 10 +-
62401 fs/fuse/dev.c | 2 +-
62402 fs/fuse/dir.c | 2 +-
62403 fs/gfs2/inode.c | 2 +-
62404 fs/hugetlbfs/inode.c | 13 +-
62405 fs/inode.c | 4 +-
62406 fs/jffs2/erase.c | 3 +-
62407 fs/jffs2/wbuf.c | 3 +-
62408 fs/jfs/super.c | 2 +-
62409 fs/libfs.c | 10 +-
62410 fs/lockd/clntproc.c | 4 +-
62411 fs/locks.c | 8 +-
62412 fs/namei.c | 15 +-
62413 fs/namespace.c | 2 +-
62414 fs/nfs/inode.c | 6 +-
62415 fs/nfsd/vfs.c | 6 +-
62416 fs/notify/fanotify/fanotify_user.c | 4 +-
62417 fs/notify/notification.c | 4 +-
62418 fs/ntfs/dir.c | 2 +-
62419 fs/ntfs/file.c | 4 +-
62420 fs/ocfs2/localalloc.c | 2 +-
62421 fs/ocfs2/ocfs2.h | 10 +-
62422 fs/ocfs2/suballoc.c | 12 +-
62423 fs/ocfs2/super.c | 20 +-
62424 fs/pipe.c | 33 +-
62425 fs/proc/array.c | 20 +
62426 fs/proc/kcore.c | 32 +-
62427 fs/proc/meminfo.c | 2 +-
62428 fs/proc/nommu.c | 2 +-
62429 fs/proc/self.c | 2 +-
62430 fs/proc/task_mmu.c | 39 +-
62431 fs/proc/task_nommu.c | 4 +-
62432 fs/quota/netlink.c | 4 +-
62433 fs/readdir.c | 2 +-
62434 fs/reiserfs/do_balan.c | 2 +-
62435 fs/reiserfs/procfs.c | 2 +-
62436 fs/reiserfs/reiserfs.h | 4 +-
62437 fs/seq_file.c | 2 +-
62438 fs/splice.c | 36 +-
62439 fs/sysfs/file.c | 10 +-
62440 fs/sysfs/symlink.c | 2 +-
62441 fs/udf/misc.c | 2 +-
62442 fs/xattr_acl.c | 4 +-
62443 fs/xfs/xfs_bmap.c | 2 +-
62444 fs/xfs/xfs_dir2_sf.c | 10 +-
62445 fs/xfs/xfs_ioctl.c | 2 +-
62446 fs/xfs/xfs_iops.c | 2 +-
62447 include/asm-generic/4level-fixup.h | 2 +
62448 include/asm-generic/atomic-long.h | 210 ++
62449 include/asm-generic/atomic.h | 2 +-
62450 include/asm-generic/atomic64.h | 12 +
62451 include/asm-generic/cache.h | 4 +-
62452 include/asm-generic/emergency-restart.h | 2 +-
62453 include/asm-generic/kmap_types.h | 4 +-
62454 include/asm-generic/local.h | 13 +
62455 include/asm-generic/pgtable-nopmd.h | 18 +-
62456 include/asm-generic/pgtable-nopud.h | 15 +-
62457 include/asm-generic/pgtable.h | 8 +
62458 include/asm-generic/vmlinux.lds.h | 10 +-
62459 include/crypto/algapi.h | 2 +-
62460 include/drm/drmP.h | 5 +-
62461 include/drm/drm_crtc_helper.h | 2 +-
62462 include/drm/ttm/ttm_memory.h | 2 +-
62463 include/linux/atmdev.h | 2 +-
62464 include/linux/binfmts.h | 1 +
62465 include/linux/blkdev.h | 2 +-
62466 include/linux/blktrace_api.h | 2 +-
62467 include/linux/cache.h | 4 +
62468 include/linux/cdrom.h | 1 -
62469 include/linux/cleancache.h | 2 +-
62470 include/linux/compiler-gcc4.h | 20 +
62471 include/linux/compiler.h | 72 +-
62472 include/linux/cpu.h | 2 +-
62473 include/linux/crypto.h | 6 +-
62474 include/linux/decompress/mm.h | 2 +-
62475 include/linux/dma-mapping.h | 2 +-
62476 include/linux/dmaengine.h | 4 +-
62477 include/linux/efi.h | 1 +
62478 include/linux/elf.h | 2 +
62479 include/linux/filter.h | 4 +
62480 include/linux/frontswap.h | 2 +-
62481 include/linux/fs.h | 3 +-
62482 include/linux/fs_struct.h | 2 +-
62483 include/linux/fscache-cache.h | 4 +-
62484 include/linux/fsnotify.h | 2 +-
62485 include/linux/ftrace_event.h | 2 +-
62486 include/linux/genhd.h | 2 +-
62487 include/linux/gfp.h | 12 +-
62488 include/linux/highmem.h | 12 +
62489 include/linux/i2c.h | 1 +
62490 include/linux/i2o.h | 2 +-
62491 include/linux/if_pppox.h | 2 +-
62492 include/linux/init.h | 33 +-
62493 include/linux/init_task.h | 7 +
62494 include/linux/interrupt.h | 8 +-
62495 include/linux/kgdb.h | 6 +-
62496 include/linux/kobject.h | 2 +-
62497 include/linux/kref.h | 2 +-
62498 include/linux/kvm_host.h | 4 +-
62499 include/linux/libata.h | 2 +-
62500 include/linux/list.h | 3 +
62501 include/linux/mm.h | 91 +-
62502 include/linux/mm_types.h | 22 +-
62503 include/linux/mmiotrace.h | 4 +-
62504 include/linux/mmzone.h | 2 +-
62505 include/linux/mod_devicetable.h | 4 +-
62506 include/linux/module.h | 55 +-
62507 include/linux/moduleloader.h | 18 +-
62508 include/linux/moduleparam.h | 4 +-
62509 include/linux/namei.h | 6 +-
62510 include/linux/netdevice.h | 3 +-
62511 include/linux/netfilter/ipset/ip_set.h | 2 +-
62512 include/linux/netfilter/nfnetlink.h | 2 +-
62513 include/linux/notifier.h | 3 +-
62514 include/linux/oprofile.h | 4 +-
62515 include/linux/perf_event.h | 10 +-
62516 include/linux/pipe_fs_i.h | 6 +-
62517 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
62518 include/linux/pm_runtime.h | 2 +-
62519 include/linux/poison.h | 4 +-
62520 include/linux/power/smartreflex.h | 2 +-
62521 include/linux/random.h | 5 +
62522 include/linux/reboot.h | 14 +-
62523 include/linux/regset.h | 3 +-
62524 include/linux/relay.h | 2 +-
62525 include/linux/rio.h | 2 +-
62526 include/linux/rmap.h | 4 +-
62527 include/linux/sched.h | 64 +-
62528 include/linux/seq_file.h | 1 +
62529 include/linux/skbuff.h | 12 +-
62530 include/linux/slab.h | 36 +-
62531 include/linux/slab_def.h | 33 +-
62532 include/linux/slob_def.h | 4 +-
62533 include/linux/slub_def.h | 10 +-
62534 include/linux/sonet.h | 2 +-
62535 include/linux/sunrpc/clnt.h | 8 +-
62536 include/linux/sunrpc/svc_rdma.h | 18 +-
62537 include/linux/sysrq.h | 2 +-
62538 include/linux/thread_info.h | 7 +
62539 include/linux/tty.h | 4 +-
62540 include/linux/tty_driver.h | 2 +-
62541 include/linux/tty_ldisc.h | 2 +-
62542 include/linux/types.h | 16 +
62543 include/linux/uaccess.h | 6 +-
62544 include/linux/unaligned/access_ok.h | 12 +-
62545 include/linux/usb.h | 2 +-
62546 include/linux/usb/renesas_usbhs.h | 2 +-
62547 include/linux/vermagic.h | 21 +-
62548 include/linux/vmalloc.h | 11 +-
62549 include/linux/vmstat.h | 20 +-
62550 include/media/v4l2-dev.h | 2 +-
62551 include/media/v4l2-ioctl.h | 1 -
62552 include/net/caif/cfctrl.h | 6 +-
62553 include/net/flow.h | 2 +-
62554 include/net/gro_cells.h | 6 +-
62555 include/net/inet_connection_sock.h | 2 +-
62556 include/net/inetpeer.h | 8 +-
62557 include/net/ip_fib.h | 2 +-
62558 include/net/ip_vs.h | 4 +-
62559 include/net/irda/ircomm_tty.h | 1 +
62560 include/net/iucv/af_iucv.h | 2 +-
62561 include/net/neighbour.h | 2 +-
62562 include/net/net_namespace.h | 6 +-
62563 include/net/netdma.h | 2 +-
62564 include/net/netlink.h | 2 +-
62565 include/net/netns/ipv4.h | 2 +-
62566 include/net/protocol.h | 4 +-
62567 include/net/sctp/sctp.h | 6 +-
62568 include/net/sctp/structs.h | 4 +-
62569 include/net/sock.h | 6 +-
62570 include/net/tcp.h | 8 +-
62571 include/net/xfrm.h | 4 +-
62572 include/rdma/iw_cm.h | 2 +-
62573 include/scsi/libfc.h | 3 +-
62574 include/scsi/scsi_device.h | 6 +-
62575 include/scsi/scsi_transport_fc.h | 3 +-
62576 include/sound/soc.h | 4 +-
62577 include/target/target_core_base.h | 2 +-
62578 include/trace/events/irq.h | 4 +-
62579 include/uapi/linux/a.out.h | 8 +
62580 include/uapi/linux/byteorder/little_endian.h | 24 +-
62581 include/uapi/linux/elf.h | 28 +
62582 include/uapi/linux/screen_info.h | 3 +-
62583 include/uapi/linux/sysctl.h | 6 +-
62584 include/uapi/linux/xattr.h | 4 +
62585 include/video/udlfb.h | 8 +-
62586 include/video/uvesafb.h | 1 +
62587 init/Kconfig | 2 +-
62588 init/Makefile | 3 +
62589 init/do_mounts.c | 14 +-
62590 init/do_mounts.h | 8 +-
62591 init/do_mounts_initrd.c | 22 +-
62592 init/do_mounts_md.c | 6 +-
62593 init/init_task.c | 4 +
62594 init/initramfs.c | 40 +-
62595 init/main.c | 78 +-
62596 ipc/msg.c | 11 +-
62597 ipc/sem.c | 11 +-
62598 ipc/shm.c | 17 +-
62599 kernel/acct.c | 2 +-
62600 kernel/audit.c | 8 +-
62601 kernel/auditsc.c | 4 +-
62602 kernel/capability.c | 3 +
62603 kernel/compat.c | 40 +-
62604 kernel/debug/debug_core.c | 16 +-
62605 kernel/debug/kdb/kdb_main.c | 4 +-
62606 kernel/events/core.c | 28 +-
62607 kernel/exit.c | 4 +-
62608 kernel/fork.c | 167 +-
62609 kernel/futex.c | 9 +
62610 kernel/gcov/base.c | 7 +-
62611 kernel/hrtimer.c | 4 +-
62612 kernel/jump_label.c | 5 +
62613 kernel/kallsyms.c | 39 +-
62614 kernel/kexec.c | 3 +-
62615 kernel/kmod.c | 2 +-
62616 kernel/kprobes.c | 8 +-
62617 kernel/lockdep.c | 7 +-
62618 kernel/module.c | 333 ++-
62619 kernel/mutex-debug.c | 12 +-
62620 kernel/mutex-debug.h | 4 +-
62621 kernel/mutex.c | 7 +-
62622 kernel/notifier.c | 17 +-
62623 kernel/panic.c | 3 +-
62624 kernel/pid.c | 2 +-
62625 kernel/posix-cpu-timers.c | 4 +-
62626 kernel/posix-timers.c | 20 +-
62627 kernel/power/process.c | 12 +-
62628 kernel/profile.c | 14 +-
62629 kernel/ptrace.c | 6 +-
62630 kernel/rcutiny.c | 4 +-
62631 kernel/rcutiny_plugin.h | 2 +-
62632 kernel/rcutorture.c | 56 +-
62633 kernel/rcutree.c | 72 +-
62634 kernel/rcutree.h | 24 +-
62635 kernel/rcutree_plugin.h | 18 +-
62636 kernel/rcutree_trace.c | 22 +-
62637 kernel/rtmutex-tester.c | 24 +-
62638 kernel/sched/auto_group.c | 4 +-
62639 kernel/sched/core.c | 2 +-
62640 kernel/sched/fair.c | 4 +-
62641 kernel/signal.c | 12 +-
62642 kernel/smp.c | 2 +-
62643 kernel/softirq.c | 16 +-
62644 kernel/srcu.c | 6 +-
62645 kernel/stop_machine.c | 2 +-
62646 kernel/sys.c | 12 +-
62647 kernel/sysctl.c | 37 +-
62648 kernel/sysctl_binary.c | 14 +-
62649 kernel/time/alarmtimer.c | 2 +-
62650 kernel/time/tick-broadcast.c | 2 +-
62651 kernel/time/timer_stats.c | 10 +-
62652 kernel/timer.c | 4 +-
62653 kernel/trace/blktrace.c | 6 +-
62654 kernel/trace/ftrace.c | 20 +-
62655 kernel/trace/ring_buffer.c | 76 +-
62656 kernel/trace/trace.c | 6 +-
62657 kernel/trace/trace_events.c | 25 +-
62658 kernel/trace/trace_mmiotrace.c | 8 +-
62659 kernel/trace/trace_output.c | 12 +-
62660 kernel/trace/trace_stack.c | 2 +-
62661 lib/Makefile | 2 +-
62662 lib/bitmap.c | 8 +-
62663 lib/bug.c | 2 +
62664 lib/debugobjects.c | 2 +-
62665 lib/devres.c | 4 +-
62666 lib/dma-debug.c | 4 +-
62667 lib/inflate.c | 2 +-
62668 lib/ioremap.c | 4 +-
62669 lib/list_debug.c | 89 +-
62670 lib/radix-tree.c | 2 +-
62671 lib/strncpy_from_user.c | 2 +-
62672 lib/strnlen_user.c | 2 +-
62673 lib/vsprintf.c | 12 +-
62674 mm/Kconfig | 6 +-
62675 mm/filemap.c | 2 +-
62676 mm/fremap.c | 5 +
62677 mm/highmem.c | 7 +-
62678 mm/hugetlb.c | 54 +
62679 mm/internal.h | 1 +
62680 mm/maccess.c | 4 +-
62681 mm/madvise.c | 41 +
62682 mm/memory-failure.c | 18 +-
62683 mm/memory.c | 404 ++-
62684 mm/mempolicy.c | 26 +
62685 mm/mlock.c | 16 +-
62686 mm/mmap.c | 573 +++-
62687 mm/mprotect.c | 138 +-
62688 mm/mremap.c | 44 +-
62689 mm/nommu.c | 11 +-
62690 mm/page-writeback.c | 2 +-
62691 mm/page_alloc.c | 14 +-
62692 mm/percpu.c | 2 +-
62693 mm/process_vm_access.c | 14 +-
62694 mm/rmap.c | 38 +-
62695 mm/shmem.c | 19 +-
62696 mm/slab.c | 104 +-
62697 mm/slab.h | 5 +-
62698 mm/slab_common.c | 9 +-
62699 mm/slob.c | 200 +-
62700 mm/slub.c | 98 +-
62701 mm/sparse-vmemmap.c | 4 +-
62702 mm/sparse.c | 2 +-
62703 mm/swap.c | 3 +
62704 mm/swapfile.c | 12 +-
62705 mm/util.c | 6 +
62706 mm/vmalloc.c | 82 +-
62707 mm/vmstat.c | 12 +-
62708 net/8021q/vlan.c | 5 +-
62709 net/9p/trans_fd.c | 2 +-
62710 net/atm/atm_misc.c | 8 +-
62711 net/atm/lec.h | 2 +-
62712 net/atm/proc.c | 6 +-
62713 net/atm/resources.c | 4 +-
62714 net/batman-adv/bat_iv_ogm.c | 8 +-
62715 net/batman-adv/hard-interface.c | 4 +-
62716 net/batman-adv/soft-interface.c | 4 +-
62717 net/batman-adv/types.h | 6 +-
62718 net/batman-adv/unicast.c | 2 +-
62719 net/bluetooth/hci_sock.c | 2 +-
62720 net/bluetooth/l2cap_core.c | 6 +-
62721 net/bluetooth/l2cap_sock.c | 12 +-
62722 net/bluetooth/rfcomm/sock.c | 4 +-
62723 net/bluetooth/rfcomm/tty.c | 10 +-
62724 net/bridge/netfilter/ebtables.c | 6 +-
62725 net/caif/cfctrl.c | 11 +-
62726 net/can/af_can.c | 2 +-
62727 net/can/gw.c | 6 +-
62728 net/compat.c | 34 +-
62729 net/core/datagram.c | 2 +-
62730 net/core/dev.c | 16 +-
62731 net/core/flow.c | 8 +-
62732 net/core/iovec.c | 4 +-
62733 net/core/rtnetlink.c | 2 +-
62734 net/core/scm.c | 8 +-
62735 net/core/sock.c | 24 +-
62736 net/decnet/sysctl_net_decnet.c | 4 +-
62737 net/ipv4/ah4.c | 2 +-
62738 net/ipv4/esp4.c | 2 +-
62739 net/ipv4/fib_frontend.c | 6 +-
62740 net/ipv4/fib_semantics.c | 2 +-
62741 net/ipv4/inetpeer.c | 4 +-
62742 net/ipv4/ip_fragment.c | 2 +-
62743 net/ipv4/ip_sockglue.c | 2 +-
62744 net/ipv4/ipcomp.c | 2 +-
62745 net/ipv4/ipconfig.c | 6 +-
62746 net/ipv4/netfilter/arp_tables.c | 12 +-
62747 net/ipv4/netfilter/ip_tables.c | 12 +-
62748 net/ipv4/ping.c | 2 +-
62749 net/ipv4/raw.c | 14 +-
62750 net/ipv4/route.c | 2 +-
62751 net/ipv4/tcp_input.c | 2 +-
62752 net/ipv4/tcp_probe.c | 2 +-
62753 net/ipv4/udp.c | 10 +-
62754 net/ipv6/addrconf.c | 2 +-
62755 net/ipv6/ip6_gre.c | 2 +-
62756 net/ipv6/ipv6_sockglue.c | 2 +-
62757 net/ipv6/netfilter/ip6_tables.c | 12 +-
62758 net/ipv6/raw.c | 19 +-
62759 net/ipv6/udp.c | 8 +-
62760 net/irda/ircomm/ircomm_tty.c | 18 +-
62761 net/iucv/af_iucv.c | 4 +-
62762 net/iucv/iucv.c | 2 +-
62763 net/key/af_key.c | 4 +-
62764 net/mac80211/cfg.c | 4 +-
62765 net/mac80211/ieee80211_i.h | 3 +-
62766 net/mac80211/iface.c | 14 +-
62767 net/mac80211/main.c | 2 +-
62768 net/mac80211/pm.c | 6 +-
62769 net/mac80211/rate.c | 2 +-
62770 net/mac80211/rc80211_pid_debugfs.c | 2 +-
62771 net/mac80211/util.c | 2 +-
62772 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
62773 net/netfilter/ipvs/ip_vs_core.c | 4 +-
62774 net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
62775 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
62776 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
62777 net/netfilter/nfnetlink_log.c | 4 +-
62778 net/netfilter/xt_statistic.c | 8 +-
62779 net/netlink/af_netlink.c | 4 +-
62780 net/packet/af_packet.c | 12 +-
62781 net/phonet/pep.c | 6 +-
62782 net/phonet/socket.c | 2 +-
62783 net/rds/cong.c | 6 +-
62784 net/rds/ib.h | 2 +-
62785 net/rds/ib_cm.c | 2 +-
62786 net/rds/ib_recv.c | 4 +-
62787 net/rds/iw.h | 2 +-
62788 net/rds/iw_cm.c | 2 +-
62789 net/rds/iw_recv.c | 4 +-
62790 net/rds/tcp.c | 2 +-
62791 net/rds/tcp_send.c | 2 +-
62792 net/rxrpc/af_rxrpc.c | 2 +-
62793 net/rxrpc/ar-ack.c | 14 +-
62794 net/rxrpc/ar-call.c | 2 +-
62795 net/rxrpc/ar-connection.c | 2 +-
62796 net/rxrpc/ar-connevent.c | 2 +-
62797 net/rxrpc/ar-input.c | 4 +-
62798 net/rxrpc/ar-internal.h | 8 +-
62799 net/rxrpc/ar-local.c | 2 +-
62800 net/rxrpc/ar-output.c | 4 +-
62801 net/rxrpc/ar-peer.c | 2 +-
62802 net/rxrpc/ar-proc.c | 4 +-
62803 net/rxrpc/ar-transport.c | 2 +-
62804 net/rxrpc/rxkad.c | 4 +-
62805 net/sctp/ipv6.c | 2 +-
62806 net/sctp/protocol.c | 8 +-
62807 net/sctp/socket.c | 2 +
62808 net/socket.c | 34 +-
62809 net/sunrpc/sched.c | 4 +-
62810 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
62811 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
62812 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
62813 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
62814 net/tipc/link.c | 6 +-
62815 net/tipc/msg.c | 2 +-
62816 net/tipc/subscr.c | 2 +-
62817 net/wireless/wext-core.c | 19 +-
62818 net/xfrm/xfrm_policy.c | 16 +-
62819 net/xfrm/xfrm_state.c | 4 +-
62820 scripts/Makefile.build | 2 +-
62821 scripts/Makefile.clean | 3 +-
62822 scripts/Makefile.host | 28 +-
62823 scripts/basic/fixdep.c | 12 +-
62824 scripts/gcc-plugin.sh | 17 +
62825 scripts/link-vmlinux.sh | 2 +-
62826 scripts/mod/file2alias.c | 14 +-
62827 scripts/mod/modpost.c | 25 +-
62828 scripts/mod/modpost.h | 6 +-
62829 scripts/mod/sumversion.c | 2 +-
62830 scripts/pnmtologo.c | 6 +-
62831 security/Kconfig | 654 ++++-
62832 security/integrity/ima/ima.h | 4 +-
62833 security/integrity/ima/ima_api.c | 2 +-
62834 security/integrity/ima/ima_fs.c | 4 +-
62835 security/integrity/ima/ima_queue.c | 2 +-
62836 security/keys/compat.c | 2 +-
62837 security/keys/keyctl.c | 8 +-
62838 security/keys/keyring.c | 6 +-
62839 security/security.c | 9 +-
62840 security/selinux/hooks.c | 2 +-
62841 security/selinux/include/xfrm.h | 2 +-
62842 security/smack/smack_lsm.c | 2 +-
62843 security/tomoyo/tomoyo.c | 2 +-
62844 sound/aoa/codecs/onyx.c | 7 +-
62845 sound/aoa/codecs/onyx.h | 1 +
62846 sound/core/oss/pcm_oss.c | 18 +-
62847 sound/core/pcm_compat.c | 2 +-
62848 sound/core/pcm_native.c | 4 +-
62849 sound/core/seq/seq_device.c | 8 +-
62850 sound/drivers/mts64.c | 14 +-
62851 sound/drivers/opl4/opl4_lib.c | 2 +-
62852 sound/drivers/portman2x4.c | 3 +-
62853 sound/firewire/amdtp.c | 4 +-
62854 sound/firewire/amdtp.h | 2 +-
62855 sound/firewire/isight.c | 10 +-
62856 sound/firewire/scs1x.c | 8 +-
62857 sound/oss/sb_audio.c | 2 +-
62858 sound/oss/swarm_cs4297a.c | 6 +-
62859 sound/pci/ymfpci/ymfpci.h | 2 +-
62860 sound/pci/ymfpci/ymfpci_main.c | 12 +-
62861 tools/gcc/.gitignore | 1 +
62862 tools/gcc/Makefile | 43 +
62863 tools/gcc/checker_plugin.c | 171 +
62864 tools/gcc/colorize_plugin.c | 151 +
62865 tools/gcc/constify_plugin.c | 359 +++
62866 tools/gcc/generate_size_overflow_hash.sh | 94 +
62867 tools/gcc/kallocstat_plugin.c | 170 +
62868 tools/gcc/kernexec_plugin.c | 465 +++
62869 tools/gcc/latent_entropy_plugin.c | 321 ++
62870 tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
62871 tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
62872 tools/gcc/stackleak_plugin.c | 327 ++
62873 tools/perf/util/include/asm/alternative-asm.h | 3 +
62874 virt/kvm/kvm_main.c | 32 +-
62875 1311 files changed, 26668 insertions(+), 6394 deletions(-)
62876commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
62877Merge: 0949bd4 fc53d63
62878Author: Brad Spengler <spender@grsecurity.net>
62879Date: Thu Mar 22 19:03:44 2012 -0400
62880
62881 Merge branch 'pax-test' into grsec-test
62882
62883commit fc53d6338964741b368070ec5c935bc579b8c2a6
62884Author: Brad Spengler <spender@grsecurity.net>
62885Date: Thu Mar 22 19:02:45 2012 -0400
62886
62887 Update to pax-linux-3.2.12-test33.patch
62888
62889commit 0949bd46a6455b308f66ad7c993bfee62412db35
62890Author: Brad Spengler <spender@grsecurity.net>
62891Date: Thu Mar 22 16:56:09 2012 -0400
62892
62893 Use current_umask() instead of current->fs->umask
62894
62895commit 22f6432d0fe733619cfcb523782ed7d80c46d645
62896Author: Brad Spengler <spender@grsecurity.net>
62897Date: Wed Mar 21 19:42:42 2012 -0400
62898
62899 compile fix
62900
62901commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
62902Author: Brad Spengler <spender@grsecurity.net>
62903Date: Wed Mar 21 19:34:56 2012 -0400
62904
62905 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
62906 uses of domains with particular hash collisions
62907
62908commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
62909Author: Brad Spengler <spender@grsecurity.net>
62910Date: Tue Mar 20 20:25:49 2012 -0400
62911
62912 zero kernel_role
62913
62914commit b00953b43c69238d181d21121ef1577c988d5f6b
62915Author: Brad Spengler <spender@grsecurity.net>
62916Date: Tue Mar 20 19:29:34 2012 -0400
62917
62918 zero real_root after releasing it
62919
62920commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
62921Merge: b724f59 273f98e
62922Author: Brad Spengler <spender@grsecurity.net>
62923Date: Tue Mar 20 19:11:26 2012 -0400
62924
62925 Merge branch 'pax-test' into grsec-test
62926
62927commit 273f98e58cdac555d3b5dce5c1ca168349f95878
62928Author: Brad Spengler <spender@grsecurity.net>
62929Date: Tue Mar 20 19:10:52 2012 -0400
62930
62931 Temporary workaround for (most) size_overflow plugin false-positives
62932 Increase randomization for brk-managed heap to 21 bits
62933 Update to pax-linux-3.2.12-test32.patch
62934
62935commit b724f59125304460c2af8bd4b02921993afbb5d3
62936Author: Brad Spengler <spender@grsecurity.net>
62937Date: Tue Mar 20 18:58:53 2012 -0400
62938
62939 compile fix
62940
62941commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
62942Author: Brad Spengler <spender@grsecurity.net>
62943Date: Tue Mar 20 18:52:23 2012 -0400
62944
62945 Require default and kernel role
62946
62947commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
62948Author: Brad Spengler <spender@grsecurity.net>
62949Date: Tue Mar 20 18:47:28 2012 -0400
62950
62951 Allow policies without special roles
62952 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
62953
62954commit 402ec3d24d66d38403dc543c84851f5e72d39e22
62955Merge: 8e012dc f14661a
62956Author: Brad Spengler <spender@grsecurity.net>
62957Date: Mon Mar 19 18:06:59 2012 -0400
62958
62959 Merge branch 'pax-test' into grsec-test
62960
62961 Conflicts:
62962 fs/namei.c
62963
62964commit f14661aaf202155c97f66626cea0269017bb7775
62965Merge: eae671f 058b017
62966Author: Brad Spengler <spender@grsecurity.net>
62967Date: Mon Mar 19 18:05:44 2012 -0400
62968
62969 Merge branch 'linux-3.2.y' into pax-test
62970
62971commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
62972Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
62973Date: Fri Mar 16 17:08:39 2012 -0700
62974
62975 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
62976
62977 According to the report from Slicky Devil, nilfs caused kernel oops at
62978 nilfs_load_super_block function during mount after he shrank the
62979 partition without resizing the filesystem:
62980
62981 BUG: unable to handle kernel NULL pointer dereference at 00000048
62982 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
62983 *pde = 00000000
62984 Oops: 0000 [#1] PREEMPT SMP
62985 ...
62986 Call Trace:
62987 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
62988 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
62989 [<c0226636>] mount_fs+0x36/0x180
62990 [<c023d961>] vfs_kern_mount+0x51/0xa0
62991 [<c023ddae>] do_kern_mount+0x3e/0xe0
62992 [<c023f189>] do_mount+0x169/0x700
62993 [<c023fa9b>] sys_mount+0x6b/0xa0
62994 [<c04abd1f>] sysenter_do_call+0x12/0x28
62995 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
62996 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
62997 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
62998 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
62999 CR2: 0000000000000048
63000
63001 This turned out due to a defect in an error path which runs if the
63002 calculated location of the secondary super block was invalid.
63003
63004 This patch fixes it and eliminates the reported oops.
63005
63006 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
63007 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
63008 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
63009 Cc: <stable@vger.kernel.org> [2.6.30+]
63010 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
63011 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63012
63013commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
63014Author: Haogang Chen <haogangchen@gmail.com>
63015Date: Fri Mar 16 17:08:38 2012 -0700
63016
63017 nilfs2: clamp ns_r_segments_percentage to [1, 99]
63018
63019 ns_r_segments_percentage is read from the disk. Bogus or malicious
63020 value could cause integer overflow and malfunction due to meaningless
63021 disk usage calculation. This patch reports error when mounting such
63022 bogus volumes.
63023
63024 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
63025 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
63026 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
63027 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63028
63029commit e1a90645643f9b0194a5984ec8febd06360d5c8b
63030Author: Eric Dumazet <eric.dumazet@gmail.com>
63031Date: Sat Mar 10 09:20:21 2012 +0000
63032
63033 tcp: fix syncookie regression
63034
63035 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
63036 added a serious regression on synflood handling.
63037
63038 Simon Kirby discovered a successful connection was delayed by 20 seconds
63039 before being responsive.
63040
63041 In my tests, I discovered that xmit frames were lost, and needed ~4
63042 retransmits and a socket dst rebuild before being really sent.
63043
63044 In case of syncookie initiated connection, we use a different path to
63045 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
63046
63047 As ip_queue_xmit() now depends on inet flow being setup, fix this by
63048 copying the temp flowi4 we use in cookie_v4_check().
63049
63050 Reported-by: Simon Kirby <sim@netnation.com>
63051 Bisected-by: Simon Kirby <sim@netnation.com>
63052 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
63053 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
63054 Signed-off-by: David S. Miller <davem@davemloft.net>
63055
63056commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
63057Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
63058Date: Mon Mar 12 02:59:41 2012 +0000
63059
63060 tun: don't hold network namespace by tun sockets
63061
63062 v3: added previously removed sock_put() to the tun_release() callback, because
63063 sk_release_kernel() doesn't drop the socket reference.
63064
63065 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
63066 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
63067 call.
63068
63069 TUN was designed to destroy it's socket on network namesapce shutdown. But this
63070 will never happen for persistent device, because it's socket holds network
63071 namespace.
63072 This patch removes of holding network namespace by TUN socket and replaces it
63073 by creating socket in init_net and then changing it's net it to desired one. On
63074 shutdown socket is moved back to init_net prior to final put.
63075
63076 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
63077 Signed-off-by: David S. Miller <davem@davemloft.net>
63078
63079commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
63080Author: Tyler Hicks <tyhicks@canonical.com>
63081Date: Mon Dec 12 10:02:30 2011 -0600
63082
63083 vfs: Correctly set the dir i_mutex lockdep class
63084
63085 9a7aa12f3911853a introduced additional logic around setting the i_mutex
63086 lockdep class for directory inodes. The idea was that some filesystems
63087 may want their own special lockdep class for different directory
63088 inodes and calling unlock_new_inode() should not clobber one of
63089 those special classes.
63090
63091 I believe that the added conditional, around the *negated* return value
63092 of lockdep_match_class(), caused directory inodes to be placed in the
63093 wrong lockdep class.
63094
63095 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
63096 all inodes. If the filesystem did not change the class during inode
63097 initialization, then the conditional mentioned above was false and the
63098 directory inode was incorrectly left in the non-directory lockdep class.
63099 If the filesystem did set a special lockdep class, then the conditional
63100 mentioned above was true and that class was clobbered with
63101 i_mutex_dir_key.
63102
63103 This patch removes the negation from the conditional so that the i_mutex
63104 lockdep class is properly set for directory inodes. Special classes are
63105 preserved and directory inodes with unmodified classes are set with
63106 i_mutex_dir_key.
63107
63108 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
63109 Reviewed-by: Jan Kara <jack@suse.cz>
63110 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63111
63112commit 603590b0d2eca61ce26499eac9c563bc567a18c9
63113Author: Jan Kara <jack@suse.cz>
63114Date: Mon Feb 20 17:54:00 2012 +0100
63115
63116 udf: Fix deadlock in udf_release_file()
63117
63118 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
63119 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
63120 i_mutex is not needed in udf_release_file() anymore since protection by
63121 i_data_sem is enough to protect from races with write and truncate.
63122
63123 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
63124 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
63125 Signed-off-by: Jan Kara <jack@suse.cz>
63126 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63127
63128commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
63129Author: Miklos Szeredi <mszeredi@suse.cz>
63130Date: Tue Mar 6 13:56:33 2012 +0100
63131
63132 vfs: fix double put after complete_walk()
63133
63134 complete_walk() already puts nd->path, no need to do it again at cleanup time.
63135
63136 This would result in Oopses if triggered, apparently the codepath is not too
63137 well exercised.
63138
63139 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
63140 CC: stable@vger.kernel.org
63141 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63142
63143commit 13885ba2b18400f3ef6540497d30f1af896605e5
63144Author: Miklos Szeredi <mszeredi@suse.cz>
63145Date: Tue Mar 6 13:56:34 2012 +0100
63146
63147 vfs: fix return value from do_last()
63148
63149 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
63150 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
63151 which is complete nonsense.
63152
63153 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
63154 CC: stable@vger.kernel.org
63155 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63156
63157 Conflicts:
63158
63159 fs/namei.c
63160
63161commit f5ab7572c99ffb58953eb1070622307e904c3b7f
63162Author: Al Viro <viro@zeniv.linux.org.uk>
63163Date: Sat Mar 10 17:07:28 2012 -0500
63164
63165 restore smp_mb() in unlock_new_inode()
63166
63167 wait_on_inode() doesn't have ->i_lock
63168
63169 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63170
63171commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
63172Author: David S. Miller <davem@davemloft.net>
63173Date: Tue Mar 13 18:19:51 2012 -0700
63174
63175 sparc32: Add -Av8 to assembler command line.
63176
63177 Newer version of binutils are more strict about specifying the
63178 correct options to enable certain classes of instructions.
63179
63180 The sparc32 build is done for v7 in order to support sun4c systems
63181 which lack hardware integer multiply and divide instructions.
63182
63183 So we have to pass -Av8 when building the assembler routines that
63184 use these instructions and get patched into the kernel when we find
63185 out that we have a v8 capable cpu.
63186
63187 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
63188 Signed-off-by: David S. Miller <davem@davemloft.net>
63189
63190commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
63191Author: Thomas Gleixner <tglx@linutronix.de>
63192Date: Fri Mar 9 20:55:10 2012 +0100
63193
63194 x86: Derandom delay_tsc for 64 bit
63195
63196 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
63197 delay_tsc() into a random delay generator for 64 bit. The reason is
63198 that it merged the mostly identical versions of delay_32.c and
63199 delay_64.c. Though the subtle difference of the result was:
63200
63201 static void delay_tsc(unsigned long loops)
63202 {
63203 - unsigned bclock, now;
63204 + unsigned long bclock, now;
63205
63206 Now the function uses rdtscl() which returns the lower 32bit of the
63207 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
63208 bit this fails when the lower 32bit are close to wrap around when
63209 bclock is read, because the following check
63210
63211 if ((now - bclock) >= loops)
63212 break;
63213
63214 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
63215 because the unsigned long (now - bclock) of these values results in
63216 0xffffffff00000001 which is definitely larger than the loops
63217 value. That explains Tvortkos observation:
63218
63219 "Because I am seeing udelay(500) (_occasionally_) being short, and
63220 that by delaying for some duration between 0us (yep) and 491us."
63221
63222 Make those variables explicitely u32 again, so this works for both 32
63223 and 64 bit.
63224
63225 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
63226 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
63227 Cc: stable@vger.kernel.org # >= 2.6.27
63228 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63229
63230commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
63231Author: Al Viro <viro@ZenIV.linux.org.uk>
63232Date: Thu Mar 8 17:51:19 2012 +0000
63233
63234 aio: fix the "too late munmap()" race
63235
63236 Current code has put_ioctx() called asynchronously from aio_fput_routine();
63237 that's done *after* we have killed the request that used to pin ioctx,
63238 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
63239 from progressing. As the result, we can end up with async call of
63240 put_ioctx() being the last one and possibly happening during exit_mmap()
63241 or elf_core_dump(), neither of which expects stray munmap() being done
63242 to them...
63243
63244 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
63245 with that, but that's all we care about - neither io_destroy() nor
63246 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
63247 does really_put_req(), so the ioctx teardown won't be done until then
63248 and we don't care about the contents of ioctx past that point.
63249
63250 Since actual freeing of these suckers is RCU-delayed, we don't need to
63251 bump ioctx refcount when request goes into list for async removal.
63252 All we need is rcu_read_lock held just over the ->ctx_lock-protected
63253 area in aio_fput_routine().
63254
63255 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63256 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
63257 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
63258 Cc: stable@vger.kernel.org
63259 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63260
63261commit 002124c055afbf09b52226af65621999e8316448
63262Author: Al Viro <viro@ZenIV.linux.org.uk>
63263Date: Wed Mar 7 05:16:35 2012 +0000
63264
63265 aio: fix io_setup/io_destroy race
63266
63267 Have ioctx_alloc() return an extra reference, so that caller would drop it
63268 on success and not bother with re-grabbing it on failure exit. The current
63269 code is obviously broken - io_destroy() from another thread that managed
63270 to guess the address io_setup() would've returned would free ioctx right
63271 under us; gets especially interesting if aio_context_t * we pass to
63272 io_setup() points to PROT_READ mapping, so put_user() fails and we end
63273 up doing io_destroy() on kioctx another thread has just got freed...
63274
63275 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63276 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
63277 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
63278 Cc: stable@vger.kernel.org
63279 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63280
63281commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
63282Author: Dan Carpenter <dan.carpenter@oracle.com>
63283Date: Thu Mar 15 15:17:12 2012 -0700
63284
63285 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
63286
63287 strict_strtoul() writes a long but ->gamma_mode only has space to store an
63288 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
63289 well. I've changed it to use kstrtouint() instead.
63290
63291 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
63292 Acked-by: Inki Dae <inki.dae@samsung.com>
63293 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
63294 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
63295 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63296
63297commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
63298Merge: e4b05b6 eae671f
63299Author: Brad Spengler <spender@grsecurity.net>
63300Date: Fri Mar 16 21:04:27 2012 -0400
63301
63302 Merge branch 'pax-test' into grsec-test
63303
63304 Conflicts:
63305 security/Kconfig
63306
63307commit eae671fafe93f04685c04a089cc13efebc05d600
63308Author: Brad Spengler <spender@grsecurity.net>
63309Date: Fri Mar 16 20:58:01 2012 -0400
63310
63311 Update to pax-linux-3.2.11-test31.patch
63312 Introduction of the size_overflow plugin from Emese Revfy
63313 Many thanks to Emese for her hard work :)
63314
63315commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
63316Merge: e55aa68 258c015
63317Author: Brad Spengler <spender@grsecurity.net>
63318Date: Thu Mar 15 20:59:19 2012 -0400
63319
63320 Merge branch 'pax-test' into grsec-test
63321
63322commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
63323Author: Brad Spengler <spender@grsecurity.net>
63324Date: Thu Mar 15 20:59:05 2012 -0400
63325
63326 fix ARM compilation
63327
63328commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
63329Merge: 8f95ea9 55b7573
63330Author: Brad Spengler <spender@grsecurity.net>
63331Date: Wed Mar 14 19:33:41 2012 -0400
63332
63333 Merge branch 'pax-test' into grsec-test
63334
63335commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
63336Author: Brad Spengler <spender@grsecurity.net>
63337Date: Wed Mar 14 19:33:15 2012 -0400
63338
63339 Update to pax-linux-3.2.10-test28.patch
63340
63341commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
63342Merge: c8786a2 886ac5e
63343Author: Brad Spengler <spender@grsecurity.net>
63344Date: Tue Mar 13 17:38:13 2012 -0400
63345
63346 Merge branch 'pax-test' into grsec-test
63347
63348 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
63349
63350commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
63351Author: Brad Spengler <spender@grsecurity.net>
63352Date: Tue Mar 13 17:37:44 2012 -0400
63353
63354 Update to pax-linux-3.2.10-test26.patch
63355
63356commit c8786a2abed5e5327f68efa520c04db99bb6a63a
63357Merge: 219c982 c061fcf
63358Author: Brad Spengler <spender@grsecurity.net>
63359Date: Tue Mar 13 17:25:06 2012 -0400
63360
63361 Merge branch 'pax-test' into grsec-test
63362
63363commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
63364Merge: 89373d2 3f4b3b2
63365Author: Brad Spengler <spender@grsecurity.net>
63366Date: Tue Mar 13 17:25:02 2012 -0400
63367
63368 Merge branch 'linux-3.2.y' into pax-test
63369
63370commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
63371Merge: 54e19a3 89373d2
63372Author: Brad Spengler <spender@grsecurity.net>
63373Date: Mon Mar 12 17:23:57 2012 -0400
63374
63375 Merge branch 'pax-test' into grsec-test
63376
63377commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
63378Merge: a778588 7459f11
63379Author: Brad Spengler <spender@grsecurity.net>
63380Date: Mon Mar 12 17:23:49 2012 -0400
63381
63382 Merge branch 'linux-3.2.y' into pax-test
63383
63384commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
63385Merge: c4650f1 a778588
63386Author: Brad Spengler <spender@grsecurity.net>
63387Date: Mon Mar 12 16:51:25 2012 -0400
63388
63389 Merge branch 'pax-test' into grsec-test
63390
63391commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
63392Author: Brad Spengler <spender@grsecurity.net>
63393Date: Mon Mar 12 16:51:12 2012 -0400
63394
63395 Update to pax-linux-3.2.9-test24.patch
63396
63397commit c4650f14b13f84735fe3de06a1f3ff5776473eff
63398Merge: fb2abee 1015790
63399Author: Brad Spengler <spender@grsecurity.net>
63400Date: Sun Mar 11 21:08:28 2012 -0400
63401
63402 Merge branch 'pax-test' into grsec-test
63403
63404 Conflicts:
63405 security/Kconfig
63406
63407commit 101579028a736c224e590c7e12a7357018c424e1
63408Author: Brad Spengler <spender@grsecurity.net>
63409Date: Sun Mar 11 21:07:27 2012 -0400
63410
63411 Update to pax-linux-3.2.9-test22.patch
63412
63413commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
63414Author: Brad Spengler <spender@grsecurity.net>
63415Date: Sun Mar 11 11:02:17 2012 -0400
63416
63417 Allow 4096 CPUs
63418
63419commit 96bae28cbe6a41d48e3b56e5904814096e956000
63420Author: Brad Spengler <spender@grsecurity.net>
63421Date: Sun Mar 11 10:25:58 2012 -0400
63422
63423 Use a per-cpu 48-bit counter instead of a global atomic64
63424 Initialize each counter to have the cpu number in the lower 16 bits
63425 instead of incrementing the counter each time by 1, perform the increments
63426 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
63427 any state
63428 idea from PaX Team
63429
63430commit b975688101da6e966aebb1bc6b8c5c5983974f9c
63431Author: Brad Spengler <spender@grsecurity.net>
63432Date: Sat Mar 10 20:33:12 2012 -0500
63433
63434 Special vnsec edition! :)
63435 Further reduce argv/env allowance for suid/sgid apps to 512KB
63436 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
63437 Clear 3GB personality on suid/sgid binaries
63438 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
63439 with the main purpose of throwing off program stack -> arg/env alignment
63440 Update documentation
63441
63442commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
63443Author: Brad Spengler <spender@grsecurity.net>
63444Date: Sat Mar 10 19:54:47 2012 -0500
63445
63446 Resolve skbuff.h warnings that turn into errors during compilation in
63447 the grsecurity directory with -Werror
63448
63449commit 2023210ad43a944033fcacc660ce410888f562ee
63450Merge: ece4383 5f66adf
63451Author: Brad Spengler <spender@grsecurity.net>
63452Date: Fri Mar 9 19:48:01 2012 -0500
63453
63454 Merge branch 'pax-test' into grsec-test
63455
63456commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
63457Author: Brad Spengler <spender@grsecurity.net>
63458Date: Fri Mar 9 19:47:06 2012 -0500
63459
63460 Add colorize plugin
63461
63462commit ece4383e5e91c92d138c4df84225a70b552f4d69
63463Merge: a366d0e ab4a5a1
63464Author: Brad Spengler <spender@grsecurity.net>
63465Date: Fri Mar 9 17:56:46 2012 -0500
63466
63467 Merge branch 'pax-test' into grsec-test
63468
63469commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
63470Author: Brad Spengler <spender@grsecurity.net>
63471Date: Fri Mar 9 17:56:26 2012 -0500
63472
63473 Update to pax-linux-3.2.9-test21.patch
63474
63475commit a366d0ed963ce93fce10121c1100989d5f064e75
63476Author: Mikulas Patocka <mpatocka@redhat.com>
63477Date: Sun Mar 4 19:52:03 2012 -0500
63478
63479 mm: fix find_vma_prev
63480
63481 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
63482 management on PA-RISC.
63483
63484 After application of the patch, programs that allocate big arrays on the
63485 stack crash with segfault, for example, this will crash if compiled
63486 without optimization:
63487
63488 int main()
63489 {
63490 char array[200000];
63491 array[199999] = 0;
63492 return 0;
63493 }
63494
63495 The reason is that PA-RISC has up-growing stack and the stack is usually
63496 the last memory area. In the above example, a page fault happens above
63497 the stack.
63498
63499 Previously, if we passed too high address to find_vma_prev, it returned
63500 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
63501 change, it stores NULL in *pprev. Consequently, the stack area is not
63502 found and it is not expanded, as it used to be before the change.
63503
63504 This patch restores the old behavior and makes it return the last VMA in
63505 *pprev if the requested address is higher than address of any other VMA.
63506
63507 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
63508 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
63509 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63510
63511commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
63512Author: Hugh Dickins <hughd@google.com>
63513Date: Tue Mar 6 12:28:52 2012 -0800
63514
63515 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
63516
63517 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
63518 from shared anonymous: hoist the file case's -EINVAL up for both.
63519
63520 Signed-off-by: Hugh Dickins <hughd@google.com>
63521 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63522
63523commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
63524Author: Al Viro <viro@ZenIV.linux.org.uk>
63525Date: Mon Mar 5 06:38:42 2012 +0000
63526
63527 aout: move setup_arg_pages() prior to reading/mapping the binary
63528
63529 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63530 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63531
63532commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
63533Author: Jan Beulich <JBeulich@suse.com>
63534Date: Mon Mar 5 16:49:24 2012 +0000
63535
63536 vsprintf: make %pV handling compatible with kasprintf()
63537
63538 kasprintf() (and potentially other functions that I didn't run across so
63539 far) want to evaluate argument lists twice. Caring to do so for the
63540 primary list is obviously their job, but they can't reasonably be
63541 expected to check the format string for instances of %pV, which however
63542 need special handling too: On architectures like x86-64 (as opposed to
63543 e.g. ix86), using the same argument list twice doesn't produce the
63544 expected results, as an internally managed cursor gets updated during
63545 the first run.
63546
63547 Fix the problem by always acting on a copy of the original list when
63548 handling %pV.
63549
63550 Signed-off-by: Jan Beulich <jbeulich@suse.com>
63551 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63552
63553commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
63554Author: Al Viro <viro@ZenIV.linux.org.uk>
63555Date: Mon Mar 5 06:39:47 2012 +0000
63556
63557 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
63558
63559 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
63560 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63561
63562commit a831bd53764695ea680cc1fa3c98759a610ed2ac
63563Author: Christian König <deathsimple@vodafone.de>
63564Date: Tue Feb 28 23:19:20 2012 +0100
63565
63566 drm/radeon: fix uninitialized variable
63567
63568 Without this fix the driver randomly treats
63569 textures as arrays and I'm really wondering
63570 why gcc isn't complaining about it.
63571
63572 Signed-off-by: Christian König <deathsimple@vodafone.de>
63573 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
63574 Signed-off-by: Dave Airlie <airlied@redhat.com>
63575
63576commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
63577Author: H. Peter Anvin <hpa@zytor.com>
63578Date: Fri Mar 2 10:43:48 2012 -0800
63579
63580 regset: Prevent null pointer reference on readonly regsets
63581
63582 The regset common infrastructure assumed that regsets would always
63583 have .get and .set methods, but not necessarily .active methods.
63584 Unfortunately people have since written regsets without .set methods.
63585
63586 Rather than putting in stub functions everywhere, handle regsets with
63587 null .get or .set methods explicitly.
63588
63589 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
63590 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
63591 Acked-by: Roland McGrath <roland@hack.frob.com>
63592 Cc: <stable@vger.kernel.org>
63593 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63594
63595commit 072ddd99401c79b53c6bf6bff9deb93022124c79
63596Author: Brad Spengler <spender@grsecurity.net>
63597Date: Mon Mar 5 18:12:57 2012 -0500
63598
63599 Fix compiler errors reported on forums
63600
63601commit 1606774b48af24e6f99d99c624c0e447d4b66474
63602Merge: 3127bd5 4ca2ffd
63603Author: Brad Spengler <spender@grsecurity.net>
63604Date: Mon Mar 5 17:31:35 2012 -0500
63605
63606 Merge branch 'pax-test' into grsec-test
63607
63608commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
63609Author: Brad Spengler <spender@grsecurity.net>
63610Date: Mon Mar 5 17:31:21 2012 -0500
63611
63612 Update to pax-linux-3.2.9-test20.patch
63613
63614commit 3127bd581a292966b1057c7433219dac188c3720
63615Author: Brad Spengler <spender@grsecurity.net>
63616Date: Fri Mar 2 21:30:37 2012 -0500
63617
63618 Fix memory leak on logged exec_id check failure in /proc/pid/statm
63619 Thanks to Djalal Harouni for the report
63620
63621commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
63622Merge: 0a56be8 9aa8288
63623Author: Brad Spengler <spender@grsecurity.net>
63624Date: Fri Mar 2 18:38:22 2012 -0500
63625
63626 Merge branch 'pax-test' into grsec-test
63627
63628commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
63629Author: Brad Spengler <spender@grsecurity.net>
63630Date: Fri Mar 2 18:37:43 2012 -0500
63631
63632 Update to pax-linux-3.2.9-test19.patch
63633
63634commit 0a56be884bbd7ce733cac0b879c45383494d73b0
63635Merge: 9e66745 3f5c52a
63636Author: Brad Spengler <spender@grsecurity.net>
63637Date: Thu Mar 1 20:18:01 2012 -0500
63638
63639 Merge branch 'pax-test' into grsec-test
63640
63641commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
63642Author: Brad Spengler <spender@grsecurity.net>
63643Date: Thu Mar 1 20:16:56 2012 -0500
63644
63645 Update to pax-linux-3.2.9-test18.patch
63646
63647commit ae53ec231d12719a36bf871f8c5841020ed692ee
63648Merge: b255baf 44fb317
63649Author: Brad Spengler <spender@grsecurity.net>
63650Date: Thu Mar 1 20:15:31 2012 -0500
63651
63652 Merge branch 'linux-3.2.y' into pax-test
63653
63654commit 9e667456c03eadea2f305be761abe4de9a5877a3
63655Merge: 5e4e200 b255baf
63656Author: Brad Spengler <spender@grsecurity.net>
63657Date: Mon Feb 27 20:53:59 2012 -0500
63658
63659 Merge branch 'pax-test' into grsec-test
63660
63661commit b255baf50365d39b406f43aab2c64745607baaa2
63662Merge: 340ce90 1de504e
63663Author: Brad Spengler <spender@grsecurity.net>
63664Date: Mon Feb 27 20:53:29 2012 -0500
63665
63666 Merge branch 'linux-3.2.y' into pax-test
63667 Update to pax-linux-3.2.8-test17.patch
63668
63669 Conflicts:
63670 arch/x86/include/asm/i387.h
63671 arch/x86/kernel/process_32.c
63672 arch/x86/kernel/traps.c
63673
63674commit 5e4e200ac530452884b625cb75de240e1e98c731
63675Merge: 44306d7 340ce90
63676Author: Brad Spengler <spender@grsecurity.net>
63677Date: Mon Feb 27 18:02:13 2012 -0500
63678
63679 Merge branch 'pax-test' into grsec-test
63680
63681commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
63682Author: Brad Spengler <spender@grsecurity.net>
63683Date: Mon Feb 27 18:01:48 2012 -0500
63684
63685 Update to pax-linux-3.2.7-test17.patch
63686
63687commit 44306d7b3097f77e73040dd25f4f6750751bae7a
63688Merge: 29d0b07 521c411
63689Author: Brad Spengler <spender@grsecurity.net>
63690Date: Sun Feb 26 19:04:15 2012 -0500
63691
63692 Merge branch 'pax-test' into grsec-test
63693
63694 Conflicts:
63695 Makefile
63696
63697commit 521c411bb4ca66ce01146fde8bac9dd22414076d
63698Author: Brad Spengler <spender@grsecurity.net>
63699Date: Sun Feb 26 19:03:33 2012 -0500
63700
63701 Update to pax-linux-3.2.7-test16.patch
63702
63703commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
63704Author: Brad Spengler <spender@grsecurity.net>
63705Date: Sun Feb 26 17:12:44 2012 -0500
63706
63707 fix typo
63708
63709commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
63710Merge: f45b3be caa8f83
63711Author: Brad Spengler <spender@grsecurity.net>
63712Date: Sat Feb 25 20:59:27 2012 -0500
63713
63714 Merge branch 'pax-test' into grsec-test
63715
63716commit caa8f83456c4d0b204beefffaa1d1993f2348d08
63717Author: Brad Spengler <spender@grsecurity.net>
63718Date: Sat Feb 25 20:59:12 2012 -0500
63719
63720 Update to pax-linux-3.2.7-test15.patch
63721
63722commit f45b3be34a345502a302e736af9a65742ddef7cb
63723Merge: 62f35fd 9f1309b
63724Author: Brad Spengler <spender@grsecurity.net>
63725Date: Sat Feb 25 11:40:15 2012 -0500
63726
63727 Merge branch 'pax-test' into grsec-test
63728
63729commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
63730Author: Brad Spengler <spender@grsecurity.net>
63731Date: Sat Feb 25 11:39:57 2012 -0500
63732
63733 Update to pax-linux-3.2.7-test14.patch
63734
63735commit 62f35fdbecc58f2988fe13638d907b87a15776bb
63736Author: Brad Spengler <spender@grsecurity.net>
63737Date: Sat Feb 25 09:08:55 2012 -0500
63738
63739 We could log on attempted exploits of writing /proc/self/mem, but the current
63740 log function declares the access a read, so just swap the ordering for now
63741
63742commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
63743Author: Brad Spengler <spender@grsecurity.net>
63744Date: Sat Feb 25 08:46:14 2012 -0500
63745
63746 Log /proc/pid/mem attempts
63747
63748commit 674471e581893a94d475acac3e3c4496209b3ac9
63749Author: Brad Spengler <spender@grsecurity.net>
63750Date: Sat Feb 25 08:15:00 2012 -0500
63751
63752 Make use of f_version for protecting /proc file structs (fine since we're not a directory
63753 or seq_file)
63754
63755commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
63756Author: Brad Spengler <spender@grsecurity.net>
63757Date: Fri Feb 24 20:02:19 2012 -0500
63758
63759 Fix ia64 compilation
63760
63761commit 50dfea412fd395e0183c2ade368efa525d38b267
63762Merge: 12db845 4c6f99b
63763Author: Brad Spengler <spender@grsecurity.net>
63764Date: Fri Feb 24 19:00:53 2012 -0500
63765
63766 Merge branch 'pax-test' into grsec-test
63767
63768commit 4c6f99bf338e03966356b147d0360cb3b522a44f
63769Author: Brad Spengler <spender@grsecurity.net>
63770Date: Fri Feb 24 19:00:36 2012 -0500
63771
63772 (6:57:09 PM) pipacs: but you can be proactive
63773 (Fix other-arch atomic64/REFCOUNT compilation failures)
63774
63775commit 12db8453f6bb0a756f369c9151668ba1249bc478
63776Author: Brad Spengler <spender@grsecurity.net>
63777Date: Thu Feb 23 21:10:12 2012 -0500
63778
63779 Remove unnecessary copies, as suggested by solar
63780
63781commit cc02cab84368467ea03cb35f861a8a7092d91ab4
63782Author: Brad Spengler <spender@grsecurity.net>
63783Date: Thu Feb 23 20:59:35 2012 -0500
63784
63785 Make global_exec_counter static, as suggested by solar
63786
63787commit e642091a475ebb3a30e81f85e7751233d0c2af43
63788Author: Brad Spengler <spender@grsecurity.net>
63789Date: Thu Feb 23 19:00:26 2012 -0500
63790
63791 sync with stable tree
63792
63793commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
63794Author: Brad Spengler <spender@grsecurity.net>
63795Date: Thu Feb 23 18:48:47 2012 -0500
63796
63797 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
63798 Remove handling of old kludge in chmod/fchmod
63799
63800commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
63801Author: Brad Spengler <spender@grsecurity.net>
63802Date: Thu Feb 23 18:18:49 2012 -0500
63803
63804 Apply umask checks to chmod/fchmod as well, as requested by sponsor
63805 Union the enforced umask with the existing one to produce minimal privilege
63806 Change umask type to u16
63807
63808commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
63809Author: Brad Spengler <spender@grsecurity.net>
63810Date: Wed Feb 22 18:16:11 2012 -0500
63811
63812 Add per-role umask enforcement to RBAC, requested by a sponsor
63813
63814commit ad5ac943fe58199f1cc475912a39edb157acb77b
63815Merge: dda0bb5 41722e3
63816Author: Brad Spengler <spender@grsecurity.net>
63817Date: Mon Feb 20 20:04:42 2012 -0500
63818
63819 Merge branch 'pax-test' into grsec-test
63820
63821commit 41722e342e116d95f3d3556d66c97c888d752d39
63822Author: Brad Spengler <spender@grsecurity.net>
63823Date: Mon Feb 20 20:04:00 2012 -0500
63824
63825 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
63826 KERNEXEC plugin
63827
63828commit dda0bb57137846a476a866c60db2681aaf6052c0
63829Merge: 4fd554e d70927a
63830Author: Brad Spengler <spender@grsecurity.net>
63831Date: Mon Feb 20 20:01:41 2012 -0500
63832
63833 Merge branch 'pax-test' into grsec-test
63834
63835commit d70927afec977d489a54c106a3c3ddc32e953050
63836Merge: 1daebf1 9d0231c
63837Author: Brad Spengler <spender@grsecurity.net>
63838Date: Mon Feb 20 20:01:33 2012 -0500
63839
63840 Merge branch 'linux-3.2.y' into pax-test
63841
63842commit 4fd554e3a097b22c5049fcdc423897477deff5ef
63843Author: Brad Spengler <spender@grsecurity.net>
63844Date: Mon Feb 20 09:17:57 2012 -0500
63845
63846 Fix wrong logic on capability checks for switching roles, broke policies
63847 Thanks to Richard Kojedzinszky for reporting
63848
63849commit 12f97d52ac603f24344f8d71569c412a307e9422
63850Author: Brad Spengler <spender@grsecurity.net>
63851Date: Thu Feb 16 21:20:10 2012 -0500
63852
63853 sparc64 compile fix
63854
63855commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
63856Author: Brad Spengler <spender@grsecurity.net>
63857Date: Thu Feb 16 18:38:32 2012 -0500
63858
63859 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
63860
63861commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
63862Author: Brad Spengler <spender@grsecurity.net>
63863Date: Thu Feb 16 18:18:01 2012 -0500
63864
63865 optimize the check a bit
63866
63867commit 03159050f64989be44ae03be769cbed62a7cd2e5
63868Author: Brad Spengler <spender@grsecurity.net>
63869Date: Thu Feb 16 18:00:45 2012 -0500
63870
63871 smile VUPEN :D
63872 (limit argv+env to 1MB for suid/sgid binaries)
63873
63874commit dd759d8800d225a397e4de49fe729c7d601298d2
63875Author: Brad Spengler <spender@grsecurity.net>
63876Date: Thu Feb 16 17:49:33 2012 -0500
63877
63878 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
63879
63880commit 4de635bda8ebfb85312e3bf851bdbff93de400da
63881Author: Brad Spengler <spender@grsecurity.net>
63882Date: Thu Feb 16 17:45:06 2012 -0500
63883
63884 Change the long long type for exec_id to the proper u64
63885
63886commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
63887Author: Dan Carpenter <dan.carpenter@oracle.com>
63888Date: Thu Feb 9 00:46:47 2012 +0000
63889
63890 isdn: type bug in isdn_net_header()
63891
63892 We use len to store the return value from eth_header(). eth_header()
63893 can return -ETH_HLEN (-14). We want to pass this back instead of
63894 truncating it to 65522 and returning that.
63895
63896 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
63897 Acked-by: Neil Horman <nhorman@tuxdriver.com>
63898 Signed-off-by: David S. Miller <davem@davemloft.net>
63899
63900commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
63901Author: Heiko Carstens <heiko.carstens@de.ibm.com>
63902Date: Sat Feb 4 10:47:10 2012 +0100
63903
63904 exec: fix use-after-free bug in setup_new_exec()
63905
63906 Setting the task name is done within setup_new_exec() by accessing
63907 bprm->filename. However this happens after flush_old_exec().
63908 This may result in a use after free bug, flush_old_exec() may
63909 "complete" vfork_done, which will wake up the parent which in turn
63910 may free the passed in filename.
63911 To fix this add a new tcomm field in struct linux_binprm which
63912 contains the now early generated task name until it is used.
63913
63914 Fixes this bug on s390:
63915
63916 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
63917 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
63918 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
63919 Call Trace:
63920 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
63921 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
63922 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
63923 [<0000000000282b6c>] do_execve_common+0x410/0x514
63924 [<0000000000282cb6>] do_execve+0x46/0x58
63925 [<00000000005bce58>] kernel_execve+0x28/0x70
63926 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
63927 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
63928 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
63929 Last Breaking-Event-Address:
63930 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
63931
63932 Kernel panic - not syncing: Fatal exception: panic_on_oops
63933
63934 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
63935 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
63936 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
63937
63938commit d758ee9f5230893dabb5aab737b3109684bde196
63939Author: Dan Carpenter <dan.carpenter@oracle.com>
63940Date: Fri Feb 10 09:03:58 2012 +0100
63941
63942 relay: prevent integer overflow in relay_open()
63943
63944 "subbuf_size" and "n_subbufs" come from the user and they need to be
63945 capped to prevent an integer overflow.
63946
63947 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
63948 Cc: stable@kernel.org
63949 Signed-off-by: Jens Axboe <axboe@kernel.dk>
63950
63951commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
63952Merge: b1baadf 1daebf1
63953Author: Brad Spengler <spender@grsecurity.net>
63954Date: Mon Feb 13 17:47:04 2012 -0500
63955
63956 Merge branch 'pax-test' into grsec-test
63957
63958 Conflicts:
63959 fs/proc/base.c
63960
63961commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
63962Merge: 1413df2 c2db2e2
63963Author: Brad Spengler <spender@grsecurity.net>
63964Date: Mon Feb 13 17:45:54 2012 -0500
63965
63966 Merge branch 'linux-3.2.y' into pax-test
63967
63968commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
63969Author: Brad Spengler <spender@grsecurity.net>
63970Date: Sun Feb 12 16:44:05 2012 -0500
63971
63972 add missing declaration
63973
63974commit 3981059c35e8463002517935c28f3d74b8e3703c
63975Author: Brad Spengler <spender@grsecurity.net>
63976Date: Sun Feb 12 16:36:04 2012 -0500
63977
63978 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
63979 in addition to existing checks (this handles the setresuid ruid = euid case)
63980
63981commit 0beab03263c773f463412c350ad9064b44b6ede0
63982Author: Brad Spengler <spender@grsecurity.net>
63983Date: Sun Feb 12 16:13:40 2012 -0500
63984
63985 Revert setreuid changes when RBAC is enabled, breaks freeradius
63986 I'll fix the learning issue Lavish reported a different way through
63987 gradm modifications
63988
63989 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
63990
63991commit 0c61cb1cfbbfec7d07647268c922d51434d22621
63992Author: Brad Spengler <spender@grsecurity.net>
63993Date: Sat Feb 11 14:22:46 2012 -0500
63994
63995 copy exec_id on fork
63996
63997commit 000c08e0890630086b2ed04084050ed856a7ec31
63998Author: Brad Spengler <spender@grsecurity.net>
63999Date: Fri Feb 10 20:00:36 2012 -0500
64000
64001 compile fix
64002
64003commit 54b8c8f54484e5ee18040657827158bc4b63bccc
64004Author: Brad Spengler <spender@grsecurity.net>
64005Date: Fri Feb 10 19:19:52 2012 -0500
64006
64007 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
64008 denies reading of sensitive /proc/pid entries where the file descriptor
64009 was opened in a different task than the one performing the read
64010
64011commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
64012Author: Brad Spengler <spender@grsecurity.net>
64013Date: Fri Feb 10 17:43:24 2012 -0500
64014
64015 Remove duplicate signal check
64016
64017commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
64018Merge: 4eba97e 1413df2
64019Author: Brad Spengler <spender@grsecurity.net>
64020Date: Wed Feb 8 19:24:34 2012 -0500
64021
64022 Merge branch 'pax-test' into grsec-test
64023
64024commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
64025Author: Brad Spengler <spender@grsecurity.net>
64026Date: Wed Feb 8 19:24:08 2012 -0500
64027
64028 Merge changes from pax-linux-3.2.4-test11.patch
64029
64030commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
64031Merge: 0e058dd 8dd90a2
64032Author: Brad Spengler <spender@grsecurity.net>
64033Date: Mon Feb 6 17:50:12 2012 -0500
64034
64035 Merge branch 'pax-test' into grsec-test
64036
64037commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
64038Author: Brad Spengler <spender@grsecurity.net>
64039Date: Mon Feb 6 17:49:07 2012 -0500
64040
64041 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
64042
64043commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
64044Merge: 7e4169c 6133971
64045Author: Brad Spengler <spender@grsecurity.net>
64046Date: Mon Feb 6 17:48:57 2012 -0500
64047
64048 Merge branch 'linux-3.2.y' into pax-test
64049
64050commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
64051Author: Brad Spengler <spender@grsecurity.net>
64052Date: Sun Feb 5 19:24:45 2012 -0500
64053
64054 We now allow configurations with no PaX markings, giving the system no way to override the defaults
64055
64056commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
64057Author: Brad Spengler <spender@grsecurity.net>
64058Date: Sun Feb 5 10:01:23 2012 -0500
64059
64060 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
64061
64062commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
64063Author: Brad Spengler <spender@grsecurity.net>
64064Date: Sat Feb 4 21:01:16 2012 -0500
64065
64066 Improve security of ptrace-based monitoring/sandboxing
64067 See:
64068 http://article.gmane.org/gmane.linux.kernel.lsm/15156
64069
64070commit ca4ca5a1027b41f9528794e52a53ce9c47926101
64071Author: Brad Spengler <spender@grsecurity.net>
64072Date: Fri Feb 3 20:42:55 2012 -0500
64073
64074 fix typo
64075
64076commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
64077Author: Brad Spengler <spender@grsecurity.net>
64078Date: Fri Feb 3 20:25:38 2012 -0500
64079
64080 Reported by lavish on IRC:
64081 If a suid/sgid binary did not learn any setuid/setgid call during learning,
64082 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
64083 any restrictions on uid/gid changes. uid and gid can however be changed
64084 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
64085 euid/egid.
64086
64087 My fix:
64088 POSIX doesn't specify whether unprivileged users can perform the above
64089 setresuid/setresgid as an unprivileged user, though Linux has historically
64090 permitted them. Modify this behavior when RBAC is enabled to require
64091 CAP_SETUID/CAP_SETGID for these operations.
64092
64093 Thanks to Lavish for the report!
64094
64095 Conflicts:
64096
64097 kernel/sys.c
64098
64099commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
64100Merge: ba586eb 7e4169c
64101Author: Brad Spengler <spender@grsecurity.net>
64102Date: Fri Feb 3 20:10:21 2012 -0500
64103
64104 Merge branch 'pax-test' into grsec-test
64105
64106commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
64107Author: Brad Spengler <spender@grsecurity.net>
64108Date: Fri Feb 3 20:10:05 2012 -0500
64109
64110 Merge changes from pax-linux-3.2.4-test9.patch
64111
64112commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
64113Author: Christopher Yeoh <cyeoh@au1.ibm.com>
64114Date: Thu Feb 2 11:34:09 2012 +1030
64115
64116 Fix race in process_vm_rw_core
64117
64118 This fixes the race in process_vm_core found by Oleg (see
64119
64120 http://article.gmane.org/gmane.linux.kernel/1235667/
64121
64122 for details).
64123
64124 This has been updated since I last sent it as the creation of the new
64125 mm_access() function did almost exactly the same thing as parts of the
64126 previous version of this patch did.
64127
64128 In order to use mm_access() even when /proc isn't enabled, we move it to
64129 kernel/fork.c where other related process mm access functions already
64130 are.
64131
64132 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
64133 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64134
64135 Conflicts:
64136
64137 fs/proc/base.c
64138 mm/process_vm_access.c
64139
64140commit b9194d60fb9fe579f5c34817ed822abde18939a0
64141Author: Oleg Nesterov <oleg@redhat.com>
64142Date: Tue Jan 31 17:15:11 2012 +0100
64143
64144 proc: make sure mem_open() doesn't pin the target's memory
64145
64146 Once /proc/pid/mem is opened, the memory can't be released until
64147 mem_release() even if its owner exits.
64148
64149 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
64150 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
64151 before access_remote_vm(), this verifies that this mm is still alive.
64152
64153 I am not sure what should mem_rw() return if atomic_inc_not_zero()
64154 fails. With this patch it returns zero to match the "mm == NULL" case,
64155 may be it should return -EINVAL like it did before e268337d.
64156
64157 Perhaps it makes sense to add the additional fatal_signal_pending()
64158 check into the main loop, to ensure we do not hold this memory if
64159 the target task was oom-killed.
64160
64161 Cc: stable@kernel.org
64162 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
64163 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64164
64165commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
64166Author: Oleg Nesterov <oleg@redhat.com>
64167Date: Tue Jan 31 17:14:38 2012 +0100
64168
64169 proc: mem_release() should check mm != NULL
64170
64171 mem_release() can hit mm == NULL, add the necessary check.
64172
64173 Cc: stable@kernel.org
64174 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
64175 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64176
64177commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
64178Author: Oleg Nesterov <oleg@redhat.com>
64179Date: Tue Jan 31 17:14:54 2012 +0100
64180
64181 note: redisabled mem_write
64182
64183 proc: unify mem_read() and mem_write()
64184
64185 No functional changes, cleanup and preparation.
64186
64187 mem_read() and mem_write() are very similar. Move this code into the
64188 new common helper, mem_rw(), which takes the additional "int write"
64189 argument.
64190
64191 Cc: stable@kernel.org
64192 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
64193 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64194
64195 Conflicts:
64196
64197 fs/proc/base.c
64198
64199commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
64200Merge: 3903f01 01fee18
64201Author: Brad Spengler <spender@grsecurity.net>
64202Date: Fri Feb 3 19:50:40 2012 -0500
64203
64204 Merge branch 'pax-test' into grsec-test
64205
64206commit 01fee1851aef26b898ccba5312cabf1f919b74cb
64207Author: Brad Spengler <spender@grsecurity.net>
64208Date: Fri Feb 3 19:49:46 2012 -0500
64209
64210 Merge changes from pax-linux-3.2.4-test8.patch
64211
64212commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
64213Merge: 201c0db 141936c
64214Author: Brad Spengler <spender@grsecurity.net>
64215Date: Fri Feb 3 19:49:01 2012 -0500
64216
64217 Merge branch 'linux-3.2.y' into pax-test
64218
64219commit 3903f0172ecadf7a575ba3535402a1506133640a
64220Author: Brad Spengler <spender@grsecurity.net>
64221Date: Mon Jan 30 23:26:44 2012 -0500
64222
64223 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
64224
64225 We'll whitelist required directories for compatibility instead of requiring
64226 that people disable the feature entirely if they use SELinux, fuse, etc
64227
64228 Conflicts:
64229
64230 fs/sysfs/mount.c
64231
64232commit e3618feaa7e63807f1b88c199882075b3ec9bd05
64233Author: Brad Spengler <spender@grsecurity.net>
64234Date: Sun Jan 29 01:12:19 2012 -0500
64235
64236 perform RBAC check if TPE is on but match fails, matches previous behavior
64237
64238commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
64239Author: Brad Spengler <spender@grsecurity.net>
64240Date: Sat Jan 28 13:17:06 2012 -0500
64241
64242 log more information about the reason for a TPE denial for novice users, requested by a sponsor
64243
64244commit efefd67008cbad8a8591e2484410966a300a39a5
64245Author: Brad Spengler <spender@grsecurity.net>
64246Date: Fri Jan 27 19:58:53 2012 -0500
64247
64248 merge upstream sha512 changes
64249
64250commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
64251Author: Brad Spengler <spender@grsecurity.net>
64252Date: Fri Jan 27 19:49:07 2012 -0500
64253
64254 drop lock on error in xfs_readlink
64255
64256 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
64257
64258commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
64259Author: Li Wang <liwang@nudt.edu.cn>
64260Date: Thu Jan 19 09:44:36 2012 +0800
64261
64262 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
64263
64264 ecryptfs_write() can enter an infinite loop when truncating a file to a
64265 size larger than 4G. This only happens on architectures where size_t is
64266 represented by 32 bits.
64267
64268 This was caused by a size_t overflow due to it incorrectly being used to
64269 store the result of a calculation which uses potentially large values of
64270 type loff_t.
64271
64272 [tyhicks@canonical.com: rewrite subject and commit message]
64273 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
64274 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
64275 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
64276 Cc: <stable@vger.kernel.org>
64277 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
64278
64279commit a7607747d0f74f357d78bb796d70635dd05f46e8
64280Author: Tyler Hicks <tyhicks@canonical.com>
64281Date: Thu Jan 19 20:33:44 2012 -0600
64282
64283 eCryptfs: Check inode changes in setattr
64284
64285 Most filesystems call inode_change_ok() very early in ->setattr(), but
64286 eCryptfs didn't call it at all. It allowed the lower filesystem to make
64287 the call in its ->setattr() function. Then, eCryptfs would copy the
64288 appropriate inode attributes from the lower inode to the eCryptfs inode.
64289
64290 This patch changes that and actually calls inode_change_ok() on the
64291 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
64292 would happen earlier in ecryptfs_setattr(), but there are some possible
64293 inode initialization steps that must happen first.
64294
64295 Since the call was already being made on the lower inode, the change in
64296 functionality should be minimal, except for the case of a file extending
64297 truncate call. In that case, inode_newsize_ok() was never being
64298 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
64299 maximum file size errors early on, eCryptfs would encrypt zeroed pages
64300 and write them to the lower filesystem until the lower filesystem's
64301 write path caught the error in generic_write_checks(). This patch
64302 introduces a new function, called ecryptfs_inode_newsize_ok(), which
64303 checks if the new lower file size is within the appropriate limits when
64304 the truncate operation will be growing the lower file.
64305
64306 In summary this change prevents eCryptfs truncate operations (and the
64307 resulting page encryptions), which would exceed the lower filesystem
64308 limits or FSIZE rlimits, from ever starting.
64309
64310 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
64311 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
64312 Cc: <stable@vger.kernel.org>
64313
64314commit 0d96f190a39505254ace4e9330219aaeda9b64e3
64315Author: Tyler Hicks <tyhicks@canonical.com>
64316Date: Wed Jan 18 18:30:04 2012 -0600
64317
64318 eCryptfs: Make truncate path killable
64319
64320 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
64321 page, zeroes out the appropriate portions, and then encrypts the page
64322 before writing it to the lower filesystem. It was unkillable and due to
64323 the lack of sparse file support could result in tying up a large portion
64324 of system resources, while encrypting pages of zeros, with no way for
64325 the truncate operation to be stopped from userspace.
64326
64327 This patch adds the ability for ecryptfs_write() to detect a pending
64328 fatal signal and return as gracefully as possible. The intent is to
64329 leave the lower file in a useable state, while still allowing a user to
64330 break out of the encryption loop. If a pending fatal signal is detected,
64331 the eCryptfs inode size is updated to reflect the modified inode size
64332 and then -EINTR is returned.
64333
64334 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
64335 Cc: <stable@vger.kernel.org>
64336
64337commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
64338Author: Tyler Hicks <tyhicks@canonical.com>
64339Date: Tue Jan 24 10:02:22 2012 -0600
64340
64341 eCryptfs: Fix oops when printing debug info in extent crypto functions
64342
64343 If pages passed to the eCryptfs extent-based crypto functions are not
64344 mapped and the module parameter ecryptfs_verbosity=1 was specified at
64345 loading time, a NULL pointer dereference will occur.
64346
64347 Note that this wouldn't happen on a production system, as you wouldn't
64348 pass ecryptfs_verbosity=1 on a production system. It leaks private
64349 information to the system logs and is for debugging only.
64350
64351 The debugging info printed in these messages is no longer very useful
64352 and rather than doing a kmap() in these debugging paths, it will be
64353 better to simply remove the debugging paths completely.
64354
64355 https://launchpad.net/bugs/913651
64356
64357 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
64358 Reported-by: Daniel DeFreez
64359 Cc: <stable@vger.kernel.org>
64360
64361commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
64362Author: Tyler Hicks <tyhicks@canonical.com>
64363Date: Thu Jan 12 11:30:44 2012 +0100
64364
64365 eCryptfs: Sanitize write counts of /dev/ecryptfs
64366
64367 A malicious count value specified when writing to /dev/ecryptfs may
64368 result in a a very large kernel memory allocation.
64369
64370 This patch peeks at the specified packet payload size, adds that to the
64371 size of the packet headers and compares the result with the write count
64372 value. The resulting maximum memory allocation size is approximately 532
64373 bytes.
64374
64375 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
64376 Reported-by: Sasha Levin <levinsasha928@gmail.com>
64377 Cc: <stable@vger.kernel.org>
64378
64379commit 96dcb7282d323813181a1791f51c0ab7696b675b
64380Merge: 6c09fa5 201c0db
64381Author: Brad Spengler <spender@grsecurity.net>
64382Date: Fri Jan 27 19:44:15 2012 -0500
64383
64384 Merge branch 'pax-test' into grsec-test
64385
64386commit 201c0dbf177527367676028151e36d340923f033
64387Author: Brad Spengler <spender@grsecurity.net>
64388Date: Fri Jan 27 19:43:24 2012 -0500
64389
64390 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
64391 on loading modules with empty sections
64392
64393commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
64394Author: Brad Spengler <spender@grsecurity.net>
64395Date: Fri Jan 27 19:42:13 2012 -0500
64396
64397 compile fix
64398
64399commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
64400Author: Brad Spengler <spender@grsecurity.net>
64401Date: Fri Jan 27 19:39:28 2012 -0500
64402
64403 use LSM flags instead of duplicating checks
64404
64405commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
64406Merge: 44b9f11 558718b
64407Author: Brad Spengler <spender@grsecurity.net>
64408Date: Fri Jan 27 18:56:23 2012 -0500
64409
64410 Merge branch 'pax-test' into grsec-test
64411
64412commit 558718b2217beff69edf60f34a6f9893d910e9ac
64413Author: Brad Spengler <spender@grsecurity.net>
64414Date: Fri Jan 27 18:56:04 2012 -0500
64415
64416 Merge changes from pax-linux-3.2.2-test6.patch
64417
64418commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
64419Author: Brad Spengler <spender@grsecurity.net>
64420Date: Fri Jan 27 18:53:55 2012 -0500
64421
64422 don't increase the size of task_struct when unnecessary
64423 change ptrace_readexec log message
64424
64425commit a9c9626e054adb885883aa64f85506852894dd33
64426Author: Brad Spengler <spender@grsecurity.net>
64427Date: Fri Jan 27 18:16:28 2012 -0500
64428
64429 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
64430 the protection applies to all unreadable binaries.
64431
64432commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
64433Merge: 7b3f3af 05a1349
64434Author: Brad Spengler <spender@grsecurity.net>
64435Date: Wed Jan 25 20:52:09 2012 -0500
64436
64437 Merge branch 'pax-test' into grsec-test
64438
64439 Conflicts:
64440 block/scsi_ioctl.c
64441 drivers/scsi/sd.c
64442 fs/proc/base.c
64443
64444commit 05a134966efb9cb9346ad3422888969ffc79ac1d
64445Author: Brad Spengler <spender@grsecurity.net>
64446Date: Wed Jan 25 20:47:36 2012 -0500
64447
64448 Resync with pax-linux-3.2.2-test5.patch
64449
64450commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
64451Merge: c6d443d 3499d64
64452Author: Brad Spengler <spender@grsecurity.net>
64453Date: Wed Jan 25 20:45:16 2012 -0500
64454
64455 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
64456
64457 Conflicts:
64458 ipc/shm.c
64459
64460commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
64461Author: Brad Spengler <spender@grsecurity.net>
64462Date: Tue Jan 24 19:42:01 2012 -0500
64463
64464 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
64465 (may be changed if it breaks some userland), the other has its own
64466 config option
64467
64468 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
64469 the syscall or /proc/sys.
64470
64471 Second feature requires read access to a suid/sgid binary in order
64472 to ptrace it, preventing infoleaking of binaries in situations where
64473 the admin has specified 4711 or 2711 perms. Feature has been
64474 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
64475 a sysctl entry of ptrace_readexec
64476
64477commit 11a7bb25c411c9dccfdca5718639b4becdffd388
64478Author: Brad Spengler <spender@grsecurity.net>
64479Date: Sun Jan 22 14:37:10 2012 -0500
64480
64481 Compilation fixes
64482
64483commit cd400e21c7c352baba47d6f375297a7847afb33a
64484Author: Brad Spengler <spender@grsecurity.net>
64485Date: Sun Jan 22 14:20:27 2012 -0500
64486
64487 Initial port of grsecurity 2.2.2 for Linux 3.2.1
64488 Note that the new syscalls added to this kernel for remote process read/write
64489 are subject to ptrace hardening/other relevant RBAC features
64490 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
64491 as well
64492 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
64493 you should be using a version of gcc with plugin support
64494
64495commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
64496Author: Brad Spengler <spender@grsecurity.net>
64497Date: Sun Jan 22 11:47:31 2012 -0500
64498
64499 Import pax-linux-3.2.1-test5.patch
64500commit bfd7db842f835f9837cd43644459b3a95b0b488d
64501Author: Brad Spengler <spender@grsecurity.net>
64502Date: Sun Jan 22 11:02:02 2012 -0500
64503
64504 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
64505 instead of returning -EACCES
64506 thanks to Wraith from irc for the report
64507
64508commit 873ac13576506cd48ddb527c2540f274e249da50
64509Merge: 34083dd 8a44fcc
64510Author: Brad Spengler <spender@grsecurity.net>
64511Date: Fri Jan 20 18:04:02 2012 -0500
64512
64513 Merge branch 'pax-test' into grsec-test
64514
64515commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
64516Author: Brad Spengler <spender@grsecurity.net>
64517Date: Fri Jan 20 18:02:15 2012 -0500
64518
64519 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
64520 Denies executable shared memory when MPROTECT is active
64521 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
64522
64523commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
64524Author: Brad Spengler <spender@grsecurity.net>
64525Date: Thu Jan 19 20:23:14 2012 -0500
64526
64527 Introduce new GRKERNSEC_SETXID implementation
64528 We're not able to change the credentials of other threads in the process until at most
64529 one syscall after the first thread does it, since we mark the threads as needing rescheduling
64530 and such work occurs on syscall exit.
64531 This does however ensure that we're only modifying the current task's credentials
64532 which upholds RCU expectations
64533
64534 Many thanks to corsac for testing
64535
64536commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
64537Author: Brad Spengler <spender@grsecurity.net>
64538Date: Thu Jan 19 17:42:48 2012 -0500
64539
64540 Simplify backport
64541
64542commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
64543Author: Brad Spengler <spender@grsecurity.net>
64544Date: Thu Jan 19 17:08:16 2012 -0500
64545
64546 Commit the latest silent fix for a local privilege escalation from Linus
64547 Also disable writing to /proc/pid/mem
64548 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
64549
64550commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
64551Merge: 0394a3f 7e6299b
64552Author: Brad Spengler <spender@grsecurity.net>
64553Date: Wed Jan 18 20:22:09 2012 -0500
64554
64555 Merge branch 'pax-test' into grsec-test
64556
64557commit 7e6299b4733c082dde930375dd207b63237751ec
64558Merge: 83555fb 9bb1282
64559Author: Brad Spengler <spender@grsecurity.net>
64560Date: Wed Jan 18 20:21:37 2012 -0500
64561
64562 Merge branch 'linux-3.1.y' into pax-test
64563
64564commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
64565Author: Jesper Juhl <jj@chaosbits.net>
64566Date: Sun Jan 8 22:44:29 2012 +0100
64567
64568 audit: always follow va_copy() with va_end()
64569
64570 A call to va_copy() should always be followed by a call to va_end() in
64571 the same function. In kernel/autit.c::audit_log_vformat() this is not
64572 always done. This patch makes sure va_end() is always called.
64573
64574 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
64575 Cc: Al Viro <viro@zeniv.linux.org.uk>
64576 Cc: Eric Paris <eparis@redhat.com>
64577 Cc: Andrew Morton <akpm@linux-foundation.org>
64578 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64579
64580commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
64581Author: Andi Kleen <ak@linux.intel.com>
64582Date: Thu Jan 12 17:20:30 2012 -0800
64583
64584 panic: don't print redundant backtraces on oops
64585
64586 When an oops causes a panic and panic prints another backtrace it's pretty
64587 common to have the original oops data be scrolled away on a 80x50 screen.
64588
64589 The second backtrace is quite redundant and not needed anyways.
64590
64591 So don't print the panic backtrace when oops_in_progress is true.
64592
64593 [akpm@linux-foundation.org: add comment]
64594 Signed-off-by: Andi Kleen <ak@linux.intel.com>
64595 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
64596 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
64597 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64598
64599commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
64600Author: Miklos Szeredi <mszeredi@suse.cz>
64601Date: Thu Jan 12 17:59:46 2012 +0100
64602
64603 fsnotify: don't BUG in fsnotify_destroy_mark()
64604
64605 Removing the parent of a watched file results in "kernel BUG at
64606 fs/notify/mark.c:139".
64607
64608 To reproduce
64609
64610 add "-w /tmp/audit/dir/watched_file" to audit.rules
64611 rm -rf /tmp/audit/dir
64612
64613 This is caused by fsnotify_destroy_mark() being called without an
64614 extra reference taken by the caller.
64615
64616 Reported by Francesco Cosoleto here:
64617
64618 https://bugzilla.novell.com/show_bug.cgi?id=689860
64619
64620 Fix by removing the BUG_ON and adding a comment about not accessing mark after
64621 the iput.
64622
64623 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
64624 CC: stable@vger.kernel.org
64625 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64626
64627commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
64628Author: Paolo Bonzini <pbonzini@redhat.com>
64629Date: Thu Jan 12 16:01:28 2012 +0100
64630
64631 block: fail SCSI passthrough ioctls on partition devices
64632
64633 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
64634 will pass the command to the underlying block device. This is
64635 well-known, but it is also a large security problem when (via Unix
64636 permissions, ACLs, SELinux or a combination thereof) a program or user
64637 needs to be granted access only to part of the disk.
64638
64639 This patch lets partitions forward a small set of harmless ioctls;
64640 others are logged with printk so that we can see which ioctls are
64641 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
64642 Of course it was being sent to a (partition on a) hard disk, so it would
64643 have failed with ENOTTY and the patch isn't changing anything in
64644 practice. Still, I'm treating it specially to avoid spamming the logs.
64645
64646 In principle, this restriction should include programs running with
64647 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
64648 /dev/sdb, it still should not be able to read/write outside the
64649 boundaries of /dev/sda2 independent of the capabilities. However, for
64650 now programs with CAP_SYS_RAWIO will still be allowed to send the
64651 ioctls. Their actions will still be logged.
64652
64653 This patch does not affect the non-libata IDE driver. That driver
64654 however already tests for bd != bd->bd_contains before issuing some
64655 ioctl; it could be restricted further to forbid these ioctls even for
64656 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
64657
64658 Cc: linux-scsi@vger.kernel.org
64659 Cc: Jens Axboe <axboe@kernel.dk>
64660 Cc: James Bottomley <JBottomley@parallels.com>
64661 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
64662 [ Make it also print the command name when warning - Linus ]
64663 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64664
64665commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
64666Author: Paolo Bonzini <pbonzini@redhat.com>
64667Date: Thu Jan 12 16:01:27 2012 +0100
64668
64669 block: add and use scsi_blk_cmd_ioctl
64670
64671 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
64672
64673 The function will then be enhanced to detect partition block devices
64674 and, in that case, subject the ioctls to whitelisting.
64675
64676 Cc: linux-scsi@vger.kernel.org
64677 Cc: Jens Axboe <axboe@kernel.dk>
64678 Cc: James Bottomley <JBottomley@parallels.com>
64679 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
64680 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
64681
64682commit 97a79814903fc350e1d13704ea31528a42705401
64683Author: Kees Cook <keescook@chromium.org>
64684Date: Sat Jan 7 10:41:04 2012 -0800
64685
64686 audit: treat s_id as an untrusted string
64687
64688 The use of s_id should go through the untrusted string path, just to be
64689 extra careful.
64690
64691 Signed-off-by: Kees Cook <keescook@chromium.org>
64692 Acked-by: Mimi Zohar <zohar@us.ibm.com>
64693 Signed-off-by: Eric Paris <eparis@redhat.com>
64694
64695commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
64696Author: Xi Wang <xi.wang@gmail.com>
64697Date: Tue Dec 20 18:39:41 2011 -0500
64698
64699 audit: fix signedness bug in audit_log_execve_info()
64700
64701 In the loop, a size_t "len" is used to hold the return value of
64702 audit_log_single_execve_arg(), which returns -1 on error. In that
64703 case the error handling (len <= 0) will be bypassed since "len" is
64704 unsigned, and the loop continues with (p += len) being wrapped.
64705 Change the type of "len" to signed int to fix the error handling.
64706
64707 size_t len;
64708 ...
64709 for (...) {
64710 len = audit_log_single_execve_arg(...);
64711 if (len <= 0)
64712 break;
64713 p += len;
64714 }
64715
64716 Signed-off-by: Xi Wang <xi.wang@gmail.com>
64717 Signed-off-by: Eric Paris <eparis@redhat.com>
64718
64719commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
64720Author: Dan Carpenter <dan.carpenter@oracle.com>
64721Date: Tue Jan 17 03:28:51 2012 -0300
64722
64723 [media] ds3000: using logical && instead of bitwise &
64724
64725 The intent here was to test if the FE_HAS_LOCK was set. The current
64726 test is equivalent to "if (status) { ..."
64727
64728 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
64729 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
64730
64731commit 36522330dc59d2fc70c042f3f081d75c32b6259a
64732Author: Brad Spengler <spender@grsecurity.net>
64733Date: Mon Jan 16 13:10:38 2012 -0500
64734
64735 Ignore the 0 signal for protected task RBAC checks
64736
64737commit d513acd55f7a683f6e146a4f570cdb63300479ab
64738Author: Brad Spengler <spender@grsecurity.net>
64739Date: Mon Jan 16 11:56:13 2012 -0500
64740
64741 whitespace cleanup
64742
64743commit ced261c4b82818c700aff8487f647f6f3e5b5122
64744Merge: d48751f 83555fb
64745Author: Brad Spengler <spender@grsecurity.net>
64746Date: Fri Jan 13 20:12:54 2012 -0500
64747
64748 Merge branch 'pax-test' into grsec-test
64749
64750commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
64751Merge: fcd8129 93dad39
64752Author: Brad Spengler <spender@grsecurity.net>
64753Date: Fri Jan 13 20:12:43 2012 -0500
64754
64755 Merge branch 'linux-3.1.y' into pax-test
64756
64757commit d48751f3919ae855fda0ff6c149db82442329253
64758Author: Brad Spengler <spender@grsecurity.net>
64759Date: Wed Jan 11 19:05:47 2012 -0500
64760
64761 Call our own set_user when forcing change to new id
64762
64763commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
64764Merge: e6578ff fcd8129
64765Author: Brad Spengler <spender@grsecurity.net>
64766Date: Tue Jan 10 16:00:10 2012 -0500
64767
64768 Merge branch 'pax-test' into grsec-test
64769
64770commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
64771Author: Brad Spengler <spender@grsecurity.net>
64772Date: Tue Jan 10 15:58:43 2012 -0500
64773
64774 Merge changes from pax-linux-3.1.8-test23.patch
64775
64776commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
64777Merge: 8859ec3 a120549
64778Author: Brad Spengler <spender@grsecurity.net>
64779Date: Fri Jan 6 21:45:56 2012 -0500
64780
64781 Merge branch 'pax-test' into grsec-test
64782
64783commit a12054967a77090de1caa07c41e694a77db4e237
64784Author: Brad Spengler <spender@grsecurity.net>
64785Date: Fri Jan 6 21:45:30 2012 -0500
64786
64787 Merge changes from pax-linux-3.1.8-test22.patch
64788
64789commit 8859ec32f9815c274df65448f9f2960176c380d3
64790Merge: a5016b4 ddd4114
64791Author: Brad Spengler <spender@grsecurity.net>
64792Date: Fri Jan 6 21:26:08 2012 -0500
64793
64794 Merge branch 'pax-test' into grsec-test
64795
64796 Conflicts:
64797 fs/binfmt_elf.c
64798 security/Kconfig
64799
64800commit ddd41147e158a79704983a409b7433eba797cf66
64801Author: Brad Spengler <spender@grsecurity.net>
64802Date: Fri Jan 6 21:12:42 2012 -0500
64803
64804 Resync with PaX patch (whitespace difference)
64805
64806commit 29e569df8205c5f0e043fe4803aa984406c8b118
64807Author: Brad Spengler <spender@grsecurity.net>
64808Date: Fri Jan 6 21:09:47 2012 -0500
64809
64810 Merge changes from pax-linux-3.1.8-test21.patch
64811
64812commit a5016b4f9c09c337b17e063a7f369af1e86d944d
64813Merge: 0124c92 04231d5
64814Author: Brad Spengler <spender@grsecurity.net>
64815Date: Fri Jan 6 18:52:20 2012 -0500
64816
64817 Merge branch 'pax-test' into grsec-test
64818
64819commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
64820Merge: 7bdddeb a919904
64821Author: Brad Spengler <spender@grsecurity.net>
64822Date: Fri Jan 6 18:51:50 2012 -0500
64823
64824 Merge branch 'linux-3.1.y' into pax-test
64825
64826 Conflicts:
64827 include/net/flow.h
64828
64829commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
64830Author: Brad Spengler <spender@grsecurity.net>
64831Date: Fri Jan 6 18:33:05 2012 -0500
64832
64833 Make GRKERNSEC_SETXID option compatible with credential debugging
64834
64835commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
64836Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
64837Date: Wed Dec 28 15:57:11 2011 -0800
64838
64839 mm/mempolicy.c: refix mbind_range() vma issue
64840
64841 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
64842 slightly incorrect fix.
64843
64844 Why? Think following case.
64845
64846 1. map 4 pages of a file at offset 0
64847
64848 [0123]
64849
64850 2. map 2 pages just after the first mapping of the same file but with
64851 page offset 2
64852
64853 [0123][23]
64854
64855 3. mbind() 2 pages from the first mapping at offset 2.
64856 mbind_range() should treat new vma is,
64857
64858 [0123][23]
64859 |23|
64860 mbind vma
64861
64862 but it does
64863
64864 [0123][23]
64865 |01|
64866 mbind vma
64867
64868 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
64869
64870 This patch fixes it.
64871
64872 [testcase]
64873 test result - before the patch
64874
64875 case4: 126: test failed. expect '2,4', actual '2,2,2'
64876 case5: passed
64877 case6: passed
64878 case7: passed
64879 case8: passed
64880 case_n: 246: test failed. expect '4,2', actual '1,4'
64881
64882 ------------[ cut here ]------------
64883 kernel BUG at mm/filemap.c:135!
64884 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
64885
64886 (snip long bug on messages)
64887
64888 test result - after the patch
64889
64890 case4: passed
64891 case5: passed
64892 case6: passed
64893 case7: passed
64894 case8: passed
64895 case_n: passed
64896
64897 source: mbind_vma_test.c
64898 ============================================================
64899 #include <numaif.h>
64900 #include <numa.h>
64901 #include <sys/mman.h>
64902 #include <stdio.h>
64903 #include <unistd.h>
64904 #include <stdlib.h>
64905 #include <string.h>
64906
64907 static unsigned long pagesize;
64908 void* mmap_addr;
64909 struct bitmask *nmask;
64910 char buf[1024];
64911 FILE *file;
64912 char retbuf[10240] = "";
64913 int mapped_fd;
64914
64915 char *rubysrc = "ruby -e '\
64916 pid = %d; \
64917 vstart = 0x%llx; \
64918 vend = 0x%llx; \
64919 s = `pmap -q #{pid}`; \
64920 rary = []; \
64921 s.each_line {|line|; \
64922 ary=line.split(\" \"); \
64923 addr = ary[0].to_i(16); \
64924 if(vstart <= addr && addr < vend) then \
64925 rary.push(ary[1].to_i()/4); \
64926 end; \
64927 }; \
64928 print rary.join(\",\"); \
64929 '";
64930
64931 void init(void)
64932 {
64933 void* addr;
64934 char buf[128];
64935
64936 nmask = numa_allocate_nodemask();
64937 numa_bitmask_setbit(nmask, 0);
64938
64939 pagesize = getpagesize();
64940
64941 sprintf(buf, "%s", "mbind_vma_XXXXXX");
64942 mapped_fd = mkstemp(buf);
64943 if (mapped_fd == -1)
64944 perror("mkstemp "), exit(1);
64945 unlink(buf);
64946
64947 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
64948 perror("lseek "), exit(1);
64949 if (write(mapped_fd, "\0", 1) < 0)
64950 perror("write "), exit(1);
64951
64952 addr = mmap(NULL, pagesize*8, PROT_NONE,
64953 MAP_SHARED, mapped_fd, 0);
64954 if (addr == MAP_FAILED)
64955 perror("mmap "), exit(1);
64956
64957 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
64958 perror("mprotect "), exit(1);
64959
64960 mmap_addr = addr + pagesize;
64961
64962 /* make page populate */
64963 memset(mmap_addr, 0, pagesize*6);
64964 }
64965
64966 void fin(void)
64967 {
64968 void* addr = mmap_addr - pagesize;
64969 munmap(addr, pagesize*8);
64970
64971 memset(buf, 0, sizeof(buf));
64972 memset(retbuf, 0, sizeof(retbuf));
64973 }
64974
64975 void mem_bind(int index, int len)
64976 {
64977 int err;
64978
64979 err = mbind(mmap_addr+pagesize*index, pagesize*len,
64980 MPOL_BIND, nmask->maskp, nmask->size, 0);
64981 if (err)
64982 perror("mbind "), exit(err);
64983 }
64984
64985 void mem_interleave(int index, int len)
64986 {
64987 int err;
64988
64989 err = mbind(mmap_addr+pagesize*index, pagesize*len,
64990 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
64991 if (err)
64992 perror("mbind "), exit(err);
64993 }
64994
64995 void mem_unbind(int index, int len)
64996 {
64997 int err;
64998
64999 err = mbind(mmap_addr+pagesize*index, pagesize*len,
65000 MPOL_DEFAULT, NULL, 0, 0);
65001 if (err)
65002 perror("mbind "), exit(err);
65003 }
65004
65005 void Assert(char *expected, char *value, char *name, int line)
65006 {
65007 if (strcmp(expected, value) == 0) {
65008 fprintf(stderr, "%s: passed\n", name);
65009 return;
65010 }
65011 else {
65012 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
65013 name, line,
65014 expected, value);
65015 // exit(1);
65016 }
65017 }
65018
65019 /*
65020 AAAA
65021 PPPPPPNNNNNN
65022 might become
65023 PPNNNNNNNNNN
65024 case 4 below
65025 */
65026 void case4(void)
65027 {
65028 init();
65029 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
65030
65031 mem_bind(0, 4);
65032 mem_unbind(2, 2);
65033
65034 file = popen(buf, "r");
65035 fread(retbuf, sizeof(retbuf), 1, file);
65036 Assert("2,4", retbuf, "case4", __LINE__);
65037
65038 fin();
65039 }
65040
65041 /*
65042 AAAA
65043 PPPPPPNNNNNN
65044 might become
65045 PPPPPPPPPPNN
65046 case 5 below
65047 */
65048 void case5(void)
65049 {
65050 init();
65051 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
65052
65053 mem_bind(0, 2);
65054 mem_bind(2, 2);
65055
65056 file = popen(buf, "r");
65057 fread(retbuf, sizeof(retbuf), 1, file);
65058 Assert("4,2", retbuf, "case5", __LINE__);
65059
65060 fin();
65061 }
65062
65063 /*
65064 AAAA
65065 PPPPNNNNXXXX
65066 might become
65067 PPPPPPPPPPPP 6
65068 */
65069 void case6(void)
65070 {
65071 init();
65072 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
65073
65074 mem_bind(0, 2);
65075 mem_bind(4, 2);
65076 mem_bind(2, 2);
65077
65078 file = popen(buf, "r");
65079 fread(retbuf, sizeof(retbuf), 1, file);
65080 Assert("6", retbuf, "case6", __LINE__);
65081
65082 fin();
65083 }
65084
65085 /*
65086 AAAA
65087 PPPPNNNNXXXX
65088 might become
65089 PPPPPPPPXXXX 7
65090 */
65091 void case7(void)
65092 {
65093 init();
65094 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
65095
65096 mem_bind(0, 2);
65097 mem_interleave(4, 2);
65098 mem_bind(2, 2);
65099
65100 file = popen(buf, "r");
65101 fread(retbuf, sizeof(retbuf), 1, file);
65102 Assert("4,2", retbuf, "case7", __LINE__);
65103
65104 fin();
65105 }
65106
65107 /*
65108 AAAA
65109 PPPPNNNNXXXX
65110 might become
65111 PPPPNNNNNNNN 8
65112 */
65113 void case8(void)
65114 {
65115 init();
65116 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
65117
65118 mem_bind(0, 2);
65119 mem_interleave(4, 2);
65120 mem_interleave(2, 2);
65121
65122 file = popen(buf, "r");
65123 fread(retbuf, sizeof(retbuf), 1, file);
65124 Assert("2,4", retbuf, "case8", __LINE__);
65125
65126 fin();
65127 }
65128
65129 void case_n(void)
65130 {
65131 init();
65132 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
65133
65134 /* make redundunt mappings [0][1234][34][7] */
65135 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
65136 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
65137
65138 /* Expect to do nothing. */
65139 mem_unbind(2, 2);
65140
65141 file = popen(buf, "r");
65142 fread(retbuf, sizeof(retbuf), 1, file);
65143 Assert("4,2", retbuf, "case_n", __LINE__);
65144
65145 fin();
65146 }
65147
65148 int main(int argc, char** argv)
65149 {
65150 case4();
65151 case5();
65152 case6();
65153 case7();
65154 case8();
65155 case_n();
65156
65157 return 0;
65158 }
65159 =============================================================
65160
65161 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
65162 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
65163 Cc: Minchan Kim <minchan.kim@gmail.com>
65164 Cc: Caspar Zhang <caspar@casparzhang.com>
65165 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
65166 Cc: Christoph Lameter <cl@linux.com>
65167 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
65168 Cc: Mel Gorman <mel@csn.ul.ie>
65169 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
65170 Cc: <stable@vger.kernel.org> [3.1.x]
65171 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
65172 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
65173
65174commit f3a1082005781777086df235049f8c0b7efe524e
65175Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
65176Date: Tue Dec 27 22:32:41 2011 -0500
65177
65178 packet: fix possible dev refcnt leak when bind fail
65179
65180 If bind is fail when bind is called after set PACKET_FANOUT
65181 sock option, the dev refcnt will leak.
65182
65183 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
65184 Signed-off-by: David S. Miller <davem@davemloft.net>
65185
65186commit 915f8b08dac68839dc7204ee81cf9852fda16d24
65187Author: Haogang Chen <haogangchen@gmail.com>
65188Date: Mon Dec 19 17:11:56 2011 -0800
65189
65190 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
65191
65192 There is a potential integer overflow in nilfs_ioctl_clean_segments().
65193 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
65194 call to vmalloc() will allocate a buffer smaller than expected, which
65195 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
65196 lfs_clean_segments().
65197
65198 The following check does not prevent the overflow because nsegs is also
65199 controlled by the userspace and could be very large.
65200
65201 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
65202 goto out_free;
65203
65204 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
65205 returns -EINVAL when overflow.
65206
65207 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
65208 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
65209 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
65210 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
65211
65212commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
65213Author: Kautuk Consul <consul.kautuk@gmail.com>
65214Date: Mon Dec 19 17:12:04 2011 -0800
65215
65216 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
65217
65218 Static storage is not required for the struct vmap_area in
65219 __get_vm_area_node.
65220
65221 Removing "static" to store this variable on the stack instead.
65222
65223 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
65224 Acked-by: David Rientjes <rientjes@google.com>
65225 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
65226 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
65227
65228commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
65229Author: Michel Lespinasse <walken@google.com>
65230Date: Mon Dec 19 17:12:06 2011 -0800
65231
65232 binary_sysctl(): fix memory leak
65233
65234 binary_sysctl() calls sysctl_getname() which allocates from names_cache
65235 slab usin __getname()
65236
65237 The matching function to free the name is __putname(), and not putname()
65238 which should be used only to match getname() allocations.
65239
65240 This is because when auditing is enabled, putname() calls audit_putname
65241 *instead* (not in addition) to __putname(). Then, if a syscall is in
65242 progress, audit_putname does not release the name - instead, it expects
65243 the name to get released when the syscall completes, but that will happen
65244 only if audit_getname() was called previously, i.e. if the name was
65245 allocated with getname() rather than the naked __getname(). So,
65246 __getname() followed by putname() ends up leaking memory.
65247
65248 Signed-off-by: Michel Lespinasse <walken@google.com>
65249 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
65250 Cc: Christoph Hellwig <hch@infradead.org>
65251 Cc: Eric Paris <eparis@redhat.com>
65252 Cc: <stable@vger.kernel.org>
65253 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
65254 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
65255
65256commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
65257Author: Sean Hefty <sean.hefty@intel.com>
65258Date: Tue Dec 6 21:17:11 2011 +0000
65259
65260 RDMA/cma: Verify private data length
65261
65262 private_data_len is defined as a u8. If the user specifies a large
65263 private_data size (> 220 bytes), we will calculate a total length that
65264 exceeds 255, resulting in private_data_len wrapping back to 0. This
65265 can lead to overwriting random kernel memory. Avoid this by verifying
65266 that the resulting size fits into a u8.
65267
65268 Reported-by: B. Thery <benjamin.thery@bull.net>
65269 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
65270 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
65271 Signed-off-by: Roland Dreier <roland@purestorage.com>
65272
65273commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
65274Author: Xi Wang <xi.wang@gmail.com>
65275Date: Sun Dec 11 23:40:56 2011 -0800
65276
65277 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
65278
65279 The error check (intr_status < 0) didn't work because intr_status is
65280 a u8. Change its type to signed int.
65281
65282 Signed-off-by: Xi Wang <xi.wang@gmail.com>
65283 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
65284
65285commit e27f34e383d7863b2528a63b81b23db09781f6b6
65286Author: Xi Wang <xi.wang@gmail.com>
65287Date: Fri Dec 16 12:44:15 2011 +0000
65288
65289 sctp: fix incorrect overflow check on autoclose
65290
65291 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
65292 limiting the autoclose value. If userspace passes in -1 on 32-bit
65293 platform, the overflow check didn't work and autoclose would be set
65294 to 0xffffffff.
65295
65296 This patch defines a max_autoclose (in seconds) for limiting the value
65297 and exposes it through sysctl, with the following intentions.
65298
65299 1) Avoid overflowing autoclose * HZ.
65300
65301 2) Keep the default autoclose bound consistent across 32- and 64-bit
65302 platforms (INT_MAX / HZ in this patch).
65303
65304 3) Keep the autoclose value consistent between setsockopt() and
65305 getsockopt() calls.
65306
65307 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
65308 Signed-off-by: Xi Wang <xi.wang@gmail.com>
65309 Signed-off-by: David S. Miller <davem@davemloft.net>
65310
65311commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
65312Author: Xi Wang <xi.wang@gmail.com>
65313Date: Wed Dec 21 05:18:33 2011 -0500
65314
65315 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
65316
65317 Commit e133e737 didn't correctly fix the integer overflow issue.
65318
65319 - unsigned int required_size;
65320 + u64 required_size;
65321 ...
65322 required_size = mode_cmd->pitch * mode_cmd->height;
65323 - if (unlikely(required_size > dev_priv->vram_size)) {
65324 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
65325
65326 Note that both pitch and height are u32. Their product is still u32 and
65327 would overflow before being assigned to required_size. A correct way is
65328 to convert pitch and height to u64 before the multiplication.
65329
65330 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
65331
65332 This patch calls the existing vmw_kms_validate_mode_vram() for
65333 validation.
65334
65335 Signed-off-by: Xi Wang <xi.wang@gmail.com>
65336 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
65337 Signed-off-by: Dave Airlie <airlied@redhat.com>
65338
65339 Conflicts:
65340
65341 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
65342
65343commit eb8f0bd01fb994c9abc77dc84729794cd841753d
65344Author: Xi Wang <xi.wang@gmail.com>
65345Date: Thu Dec 22 13:35:22 2011 +0000
65346
65347 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
65348
65349 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
65350 cause a kernel oops due to insufficient bounds checking.
65351
65352 if (count > 1<<30) {
65353 /* Enforce a limit to prevent overflow */
65354 return -EINVAL;
65355 }
65356 count = roundup_pow_of_two(count);
65357 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
65358
65359 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
65360
65361 ... + (count * sizeof(struct rps_dev_flow))
65362
65363 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
65364 32 bits.
65365
65366 This patch replaces the magic number (1 << 30) with a symbolic bound.
65367
65368 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
65369 Signed-off-by: Xi Wang <xi.wang@gmail.com>
65370 Signed-off-by: David S. Miller <davem@davemloft.net>
65371
65372commit 648188958672024b616c42c1f6c98c8cfc85619d
65373Author: Xi Wang <xi.wang@gmail.com>
65374Date: Fri Dec 30 10:40:17 2011 -0500
65375
65376 netfilter: ctnetlink: fix timeout calculation
65377
65378 The sanity check (timeout < 0) never works; the dividend is unsigned
65379 and so is the division, which should have been a signed division.
65380
65381 long timeout = (ct->timeout.expires - jiffies) / HZ;
65382 if (timeout < 0)
65383 timeout = 0;
65384
65385 This patch converts the time values to signed for the division.
65386
65387 Signed-off-by: Xi Wang <xi.wang@gmail.com>
65388 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
65389
65390commit ab03a0973cee73f88655ff4981812ad316a6cd59
65391Merge: 76f82df 7bdddeb
65392Author: Brad Spengler <spender@grsecurity.net>
65393Date: Tue Jan 3 17:42:50 2012 -0500
65394
65395 Merge branch 'pax-test' into grsec-test
65396
65397commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
65398Merge: 3e59cb5 55cc81a
65399Author: Brad Spengler <spender@grsecurity.net>
65400Date: Tue Jan 3 17:42:36 2012 -0500
65401
65402 Merge branch 'linux-3.1.y' into pax-test
65403
65404commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
65405Author: Brad Spengler <spender@grsecurity.net>
65406Date: Thu Dec 22 20:15:02 2011 -0500
65407
65408 Only further restrict futex targeting another process -- our modified
65409 permission check also happened to allow a case where a process retaining
65410 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
65411 being non-zero (reported on forums by ben_w)
65412
65413commit 6b235a4450a5fea41663ec35fa0608988b6078c6
65414Merge: 97c16f0 3e59cb5
65415Author: Brad Spengler <spender@grsecurity.net>
65416Date: Thu Dec 22 19:11:06 2011 -0500
65417
65418 Merge branch 'pax-test' into grsec-test
65419
65420 Conflicts:
65421 fs/hfs/btree.c
65422
65423commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
65424Merge: 285eb4e c26f60b
65425Author: Brad Spengler <spender@grsecurity.net>
65426Date: Thu Dec 22 19:09:57 2011 -0500
65427
65428 Merge branch 'linux-3.1.y' into pax-test
65429
65430 Conflicts:
65431 arch/x86/kernel/process.c
65432
65433commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
65434Author: Brad Spengler <spender@grsecurity.net>
65435Date: Mon Dec 19 21:54:01 2011 -0500
65436
65437 Add new option: "Enforce consistent multithreaded privileges"
65438
65439commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
65440Author: Brad Spengler <spender@grsecurity.net>
65441Date: Wed Dec 7 19:58:31 2011 -0500
65442
65443 Remove harmless duplicate code -- exec_file would be null already so the
65444 second check would never pass.
65445
65446commit 4e3304e94aa72737810bc50169519af157dce4ce
65447Author: Brad Spengler <spender@grsecurity.net>
65448Date: Wed Dec 7 19:50:39 2011 -0500
65449
65450 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
65451 depended on for attaching to a thread. Entries exist in /proc for
65452 threads, but are not visible in a readdir.
65453
65454commit 1bd899335f23815cfe8deac44c6b346398f3b95e
65455Author: Brad Spengler <spender@grsecurity.net>
65456Date: Sun Dec 4 18:03:28 2011 -0500
65457
65458 Put the already-walked path if in RCU-walk mode
65459
65460commit ec7ae36b7159f10649709779443a988662965d66
65461Author: Brad Spengler <spender@grsecurity.net>
65462Date: Sun Dec 4 17:35:21 2011 -0500
65463
65464 Fix memory leak introduced by recent (unpublished) commit
65465 75ab998b94a29d464518d6d501bdde3fbfcbfa14
65466
65467commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
65468Author: Brad Spengler <spender@grsecurity.net>
65469Date: Sun Dec 4 13:56:10 2011 -0500
65470
65471 Explicitly check size copied to userland in override_release to silence gcc
65472
65473commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
65474Author: Brad Spengler <spender@grsecurity.net>
65475Date: Sun Dec 4 13:54:02 2011 -0500
65476
65477 Initialize variable to silence erroneous gcc warning
65478
65479commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
65480Author: Brad Spengler <spender@grsecurity.net>
65481Date: Sun Dec 4 13:47:47 2011 -0500
65482
65483 Future-proof other potential RCU-aware locations where we can log.
65484
65485commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
65486Author: Brad Spengler <spender@grsecurity.net>
65487Date: Sun Dec 4 13:02:54 2011 -0500
65488
65489 Fix freeze reported by 'vs' on the forums. Bug occurred due to
65490 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
65491 in generic_permission() was in the task's effective set but disallowed by
65492 RBAC, would block when acquiring locks resulting in the freeze.
65493
65494 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
65495 as being required when CAP_DAC_OVERRIDE is present (consistent with
65496 older patches).
65497
65498commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
65499Author: Xi Wang <xi.wang@gmail.com>
65500Date: Tue Nov 29 09:26:30 2011 +0000
65501
65502 sctp: better integer overflow check in sctp_auth_create_key()
65503
65504 The check from commit 30c2235c is incomplete and cannot prevent
65505 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
65506 left-hand side of the check (INT_MAX - key_len), which is unsigned,
65507 becomes 0xffffffff (UINT_MAX) and bypasses the check.
65508
65509 However this shouldn't be a security issue. The function is called
65510 from the following two code paths:
65511
65512 1) setsockopt()
65513
65514 2) sctp_auth_asoc_set_secret()
65515
65516 In case (1), sca_keylength is never going to exceed 65535 since it's
65517 bounded by a u16 from the user API. As such, the key length will
65518 never overflow.
65519
65520 In case (2), sca_keylength is computed based on the user key (1 short)
65521 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
65522 will not overflow.
65523
65524 In other words, this overflow check is not really necessary. Just
65525 make it more correct.
65526
65527 Signed-off-by: Xi Wang <xi.wang@gmail.com>
65528 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
65529 Signed-off-by: David S. Miller <davem@davemloft.net>
65530
65531commit e565e28c3635a1d50f80541fbf6b606d742fec76
65532Author: Josh Boyer <jwboyer@redhat.com>
65533Date: Fri Aug 19 14:50:26 2011 -0400
65534
65535 fs/minix: Verify bitmap block counts before mounting
65536
65537 Newer versions of MINIX can create filesystems that allocate an extra
65538 bitmap block. Mounting of this succeeds, but doing a statfs call will
65539 result in an oops in count_free because of a negative number being used
65540 for the bh index.
65541
65542 Avoid this by verifying the number of allocated blocks at mount time,
65543 erroring out if there are not enough and make statfs ignore the extras
65544 if there are too many.
65545
65546 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
65547
65548 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
65549 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
65550
65551commit 6e134e398ec1a3f428261680e83df4319e64bed9
65552Author: Julia Lawall <julia@diku.dk>
65553Date: Tue Nov 15 14:53:11 2011 -0800
65554
65555 drivers/gpu/vga/vgaarb.c: add missing kfree
65556
65557 kbuf is a buffer that is local to this function, so all of the error paths
65558 leaving the function should release it.
65559
65560 Signed-off-by: Julia Lawall <julia@diku.dk>
65561 Cc: Jesper Juhl <jj@chaosbits.net>
65562 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
65563 Signed-off-by: Dave Airlie <airlied@redhat.com>
65564
65565commit 2b9057b321e36860e8d63985b5c4e496f254b717
65566Author: Brad Spengler <spender@grsecurity.net>
65567Date: Sat Dec 3 21:33:28 2011 -0500
65568
65569 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
65570
65571commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
65572Author: Brad Spengler <spender@grsecurity.net>
65573Date: Sat Dec 3 21:29:37 2011 -0500
65574
65575 Import pax-linux-3.1.4-test18.patch
65576
65577commit 285eb4ea45d853ae00426b3315a61c1368080dad
65578Author: Brad Spengler <spender@grsecurity.net>
65579Date: Sat Dec 10 18:33:46 2011 -0500
65580
65581 Import changes from pax-linux-3.1.5-test20.patch
65582
65583commit a6bda918fc90ec1d5c387e978d147ad2044153f1
65584Author: Brad Spengler <spender@grsecurity.net>
65585Date: Thu Dec 8 20:55:54 2011 -0500
65586
65587 Import changes from pax-linux-3.1.4-test19.patch
65588
65589commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
65590Author: Brad Spengler <spender@grsecurity.net>
65591Date: Sat Dec 3 21:29:37 2011 -0500
65592
65593 Import pax-linux-3.1.4-test18.patch
65594commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466
65595Author: Brad Spengler <spender@grsecurity.net>
65596Date: Sun Nov 24 17:50:21 2013 -0500
65597
65598 remove unnecessary code/comments after new reload method
65599
65600 grsecurity/gracl.c | 4 ----
65601 grsecurity/gracl_policy.c | 13 -------------
65602 2 files changed, 0 insertions(+), 17 deletions(-)
65603
65604commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d
65605Author: Brad Spengler <spender@grsecurity.net>
65606Date: Sun Nov 24 16:05:01 2013 -0500
65607
65608 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous
65609 features have been added since then)
65610
65611 Introduce new atomic RBAC reload method, developed as part of sponsorship
65612 by EIG
65613
65614 This is accompanied by an updated 3.0 gradm which will use the new reload
65615 method when -R is passed to gradm. The old method will still be available
65616 via gradm -r (which is what a 2.9.1 gradm will continue to use).
65617
65618 The new RBAC reload method is atomic in the sense that at no point in the
65619 reload process will the system not be covered by a coherent full policy.
65620 In contrast to previous reload behavior, it also preserves inherited subjects
65621 and special roles.
65622
65623 The old RBAC reload method has also been made atomic. Both methods have
65624 been updated to perform role_allowed_ip checks only against the IP tagged
65625 to the task at the time its role was first applied or changed. This resolves
65626 long-standing usability problems with the use of role_allowed_ip and matches
65627 the policies created by learning.
65628
65629 grsecurity/Makefile | 2 +-
65630 grsecurity/gracl.c | 3903 +++++++++++++------------------------------
65631 grsecurity/gracl_alloc.c | 42 +-
65632 grsecurity/gracl_compat.c | 3 +-
65633 grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++
65634 grsecurity/gracl_segv.c | 12 +-
65635 grsecurity/grsec_disabled.c | 7 -
65636 grsecurity/grsec_init.c | 15 -
65637 include/linux/gracl.h | 43 +-
65638 include/linux/grinternal.h | 1 -
65639 include/linux/grsecurity.h | 1 -
65640 include/linux/sched.h | 2 +
65641 12 files changed, 3082 insertions(+), 2787 deletions(-)
65642
65643commit d8981a4fd03025434a466fd87a0eaea93755bc70
65644Author: Brad Spengler <spender@grsecurity.net>
65645Date: Sun Nov 24 15:08:28 2013 -0500
65646
65647 compile fix for recent GRKERNSEC_CHROOT_INITRD change
65648
65649 init/main.c | 12 +++---------
65650 1 files changed, 3 insertions(+), 9 deletions(-)
65651
65652commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f
65653Author: Brad Spengler <spender@grsecurity.net>
65654Date: Sat Nov 23 18:27:37 2013 -0500
65655
65656 Make the recent usermode_helper protection race-free as far as userland
65657 is concerned by creating a copy of the path to be executed, then check against
65658 that copied path instead of the still-mutable original path
65659
65660 include/linux/kmod.h | 3 +++
65661 kernel/kmod.c | 13 +++++++++++++
65662 2 files changed, 16 insertions(+), 0 deletions(-)
65663
65664commit ecdd0610bef058fd33fee50b489d949c1a0db07a
65665Author: Brad Spengler <spender@grsecurity.net>
65666Date: Sat Nov 23 17:20:15 2013 -0500
65667
65668 Produce a UDEREF message when faulting on kernel access to a non-present
65669 page in the userland range. This is purely for consistency of logs,
65670 due to there being no domain present to fault based on. An
65671 "Unable to handle kernel fault.." oops would already (and still is)
65672 generated for these cases, triggering grsec's bruteforce prevention.
65673
65674 Reported by acez on IRC
65675
65676 arch/arm/mm/fault.c | 11 +++++++++++
65677 1 files changed, 11 insertions(+), 0 deletions(-)
65678
65679commit 3f4adfade80bba0d865b5c603bd58da555ca4553
65680Author: Brad Spengler <spender@grsecurity.net>
65681Date: Sat Nov 23 16:56:46 2013 -0500
65682
65683 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option,
65684 Also make sure we mark init as run if no initrd was used. Though this
65685 should already be enforced in grsec_chroot.c, this should future-proof
65686 the feature a bit in case userland somehow changes drastically.
65687
65688 Conflicts:
65689
65690 init/main.c
65691
65692 grsecurity/Kconfig | 2 +-
65693 grsecurity/grsec_chroot.c | 2 +-
65694 init/main.c | 15 +++++++++++++++
65695 3 files changed, 17 insertions(+), 2 deletions(-)
65696
65697commit d4a9bb63091852b5b49ebd216796b374e5c0dc71
65698Author: Brad Spengler <spender@grsecurity.net>
65699Date: Sat Nov 23 16:33:20 2013 -0500
65700
65701 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
65702
65703 kernel/kmod.c | 8 ++++++++
65704 1 files changed, 8 insertions(+), 0 deletions(-)
65705
65706commit e727db195f8bed17c65d050e1772643d730fe565
65707Author: Brad Spengler <spender@grsecurity.net>
65708Date: Sat Nov 23 16:02:01 2013 -0500
65709
65710 perform USERCOPY kernel text checks against the linear mapping on amd64 as well
65711
65712 fs/exec.c | 8 ++++++++
65713 1 files changed, 8 insertions(+), 0 deletions(-)
65714
65715commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb
65716Merge: 2fcc3a5 2d1263b
65717Author: Brad Spengler <spender@grsecurity.net>
65718Date: Fri Nov 22 21:11:44 2013 -0500
65719
65720 Merge branch 'pax-test' into grsec-test
65721
65722commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1
65723Merge: d52f291 e0cd057
65724Author: Brad Spengler <spender@grsecurity.net>
65725Date: Fri Nov 22 21:11:33 2013 -0500
65726
65727 Merge branch 'linux-3.11.y' into pax-test
65728
65729 Conflicts:
65730 drivers/net/ethernet/chelsio/cxgb3/sge.c
65731
65732commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972
65733Author: Brad Spengler <spender@grsecurity.net>
65734Date: Fri Nov 22 20:31:37 2013 -0500
65735
65736 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
65737
65738 This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
65739
65740 It caused errors with traceroute, reported to upstream and fixed with
65741 http://patchwork.ozlabs.org/patch/293614/
65742 But there's no reason for us to maintain this backport as we're
65743 already impervious to recvmsg/msg_name infoleaks
65744
65745 Conflicts:
65746
65747 net/ipv4/ping.c
65748
65749 net/ieee802154/dgram.c | 3 ++-
65750 net/ipv4/ping.c | 11 +++++++++--
65751 net/ipv4/raw.c | 4 +++-
65752 net/ipv4/udp.c | 7 ++++++-
65753 net/ipv6/raw.c | 4 +++-
65754 net/ipv6/udp.c | 5 ++++-
65755 net/l2tp/l2tp_ip.c | 4 +++-
65756 net/phonet/datagram.c | 9 +++++----
65757 8 files changed, 35 insertions(+), 12 deletions(-)
65758
65759commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b
65760Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
65761Date: Mon Nov 18 07:07:45 2013 +0100
65762
65763 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
65764
65765 ping: prevent NULL pointer dereference on write to msg_name
65766
65767 A plain read() on a socket does set msg->msg_name to NULL. So check for
65768 NULL pointer first.
65769
65770 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
65771 Signed-off-by: David S. Miller <davem@davemloft.net>
65772
65773 net/ipv4/ping.c | 34 +++++++++++++++++++---------------
65774 1 files changed, 19 insertions(+), 15 deletions(-)
65775
65776commit 8bb32f2682953e1b748a59c4a4363b237c3510df
65777Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
65778Date: Mon Nov 18 04:20:45 2013 +0100
65779
65780 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
65781
65782 inet: prevent leakage of uninitialized memory to user in recv syscalls
65783
65784 Only update *addr_len when we actually fill in sockaddr, otherwise we
65785 can return uninitialized memory from the stack to the caller in the
65786 recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
65787 checks because we only get called with a valid addr_len pointer either
65788 from sock_common_recvmsg or inet_recvmsg.
65789
65790 If a blocking read waits on a socket which is concurrently shut down we
65791 now return zero and set msg_msgnamelen to 0.
65792
65793 Reported-by: mpb <mpb.mail@gmail.com>
65794 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
65795 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
65796 Signed-off-by: David S. Miller <davem@davemloft.net>
65797
65798 net/ieee802154/dgram.c | 3 +--
65799 net/ipv4/ping.c | 19 +++++++------------
65800 net/ipv4/raw.c | 4 +---
65801 net/ipv4/udp.c | 7 +------
65802 net/ipv6/raw.c | 4 +---
65803 net/ipv6/udp.c | 5 +----
65804 net/l2tp/l2tp_ip.c | 4 +---
65805 net/phonet/datagram.c | 9 ++++-----
65806 8 files changed, 17 insertions(+), 38 deletions(-)
65807
65808commit 642d754081c130a151e7df27e5c07edf2f368106
65809Author: Jeff Layton <jlayton@redhat.com>
65810Date: Wed Nov 13 09:08:21 2013 -0500
65811
65812 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
65813
65814 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
65815
65816 Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
65817 NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
65818 There is no guarantee that doing so will work however, so we can end up
65819 retrying the call in an infinite loop.
65820
65821 Worse yet, we create the new client using rpc_clone_client_set_auth,
65822 which creates the new client as a child of the old one. Thus, we can end
65823 up with a *very* long lineage of rpc_clnts. When we go to put all of the
65824 references to them, we can end up with a long call chain that can smash
65825 the stack as each rpc_free_client() call can recurse back into itself.
65826
65827 This patch fixes this by simply ensuring that the SETCLIENTID call will
65828 only be retried in this situation if the last attempt did not use
65829 RPC_AUTH_UNIX.
65830
65831 Note too that with this change, we don't need the (i > 2) check in the
65832 -EACCES case since we now have a more reliable test as to whether we
65833 should reattempt.
65834
65835 Cc: stable@vger.kernel.org # v3.10+
65836 Cc: Chuck Lever <chuck.lever@oracle.com>
65837 Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
65838 Signed-off-by: Jeff Layton <jlayton@redhat.com>
65839 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
65840
65841 fs/nfs/nfs4state.c | 7 ++++++-
65842 1 files changed, 6 insertions(+), 1 deletions(-)
65843
65844commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2
65845Author: Chuck Lever <chuck.lever@oracle.com>
65846Date: Wed Jul 24 12:28:28 2013 -0400
65847
65848 Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e
65849
65850 NFS: Use root's credential for lease management when keytab is missing
65851
65852 Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting"
65853 Fri Sep 14 17:24:32 2012 introduced Uniform Client String support,
65854 which forces our NFS client to establish a client ID immediately
65855 during a mount operation rather than waiting until a user wants to
65856 open a file.
65857
65858 Normally machine credentials (eg. from a keytab) are used to perform
65859 a mount operation that is protected by Kerberos. Before 05fc350,
65860 SETCLIENTID used a machine credential, or fell back to a regular
65861 user's credential if no keytab is available.
65862
65863 On clients that don't have a keytab, performing SETCLIENTID early
65864 means there's no user credential to fall back on, since no regular
65865 user has kinit'd yet. 05f4c350 seems to have broken the ability
65866 to mount with sec=krb5 on clients that don't have a keytab in
65867 kernels 3.7 - 3.10.
65868
65869 To address this regression, commit 4edaa308 (NFS: Use "krb5i" to
65870 establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013,
65871 was merged in 3.10. This commit forces the NFS client to fall back
65872 to AUTH_SYS for lease management operations if no keytab is
65873 available.
65874
65875 Neil Brown noticed that, since root is required to kinit to do a
65876 sec=krb5 mount when a client doesn't have a keytab, we can try to
65877 use root's Kerberos credential before AUTH_SYS.
65878
65879 Now, when determining a principal and flavor to use for lease
65880 management, the NFS client tries in this order:
65881
65882 1. Flavor: AUTH_GSS, krb5i
65883 Principal: service principal (via keytab)
65884
65885 2. Flavor: AUTH_GSS, krb5i
65886 Principal: user principal established for UID 0 (via kinit)
65887
65888 3. Flavor: AUTH_SYS
65889 Principal: UID 0 / GID 0
65890
65891 Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
65892 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
65893
65894 fs/nfs/nfs4state.c | 19 ++++++++++++++++++-
65895 1 files changed, 18 insertions(+), 1 deletions(-)
65896
65897commit 6ebab64904f37af82e950b0c6d321437e810b248
65898Author: Trond Myklebust <Trond.Myklebust@netapp.com>
65899Date: Tue Nov 12 17:24:36 2013 -0500
65900
65901 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
65902
65903 SUNRPC: Avoid deep recursion in rpc_release_client
65904
65905 In cases where an rpc client has a parent hierarchy, then
65906 rpc_free_client may end up calling rpc_release_client() on the
65907 parent, thus recursing back into rpc_free_client. If the hierarchy
65908 is deep enough, then we can get into situations where the stack
65909 simply overflows.
65910
65911 The fix is to have rpc_release_client() loop so that it can take
65912 care of the parent rpc client hierarchy without needing to
65913 recurse.
65914
65915 Reported-by: Jeff Layton <jlayton@redhat.com>
65916 Reported-by: Weston Andros Adamson <dros@netapp.com>
65917 Reported-by: Bruce Fields <bfields@fieldses.org>
65918 Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
65919 Cc: stable@vger.kernel.org
65920 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
65921
65922 net/sunrpc/clnt.c | 29 +++++++++++++++++------------
65923 1 files changed, 17 insertions(+), 12 deletions(-)
65924
65925commit fcb4306973aed105cc6d042077bf31e21b812008
65926Author: Trond Myklebust <Trond.Myklebust@netapp.com>
65927Date: Fri Nov 8 16:03:50 2013 -0500
65928
65929 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
65930
65931 SUNRPC: Fix a data corruption issue when retransmitting RPC calls
65932
65933 The following scenario can cause silent data corruption when doing
65934 NFS writes. It has mainly been observed when doing database writes
65935 using O_DIRECT.
65936
65937 1) The RPC client uses sendpage() to do zero-copy of the page data.
65938 2) Due to networking issues, the reply from the server is delayed,
65939 and so the RPC client times out.
65940
65941 3) The client issues a second sendpage of the page data as part of
65942 an RPC call retransmission.
65943
65944 4) The reply to the first transmission arrives from the server
65945 _before_ the client hardware has emptied the TCP socket send
65946 buffer.
65947 5) After processing the reply, the RPC state machine rules that
65948 the call to be done, and triggers the completion callbacks.
65949 6) The application notices the RPC call is done, and reuses the
65950 pages to store something else (e.g. a new write).
65951
65952 7) The client NIC drains the TCP socket send buffer. Since the
65953 page data has now changed, it reads a corrupted version of the
65954 initial RPC call, and puts it on the wire.
65955
65956 This patch fixes the problem in the following manner:
65957
65958 The ordering guarantees of TCP ensure that when the server sends a
65959 reply, then we know that the _first_ transmission has completed. Using
65960 zero-copy in that situation is therefore safe.
65961 If a time out occurs, we then send the retransmission using sendmsg()
65962 (i.e. no zero-copy), We then know that the socket contains a full copy of
65963 the data, and so it will retransmit a faithful reproduction even if the
65964 RPC call completes, and the application reuses the O_DIRECT buffer in
65965 the meantime.
65966
65967 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
65968 Cc: stable@vger.kernel.org
65969
65970 net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++-------
65971 1 files changed, 21 insertions(+), 7 deletions(-)
65972
65973commit 2c59d4080ae744532dbe595f6923dcba72279977
65974Merge: b2b99c6 d52f291
65975Author: Brad Spengler <spender@grsecurity.net>
65976Date: Mon Nov 18 19:07:55 2013 -0500
65977
65978 Merge branch 'pax-test' into grsec-test
65979
65980commit d52f291621da9227cda5fd647e82dfe9bfc11265
65981Author: Brad Spengler <spender@grsecurity.net>
65982Date: Mon Nov 18 19:07:14 2013 -0500
65983
65984 Update to pax-linux-3.11.8-test14.patch:
65985 - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)
65986
65987 mm/page_alloc.c | 2 +-
65988 tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++----------
65989 2 files changed, 25 insertions(+), 11 deletions(-)
65990
65991commit b2b99c6972e345565d561b722de210f071e5e259
65992Author: Brad Spengler <spender@grsecurity.net>
65993Date: Thu Nov 14 20:47:37 2013 -0500
65994
65995 Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e
65996
65997 ipv6: fix headroom calculation in udp6_ufo_fragment
65998 Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
65999 fragmentation for tunnel traffic.") changed the calculation if
66000 there is enough space to include a fragment header in the skb from a
66001 skb->mac_header dervived one to skb_headroom. Because we already peeled
66002 off the skb to transport_header this is wrong. Change this back to check
66003 if we have enough room before the mac_header.
66004
66005 This fixes a panic Saran Neti reported. He used the tbf scheduler which
66006 skb_gso_segments the skb. The offsets get negative and we panic in memcpy
66007 because the skb was erroneously not expanded at the head.
66008
66009 Reported-by: Saran Neti <Saran.Neti@telus.com>
66010 Cc: Pravin B Shelar <pshelar@nicira.com>
66011 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
66012 Signed-off-by: David S. Miller <davem@davemloft.net>
66013
66014 net/ipv6/udp_offload.c | 2 +-
66015 1 files changed, 1 insertions(+), 1 deletions(-)
66016
66017commit 012ee7647e16f464f8d1ad004e28eac2ba778158
66018Author: Dan Carpenter <dan.carpenter@oracle.com>
66019Date: Thu Nov 14 11:21:10 2013 +0300
66020
66021 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
66022
66023 isdnloop: use strlcpy() instead of strcpy()
66024
66025 These strings come from a copy_from_user() and there is no way to be
66026 sure they are NUL terminated.
66027
66028 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66029 Signed-off-by: David S. Miller <davem@davemloft.net>
66030
66031 drivers/isdn/isdnloop/isdnloop.c | 8 +++++---
66032 1 files changed, 5 insertions(+), 3 deletions(-)
66033
66034commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f
66035Author: Eric Dumazet <edumazet@google.com>
66036Date: Thu Nov 14 13:37:54 2013 -0800
66037
66038 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
66039
66040 ipv4: fix possible seqlock deadlock
66041
66042 ip4_datagram_connect() being called from process context,
66043 it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
66044 otherwise we can deadlock on 32bit arches, or get corruptions of
66045 SNMP counters.
66046
66047 Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
66048 Signed-off-by: Eric Dumazet <edumazet@google.com>
66049 Reported-by: Dave Jones <davej@redhat.com>
66050 Signed-off-by: David S. Miller <davem@davemloft.net>
66051
66052 net/ipv4/datagram.c | 2 +-
66053 1 files changed, 1 insertions(+), 1 deletions(-)
66054
66055commit 1a642170613ae336331f2df38aa8f2c1227d3c96
66056Merge: 60c6423 84d78c7
66057Author: Brad Spengler <spender@grsecurity.net>
66058Date: Thu Nov 14 20:28:51 2013 -0500
66059
66060 Merge branch 'pax-test' into grsec-test
66061
66062commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730
66063Author: Brad Spengler <spender@grsecurity.net>
66064Date: Thu Nov 14 20:28:07 2013 -0500
66065
66066 Update to pax-linux-3.11.8-test13.patch:
66067 - forward port to 3.11.8
66068 - removed some no longer used code from bpf jit
66069 - fixed some atomic_unchecked_t usage in oprofile and uio
66070 - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy
66071
66072 arch/x86/include/asm/mmu_context.h | 8 ++++++++
66073 arch/x86/kernel/setup.c | 2 +-
66074 drivers/bluetooth/btwilink.c | 2 +-
66075 drivers/md/dm-table.c | 2 +-
66076 drivers/message/i2o/i2o_proc.c | 16 ++++++++--------
66077 drivers/mfd/max8925-i2c.c | 2 +-
66078 drivers/mfd/tps65910.c | 2 +-
66079 drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
66080 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
66081 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
66082 drivers/net/wireless/airo.c | 2 +-
66083 drivers/net/wireless/b43/phy_lp.c | 2 +-
66084 drivers/nfc/nfcwilink.c | 2 +-
66085 drivers/oprofile/oprofilefs.c | 4 ++--
66086 drivers/platform/x86/msi-wmi.c | 2 +-
66087 drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++-------------
66088 drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++----
66089 drivers/usb/serial/console.c | 2 +-
66090 include/linux/filter.h | 4 ----
66091 kernel/audit.c | 2 +-
66092 20 files changed, 41 insertions(+), 45 deletions(-)
66093
66094commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c
66095Author: Brad Spengler <spender@grsecurity.net>
66096Date: Thu Nov 14 20:15:51 2013 -0500
66097
66098 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
66099
66100 grsecurity/Kconfig | 1 +
66101 1 files changed, 1 insertions(+), 0 deletions(-)
66102
66103commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43
66104Author: Brad Spengler <spender@grsecurity.net>
66105Date: Thu Nov 14 19:07:11 2013 -0500
66106
66107 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS
66108 and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps
66109 make it more obvious that while we make use of domains, CPU_USE_DOMAINS is
66110 disabled as far as the kernel knows
66111
66112 arch/arm/mm/Kconfig | 2 +-
66113 1 files changed, 1 insertions(+), 1 deletions(-)
66114
66115commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba
66116Author: Brad Spengler <spender@grsecurity.net>
66117Date: Thu Nov 14 19:01:59 2013 -0500
66118
66119 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research
66120 on overly-permissive shared memory found in hundreds of areas in Linux
66121 distros:
66122 http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
66123
66124 Will let this sit in -test for a while to weed out any app incompatibilities
66125
66126 grsecurity/Kconfig | 17 +++++++++++++++++
66127 grsecurity/Makefile | 2 +-
66128 grsecurity/grsec_init.c | 4 ++++
66129 grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
66130 grsecurity/grsec_sysctl.c | 9 +++++++++
66131 include/linux/grinternal.h | 1 +
66132 include/linux/grmsg.h | 1 +
66133 ipc/util.c | 5 +++++
66134 8 files changed, 60 insertions(+), 1 deletions(-)
66135
66136commit 27c3b43bd5ad9c9b877016f26192dbc30da54018
66137Merge: 08e883f d0a09ad
66138Author: Brad Spengler <spender@grsecurity.net>
66139Date: Wed Nov 13 22:27:13 2013 -0500
66140
66141 Merge branch 'pax-test' into grsec-test
66142
66143commit d0a09ad6430008135b98da6e1941e98a6110b59e
66144Merge: 4e826ac 02709ef
66145Author: Brad Spengler <spender@grsecurity.net>
66146Date: Wed Nov 13 22:27:03 2013 -0500
66147
66148 Merge branch 'linux-3.11.y' into pax-test
66149
66150commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1
66151Author: Brad Spengler <spender@grsecurity.net>
66152Date: Mon Nov 11 10:48:10 2013 -0500
66153
66154 Fix the overflowable range check just to be correct.
66155 Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt
66156 but I believe this to be unexploitable due to bounds checks on 'count'
66157 from rw_verify_area() in fs/read_write.c
66158
66159 drivers/video/arcfb.c | 2 +-
66160 1 files changed, 1 insertions(+), 1 deletions(-)
66161
66162commit 094c08532f9877a287ffac7a87b05841a56b4e5d
66163Author: Brad Spengler <spender@grsecurity.net>
66164Date: Sun Nov 10 22:01:33 2013 -0500
66165
66166 Add missing include
66167
66168 fs/proc/proc_sysctl.c | 1 +
66169 1 files changed, 1 insertions(+), 0 deletions(-)
66170
66171commit e383790f8252620f52895e202cc057c4318da3f4
66172Author: Brad Spengler <spender@grsecurity.net>
66173Date: Sun Nov 10 17:50:12 2013 -0500
66174
66175 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS
66176 option: GRKERNSEC_OLD_ARM_USERLAND
66177
66178 arch/arm/mm/Kconfig | 2 +-
66179 grsecurity/Kconfig | 14 ++++++++++++++
66180 2 files changed, 15 insertions(+), 1 deletions(-)
66181
66182commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26
66183Author: Brad Spengler <spender@grsecurity.net>
66184Date: Sun Nov 10 15:19:27 2013 -0500
66185
66186 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr
66187 was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF
66188 loading). Fix this by setting a proper default on these architectures like set on the LSM-based
66189 mmap_min_addr.
66190
66191 Thanks to acez from IRC for debugging.
66192
66193 mm/Kconfig | 1 +
66194 1 files changed, 1 insertions(+), 0 deletions(-)
66195
66196commit 17f832897194f46c4759aa02e048ad5623a04eed
66197Author: Brad Spengler <spender@grsecurity.net>
66198Date: Sun Nov 10 13:54:25 2013 -0500
66199
66200 Compatibility fix for LXC:
66201 Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values,
66202 use a CAP_NET_ADMIN check within the user namespace of the process performing the modification
66203 CAP_SYS_ADMIN is still required for any other sysctl modification, including modification
66204 of sysctls of a net namespace other than our own
66205
66206 This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
66207 networking
66208
66209 Thanks to ncopa from IRC for testing
66210
66211 fs/proc/proc_sysctl.c | 9 +++++++--
66212 1 files changed, 7 insertions(+), 2 deletions(-)
66213
66214commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20
66215Merge: fb281bd 4e826ac
66216Author: Brad Spengler <spender@grsecurity.net>
66217Date: Wed Nov 6 17:27:16 2013 -0500
66218
66219 Merge branch 'pax-test' into grsec-test
66220
66221 Conflicts:
66222 net/l2tp/l2tp_core.c
66223
66224commit 4e826ac763867707352d93b7d23ed86e4c6829cf
66225Merge: e309bfb 39773be
66226Author: Brad Spengler <spender@grsecurity.net>
66227Date: Wed Nov 6 17:26:23 2013 -0500
66228
66229 Merge branch 'linux-3.11.y' into pax-test
66230
66231 Conflicts:
66232 net/compat.c
66233
66234commit fb281bdee5ccb76facfe1172318a867b624011f4
66235Author: Brad Spengler <spender@grsecurity.net>
66236Date: Wed Nov 6 16:23:36 2013 -0500
66237
66238 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
66239
66240 Conflicts:
66241
66242 security/Kconfig
66243
66244 security/Kconfig | 1 +
66245 1 files changed, 1 insertions(+), 0 deletions(-)
66246
66247commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a
66248Author: Brad Spengler <spender@grsecurity.net>
66249Date: Wed Nov 6 16:19:21 2013 -0500
66250
66251 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel
66252 bruteforce deterrence
66253
66254 Conflicts:
66255
66256 lib/list_debug.c
66257
66258 lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
66259 1 files changed, 42 insertions(+), 23 deletions(-)
66260
66261commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba
66262Author: Dan Carpenter <dan.carpenter@oracle.com>
66263Date: Tue Oct 29 23:01:43 2013 +0300
66264
66265 Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427
66266
66267 Staging: sb105x: info leak in mp_get_count()
66268
66269 The icount.reserved[] array isn't initialized so it leaks stack
66270 information to userspace.
66271
66272 Reported-by: Nico Golde <nico@ngolde.de>
66273 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
66274 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66275 Cc: stable@kernel.org
66276 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66277
66278 drivers/staging/sb105x/sb_pci_mp.c | 2 +-
66279 1 files changed, 1 insertions(+), 1 deletions(-)
66280
66281commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de
66282Author: Dan Carpenter <dan.carpenter@oracle.com>
66283Date: Tue Oct 29 22:06:04 2013 +0300
66284
66285 Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b
66286
66287 uml: check length in exitcode_proc_write()
66288
66289 We don't cap the size of buffer from the user so we could write past the
66290 end of the array here. Only root can write to this file.
66291
66292 Reported-by: Nico Golde <nico@ngolde.de>
66293 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
66294 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66295 Cc: stable@kernel.org
66296 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66297
66298 arch/um/kernel/exitcode.c | 4 +++-
66299 1 files changed, 3 insertions(+), 1 deletions(-)
66300
66301commit 1285d10ec38f216f3c5de7ce085ce43447c78916
66302Author: Jason Wang <jasowang@redhat.com>
66303Date: Fri Nov 1 15:01:10 2013 +0800
66304
66305 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
66306
66307 net: flow_dissector: fail on evil iph->ihl
66308
66309 We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
66310 skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
66311 is evil (less than 5).
66312
66313 This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
66314 (rps: support IPIP encapsulation).
66315
66316 Cc: Eric Dumazet <edumazet@google.com>
66317 Cc: Petr Matousek <pmatouse@redhat.com>
66318 Cc: Michael S. Tsirkin <mst@redhat.com>
66319 Cc: Daniel Borkmann <dborkman@redhat.com>
66320 Signed-off-by: Jason Wang <jasowang@redhat.com>
66321 Acked-by: Eric Dumazet <edumazet@google.com>
66322 Signed-off-by: David S. Miller <davem@davemloft.net>
66323
66324 net/core/flow_dissector.c | 2 +-
66325 1 files changed, 1 insertions(+), 1 deletions(-)
66326
66327commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc
66328Author: Ming Lei <ming.lei@canonical.com>
66329Date: Thu Oct 31 16:34:17 2013 -0700
66330
66331 Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75
66332
66333 lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
66334
66335 Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
66336 functions") introduces two sg buffer copy helpers, and calls
66337 flush_kernel_dcache_page() on pages in SG list after these pages are
66338 written to.
66339
66340 Unfortunately, the commit may introduce a potential bug:
66341
66342 - Before sending some SCSI commands, kmalloc() buffer may be passed to
66343 block layper, so flush_kernel_dcache_page() can see a slab page
66344 finally
66345
66346 - According to cachetlb.txt, flush_kernel_dcache_page() is only called
66347 on "a user page", which surely can't be a slab page.
66348
66349 - ARCH's implementation of flush_kernel_dcache_page() may use page
66350 mapping information to do optimization so page_mapping() will see the
66351 slab page, then VM_BUG_ON() is triggered.
66352
66353 Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
66354 and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
66355 before calling flush_kernel_dcache_page().
66356
66357 Signed-off-by: Ming Lei <ming.lei@canonical.com>
66358 Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
66359 Tested-by: Simon Baatz <gmbnomis@gmail.com>
66360 Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
66361 Cc: Will Deacon <will.deacon@arm.com>
66362 Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
66363 Acked-by: Catalin Marinas <catalin.marinas@arm.com>
66364 Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
66365 Cc: Tejun Heo <tj@kernel.org>
66366 Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
66367 Cc: Jens Axboe <axboe@kernel.dk>
66368 Cc: <stable@vger.kernel.org> [3.2+]
66369 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
66370 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66371
66372 lib/scatterlist.c | 3 ++-
66373 1 files changed, 2 insertions(+), 1 deletions(-)
66374
66375commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4
66376Author: Dan Carpenter <dan.carpenter@oracle.com>
66377Date: Tue Oct 29 23:01:11 2013 +0300
66378
66379 Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba
66380
66381 Staging: bcm: info leak in ioctl
66382
66383 The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
66384 information to user space.
66385
66386 Reported-by: Nico Golde <nico@ngolde.de>
66387 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
66388 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66389 Cc: stable@kernel.org
66390 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66391
66392 drivers/staging/bcm/Bcmchar.c | 1 +
66393 1 files changed, 1 insertions(+), 0 deletions(-)
66394
66395commit a2ab9d69265a08280241a2f2152e535316d02f53
66396Author: Dan Carpenter <dan.carpenter@oracle.com>
66397Date: Tue Oct 29 22:11:06 2013 +0300
66398
66399 Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5
66400
66401 aacraid: missing capable() check in compat ioctl
66402
66403 In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
66404 added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the
66405 check as well.
66406
66407 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66408 Cc: stable@kernel.org
66409 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66410
66411 drivers/scsi/aacraid/linit.c | 2 ++
66412 1 files changed, 2 insertions(+), 0 deletions(-)
66413
66414commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e
66415Author: Dan Carpenter <dan.carpenter@oracle.com>
66416Date: Tue Oct 29 23:00:15 2013 +0300
66417
66418 Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054
66419
66420 staging: wlags49_h2: buffer overflow setting station name
66421
66422 We need to check the length parameter before doing the memcpy(). I've
66423 actually changed it to strlcpy() as well so that it's NUL terminated.
66424
66425 You need CAP_NET_ADMIN to trigger these so it's not the end of the
66426 world.
66427
66428 Reported-by: Nico Golde <nico@ngolde.de>
66429 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
66430 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66431 Cc: stable@kernel.org
66432 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66433
66434 drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
66435 1 files changed, 6 insertions(+), 3 deletions(-)
66436
66437commit afd645c1684265260b64ec8189cbc2703b91f6ab
66438Author: Dan Carpenter <dan.carpenter@oracle.com>
66439Date: Tue Oct 29 22:07:47 2013 +0300
66440
66441 Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15
66442
66443 staging: ozwpan: prevent overflow in oz_cdev_write()
66444
66445 We need to check "count" so we don't overflow the ei->data buffer.
66446
66447 Reported-by: Nico Golde <nico@ngolde.de>
66448 Reported-by: Fabian Yamaguchi <fabs@goesec.de>
66449 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66450 Cc: stable@kernel.org
66451 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66452
66453 drivers/staging/ozwpan/ozcdev.c | 3 +++
66454 1 files changed, 3 insertions(+), 0 deletions(-)
66455
66456commit 4a907baeb462b7e0f50923be5a9d842aec93c97a
66457Author: Linus Torvalds <torvalds@linux-foundation.org>
66458Date: Tue Oct 29 10:21:34 2013 -0700
66459
66460 Fixed a little differently than Linus...
66461
66462 Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
66463
66464 Fix a few incorrectly checked [io_]remap_pfn_range() calls
66465
66466 Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
66467 really should use the vm_iomap_memory() helper. This trivially converts
66468 two of them to the helper, and comments about why the third one really
66469 needs to continue to use remap_pfn_range(), and adds the missing size
66470 check.
66471
66472 Reported-by: Nico Golde <nico@ngolde.de>
66473 Cc: stable@kernel.org
66474 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
66475
66476 Conflicts:
66477
66478 drivers/uio/uio.c
66479
66480 drivers/uio/uio.c | 19 +++++++++++++++++--
66481 drivers/video/au1100fb.c | 26 +-------------------------
66482 drivers/video/au1200fb.c | 23 +----------------------
66483 3 files changed, 19 insertions(+), 49 deletions(-)
66484
66485commit e68e94ddd03cf81d875b30a5e7b0e1bb4682e61f
66486Merge: 0970b16 e309bfb
66487Author: Brad Spengler <spender@grsecurity.net>
66488Date: Sun Oct 27 15:17:05 2013 -0400
66489
66490 Merge branch 'pax-test' into grsec-test
66491
66492commit e309bfbf7b506b2294b30233f7a3299173a75cf7
66493Author: Hugh Dickins <hughd@google.com>
66494Date: Wed Oct 16 13:47:09 2013 -0700
66495
66496 Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779
66497
66498 mm: revert mremap pud_free anti-fix
66499
66500 Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail
66501 calling pmd_alloc()").
66502
66503 The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map()
66504 ensure that the pud, pmd, pt is already allocated, and seldom do they
66505 need to allocate; on failure, upper levels are freed if appropriate by
66506 the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an
66507 unconditional pud_free() of a most-likely still-in-use pud: saved only
66508 by the near-impossiblity of pmd_alloc() failing.
66509
66510 Signed-off-by: Hugh Dickins <hughd@google.com>
66511 Cc: Chen Gang <gang.chen@asianux.com>
66512 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
66513 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66514
66515 mm/mremap.c | 5 +----
66516 1 files changed, 1 insertions(+), 4 deletions(-)
66517
66518commit 0970b16a9df08b8cca6929b6443f67df432ac3e5
66519Author: Eric Dumazet <edumazet@google.com>
66520Date: Tue Oct 1 21:04:11 2013 -0700
66521
66522 Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693
66523
66524 net: do not call sock_put() on TIMEWAIT sockets
66525
66526 commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
66527 hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
66528
66529 We should instead use inet_twsk_put()
66530
66531 Signed-off-by: Eric Dumazet <edumazet@google.com>
66532 Signed-off-by: David S. Miller <davem@davemloft.net>
66533
66534 net/ipv4/inet_hashtables.c | 2 +-
66535 net/ipv6/inet6_hashtables.c | 2 +-
66536 2 files changed, 2 insertions(+), 2 deletions(-)
66537
66538commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28
66539Author: Andi Kleen <ak@linux.intel.com>
66540Date: Mon Sep 30 13:29:08 2013 -0700
66541
66542 Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645
66543
66544 igb: Avoid uninitialized advertised variable in eee_set_cur
66545
66546 eee_get_cur assumes that the output data is already zeroed. It can
66547 read-modify-write the advertised field:
66548
66549 if (ipcnfg & E1000_IPCNFG_EEE_100M_AN)
66550 2594 edata->advertised |= ADVERTISED_100baseT_Full;
66551
66552 This is ok for the normal ethtool eee_get call, which always
66553 zeroes the input data before.
66554
66555 But eee_set_cur also calls eee_get_cur and it did not zero the input
66556 field. Later on it then compares agsinst the field, which can contain partial
66557 stack garbage.
66558
66559 Zero the input field in eee_set_cur() too.
66560
66561 Cc: jeffrey.t.kirsher@intel.com
66562 Cc: netdev@vger.kernel.org
66563 Signed-off-by: Andi Kleen <ak@linux.intel.com>
66564 Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
66565 Signed-off-by: David S. Miller <davem@davemloft.net>
66566
66567 drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++
66568 1 files changed, 2 insertions(+), 0 deletions(-)
66569
66570commit 651730a8caabce37f78d8e6c84283b96e434d19f
66571Author: Dan Carpenter <dan.carpenter@oracle.com>
66572Date: Thu Oct 3 00:27:20 2013 +0300
66573
66574 Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8
66575
66576 net: heap overflow in __audit_sockaddr()
66577
66578 We need to cap ->msg_namelen or it leads to a buffer overflow when we
66579 to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
66580 exploit this bug.
66581
66582 The call tree is:
66583 ___sys_recvmsg()
66584 move_addr_to_user()
66585 audit_sockaddr()
66586 __audit_sockaddr()
66587
66588 Reported-by: Jüri Aedla <juri.aedla@gmail.com>
66589 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66590 Signed-off-by: David S. Miller <davem@davemloft.net>
66591
66592 Conflicts:
66593
66594 net/compat.c
66595
66596 net/compat.c | 2 ++
66597 net/socket.c | 24 ++++++++++++++++++++----
66598 2 files changed, 22 insertions(+), 4 deletions(-)
66599
66600commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc
66601Author: Salva Peiró <speiro@ai2.upv.es>
66602Date: Wed Oct 16 12:46:50 2013 +0200
66603
66604 Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1
66605
66606 wanxl: fix info leak in ioctl
66607
66608 The wanxl_ioctl() code fails to initialize the two padding bytes of
66609 struct sync_serial_settings after the ->loopback member. Add an explicit
66610 memset(0) before filling the structure to avoid the info leak.
66611
66612 Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
66613 Signed-off-by: David S. Miller <davem@davemloft.net>
66614
66615 drivers/net/wan/wanxl.c | 1 +
66616 1 files changed, 1 insertions(+), 0 deletions(-)
66617
66618commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f
66619Author: Geyslan G. Bem <geyslan@gmail.com>
66620Date: Fri Oct 11 16:49:16 2013 -0300
66621
66622 Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4
66623
66624 ecryptfs: Fix memory leakage in keystore.c
66625
66626 In 'decrypt_pki_encrypted_session_key' function:
66627
66628 Initializes 'payload' pointer and releases it on exit.
66629
66630 Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
66631 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
66632 Cc: stable@vger.kernel.org # v2.6.28+
66633
66634 fs/ecryptfs/keystore.c | 3 ++-
66635 1 files changed, 2 insertions(+), 1 deletions(-)
66636
66637commit 0ccb7b191245318a36bbd1f59a1846dda72cb738
66638Author: Colin Ian King <colin.king@canonical.com>
66639Date: Thu Oct 24 14:08:07 2013 +0000
66640
66641 Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e
66642
66643 eCryptfs: fix 32 bit corruption issue
66644
66645 Shifting page->index on 32 bit systems was overflowing, causing
66646 data corruption of > 4GB files. Fix this by casting it first.
66647
66648 https://launchpad.net/bugs/1243636
66649
66650 Signed-off-by: Colin Ian King <colin.king@canonical.com>
66651 Reported-by: Lars Duesing <lars.duesing@camelotsweb.de>
66652 Cc: stable@vger.kernel.org # v3.11+
66653 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
66654
66655 fs/ecryptfs/crypto.c | 2 +-
66656 1 files changed, 1 insertions(+), 1 deletions(-)
66657
66658commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4
66659Author: Brad Spengler <spender@grsecurity.net>
66660Date: Sun Oct 27 13:29:49 2013 -0400
66661
66662 This is a replacement patch only for stable which does fix the problems
66663 handled by the following two commits in -net:
66664
66665 "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
66666 "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
66667
66668 Three frames are written on a corked udp socket for which the output
66669 netdevice has UFO enabled. If the first and third frame are smaller than
66670 the mtu and the second one is bigger, we enqueue the second frame with
66671 skb_append_datato_frags without initializing the gso fields. This leads
66672 to the third frame appended regulary and thus constructing an invalid skb.
66673
66674 This fixes the problem by always using skb_append_datato_frags as soon
66675 as the first frag got enqueued to the skb without marking the packet
66676 as SKB_GSO_UDP.
66677
66678 The problem with only two frames for ipv6 was fixed by "ipv6: udp
66679 packets following an UFO enqueued packet need also be handled by UFO"
66680 (2811ebac2521ceac84f2bdae402455baa6a7fb47).
66681
66682 Cc: Jiri Pirko <jiri@resnulli.us>
66683 Cc: Eric Dumazet <eric.dumazet@gmail.com>
66684 Cc: David Miller <davem@davemloft.net>
66685 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
66686
66687 include/linux/skbuff.h | 5 +++++
66688 net/ipv4/ip_output.c | 2 +-
66689 net/ipv6/ip6_output.c | 2 +-
66690 3 files changed, 7 insertions(+), 2 deletions(-)
66691
66692commit aead8ff29424c6a5d25eb4614be91a01f9f6af00
66693Merge: 5cf8361 ddadc82
66694Author: Brad Spengler <spender@grsecurity.net>
66695Date: Sat Oct 26 08:42:26 2013 -0400
66696
66697 Merge branch 'pax-test' into grsec-test
66698
66699 Conflicts:
66700 security/Kconfig
66701
66702commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec
66703Author: Brad Spengler <spender@grsecurity.net>
66704Date: Sat Oct 26 08:41:24 2013 -0400
66705
66706 - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs <timo.teras@iki.f> and Natanael Copa <ncopa@alpinelinux.org> (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
66707 - updated config help for latent entropy to reflect recent changes
66708
66709 arch/x86/include/asm/uaccess_64.h | 4 ++--
66710 security/Kconfig | 6 +++---
66711 2 files changed, 5 insertions(+), 5 deletions(-)
66712
66713commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad
66714Author: Johannes Weiner <hannes@cmpxchg.org>
66715Date: Wed Oct 16 13:47:00 2013 -0700
66716
66717 Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc
66718
66719 fs: buffer: move allocation failure loop into the allocator
66720
66721 Buffer allocation has a very crude indefinite loop around waking the
66722 flusher threads and performing global NOFS direct reclaim because it can
66723 not handle allocation failures.
66724
66725 The most immediate problem with this is that the allocation may fail due
66726 to a memory cgroup limit, where flushers + direct reclaim might not make
66727 any progress towards resolving the situation at all. Because unlike the
66728 global case, a memory cgroup may not have any cache at all, only
66729 anonymous pages but no swap. This situation will lead to a reclaim
66730 livelock with insane IO from waking the flushers and thrashing unrelated
66731 filesystem cache in a tight loop.
66732
66733 Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
66734 any looping happens in the page allocator, which knows how to
66735 orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
66736 allows memory cgroups to detect allocations that can't handle failure
66737 and will allow them to ultimately bypass the limit if reclaim can not
66738 make progress.
66739
66740 Reported-by: azurIt <azurit@pobox.sk>
66741 Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
66742 Cc: Michal Hocko <mhocko@suse.cz>
66743 Cc: <stable@kernel.org>
66744 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
66745 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
66746
66747 fs/buffer.c | 14 ++++++++++++--
66748 mm/memcontrol.c | 2 ++
66749 2 files changed, 14 insertions(+), 2 deletions(-)
66750
66751commit 799326c8683d8d70b2035b1e5ab913c159112b6b
66752Author: Miklos Szeredi <mszeredi@suse.cz>
66753Date: Thu Oct 10 16:48:19 2013 +0200
66754
66755 Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06
66756
66757 ext[34]: fix double put in tmpfile
66758
66759 d_tmpfile() already swallowed the inode ref.
66760
66761 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
66762 Cc: stable@vger.kernel.org
66763 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
66764
66765 fs/ext3/namei.c | 5 ++---
66766 fs/ext4/namei.c | 5 ++---
66767 2 files changed, 4 insertions(+), 6 deletions(-)
66768
66769commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3
66770Author: Jan Klos <honza.klos@gmail.com>
66771Date: Sun Oct 6 21:08:20 2013 +0200
66772
66773 Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20
66774
66775 cifs: Fix inability to write files >2GB to SMB2/3 shares
66776
66777 When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super().
66778
66779 The patch fixes this by checking for the correct bit according to the protocol version.
66780
66781 CC: Stable <stable@kernel.org>
66782 Signed-off-by: Jan Klos <honza.klos@gmail.com>
66783 Reviewed-by: Jeff Layton <jlayton@redhat.com>
66784 Signed-off-by: Steve French <smfrench@gmail.com>
66785
66786 fs/cifs/cifsfs.c | 6 ++++--
66787 1 files changed, 4 insertions(+), 2 deletions(-)
66788
66789commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22
66790Author: Tim Gardner <tim.gardner@canonical.com>
66791Date: Sun Oct 13 13:29:03 2013 -0600
66792
66793 Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a
66794
66795 cifs: ntstatus_to_dos_map[] is not terminated
66796
66797 Functions that walk the ntstatus_to_dos_map[] array could
66798 run off the end. For example, ntstatus_to_dos() loops
66799 while ntstatus_to_dos_map[].ntstatus is not 0. Granted,
66800 this is mostly theoretical, but could be used as a DOS attack
66801 if the error code in the SMB header is bogus.
66802
66803 [Might consider adding to stable, as this patch is low risk - Steve]
66804
66805 Reviewed-by: Jeff Layton <jlayton@redhat.com>
66806 Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
66807 Signed-off-by: Steve French <smfrench@gmail.com>
66808
66809 fs/cifs/netmisc.c | 4 +++-
66810 1 files changed, 3 insertions(+), 1 deletions(-)
66811
66812commit ed8c09a96fa260e1864c632e1dd91b1320876305
66813Author: Eric Dumazet <edumazet@google.com>
66814Date: Tue Oct 15 11:54:30 2013 -0700
66815
66816 Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9
66817
66818 tcp: must unclone packets before mangling them
66819
66820 TCP stack should make sure it owns skbs before mangling them.
66821
66822 We had various crashes using bnx2x, and it turned out gso_size
66823 was cleared right before bnx2x driver was populating TC descriptor
66824 of the _previous_ packet send. TCP stack can sometime retransmit
66825 packets that are still in Qdisc.
66826
66827 Of course we could make bnx2x driver more robust (using
66828 ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack.
66829
66830 We have identified two points where skb_unclone() was needed.
66831
66832 This patch adds a WARN_ON_ONCE() to warn us if we missed another
66833 fix of this kind.
66834
66835 Kudos to Neal for finding the root cause of this bug. Its visible
66836 using small MSS.
66837
66838 Signed-off-by: Eric Dumazet <edumazet@google.com>
66839 Signed-off-by: Neal Cardwell <ncardwell@google.com>
66840 Cc: Yuchung Cheng <ycheng@google.com>
66841 Signed-off-by: David S. Miller <davem@davemloft.net>
66842
66843 net/ipv4/tcp_output.c | 9 ++++++---
66844 1 files changed, 6 insertions(+), 3 deletions(-)
66845
66846commit e5dcf1772ca2a85952da10a21d0650507dc061d3
66847Author: Dan Carpenter <dan.carpenter@oracle.com>
66848Date: Mon Oct 14 15:28:38 2013 +0300
66849
66850 Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5
66851
66852 yam: integer underflow in yam_ioctl()
66853
66854 We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be
66855 negative. I don't know the impact of using a negative bitrate but let's
66856 prevent it.
66857
66858 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
66859 Signed-off-by: David S. Miller <davem@davemloft.net>
66860
66861 include/linux/yam.h | 2 +-
66862 1 files changed, 1 insertions(+), 1 deletions(-)
66863
66864commit 1f5d72d633f317248bba25158c326a61394aebf2
66865Merge: 7ca4328 4df1b96
66866Author: Brad Spengler <spender@grsecurity.net>
66867Date: Fri Oct 18 19:36:17 2013 -0400
66868
66869 Merge branch 'pax-test' into grsec-test
66870
66871 Conflicts:
66872 ipc/shm.c
66873
66874commit 4df1b965687831808af2548487e0f35a2ccc5c29
66875Merge: e41125e 5070441
66876Author: Brad Spengler <spender@grsecurity.net>
66877Date: Fri Oct 18 19:35:31 2013 -0400
66878
66879 Merge branch 'linux-3.11.y' into pax-test
66880
66881 Conflicts:
66882 arch/x86/kernel/setup.c
66883
66884commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525
66885Author: Brad Spengler <spender@grsecurity.net>
66886Date: Wed Oct 16 18:35:00 2013 -0400
66887
66888 From: Mathias Krause <minipli@googlemail.com>
66889 To: Evgeniy Polyakov <zbr@ioremap.net>
66890 Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
66891 Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length
66892
66893 The current code tests the length of the whole netlink message to be
66894 at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
66895 the length of the netlink message header. Use nlmsg_len() instead to
66896 fix this "off-by-NLMSG_HDRLEN" size check.
66897
66898 Cc: stable@vger.kernel.org # v2.6.14+
66899 Signed-off-by: Mathias Krause <minipli@googlemail.com>
66900
66901 drivers/connector/connector.c | 7 ++++---
66902 1 files changed, 4 insertions(+), 3 deletions(-)
66903
66904commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489
66905Author: Brad Spengler <spender@grsecurity.net>
66906Date: Wed Oct 16 18:36:25 2013 -0400
66907
66908 From: Mathias Krause <minipli@googlemail.com>
66909 To: linux-audit@redhat.com
66910 Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
66911 Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
66912
66913 We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
66914 we miss to initialize the mask member of status_set. Fix that.
66915
66916 Cc: Al Viro <viro@zeniv.linux.org.uk>
66917 Cc: Eric Paris <eparis@redhat.com>
66918 Cc: stable@vger.kernel.org # v2.6.6+
66919 Signed-off-by: Mathias Krause <minipli@googlemail.com>
66920
66921 kernel/audit.c | 1 +
66922 1 files changed, 1 insertions(+), 0 deletions(-)
66923
66924commit 9557a8727fd46e68f092dec0830a982e85b231f7
66925Author: Brad Spengler <spender@grsecurity.net>
66926Date: Wed Oct 16 19:02:32 2013 -0400
66927
66928 add 2nd chunk of audit nlmsg_len() fix from minipli
66929
66930 kernel/audit.c | 2 +-
66931 1 files changed, 1 insertions(+), 1 deletions(-)
66932
66933commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd
66934Author: Brad Spengler <spender@grsecurity.net>
66935Date: Wed Oct 16 18:37:59 2013 -0400
66936
66937 From: Mathias Krause <minipli@googlemail.com>
66938 To: linux-audit@redhat.com
66939 Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
66940 Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
66941
66942 Using the nlmsg_len member of the netlink header to test if the message
66943 is valid is wrong as it includes the size of the netlink header itself.
66944 Thereby allowing to send short netlink messages that pass those checks.
66945
66946 Use nlmsg_len() instead to test for the right message length. The result
66947 of nlmsg_len() is guaranteed to be non-negative as the netlink message
66948 already passed the checks of nlmsg_ok().
66949
66950 Also switch to min_t() to please checkpatch.pl.
66951
66952 Cc: Al Viro <viro@zeniv.linux.org.uk>
66953 Cc: Eric Paris <eparis@redhat.com>
66954 Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
66955
66956 kernel/audit.c | 2 +-
66957 1 files changed, 1 insertions(+), 1 deletions(-)
66958
66959commit 7547b29750381c776dfd47f4b1277a492d5b0f72
66960Author: Brad Spengler <spender@grsecurity.net>
66961Date: Wed Oct 16 18:41:01 2013 -0400
66962
66963 From: Mathias Krause <minipli@googlemail.com>
66964 To: netfilter-devel@vger.kernel.org
66965 Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
66966 <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be>
66967 Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
66968
66969 The ulog messages leak heap bytes by the means of padding bytes and
66970 incompletely filled string arrays. Fix those by memset(0)'ing the
66971 whole struct before filling it.
66972
66973 Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
66974 Signed-off-by: Mathias Krause <minipli@googlemail.com>
66975
66976 Conflicts:
66977
66978 net/bridge/netfilter/ebt_ulog.c
66979
66980 net/bridge/netfilter/ebt_ulog.c | 9 +++------
66981 1 files changed, 3 insertions(+), 6 deletions(-)
66982
66983commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528
66984Author: Brad Spengler <spender@grsecurity.net>
66985Date: Wed Oct 16 18:43:01 2013 -0400
66986
66987 From: Mathias Krause <minipli@googlemail.com>
66988 To: netfilter-devel@vger.kernel.org
66989 Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
66990 <kadlec@blackhole.kfki.hu>
66991 Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
66992
66993 The ulog messages leak heap bytes by the means of padding bytes and
66994 incompletely filled string arrays. Fix those by memset(0)'ing the
66995 whole struct before filling it.
66996
66997 Cc: Pablo Neira Ayuso <pablo@netfilter.org>
66998 Cc: Patrick McHardy <kaber@trash.net>
66999 Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
67000 Signed-off-by: Mathias Krause <minipli@googlemail.com>
67001
67002 Conflicts:
67003
67004 net/ipv4/netfilter/ipt_ULOG.c
67005
67006 net/ipv4/netfilter/ipt_ULOG.c | 7 +------
67007 1 files changed, 1 insertions(+), 6 deletions(-)
67008
67009commit 2965f6e6122325a18e69296ad3817c66ca59b7e3
67010Author: Brad Spengler <spender@grsecurity.net>
67011Date: Wed Oct 16 18:49:45 2013 -0400
67012
67013 From: Mathias Krause <minipli@googlemail.com>
67014 To: "David S. Miller" <davem@davemloft.net>
67015 Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
67016 Subject: [PATCH net] unix_diag: fix info leak
67017
67018 When filling the netlink message we miss to wipe the pad field,
67019 therefore leak one byte of heap memory to userland. Fix this by
67020 setting pad to 0.
67021
67022 Signed-off-by: Mathias Krause <minipli@googlemail.com>
67023
67024 net/unix/diag.c | 1 +
67025 1 files changed, 1 insertions(+), 0 deletions(-)
67026
67027commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc
67028Author: Mathias Krause <minipli@googlemail.com>
67029Date: Mon Sep 30 22:03:06 2013 +0200
67030
67031 Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682
67032
67033 proc connector: fix info leaks
67034
67035 Initialize event_data for all possible message types to prevent leaking
67036 kernel stack contents to userland (up to 20 bytes). Also set the flags
67037 member of the connector message to 0 to prevent leaking two more stack
67038 bytes this way.
67039
67040 Cc: stable@vger.kernel.org # v2.6.15+
67041 Signed-off-by: Mathias Krause <minipli@googlemail.com>
67042 Signed-off-by: David S. Miller <davem@davemloft.net>
67043
67044 drivers/connector/cn_proc.c | 18 ++++++++++++++++++
67045 1 files changed, 18 insertions(+), 0 deletions(-)
67046
67047commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04
67048Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
67049Date: Wed Oct 9 15:58:29 2013 +0100
67050
67051 Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a
67052
67053 ARM: 7851/1: check for number of arguments in syscall_get/set_arguments()
67054
67055 In ftrace_syscall_enter(),
67056 syscall_get_arguments(..., 0, n, ...)
67057 if (i == 0) { <handle ORIG_r0> ...; n--;}
67058 memcpy(..., n * sizeof(args[0]));
67059 If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in
67060 syscall_get_arguments(), none of arguments should be copied by memcpy().
67061 Otherwise 'n--' can be a big positive number and unexpected amount of data
67062 will be copied. Tracing system calls which take no argument, say sync(void),
67063 may hit this case and eventually make the system corrupted.
67064 This patch fixes the issue both in syscall_get_arguments() and
67065 syscall_set_arguments().
67066
67067 Cc: <stable@vger.kernel.org>
67068 Acked-by: Will Deacon <will.deacon@arm.com>
67069 Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
67070 Signed-off-by: Will Deacon <will.deacon@arm.com>
67071 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
67072
67073 arch/arm/include/asm/syscall.h | 6 ++++++
67074 1 files changed, 6 insertions(+), 0 deletions(-)
67075
67076commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2
67077Author: Dave Jones <davej@redhat.com>
67078Date: Thu Oct 10 20:05:35 2013 -0400
67079
67080 Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc
67081
67082 ext4: fix memory leak in xattr
67083
67084 If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
67085 potentionally return from the function without having freed these
67086 allocations. If we don't do the return, we over-write the previous
67087 allocation pointers, so we leak either way.
67088
67089 Spotted with Coverity.
67090
67091 [ Fixed by tytso to set is and bs to NULL after freeing these
67092 pointers, in case in the retry loop we later end up triggering an
67093 error causing a jump to cleanup, at which point we could have a double
67094 free bug. -- Ted ]
67095
67096 Signed-off-by: Dave Jones <davej@fedoraproject.org>
67097 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
67098 Reviewed-by: Eric Sandeen <sandeen@redhat.com>
67099 Cc: stable@vger.kernel.org
67100
67101 fs/ext4/xattr.c | 2 ++
67102 1 files changed, 2 insertions(+), 0 deletions(-)
67103
67104commit 224e55268fbd4f81fca479e315c9483df591411d
67105Author: Salva Peiró <speiro@ai2.upv.es>
67106Date: Fri Oct 11 12:50:03 2013 +0300
67107
67108 Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194
67109
67110 farsync: fix info leak in ioctl
67111
67112 The fst_get_iface() code fails to initialize the two padding bytes of
67113 struct sync_serial_settings after the ->loopback member. Add an explicit
67114 memset(0) before filling the structure to avoid the info leak.
67115
67116 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
67117 Signed-off-by: David S. Miller <davem@davemloft.net>
67118
67119 drivers/net/wan/farsync.c | 1 +
67120 1 files changed, 1 insertions(+), 0 deletions(-)
67121
67122commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9
67123Author: James Hogan <james.hogan@imgtec.com>
67124Date: Mon Oct 7 12:14:26 2013 +0100
67125
67126 Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92
67127
67128 MIPS: stack protector: Fix per-task canary switch
67129
67130 Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
67131 per task) was merged in v3.11 and introduced assembly in the MIPS resume
67132 functions to update the value of the current canary in
67133 __stack_chk_guard. However it used PTR_L resulting in a load of the
67134 canary value, instead of PTR_LA to construct its address. The value is
67135 intended to be random but is then treated as an address in the
67136 subsequent LONG_S (store).
67137
67138 This was observed to cause a fault and panic:
67139
67140 CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
67141 Oops[#1]:
67142 ...
67143 $24 : 139fea20 1e1f7cb6
67144 ...
67145 Call Trace:
67146 [<8000cc0c>] resume+0xac/0x118
67147 [<8034f2a4>] __schedule+0x5f8/0x78c
67148 [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
67149 [<80348eec>] rest_init+0x74/0x84
67150 [<804dc990>] start_kernel+0x43c/0x454
67151 Code: 3c18804b 8f184030 8cb901f8 <af190000> 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc
67152
67153 This can also be forced by modifying
67154 arch/mips/include/asm/stackprotector.h so that the default
67155 __stack_chk_guard value is more likely to be a bad (or unaligned)
67156 pointer.
67157
67158 Fix it to use PTR_LA instead, to load the address of the canary value,
67159 which the LONG_S can then use to write into it.
67160
67161 Reported-by: bobjones (via #mipslinux on IRC)
67162 Signed-off-by: James Hogan <james.hogan@imgtec.com>
67163 Cc: Ralf Baechle <ralf@linux-mips.org>
67164 Cc: Gregory Fong <gregory.0xf0@gmail.com>
67165 Cc: linux-mips@linux-mips.org
67166 Cc: stable@vger.kernel.org
67167 Patchwork: https://patchwork.linux-mips.org/patch/6026/
67168 Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
67169
67170 arch/mips/kernel/octeon_switch.S | 2 +-
67171 arch/mips/kernel/r2300_switch.S | 2 +-
67172 arch/mips/kernel/r4k_switch.S | 2 +-
67173 3 files changed, 3 insertions(+), 3 deletions(-)
67174
67175commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c
67176Author: Fan Du <fan.du@windriver.com>
67177Date: Tue Sep 17 15:14:13 2013 +0800
67178
67179 Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda
67180
67181 xfrm: Guard IPsec anti replay window against replay bitmap
67182
67183 For legacy IPsec anti replay mechanism:
67184
67185 bitmap in struct xfrm_replay_state could only provide a 32 bits
67186 window size limit in current design, thus user level parameter
67187 sadb_sa_replay should honor this limit, otherwise misleading
67188 outputs("replay=244") by setkey -D will be:
67189
67190 192.168.25.2 192.168.22.2
67191 esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
67192 E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2
67193 A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
67194 seq=0x00000000 replay=244 flags=0x00000000 state=mature
67195 created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
67196 diff: 22(s) hard: 30(s) soft: 26(s)
67197 last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
67198 current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
67199 allocated: 22 hard: 0 soft: 0
67200 sadb_seq=1 pid=4854 refcnt=0
67201 192.168.22.2 192.168.25.2
67202 esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
67203 E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282
67204 A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
67205 seq=0x00000000 replay=244 flags=0x00000000 state=mature
67206 created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
67207 diff: 22(s) hard: 30(s) soft: 26(s)
67208 last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
67209 current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
67210 allocated: 22 hard: 0 soft: 0
67211 sadb_seq=0 pid=4854 refcnt=0
67212
67213 And also, optimizing xfrm_replay_check window checking by setting the
67214 desirable x->props.replay_window with only doing the comparison once
67215 for all when xfrm_state is first born.
67216
67217 Signed-off-by: Fan Du <fan.du@windriver.com>
67218 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
67219
67220 net/key/af_key.c | 3 ++-
67221 net/xfrm/xfrm_replay.c | 3 +--
67222 net/xfrm/xfrm_user.c | 3 ++-
67223 3 files changed, 5 insertions(+), 4 deletions(-)
67224
67225commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541
67226Author: Thomas Egerer <thomas.egerer@secunet.com>
67227Date: Thu Sep 19 13:19:19 2013 +0200
67228
67229 Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c
67230
67231 xfrm: Fix aevent generation for each received packet
67232
67233 If asynchronous events are enabled for a particular netlink socket,
67234 the notify function is called by the advance function. The notify
67235 function creates and dispatches a km_event if a replay timeout occurred,
67236 or at least replay_maxdiff packets have been received since the last
67237 asynchronous event has been sent. The function is supposed to return if
67238 neither of the two events were detected for a state, or replay_maxdiff
67239 is equal to zero.
67240 Replay_maxdiff is initialized in xfrm_state_construct to the value of
67241 the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state
67242 if the netlink attribute XFRMA_REPLAY_THRESH is set.
67243 If, however, replay_maxdiff is set to zero, then all of the three notify
67244 implementations perform a break from the switch statement instead of
67245 checking whether a timeout occurred, and -- if not -- return. As a
67246 result an asynchronous event is generated for every replay update of a
67247 state that has a zero replay_maxdiff value.
67248 This patch modifies the notify functions such that they immediately
67249 return if replay_maxdiff has the value zero, unless a timeout occurred.
67250
67251 Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
67252 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
67253
67254 net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++----------------------
67255 1 files changed, 27 insertions(+), 24 deletions(-)
67256
67257commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8
67258Author: Steffen Klassert <steffen.klassert@secunet.com>
67259Date: Tue Oct 8 10:49:45 2013 +0200
67260
67261 Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee
67262
67263 xfrm: Add refcount handling to queued policies
67264
67265 We need to ensure that policies can't go away as long as the hold timer
67266 is armed, so take a refcont when we arm the timer and drop one if we
67267 delete it.
67268
67269 Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
67270 resolution packet queue")
67271
67272 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
67273
67274 net/xfrm/xfrm_policy.c | 24 +++++++++++++++++-------
67275 1 files changed, 17 insertions(+), 7 deletions(-)
67276
67277commit b4948dc963442682534b3a039664b564c764e4f8
67278Author: Steffen Klassert <steffen.klassert@secunet.com>
67279Date: Tue Oct 8 10:49:51 2013 +0200
67280
67281 Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0
67282
67283 xfrm: check for a vaild skb in xfrm_policy_queue_process
67284
67285 We might dreference a NULL pointer if the hold_queue is empty,
67286 so add a check to avoid this.
67287
67288 Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
67289 resolution packet queue")
67290
67291 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
67292
67293 net/xfrm/xfrm_policy.c | 4 ++++
67294 1 files changed, 4 insertions(+), 0 deletions(-)
67295
67296commit fad7f264b264b0b17a307aa16162cb43c7688a30
67297Author: Marc Kleine-Budde <mkl@pengutronix.de>
67298Date: Mon Oct 7 23:19:58 2013 +0200
67299
67300 Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89
67301
67302 net: vlan: fix nlmsg size calculation in vlan_get_size()
67303
67304 This patch fixes the calculation of the nlmsg size, by adding the missing
67305 nla_total_size().
67306
67307 Cc: Patrick McHardy <kaber@trash.net>
67308 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
67309 Signed-off-by: David S. Miller <davem@davemloft.net>
67310
67311 net/8021q/vlan_netlink.c | 2 +-
67312 1 files changed, 1 insertions(+), 1 deletions(-)
67313
67314commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd
67315Author: François Cachereul <f.cachereul@alphalink.fr>
67316Date: Wed Oct 2 10:16:02 2013 +0200
67317
67318 Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c
67319
67320 l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
67321
67322 IPv4 mapped addresses cause kernel panic.
67323 The patch juste check whether the IPv6 address is an IPv4 mapped
67324 address. If so, use IPv4 API instead of IPv6.
67325
67326 [ 940.026915] general protection fault: 0000 [#1]
67327 [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
67328 [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
67329 [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
67330 [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
67331 [ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326
67332 [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286
67333 [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
67334 [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
67335 [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
67336 [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
67337 [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
67338 [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
67339 [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
67340 [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
67341 [ 940.026915] Stack:
67342 [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
67343 [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
67344 [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
67345 [ 940.026915] Call Trace:
67346 [ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
67347 [ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
67348 [ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
67349 [ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
67350 [ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
67351 [ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
67352 [ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
67353 [ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
67354 [ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
67355 [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
67356 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
67357 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
67358 [ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326
67359 [ 940.026915] RSP <ffff88000737fd28>
67360 [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
67361 [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
67362
67363 Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
67364 Signed-off-by: David S. Miller <davem@davemloft.net>
67365
67366 net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++----
67367 net/l2tp/l2tp_core.h | 3 +++
67368 2 files changed, 26 insertions(+), 4 deletions(-)
67369
67370commit 2db6fe58460d400bc8b995fa2328be03e27e55e1
67371Merge: 28f9622 e41125e
67372Author: Brad Spengler <spender@grsecurity.net>
67373Date: Tue Oct 15 10:00:52 2013 -0400
67374
67375 Merge branch 'pax-test' into grsec-test
67376
67377 Conflicts:
67378 arch/sparc/kernel/ds.c
67379 net/sysctl_net.c
67380
67381commit e41125e4742f332cd8cd8cf0c00cb189dba0e037
67382Merge: 740e5ec a145cb9
67383Author: Brad Spengler <spender@grsecurity.net>
67384Date: Tue Oct 15 09:58:29 2013 -0400
67385
67386 Merge branch 'linux-3.11.y' into pax-test
67387
67388commit 28f9622091224541efadf3ae006f0e5651c7fa45
67389Author: Brad Spengler <spender@grsecurity.net>
67390Date: Tue Oct 1 22:48:34 2013 -0400
67391
67392 Fix this strlcpy crap properly
67393
67394 arch/sparc/kernel/ds.c | 7 +++----
67395 1 files changed, 3 insertions(+), 4 deletions(-)
67396
67397commit 837193210e4125fe4e9e554b28d7bc33985f3554
67398Author: David S. Miller <davem@davemloft.net>
67399Date: Fri Sep 27 13:46:04 2013 -0700
67400
67401 Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355
67402
67403 sparc64: Fix buggy strlcpy() conversion in ldom_reboot().
67404
67405 Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using
67406 strlcpy() instead of strcpy()") added a bug to ldom_reboot in
67407 arch/sparc/kernel/ds.c
67408
67409 - strcpy(full_boot_str + strlen("boot "), boot_command);
67410 + strlcpy(full_boot_str + strlen("boot "), boot_command,
67411 + sizeof(full_boot_str + strlen("boot ")));
67412
67413 That last sizeof() expression evaluates to sizeof(size_t) which is
67414 not what was intended.
67415
67416 Also even the corrected:
67417
67418 sizeof(full_boot_str) + strlen("boot ")
67419
67420 is not right as the destination buffer length is just plain
67421 "sizeof(full_boot_str)" and that's what the final argument
67422 should be.
67423
67424 Signed-off-by: David S. Miller <davem@davemloft.net>
67425
67426 arch/sparc/kernel/ds.c | 2 +-
67427 1 files changed, 1 insertions(+), 1 deletions(-)
67428
67429commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249
67430Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
67431Date: Sun Sep 29 05:40:50 2013 +0200
67432
67433 Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae
67434
67435 ipv6: gre: correct calculation of max_headroom
67436
67437 gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header,
67438 so initialize max_headroom to zero. Otherwise the
67439
67440 if (encap_limit >= 0) {
67441 max_headroom += 8;
67442 mtu -= 8;
67443 }
67444
67445 increments an uninitialized variable before max_headroom was reset.
67446
67447 Found with coverity: 728539
67448
67449 Cc: Dmitry Kozlov <xeb@mail.ru>
67450 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
67451 Acked-by: Eric Dumazet <edumazet@google.com>
67452 Signed-off-by: David S. Miller <davem@davemloft.net>
67453
67454 Conflicts:
67455
67456 net/ipv6/ip6_gre.c
67457
67458 net/ipv6/ip6_gre.c | 4 ++--
67459 1 files changed, 2 insertions(+), 2 deletions(-)
67460
67461commit 0d68ac550952d0eaf60851497ceee68dbba24516
67462Merge: 64257ad 740e5ec
67463Author: Brad Spengler <spender@grsecurity.net>
67464Date: Tue Oct 1 18:11:52 2013 -0400
67465
67466 Merge branch 'pax-test' into grsec-test
67467
67468 Conflicts:
67469 drivers/hid/hid-core.c
67470 drivers/hid/hid-lg2ff.c
67471 drivers/hid/hid-lg3ff.c
67472 drivers/hid/hid-lg4ff.c
67473 drivers/hid/hid-lgff.c
67474 drivers/hid/hid-logitech-dj.c
67475 drivers/hid/hid-steelseries.c
67476 drivers/hid/hid-zpff.c
67477 include/linux/hid.h
67478
67479commit 740e5ec087969afd43ae0b552b4e05914437ed32
67480Merge: c38c6b0 db20388
67481Author: Brad Spengler <spender@grsecurity.net>
67482Date: Tue Oct 1 17:40:46 2013 -0400
67483
67484 Merge branch 'linux-3.11.y' into pax-test
67485
67486commit 64257ad95c51285d415f93ebdd486fae6bb9415d
67487Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
67488Date: Sat Sep 21 06:27:00 2013 +0200
67489
67490 Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47
67491
67492 ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
67493
67494 In the following scenario the socket is corked:
67495 If the first UDP packet is larger then the mtu we try to append it to the
67496 write queue via ip6_ufo_append_data. A following packet, which is smaller
67497 than the mtu would be appended to the already queued up gso-skb via
67498 plain ip6_append_data. This causes random memory corruptions.
67499
67500 In ip6_ufo_append_data we also have to be careful to not queue up the
67501 same skb multiple times. So setup the gso frame only when no first skb
67502 is available.
67503
67504 This also fixes a shortcoming where we add the current packet's length to
67505 cork->length but return early because of a packet > mtu with dontfrag set
67506 (instead of sutracting it again).
67507
67508 Found with trinity.
67509
67510 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
67511 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
67512 Reported-by: Dmitry Vyukov <dvyukov@google.com>
67513 Signed-off-by: David S. Miller <davem@davemloft.net>
67514
67515 net/ipv6/ip6_output.c | 53 ++++++++++++++++++++----------------------------
67516 1 files changed, 22 insertions(+), 31 deletions(-)
67517
67518commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6
67519Author: Dan Carpenter <dan.carpenter@oracle.com>
67520Date: Tue Sep 24 15:27:45 2013 -0700
67521
67522 Just a whitespace fix to sync with upstream as we already applied this fix
67523 via Vasiliy Kulikov in 2010. It fell through the cracks upstream
67524
67525 cciss: fix info leak in cciss_ioctl32_passthru()
67526
67527 The arg64 struct has a hole after ->buf_size which isn't cleared. Or if
67528 any of the calls to copy_from_user() fail then that would cause an
67529 information leak as well.
67530
67531 This was assigned CVE-2013-2147.
67532
67533 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
67534 Acked-by: Mike Miller <mike.miller@hp.com>
67535 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
67536 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
67537
67538 Conflicts:
67539
67540 drivers/block/cciss.c
67541
67542 drivers/block/cciss.c | 1 -
67543 1 files changed, 0 insertions(+), 1 deletions(-)
67544
67545commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e
67546Author: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
67547Date: Tue Sep 24 18:29:11 2013 -0700
67548
67549 Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b
67550
67551 mm: Place preemption point in do_mlockall() loop
67552
67553 There is a loop in do_mlockall() that lacks a preemption point, which
67554 means that the following can happen on non-preemptible builds of the
67555 kernel. Dave Jones reports:
67556
67557 "My fuzz tester keeps hitting this. Every instance shows the non-irq
67558 stack came in from mlockall. I'm only seeing this on one box, but
67559 that has more ram (8gb) than my other machines, which might explain
67560 it.
67561
67562 INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0)
67563 sending NMI to all CPUs:
67564 NMI backtrace for cpu 3
67565 CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
67566 Call Trace:
67567 lru_add_drain_all+0x15/0x20
67568 SyS_mlockall+0xa5/0x1a0
67569 tracesys+0xdd/0xe2"
67570
67571 This commit addresses this problem by inserting the required preemption
67572 point.
67573
67574 Reported-by: Dave Jones <davej@redhat.com>
67575 Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
67576 Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
67577 Cc: Michel Lespinasse <walken@google.com>
67578 Cc: Andrew Morton <akpm@linux-foundation.org>
67579 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
67580
67581 mm/mlock.c | 1 +
67582 1 files changed, 1 insertions(+), 0 deletions(-)
67583
67584commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9
67585Author: Brad Spengler <spender@grsecurity.net>
67586Date: Fri Sep 27 21:06:17 2013 -0400
67587
67588 Don't log attempts to create a socket with a family that the kernel doesn't
67589 support
67590 Further, if the kernel doesn't support the socket family, instead of returning
67591 -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6
67592 sockets in RBAC policy despite a kernel that doesn't support ipv6
67593 observed during a Debian userland update necessitating a policy change
67594
67595 grsecurity/gracl_ip.c | 7 +++----
67596 net/socket.c | 26 +++++++++++++++-----------
67597 2 files changed, 18 insertions(+), 15 deletions(-)
67598
67599commit 55f1e409275973513a3314fe5bfa76a4781c0db7
67600Merge: 2eac654 c38c6b0
67601Author: Brad Spengler <spender@grsecurity.net>
67602Date: Fri Sep 27 20:35:04 2013 -0400
67603
67604 Merge branch 'pax-test' into grsec-test
67605
67606 Conflicts:
67607 drivers/hid/hid-picolcd_core.c
67608
67609commit c38c6b0bbbe53bd528aeeb4a059764abc028c276
67610Merge: 115bf6a a3308b5
67611Author: Brad Spengler <spender@grsecurity.net>
67612Date: Fri Sep 27 20:34:15 2013 -0400
67613
67614 Merge branch 'linux-3.11.y' into pax-test
67615
67616 Conflicts:
67617 arch/x86/ia32/ia32_signal.c
67618 arch/x86/include/asm/checksum_32.h
67619 arch/x86/include/asm/mmu_context.h
67620 arch/x86/kernel/signal.c
67621 arch/x86/lib/csum-wrappers_64.c
67622 include/linux/compat.h
67623
67624commit 2eac65435fdffca548a56e5187840908438fc95c
67625Merge: ba0ebde 115bf6a
67626Author: Brad Spengler <spender@grsecurity.net>
67627Date: Thu Sep 26 20:00:00 2013 -0400
67628
67629 Merge branch 'pax-test' into grsec-test
67630
67631commit 115bf6af0083ea28c751d551a39cfdba1798e9dc
67632Author: Brad Spengler <spender@grsecurity.net>
67633Date: Thu Sep 26 19:59:14 2013 -0400
67634
67635 Update to pax-linux-3.11.1-test10.patch:
67636 - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine
67637 - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard
67638 - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040)
67639 - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
67640 - beefed up latent entropy extraction
67641 - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
67642 - entropy will be collected from various irq and softirq handlers
67643
67644 arch/arm/kernel/module.c | 2 ++
67645 arch/arm/kernel/vmlinux.lds.S | 2 +-
67646 block/blk-iopoll.c | 2 +-
67647 block/blk-softirq.c | 2 +-
67648 fs/binfmt_elf.c | 8 +++++---
67649 include/linux/genhd.h | 2 +-
67650 include/linux/random.h | 4 ++--
67651 kernel/hrtimer.c | 2 +-
67652 kernel/rcutiny.c | 2 +-
67653 kernel/rcutree.c | 2 +-
67654 kernel/sched/fair.c | 2 +-
67655 kernel/softirq.c | 4 ++--
67656 kernel/timer.c | 2 +-
67657 lib/percpu-refcount.c | 2 +-
67658 net/core/dev.c | 4 ++--
67659 tools/gcc/latent_entropy_plugin.c | 2 +-
67660 16 files changed, 24 insertions(+), 20 deletions(-)
67661
67662commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6
67663Author: Brad Spengler <spender@grsecurity.net>
67664Date: Sun Sep 22 18:14:07 2013 -0400
67665
67666 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
67667
67668 This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
67669
67670 net/netlink/genetlink.c | 7 -------
67671 1 files changed, 0 insertions(+), 7 deletions(-)
67672
67673commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35
67674Merge: f1e4228 90db383
67675Author: Brad Spengler <spender@grsecurity.net>
67676Date: Wed Sep 18 17:34:37 2013 -0400
67677
67678 Merge branch 'pax-test' into grsec-test
67679
67680commit 90db383fd7d650172d52229b0116ad7604c9bec1
67681Author: Brad Spengler <spender@grsecurity.net>
67682Date: Wed Sep 18 17:32:42 2013 -0400
67683
67684 Update to pax-linux-3.11.1-test9.patch:
67685 - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer
67686 - better implementation of __read_only for modules
67687 - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard
67688
67689 arch/arm/kernel/entry-common.S | 12 ++++++------
67690 arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++--
67691 arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++-
67692 arch/x86/include/asm/cache.h | 4 ----
67693 drivers/bus/arm-cci.c | 2 +-
67694 drivers/clk/socfpga/clk.c | 2 +-
67695 drivers/mmc/host/mmci.c | 4 +++-
67696 drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +-
67697 include/linux/cache.h | 4 ++++
67698 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
67699 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
67700 scripts/module-common.lds | 4 ++++
67701 12 files changed, 49 insertions(+), 19 deletions(-)
67702
67703commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810
67704Author: Brad Spengler <spender@grsecurity.net>
67705Date: Wed Sep 18 17:32:25 2013 -0400
67706
67707 Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error"
67708
67709 This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f.
67710
67711 net/sctp/protocol.c | 2 +-
67712 1 files changed, 1 insertions(+), 1 deletions(-)
67713
67714commit f1e42285e17479067b6cbcffc43916720e6dedd3
67715Merge: 456ca17 5e30989
67716Author: Brad Spengler <spender@grsecurity.net>
67717Date: Mon Sep 16 21:42:34 2013 -0400
67718
67719 Merge branch 'pax-test' into grsec-test
67720
67721commit 5e30989102e2d0df166ab6ff915b90f675f8786f
67722Author: Brad Spengler <spender@grsecurity.net>
67723Date: Mon Sep 16 21:41:44 2013 -0400
67724
67725 mark sctp_af_inet forward declaration as __read_only to fix compile error
67726
67727 net/sctp/protocol.c | 2 +-
67728 1 files changed, 1 insertions(+), 1 deletions(-)
67729
67730commit 456ca176141f10355c1569b29225c9ce4b7db18e
67731Merge: b406eac 5df8f36
67732Author: Brad Spengler <spender@grsecurity.net>
67733Date: Mon Sep 16 20:02:05 2013 -0400
67734
67735 Merge branch 'pax-test' into grsec-test
67736
67737commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6
67738Author: Brad Spengler <spender@grsecurity.net>
67739Date: Mon Sep 16 20:01:38 2013 -0400
67740
67741 Update to pax-linux-3.11.1-test7.patch:
67742 - fixed arm compile error, reported by Arnaud Ebalard
67743 - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
67744 - fixed od_ops constification, fixes cpufreq ondemand on AMD
67745 - latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
67746 - __read_only will now be enforced in modules as well
67747 - removed unneccessary __read_only from ntfs
67748
67749 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
67750 arch/x86/include/asm/cache.h | 4 ++++
67751 drivers/cpufreq/cpufreq_governor.h | 2 +-
67752 drivers/cpufreq/cpufreq_ondemand.c | 2 +-
67753 fs/ntfs/file.c | 4 ++--
67754 include/linux/init.h | 5 -----
67755 include/net/xfrm.h | 5 ++++-
67756 init/main.c | 9 +++------
67757 mm/page_alloc.c | 1 +
67758 net/ipv4/xfrm4_policy.c | 4 ++--
67759 net/ipv6/xfrm6_policy.c | 4 ++--
67760 net/xfrm/xfrm_policy.c | 11 ++---------
67761 12 files changed, 23 insertions(+), 30 deletions(-)
67762
67763commit b406eac579bb3a5faa1c9d73b8af5530f942009a
67764Author: Brad Spengler <spender@grsecurity.net>
67765Date: Mon Sep 16 12:53:22 2013 -0400
67766
67767 Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce
67768
67769 author Steffen Klassert <steffen.klassert@secunet.com> 2013-09-09 07:39:01 (GMT)
67770 committer Steffen Klassert <steffen.klassert@secunet.com> 2013-09-16 07:39:37 (GMT)
67771
67772 xfrm: Fix replay size checking on async events
67773 We pass the wrong netlink attribute to xfrm_replay_verify_len().
67774 It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
67775 we currently doing. This causes memory corruptions if the
67776 replay esn attribute has incorrect length. Fix this by passing
67777 the right attribute to xfrm_replay_verify_len().
67778
67779 Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
67780 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
67781
67782 net/xfrm/xfrm_user.c | 2 +-
67783 1 files changed, 1 insertions(+), 1 deletions(-)
67784
67785commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9
67786Merge: 84843a3 0a0ced6
67787Author: Brad Spengler <spender@grsecurity.net>
67788Date: Sun Sep 15 11:24:30 2013 -0400
67789
67790 Merge branch 'pax-test' into grsec-test
67791
67792 Conflicts:
67793 drivers/net/wireless/ath/ath10k/core.c
67794 drivers/net/wireless/ath/ath10k/htc.c
67795
67796commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d
67797Author: Brad Spengler <spender@grsecurity.net>
67798Date: Sun Sep 15 11:21:43 2013 -0400
67799
67800 Update to pax-linux-3.11.1-test6.patch:
67801 - forward port to 3.11.1
67802 - fixed some CONSTIFY fallout, reported by spender
67803 - fixed INVPCID on i386, reported by spender
67804 - simplified/consolidated the recent security_ops change
67805
67806 arch/x86/include/asm/mmu_context.h | 4 ++--
67807 arch/x86/include/asm/tlbflush.h | 6 +++---
67808 arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
67809 drivers/net/wireless/ath/ath10k/core.c | 6 +++---
67810 drivers/net/wireless/ath/ath10k/htc.c | 7 ++++---
67811 include/linux/security.h | 2 --
67812 security/security.c | 3 ---
67813 security/selinux/hooks.c | 5 +++--
67814 8 files changed, 16 insertions(+), 19 deletions(-)
67815
67816commit 84843a394cde0578be728cb5fd34da9859dcf110
67817Author: Brad Spengler <spender@grsecurity.net>
67818Date: Sun Sep 15 09:19:21 2013 -0400
67819
67820 remove unnecessary check from when protocol was signed
67821
67822 net/phonet/af_phonet.c | 2 +-
67823 1 files changed, 1 insertions(+), 1 deletions(-)
67824
67825commit cc7c916cac4c2eb0ec243690627e2b6a13234fef
67826Author: Brad Spengler <spender@grsecurity.net>
67827Date: Sun Sep 15 08:53:27 2013 -0400
67828
67829 resync with PaX
67830
67831 security/selinux/hooks.c | 4 ++--
67832 1 files changed, 2 insertions(+), 2 deletions(-)
67833
67834commit fdeadf7ba061242685e07a2504c6be99161f292c
67835Author: Brad Spengler <spender@grsecurity.net>
67836Date: Sat Sep 14 23:04:53 2013 -0400
67837
67838 Fix constification of ath10k_hif_cb struct located on stack
67839
67840 drivers/net/wireless/ath/ath10k/hif.h | 1 +
67841 drivers/net/wireless/ath/ath10k/htc.c | 2 +-
67842 2 files changed, 2 insertions(+), 1 deletions(-)
67843
67844commit 73c6875760e610cb636f86566a1be7a744d89b82
67845Author: Brad Spengler <spender@grsecurity.net>
67846Date: Sat Sep 14 22:41:06 2013 -0400
67847
67848 use a no_const typedef for ath10k_htc_ops, which is located on the stack
67849
67850 drivers/net/wireless/ath/ath10k/core.c | 6 +++---
67851 drivers/net/wireless/ath/ath10k/htc.h | 1 +
67852 2 files changed, 4 insertions(+), 3 deletions(-)
67853
67854commit bffb0279b95b717c739365a5a25ca0391e7479b1
67855Author: Brad Spengler <spender@grsecurity.net>
67856Date: Sat Sep 14 22:13:46 2013 -0400
67857
67858 fix compilation error under constify
67859
67860 drivers/net/wireless/ath/ath10k/core.c | 6 +++---
67861 1 files changed, 3 insertions(+), 3 deletions(-)
67862
67863commit 1044c726fd98de89a711c6655f811600d4051e46
67864Merge: ffc8003 e39d12a
67865Author: Brad Spengler <spender@grsecurity.net>
67866Date: Sat Sep 14 21:57:25 2013 -0400
67867
67868 Merge branch 'pax-test' into grsec-test
67869
67870commit e39d12a3b877293ba677bf7642c8887144ae1576
67871Author: Brad Spengler <spender@grsecurity.net>
67872Date: Sat Sep 14 21:56:56 2013 -0400
67873
67874 Update to pax-linux-3.11-test5.patch:
67875 - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
67876 - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin
67877
67878 mm/mremap.c | 5 ++++-
67879 tools/gcc/kernexec_plugin.c | 4 ++--
67880 2 files changed, 6 insertions(+), 3 deletions(-)
67881
67882commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b
67883Author: Brad Spengler <spender@grsecurity.net>
67884Date: Sat Sep 14 21:48:03 2013 -0400
67885
67886 fix compile error introduced by pipacs
67887
67888 security/selinux/hooks.c | 2 ++
67889 1 files changed, 2 insertions(+), 0 deletions(-)
67890
67891commit 874e80f445b1325df45f04cc317f67587e241218
67892Author: Brad Spengler <spender@grsecurity.net>
67893Date: Sat Sep 14 21:12:45 2013 -0400
67894
67895 Fix invalid dependency causing warning:
67896 warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
67897
67898 lib/Kconfig.debug | 2 +-
67899 1 files changed, 1 insertions(+), 1 deletions(-)
67900
67901commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a
67902Author: Brad Spengler <spender@grsecurity.net>
67903Date: Sat Sep 14 19:53:56 2013 -0400
67904
67905 change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs
67906
67907 arch/x86/include/asm/tlbflush.h | 6 +++---
67908 1 files changed, 3 insertions(+), 3 deletions(-)
67909
67910commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838
67911Author: Daniel Borkmann <dborkman@redhat.com>
67912Date: Sat Sep 7 16:44:59 2013 +0200
67913
67914 Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95
67915
67916 net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE
67917
67918 If we do not add braces around ...
67919
67920 mask |= POLLERR |
67921 sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
67922
67923 ... then this condition always evaluates to true as POLLERR is
67924 defined as 8 and binary or'd with whatever result comes out of
67925 sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
67926 X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix
67927 smatch warnings inside datagram_poll") forgot about SCTP. :-(
67928
67929 Introduced by 7d4c04fc170 ("net: add option to enable error queue
67930 packets waking select").
67931
67932 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
67933 Cc: Jacob Keller <jacob.e.keller@intel.com>
67934 Acked-by: Neil Horman <nhorman@tuxdriver.com>
67935 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
67936 Acked-by: Jacob Keller <jacob.e.keller@intel.com>
67937 Signed-off-by: David S. Miller <davem@davemloft.net>
67938
67939 net/sctp/socket.c | 2 +-
67940 1 files changed, 1 insertions(+), 1 deletions(-)
67941
67942commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986
67943Author: Jason Wang <jasowang@redhat.com>
67944Date: Wed Sep 11 18:09:48 2013 +0800
67945
67946 Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0
67947
67948 tuntap: correctly handle error in tun_set_iff()
67949
67950 Commit c8d68e6be1c3b242f1c598595830890b65cea64a
67951 (tuntap: multiqueue support) only call free_netdev() on error in
67952 tun_set_iff(). This causes several issues:
67953
67954 - memory of tun security were leaked
67955 - use after free since the flow gc timer was not deleted and the tfile
67956 were not detached
67957
67958 This patch solves the above issues.
67959
67960 Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
67961 Cc: Michael S. Tsirkin <mst@redhat.com>
67962 Signed-off-by: Jason Wang <jasowang@redhat.com>
67963 Acked-by: Michael S. Tsirkin <mst@redhat.com>
67964 Signed-off-by: David S. Miller <davem@davemloft.net>
67965
67966 drivers/net/tun.c | 11 ++++++++---
67967 1 files changed, 8 insertions(+), 3 deletions(-)
67968
67969commit b504140d8590bd67ed481ea84824a9846dde2d74
67970Author: Herbert Xu <herbert@gondor.apana.org.au>
67971Date: Sun Sep 8 14:33:50 2013 +1000
67972
67973 Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
67974
67975 crypto: api - Fix race condition in larval lookup
67976
67977 crypto_larval_lookup should only return a larval if it created one.
67978 Any larval created by another entity must be processed through
67979 crypto_larval_wait before being returned.
67980
67981 Otherwise this will lead to a larval being killed twice, which
67982 will most likely lead to a crash.
67983
67984 Cc: stable@vger.kernel.org
67985 Reported-by: Kees Cook <keescook@chromium.org>
67986 Tested-by: Kees Cook <keescook@chromium.org>
67987 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
67988
67989 crypto/api.c | 7 ++++++-
67990 1 files changed, 6 insertions(+), 1 deletions(-)
67991
67992commit f4212fa9ec1c34c59fabc43904e16112b776b6b2
67993Author: Daniel Borkmann <dborkman@redhat.com>
67994Date: Wed Sep 11 16:58:36 2013 +0200
67995
67996 Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7
67997
67998 net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
67999
68000 Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
68001 being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
68002 does not seem to have the desired effect:
68003
68004 SCTP + IPv4:
68005
68006 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
68007 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
68008 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
68009 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
68010
68011 SCTP + IPv6:
68012
68013 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
68014 fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
68015 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
68016
68017 Moreover, Alan says:
68018
68019 This problem was seen with both Racoon and Racoon2. Other people have seen
68020 this with OpenSwan. When IPsec is configured to encrypt all upper layer
68021 protocols the SCTP connection does not initialize. After using Wireshark to
68022 follow packets, this is because the SCTP packet leaves Box A unencrypted and
68023 Box B believes all upper layer protocols are to be encrypted so it drops
68024 this packet, causing the SCTP connection to fail to initialize. When IPsec
68025 is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
68026
68027 In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
68028 string on the other end, results in cleartext on the wire where SCTP eventually
68029 does not report any errors, thus in the latter case that Alan reports, the
68030 non-paranoid user might think he's communicating over an encrypted transport on
68031 SCTP although he's not (tcpdump ... -X):
68032
68033 ...
68034 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l....
68035 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext...
68036
68037 Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
68038 receiver side. Initial follow-up analysis from Alan's bug report was done by
68039 Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
68040
68041 SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
68042 This has the implication that it probably never really got updated along with
68043 changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
68044
68045 SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
68046 a call to inet6_csk_xmit() would solve this problem, but result in unecessary
68047 route lookups, let us just use the cached flowi6 instead that we got through
68048 sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
68049 we do the route lookup / flow caching in sctp_transport_route(), hold it in
68050 tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
68051 sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
68052 of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
68053 instead to get the correct source routed dst entry, which we assign to the skb.
68054
68055 Also source address routing example from 625034113 ("sctp: fix sctp to work with
68056 ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
68057 it is actually 'recommended' to not use that anyway due to traffic amplification [1].
68058 So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
68059 we overwrite the flow destination here, the lower IPv6 layer will be unable to
68060 put the correct destination address into IP header, as routing header is added in
68061 ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
68062 result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
68063 the wire with this patch it now looks like:
68064
68065 SCTP + IPv6:
68066
68067 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
68068 AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
68069 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
68070 AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
68071
68072 This fixes Kernel Bugzilla 24412. This security issue seems to be present since
68073 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have
68074 its fun with that. lksctp-tools IPv6 regression test suite passes as well with
68075 this patch.
68076
68077 [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
68078
68079 Reported-by: Alan Chester <alan.chester@tekelec.com>
68080 Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
68081 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
68082 Cc: Steffen Klassert <steffen.klassert@secunet.com>
68083 Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
68084 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
68085 Signed-off-by: David S. Miller <davem@davemloft.net>
68086
68087 net/sctp/ipv6.c | 42 +++++++++++++-----------------------------
68088 1 files changed, 13 insertions(+), 29 deletions(-)
68089
68090commit 726915e42b1a23b88cd420029003d82208a30006
68091Author: Kees Cook <keescook@chromium.org>
68092Date: Fri Sep 13 14:52:04 2013 -0700
68093
68094 Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7
68095
68096 isdn: clean up debug format string usage
68097
68098 Avoid unneeded local string buffers for constructing debug output. Also
68099 cleans up debug calls that contain a single parameter so that they cannot
68100 be accidentally parsed as format strings.
68101
68102 Signed-off-by: Kees Cook <keescook@chromium.org>
68103 Cc: Karsten Keil <isdn@linux-pingi.de>
68104 Cc: David Miller <davem@davemloft.net>
68105 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
68106 Signed-off-by: David S. Miller <davem@davemloft.net>
68107
68108 drivers/isdn/hisax/amd7930_fn.c | 4 +-
68109 drivers/isdn/hisax/avm_pci.c | 4 +-
68110 drivers/isdn/hisax/config.c | 2 +-
68111 drivers/isdn/hisax/diva.c | 4 +-
68112 drivers/isdn/hisax/elsa.c | 2 +-
68113 drivers/isdn/hisax/elsa_ser.c | 2 +-
68114 drivers/isdn/hisax/hfc_pci.c | 2 +-
68115 drivers/isdn/hisax/hfc_sx.c | 2 +-
68116 drivers/isdn/hisax/hscx_irq.c | 4 +-
68117 drivers/isdn/hisax/icc.c | 4 +-
68118 drivers/isdn/hisax/ipacx.c | 8 +++---
68119 drivers/isdn/hisax/isac.c | 4 +-
68120 drivers/isdn/hisax/isar.c | 6 ++--
68121 drivers/isdn/hisax/jade.c | 18 ++++----------
68122 drivers/isdn/hisax/jade_irq.c | 4 +-
68123 drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++-------------------------
68124 drivers/isdn/hisax/netjet.c | 2 +-
68125 drivers/isdn/hisax/q931.c | 6 ++--
68126 drivers/isdn/hisax/w6692.c | 8 +++---
68127 19 files changed, 57 insertions(+), 79 deletions(-)
68128
68129commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3
68130Author: Brad Spengler <spender@grsecurity.net>
68131Date: Sat Sep 14 19:16:48 2013 -0400
68132
68133 Fix a bad git merge, re-applied a previously reverted patch
68134
68135 arch/x86/include/asm/processor.h | 4 ++--
68136 arch/x86/kernel/cpu/common.c | 2 +-
68137 arch/x86/kernel/process_64.c | 2 +-
68138 arch/x86/kernel/smpboot.c | 2 +-
68139 arch/x86/xen/smp.c | 2 +-
68140 5 files changed, 6 insertions(+), 6 deletions(-)
68141
68142commit 5dea4b212b0405d6bcbea57516d77b21035d1178
68143Author: Brad Spengler <spender@grsecurity.net>
68144Date: Sat Sep 14 16:56:37 2013 -0400
68145
68146 finish porting namei.c
68147
68148 fs/namei.c | 50 +++++++++++---------------------------------------
68149 1 files changed, 11 insertions(+), 39 deletions(-)
68150
68151commit a7d5c5e2d0fd4831df19247e41c73c362809b00f
68152Author: Brad Spengler <spender@grsecurity.net>
68153Date: Sat Sep 14 16:44:08 2013 -0400
68154
68155 cred->user -> current_user()
68156
68157 fs/exec.c | 2 +-
68158 1 files changed, 1 insertions(+), 1 deletions(-)
68159
68160commit be3db5fa6532557384fb66d2d9297d77666912cf
68161Author: Brad Spengler <spender@grsecurity.net>
68162Date: Sat Sep 14 16:36:24 2013 -0400
68163
68164 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
68165
68166 grsecurity/Kconfig | 3 ++-
68167 1 files changed, 2 insertions(+), 1 deletions(-)
68168
68169commit ce9afc12137b65991bfc7cce70e28d86bbb76956
68170Author: Daniel Borkmann <dborkman@redhat.com>
68171Date: Tue Sep 3 19:29:12 2013 +0200
68172
68173 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
68174
68175 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
68176
68177 In tcp_v6_do_rcv() code, when processing pkt options, we soley work
68178 on our skb clone opt_skb that we've created earlier before entering
68179 tcp_rcv_established() on our way. However, only in condition ...
68180
68181 if (np->rxopt.bits.rxtclass)
68182 np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
68183
68184 ... we work on skb itself. As we extract every other information out
68185 of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
68186 already be released by tcp_rcv_established() earlier on. When we try
68187 to access it in ipv6_hdr(), we will dereference freed skb.
68188
68189 [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
68190 IP_PKTOPTIONS") ]
68191
68192 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
68193 Cc: Eric Dumazet <eric.dumazet@gmail.com>
68194 Acked-by: Eric Dumazet <edumazet@google.com>
68195 Acked-by: Jiri Benc <jbenc@redhat.com>
68196 Signed-off-by: David S. Miller <davem@davemloft.net>
68197 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68198
68199 net/ipv6/tcp_ipv6.c | 2 +-
68200 1 files changed, 1 insertions(+), 1 deletions(-)
68201
68202commit 84aa149aa0f178516f5784d028522d60d35696c9
68203Author: Brad Spengler <spender@grsecurity.net>
68204Date: Thu Sep 5 19:36:23 2013 -0400
68205
68206 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
68207
68208 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68209
68210 grsecurity/Kconfig | 3 ++-
68211 1 files changed, 2 insertions(+), 1 deletions(-)
68212
68213commit 1145b56059535549be226da9891b56ab2d902b2f
68214Author: Brad Spengler <spender@grsecurity.net>
68215Date: Thu Sep 5 19:17:02 2013 -0400
68216
68217 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
68218
68219 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68220
68221 grsecurity/grsec_sysctl.c | 4 +---
68222 1 files changed, 1 insertions(+), 3 deletions(-)
68223
68224commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3
68225Author: Brad Spengler <spender@grsecurity.net>
68226Date: Thu Sep 5 18:41:49 2013 -0400
68227
68228 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
68229
68230 Also eliminate reset_security_ops() as a ROP target when
68231 SECURITY_SELINUX_DISABLE is disabled as it's the only user
68232
68233 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68234
68235 grsecurity/Kconfig | 17 ++++++++++++++++-
68236 grsecurity/grsec_init.c | 3 +++
68237 grsecurity/grsec_sysctl.c | 2 +-
68238 3 files changed, 20 insertions(+), 2 deletions(-)
68239
68240commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4
68241Author: Brad Spengler <spender@grsecurity.net>
68242Date: Fri Aug 30 17:11:11 2013 -0400
68243
68244 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
68245
68246 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68247
68248 grsecurity/grsec_sysctl.c | 7 ++++---
68249 1 files changed, 4 insertions(+), 3 deletions(-)
68250
68251commit 74dc00678ec84a254617b500a2880974dac95220
68252Author: Brad Spengler <spender@grsecurity.net>
68253Date: Wed Aug 28 20:42:39 2013 -0400
68254
68255 add export of gr_handle_new_usb()
68256
68257 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68258
68259 grsecurity/grsec_usb.c | 2 ++
68260 1 files changed, 2 insertions(+), 0 deletions(-)
68261
68262commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f
68263Author: Brad Spengler <spender@grsecurity.net>
68264Date: Wed Aug 28 19:24:47 2013 -0400
68265
68266 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
68267
68268 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68269
68270 drivers/usb/core/hub.c | 5 +++++
68271 grsecurity/Kconfig | 20 ++++++++++++++++++++
68272 grsecurity/Makefile | 3 ++-
68273 grsecurity/grsec_init.c | 1 +
68274 grsecurity/grsec_sysctl.c | 11 +++++++++++
68275 grsecurity/grsec_usb.c | 13 +++++++++++++
68276 include/linux/grinternal.h | 1 +
68277 include/linux/grsecurity.h | 2 ++
68278 8 files changed, 55 insertions(+), 1 deletions(-)
68279
68280commit 889852764d245f44e416da4eb203fda0bd327584
68281Author: Kees Cook <keescook@chromium.org>
68282Date: Wed Aug 14 09:35:07 2013 -0700
68283
68284 HID: zeroplus: validate output report details
68285
68286 The zeroplus HID driver was not checking the size of allocated values
68287 in fields it used. A HID device could send a malicious output report
68288 that would cause the driver to write beyond the output report allocation
68289 during initialization, causing a heap overflow:
68290
68291 [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
68292 ...
68293 [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
68294
68295 CVE-2013-2889
68296
68297 Signed-off-by: Kees Cook <keescook@chromium.org>
68298 Cc: stable@kernel.org
68299 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68300
68301 drivers/hid/hid-zpff.c | 14 ++------------
68302 1 files changed, 2 insertions(+), 12 deletions(-)
68303
68304commit f30e932a87f25b53779d1f92b49923f8a2dc9834
68305Author: Kees Cook <keescook@chromium.org>
68306Date: Wed Aug 14 14:36:15 2013 -0700
68307
68308 HID: provide a helper for validating hid reports
68309
68310 Many drivers need to validate the characteristics of their HID report
68311 during initialization to avoid misusing the reports. This adds a common
68312 helper to perform validation of the report, its field count, and the
68313 value count within the fields.
68314
68315 Signed-off-by: Kees Cook <keescook@chromium.org>
68316 Cc: stable@kernel.org
68317 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68318
68319 drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
68320 include/linux/hid.h | 4 +++
68321 2 files changed, 54 insertions(+), 0 deletions(-)
68322
68323commit f9eac59133855befee23d0c899e0d0e6ebcd3d44
68324Author: Kees Cook <keescook@chromium.org>
68325Date: Wed Aug 14 09:14:34 2013 -0700
68326
68327 HID: steelseries: validate output report details
68328
68329 A HID device could send a malicious output report that would cause the
68330 steelseries HID driver to write beyond the output report allocation
68331 during initialization, causing a heap overflow:
68332
68333 [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
68334 ...
68335 [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
68336
68337 CVE-2013-2891
68338
68339 Signed-off-by: Kees Cook <keescook@chromium.org>
68340 Cc: stable@kernel.org
68341 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68342
68343 drivers/hid/hid-steelseries.c | 5 +++++
68344 1 files changed, 5 insertions(+), 0 deletions(-)
68345
68346commit 9f5ae466957014bc300929374ebb7afdd9d116d6
68347Author: Kees Cook <keescook@chromium.org>
68348Date: Wed Aug 14 08:49:21 2013 -0700
68349
68350 HID: pantherlord: validate output report details
68351
68352 A HID device could send a malicious output report that would cause the
68353 pantherlord HID driver to write beyond the output report allocation
68354 during initialization, causing a heap overflow:
68355
68356 [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
68357 ...
68358 [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
68359
68360 CVE-2013-2892
68361
68362 Signed-off-by: Kees Cook <keescook@chromium.org>
68363 Cc: stable@kernel.org
68364 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68365
68366 drivers/hid/hid-pl.c | 10 ++++++++--
68367 1 files changed, 8 insertions(+), 2 deletions(-)
68368
68369commit b643b8f8af23488d92f16a817bf16c162d612ce1
68370Author: Kees Cook <keescook@chromium.org>
68371Date: Tue Aug 13 16:49:01 2013 -0700
68372
68373 HID: LG: validate HID output report details
68374
68375 A HID device could send a malicious output report that would cause the
68376 lg, lg3, and lg4 HID drivers to write beyond the output report allocation
68377 during an event, causing a heap overflow:
68378
68379 [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
68380 ...
68381 [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
68382
68383 Additionally, while lg2 did correctly validate the report details, it was
68384 cleaned up and shortened.
68385
68386 CVE-2013-2893
68387
68388 Signed-off-by: Kees Cook <keescook@chromium.org>
68389 Cc: stable@kernel.org
68390 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68391
68392 drivers/hid/hid-lg2ff.c | 19 +++----------------
68393 drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
68394 drivers/hid/hid-lg4ff.c | 20 +-------------------
68395 drivers/hid/hid-lgff.c | 17 ++---------------
68396 4 files changed, 12 insertions(+), 73 deletions(-)
68397
68398commit 975723a41239b1befae172e88082ff4422753508
68399Author: Kees Cook <keescook@chromium.org>
68400Date: Thu Aug 15 23:21:23 2013 -0700
68401
68402 HID: lenovo-tpkbd: validate output report details
68403
68404 A HID device could send a malicious output report that would cause the
68405 lenovo-tpkbd HID driver to write just beyond the output report allocation
68406 during initialization, causing a heap overflow:
68407
68408 [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
68409 ...
68410 [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
68411
68412 CVE-2013-2894
68413
68414 Signed-off-by: Kees Cook <keescook@chromium.org>
68415 Cc: stable@kernel.org
68416 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68417
68418 drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
68419 1 files changed, 5 insertions(+), 0 deletions(-)
68420
68421commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd
68422Author: Kees Cook <keescook@chromium.org>
68423Date: Thu Aug 15 23:45:03 2013 -0700
68424
68425 HID: logitech-dj: validate output report details
68426
68427 A HID device could send a malicious output report that would cause the
68428 logitech-dj HID driver to leak kernel memory contents to the device, or
68429 trigger a NULL dereference during initialization:
68430
68431 [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
68432 ...
68433 [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
68434 [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
68435
68436 CVE-2013-2895
68437
68438 Signed-off-by: Kees Cook <keescook@chromium.org>
68439 Cc: stable@kernel.org
68440 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68441
68442 drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
68443 1 files changed, 10 insertions(+), 2 deletions(-)
68444
68445commit 05c3db7daee82d79c628c15b304f8621159e14f3
68446Author: Kees Cook <keescook@chromium.org>
68447Date: Fri Aug 16 00:18:15 2013 -0700
68448
68449 HID: ntrig: validate feature report details
68450
68451 A HID device could send a malicious feature report that would cause the
68452 ntrig HID driver to trigger a NULL dereference during initialization:
68453
68454 [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
68455 ...
68456 [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
68457 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
68458
68459 CVE-2013-2896
68460
68461 Signed-off-by: Kees Cook <keescook@chromium.org>
68462 Cc: stable@kernel.org
68463 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68464
68465 drivers/hid/hid-ntrig.c | 3 ++-
68466 1 files changed, 2 insertions(+), 1 deletions(-)
68467
68468commit a79f25f59fdd0abaf4ecfab93017aa49de089498
68469Author: Kees Cook <keescook@chromium.org>
68470Date: Fri Aug 16 00:11:32 2013 -0700
68471
68472 HID: multitouch: validate feature report details
68473
68474 When working on report indexes, always validate that they are in bounds.
68475 Without this, a HID device could report a malicious feature report that
68476 could trick the driver into a heap overflow:
68477
68478 [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
68479 ...
68480 [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
68481
68482 CVE-2013-2897
68483
68484 Signed-off-by: Kees Cook <keescook@chromium.org>
68485 Cc: stable@kernel.org
68486 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68487
68488 drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
68489 1 files changed, 20 insertions(+), 5 deletions(-)
68490
68491commit 6fe8eb06e432f165872d3486fdce0d09de1515b3
68492Author: Kees Cook <keescook@chromium.org>
68493Date: Fri Aug 16 08:12:45 2013 -0700
68494
68495 HID: sensor-hub: validate feature report details
68496
68497 A HID device could send a malicious feature report that would cause the
68498 sensor-hub HID driver to read past the end of heap allocation, leaking
68499 kernel memory contents to the caller.
68500
68501 CVE-2013-2898
68502
68503 Signed-off-by: Kees Cook <keescook@chromium.org>
68504 Cc: stable@kernel.org
68505 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68506
68507 drivers/hid/hid-sensor-hub.c | 3 ++-
68508 1 files changed, 2 insertions(+), 1 deletions(-)
68509
68510commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf
68511Author: Kees Cook <keescook@chromium.org>
68512Date: Fri Aug 16 08:05:10 2013 -0700
68513
68514 HID: picolcd_core: validate output report details
68515
68516 A HID device could send a malicious output report that would cause the
68517 picolcd HID driver to trigger a NULL dereference during attr file writing.
68518
68519 CVE-2013-2899
68520
68521 Signed-off-by: Kees Cook <keescook@chromium.org>
68522 Cc: stable@kernel.org
68523 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68524
68525 drivers/hid/hid-picolcd_core.c | 2 +-
68526 1 files changed, 1 insertions(+), 1 deletions(-)
68527
68528commit c147e32922dd91edf1969b8a6eb333aafb4abb79
68529Author: Kees Cook <keescook@chromium.org>
68530Date: Fri Aug 16 08:09:54 2013 -0700
68531
68532 HID: check for NULL field when setting values
68533
68534 Defensively check that the field to be worked on is not NULL.
68535
68536 Signed-off-by: Kees Cook <keescook@chromium.org>
68537 Cc: stable@kernel.org
68538 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68539
68540 drivers/hid/hid-core.c | 7 ++++++-
68541 1 files changed, 6 insertions(+), 1 deletions(-)
68542
68543commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683
68544Author: Kees Cook <keescook@chromium.org>
68545Date: Wed Aug 28 18:09:18 2013 -0400
68546
68547 http://marc.info/?l=linux-input&m=137772180514608&q=raw
68548
68549 The "Report ID" field of a HID report is used to build indexes of
68550 reports. The kernel's index of these is limited to 256 entries, so any
68551 malicious device that sets a Report ID greater than 255 will trigger
68552 memory corruption on the host:
68553
68554 [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
68555 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
68556
68557 CVE-2013-2888
68558
68559 Signed-off-by: Kees Cook <keescook@chromium.org>
68560 Cc: stable@kernel.org
68561 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68562
68563 drivers/hid/hid-core.c | 10 +++++++---
68564 include/linux/hid.h | 4 +++-
68565 2 files changed, 10 insertions(+), 4 deletions(-)
68566
68567commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c
68568Author: Brad Spengler <spender@grsecurity.net>
68569Date: Mon Aug 19 22:10:04 2013 -0400
68570
68571 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
68572
68573 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68574
68575 arch/x86/kernel/smpboot.c | 3 ---
68576 1 files changed, 0 insertions(+), 3 deletions(-)
68577
68578commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac
68579Author: Brad Spengler <spender@grsecurity.net>
68580Date: Sat Aug 17 12:00:20 2013 -0400
68581
68582 make kallsyms_lookup_size_offset available to approved source files
68583
68584 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68585
68586 include/linux/kallsyms.h | 3 +++
68587 1 files changed, 3 insertions(+), 0 deletions(-)
68588
68589commit abde07f6c047c0331f511318cb49a36d49218dfc
68590Author: Brad Spengler <spender@grsecurity.net>
68591Date: Sat Aug 17 11:18:09 2013 -0400
68592
68593 allow use of kallsyms_lookup_name to approved source files
68594
68595 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68596
68597 include/linux/kallsyms.h | 1 +
68598 1 files changed, 1 insertions(+), 0 deletions(-)
68599
68600commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf
68601Author: Johannes Berg <johannes.berg@intel.com>
68602Date: Tue Aug 13 09:04:05 2013 +0200
68603
68604 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
68605
68606 genetlink: fix family dump race
68607
68608 When dumping generic netlink families, only the first dump call
68609 is locked with genl_lock(), which protects the list of families,
68610 and thus subsequent calls can access the data without locking,
68611 racing against family addition/removal. This can cause a crash.
68612 Fix it - the locking needs to be conditional because the first
68613 time around it's already locked.
68614
68615 A similar bug was reported to me on an old kernel (3.4.47) but
68616 the exact scenario that happened there is no longer possible,
68617 on those kernels the first round wasn't locked either. Looking
68618 at the current code I found the race described above, which had
68619 also existed on the old kernel.
68620
68621 Cc: stable@vger.kernel.org
68622 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
68623 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
68624 Signed-off-by: David S. Miller <davem@davemloft.net>
68625 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68626
68627 net/netlink/genetlink.c | 7 +++++++
68628 1 files changed, 7 insertions(+), 0 deletions(-)
68629
68630commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782
68631Author: Brad Spengler <spender@grsecurity.net>
68632Date: Sat Aug 17 08:58:34 2013 -0400
68633
68634 Fix two harmless compiler warnings
68635
68636 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68637
68638 arch/arm/kernel/process.c | 4 ++--
68639 fs/exec.c | 2 +-
68640 2 files changed, 3 insertions(+), 3 deletions(-)
68641
68642commit d502375416b17270008ebdf11f1c3be7837f7c50
68643Author: Brad Spengler <spender@grsecurity.net>
68644Date: Fri Aug 16 22:46:01 2013 -0400
68645
68646 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
68647
68648 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68649
68650 include/linux/kallsyms.h | 2 +-
68651 kernel/kprobes.c | 3 +++
68652 2 files changed, 4 insertions(+), 1 deletions(-)
68653
68654commit f6c363aba68cccff2815a488a7e9ed68990100d2
68655Author: Brad Spengler <spender@grsecurity.net>
68656Date: Sat Aug 10 09:41:40 2013 -0400
68657
68658 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
68659
68660 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68661
68662 arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
68663 1 files changed, 8 insertions(+), 4 deletions(-)
68664
68665commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347
68666Author: Brad Spengler <spender@grsecurity.net>
68667Date: Mon Aug 5 17:58:42 2013 -0400
68668
68669 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
68670
68671 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68672
68673 security/Kconfig | 2 +-
68674 1 files changed, 1 insertions(+), 1 deletions(-)
68675
68676commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1
68677Author: Brad Spengler <spender@grsecurity.net>
68678Date: Mon Aug 5 17:26:40 2013 -0400
68679
68680 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
68681
68682 Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
68683 user namespaces!
68684
68685 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68686
68687 kernel/fork.c | 17 -----------------
68688 kernel/user_namespace.c | 15 +++++++++++++++
68689 2 files changed, 15 insertions(+), 17 deletions(-)
68690
68691commit 5c0737b045d057152a39154746d8c8e5d59185ed
68692Author: Brad Spengler <spender@grsecurity.net>
68693Date: Mon Aug 5 16:05:41 2013 -0400
68694
68695 silence a warning on older gcc
68696
68697 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68698
68699 grsecurity/gracl.c | 2 +-
68700 1 files changed, 1 insertions(+), 1 deletions(-)
68701
68702commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8
68703Author: Brad Spengler <spender@grsecurity.net>
68704Date: Sat Aug 3 08:31:08 2013 -0400
68705
68706 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
68707
68708 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68709
68710 mm/mmap.c | 2 +-
68711 1 files changed, 1 insertions(+), 1 deletions(-)
68712
68713commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6
68714Author: Brad Spengler <spender@grsecurity.net>
68715Date: Fri Aug 2 23:54:51 2013 -0400
68716
68717 add include
68718
68719 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68720
68721 grsecurity/grsec_log.c | 1 +
68722 1 files changed, 1 insertions(+), 0 deletions(-)
68723
68724commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5
68725Author: Brad Spengler <spender@grsecurity.net>
68726Date: Fri Aug 2 23:49:13 2013 -0400
68727
68728 fix compilation
68729
68730 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68731
68732 include/linux/grinternal.h | 3 ++-
68733 1 files changed, 2 insertions(+), 1 deletions(-)
68734
68735commit d4d49138661d5cb646f0dd012178447380b79956
68736Author: Brad Spengler <spender@grsecurity.net>
68737Date: Fri Aug 2 23:34:35 2013 -0400
68738
68739 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
68740
68741 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68742
68743 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
68744 fs/exec.c | 4 ++++
68745 grsecurity/Kconfig | 21 +++++----------------
68746 grsecurity/grsec_init.c | 4 ----
68747 grsecurity/grsec_log.c | 14 ++++++++++++++
68748 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
68749 grsecurity/grsec_sysctl.c | 9 ---------
68750 include/linux/binfmts.h | 1 +
68751 include/linux/grinternal.h | 2 +-
68752 include/linux/grmsg.h | 3 ++-
68753 include/linux/grsecurity.h | 3 ++-
68754 mm/mmap.c | 7 +++++++
68755 mm/mprotect.c | 2 +-
68756 13 files changed, 88 insertions(+), 38 deletions(-)
68757
68758commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15
68759Author: Brad Spengler <spender@grsecurity.net>
68760Date: Thu Aug 1 18:52:02 2013 -0400
68761
68762 add missing #define
68763
68764 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68765
68766 grsecurity/gracl.c | 1 +
68767 1 files changed, 1 insertions(+), 0 deletions(-)
68768
68769commit 4a307f7d3ff3ab232c0b6341415088e7618c494e
68770Author: Brad Spengler <spender@grsecurity.net>
68771Date: Thu Aug 1 18:43:53 2013 -0400
68772
68773 fix compilation for !COMPAT as reported on the forums
68774
68775 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68776
68777 grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
68778 1 files changed, 97 insertions(+), 98 deletions(-)
68779
68780commit 78011eb5c2454b8afc96b98bd86ac172e589b13c
68781Author: Brad Spengler <spender@grsecurity.net>
68782Date: Wed Jul 31 17:47:20 2013 -0400
68783
68784 Revert "revert recent PaX change that causes boot failures with 32bit userland"
68785
68786 This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
68787
68788 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68789
68790 arch/x86/include/asm/processor.h | 4 ++--
68791 arch/x86/kernel/cpu/common.c | 2 +-
68792 arch/x86/kernel/process_64.c | 2 +-
68793 arch/x86/kernel/smpboot.c | 2 +-
68794 arch/x86/xen/smp.c | 2 +-
68795 5 files changed, 6 insertions(+), 6 deletions(-)
68796
68797commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad
68798Author: Brad Spengler <spender@grsecurity.net>
68799Date: Wed Jul 31 16:26:58 2013 -0400
68800
68801 compile fix for !COMPAT as mentioned on forums
68802
68803 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68804
68805 grsecurity/gracl.c | 2 ++
68806 1 files changed, 2 insertions(+), 0 deletions(-)
68807
68808commit e670dc535e4501fd12d8bf00f1e1306c44266fe7
68809Author: Brad Spengler <spender@grsecurity.net>
68810Date: Tue Jul 30 22:33:14 2013 -0400
68811
68812 perform compat conversion of rlimit infinity
68813
68814 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68815
68816 grsecurity/gracl_compat.c | 10 ++++++++--
68817 1 files changed, 8 insertions(+), 2 deletions(-)
68818
68819commit 2834fe28e69176da6ac4989c6e3dc713faafefe5
68820Author: Brad Spengler <spender@grsecurity.net>
68821Date: Tue Jul 30 22:21:40 2013 -0400
68822
68823 remove debugging
68824
68825 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68826
68827 grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
68828 1 files changed, 11 insertions(+), 33 deletions(-)
68829
68830commit 2669672647f6955f0e5154596492c73cd4fda330
68831Author: Brad Spengler <spender@grsecurity.net>
68832Date: Tue Jul 30 22:20:32 2013 -0400
68833
68834 eliminate compat_dev_t
68835
68836 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68837
68838 include/linux/gracl_compat.h | 4 ++--
68839 1 files changed, 2 insertions(+), 2 deletions(-)
68840
68841commit 75de5da79f5e03936a79ffe2c827462000001985
68842Author: Brad Spengler <spender@grsecurity.net>
68843Date: Tue Jul 30 22:13:22 2013 -0400
68844
68845 fix compat rlimit size
68846
68847 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68848
68849 grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
68850 include/linux/gracl_compat.h | 4 +-
68851 2 files changed, 49 insertions(+), 23 deletions(-)
68852
68853commit 9055a8feb8493a30d1ad0fcef25eb496630d223f
68854Author: Brad Spengler <spender@grsecurity.net>
68855Date: Tue Jul 30 21:20:18 2013 -0400
68856
68857 compile fix
68858
68859 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68860
68861 grsecurity/gracl.c | 4 ++--
68862 1 files changed, 2 insertions(+), 2 deletions(-)
68863
68864commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720
68865Author: Brad Spengler <spender@grsecurity.net>
68866Date: Tue Jul 30 21:14:29 2013 -0400
68867
68868 copy correct pointer size in new compat code
68869
68870 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68871
68872 grsecurity/gracl.c | 8 ++++----
68873 grsecurity/gracl_compat.c | 4 ++--
68874 2 files changed, 6 insertions(+), 6 deletions(-)
68875
68876commit 129b6204587740fd082e731a54d00e8a9fc35f8b
68877Author: Brad Spengler <spender@grsecurity.net>
68878Date: Tue Jul 30 19:15:50 2013 -0400
68879
68880 compile fix
68881
68882 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68883
68884 grsecurity/gracl_compat.c | 6 ++++++
68885 1 files changed, 6 insertions(+), 0 deletions(-)
68886
68887commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f
68888Author: Brad Spengler <spender@grsecurity.net>
68889Date: Tue Jul 30 19:12:46 2013 -0400
68890
68891 remove BUILD_BUG_ONs
68892
68893 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68894
68895 grsecurity/gracl_compat.c | 20 --------------------
68896 1 files changed, 0 insertions(+), 20 deletions(-)
68897
68898commit 67fc73af0876d311c0d01d3b16fa429f44af12b9
68899Author: Brad Spengler <spender@grsecurity.net>
68900Date: Tue Jul 30 00:18:36 2013 -0400
68901
68902 compile fixes
68903
68904 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68905
68906 grsecurity/gracl_compat.c | 8 ++++----
68907 include/linux/gracl_compat.h | 2 +-
68908 2 files changed, 5 insertions(+), 5 deletions(-)
68909
68910commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096
68911Author: Brad Spengler <spender@grsecurity.net>
68912Date: Tue Jul 30 00:16:42 2013 -0400
68913
68914 compile fixes
68915
68916 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68917
68918 grsecurity/gracl.c | 4 ++--
68919 grsecurity/gracl_compat.c | 2 +-
68920 2 files changed, 3 insertions(+), 3 deletions(-)
68921
68922commit 798adb5cab6c3a8056e1b415e6f34a270f369721
68923Author: Brad Spengler <spender@grsecurity.net>
68924Date: Tue Jul 30 00:13:51 2013 -0400
68925
68926 compile fixes
68927
68928 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68929
68930 grsecurity/gracl.c | 8 ++++----
68931 1 files changed, 4 insertions(+), 4 deletions(-)
68932
68933commit 4d4945ce90d83784634b898f83cb5a7699537733
68934Author: Brad Spengler <spender@grsecurity.net>
68935Date: Tue Jul 30 00:11:03 2013 -0400
68936
68937 compile fixes
68938
68939 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68940
68941 grsecurity/gracl_compat.c | 3 +++
68942 1 files changed, 3 insertions(+), 0 deletions(-)
68943
68944commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2
68945Author: Brad Spengler <spender@grsecurity.net>
68946Date: Tue Jul 30 00:08:21 2013 -0400
68947
68948 more compile fixes
68949
68950 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68951
68952 grsecurity/gracl.c | 28 ++++++++++++++--------------
68953 1 files changed, 14 insertions(+), 14 deletions(-)
68954
68955commit 6db464f72eff84f77335b69dc2748a3759e151d1
68956Author: Brad Spengler <spender@grsecurity.net>
68957Date: Mon Jul 29 23:59:50 2013 -0400
68958
68959 more compile fixes
68960
68961 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68962
68963 grsecurity/gracl.c | 10 +++++++++-
68964 1 files changed, 9 insertions(+), 1 deletions(-)
68965
68966commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7
68967Author: Brad Spengler <spender@grsecurity.net>
68968Date: Mon Jul 29 23:56:47 2013 -0400
68969
68970 additional compile fixes
68971
68972 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68973
68974 grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
68975 1 files changed, 49 insertions(+), 10 deletions(-)
68976
68977commit e78a78dcfc089142273243b54509840d3b50c538
68978Author: Brad Spengler <spender@grsecurity.net>
68979Date: Mon Jul 29 23:47:15 2013 -0400
68980
68981 fix typo
68982
68983 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68984
68985 grsecurity/gracl.c | 2 +-
68986 1 files changed, 1 insertions(+), 1 deletions(-)
68987
68988commit b27005e62bebc09e6604a6f5dc099742bb6b4434
68989Author: Brad Spengler <spender@grsecurity.net>
68990Date: Mon Jul 29 23:46:59 2013 -0400
68991
68992 compile fixes
68993
68994 Signed-off-by: Brad Spengler <spender@grsecurity.net>
68995
68996 grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
68997 1 files changed, 39 insertions(+), 14 deletions(-)
68998
68999commit 101b84a778c254dfd7399f5bcd6264ff437f1176
69000Author: Brad Spengler <spender@grsecurity.net>
69001Date: Mon Jul 29 23:22:44 2013 -0400
69002
69003 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
69004
69005 Also removed code duplication for copying strings into the kernel
69006
69007 Work performed as part of sponsorship
69008
69009 Signed-off-by: Brad Spengler <spender@grsecurity.net>
69010
69011 grsecurity/Makefile | 4 +
69012 grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
69013 grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
69014 include/linux/gracl_compat.h | 156 +++++++++++++++++++++
69015 4 files changed, 603 insertions(+), 142 deletions(-)
69016
69017commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e
69018Author: Brad Spengler <spender@grsecurity.net>
69019Date: Tue Jul 16 20:40:24 2013 -0400
69020
69021 allow viewing of ecryptfs version under SYSFS_RESTRICT
69022
69023 Signed-off-by: Brad Spengler <spender@grsecurity.net>
69024
69025 fs/sysfs/dir.c | 2 +-
69026 1 files changed, 1 insertions(+), 1 deletions(-)
69027
69028commit 3e182e4da46de4c6b9a9f45d41030bef19260954
69029Author: Brad Spengler <spender@grsecurity.net>
69030Date: Sun Jul 14 11:49:17 2013 -0400
69031
69032 Update PaX fix, just return the error
69033
69034 Signed-off-by: Brad Spengler <spender@grsecurity.net>
69035
69036 mm/madvise.c | 11 +++++------
69037 1 files changed, 5 insertions(+), 6 deletions(-)
69038
69039commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870
69040Author: Brad Spengler <spender@grsecurity.net>
69041Date: Sun Jul 14 11:36:00 2013 -0400
69042
69043 Fix madvise oops reported by Peter Keel
69044
69045 Signed-off-by: Brad Spengler <spender@grsecurity.net>
69046
69047 mm/madvise.c | 11 ++++++-----
69048 1 files changed, 6 insertions(+), 5 deletions(-)
69049
69050commit 32537d92b8da84f38bf45eb85b6953f452064936
69051Author: Brad Spengler <spender@grsecurity.net>
69052Date: Tue Jul 9 22:04:59 2013 -0400
69053
69054 compile fixes
69055
69056 Signed-off-by: Brad Spengler <spender@grsecurity.net>
69057
69058 fs/exec.c | 2 +-
69059 mm/mmap.c | 4 ++--
69060 2 files changed, 3 insertions(+), 3 deletions(-)
69061
69062commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70
69063Author: Brad Spengler <spender@grsecurity.net>
69064Date: Sat Sep 14 16:15:10 2013 -0400
69065
69066 Initial port of grsecurity to 3.11 using new git method
69067
69068 Documentation/kernel-parameters.txt | 4 +
69069 Makefile | 8 +-
69070 arch/alpha/include/asm/cache.h | 4 +-
69071 arch/alpha/kernel/osf_sys.c | 12 +-
69072 arch/arm/include/asm/thread_info.h | 3 +-
69073 arch/arm/kernel/ptrace.c | 9 +
69074 arch/arm/kernel/traps.c | 7 +-
69075 arch/arm/mm/fault.c | 29 +-
69076 arch/arm/mm/mmap.c | 8 +-
69077 arch/avr32/include/asm/cache.h | 4 +-
69078 arch/blackfin/include/asm/cache.h | 3 +-
69079 arch/cris/include/arch-v10/arch/cache.h | 3 +-
69080 arch/cris/include/arch-v32/arch/cache.h | 3 +-
69081 arch/frv/include/asm/cache.h | 3 +-
69082 arch/frv/mm/elf-fdpic.c | 4 +-
69083 arch/hexagon/include/asm/cache.h | 6 +-
69084 arch/ia64/include/asm/cache.h | 3 +-
69085 arch/ia64/kernel/sys_ia64.c | 2 +
69086 arch/ia64/mm/hugetlbpage.c | 2 +
69087 arch/m32r/include/asm/cache.h | 4 +-
69088 arch/m68k/include/asm/cache.h | 4 +-
69089 arch/metag/mm/hugetlbpage.c | 1 +
69090 arch/microblaze/include/asm/cache.h | 3 +-
69091 arch/mips/include/asm/cache.h | 3 +-
69092 arch/mips/include/asm/thread_info.h | 12 +-
69093 arch/mips/kernel/ptrace.c | 9 +
69094 arch/mips/mm/mmap.c | 4 +-
69095 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
69096 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
69097 arch/openrisc/include/asm/cache.h | 4 +-
69098 arch/parisc/include/asm/cache.h | 5 +-
69099 arch/parisc/kernel/sys_parisc.c | 17 +-
69100 arch/powerpc/include/asm/cache.h | 3 +-
69101 arch/powerpc/kernel/process.c | 10 +-
69102 arch/powerpc/kernel/ptrace.c | 14 +
69103 arch/powerpc/kernel/traps.c | 5 +
69104 arch/s390/include/asm/cache.h | 4 +-
69105 arch/score/include/asm/cache.h | 4 +-
69106 arch/sh/include/asm/cache.h | 3 +-
69107 arch/sh/mm/mmap.c | 6 +-
69108 arch/sparc/include/asm/cache.h | 4 +-
69109 arch/sparc/include/asm/thread_info_64.h | 9 +-
69110 arch/sparc/kernel/process_32.c | 6 +-
69111 arch/sparc/kernel/process_64.c | 4 +-
69112 arch/sparc/kernel/ptrace_64.c | 14 +
69113 arch/sparc/kernel/sys_sparc_64.c | 8 +-
69114 arch/sparc/kernel/syscalls.S | 8 +-
69115 arch/sparc/kernel/traps_32.c | 8 +-
69116 arch/sparc/kernel/traps_64.c | 28 +-
69117 arch/sparc/kernel/unaligned_64.c | 2 +-
69118 arch/sparc/mm/fault_64.c | 2 +-
69119 arch/sparc/mm/hugetlbpage.c | 3 +-
69120 arch/tile/include/asm/cache.h | 3 +-
69121 arch/tile/mm/hugetlbpage.c | 2 +
69122 arch/um/defconfig | 1 -
69123 arch/um/include/asm/cache.h | 3 +-
69124 arch/unicore32/include/asm/cache.h | 6 +-
69125 arch/x86/Kconfig | 5 +-
69126 arch/x86/ia32/ia32_aout.c | 2 +
69127 arch/x86/include/asm/thread_info.h | 8 +-
69128 arch/x86/kernel/dumpstack.c | 8 +
69129 arch/x86/kernel/entry_32.S | 2 +-
69130 arch/x86/kernel/entry_64.S | 2 +-
69131 arch/x86/kernel/ioport.c | 13 +
69132 arch/x86/kernel/ptrace.c | 14 +
69133 arch/x86/kernel/signal.c | 9 +-
69134 arch/x86/kernel/smpboot.c | 3 +
69135 arch/x86/kernel/sys_i386_32.c | 9 +-
69136 arch/x86/kernel/sys_x86_64.c | 8 +-
69137 arch/x86/kernel/verify_cpu.S | 1 +
69138 arch/x86/kernel/vm86_32.c | 1 +
69139 arch/x86/mm/fault.c | 12 +-
69140 arch/x86/mm/hugetlbpage.c | 15 +-
69141 arch/x86/mm/init.c | 66 +-
69142 arch/x86/net/bpf_jit_comp.c | 128 ++-
69143 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
69144 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
69145 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
69146 drivers/block/cciss.c | 2 +
69147 drivers/block/cpqarray.c | 1 +
69148 drivers/cdrom/cdrom.c | 2 +-
69149 drivers/char/Kconfig | 4 +-
69150 drivers/char/genrtc.c | 1 +
69151 drivers/char/mem.c | 17 +
69152 drivers/char/random.c | 12 +
69153 drivers/gpu/drm/drm_info.c | 4 +
69154 drivers/hid/hid-wiimote-debug.c | 2 +-
69155 drivers/media/radio/radio-cadet.c | 2 +-
69156 drivers/message/fusion/mptbase.c | 9 +
69157 drivers/net/bonding/bond_main.c | 2 +-
69158 drivers/net/phy/mdio-bitbang.c | 1 +
69159 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
69160 drivers/pci/proc.c | 9 +
69161 drivers/rtc/rtc-dev.c | 3 +
69162 drivers/tty/sysrq.c | 2 +-
69163 drivers/tty/vt/keyboard.c | 22 +-
69164 drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++---------
69165 drivers/xen/xenfs/xenstored.c | 5 +
69166 fs/attr.c | 1 +
69167 fs/autofs4/waitq.c | 9 +
69168 fs/binfmt_aout.c | 7 +
69169 fs/binfmt_elf.c | 8 +-
69170 fs/btrfs/ioctl.c | 6 +-
69171 fs/compat.c | 20 +-
69172 fs/coredump.c | 9 +-
69173 fs/debugfs/inode.c | 4 +
69174 fs/exec.c | 184 ++-
69175 fs/ext2/balloc.c | 4 +-
69176 fs/ext3/balloc.c | 4 +-
69177 fs/fcntl.c | 5 +
69178 fs/file.c | 4 +
69179 fs/filesystems.c | 4 +
69180 fs/fs_struct.c | 13 +-
69181 fs/hugetlbfs/inode.c | 5 +-
69182 fs/namei.c | 256 +++-
69183 fs/namespace.c | 16 +
69184 fs/open.c | 38 +
69185 fs/proc/Kconfig | 10 +-
69186 fs/proc/array.c | 59 +-
69187 fs/proc/base.c | 166 ++-
69188 fs/proc/cmdline.c | 4 +
69189 fs/proc/devices.c | 4 +
69190 fs/proc/fd.c | 17 +-
69191 fs/proc/inode.c | 4 +
69192 fs/proc/kcore.c | 3 +
69193 fs/proc/proc_net.c | 12 +
69194 fs/proc/proc_sysctl.c | 43 +-
69195 fs/proc/root.c | 8 +
69196 fs/proc/task_mmu.c | 75 +-
69197 fs/readdir.c | 19 +
69198 fs/select.c | 2 +
69199 fs/seq_file.c | 12 +-
69200 fs/stat.c | 19 +-
69201 fs/sysfs/dir.c | 12 +
69202 fs/utimes.c | 7 +
69203 fs/xattr.c | 19 +-
69204 include/linux/capability.h | 5 +
69205 include/linux/cred.h | 3 +
69206 include/linux/fs.h | 10 +
69207 include/linux/fsnotify.h | 6 +
69208 include/linux/kallsyms.h | 14 +-
69209 include/linux/kmod.h | 2 +
69210 include/linux/mm.h | 1 +
69211 include/linux/perf_event.h | 13 +-
69212 include/linux/printk.h | 3 +-
69213 include/linux/sched.h | 24 +-
69214 include/linux/security.h | 1 +
69215 include/linux/seq_file.h | 3 +
69216 include/linux/shm.h | 4 +
69217 include/linux/skbuff.h | 3 +
69218 include/linux/slab.h | 9 -
69219 include/linux/sysctl.h | 2 +
69220 include/linux/thread_info.h | 2 +
69221 include/linux/uidgid.h | 5 +
69222 include/linux/vermagic.h | 9 +-
69223 include/uapi/linux/personality.h | 1 +
69224 init/Kconfig | 3 +-
69225 init/main.c | 14 +
69226 ipc/mqueue.c | 1 +
69227 ipc/shm.c | 28 +
69228 kernel/capability.c | 39 +-
69229 kernel/cgroup.c | 2 +-
69230 kernel/compat.c | 1 +
69231 kernel/configs.c | 11 +
69232 kernel/cred.c | 110 ++-
69233 kernel/events/core.c | 14 +-
69234 kernel/exit.c | 10 +-
69235 kernel/fork.c | 41 +-
69236 kernel/futex.c | 1 +
69237 kernel/kallsyms.c | 9 +
69238 kernel/kcmp.c | 4 +
69239 kernel/kmod.c | 64 +-
69240 kernel/kprobes.c | 4 +-
69241 kernel/ksysfs.c | 2 +
69242 kernel/lockdep_proc.c | 10 +-
69243 kernel/module.c | 81 +-
69244 kernel/panic.c | 2 +-
69245 kernel/pid.c | 19 +-
69246 kernel/posix-timers.c | 7 +
69247 kernel/printk/printk.c | 5 +
69248 kernel/ptrace.c | 20 +-
69249 kernel/resource.c | 10 +
69250 kernel/sched/core.c | 6 +-
69251 kernel/signal.c | 37 +-
69252 kernel/sys.c | 45 +-
69253 kernel/sysctl.c | 69 +-
69254 kernel/taskstats.c | 6 +
69255 kernel/time.c | 5 +
69256 kernel/time/timekeeping.c | 1 +
69257 kernel/time/timer_list.c | 12 +
69258 kernel/time/timer_stats.c | 10 +-
69259 lib/Kconfig.debug | 5 +-
69260 lib/is_single_threaded.c | 3 +
69261 mm/Kconfig | 4 +-
69262 mm/filemap.c | 1 +
69263 mm/kmemleak.c | 4 +-
69264 mm/mempolicy.c | 12 +-
69265 mm/migrate.c | 3 +-
69266 mm/mlock.c | 3 +
69267 mm/mmap.c | 63 +-
69268 mm/mprotect.c | 8 +
69269 mm/process_vm_access.c | 6 +
69270 mm/slab.c | 2 +-
69271 mm/slub.c | 14 +-
69272 mm/vmalloc.c | 4 +
69273 mm/vmstat.c | 18 +-
69274 net/core/dev_ioctl.c | 4 +
69275 net/core/sock_diag.c | 7 +
69276 net/ipv4/inet_hashtables.c | 5 +
69277 net/ipv4/ip_sockglue.c | 3 +-
69278 net/ipv4/tcp_input.c | 4 +-
69279 net/ipv4/tcp_ipv4.c | 24 +-
69280 net/ipv4/tcp_minisocks.c | 9 +-
69281 net/ipv4/tcp_timer.c | 11 +
69282 net/ipv4/udp.c | 24 +
69283 net/ipv6/tcp_ipv6.c | 23 +-
69284 net/ipv6/udp.c | 4 +
69285 net/netfilter/Kconfig | 10 +
69286 net/netfilter/Makefile | 1 +
69287 net/netfilter/nf_conntrack_core.c | 8 +
69288 net/netrom/af_netrom.c | 1 -
69289 net/phonet/af_phonet.c | 2 +-
69290 net/sctp/proc.c | 3 +-
69291 net/socket.c | 66 +-
69292 net/sysctl_net.c | 2 +-
69293 net/unix/af_unix.c | 31 +-
69294 security/Kconfig | 341 +++-
69295 security/apparmor/Kconfig | 9 +
69296 security/apparmor/apparmorfs.c | 231 +++
69297 security/commoncap.c | 29 +
69298 security/min_addr.c | 2 +
69299 security/security.c | 2 -
69300 security/selinux/hooks.c | 2 -
69301 security/tomoyo/mount.c | 4 +
69302 security/yama/Kconfig | 2 +-
69303 235 files changed, 4384 insertions(+), 1312 deletions(-)
69304
69305commit a76b033c58b4886552911442f1b89e0cee041dae
69306Author: Brad Spengler <spender@grsecurity.net>
69307Date: Tue Jul 9 20:57:40 2013 -0400
69308
69309 Commit merge of new files and rejected patches
69310
69311 Signed-off-by: Brad Spengler <spender@grsecurity.net>
69312
69313 arch/arm/include/asm/thread_info.h | 6 +-
69314 arch/arm/kernel/process.c | 4 +-
69315 arch/powerpc/include/asm/thread_info.h | 7 +-
69316 arch/powerpc/mm/slice.c | 2 +-
69317 arch/sparc/kernel/process_64.c | 4 +-
69318 arch/x86/kernel/vm86_32.c | 15 +
69319 fs/coredump.c | 1 +
69320 fs/ext4/balloc.c | 4 +-
69321 fs/namei.c | 7 +
69322 fs/namespace.c | 8 +
69323 fs/pipe.c | 2 +-
69324 fs/proc/inode.c | 13 +
69325 fs/proc/internal.h | 3 +
69326 grsecurity/Kconfig | 1054 +++++++++
69327 grsecurity/Makefile | 38 +
69328 grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
69329 grsecurity/gracl_alloc.c | 105 +
69330 grsecurity/gracl_cap.c | 110 +
69331 grsecurity/gracl_fs.c | 431 ++++
69332 grsecurity/gracl_ip.c | 387 +++
69333 grsecurity/gracl_learn.c | 207 ++
69334 grsecurity/gracl_res.c | 68 +
69335 grsecurity/gracl_segv.c | 305 +++
69336 grsecurity/gracl_shm.c | 40 +
69337 grsecurity/grsec_chdir.c | 19 +
69338 grsecurity/grsec_chroot.c | 370 +++
69339 grsecurity/grsec_disabled.c | 434 ++++
69340 grsecurity/grsec_exec.c | 187 ++
69341 grsecurity/grsec_fifo.c | 24 +
69342 grsecurity/grsec_fork.c | 23 +
69343 grsecurity/grsec_init.c | 283 +++
69344 grsecurity/grsec_link.c | 58 +
69345 grsecurity/grsec_log.c | 326 +++
69346 grsecurity/grsec_mem.c | 40 +
69347 grsecurity/grsec_mount.c | 62 +
69348 grsecurity/grsec_pax.c | 36 +
69349 grsecurity/grsec_ptrace.c | 30 +
69350 grsecurity/grsec_sig.c | 246 ++
69351 grsecurity/grsec_sock.c | 244 ++
69352 grsecurity/grsec_sysctl.c | 469 ++++
69353 grsecurity/grsec_time.c | 16 +
69354 grsecurity/grsec_tpe.c | 73 +
69355 grsecurity/grsum.c | 61 +
69356 include/linux/gracl.h | 319 +++
69357 include/linux/gralloc.h | 9 +
69358 include/linux/grdefs.h | 140 ++
69359 include/linux/grinternal.h | 227 ++
69360 include/linux/grmsg.h | 112 +
69361 include/linux/grsecurity.h | 241 ++
69362 include/linux/grsock.h | 19 +
69363 include/linux/netfilter/xt_gradm.h | 9 +
69364 include/linux/proc_fs.h | 13 +
69365 include/linux/sched.h | 48 +-
69366 include/trace/events/fs.h | 53 +
69367 kernel/kmod.c | 7 +-
69368 kernel/panic.c | 2 +-
69369 kernel/posix-timers.c | 1 +
69370 kernel/time/timekeeping.c | 2 +
69371 lib/Kconfig.debug | 2 +-
69372 lib/vsprintf.c | 31 +
69373 localversion-grsec | 1 +
69374 mm/mmap.c | 13 +-
69375 mm/shmem.c | 2 +-
69376 net/core/net-procfs.c | 5 +
69377 net/ipv6/udp.c | 3 +
69378 net/netfilter/xt_gradm.c | 51 +
69379 66 files changed, 11184 insertions(+), 21 deletions(-)
69380
69381commit d1cf217118e0750f54aca9136d8c6a41f0ae439c
69382Author: Brad Spengler <spender@grsecurity.net>
69383Date: Sat Sep 14 14:36:40 2013 -0400
69384
69385 Initial import of pax-linux-3.11-test4.patch
69386
69387 Documentation/dontdiff | 46 +-
69388 Documentation/kernel-parameters.txt | 23 +
69389 Makefile | 100 +-
69390 arch/alpha/include/asm/atomic.h | 10 +
69391 arch/alpha/include/asm/elf.h | 7 +
69392 arch/alpha/include/asm/pgalloc.h | 6 +
69393 arch/alpha/include/asm/pgtable.h | 11 +
69394 arch/alpha/kernel/module.c | 2 +-
69395 arch/alpha/kernel/osf_sys.c | 8 +-
69396 arch/alpha/mm/fault.c | 141 +-
69397 arch/arm/Kconfig | 2 +-
69398 arch/arm/include/asm/atomic.h | 444 ++-
69399 arch/arm/include/asm/cache.h | 5 +-
69400 arch/arm/include/asm/cacheflush.h | 2 +-
69401 arch/arm/include/asm/checksum.h | 14 +-
69402 arch/arm/include/asm/cmpxchg.h | 2 +
69403 arch/arm/include/asm/domain.h | 33 +-
69404 arch/arm/include/asm/elf.h | 13 +-
69405 arch/arm/include/asm/fncpy.h | 2 +
69406 arch/arm/include/asm/futex.h | 10 +
69407 arch/arm/include/asm/kmap_types.h | 2 +-
69408 arch/arm/include/asm/mach/dma.h | 2 +-
69409 arch/arm/include/asm/mach/map.h | 7 +-
69410 arch/arm/include/asm/outercache.h | 2 +-
69411 arch/arm/include/asm/page.h | 2 +-
69412 arch/arm/include/asm/pgalloc.h | 22 +-
69413 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
69414 arch/arm/include/asm/pgtable-2level.h | 3 +
69415 arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
69416 arch/arm/include/asm/pgtable-3level.h | 2 +
69417 arch/arm/include/asm/pgtable.h | 54 +-
69418 arch/arm/include/asm/proc-fns.h | 2 +-
69419 arch/arm/include/asm/psci.h | 2 +-
69420 arch/arm/include/asm/smp.h | 2 +-
69421 arch/arm/include/asm/thread_info.h | 6 +-
69422 arch/arm/include/asm/uaccess.h | 95 +-
69423 arch/arm/include/uapi/asm/ptrace.h | 2 +-
69424 arch/arm/kernel/armksyms.c | 8 +-
69425 arch/arm/kernel/entry-armv.S | 110 +-
69426 arch/arm/kernel/entry-common.S | 40 +-
69427 arch/arm/kernel/entry-header.S | 60 +
69428 arch/arm/kernel/fiq.c | 3 +
69429 arch/arm/kernel/head.S | 6 +-
69430 arch/arm/kernel/module.c | 29 +-
69431 arch/arm/kernel/patch.c | 2 +
69432 arch/arm/kernel/process.c | 42 +-
69433 arch/arm/kernel/psci.c | 2 +-
69434 arch/arm/kernel/setup.c | 22 +-
69435 arch/arm/kernel/signal.c | 35 +-
69436 arch/arm/kernel/smp.c | 2 +-
69437 arch/arm/kernel/traps.c | 8 +-
69438 arch/arm/kernel/vmlinux.lds.S | 22 +-
69439 arch/arm/kvm/arm.c | 8 +-
69440 arch/arm/lib/clear_user.S | 6 +-
69441 arch/arm/lib/copy_from_user.S | 6 +-
69442 arch/arm/lib/copy_page.S | 1 +
69443 arch/arm/lib/copy_to_user.S | 6 +-
69444 arch/arm/lib/csumpartialcopyuser.S | 4 +-
69445 arch/arm/lib/delay.c | 2 +-
69446 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
69447 arch/arm/mach-kirkwood/common.c | 19 +-
69448 arch/arm/mach-omap2/board-n8x0.c | 2 +-
69449 arch/arm/mach-omap2/gpmc.c | 22 +-
69450 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
69451 arch/arm/mach-omap2/omap_device.c | 4 +-
69452 arch/arm/mach-omap2/omap_device.h | 4 +-
69453 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
69454 arch/arm/mach-omap2/wd_timer.c | 6 +-
69455 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
69456 arch/arm/mach-ux500/setup.h | 7 -
69457 arch/arm/mm/Kconfig | 6 +-
69458 arch/arm/mm/alignment.c | 8 +
69459 arch/arm/mm/context.c | 10 +-
69460 arch/arm/mm/fault.c | 104 +
69461 arch/arm/mm/fault.h | 12 +
69462 arch/arm/mm/init.c | 41 +
69463 arch/arm/mm/ioremap.c | 4 +-
69464 arch/arm/mm/mmap.c | 30 +-
69465 arch/arm/mm/mmu.c | 185 +-
69466 arch/arm/plat-omap/sram.c | 2 +
69467 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
69468 arch/avr32/include/asm/elf.h | 8 +-
69469 arch/avr32/include/asm/kmap_types.h | 4 +-
69470 arch/avr32/mm/fault.c | 27 +
69471 arch/frv/include/asm/atomic.h | 10 +
69472 arch/frv/include/asm/kmap_types.h | 2 +-
69473 arch/frv/mm/elf-fdpic.c | 3 +-
69474 arch/ia64/include/asm/atomic.h | 10 +
69475 arch/ia64/include/asm/elf.h | 7 +
69476 arch/ia64/include/asm/pgalloc.h | 12 +
69477 arch/ia64/include/asm/pgtable.h | 13 +-
69478 arch/ia64/include/asm/spinlock.h | 2 +-
69479 arch/ia64/include/asm/uaccess.h | 26 +-
69480 arch/ia64/kernel/module.c | 48 +-
69481 arch/ia64/kernel/palinfo.c | 2 +-
69482 arch/ia64/kernel/sys_ia64.c | 7 +
69483 arch/ia64/kernel/vmlinux.lds.S | 2 +-
69484 arch/ia64/mm/fault.c | 32 +-
69485 arch/ia64/mm/init.c | 13 +
69486 arch/m32r/lib/usercopy.c | 6 +
69487 arch/mips/include/asm/atomic.h | 728 +++-
69488 arch/mips/include/asm/elf.h | 11 +-
69489 arch/mips/include/asm/exec.h | 2 +-
69490 arch/mips/include/asm/local.h | 57 +
69491 arch/mips/include/asm/page.h | 2 +-
69492 arch/mips/include/asm/pgalloc.h | 5 +
69493 arch/mips/include/asm/smtc_proc.h | 2 +-
69494 arch/mips/kernel/binfmt_elfn32.c | 7 +
69495 arch/mips/kernel/binfmt_elfo32.c | 7 +
69496 arch/mips/kernel/irq.c | 6 +-
69497 arch/mips/kernel/process.c | 12 -
69498 arch/mips/kernel/smtc-proc.c | 6 +-
69499 arch/mips/kernel/smtc.c | 2 +-
69500 arch/mips/kernel/sync-r4k.c | 24 +-
69501 arch/mips/kernel/traps.c | 13 +-
69502 arch/mips/mm/fault.c | 25 +
69503 arch/mips/mm/mmap.c | 51 +-
69504 arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
69505 arch/parisc/include/asm/atomic.h | 10 +
69506 arch/parisc/include/asm/elf.h | 7 +
69507 arch/parisc/include/asm/pgalloc.h | 6 +
69508 arch/parisc/include/asm/pgtable.h | 11 +
69509 arch/parisc/include/asm/uaccess.h | 4 +-
69510 arch/parisc/kernel/module.c | 50 +-
69511 arch/parisc/kernel/sys_parisc.c | 9 +-
69512 arch/parisc/kernel/traps.c | 4 +-
69513 arch/parisc/mm/fault.c | 140 +-
69514 arch/powerpc/include/asm/atomic.h | 10 +
69515 arch/powerpc/include/asm/elf.h | 19 +-
69516 arch/powerpc/include/asm/exec.h | 2 +-
69517 arch/powerpc/include/asm/kmap_types.h | 2 +-
69518 arch/powerpc/include/asm/mman.h | 2 +-
69519 arch/powerpc/include/asm/page.h | 8 +-
69520 arch/powerpc/include/asm/page_64.h | 7 +-
69521 arch/powerpc/include/asm/pgalloc-64.h | 7 +
69522 arch/powerpc/include/asm/pgtable.h | 1 +
69523 arch/powerpc/include/asm/pte-hash32.h | 1 +
69524 arch/powerpc/include/asm/reg.h | 1 +
69525 arch/powerpc/include/asm/smp.h | 2 +-
69526 arch/powerpc/include/asm/uaccess.h | 140 +-
69527 arch/powerpc/kernel/exceptions-64e.S | 4 +-
69528 arch/powerpc/kernel/exceptions-64s.S | 2 +-
69529 arch/powerpc/kernel/module_32.c | 13 +-
69530 arch/powerpc/kernel/process.c | 55 -
69531 arch/powerpc/kernel/signal_32.c | 2 +-
69532 arch/powerpc/kernel/signal_64.c | 2 +-
69533 arch/powerpc/kernel/vdso.c | 5 +-
69534 arch/powerpc/lib/usercopy_64.c | 18 -
69535 arch/powerpc/mm/fault.c | 54 +-
69536 arch/powerpc/mm/mmap.c | 16 +
69537 arch/powerpc/mm/slice.c | 13 +-
69538 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
69539 arch/s390/include/asm/atomic.h | 10 +
69540 arch/s390/include/asm/elf.h | 13 +-
69541 arch/s390/include/asm/exec.h | 2 +-
69542 arch/s390/include/asm/uaccess.h | 15 +-
69543 arch/s390/kernel/module.c | 22 +-
69544 arch/s390/kernel/process.c | 36 -
69545 arch/s390/mm/mmap.c | 24 +
69546 arch/score/include/asm/exec.h | 2 +-
69547 arch/score/kernel/process.c | 5 -
69548 arch/sh/mm/mmap.c | 22 +-
69549 arch/sparc/include/asm/atomic_64.h | 106 +-
69550 arch/sparc/include/asm/cache.h | 2 +-
69551 arch/sparc/include/asm/elf_32.h | 7 +
69552 arch/sparc/include/asm/elf_64.h | 7 +
69553 arch/sparc/include/asm/pgalloc_32.h | 1 +
69554 arch/sparc/include/asm/pgalloc_64.h | 1 +
69555 arch/sparc/include/asm/pgtable_32.h | 15 +-
69556 arch/sparc/include/asm/pgtsrmmu.h | 5 +
69557 arch/sparc/include/asm/spinlock_64.h | 35 +-
69558 arch/sparc/include/asm/thread_info_32.h | 2 +
69559 arch/sparc/include/asm/thread_info_64.h | 2 +
69560 arch/sparc/include/asm/uaccess.h | 1 +
69561 arch/sparc/include/asm/uaccess_32.h | 27 +-
69562 arch/sparc/include/asm/uaccess_64.h | 19 +-
69563 arch/sparc/kernel/Makefile | 2 +-
69564 arch/sparc/kernel/prom_common.c | 2 +-
69565 arch/sparc/kernel/smp_64.c | 12 +-
69566 arch/sparc/kernel/sys_sparc_32.c | 2 +-
69567 arch/sparc/kernel/sys_sparc_64.c | 52 +-
69568 arch/sparc/kernel/traps_64.c | 27 +-
69569 arch/sparc/lib/Makefile | 2 +-
69570 arch/sparc/lib/atomic_64.S | 136 +-
69571 arch/sparc/lib/ksyms.c | 6 +
69572 arch/sparc/mm/Makefile | 2 +-
69573 arch/sparc/mm/fault_32.c | 292 +
69574 arch/sparc/mm/fault_64.c | 486 ++
69575 arch/sparc/mm/hugetlbpage.c | 21 +-
69576 arch/sparc/mm/init_64.c | 10 +-
69577 arch/tile/include/asm/atomic_64.h | 10 +
69578 arch/tile/include/asm/uaccess.h | 4 +-
69579 arch/um/Makefile | 4 +
69580 arch/um/include/asm/kmap_types.h | 2 +-
69581 arch/um/include/asm/page.h | 3 +
69582 arch/um/include/asm/pgtable-3level.h | 1 +
69583 arch/um/kernel/process.c | 16 -
69584 arch/x86/Kconfig | 10 +-
69585 arch/x86/Kconfig.cpu | 6 +-
69586 arch/x86/Kconfig.debug | 4 +-
69587 arch/x86/Makefile | 10 +
69588 arch/x86/boot/Makefile | 3 +
69589 arch/x86/boot/bitops.h | 4 +-
69590 arch/x86/boot/boot.h | 4 +-
69591 arch/x86/boot/compressed/Makefile | 3 +
69592 arch/x86/boot/compressed/eboot.c | 2 -
69593 arch/x86/boot/compressed/efi_stub_32.S | 16 +-
69594 arch/x86/boot/compressed/head_32.S | 7 +-
69595 arch/x86/boot/compressed/head_64.S | 8 +-
69596 arch/x86/boot/compressed/misc.c | 4 +-
69597 arch/x86/boot/cpucheck.c | 28 +-
69598 arch/x86/boot/header.S | 6 +-
69599 arch/x86/boot/memory.c | 2 +-
69600 arch/x86/boot/video-vesa.c | 1 +
69601 arch/x86/boot/video.c | 2 +-
69602 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
69603 arch/x86/crypto/aesni-intel_asm.S | 22 +
69604 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
69605 arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
69606 arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
69607 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
69608 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
69609 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
69610 arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
69611 arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
69612 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
69613 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
69614 arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
69615 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
69616 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
69617 arch/x86/crypto/sha256-avx-asm.S | 2 +
69618 arch/x86/crypto/sha256-avx2-asm.S | 2 +
69619 arch/x86/crypto/sha256-ssse3-asm.S | 2 +
69620 arch/x86/crypto/sha512-avx-asm.S | 2 +
69621 arch/x86/crypto/sha512-avx2-asm.S | 2 +
69622 arch/x86/crypto/sha512-ssse3-asm.S | 2 +
69623 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
69624 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
69625 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
69626 arch/x86/ia32/ia32_signal.c | 16 +-
69627 arch/x86/ia32/ia32entry.S | 157 +-
69628 arch/x86/ia32/sys_ia32.c | 4 +-
69629 arch/x86/include/asm/alternative-asm.h | 39 +
69630 arch/x86/include/asm/alternative.h | 4 +-
69631 arch/x86/include/asm/apic.h | 2 +-
69632 arch/x86/include/asm/apm.h | 4 +-
69633 arch/x86/include/asm/atomic.h | 307 +-
69634 arch/x86/include/asm/atomic64_32.h | 100 +
69635 arch/x86/include/asm/atomic64_64.h | 202 +-
69636 arch/x86/include/asm/bitops.h | 4 +-
69637 arch/x86/include/asm/boot.h | 7 +-
69638 arch/x86/include/asm/cache.h | 5 +-
69639 arch/x86/include/asm/cacheflush.h | 2 +-
69640 arch/x86/include/asm/checksum_32.h | 12 +-
69641 arch/x86/include/asm/cmpxchg.h | 35 +
69642 arch/x86/include/asm/compat.h | 2 +-
69643 arch/x86/include/asm/cpufeature.h | 16 +-
69644 arch/x86/include/asm/desc.h | 74 +-
69645 arch/x86/include/asm/desc_defs.h | 6 +
69646 arch/x86/include/asm/div64.h | 2 +-
69647 arch/x86/include/asm/elf.h | 31 +-
69648 arch/x86/include/asm/emergency-restart.h | 2 +-
69649 arch/x86/include/asm/fpu-internal.h | 8 +-
69650 arch/x86/include/asm/futex.h | 20 +-
69651 arch/x86/include/asm/hw_irq.h | 4 +-
69652 arch/x86/include/asm/i8259.h | 2 +-
69653 arch/x86/include/asm/io.h | 21 +-
69654 arch/x86/include/asm/irqflags.h | 5 +
69655 arch/x86/include/asm/kprobes.h | 9 +-
69656 arch/x86/include/asm/local.h | 142 +-
69657 arch/x86/include/asm/mman.h | 15 +
69658 arch/x86/include/asm/mmu.h | 16 +-
69659 arch/x86/include/asm/mmu_context.h | 128 +-
69660 arch/x86/include/asm/module.h | 17 +-
69661 arch/x86/include/asm/nmi.h | 6 +-
69662 arch/x86/include/asm/page.h | 1 +
69663 arch/x86/include/asm/page_64.h | 4 +-
69664 arch/x86/include/asm/paravirt.h | 46 +-
69665 arch/x86/include/asm/paravirt_types.h | 17 +-
69666 arch/x86/include/asm/pgalloc.h | 23 +
69667 arch/x86/include/asm/pgtable-2level.h | 2 +
69668 arch/x86/include/asm/pgtable-3level.h | 4 +
69669 arch/x86/include/asm/pgtable.h | 124 +-
69670 arch/x86/include/asm/pgtable_32.h | 14 +-
69671 arch/x86/include/asm/pgtable_32_types.h | 15 +-
69672 arch/x86/include/asm/pgtable_64.h | 19 +-
69673 arch/x86/include/asm/pgtable_64_types.h | 5 +
69674 arch/x86/include/asm/pgtable_types.h | 36 +-
69675 arch/x86/include/asm/processor.h | 82 +-
69676 arch/x86/include/asm/ptrace.h | 26 +-
69677 arch/x86/include/asm/realmode.h | 4 +-
69678 arch/x86/include/asm/reboot.h | 10 +-
69679 arch/x86/include/asm/rwsem.h | 60 +-
69680 arch/x86/include/asm/segment.h | 29 +-
69681 arch/x86/include/asm/smap.h | 64 +-
69682 arch/x86/include/asm/smp.h | 14 +-
69683 arch/x86/include/asm/spinlock.h | 36 +-
69684 arch/x86/include/asm/stackprotector.h | 4 +-
69685 arch/x86/include/asm/stacktrace.h | 32 +-
69686 arch/x86/include/asm/switch_to.h | 4 +-
69687 arch/x86/include/asm/thread_info.h | 83 +-
69688 arch/x86/include/asm/tlbflush.h | 74 +-
69689 arch/x86/include/asm/uaccess.h | 112 +-
69690 arch/x86/include/asm/uaccess_32.h | 106 +-
69691 arch/x86/include/asm/uaccess_64.h | 232 +-
69692 arch/x86/include/asm/word-at-a-time.h | 2 +-
69693 arch/x86/include/asm/x86_init.h | 10 +-
69694 arch/x86/include/asm/xsave.h | 14 +-
69695 arch/x86/include/uapi/asm/e820.h | 2 +-
69696 arch/x86/kernel/Makefile | 2 +-
69697 arch/x86/kernel/acpi/boot.c | 4 +-
69698 arch/x86/kernel/acpi/sleep.c | 4 +
69699 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
69700 arch/x86/kernel/alternative.c | 65 +-
69701 arch/x86/kernel/apic/apic.c | 4 +-
69702 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
69703 arch/x86/kernel/apic/apic_noop.c | 2 +-
69704 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
69705 arch/x86/kernel/apic/es7000_32.c | 5 +-
69706 arch/x86/kernel/apic/io_apic.c | 8 +-
69707 arch/x86/kernel/apic/numaq_32.c | 3 +-
69708 arch/x86/kernel/apic/probe_32.c | 2 +-
69709 arch/x86/kernel/apic/summit_32.c | 2 +-
69710 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
69711 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
69712 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
69713 arch/x86/kernel/apm_32.c | 19 +-
69714 arch/x86/kernel/asm-offsets.c | 20 +
69715 arch/x86/kernel/asm-offsets_64.c | 1 +
69716 arch/x86/kernel/cpu/Makefile | 4 -
69717 arch/x86/kernel/cpu/amd.c | 2 +-
69718 arch/x86/kernel/cpu/common.c | 130 +-
69719 arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
69720 arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
69721 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
69722 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
69723 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
69724 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
69725 arch/x86/kernel/cpu/perf_event.c | 8 +-
69726 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
69727 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
69728 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
69729 arch/x86/kernel/cpuid.c | 2 +-
69730 arch/x86/kernel/crash.c | 4 +-
69731 arch/x86/kernel/crash_dump_64.c | 2 +-
69732 arch/x86/kernel/doublefault.c | 8 +-
69733 arch/x86/kernel/dumpstack.c | 30 +-
69734 arch/x86/kernel/dumpstack_32.c | 34 +-
69735 arch/x86/kernel/dumpstack_64.c | 61 +-
69736 arch/x86/kernel/e820.c | 4 +-
69737 arch/x86/kernel/early_printk.c | 1 +
69738 arch/x86/kernel/entry_32.S | 356 +-
69739 arch/x86/kernel/entry_64.S | 669 ++-
69740 arch/x86/kernel/ftrace.c | 14 +-
69741 arch/x86/kernel/head64.c | 13 +-
69742 arch/x86/kernel/head_32.S | 228 +-
69743 arch/x86/kernel/head_64.S | 138 +-
69744 arch/x86/kernel/i386_ksyms_32.c | 12 +
69745 arch/x86/kernel/i387.c | 2 +-
69746 arch/x86/kernel/i8259.c | 10 +-
69747 arch/x86/kernel/io_delay.c | 2 +-
69748 arch/x86/kernel/ioport.c | 2 +-
69749 arch/x86/kernel/irq.c | 8 +-
69750 arch/x86/kernel/irq_32.c | 67 +-
69751 arch/x86/kernel/irq_64.c | 2 +-
69752 arch/x86/kernel/kdebugfs.c | 2 +-
69753 arch/x86/kernel/kgdb.c | 25 +-
69754 arch/x86/kernel/kprobes/core.c | 30 +-
69755 arch/x86/kernel/kprobes/opt.c | 16 +-
69756 arch/x86/kernel/ldt.c | 31 +-
69757 arch/x86/kernel/machine_kexec_32.c | 6 +-
69758 arch/x86/kernel/microcode_core.c | 2 +-
69759 arch/x86/kernel/microcode_intel.c | 4 +-
69760 arch/x86/kernel/module.c | 76 +-
69761 arch/x86/kernel/msr.c | 2 +-
69762 arch/x86/kernel/nmi.c | 19 +-
69763 arch/x86/kernel/nmi_selftest.c | 4 +-
69764 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
69765 arch/x86/kernel/paravirt.c | 43 +-
69766 arch/x86/kernel/pci-calgary_64.c | 2 +-
69767 arch/x86/kernel/pci-iommu_table.c | 2 +-
69768 arch/x86/kernel/pci-swiotlb.c | 2 +-
69769 arch/x86/kernel/process.c | 55 +-
69770 arch/x86/kernel/process_32.c | 29 +-
69771 arch/x86/kernel/process_64.c | 20 +-
69772 arch/x86/kernel/ptrace.c | 25 +-
69773 arch/x86/kernel/pvclock.c | 8 +-
69774 arch/x86/kernel/reboot.c | 42 +-
69775 arch/x86/kernel/reboot_fixups_32.c | 2 +-
69776 arch/x86/kernel/relocate_kernel_64.S | 5 +-
69777 arch/x86/kernel/setup.c | 65 +-
69778 arch/x86/kernel/setup_percpu.c | 29 +-
69779 arch/x86/kernel/signal.c | 19 +-
69780 arch/x86/kernel/smp.c | 2 +-
69781 arch/x86/kernel/smpboot.c | 28 +-
69782 arch/x86/kernel/step.c | 10 +-
69783 arch/x86/kernel/sys_i386_32.c | 184 +
69784 arch/x86/kernel/sys_x86_64.c | 22 +-
69785 arch/x86/kernel/tboot.c | 12 +-
69786 arch/x86/kernel/time.c | 10 +-
69787 arch/x86/kernel/tls.c | 7 +-
69788 arch/x86/kernel/tracepoint.c | 4 +-
69789 arch/x86/kernel/traps.c | 62 +-
69790 arch/x86/kernel/uprobes.c | 4 +-
69791 arch/x86/kernel/vm86_32.c | 6 +-
69792 arch/x86/kernel/vmlinux.lds.S | 147 +-
69793 arch/x86/kernel/vsyscall_64.c | 12 +-
69794 arch/x86/kernel/x8664_ksyms_64.c | 6 +-
69795 arch/x86/kernel/x86_init.c | 6 +-
69796 arch/x86/kernel/xsave.c | 2 +
69797 arch/x86/kvm/cpuid.c | 21 +-
69798 arch/x86/kvm/lapic.c | 2 +-
69799 arch/x86/kvm/paging_tmpl.h | 2 +-
69800 arch/x86/kvm/svm.c | 8 +
69801 arch/x86/kvm/vmx.c | 61 +-
69802 arch/x86/kvm/x86.c | 8 +-
69803 arch/x86/lguest/boot.c | 3 +-
69804 arch/x86/lib/atomic64_386_32.S | 164 +
69805 arch/x86/lib/atomic64_cx8_32.S | 103 +-
69806 arch/x86/lib/checksum_32.S | 100 +-
69807 arch/x86/lib/clear_page_64.S | 5 +-
69808 arch/x86/lib/cmpxchg16b_emu.S | 2 +
69809 arch/x86/lib/copy_page_64.S | 24 +-
69810 arch/x86/lib/copy_user_64.S | 89 +-
69811 arch/x86/lib/copy_user_nocache_64.S | 22 +-
69812 arch/x86/lib/csum-copy_64.S | 2 +
69813 arch/x86/lib/csum-wrappers_64.c | 13 +-
69814 arch/x86/lib/getuser.S | 74 +-
69815 arch/x86/lib/insn.c | 6 +-
69816 arch/x86/lib/iomap_copy_64.S | 2 +
69817 arch/x86/lib/memcpy_64.S | 22 +-
69818 arch/x86/lib/memmove_64.S | 36 +-
69819 arch/x86/lib/memset_64.S | 11 +-
69820 arch/x86/lib/mmx_32.c | 243 +-
69821 arch/x86/lib/msr-reg.S | 18 +-
69822 arch/x86/lib/putuser.S | 90 +-
69823 arch/x86/lib/rwlock.S | 42 +
69824 arch/x86/lib/rwsem.S | 6 +-
69825 arch/x86/lib/thunk_64.S | 2 +
69826 arch/x86/lib/usercopy_32.c | 363 +-
69827 arch/x86/lib/usercopy_64.c | 18 +-
69828 arch/x86/mm/Makefile | 4 +
69829 arch/x86/mm/extable.c | 25 +-
69830 arch/x86/mm/fault.c | 571 ++-
69831 arch/x86/mm/gup.c | 2 +-
69832 arch/x86/mm/highmem_32.c | 4 +
69833 arch/x86/mm/hugetlbpage.c | 30 +-
69834 arch/x86/mm/init.c | 101 +-
69835 arch/x86/mm/init_32.c | 111 +-
69836 arch/x86/mm/init_64.c | 45 +-
69837 arch/x86/mm/iomap_32.c | 4 +
69838 arch/x86/mm/ioremap.c | 15 +-
69839 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
69840 arch/x86/mm/mmap.c | 36 +-
69841 arch/x86/mm/mmio-mod.c | 10 +-
69842 arch/x86/mm/numa.c | 2 +-
69843 arch/x86/mm/pageattr-test.c | 2 +-
69844 arch/x86/mm/pageattr.c | 33 +-
69845 arch/x86/mm/pat.c | 12 +-
69846 arch/x86/mm/pat_rbtree.c | 2 +-
69847 arch/x86/mm/pf_in.c | 10 +-
69848 arch/x86/mm/pgtable.c | 139 +-
69849 arch/x86/mm/pgtable_32.c | 3 +
69850 arch/x86/mm/physaddr.c | 4 +-
69851 arch/x86/mm/setup_nx.c | 7 +
69852 arch/x86/mm/tlb.c | 4 +
69853 arch/x86/mm/uderef_64.c | 37 +
69854 arch/x86/net/bpf_jit.S | 14 +
69855 arch/x86/net/bpf_jit_comp.c | 39 +-
69856 arch/x86/oprofile/backtrace.c | 8 +-
69857 arch/x86/oprofile/nmi_int.c | 8 +-
69858 arch/x86/oprofile/op_model_amd.c | 8 +-
69859 arch/x86/oprofile/op_model_ppro.c | 7 +-
69860 arch/x86/oprofile/op_x86_model.h | 2 +-
69861 arch/x86/pci/irq.c | 8 +-
69862 arch/x86/pci/mrst.c | 4 +-
69863 arch/x86/pci/pcbios.c | 144 +-
69864 arch/x86/platform/efi/efi_32.c | 24 +
69865 arch/x86/platform/efi/efi_64.c | 10 +
69866 arch/x86/platform/efi/efi_stub_32.S | 64 +-
69867 arch/x86/platform/efi/efi_stub_64.S | 8 +
69868 arch/x86/platform/mrst/mrst.c | 6 +-
69869 arch/x86/platform/olpc/olpc_dt.c | 2 +-
69870 arch/x86/power/cpu.c | 11 +-
69871 arch/x86/realmode/init.c | 10 +-
69872 arch/x86/realmode/rm/Makefile | 3 +
69873 arch/x86/realmode/rm/header.S | 4 +-
69874 arch/x86/realmode/rm/trampoline_32.S | 12 +-
69875 arch/x86/realmode/rm/trampoline_64.S | 3 +-
69876 arch/x86/tools/Makefile | 2 +-
69877 arch/x86/tools/relocs.c | 94 +-
69878 arch/x86/um/tls_32.c | 2 +-
69879 arch/x86/vdso/Makefile | 2 +-
69880 arch/x86/vdso/vdso32-setup.c | 23 +-
69881 arch/x86/vdso/vma.c | 29 +-
69882 arch/x86/xen/enlighten.c | 45 +-
69883 arch/x86/xen/mmu.c | 9 +
69884 arch/x86/xen/smp.c | 18 +-
69885 arch/x86/xen/xen-asm_32.S | 12 +-
69886 arch/x86/xen/xen-head.S | 11 +
69887 arch/x86/xen/xen-ops.h | 2 -
69888 block/blk-cgroup.c | 4 +-
69889 block/blk-iopoll.c | 2 +-
69890 block/blk-map.c | 2 +-
69891 block/blk-softirq.c | 2 +-
69892 block/bsg.c | 12 +-
69893 block/compat_ioctl.c | 2 +-
69894 block/genhd.c | 9 +-
69895 block/partitions/efi.c | 8 +-
69896 block/scsi_ioctl.c | 27 +-
69897 crypto/cryptd.c | 4 +-
69898 crypto/pcrypt.c | 2 +-
69899 drivers/acpi/apei/apei-internal.h | 2 +-
69900 drivers/acpi/apei/cper.c | 8 +-
69901 drivers/acpi/apei/ghes.c | 4 +-
69902 drivers/acpi/bgrt.c | 6 +-
69903 drivers/acpi/blacklist.c | 4 +-
69904 drivers/acpi/processor_idle.c | 2 +-
69905 drivers/acpi/sysfs.c | 4 +-
69906 drivers/ata/libahci.c | 2 +-
69907 drivers/ata/libata-core.c | 12 +-
69908 drivers/ata/libata-scsi.c | 2 +-
69909 drivers/ata/libata.h | 2 +-
69910 drivers/ata/pata_arasan_cf.c | 4 +-
69911 drivers/atm/adummy.c | 2 +-
69912 drivers/atm/ambassador.c | 8 +-
69913 drivers/atm/atmtcp.c | 14 +-
69914 drivers/atm/eni.c | 10 +-
69915 drivers/atm/firestream.c | 8 +-
69916 drivers/atm/fore200e.c | 14 +-
69917 drivers/atm/he.c | 18 +-
69918 drivers/atm/horizon.c | 4 +-
69919 drivers/atm/idt77252.c | 36 +-
69920 drivers/atm/iphase.c | 34 +-
69921 drivers/atm/lanai.c | 12 +-
69922 drivers/atm/nicstar.c | 46 +-
69923 drivers/atm/solos-pci.c | 4 +-
69924 drivers/atm/suni.c | 4 +-
69925 drivers/atm/uPD98402.c | 16 +-
69926 drivers/atm/zatm.c | 6 +-
69927 drivers/base/bus.c | 4 +-
69928 drivers/base/devtmpfs.c | 8 +-
69929 drivers/base/node.c | 2 +-
69930 drivers/base/power/domain.c | 4 +-
69931 drivers/base/power/sysfs.c | 2 +-
69932 drivers/base/power/wakeup.c | 8 +-
69933 drivers/base/syscore.c | 4 +-
69934 drivers/block/cciss.c | 28 +-
69935 drivers/block/cciss.h | 2 +-
69936 drivers/block/cpqarray.c | 28 +-
69937 drivers/block/cpqarray.h | 2 +-
69938 drivers/block/drbd/drbd_int.h | 6 +-
69939 drivers/block/drbd/drbd_main.c | 8 +-
69940 drivers/block/drbd/drbd_nl.c | 4 +-
69941 drivers/block/drbd/drbd_receiver.c | 22 +-
69942 drivers/block/loop.c | 2 +-
69943 drivers/block/pktcdvd.c | 2 +-
69944 drivers/cdrom/cdrom.c | 11 +-
69945 drivers/cdrom/gdrom.c | 1 -
69946 drivers/char/agp/compat_ioctl.c | 2 +-
69947 drivers/char/agp/frontend.c | 4 +-
69948 drivers/char/hpet.c | 2 +-
69949 drivers/char/hw_random/intel-rng.c | 2 +-
69950 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
69951 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
69952 drivers/char/mem.c | 43 +-
69953 drivers/char/nvram.c | 2 +-
69954 drivers/char/pcmcia/synclink_cs.c | 18 +-
69955 drivers/char/random.c | 10 +-
69956 drivers/char/sonypi.c | 9 +-
69957 drivers/char/tpm/tpm_acpi.c | 3 +-
69958 drivers/char/tpm/tpm_eventlog.c | 7 +-
69959 drivers/char/virtio_console.c | 4 +-
69960 drivers/clk/clk-composite.c | 2 +-
69961 drivers/clk/socfpga/clk.c | 7 +-
69962 drivers/cpufreq/acpi-cpufreq.c | 20 +-
69963 drivers/cpufreq/cpufreq.c | 9 +-
69964 drivers/cpufreq/cpufreq_governor.c | 6 +-
69965 drivers/cpufreq/cpufreq_governor.h | 2 +-
69966 drivers/cpufreq/cpufreq_ondemand.c | 8 +-
69967 drivers/cpufreq/cpufreq_stats.c | 2 +-
69968 drivers/cpufreq/p4-clockmod.c | 12 +-
69969 drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
69970 drivers/cpufreq/speedstep-centrino.c | 7 +-
69971 drivers/cpuidle/cpuidle.c | 2 +-
69972 drivers/cpuidle/governor.c | 4 +-
69973 drivers/cpuidle/sysfs.c | 2 +-
69974 drivers/crypto/hifn_795x.c | 4 +-
69975 drivers/devfreq/devfreq.c | 4 +-
69976 drivers/dma/sh/shdma.c | 2 +-
69977 drivers/edac/edac_device.c | 4 +-
69978 drivers/edac/edac_mc_sysfs.c | 12 +-
69979 drivers/edac/edac_pci.c | 4 +-
69980 drivers/edac/edac_pci_sysfs.c | 22 +-
69981 drivers/edac/mce_amd.h | 2 +-
69982 drivers/firewire/core-card.c | 6 +-
69983 drivers/firewire/core-device.c | 2 +-
69984 drivers/firewire/core-transaction.c | 1 +
69985 drivers/firewire/core.h | 1 +
69986 drivers/firmware/dmi-id.c | 2 +-
69987 drivers/firmware/dmi_scan.c | 7 +-
69988 drivers/firmware/efi/efi.c | 12 +-
69989 drivers/firmware/efi/efivars.c | 2 +-
69990 drivers/firmware/google/memconsole.c | 4 +-
69991 drivers/gpio/gpio-ich.c | 2 +-
69992 drivers/gpio/gpio-vr41xx.c | 2 +-
69993 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
69994 drivers/gpu/drm/drm_drv.c | 6 +-
69995 drivers/gpu/drm/drm_fops.c | 18 +-
69996 drivers/gpu/drm/drm_global.c | 14 +-
69997 drivers/gpu/drm/drm_info.c | 14 +-
69998 drivers/gpu/drm/drm_ioc32.c | 13 +-
69999 drivers/gpu/drm/drm_ioctl.c | 2 +-
70000 drivers/gpu/drm/drm_lock.c | 4 +-
70001 drivers/gpu/drm/drm_stub.c | 2 +-
70002 drivers/gpu/drm/drm_sysfs.c | 2 +-
70003 drivers/gpu/drm/i810/i810_dma.c | 8 +-
70004 drivers/gpu/drm/i810/i810_drv.h | 4 +-
70005 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
70006 drivers/gpu/drm/i915/i915_dma.c | 2 +-
70007 drivers/gpu/drm/i915/i915_drv.h | 2 +-
70008 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
70009 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
70010 drivers/gpu/drm/i915/i915_irq.c | 24 +-
70011 drivers/gpu/drm/i915/intel_display.c | 26 +-
70012 drivers/gpu/drm/mga/mga_drv.h | 4 +-
70013 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
70014 drivers/gpu/drm/mga/mga_irq.c | 8 +-
70015 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
70016 drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
70017 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
70018 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
70019 drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
70020 drivers/gpu/drm/r128/r128_cce.c | 2 +-
70021 drivers/gpu/drm/r128/r128_drv.h | 4 +-
70022 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
70023 drivers/gpu/drm/r128/r128_irq.c | 4 +-
70024 drivers/gpu/drm/r128/r128_state.c | 4 +-
70025 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
70026 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
70027 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
70028 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
70029 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
70030 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
70031 drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
70032 drivers/gpu/drm/radeon/rs690.c | 4 +-
70033 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
70034 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
70035 drivers/gpu/drm/udl/udl_fb.c | 1 -
70036 drivers/gpu/drm/via/via_drv.h | 4 +-
70037 drivers/gpu/drm/via/via_irq.c | 18 +-
70038 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
70039 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
70040 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
70041 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
70042 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
70043 drivers/gpu/host1x/drm/dc.c | 2 +-
70044 drivers/hid/hid-core.c | 4 +-
70045 drivers/hid/uhid.c | 6 +-
70046 drivers/hv/channel.c | 4 +-
70047 drivers/hv/hv.c | 2 +-
70048 drivers/hv/hv_balloon.c | 18 +-
70049 drivers/hv/hyperv_vmbus.h | 2 +-
70050 drivers/hv/vmbus_drv.c | 4 +-
70051 drivers/hwmon/acpi_power_meter.c | 4 +-
70052 drivers/hwmon/applesmc.c | 2 +-
70053 drivers/hwmon/asus_atk0110.c | 10 +-
70054 drivers/hwmon/coretemp.c | 2 +-
70055 drivers/hwmon/ibmaem.c | 2 +-
70056 drivers/hwmon/iio_hwmon.c | 2 +-
70057 drivers/hwmon/pmbus/pmbus_core.c | 10 +-
70058 drivers/hwmon/sht15.c | 12 +-
70059 drivers/hwmon/via-cputemp.c | 2 +-
70060 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
70061 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
70062 drivers/i2c/i2c-dev.c | 2 +-
70063 drivers/ide/ide-cd.c | 2 +-
70064 drivers/iio/industrialio-core.c | 2 +-
70065 drivers/infiniband/core/cm.c | 32 +-
70066 drivers/infiniband/core/fmr_pool.c | 20 +-
70067 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
70068 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
70069 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
70070 drivers/infiniband/hw/mlx4/mad.c | 2 +-
70071 drivers/infiniband/hw/mlx4/mcg.c | 2 +-
70072 drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
70073 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
70074 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
70075 drivers/infiniband/hw/nes/nes.c | 4 +-
70076 drivers/infiniband/hw/nes/nes.h | 40 +-
70077 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
70078 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
70079 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
70080 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
70081 drivers/infiniband/hw/qib/qib.h | 1 +
70082 drivers/input/gameport/gameport.c | 4 +-
70083 drivers/input/input.c | 4 +-
70084 drivers/input/joystick/sidewinder.c | 1 +
70085 drivers/input/joystick/xpad.c | 4 +-
70086 drivers/input/misc/ims-pcu.c | 4 +-
70087 drivers/input/mouse/psmouse.h | 2 +-
70088 drivers/input/mousedev.c | 2 +-
70089 drivers/input/serio/serio.c | 4 +-
70090 drivers/input/serio/serio_raw.c | 4 +-
70091 drivers/iommu/iommu.c | 2 +-
70092 drivers/iommu/irq_remapping.c | 12 +-
70093 drivers/irqchip/irq-gic.c | 4 +-
70094 drivers/isdn/capi/capi.c | 10 +-
70095 drivers/isdn/gigaset/interface.c | 8 +-
70096 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
70097 drivers/isdn/hardware/avm/b1.c | 4 +-
70098 drivers/isdn/i4l/isdn_common.c | 2 +
70099 drivers/isdn/i4l/isdn_tty.c | 22 +-
70100 drivers/isdn/icn/icn.c | 2 +-
70101 drivers/leds/leds-clevo-mail.c | 2 +-
70102 drivers/leds/leds-ss4200.c | 2 +-
70103 drivers/lguest/core.c | 10 +-
70104 drivers/lguest/page_tables.c | 2 +-
70105 drivers/lguest/x86/core.c | 12 +-
70106 drivers/lguest/x86/switcher_32.S | 27 +-
70107 drivers/md/bcache/closure.h | 2 +-
70108 drivers/md/bcache/super.c | 2 +-
70109 drivers/md/bitmap.c | 2 +-
70110 drivers/md/dm-ioctl.c | 2 +-
70111 drivers/md/dm-raid1.c | 16 +-
70112 drivers/md/dm-stripe.c | 10 +-
70113 drivers/md/dm-table.c | 2 +-
70114 drivers/md/dm-thin-metadata.c | 4 +-
70115 drivers/md/dm.c | 16 +-
70116 drivers/md/md.c | 26 +-
70117 drivers/md/md.h | 6 +-
70118 drivers/md/persistent-data/dm-space-map.h | 1 +
70119 drivers/md/raid1.c | 4 +-
70120 drivers/md/raid10.c | 16 +-
70121 drivers/md/raid5.c | 10 +-
70122 drivers/media/dvb-core/dvbdev.c | 2 +-
70123 drivers/media/dvb-frontends/dib3000.h | 2 +-
70124 drivers/media/pci/cx88/cx88-video.c | 6 +-
70125 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
70126 drivers/media/platform/omap/omap_vout.c | 11 +-
70127 drivers/media/platform/s5p-tv/mixer.h | 2 +-
70128 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
70129 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
70130 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
70131 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
70132 drivers/media/radio/radio-cadet.c | 2 +
70133 drivers/media/radio/radio-maxiradio.c | 2 +-
70134 drivers/media/radio/radio-shark.c | 2 +-
70135 drivers/media/radio/radio-shark2.c | 2 +-
70136 drivers/media/radio/radio-si476x.c | 2 +-
70137 drivers/media/rc/rc-main.c | 4 +-
70138 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
70139 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
70140 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
70141 drivers/media/v4l2-core/v4l2-device.c | 4 +-
70142 drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
70143 drivers/message/fusion/mptsas.c | 34 +-
70144 drivers/message/fusion/mptscsih.c | 19 +-
70145 drivers/message/i2o/i2o_proc.c | 51 +-
70146 drivers/message/i2o/iop.c | 8 +-
70147 drivers/mfd/janz-cmodio.c | 1 +
70148 drivers/mfd/twl4030-irq.c | 9 +-
70149 drivers/mfd/twl6030-irq.c | 10 +-
70150 drivers/misc/c2port/core.c | 4 +-
70151 drivers/misc/kgdbts.c | 4 +-
70152 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
70153 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
70154 drivers/misc/sgi-gru/gruhandles.c | 4 +-
70155 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
70156 drivers/misc/sgi-gru/grutables.h | 154 +-
70157 drivers/misc/sgi-xp/xp.h | 2 +-
70158 drivers/misc/sgi-xp/xpc.h | 3 +-
70159 drivers/misc/sgi-xp/xpc_main.c | 4 +-
70160 drivers/mmc/core/mmc_ops.c | 2 +-
70161 drivers/mmc/host/dw_mmc.h | 2 +-
70162 drivers/mmc/host/sdhci-s3c.c | 8 +-
70163 drivers/mtd/nand/denali.c | 1 +
70164 drivers/mtd/nftlmount.c | 1 +
70165 drivers/mtd/sm_ftl.c | 2 +-
70166 drivers/net/bonding/bond_main.c | 2 +-
70167 drivers/net/ethernet/8390/ax88796.c | 4 +-
70168 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
70169 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
70170 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
70171 drivers/net/ethernet/broadcom/tg3.h | 1 +
70172 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
70173 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
70174 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
70175 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
70176 drivers/net/ethernet/faraday/ftmac100.c | 2 +
70177 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
70178 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
70179 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
70180 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
70181 drivers/net/ethernet/realtek/r8169.c | 8 +-
70182 drivers/net/ethernet/sfc/ptp.c | 2 +-
70183 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
70184 drivers/net/hyperv/hyperv_net.h | 2 +-
70185 drivers/net/hyperv/rndis_filter.c | 4 +-
70186 drivers/net/ieee802154/fakehard.c | 2 +-
70187 drivers/net/macvlan.c | 18 +-
70188 drivers/net/macvtap.c | 2 +-
70189 drivers/net/ppp/ppp_generic.c | 4 +-
70190 drivers/net/slip/slhc.c | 2 +-
70191 drivers/net/team/team.c | 2 +-
70192 drivers/net/tun.c | 5 +-
70193 drivers/net/usb/hso.c | 23 +-
70194 drivers/net/usb/sierra_net.c | 4 +-
70195 drivers/net/vxlan.c | 2 +-
70196 drivers/net/wimax/i2400m/rx.c | 2 +-
70197 drivers/net/wireless/at76c50x-usb.c | 2 +-
70198 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
70199 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
70200 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
70201 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
70202 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
70203 drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
70204 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
70205 drivers/net/wireless/mac80211_hwsim.c | 32 +-
70206 drivers/net/wireless/rndis_wlan.c | 2 +-
70207 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
70208 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
70209 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
70210 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
70211 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
70212 drivers/oprofile/buffer_sync.c | 8 +-
70213 drivers/oprofile/event_buffer.c | 2 +-
70214 drivers/oprofile/oprof.c | 2 +-
70215 drivers/oprofile/oprofile_files.c | 2 +-
70216 drivers/oprofile/oprofile_stats.c | 10 +-
70217 drivers/oprofile/oprofile_stats.h | 10 +-
70218 drivers/oprofile/oprofilefs.c | 2 +-
70219 drivers/oprofile/timer_int.c | 2 +-
70220 drivers/parport/procfs.c | 4 +-
70221 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
70222 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
70223 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
70224 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
70225 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
70226 drivers/pci/hotplug/pciehp_core.c | 2 +-
70227 drivers/pci/pci-sysfs.c | 6 +-
70228 drivers/pci/pci.h | 2 +-
70229 drivers/pci/pcie/aspm.c | 6 +-
70230 drivers/pci/probe.c | 2 +-
70231 drivers/platform/x86/chromeos_laptop.c | 2 +-
70232 drivers/platform/x86/msi-laptop.c | 14 +-
70233 drivers/platform/x86/sony-laptop.c | 2 +-
70234 drivers/platform/x86/thinkpad_acpi.c | 70 +-
70235 drivers/pnp/pnpbios/bioscalls.c | 14 +-
70236 drivers/pnp/resource.c | 4 +-
70237 drivers/power/pda_power.c | 7 +-
70238 drivers/power/power_supply.h | 4 +-
70239 drivers/power/power_supply_core.c | 7 +-
70240 drivers/power/power_supply_sysfs.c | 6 +-
70241 drivers/regulator/core.c | 4 +-
70242 drivers/regulator/max8660.c | 6 +-
70243 drivers/regulator/max8973-regulator.c | 8 +-
70244 drivers/regulator/mc13892-regulator.c | 6 +-
70245 drivers/rtc/rtc-cmos.c | 4 +-
70246 drivers/rtc/rtc-ds1307.c | 2 +-
70247 drivers/rtc/rtc-m48t59.c | 4 +-
70248 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
70249 drivers/scsi/bfa/bfa_ioc.h | 4 +-
70250 drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
70251 drivers/scsi/hosts.c | 4 +-
70252 drivers/scsi/hpsa.c | 30 +-
70253 drivers/scsi/hpsa.h | 2 +-
70254 drivers/scsi/libfc/fc_exch.c | 50 +-
70255 drivers/scsi/libsas/sas_ata.c | 2 +-
70256 drivers/scsi/lpfc/lpfc.h | 8 +-
70257 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
70258 drivers/scsi/lpfc/lpfc_init.c | 6 +-
70259 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
70260 drivers/scsi/pmcraid.c | 20 +-
70261 drivers/scsi/pmcraid.h | 8 +-
70262 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
70263 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
70264 drivers/scsi/qla2xxx/qla_os.c | 6 +-
70265 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
70266 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
70267 drivers/scsi/scsi.c | 2 +-
70268 drivers/scsi/scsi_lib.c | 6 +-
70269 drivers/scsi/scsi_sysfs.c | 2 +-
70270 drivers/scsi/scsi_tgt_lib.c | 2 +-
70271 drivers/scsi/scsi_transport_fc.c | 8 +-
70272 drivers/scsi/scsi_transport_iscsi.c | 6 +-
70273 drivers/scsi/scsi_transport_srp.c | 6 +-
70274 drivers/scsi/sd.c | 2 +-
70275 drivers/scsi/sg.c | 2 +-
70276 drivers/spi/spi.c | 2 +-
70277 drivers/staging/android/timed_output.c | 6 +-
70278 drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
70279 drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
70280 drivers/staging/media/solo6x10/solo6x10.h | 2 +-
70281 drivers/staging/octeon/ethernet-rx.c | 12 +-
70282 drivers/staging/octeon/ethernet.c | 8 +-
70283 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
70284 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
70285 drivers/staging/usbip/vhci.h | 2 +-
70286 drivers/staging/usbip/vhci_hcd.c | 6 +-
70287 drivers/staging/usbip/vhci_rx.c | 2 +-
70288 drivers/staging/vt6655/hostap.c | 7 +-
70289 drivers/staging/vt6656/hostap.c | 7 +-
70290 drivers/staging/zcache/tmem.h | 4 +-
70291 drivers/target/sbp/sbp_target.c | 4 +-
70292 drivers/target/target_core_device.c | 2 +-
70293 drivers/target/target_core_transport.c | 2 +-
70294 drivers/tty/cyclades.c | 6 +-
70295 drivers/tty/hvc/hvc_console.c | 14 +-
70296 drivers/tty/hvc/hvcs.c | 21 +-
70297 drivers/tty/hvc/hvsi.c | 12 +-
70298 drivers/tty/hvc/hvsi_lib.c | 6 +-
70299 drivers/tty/ipwireless/tty.c | 27 +-
70300 drivers/tty/moxa.c | 2 +-
70301 drivers/tty/n_gsm.c | 4 +-
70302 drivers/tty/n_tty.c | 3 +-
70303 drivers/tty/pty.c | 4 +-
70304 drivers/tty/rocket.c | 6 +-
70305 drivers/tty/serial/ioc4_serial.c | 6 +-
70306 drivers/tty/serial/kgdboc.c | 32 +-
70307 drivers/tty/serial/msm_serial.c | 4 +-
70308 drivers/tty/serial/samsung.c | 9 +-
70309 drivers/tty/serial/serial_core.c | 8 +-
70310 drivers/tty/synclink.c | 34 +-
70311 drivers/tty/synclink_gt.c | 28 +-
70312 drivers/tty/synclinkmp.c | 34 +-
70313 drivers/tty/tty_io.c | 2 +-
70314 drivers/tty/tty_ldisc.c | 10 +-
70315 drivers/tty/tty_port.c | 22 +-
70316 drivers/uio/uio.c | 21 +-
70317 drivers/usb/atm/cxacru.c | 2 +-
70318 drivers/usb/atm/usbatm.c | 24 +-
70319 drivers/usb/core/devices.c | 6 +-
70320 drivers/usb/core/hcd.c | 4 +-
70321 drivers/usb/core/message.c | 2 +-
70322 drivers/usb/core/sysfs.c | 2 +-
70323 drivers/usb/core/usb.c | 2 +-
70324 drivers/usb/dwc3/gadget.c | 2 -
70325 drivers/usb/early/ehci-dbgp.c | 16 +-
70326 drivers/usb/gadget/u_serial.c | 22 +-
70327 drivers/usb/misc/appledisplay.c | 4 +-
70328 drivers/usb/serial/console.c | 6 +-
70329 drivers/usb/storage/usb.h | 2 +-
70330 drivers/usb/wusbcore/wa-hc.h | 4 +-
70331 drivers/usb/wusbcore/wa-xfer.c | 2 +-
70332 drivers/vfio/vfio.c | 2 +-
70333 drivers/vhost/vringh.c | 2 +-
70334 drivers/video/aty/aty128fb.c | 2 +-
70335 drivers/video/aty/atyfb_base.c | 8 +-
70336 drivers/video/aty/mach64_cursor.c | 5 +-
70337 drivers/video/backlight/kb3886_bl.c | 2 +-
70338 drivers/video/fb_defio.c | 6 +-
70339 drivers/video/fbcmap.c | 3 +-
70340 drivers/video/fbmem.c | 6 +-
70341 drivers/video/hyperv_fb.c | 4 +-
70342 drivers/video/i810/i810_accel.c | 1 +
70343 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
70344 drivers/video/nvidia/nvidia.c | 27 +-
70345 drivers/video/s1d13xxxfb.c | 6 +-
70346 drivers/video/smscufx.c | 4 +-
70347 drivers/video/udlfb.c | 36 +-
70348 drivers/video/uvesafb.c | 53 +-
70349 drivers/video/vesafb.c | 58 +-
70350 drivers/video/via/via_clock.h | 2 +-
70351 fs/9p/vfs_addr.c | 2 +-
70352 fs/9p/vfs_inode.c | 2 +-
70353 fs/Kconfig.binfmt | 2 +-
70354 fs/afs/inode.c | 4 +-
70355 fs/aio.c | 12 +-
70356 fs/autofs4/waitq.c | 2 +-
70357 fs/befs/endian.h | 4 +-
70358 fs/befs/linuxvfs.c | 2 +-
70359 fs/binfmt_aout.c | 23 +-
70360 fs/binfmt_elf.c | 648 ++-
70361 fs/binfmt_flat.c | 6 +
70362 fs/bio.c | 6 +-
70363 fs/block_dev.c | 2 +-
70364 fs/btrfs/ctree.c | 9 +-
70365 fs/btrfs/delayed-inode.c | 6 +-
70366 fs/btrfs/delayed-inode.h | 4 +-
70367 fs/btrfs/super.c | 2 +-
70368 fs/buffer.c | 2 +-
70369 fs/cachefiles/bind.c | 6 +-
70370 fs/cachefiles/daemon.c | 8 +-
70371 fs/cachefiles/internal.h | 12 +-
70372 fs/cachefiles/namei.c | 2 +-
70373 fs/cachefiles/proc.c | 12 +-
70374 fs/cachefiles/rdwr.c | 2 +-
70375 fs/ceph/dir.c | 2 +-
70376 fs/ceph/super.c | 4 +-
70377 fs/cifs/cifs_debug.c | 12 +-
70378 fs/cifs/cifsfs.c | 8 +-
70379 fs/cifs/cifsglob.h | 54 +-
70380 fs/cifs/link.c | 2 +-
70381 fs/cifs/misc.c | 4 +-
70382 fs/cifs/smb1ops.c | 80 +-
70383 fs/cifs/smb2ops.c | 84 +-
70384 fs/cifs/smb2pdu.c | 3 +-
70385 fs/coda/cache.c | 10 +-
70386 fs/compat.c | 4 +-
70387 fs/compat_binfmt_elf.c | 2 +
70388 fs/compat_ioctl.c | 12 +-
70389 fs/configfs/dir.c | 10 +-
70390 fs/coredump.c | 18 +-
70391 fs/dcache.c | 3 +-
70392 fs/ecryptfs/inode.c | 4 +-
70393 fs/ecryptfs/miscdev.c | 2 +-
70394 fs/exec.c | 362 +-
70395 fs/ext4/ext4.h | 20 +-
70396 fs/ext4/mballoc.c | 44 +-
70397 fs/ext4/mmp.c | 2 +-
70398 fs/ext4/super.c | 4 +-
70399 fs/fhandle.c | 3 +-
70400 fs/fs_struct.c | 8 +-
70401 fs/fscache/cookie.c | 38 +-
70402 fs/fscache/internal.h | 196 +-
70403 fs/fscache/object.c | 26 +-
70404 fs/fscache/operation.c | 30 +-
70405 fs/fscache/page.c | 110 +-
70406 fs/fscache/stats.c | 344 +-
70407 fs/fuse/cuse.c | 10 +-
70408 fs/fuse/dev.c | 4 +-
70409 fs/fuse/dir.c | 2 +-
70410 fs/gfs2/inode.c | 2 +-
70411 fs/hugetlbfs/inode.c | 13 +-
70412 fs/inode.c | 4 +-
70413 fs/jffs2/erase.c | 3 +-
70414 fs/jffs2/wbuf.c | 3 +-
70415 fs/jfs/super.c | 2 +-
70416 fs/libfs.c | 10 +-
70417 fs/lockd/clntproc.c | 4 +-
70418 fs/locks.c | 8 +-
70419 fs/namei.c | 15 +-
70420 fs/namespace.c | 16 +-
70421 fs/nfs/callback_xdr.c | 2 +-
70422 fs/nfs/inode.c | 6 +-
70423 fs/nfsd/nfs4proc.c | 2 +-
70424 fs/nfsd/nfs4xdr.c | 6 +-
70425 fs/nfsd/nfscache.c | 9 +-
70426 fs/nfsd/vfs.c | 6 +-
70427 fs/nls/nls_base.c | 18 +-
70428 fs/nls/nls_euc-jp.c | 6 +-
70429 fs/nls/nls_koi8-ru.c | 6 +-
70430 fs/notify/fanotify/fanotify_user.c | 4 +-
70431 fs/notify/notification.c | 4 +-
70432 fs/ntfs/dir.c | 2 +-
70433 fs/ntfs/file.c | 6 +-
70434 fs/ntfs/super.c | 6 +-
70435 fs/ocfs2/localalloc.c | 2 +-
70436 fs/ocfs2/ocfs2.h | 10 +-
70437 fs/ocfs2/suballoc.c | 12 +-
70438 fs/ocfs2/super.c | 20 +-
70439 fs/pipe.c | 61 +-
70440 fs/proc/array.c | 20 +
70441 fs/proc/base.c | 4 +-
70442 fs/proc/kcore.c | 32 +-
70443 fs/proc/meminfo.c | 2 +-
70444 fs/proc/nommu.c | 2 +-
70445 fs/proc/proc_sysctl.c | 18 +-
70446 fs/proc/self.c | 2 +-
70447 fs/proc/task_mmu.c | 39 +-
70448 fs/proc/task_nommu.c | 4 +-
70449 fs/proc/vmcore.c | 12 +-
70450 fs/qnx6/qnx6.h | 4 +-
70451 fs/quota/netlink.c | 4 +-
70452 fs/read_write.c | 2 +-
70453 fs/reiserfs/do_balan.c | 2 +-
70454 fs/reiserfs/procfs.c | 2 +-
70455 fs/reiserfs/reiserfs.h | 4 +-
70456 fs/seq_file.c | 2 +-
70457 fs/splice.c | 41 +-
70458 fs/sysfs/bin.c | 6 +-
70459 fs/sysfs/dir.c | 2 +-
70460 fs/sysfs/file.c | 10 +-
70461 fs/sysfs/symlink.c | 2 +-
70462 fs/sysv/sysv.h | 2 +-
70463 fs/ubifs/io.c | 2 +-
70464 fs/udf/misc.c | 2 +-
70465 fs/ufs/swab.h | 4 +-
70466 fs/xattr.c | 21 +
70467 fs/xattr_acl.c | 4 +-
70468 fs/xfs/xfs_bmap.c | 2 +-
70469 fs/xfs/xfs_dir2_sf.c | 7 +-
70470 fs/xfs/xfs_ioctl.c | 2 +-
70471 fs/xfs/xfs_iops.c | 2 +-
70472 include/asm-generic/4level-fixup.h | 2 +
70473 include/asm-generic/atomic-long.h | 210 +
70474 include/asm-generic/atomic.h | 2 +-
70475 include/asm-generic/atomic64.h | 12 +
70476 include/asm-generic/cache.h | 4 +-
70477 include/asm-generic/emergency-restart.h | 2 +-
70478 include/asm-generic/kmap_types.h | 4 +-
70479 include/asm-generic/local.h | 13 +
70480 include/asm-generic/pgtable-nopmd.h | 18 +-
70481 include/asm-generic/pgtable-nopud.h | 15 +-
70482 include/asm-generic/pgtable.h | 16 +
70483 include/asm-generic/uaccess.h | 16 +
70484 include/asm-generic/vmlinux.lds.h | 10 +-
70485 include/crypto/algapi.h | 2 +-
70486 include/drm/drmP.h | 17 +-
70487 include/drm/drm_crtc_helper.h | 2 +-
70488 include/drm/ttm/ttm_memory.h | 2 +-
70489 include/keys/asymmetric-subtype.h | 2 +-
70490 include/linux/atmdev.h | 4 +-
70491 include/linux/binfmts.h | 3 +-
70492 include/linux/blkdev.h | 2 +-
70493 include/linux/blktrace_api.h | 2 +-
70494 include/linux/cache.h | 4 +
70495 include/linux/cdrom.h | 1 -
70496 include/linux/cleancache.h | 2 +-
70497 include/linux/clk-provider.h | 1 +
70498 include/linux/compat.h | 5 +-
70499 include/linux/compiler-gcc4.h | 20 +
70500 include/linux/compiler.h | 65 +-
70501 include/linux/completion.h | 6 +-
70502 include/linux/configfs.h | 2 +-
70503 include/linux/cpufreq.h | 3 +-
70504 include/linux/cpuidle.h | 5 +-
70505 include/linux/cpumask.h | 12 +-
70506 include/linux/crypto.h | 6 +-
70507 include/linux/ctype.h | 2 +-
70508 include/linux/decompress/mm.h | 2 +-
70509 include/linux/devfreq.h | 2 +-
70510 include/linux/device.h | 7 +-
70511 include/linux/dma-mapping.h | 2 +-
70512 include/linux/dmaengine.h | 4 +-
70513 include/linux/efi.h | 1 +
70514 include/linux/elf.h | 2 +
70515 include/linux/err.h | 4 +-
70516 include/linux/extcon.h | 2 +-
70517 include/linux/fb.h | 2 +-
70518 include/linux/fdtable.h | 2 +-
70519 include/linux/filter.h | 4 +
70520 include/linux/frontswap.h | 2 +-
70521 include/linux/fs.h | 3 +-
70522 include/linux/fs_struct.h | 2 +-
70523 include/linux/fscache-cache.h | 4 +-
70524 include/linux/fscache.h | 2 +-
70525 include/linux/fsnotify.h | 2 +-
70526 include/linux/genhd.h | 2 +-
70527 include/linux/genl_magic_func.h | 2 +-
70528 include/linux/gfp.h | 12 +-
70529 include/linux/highmem.h | 12 +
70530 include/linux/hwmon-sysfs.h | 5 +-
70531 include/linux/i2c.h | 1 +
70532 include/linux/i2o.h | 2 +-
70533 include/linux/if_pppox.h | 2 +-
70534 include/linux/init.h | 17 +-
70535 include/linux/init_task.h | 7 +
70536 include/linux/interrupt.h | 8 +-
70537 include/linux/iommu.h | 2 +-
70538 include/linux/ioport.h | 2 +-
70539 include/linux/irq.h | 3 +-
70540 include/linux/irqchip/arm-gic.h | 4 +-
70541 include/linux/key-type.h | 2 +-
70542 include/linux/kgdb.h | 6 +-
70543 include/linux/kobject.h | 3 +-
70544 include/linux/kobject_ns.h | 2 +-
70545 include/linux/kref.h | 2 +-
70546 include/linux/kvm_host.h | 4 +-
70547 include/linux/libata.h | 2 +-
70548 include/linux/linkage.h | 1 +
70549 include/linux/list.h | 15 +
70550 include/linux/math64.h | 8 +-
70551 include/linux/mm.h | 116 +-
70552 include/linux/mm_types.h | 20 +
70553 include/linux/mmiotrace.h | 4 +-
70554 include/linux/mmzone.h | 2 +-
70555 include/linux/mod_devicetable.h | 6 +-
70556 include/linux/module.h | 60 +-
70557 include/linux/moduleloader.h | 16 +
70558 include/linux/moduleparam.h | 4 +-
70559 include/linux/namei.h | 6 +-
70560 include/linux/net.h | 2 +-
70561 include/linux/netdevice.h | 3 +-
70562 include/linux/netfilter.h | 2 +-
70563 include/linux/netfilter/ipset/ip_set.h | 2 +-
70564 include/linux/netfilter/nfnetlink.h | 2 +-
70565 include/linux/nls.h | 2 +-
70566 include/linux/notifier.h | 3 +-
70567 include/linux/oprofile.h | 4 +-
70568 include/linux/pci_hotplug.h | 3 +-
70569 include/linux/perf_event.h | 10 +-
70570 include/linux/pipe_fs_i.h | 8 +-
70571 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
70572 include/linux/platform_data/usb-ohci-exynos.h | 2 +-
70573 include/linux/pm_domain.h | 2 +-
70574 include/linux/pm_runtime.h | 2 +-
70575 include/linux/pnp.h | 2 +-
70576 include/linux/poison.h | 4 +-
70577 include/linux/power/smartreflex.h | 2 +-
70578 include/linux/ppp-comp.h | 2 +-
70579 include/linux/preempt.h | 19 +
70580 include/linux/proc_ns.h | 2 +-
70581 include/linux/random.h | 15 +
70582 include/linux/rculist.h | 16 +
70583 include/linux/reboot.h | 14 +-
70584 include/linux/regset.h | 3 +-
70585 include/linux/relay.h | 2 +-
70586 include/linux/rio.h | 2 +-
70587 include/linux/rmap.h | 4 +-
70588 include/linux/sched.h | 67 +-
70589 include/linux/sched/sysctl.h | 1 +
70590 include/linux/security.h | 2 +-
70591 include/linux/seq_file.h | 1 +
70592 include/linux/signal.h | 1 +
70593 include/linux/skbuff.h | 12 +-
70594 include/linux/slab.h | 48 +-
70595 include/linux/slab_def.h | 32 +-
70596 include/linux/slob_def.h | 4 +-
70597 include/linux/slub_def.h | 8 +-
70598 include/linux/smp.h | 2 +
70599 include/linux/sock_diag.h | 2 +-
70600 include/linux/sonet.h | 2 +-
70601 include/linux/sunrpc/addr.h | 8 +-
70602 include/linux/sunrpc/clnt.h | 2 +-
70603 include/linux/sunrpc/svc.h | 2 +-
70604 include/linux/sunrpc/svc_rdma.h | 18 +-
70605 include/linux/sunrpc/svcauth.h | 2 +-
70606 include/linux/swiotlb.h | 3 +-
70607 include/linux/syscalls.h | 18 +-
70608 include/linux/syscore_ops.h | 2 +-
70609 include/linux/sysctl.h | 6 +-
70610 include/linux/sysfs.h | 9 +-
70611 include/linux/sysrq.h | 3 +-
70612 include/linux/thread_info.h | 7 +
70613 include/linux/tty.h | 4 +-
70614 include/linux/tty_driver.h | 2 +-
70615 include/linux/tty_ldisc.h | 2 +-
70616 include/linux/types.h | 16 +
70617 include/linux/uaccess.h | 6 +-
70618 include/linux/unaligned/access_ok.h | 24 +-
70619 include/linux/usb.h | 4 +-
70620 include/linux/usb/renesas_usbhs.h | 2 +-
70621 include/linux/vermagic.h | 21 +-
70622 include/linux/vmalloc.h | 11 +-
70623 include/linux/vmstat.h | 20 +-
70624 include/linux/xattr.h | 5 +-
70625 include/linux/zlib.h | 3 +-
70626 include/media/v4l2-dev.h | 2 +-
70627 include/media/v4l2-device.h | 2 +-
70628 include/net/9p/transport.h | 2 +-
70629 include/net/bluetooth/l2cap.h | 2 +-
70630 include/net/caif/cfctrl.h | 6 +-
70631 include/net/flow.h | 2 +-
70632 include/net/genetlink.h | 2 +-
70633 include/net/gro_cells.h | 2 +-
70634 include/net/inet_connection_sock.h | 2 +-
70635 include/net/inetpeer.h | 17 +-
70636 include/net/ip.h | 2 +-
70637 include/net/ip_fib.h | 2 +-
70638 include/net/ip_vs.h | 8 +-
70639 include/net/irda/ircomm_tty.h | 1 +
70640 include/net/iucv/af_iucv.h | 2 +-
70641 include/net/llc_c_ac.h | 2 +-
70642 include/net/llc_c_ev.h | 4 +-
70643 include/net/llc_c_st.h | 2 +-
70644 include/net/llc_s_ac.h | 2 +-
70645 include/net/llc_s_st.h | 2 +-
70646 include/net/mac80211.h | 2 +-
70647 include/net/neighbour.h | 2 +-
70648 include/net/net_namespace.h | 18 +-
70649 include/net/netdma.h | 2 +-
70650 include/net/netlink.h | 2 +-
70651 include/net/netns/conntrack.h | 6 +-
70652 include/net/netns/ipv4.h | 2 +-
70653 include/net/netns/ipv6.h | 2 +-
70654 include/net/ping.h | 2 +-
70655 include/net/protocol.h | 4 +-
70656 include/net/rtnetlink.h | 2 +-
70657 include/net/sctp/sm.h | 4 +-
70658 include/net/sctp/structs.h | 2 +-
70659 include/net/sock.h | 6 +-
70660 include/net/tcp.h | 8 +-
70661 include/net/xfrm.h | 8 +-
70662 include/rdma/iw_cm.h | 2 +-
70663 include/scsi/libfc.h | 3 +-
70664 include/scsi/scsi_device.h | 6 +-
70665 include/scsi/scsi_transport_fc.h | 3 +-
70666 include/sound/compress_driver.h | 2 +-
70667 include/sound/soc.h | 4 +-
70668 include/target/target_core_base.h | 2 +-
70669 include/trace/events/irq.h | 4 +-
70670 include/uapi/linux/a.out.h | 8 +
70671 include/uapi/linux/byteorder/little_endian.h | 28 +-
70672 include/uapi/linux/elf.h | 28 +
70673 include/uapi/linux/screen_info.h | 3 +-
70674 include/uapi/linux/swab.h | 6 +-
70675 include/uapi/linux/sysctl.h | 6 +-
70676 include/uapi/linux/xattr.h | 4 +
70677 include/video/udlfb.h | 8 +-
70678 include/video/uvesafb.h | 1 +
70679 init/Kconfig | 2 +-
70680 init/Makefile | 3 +
70681 init/do_mounts.c | 14 +-
70682 init/do_mounts.h | 8 +-
70683 init/do_mounts_initrd.c | 30 +-
70684 init/do_mounts_md.c | 6 +-
70685 init/init_task.c | 4 +
70686 init/initramfs.c | 42 +-
70687 init/main.c | 84 +-
70688 ipc/ipc_sysctl.c | 10 +-
70689 ipc/mq_sysctl.c | 2 +-
70690 ipc/msg.c | 11 +-
70691 ipc/sem.c | 11 +-
70692 ipc/shm.c | 17 +-
70693 kernel/acct.c | 2 +-
70694 kernel/audit.c | 8 +-
70695 kernel/auditsc.c | 4 +-
70696 kernel/capability.c | 3 +
70697 kernel/compat.c | 38 +-
70698 kernel/debug/debug_core.c | 16 +-
70699 kernel/debug/kdb/kdb_main.c | 4 +-
70700 kernel/events/core.c | 30 +-
70701 kernel/events/internal.h | 12 +-
70702 kernel/events/uprobes.c | 2 +-
70703 kernel/exit.c | 4 +-
70704 kernel/fork.c | 170 +-
70705 kernel/futex.c | 11 +-
70706 kernel/futex_compat.c | 2 +-
70707 kernel/gcov/base.c | 7 +-
70708 kernel/hrtimer.c | 2 +-
70709 kernel/irq_work.c | 7 +-
70710 kernel/jump_label.c | 5 +
70711 kernel/kallsyms.c | 39 +-
70712 kernel/kexec.c | 3 +-
70713 kernel/kmod.c | 4 +-
70714 kernel/kprobes.c | 8 +-
70715 kernel/ksysfs.c | 2 +-
70716 kernel/lockdep.c | 7 +-
70717 kernel/module.c | 337 +-
70718 kernel/mutex-debug.c | 12 +-
70719 kernel/mutex-debug.h | 4 +-
70720 kernel/mutex.c | 10 +-
70721 kernel/notifier.c | 17 +-
70722 kernel/panic.c | 3 +-
70723 kernel/pid.c | 2 +-
70724 kernel/pid_namespace.c | 2 +-
70725 kernel/posix-cpu-timers.c | 4 +-
70726 kernel/posix-timers.c | 24 +-
70727 kernel/power/process.c | 12 +-
70728 kernel/profile.c | 14 +-
70729 kernel/ptrace.c | 8 +-
70730 kernel/rcupdate.c | 4 +-
70731 kernel/rcutiny.c | 4 +-
70732 kernel/rcutorture.c | 56 +-
70733 kernel/rcutree.c | 74 +-
70734 kernel/rcutree.h | 24 +-
70735 kernel/rcutree_plugin.h | 20 +-
70736 kernel/rcutree_trace.c | 22 +-
70737 kernel/rtmutex-tester.c | 24 +-
70738 kernel/sched/auto_group.c | 4 +-
70739 kernel/sched/core.c | 49 +-
70740 kernel/sched/fair.c | 4 +-
70741 kernel/sched/sched.h | 2 +-
70742 kernel/signal.c | 32 +-
70743 kernel/smpboot.c | 4 +-
70744 kernel/softirq.c | 14 +-
70745 kernel/srcu.c | 4 +-
70746 kernel/sys.c | 10 +-
70747 kernel/sysctl.c | 39 +-
70748 kernel/time.c | 2 +-
70749 kernel/time/alarmtimer.c | 2 +-
70750 kernel/time/timer_stats.c | 10 +-
70751 kernel/timer.c | 4 +-
70752 kernel/trace/blktrace.c | 6 +-
70753 kernel/trace/ftrace.c | 18 +-
70754 kernel/trace/ring_buffer.c | 76 +-
70755 kernel/trace/trace.c | 2 +-
70756 kernel/trace/trace.h | 2 +-
70757 kernel/trace/trace_clock.c | 4 +-
70758 kernel/trace/trace_events.c | 25 +-
70759 kernel/trace/trace_mmiotrace.c | 8 +-
70760 kernel/trace/trace_output.c | 12 +-
70761 kernel/trace/trace_stack.c | 2 +-
70762 kernel/user_namespace.c | 2 +-
70763 kernel/utsname_sysctl.c | 2 +-
70764 kernel/watchdog.c | 2 +-
70765 kernel/workqueue.c | 2 +-
70766 lib/Kconfig.debug | 8 +-
70767 lib/Makefile | 2 +-
70768 lib/bitmap.c | 8 +-
70769 lib/bug.c | 2 +
70770 lib/debugobjects.c | 2 +-
70771 lib/devres.c | 4 +-
70772 lib/div64.c | 4 +-
70773 lib/dma-debug.c | 4 +-
70774 lib/inflate.c | 2 +-
70775 lib/ioremap.c | 4 +-
70776 lib/kobject.c | 4 +-
70777 lib/list_debug.c | 126 +-
70778 lib/radix-tree.c | 2 +-
70779 lib/strncpy_from_user.c | 2 +-
70780 lib/strnlen_user.c | 2 +-
70781 lib/swiotlb.c | 2 +-
70782 lib/usercopy.c | 6 +
70783 lib/vsprintf.c | 12 +-
70784 mm/Kconfig | 6 +-
70785 mm/backing-dev.c | 4 +-
70786 mm/filemap.c | 10 +-
70787 mm/fremap.c | 5 +
70788 mm/highmem.c | 7 +-
70789 mm/hugetlb.c | 70 +-
70790 mm/internal.h | 3 +-
70791 mm/maccess.c | 4 +-
70792 mm/madvise.c | 41 +
70793 mm/memory-failure.c | 26 +-
70794 mm/memory.c | 424 ++-
70795 mm/mempolicy.c | 25 +
70796 mm/mlock.c | 15 +-
70797 mm/mmap.c | 588 ++-
70798 mm/mprotect.c | 139 +-
70799 mm/mremap.c | 44 +-
70800 mm/nommu.c | 21 +-
70801 mm/page-writeback.c | 2 +-
70802 mm/page_alloc.c | 41 +-
70803 mm/page_io.c | 2 +-
70804 mm/percpu.c | 2 +-
70805 mm/process_vm_access.c | 14 +-
70806 mm/rmap.c | 44 +-
70807 mm/shmem.c | 19 +-
70808 mm/slab.c | 108 +-
70809 mm/slab.h | 15 +-
70810 mm/slab_common.c | 60 +-
70811 mm/slob.c | 206 +-
70812 mm/slub.c | 88 +-
70813 mm/sparse-vmemmap.c | 4 +-
70814 mm/sparse.c | 2 +-
70815 mm/swap.c | 3 +
70816 mm/swapfile.c | 12 +-
70817 mm/util.c | 6 +
70818 mm/vmalloc.c | 77 +-
70819 mm/vmstat.c | 10 +-
70820 net/8021q/vlan.c | 5 +-
70821 net/9p/mod.c | 4 +-
70822 net/9p/trans_fd.c | 2 +-
70823 net/atm/atm_misc.c | 8 +-
70824 net/atm/lec.h | 2 +-
70825 net/atm/proc.c | 6 +-
70826 net/atm/resources.c | 4 +-
70827 net/ax25/sysctl_net_ax25.c | 2 +-
70828 net/batman-adv/bat_iv_ogm.c | 8 +-
70829 net/batman-adv/hard-interface.c | 2 +-
70830 net/batman-adv/soft-interface.c | 4 +-
70831 net/batman-adv/types.h | 6 +-
70832 net/batman-adv/unicast.c | 2 +-
70833 net/bluetooth/hci_sock.c | 2 +-
70834 net/bluetooth/l2cap_core.c | 6 +-
70835 net/bluetooth/l2cap_sock.c | 12 +-
70836 net/bluetooth/rfcomm/sock.c | 4 +-
70837 net/bluetooth/rfcomm/tty.c | 10 +-
70838 net/bridge/netfilter/ebtables.c | 6 +-
70839 net/caif/cfctrl.c | 11 +-
70840 net/can/af_can.c | 2 +-
70841 net/can/gw.c | 6 +-
70842 net/ceph/messenger.c | 4 +-
70843 net/compat.c | 34 +-
70844 net/core/datagram.c | 2 +-
70845 net/core/dev.c | 16 +-
70846 net/core/flow.c | 8 +-
70847 net/core/iovec.c | 4 +-
70848 net/core/neighbour.c | 2 +-
70849 net/core/net-sysfs.c | 2 +-
70850 net/core/net_namespace.c | 8 +-
70851 net/core/netpoll.c | 4 +-
70852 net/core/rtnetlink.c | 13 +-
70853 net/core/scm.c | 8 +-
70854 net/core/skbuff.c | 6 +-
70855 net/core/sock.c | 24 +-
70856 net/core/sock_diag.c | 9 +-
70857 net/core/sysctl_net_core.c | 18 +-
70858 net/decnet/af_decnet.c | 1 +
70859 net/decnet/sysctl_net_decnet.c | 4 +-
70860 net/ieee802154/6lowpan.c | 2 +-
70861 net/ipv4/af_inet.c | 8 +-
70862 net/ipv4/devinet.c | 18 +-
70863 net/ipv4/fib_frontend.c | 6 +-
70864 net/ipv4/fib_semantics.c | 2 +-
70865 net/ipv4/inet_connection_sock.c | 2 +-
70866 net/ipv4/inetpeer.c | 4 +-
70867 net/ipv4/ip_fragment.c | 15 +-
70868 net/ipv4/ip_gre.c | 6 +-
70869 net/ipv4/ip_sockglue.c | 2 +-
70870 net/ipv4/ip_vti.c | 4 +-
70871 net/ipv4/ipconfig.c | 6 +-
70872 net/ipv4/ipip.c | 4 +-
70873 net/ipv4/netfilter/arp_tables.c | 12 +-
70874 net/ipv4/netfilter/ip_tables.c | 12 +-
70875 net/ipv4/ping.c | 14 +-
70876 net/ipv4/raw.c | 14 +-
70877 net/ipv4/route.c | 20 +-
70878 net/ipv4/sysctl_net_ipv4.c | 45 +-
70879 net/ipv4/tcp_input.c | 2 +-
70880 net/ipv4/tcp_probe.c | 2 +-
70881 net/ipv4/udp.c | 10 +-
70882 net/ipv4/xfrm4_policy.c | 14 +-
70883 net/ipv6/addrconf.c | 12 +-
70884 net/ipv6/datagram.c | 2 +-
70885 net/ipv6/icmp.c | 2 +-
70886 net/ipv6/ip6_gre.c | 8 +-
70887 net/ipv6/ip6_tunnel.c | 4 +-
70888 net/ipv6/ipv6_sockglue.c | 2 +-
70889 net/ipv6/netfilter/ip6_tables.c | 12 +-
70890 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
70891 net/ipv6/output_core.c | 15 +-
70892 net/ipv6/ping.c | 28 +-
70893 net/ipv6/raw.c | 19 +-
70894 net/ipv6/reassembly.c | 13 +-
70895 net/ipv6/route.c | 2 +-
70896 net/ipv6/sit.c | 4 +-
70897 net/ipv6/sysctl_net_ipv6.c | 2 +-
70898 net/ipv6/udp.c | 6 +-
70899 net/ipv6/xfrm6_policy.c | 13 +-
70900 net/irda/ircomm/ircomm_tty.c | 18 +-
70901 net/iucv/af_iucv.c | 4 +-
70902 net/iucv/iucv.c | 2 +-
70903 net/key/af_key.c | 4 +-
70904 net/mac80211/cfg.c | 8 +-
70905 net/mac80211/ieee80211_i.h | 3 +-
70906 net/mac80211/iface.c | 16 +-
70907 net/mac80211/main.c | 2 +-
70908 net/mac80211/pm.c | 6 +-
70909 net/mac80211/rate.c | 2 +-
70910 net/mac80211/rc80211_pid_debugfs.c | 2 +-
70911 net/mac80211/util.c | 4 +-
70912 net/netfilter/ipset/ip_set_core.c | 2 +-
70913 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
70914 net/netfilter/ipvs/ip_vs_core.c | 4 +-
70915 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
70916 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
70917 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
70918 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
70919 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
70920 net/netfilter/nf_conntrack_acct.c | 2 +-
70921 net/netfilter/nf_conntrack_ecache.c | 2 +-
70922 net/netfilter/nf_conntrack_helper.c | 2 +-
70923 net/netfilter/nf_conntrack_proto.c | 2 +-
70924 net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
70925 net/netfilter/nf_conntrack_standalone.c | 2 +-
70926 net/netfilter/nf_conntrack_timestamp.c | 2 +-
70927 net/netfilter/nf_log.c | 10 +-
70928 net/netfilter/nf_sockopt.c | 4 +-
70929 net/netfilter/nfnetlink_log.c | 4 +-
70930 net/netfilter/xt_statistic.c | 8 +-
70931 net/netlink/af_netlink.c | 4 +-
70932 net/netlink/genetlink.c | 16 +-
70933 net/packet/af_packet.c | 12 +-
70934 net/phonet/pep.c | 6 +-
70935 net/phonet/socket.c | 2 +-
70936 net/phonet/sysctl.c | 2 +-
70937 net/rds/cong.c | 6 +-
70938 net/rds/ib.h | 2 +-
70939 net/rds/ib_cm.c | 2 +-
70940 net/rds/ib_recv.c | 4 +-
70941 net/rds/iw.h | 2 +-
70942 net/rds/iw_cm.c | 2 +-
70943 net/rds/iw_recv.c | 4 +-
70944 net/rds/rds.h | 2 +-
70945 net/rds/tcp.c | 2 +-
70946 net/rds/tcp_send.c | 2 +-
70947 net/rxrpc/af_rxrpc.c | 2 +-
70948 net/rxrpc/ar-ack.c | 14 +-
70949 net/rxrpc/ar-call.c | 2 +-
70950 net/rxrpc/ar-connection.c | 2 +-
70951 net/rxrpc/ar-connevent.c | 2 +-
70952 net/rxrpc/ar-input.c | 4 +-
70953 net/rxrpc/ar-internal.h | 8 +-
70954 net/rxrpc/ar-local.c | 2 +-
70955 net/rxrpc/ar-output.c | 4 +-
70956 net/rxrpc/ar-peer.c | 2 +-
70957 net/rxrpc/ar-proc.c | 4 +-
70958 net/rxrpc/ar-transport.c | 2 +-
70959 net/rxrpc/rxkad.c | 4 +-
70960 net/sctp/ipv6.c | 6 +-
70961 net/sctp/protocol.c | 10 +-
70962 net/sctp/sm_sideeffect.c | 2 +-
70963 net/sctp/socket.c | 21 +-
70964 net/sctp/sysctl.c | 4 +-
70965 net/socket.c | 18 +-
70966 net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
70967 net/sunrpc/clnt.c | 4 +-
70968 net/sunrpc/sched.c | 4 +-
70969 net/sunrpc/svc.c | 4 +-
70970 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
70971 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
70972 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
70973 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
70974 net/tipc/link.c | 4 +-
70975 net/tipc/msg.c | 2 +-
70976 net/tipc/subscr.c | 2 +-
70977 net/unix/sysctl_net_unix.c | 2 +-
70978 net/wireless/wext-core.c | 19 +-
70979 net/xfrm/xfrm_policy.c | 27 +-
70980 net/xfrm/xfrm_state.c | 33 +-
70981 net/xfrm/xfrm_sysctl.c | 2 +-
70982 scripts/Makefile.build | 2 +-
70983 scripts/Makefile.clean | 3 +-
70984 scripts/Makefile.host | 28 +-
70985 scripts/basic/fixdep.c | 12 +-
70986 scripts/gcc-plugin.sh | 17 +
70987 scripts/headers_install.sh | 1 +
70988 scripts/link-vmlinux.sh | 2 +-
70989 scripts/mod/file2alias.c | 14 +-
70990 scripts/mod/modpost.c | 25 +-
70991 scripts/mod/modpost.h | 6 +-
70992 scripts/mod/sumversion.c | 2 +-
70993 scripts/package/builddeb | 1 +
70994 scripts/pnmtologo.c | 6 +-
70995 scripts/sortextable.h | 6 +-
70996 security/Kconfig | 690 +++-
70997 security/apparmor/lsm.c | 2 +-
70998 security/integrity/ima/ima.h | 4 +-
70999 security/integrity/ima/ima_api.c | 2 +-
71000 security/integrity/ima/ima_fs.c | 4 +-
71001 security/integrity/ima/ima_queue.c | 2 +-
71002 security/keys/compat.c | 2 +-
71003 security/keys/internal.h | 2 +-
71004 security/keys/key.c | 18 +-
71005 security/keys/keyctl.c | 8 +-
71006 security/keys/keyring.c | 6 +-
71007 security/security.c | 12 +-
71008 security/selinux/avc.c | 6 +-
71009 security/selinux/hooks.c | 6 +-
71010 security/selinux/include/xfrm.h | 2 +-
71011 security/smack/smack_lsm.c | 2 +-
71012 security/tomoyo/tomoyo.c | 2 +-
71013 security/yama/yama_lsm.c | 22 +-
71014 sound/aoa/codecs/onyx.c | 7 +-
71015 sound/aoa/codecs/onyx.h | 1 +
71016 sound/core/oss/pcm_oss.c | 18 +-
71017 sound/core/pcm_compat.c | 2 +-
71018 sound/core/pcm_native.c | 4 +-
71019 sound/core/seq/seq_device.c | 8 +-
71020 sound/core/sound.c | 2 +-
71021 sound/drivers/mts64.c | 14 +-
71022 sound/drivers/opl4/opl4_lib.c | 2 +-
71023 sound/drivers/portman2x4.c | 3 +-
71024 sound/firewire/amdtp.c | 4 +-
71025 sound/firewire/amdtp.h | 2 +-
71026 sound/firewire/isight.c | 10 +-
71027 sound/firewire/scs1x.c | 8 +-
71028 sound/oss/sb_audio.c | 2 +-
71029 sound/oss/swarm_cs4297a.c | 6 +-
71030 sound/pci/hda/hda_codec.c | 8 +-
71031 sound/pci/ymfpci/ymfpci.h | 2 +-
71032 sound/pci/ymfpci/ymfpci_main.c | 12 +-
71033 sound/soc/fsl/fsl_ssi.c | 2 +-
71034 tools/gcc/.gitignore | 1 +
71035 tools/gcc/Makefile | 45 +
71036 tools/gcc/checker_plugin.c | 172 +
71037 tools/gcc/colorize_plugin.c | 151 +
71038 tools/gcc/constify_plugin.c | 560 ++
71039 tools/gcc/generate_size_overflow_hash.sh | 94 +
71040 tools/gcc/kallocstat_plugin.c | 170 +
71041 tools/gcc/kernexec_plugin.c | 471 ++
71042 tools/gcc/latent_entropy_plugin.c | 321 +
71043 tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++
71044 tools/gcc/size_overflow_plugin.c | 2113 +++++++
71045 tools/gcc/stackleak_plugin.c | 327 +
71046 tools/gcc/structleak_plugin.c | 277 +
71047 tools/lib/lk/Makefile | 2 +-
71048 tools/perf/util/include/asm/alternative-asm.h | 3 +
71049 tools/perf/util/include/linux/compiler.h | 8 +
71050 virt/kvm/kvm_main.c | 32 +-
71051 1664 files changed, 32957 insertions(+), 7636 deletions(-)
71052commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
71053Merge: c3ccfb2 777e08c
71054Author: Brad Spengler <spender@grsecurity.net>
71055Date: Sun Sep 8 19:49:04 2013 -0400
71056
71057 Merge branch 'pax-test' into grsec-test
71058
71059commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
71060Author: Brad Spengler <spender@grsecurity.net>
71061Date: Sun Sep 8 19:47:32 2013 -0400
71062
71063 Update to pax-linux-3.10.11-test26.patch:
71064 - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
71065 - fixed an uninitialized read in splice, reported by hunger
71066
71067 fs/splice.c | 1 +
71068 include/linux/syscalls.h | 14 +-
71069 tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++----------------
71070 3 files changed, 247 insertions(+), 194 deletions(-)
71071
71072commit 5c3161364270c842d901789faac731f79a9f9cd6
71073Merge: cf9c476 85cdabb
71074Author: Brad Spengler <spender@grsecurity.net>
71075Date: Sun Sep 8 19:24:25 2013 -0400
71076
71077 Merge branch 'linux-3.10.y' into pax-test
71078
71079commit c3ccfb29794a03413095422100ce90d40ef7df0f
71080Author: Jakob Bornecrantz <jakob@vmware.com>
71081Date: Thu Aug 29 02:32:53 2013 +0200
71082
71083 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
71084
71085 drm/vmwgfx: Split GMR2_REMAP commands if they are to large
71086
71087 This fixes the piglit test texturing/max-texture-size
71088 causing the VM to die due to a too large SVGA command.
71089
71090 Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
71091 Reviewed-by: Biran Paul <brianp@vmware.com>
71092 Reviewed-by: Zack Rusin <zackr@vmware.com>
71093 Cc: stable@vger.kernel.org
71094 Signed-off-by: Dave Airlie <airlied@gmail.com>
71095
71096 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
71097 1 files changed, 39 insertions(+), 19 deletions(-)
71098
71099commit d260badf708d6aa16c44f56f54727532dcae826e
71100Author: Daniel Borkmann <dborkman@redhat.com>
71101Date: Tue Sep 3 19:29:12 2013 +0200
71102
71103 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
71104
71105 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
71106
71107 In tcp_v6_do_rcv() code, when processing pkt options, we soley work
71108 on our skb clone opt_skb that we've created earlier before entering
71109 tcp_rcv_established() on our way. However, only in condition ...
71110
71111 if (np->rxopt.bits.rxtclass)
71112 np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
71113
71114 ... we work on skb itself. As we extract every other information out
71115 of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
71116 already be released by tcp_rcv_established() earlier on. When we try
71117 to access it in ipv6_hdr(), we will dereference freed skb.
71118
71119 [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
71120 IP_PKTOPTIONS") ]
71121
71122 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
71123 Cc: Eric Dumazet <eric.dumazet@gmail.com>
71124 Acked-by: Eric Dumazet <edumazet@google.com>
71125 Acked-by: Jiri Benc <jbenc@redhat.com>
71126 Signed-off-by: David S. Miller <davem@davemloft.net>
71127
71128 net/ipv6/tcp_ipv6.c | 2 +-
71129 1 files changed, 1 insertions(+), 1 deletions(-)
71130
71131commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
71132Author: Dan Carpenter <dan.carpenter@oracle.com>
71133Date: Thu Aug 29 11:47:00 2013 +0300
71134
71135 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
71136
71137 mISDN: return -EINVAL on error in dsp_control_req()
71138
71139 If skb->len is too short then we should return an error. Otherwise we
71140 read beyond the end of skb->data for several bytes.
71141
71142 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
71143 Signed-off-by: David S. Miller <davem@davemloft.net>
71144
71145 drivers/isdn/mISDN/dsp_core.c | 4 +++-
71146 1 files changed, 3 insertions(+), 1 deletions(-)
71147
71148commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
71149Author: Brad Spengler <spender@grsecurity.net>
71150Date: Thu Sep 5 19:36:23 2013 -0400
71151
71152 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
71153
71154 grsecurity/Kconfig | 3 ++-
71155 1 files changed, 2 insertions(+), 1 deletions(-)
71156
71157commit da68dbcd96c617923a0aedb177d36b2701f9c858
71158Author: Brad Spengler <spender@grsecurity.net>
71159Date: Thu Sep 5 19:17:02 2013 -0400
71160
71161 Allow the deny_new_usb sysctl to be toggled off by a user with
71162 CAP_SYS_ADMIN. This allows for more inventive uses of the feature
71163 that would be impossible otherwise (like toggling it while the screen is
71164 locked, etc)
71165
71166 grsecurity/grsec_sysctl.c | 4 +---
71167 1 files changed, 1 insertions(+), 3 deletions(-)
71168
71169commit ce0e893adc830ee110f97071cc17e661fb35ae3d
71170Author: Brad Spengler <spender@grsecurity.net>
71171Date: Thu Sep 5 18:41:49 2013 -0400
71172
71173 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
71174 GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
71175 users who know they want the functionality but don't want to bother
71176 with modifying init scripts
71177
71178 Also eliminate reset_security_ops() as a ROP target when
71179 SECURITY_SELINUX_DISABLE is disabled as it's the only user
71180
71181 grsecurity/Kconfig | 17 ++++++++++++++++-
71182 grsecurity/grsec_init.c | 3 +++
71183 grsecurity/grsec_sysctl.c | 2 +-
71184 security/security.c | 4 ++++
71185 4 files changed, 24 insertions(+), 2 deletions(-)
71186
71187commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
71188Merge: 7ee3899 cf9c476
71189Author: Brad Spengler <spender@grsecurity.net>
71190Date: Sun Sep 1 13:56:57 2013 -0400
71191
71192 Merge branch 'pax-test' into grsec-test
71193
71194commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
71195Author: Brad Spengler <spender@grsecurity.net>
71196Date: Sun Sep 1 13:56:16 2013 -0400
71197
71198 Update to pax-linux-3.10.10-test25.patch:
71199 - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
71200 - got inet_getid and ipv6_select_ident rid of the cmpxchg loop
71201
71202 block/blk-cgroup.c | 4 ++--
71203 drivers/video/hyperv_fb.c | 4 ++--
71204 fs/namespace.c | 4 ++--
71205 include/net/inetpeer.h | 13 +++++--------
71206 kernel/trace/trace_clock.c | 4 ++--
71207 net/ipv6/output_core.c | 15 ++++++---------
71208 net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
71209 7 files changed, 21 insertions(+), 27 deletions(-)
71210
71211commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
71212Merge: fd0338c 2bdeae7
71213Author: Brad Spengler <spender@grsecurity.net>
71214Date: Sat Aug 31 22:07:38 2013 -0400
71215
71216 Merge branch 'pax-test' into grsec-test
71217
71218commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
71219Author: Brad Spengler <spender@grsecurity.net>
71220Date: Sat Aug 31 22:06:55 2013 -0400
71221
71222 Update to pax-linux-3.10.10-test24.patch:
71223 - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
71224 - fixed a bunch more after a quick audit of atomic_inc_return users
71225
71226 drivers/acpi/apei/ghes.c | 4 ++--
71227 drivers/ata/libata-core.c | 4 ++--
71228 drivers/ata/libata-scsi.c | 2 +-
71229 drivers/ata/libata.h | 2 +-
71230 drivers/block/drbd/drbd_nl.c | 4 ++--
71231 drivers/crypto/hifn_795x.c | 4 ++--
71232 drivers/edac/edac_device.c | 4 ++--
71233 drivers/edac/edac_pci.c | 4 ++--
71234 drivers/firewire/core-card.c | 4 ++--
71235 drivers/hv/hv_balloon.c | 18 +++++++++---------
71236 drivers/infiniband/hw/mlx4/mad.c | 2 +-
71237 drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
71238 drivers/input/misc/ims-pcu.c | 4 ++--
71239 drivers/input/serio/serio_raw.c | 4 ++--
71240 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
71241 drivers/media/radio/radio-maxiradio.c | 2 +-
71242 drivers/media/radio/radio-shark.c | 2 +-
71243 drivers/media/radio/radio-shark2.c | 2 +-
71244 drivers/media/radio/radio-si476x.c | 2 +-
71245 drivers/media/rc/rc-main.c | 4 ++--
71246 drivers/media/v4l2-core/v4l2-device.c | 4 ++--
71247 drivers/net/usb/sierra_net.c | 4 ++--
71248 drivers/pci/hotplug/pciehp_hpc.c | 4 +---
71249 drivers/regulator/core.c | 4 ++--
71250 drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------
71251 drivers/staging/android/timed_output.c | 6 +++---
71252 drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
71253 drivers/staging/media/solo6x10/solo6x10.h | 2 +-
71254 drivers/target/sbp/sbp_target.c | 4 ++--
71255 drivers/tty/hvc/hvsi.c | 12 ++++++------
71256 drivers/tty/hvc/hvsi_lib.c | 6 +++---
71257 drivers/tty/serial/ioc4_serial.c | 6 +++---
71258 drivers/tty/serial/msm_serial.c | 4 ++--
71259 drivers/usb/misc/appledisplay.c | 4 ++--
71260 fs/afs/inode.c | 4 ++--
71261 fs/btrfs/delayed-inode.c | 6 +++---
71262 fs/btrfs/delayed-inode.h | 4 ++--
71263 fs/fscache/cookie.c | 4 ++--
71264 include/media/v4l2-device.h | 2 +-
71265 net/ceph/messenger.c | 4 ++--
71266 net/core/netpoll.c | 4 ++--
71267 net/xfrm/xfrm_state.c | 4 ++--
71268 security/selinux/avc.c | 6 +++---
71269 43 files changed, 93 insertions(+), 95 deletions(-)
71270
71271commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
71272Merge: 1bdf7ec 85099d2
71273Author: Brad Spengler <spender@grsecurity.net>
71274Date: Sat Aug 31 21:07:29 2013 -0400
71275
71276 Merge branch 'pax-test' into grsec-test
71277
71278commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
71279Author: Brad Spengler <spender@grsecurity.net>
71280Date: Sat Aug 31 21:06:55 2013 -0400
71281
71282 Update to pax-linux-3.10.10-test23.patch:
71283 - added the necessary atomic_unchecked_t conversion for mips
71284 - audited and fixed arm and sparc for proper atomic_unchecked_t usage
71285
71286 arch/arm/kvm/arm.c | 8 ++++----
71287 arch/arm/mm/context.c | 10 +++++-----
71288 arch/mips/kernel/irq.c | 6 +++---
71289 arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------
71290 arch/mips/sgi-ip27/ip27-nmi.c | 6 +++---
71291 arch/sparc/kernel/smp_64.c | 12 ++++++------
71292 arch/sparc/kernel/traps_64.c | 14 +++++++-------
71293 arch/sparc/mm/init_64.c | 10 +++++-----
71294 8 files changed, 45 insertions(+), 45 deletions(-)
71295
71296commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
71297Merge: 995a168 38ee86c
71298Author: Brad Spengler <spender@grsecurity.net>
71299Date: Fri Aug 30 19:23:36 2013 -0400
71300
71301 Merge branch 'pax-test' into grsec-test
71302
71303commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
71304Author: Brad Spengler <spender@grsecurity.net>
71305Date: Fri Aug 30 19:23:11 2013 -0400
71306
71307 Update to pax-linux-3.10.10-test22.patch:
71308 - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
71309 - fixed a few more format strings
71310
71311 arch/mips/include/asm/atomic.h | 20 ++++++++++++++++----
71312 drivers/md/bcache/super.c | 2 +-
71313 drivers/net/wireless/iwlwifi/dvm/main.c | 3 +--
71314 drivers/pci/hotplug/pciehp_hpc.c | 2 +-
71315 drivers/platform/x86/wmi.c | 2 +-
71316 drivers/scsi/sd.c | 2 +-
71317 drivers/vfio/vfio.c | 4 ++--
71318 fs/ntfs/super.c | 6 +++---
71319 include/linux/workqueue.h | 6 +++---
71320 net/mac80211/main.c | 2 +-
71321 sound/pci/hda/hda_codec.c | 8 ++------
71322 11 files changed, 32 insertions(+), 25 deletions(-)
71323
71324commit 995a16841e2097c3a9dfc652e856469679c4a0ba
71325Author: Brad Spengler <spender@grsecurity.net>
71326Date: Fri Aug 30 17:11:11 2013 -0400
71327
71328 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
71329
71330 grsecurity/grsec_sysctl.c | 7 ++++---
71331 1 files changed, 4 insertions(+), 3 deletions(-)
71332
71333commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
71334Merge: be2497c 1052971
71335Author: Brad Spengler <spender@grsecurity.net>
71336Date: Thu Aug 29 20:44:29 2013 -0400
71337
71338 Merge branch 'pax-test' into grsec-test
71339
71340 Conflicts:
71341 include/linux/sched.h
71342
71343commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
71344Merge: e902dad 8bf3379
71345Author: Brad Spengler <spender@grsecurity.net>
71346Date: Thu Aug 29 20:39:50 2013 -0400
71347
71348 Update to pax-linux-3.10.10-test21.patch
71349
71350 Merge branch 'linux-3.10.y' into pax-test
71351
71352 Conflicts:
71353 arch/x86/kernel/sys_x86_64.c
71354 arch/x86/mm/mmap.c
71355 include/linux/sched.h
71356
71357commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
71358Merge: 081c22b e902dad
71359Author: Brad Spengler <spender@grsecurity.net>
71360Date: Wed Aug 28 20:52:44 2013 -0400
71361
71362 Merge branch 'pax-test' into grsec-test
71363
71364commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
71365Author: Brad Spengler <spender@grsecurity.net>
71366Date: Wed Aug 28 20:51:21 2013 -0400
71367
71368 Update to pax-linux-3.10.9-test21.patch:
71369 - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
71370 - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
71371 - fixed a REFCOUNT false positive in UHID
71372 - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
71373 Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
71374 (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
71375 - icmpv6_filter: no memory corruption, probably just some logical error in the caller
71376 - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
71377 - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
71378 - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
71379 - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
71380 - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
71381
71382 arch/arm/mm/fault.c | 2 +-
71383 arch/mips/kernel/traps.c | 2 --
71384 drivers/hid/uhid.c | 6 +++---
71385 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
71386 drivers/isdn/i4l/isdn_common.c | 2 ++
71387 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
71388 drivers/usb/dwc3/gadget.c | 2 --
71389 net/ieee802154/6lowpan.c | 2 +-
71390 net/ipv6/raw.c | 2 +-
71391 net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
71392 10 files changed, 14 insertions(+), 16 deletions(-)
71393
71394commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
71395Author: Brad Spengler <spender@grsecurity.net>
71396Date: Wed Aug 28 20:42:39 2013 -0400
71397
71398 add export of gr_handle_new_usb()
71399
71400 grsecurity/grsec_usb.c | 2 ++
71401 1 files changed, 2 insertions(+), 0 deletions(-)
71402
71403commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
71404Author: Brad Spengler <spender@grsecurity.net>
71405Date: Wed Aug 28 19:24:47 2013 -0400
71406
71407 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
71408 Kees' recent findings are motivation enough to publish it
71409
71410 drivers/usb/core/hub.c | 5 +++++
71411 grsecurity/Kconfig | 20 ++++++++++++++++++++
71412 grsecurity/Makefile | 3 ++-
71413 grsecurity/grsec_init.c | 1 +
71414 grsecurity/grsec_sysctl.c | 11 +++++++++++
71415 grsecurity/grsec_usb.c | 13 +++++++++++++
71416 include/linux/grinternal.h | 1 +
71417 include/linux/grsecurity.h | 2 ++
71418 8 files changed, 55 insertions(+), 1 deletions(-)
71419
71420commit 8044382257ec75a03f3d784ce048ef14e94b90ca
71421Author: Kees Cook <keescook@chromium.org>
71422Date: Wed Aug 14 09:35:07 2013 -0700
71423
71424 HID: zeroplus: validate output report details
71425
71426 The zeroplus HID driver was not checking the size of allocated values
71427 in fields it used. A HID device could send a malicious output report
71428 that would cause the driver to write beyond the output report allocation
71429 during initialization, causing a heap overflow:
71430
71431 [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
71432 ...
71433 [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
71434
71435 CVE-2013-2889
71436
71437 Signed-off-by: Kees Cook <keescook@chromium.org>
71438 Cc: stable@kernel.org
71439
71440 drivers/hid/hid-zpff.c | 14 ++------------
71441 1 files changed, 2 insertions(+), 12 deletions(-)
71442
71443commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
71444Author: Kees Cook <keescook@chromium.org>
71445Date: Wed Aug 14 14:36:15 2013 -0700
71446
71447 HID: provide a helper for validating hid reports
71448
71449 Many drivers need to validate the characteristics of their HID report
71450 during initialization to avoid misusing the reports. This adds a common
71451 helper to perform validation of the report, its field count, and the
71452 value count within the fields.
71453
71454 Signed-off-by: Kees Cook <keescook@chromium.org>
71455 Cc: stable@kernel.org
71456
71457 drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
71458 include/linux/hid.h | 4 +++
71459 2 files changed, 54 insertions(+), 0 deletions(-)
71460
71461commit 270ba9096ddecdc3cf6c4d76e6892184820116be
71462Author: Kees Cook <keescook@chromium.org>
71463Date: Wed Aug 14 09:14:34 2013 -0700
71464
71465 HID: steelseries: validate output report details
71466
71467 A HID device could send a malicious output report that would cause the
71468 steelseries HID driver to write beyond the output report allocation
71469 during initialization, causing a heap overflow:
71470
71471 [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
71472 ...
71473 [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
71474
71475 CVE-2013-2891
71476
71477 Signed-off-by: Kees Cook <keescook@chromium.org>
71478 Cc: stable@kernel.org
71479
71480 drivers/hid/hid-steelseries.c | 5 +++++
71481 1 files changed, 5 insertions(+), 0 deletions(-)
71482
71483commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
71484Author: Kees Cook <keescook@chromium.org>
71485Date: Wed Aug 14 08:49:21 2013 -0700
71486
71487 HID: pantherlord: validate output report details
71488
71489 A HID device could send a malicious output report that would cause the
71490 pantherlord HID driver to write beyond the output report allocation
71491 during initialization, causing a heap overflow:
71492
71493 [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
71494 ...
71495 [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
71496
71497 CVE-2013-2892
71498
71499 Signed-off-by: Kees Cook <keescook@chromium.org>
71500 Cc: stable@kernel.org
71501
71502 drivers/hid/hid-pl.c | 10 ++++++++--
71503 1 files changed, 8 insertions(+), 2 deletions(-)
71504
71505commit 60115e8108e508060815bce5ef9504233c81898c
71506Author: Kees Cook <keescook@chromium.org>
71507Date: Tue Aug 13 16:49:01 2013 -0700
71508
71509 HID: LG: validate HID output report details
71510
71511 A HID device could send a malicious output report that would cause the
71512 lg, lg3, and lg4 HID drivers to write beyond the output report allocation
71513 during an event, causing a heap overflow:
71514
71515 [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
71516 ...
71517 [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
71518
71519 Additionally, while lg2 did correctly validate the report details, it was
71520 cleaned up and shortened.
71521
71522 CVE-2013-2893
71523
71524 Signed-off-by: Kees Cook <keescook@chromium.org>
71525 Cc: stable@kernel.org
71526
71527 drivers/hid/hid-lg2ff.c | 19 +++----------------
71528 drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
71529 drivers/hid/hid-lg4ff.c | 20 +-------------------
71530 drivers/hid/hid-lgff.c | 17 ++---------------
71531 4 files changed, 12 insertions(+), 73 deletions(-)
71532
71533commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
71534Author: Kees Cook <keescook@chromium.org>
71535Date: Thu Aug 15 23:21:23 2013 -0700
71536
71537 HID: lenovo-tpkbd: validate output report details
71538
71539 A HID device could send a malicious output report that would cause the
71540 lenovo-tpkbd HID driver to write just beyond the output report allocation
71541 during initialization, causing a heap overflow:
71542
71543 [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
71544 ...
71545 [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
71546
71547 CVE-2013-2894
71548
71549 Signed-off-by: Kees Cook <keescook@chromium.org>
71550 Cc: stable@kernel.org
71551
71552 drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
71553 1 files changed, 5 insertions(+), 0 deletions(-)
71554
71555commit 38627769bb2b9a550e251b2caf1babda7566fb4a
71556Author: Kees Cook <keescook@chromium.org>
71557Date: Thu Aug 15 23:45:03 2013 -0700
71558
71559 HID: logitech-dj: validate output report details
71560
71561 A HID device could send a malicious output report that would cause the
71562 logitech-dj HID driver to leak kernel memory contents to the device, or
71563 trigger a NULL dereference during initialization:
71564
71565 [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
71566 ...
71567 [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
71568 [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
71569
71570 CVE-2013-2895
71571
71572 Signed-off-by: Kees Cook <keescook@chromium.org>
71573 Cc: stable@kernel.org
71574
71575 drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
71576 1 files changed, 10 insertions(+), 2 deletions(-)
71577
71578commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
71579Author: Kees Cook <keescook@chromium.org>
71580Date: Fri Aug 16 00:18:15 2013 -0700
71581
71582 HID: ntrig: validate feature report details
71583
71584 A HID device could send a malicious feature report that would cause the
71585 ntrig HID driver to trigger a NULL dereference during initialization:
71586
71587 [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
71588 ...
71589 [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
71590 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
71591
71592 CVE-2013-2896
71593
71594 Signed-off-by: Kees Cook <keescook@chromium.org>
71595 Cc: stable@kernel.org
71596
71597 drivers/hid/hid-ntrig.c | 3 ++-
71598 1 files changed, 2 insertions(+), 1 deletions(-)
71599
71600commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
71601Author: Kees Cook <keescook@chromium.org>
71602Date: Fri Aug 16 00:11:32 2013 -0700
71603
71604 HID: multitouch: validate feature report details
71605
71606 When working on report indexes, always validate that they are in bounds.
71607 Without this, a HID device could report a malicious feature report that
71608 could trick the driver into a heap overflow:
71609
71610 [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
71611 ...
71612 [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
71613
71614 CVE-2013-2897
71615
71616 Signed-off-by: Kees Cook <keescook@chromium.org>
71617 Cc: stable@kernel.org
71618
71619 drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
71620 1 files changed, 20 insertions(+), 5 deletions(-)
71621
71622commit 813f51e0881e4ea6d221da828b1cced02ad9694d
71623Author: Kees Cook <keescook@chromium.org>
71624Date: Fri Aug 16 08:12:45 2013 -0700
71625
71626 HID: sensor-hub: validate feature report details
71627
71628 A HID device could send a malicious feature report that would cause the
71629 sensor-hub HID driver to read past the end of heap allocation, leaking
71630 kernel memory contents to the caller.
71631
71632 CVE-2013-2898
71633
71634 Signed-off-by: Kees Cook <keescook@chromium.org>
71635 Cc: stable@kernel.org
71636
71637 drivers/hid/hid-sensor-hub.c | 3 ++-
71638 1 files changed, 2 insertions(+), 1 deletions(-)
71639
71640commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
71641Author: Kees Cook <keescook@chromium.org>
71642Date: Fri Aug 16 08:05:10 2013 -0700
71643
71644 HID: picolcd_core: validate output report details
71645
71646 A HID device could send a malicious output report that would cause the
71647 picolcd HID driver to trigger a NULL dereference during attr file writing.
71648
71649 CVE-2013-2899
71650
71651 Signed-off-by: Kees Cook <keescook@chromium.org>
71652 Cc: stable@kernel.org
71653
71654 drivers/hid/hid-picolcd_core.c | 2 +-
71655 1 files changed, 1 insertions(+), 1 deletions(-)
71656
71657commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
71658Author: Kees Cook <keescook@chromium.org>
71659Date: Fri Aug 16 08:09:54 2013 -0700
71660
71661 HID: check for NULL field when setting values
71662
71663 Defensively check that the field to be worked on is not NULL.
71664
71665 Signed-off-by: Kees Cook <keescook@chromium.org>
71666 Cc: stable@kernel.org
71667
71668 drivers/hid/hid-core.c | 7 ++++++-
71669 1 files changed, 6 insertions(+), 1 deletions(-)
71670
71671commit 96a55ce1b2f3af376c400a02059174e79ce4399c
71672Author: Brad Spengler <spender@grsecurity.net>
71673Date: Wed Aug 28 18:09:18 2013 -0400
71674
71675 http://marc.info/?l=linux-input&m=137772180514608&q=raw
71676
71677 From: Kees Cook <keescook@chromium.org>
71678
71679 The "Report ID" field of a HID report is used to build indexes of
71680 reports. The kernel's index of these is limited to 256 entries, so any
71681 malicious device that sets a Report ID greater than 255 will trigger
71682 memory corruption on the host:
71683
71684 [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
71685 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
71686
71687 CVE-2013-2888
71688
71689 Signed-off-by: Kees Cook <keescook@chromium.org>
71690 Cc: stable@kernel.org
71691 ---
71692 drivers/hid/hid-core.c | 10 +++++++---
71693 include/linux/hid.h | 4 +++-
71694 2 files changed, 10 insertions(+), 4 deletions(-)
71695
71696 drivers/hid/hid-core.c | 10 +++++++---
71697 include/linux/hid.h | 4 +++-
71698 2 files changed, 10 insertions(+), 4 deletions(-)
71699
71700commit eb1106eef5f17bfda833ca3cf89e315919173257
71701Author: Dan Carpenter <dan.carpenter@oracle.com>
71702Date: Fri Aug 9 12:52:31 2013 +0300
71703
71704 Upstream commit: 909bd5926d474e275599094acad986af79671ac9
71705
71706 Hostap: copying wrong data prism2_ioctl_giwaplist()
71707
71708 We want the data stored in "addr" and "qual", but the extra ampersands
71709 mean we are copying stack data instead.
71710
71711 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
71712 Cc: stable@vger.kernel.org
71713 Signed-off-by: John W. Linville <linville@tuxdriver.com>
71714
71715 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
71716 1 files changed, 2 insertions(+), 2 deletions(-)
71717
71718commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
71719Author: Brad Spengler <spender@grsecurity.net>
71720Date: Wed Aug 28 17:01:21 2013 -0400
71721
71722 fix typo in ipv6 backport
71723
71724 net/ipv6/addrconf.c | 2 +-
71725 1 files changed, 1 insertions(+), 1 deletions(-)
71726
71727commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
71728Author: Andy Lutomirski <luto@amacapital.net>
71729Date: Thu Aug 22 11:39:15 2013 -0700
71730
71731 Upstream commit: d661684cf6820331feae71146c35da83d794467e
71732
71733 net: Check the correct namespace when spoofing pid over SCM_RIGHTS
71734
71735 This is a security bug.
71736
71737 The follow-up will fix nsproxy to discourage this type of issue from
71738 happening again.
71739
71740 Cc: stable@vger.kernel.org
71741 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
71742 Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
71743 Signed-off-by: David S. Miller <davem@davemloft.net>
71744
71745 net/core/scm.c | 2 +-
71746 1 files changed, 1 insertions(+), 1 deletions(-)
71747
71748commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
71749Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
71750Date: Fri Aug 16 13:02:27 2013 +0200
71751
71752 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
71753
71754 ipv6: remove max_addresses check from ipv6_create_tempaddr
71755
71756 Because of the max_addresses check attackers were able to disable privacy
71757 extensions on an interface by creating enough autoconfigured addresses:
71758
71759 <http://seclists.org/oss-sec/2012/q4/292>
71760
71761 But the check is not actually needed: max_addresses protects the
71762 kernel to install too many ipv6 addresses on an interface and guards
71763 addrconf_prefix_rcv to install further addresses as soon as this limit
71764 is reached. We only generate temporary addresses in direct response of
71765 a new address showing up. As soon as we filled up the maximum number of
71766 addresses of an interface, we stop installing more addresses and thus
71767 also stop generating more temp addresses.
71768
71769 Even if the attacker tries to generate a lot of temporary addresses
71770 by announcing a prefix and removing it again (lifetime == 0) we won't
71771 install more temp addresses, because the temporary addresses do count
71772 to the maximum number of addresses, thus we would stop installing new
71773 autoconfigured addresses when the limit is reached.
71774
71775 This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
71776 possible).
71777
71778 Thanks to Ding Tianhong to bring this topic up again.
71779
71780 Cc: Ding Tianhong <dingtianhong@huawei.com>
71781 Cc: George Kargiotakis <kargig@void.gr>
71782 Cc: P J P <ppandit@redhat.com>
71783 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
71784 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
71785 Acked-by: Ding Tianhong <dingtianhong@huawei.com>
71786 Signed-off-by: David S. Miller <davem@davemloft.net>
71787
71788 Conflicts:
71789
71790 net/ipv6/addrconf.c
71791
71792 net/ipv6/addrconf.c | 10 ++++------
71793 1 files changed, 4 insertions(+), 6 deletions(-)
71794
71795commit 8333e0981469a226a47d0142ff31090a48db95a4
71796Author: David Vrabel <david.vrabel@citrix.com>
71797Date: Thu Aug 15 13:21:06 2013 +0100
71798
71799 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
71800
71801 xen/events: initialize local per-cpu mask for all possible events
71802
71803 The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
71804 resulting in only the first 64 (or 32 in 32-bit guests) ports having
71805 their bindings being initialized to VCPU 0.
71806
71807 In most cases this does not cause a problem as request_irq() will set
71808 the irq affinity which will set the correct local per-cpu mask.
71809 However, if the request_irq() is called on a VCPU other than 0, there
71810 is a window between the unmasking of the event and the affinity being
71811 set were an event may be lost because it is not locally unmasked on
71812 any VCPU. If request_irq() is called on VCPU 0 then local irqs are
71813 disabled during the window and the race does not occur.
71814
71815 Fix this by initializing all NR_EVENT_CHANNEL bits in the local
71816 per-cpu masks.
71817
71818 Signed-off-by: David Vrabel <david.vrabel@citrix.com>
71819 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
71820 CC: stable@vger.kernel.org
71821
71822 drivers/xen/events.c | 2 +-
71823 1 files changed, 1 insertions(+), 1 deletions(-)
71824
71825commit 2a9a83768433937a2b7a97001ba1627156c0efed
71826Author: Roland Dreier <roland@purestorage.com>
71827Date: Mon Aug 5 17:55:01 2013 -0700
71828
71829 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
71830
71831 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
71832
71833 There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
71834 leads to one process writing data into the address space of some other
71835 random unrelated process if the ioctl is interrupted by a signal.
71836 What happens is the following:
71837
71838 - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
71839 underlying SCSI command will transfer data from the SCSI device to
71840 the buffer provided in the ioctl)
71841
71842 - Before the command finishes, a signal is sent to the process waiting
71843 in the ioctl. This will end up waking up the sg_ioctl() code:
71844
71845 result = wait_event_interruptible(sfp->read_wait,
71846 (srp_done(sfp, srp) || sdp->detached));
71847
71848 but neither srp_done() nor sdp->detached is true, so we end up just
71849 setting srp->orphan and returning to userspace:
71850
71851 srp->orphan = 1;
71852 write_unlock_irq(&sfp->rq_list_lock);
71853 return result; /* -ERESTARTSYS because signal hit process */
71854
71855 At this point the original process is done with the ioctl and
71856 blithely goes ahead handling the signal, reissuing the ioctl, etc.
71857
71858 - Eventually, the SCSI command issued by the first ioctl finishes and
71859 ends up in sg_rq_end_io(). At the end of that function, we run through:
71860
71861 write_lock_irqsave(&sfp->rq_list_lock, iflags);
71862 if (unlikely(srp->orphan)) {
71863 if (sfp->keep_orphan)
71864 srp->sg_io_owned = 0;
71865 else
71866 done = 0;
71867 }
71868 srp->done = done;
71869 write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
71870
71871 if (likely(done)) {
71872 /* Now wake up any sg_read() that is waiting for this
71873 * packet.
71874 */
71875 wake_up_interruptible(&sfp->read_wait);
71876 kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
71877 kref_put(&sfp->f_ref, sg_remove_sfp);
71878 } else {
71879 INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
71880 schedule_work(&srp->ew.work);
71881 }
71882
71883 Since srp->orphan *is* set, we set done to 0 (assuming the
71884 userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
71885 ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
71886 to run in a workqueue.
71887
71888 - In workqueue context we go through sg_rq_end_io_usercontext() ->
71889 sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
71890 bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
71891
71892 The key point here is that we are doing copy_to_user() on a
71893 workqueue -- that is, we're on a kernel thread with current->mm
71894 equal to whatever random previous user process was scheduled before
71895 this kernel thread. So we end up copying whatever data the SCSI
71896 command returned to the virtual address of the buffer passed into
71897 the original ioctl, but it's quite likely we do this copying into a
71898 different address space!
71899
71900 As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
71901 add a check for current->mm (which is NULL if we're on a kernel thread
71902 without a real userspace address space) in bio_uncopy_user(), and skip
71903 the copy if we're on a kernel thread.
71904
71905 There's no reason that I can think of for any caller of bio_uncopy_user()
71906 to want to do copying on a kernel thread with a random active userspace
71907 address space.
71908
71909 Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
71910 original pointer to this bug in the sg code.
71911
71912 Signed-off-by: Roland Dreier <roland@purestorage.com>
71913 Tested-by: David Milburn <dmilburn@redhat.com>
71914 Cc: Jens Axboe <axboe@kernel.dk>
71915 Cc: <stable@vger.kernel.org>
71916 Signed-off-by: James Bottomley <JBottomley@Parallels.com>
71917
71918 fs/bio.c | 20 +++++++++++++++-----
71919 1 files changed, 15 insertions(+), 5 deletions(-)
71920
71921commit e6fe57dee152671afd618d6bc8cbf23155be6c34
71922Merge: cdc8f7d f2095a4
71923Author: Brad Spengler <spender@grsecurity.net>
71924Date: Tue Aug 27 18:13:35 2013 -0400
71925
71926 Merge branch 'pax-test' into grsec-test
71927
71928 Conflicts:
71929 arch/arm/mm/fault.c
71930 security/Kconfig
71931
71932commit f2095a4787f7d332e5919f0bd00f8de6021ad612
71933Author: Brad Spengler <spender@grsecurity.net>
71934Date: Tue Aug 27 18:08:23 2013 -0400
71935
71936 Update to pax-linux-3.10.9-test20.patch:
71937 - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
71938 - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
71939 - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
71940 - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
71941 - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
71942 - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
71943 - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)
71944
71945 arch/arm/mm/fault.c | 11 +-
71946 arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++--
71947 arch/mips/kernel/traps.c | 14 +-
71948 arch/x86/include/asm/tlbflush.h | 4 +
71949 arch/x86/include/asm/uaccess_64.h | 2 +-
71950 fs/ntfs/file.c | 2 +-
71951 kernel/events/internal.h | 4 +-
71952 kernel/events/uprobes.c | 2 +-
71953 kernel/futex.c | 2 +-
71954 mm/filemap.c | 8 +-
71955 security/Kconfig | 2 +-
71956 tools/gcc/kernexec_plugin.c | 18 +-
71957 tools/gcc/latent_entropy_plugin.c | 26 +-
71958 tools/gcc/size_overflow_plugin.c | 3 +-
71959 14 files changed, 750 insertions(+), 70 deletions(-)
71960
71961commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
71962Merge: 5a9ae57 745975e
71963Author: Brad Spengler <spender@grsecurity.net>
71964Date: Mon Aug 26 20:27:33 2013 -0400
71965
71966 Merge branch 'pax-test' into grsec-test
71967
71968commit 745975e3b3b74b64e00e85778f9a22714d1274f2
71969Author: Brad Spengler <spender@grsecurity.net>
71970Date: Mon Aug 26 20:26:33 2013 -0400
71971
71972 Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
71973 as reported by fabled on the forums:
71974 http://forums.grsecurity.net/viewtopic.php?f=1&t=3720
71975
71976 arch/arm/include/asm/pgtable.h | 4 +---
71977 1 files changed, 1 insertions(+), 3 deletions(-)
71978
71979commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
71980Merge: 486ec00 f68df21
71981Author: Brad Spengler <spender@grsecurity.net>
71982Date: Tue Aug 20 20:15:20 2013 -0400
71983
71984 Merge branch 'pax-test' into grsec-test
71985
71986commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
71987Author: Brad Spengler <spender@grsecurity.net>
71988Date: Tue Aug 20 20:14:50 2013 -0400
71989
71990 Update to pax-linux-3.10.9-test18.patch:
71991 - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
71992 - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
71993 - forward port to 3.10.9
71994
71995 arch/x86/kernel/entry_64.S | 18 +++++++++---------
71996 arch/x86/kernel/i386_ksyms_32.c | 4 ++++
71997 arch/x86/kernel/x8664_ksyms_64.c | 4 ++++
71998 3 files changed, 17 insertions(+), 9 deletions(-)
71999
72000commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
72001Merge: f47a293 d8fed0e
72002Author: Brad Spengler <spender@grsecurity.net>
72003Date: Tue Aug 20 20:12:47 2013 -0400
72004
72005 Merge branch 'pax-test' into grsec-test
72006
72007commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
72008Merge: f6ace8e 0a4b6d4
72009Author: Brad Spengler <spender@grsecurity.net>
72010Date: Tue Aug 20 20:12:33 2013 -0400
72011
72012 Merge branch 'linux-3.10.y' into pax-test
72013
72014commit f47a293a1440da2a3e2c239d43d636e37ca74f10
72015Merge: f1e8ec7 f6ace8e
72016Author: Brad Spengler <spender@grsecurity.net>
72017Date: Tue Aug 20 18:20:05 2013 -0400
72018
72019 Merge branch 'pax-test' into grsec-test
72020
72021 Conflicts:
72022 arch/arm/kernel/perf_event.c
72023 include/linux/sched.h
72024
72025commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
72026Merge: b4fa847 6f54059
72027Author: Brad Spengler <spender@grsecurity.net>
72028Date: Tue Aug 20 18:18:02 2013 -0400
72029
72030 Update to pax-linux-3.10.8-test18.patch
72031
72032 Merge branch 'linux-3.10.y' into pax-test
72033
72034 Conflicts:
72035 arch/x86/kernel/sys_x86_64.c
72036 arch/x86/mm/mmap.c
72037 include/linux/sched.h
72038
72039commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
72040Merge: 6f88011 b4fa847
72041Author: Brad Spengler <spender@grsecurity.net>
72042Date: Tue Aug 20 18:05:12 2013 -0400
72043
72044 Merge branch 'pax-test' into grsec-test
72045
72046commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
72047Author: Brad Spengler <spender@grsecurity.net>
72048Date: Tue Aug 20 18:04:14 2013 -0400
72049
72050 Update to pax-linux-3.10.7-test18.patch:
72051 - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
72052 - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
72053 - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause
72054
72055 arch/arm/kernel/process.c | 2 +-
72056 arch/x86/include/asm/processor.h | 25 ++-----------------------
72057 arch/x86/kernel/cpu/common.c | 4 ++++
72058 arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
72059 drivers/staging/zcache/tmem.c | 4 ++--
72060 drivers/staging/zcache/tmem.h | 6 ++----
72061 6 files changed, 47 insertions(+), 30 deletions(-)
72062
72063commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
72064Author: Brad Spengler <spender@grsecurity.net>
72065Date: Mon Aug 19 22:10:04 2013 -0400
72066
72067 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
72068 as reported by pipacs
72069
72070 arch/x86/kernel/smpboot.c | 3 ---
72071 1 files changed, 0 insertions(+), 3 deletions(-)
72072
72073commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
72074Merge: 6eba999 5de93c8
72075Author: Brad Spengler <spender@grsecurity.net>
72076Date: Sun Aug 18 22:03:19 2013 -0400
72077
72078 Merge branch 'pax-test' into grsec-test
72079
72080commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
72081Author: Brad Spengler <spender@grsecurity.net>
72082Date: Sun Aug 18 22:02:47 2013 -0400
72083
72084 Update to pax-linux-3.10.7-test15.patch:
72085 - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
72086 - fixed some new REFCOUNT false positives, caught by inspection
72087
72088 arch/x86/kernel/cpu/common.c | 5 +++--
72089 arch/x86/kernel/entry_64.S | 11 +++++++----
72090 fs/ceph/super.c | 4 ++--
72091 mm/backing-dev.c | 4 ++--
72092 4 files changed, 14 insertions(+), 10 deletions(-)
72093
72094commit 94c119587c76723c1072237b98fff9886ccb7689
72095Author: Brad Spengler <spender@grsecurity.net>
72096Date: Sun Aug 18 20:49:39 2013 -0400
72097
72098 fix pipacs' DEMORGAN typo
72099
72100 arch/x86/include/asm/tlbflush.h | 2 +-
72101 1 files changed, 1 insertions(+), 1 deletions(-)
72102
72103commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
72104Merge: df347f6 64a293e
72105Author: Brad Spengler <spender@grsecurity.net>
72106Date: Sun Aug 18 18:13:04 2013 -0400
72107
72108 Merge branch 'pax-test' into grsec-test
72109
72110commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
72111Author: Brad Spengler <spender@grsecurity.net>
72112Date: Sun Aug 18 18:12:37 2013 -0400
72113
72114 Update to pax-linux-3.10.7-test14.patch:
72115 - fixed compile error introduced by the previous PCID change
72116 - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
72117
72118 arch/x86/include/asm/tlbflush.h | 2 +-
72119 kernel/posix-timers.c | 2 +-
72120 2 files changed, 2 insertions(+), 2 deletions(-)
72121
72122commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
72123Merge: d8efbc5 e11b314
72124Author: Brad Spengler <spender@grsecurity.net>
72125Date: Sun Aug 18 08:15:00 2013 -0400
72126
72127 Merge branch 'pax-test' into grsec-test
72128
72129commit e11b314734c5b7317f5468be75305ad812e78c2b
72130Author: Brad Spengler <spender@grsecurity.net>
72131Date: Sun Aug 18 08:14:26 2013 -0400
72132
72133 Update to pax-linux-3.10.7-test13.patch:
72134 - always enable the use of PCID and INVPCID when available in the CPU
72135 - kvm guest kernels can use these features even if the host kernel lacks UDEREF
72136
72137 arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++----------------
72138 arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++----------
72139 2 files changed, 70 insertions(+), 47 deletions(-)
72140
72141commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
72142Author: Brad Spengler <spender@grsecurity.net>
72143Date: Sat Aug 17 12:00:20 2013 -0400
72144
72145 make kallsyms_lookup_size_offset available to approved source files
72146
72147 include/linux/kallsyms.h | 3 +++
72148 1 files changed, 3 insertions(+), 0 deletions(-)
72149
72150commit 6c8feffa95ce2db280160015027b52bb41a344c8
72151Merge: dbf6930 0bb1c2b
72152Author: Brad Spengler <spender@grsecurity.net>
72153Date: Sat Aug 17 11:57:50 2013 -0400
72154
72155 Merge branch 'pax-test' into grsec-test
72156
72157commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
72158Author: Brad Spengler <spender@grsecurity.net>
72159Date: Sat Aug 17 11:56:43 2013 -0400
72160
72161 Update to pax-linux-3.10.7-test12.patch:
72162 - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
72163 - fixed some arm compile problems
72164
72165 arch/x86/include/asm/tlbflush.h | 2 +-
72166 drivers/clocksource/bcm_kona_timer.c | 2 +-
72167 kernel/signal.c | 4 ++++
72168 3 files changed, 6 insertions(+), 2 deletions(-)
72169
72170commit dbf69305ad4f8a037aae95af90f9201f556dcb48
72171Author: Brad Spengler <spender@grsecurity.net>
72172Date: Sat Aug 17 11:18:09 2013 -0400
72173
72174 allow use of kallsyms_lookup_name to approved source files
72175
72176 include/linux/kallsyms.h | 1 +
72177 1 files changed, 1 insertions(+), 0 deletions(-)
72178
72179commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
72180Merge: 68bd16f f562e3e
72181Author: Brad Spengler <spender@grsecurity.net>
72182Date: Sat Aug 17 10:35:02 2013 -0400
72183
72184 Merge branch 'pax-test' into grsec-test
72185
72186commit f562e3ef7737ea8d80431a722479b36a12504ace
72187Author: Brad Spengler <spender@grsecurity.net>
72188Date: Sat Aug 17 10:34:51 2013 -0400
72189
72190 add uderef_64.c
72191
72192 arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++
72193 1 files changed, 37 insertions(+), 0 deletions(-)
72194
72195commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
72196Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
72197Date: Mon Aug 12 16:30:09 2013 +0000
72198
72199 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
72200
72201 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
72202
72203 Fix the iproute2 command `bridge vlan show`, after switching from
72204 rtgenmsg to ifinfomsg.
72205
72206 Let's start with a little history:
72207
72208 Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in
72209 the 3.9 merge window.
72210 In the kernel commit 6cbdceeb, he added attribute support to
72211 bridge GETLINK requests sent with rtgenmsg.
72212
72213 Mar 6th: Vlad got this iproute2 reference implementation of the bridge
72214 vlan netlink interface accepted (iproute2 9eff0e5c)
72215
72216 Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
72217 http://patchwork.ozlabs.org/patch/239602/
72218 http://marc.info/?t=136680900700007
72219
72220 Apr 28th: Linus released 3.9
72221
72222 Apr 30th: Stephen released iproute2 3.9.0
72223
72224 The `bridge vlan show` command haven't been working since the switch to
72225 ifinfomsg, or in a released version of iproute2. Since the kernel side
72226 only supports rtgenmsg, which iproute2 switched away from just prior to
72227 the iproute2 3.9.0 release.
72228
72229 I haven't been able to find any documentation, about neither rtgenmsg
72230 nor ifinfomsg, and in which situation to use which, but kernel commit
72231 88c5b5ce seams to suggest that ifinfomsg should be used.
72232
72233 Fixing this in kernel will break compatibility, but I doubt that anybody
72234 have been using it due to this bug in the user space reference
72235 implementation, at least not without noticing this bug. That said the
72236 functionality is still fully functional in 3.9, when reversing iproute2
72237 commit 63338dca.
72238
72239 This could also be fixed in iproute2, but thats an ugly patch that would
72240 reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
72241 like rtgenmsg usage is discouraged. I'm assuming that the only reason
72242 that Vlad implemented the kernel side to use rtgenmsg, was because
72243 iproute2 was using it at the time.
72244
72245 Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
72246 Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
72247 Signed-off-by: David S. Miller <davem@davemloft.net>
72248
72249 net/core/rtnetlink.c | 2 +-
72250 1 files changed, 1 insertions(+), 1 deletions(-)
72251
72252commit 8c7bc5bafddddff55ed4687203a977e96f72540a
72253Author: Johannes Berg <johannes.berg@intel.com>
72254Date: Tue Aug 13 09:04:05 2013 +0200
72255
72256 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
72257
72258 genetlink: fix family dump race
72259
72260 When dumping generic netlink families, only the first dump call
72261 is locked with genl_lock(), which protects the list of families,
72262 and thus subsequent calls can access the data without locking,
72263 racing against family addition/removal. This can cause a crash.
72264 Fix it - the locking needs to be conditional because the first
72265 time around it's already locked.
72266
72267 A similar bug was reported to me on an old kernel (3.4.47) but
72268 the exact scenario that happened there is no longer possible,
72269 on those kernels the first round wasn't locked either. Looking
72270 at the current code I found the race described above, which had
72271 also existed on the old kernel.
72272
72273 Cc: stable@vger.kernel.org
72274 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
72275 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
72276 Signed-off-by: David S. Miller <davem@davemloft.net>
72277
72278 net/netlink/genetlink.c | 7 +++++++
72279 1 files changed, 7 insertions(+), 0 deletions(-)
72280
72281commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
72282Author: Daniel Borkmann <dborkman@redhat.com>
72283Date: Fri Aug 9 16:25:21 2013 +0200
72284
72285 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
72286
72287 net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
72288
72289 Probably this one is quite unlikely to be triggered, but it's more safe
72290 to do the call_rcu() at the end after we have dropped the reference on
72291 the asoc and freed sctp packet chunks. The reason why is because in
72292 sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
72293 we're unlucky enough we could run into corrupted pointers. Probably
72294 that's more of theoretical nature, but it's safer to have this simple fix.
72295
72296 Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
72297 for deferred call_rcu's"). I also did the 8c98653f regression test and
72298 it's fine that way.
72299
72300 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
72301 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
72302 Signed-off-by: David S. Miller <davem@davemloft.net>
72303
72304 net/sctp/transport.c | 4 ++--
72305 1 files changed, 2 insertions(+), 2 deletions(-)
72306
72307commit 3925eab5483946fd746575a46f97bee9d566bb77
72308Author: Stephane Grosjean <s.grosjean@peak-system.com>
72309Date: Fri Aug 9 11:44:06 2013 +0200
72310
72311 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
72312
72313 can: pcan_usb: fix wrong memcpy() bytes length
72314
72315 Fix possibly wrong memcpy() bytes length since some CAN records received from
72316 PCAN-USB could define a DLC field in range [9..15].
72317 In that case, the real DLC value MUST be used to move forward the record pointer
72318 but, only 8 bytes max. MUST be copied into the data field of the struct
72319 can_frame object of the skb given to the network core.
72320
72321 Cc: linux-stable <stable@vger.kernel.org>
72322 Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
72323 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
72324 Signed-off-by: David S. Miller <davem@davemloft.net>
72325
72326 drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
72327 1 files changed, 1 insertions(+), 1 deletions(-)
72328
72329commit c1ac6642baae4a400d1f87115024d1bb1ef53598
72330Author: Linus Lüssing <linus.luessing@web.de>
72331Date: Tue Aug 6 20:21:15 2013 +0200
72332
72333 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
72334
72335 batman-adv: fix potential kernel paging errors for unicast transmissions
72336
72337 There are several functions which might reallocate skb data. Currently
72338 some places keep reusing their old ethhdr pointer regardless of whether
72339 they became invalid after such a reallocation or not. This potentially
72340 leads to kernel paging errors.
72341
72342 This patch fixes these by refetching the ethdr pointer after the
72343 potential reallocations.
72344
72345 Signed-off-by: Linus Lüssing <linus.luessing@web.de>
72346 Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
72347 Signed-off-by: Antonio Quartulli <ordex@autistici.org>
72348
72349 net/batman-adv/bridge_loop_avoidance.c | 2 ++
72350 net/batman-adv/gateway_client.c | 13 ++++++++++++-
72351 net/batman-adv/gateway_client.h | 3 +--
72352 net/batman-adv/soft-interface.c | 9 ++++++++-
72353 net/batman-adv/unicast.c | 13 ++++++++++---
72354 5 files changed, 33 insertions(+), 7 deletions(-)
72355
72356commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
72357Author: Yuchung Cheng <ycheng@google.com>
72358Date: Fri Aug 9 17:21:27 2013 -0700
72359
72360 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
72361
72362 netfilter: nf_conntrack: fix tcp_in_window for Fast Open
72363
72364 Currently the conntrack checks if the ending sequence of a packet
72365 falls within the observed receive window. However it does so even
72366 if it has not observe any packet from the remote yet and uses an
72367 uninitialized receive window (td_maxwin).
72368
72369 If a connection uses Fast Open to send a SYN-data packet which is
72370 dropped afterward in the network. The subsequent SYNs retransmits
72371 will all fail this check and be discarded, leading to a connection
72372 timeout. This is because the SYN retransmit does not contain data
72373 payload so
72374
72375 end == initial sequence number (isn) + 1
72376 sender->td_end == isn + syn_data_len
72377 receiver->td_maxwin == 0
72378
72379 The fix is to only apply this check after td_maxwin is initialized.
72380
72381 Reported-by: Michael Chan <mcfchan@stanford.edu>
72382 Signed-off-by: Yuchung Cheng <ycheng@google.com>
72383 Acked-by: Eric Dumazet <edumazet@google.com>
72384 Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
72385 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
72386
72387 net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
72388 1 files changed, 8 insertions(+), 4 deletions(-)
72389
72390commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
72391Author: Dan Carpenter <dan.carpenter@oracle.com>
72392Date: Thu Aug 1 12:36:57 2013 +0300
72393
72394 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
72395
72396 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
72397
72398 These structs have a "_pad" member. Also the "phw" structs have an 8
72399 byte "hw_addr[]" array but sometimes only the first 6 bytes are
72400 initialized.
72401
72402 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
72403 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
72404
72405 net/netfilter/nfnetlink_log.c | 6 +++++-
72406 net/netfilter/nfnetlink_queue_core.c | 5 ++++-
72407 2 files changed, 9 insertions(+), 2 deletions(-)
72408
72409commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
72410Author: Pablo Neira Ayuso <pablo@netfilter.org>
72411Date: Thu Jul 25 10:46:46 2013 +0200
72412
72413 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
72414
72415 netfilter: xt_TCPOPTSTRIP: fix possible off by one access
72416
72417 Fix a possible off by one access since optlen()
72418 touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
72419
72420 This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
72421 that stores the TCP header length, to save some cycles.
72422
72423 Reported-by: Julian Anastasov <ja@ssi.bg>
72424 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
72425
72426 net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++----
72427 1 files changed, 6 insertions(+), 4 deletions(-)
72428
72429commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
72430Author: Pablo Neira Ayuso <pablo@netfilter.org>
72431Date: Thu Jul 25 10:37:49 2013 +0200
72432
72433 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
72434
72435 netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
72436
72437 Make sure the packet has enough room for the TCP header and
72438 that it is not malformed.
72439
72440 While at it, store tcph->doff*4 in a variable, as it is used
72441 several times.
72442
72443 This patch also fixes a possible off by one in case of malformed
72444 TCP options.
72445
72446 Reported-by: Julian Anastasov <ja@ssi.bg>
72447 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
72448
72449 net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
72450 1 files changed, 16 insertions(+), 12 deletions(-)
72451
72452commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
72453Author: Dave Jones <davej@redhat.com>
72454Date: Fri Aug 9 11:16:34 2013 -0700
72455
72456 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
72457
72458 8139cp: Fix skb leak in rx_status_loop failure path.
72459
72460 Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
72461 ("8139cp: Add dma_mapping_error checking")
72462
72463 Signed-off-by: Dave Jones <davej@redhat.com>
72464 Signed-off-by: David S. Miller <davem@davemloft.net>
72465
72466 drivers/net/ethernet/realtek/8139cp.c | 1 +
72467 1 files changed, 1 insertions(+), 0 deletions(-)
72468
72469commit 227b279491a0bbcc70ca3654f34903282c378600
72470Author: Timo Teräs <timo.teras@iki.fi>
72471Date: Tue Aug 6 13:45:43 2013 +0300
72472
72473 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
72474
72475 ip_gre: fix ipgre_header to return correct offset
72476
72477 Fix ipgre_header() (header_ops->create) to return the correct
72478 amount of bytes pushed. Most callers of dev_hard_header() seem
72479 to care only if it was success, but af_packet.c uses it as
72480 offset to the skb to copy from userspace only once. In practice
72481 this fixes packet socket sendto()/sendmsg() to gre tunnels.
72482
72483 Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
72484 ("GRE: Refactor GRE tunneling code.")
72485
72486 Cc: Pravin B Shelar <pshelar@nicira.com>
72487 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
72488 Acked-by: Eric Dumazet <edumazet@google.com>
72489 Signed-off-by: David S. Miller <davem@davemloft.net>
72490
72491 net/ipv4/ip_gre.c | 2 +-
72492 1 files changed, 1 insertions(+), 1 deletions(-)
72493
72494commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
72495Author: Eric Dumazet <edumazet@google.com>
72496Date: Mon Aug 5 11:18:49 2013 -0700
72497
72498 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
72499
72500 fib_trie: remove potential out of bound access
72501
72502 AddressSanitizer [1] dynamic checker pointed a potential
72503 out of bound access in leaf_walk_rcu()
72504
72505 We could allocate one more slot in tnode_new() to leave the prefetch()
72506 in-place but it looks not worth the pain.
72507
72508 Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
72509
72510 [1] :
72511 https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
72512
72513 Reported-by: Andrey Konovalov <andreyknvl@google.com>
72514 Signed-off-by: Eric Dumazet <edumazet@google.com>
72515 Cc: Dmitry Vyukov <dvyukov@google.com>
72516 Signed-off-by: David S. Miller <davem@davemloft.net>
72517
72518 net/ipv4/fib_trie.c | 5 +----
72519 1 files changed, 1 insertions(+), 4 deletions(-)
72520
72521commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
72522Author: Daniel Borkmann <dborkman@redhat.com>
72523Date: Mon Aug 5 12:49:35 2013 +0200
72524
72525 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
72526
72527 net: esp{4,6}: fix potential MTU calculation overflows
72528
72529 Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
72530 size calculation") introduced a possible interger overflow in
72531 esp{4,6}_get_mtu() handlers in case of x->props.mode equals
72532 XFRM_MODE_TUNNEL. Thus, the following expression will overflow
72533
72534 unsigned int net_adj;
72535 ...
72536 <case ipv{4,6} XFRM_MODE_TUNNEL>
72537 net_adj = 0;
72538 ...
72539 return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
72540 net_adj) & ~(align - 1)) + (net_adj - 2);
72541
72542 where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
72543 context. Fix it by simply removing brackets as those operations here
72544 do not need to have special precedence.
72545
72546 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
72547 Cc: Benjamin Poirier <bpoirier@suse.de>
72548 Cc: Steffen Klassert <steffen.klassert@secunet.com>
72549 Acked-by: Benjamin Poirier <bpoirier@suse.de>
72550 Signed-off-by: David S. Miller <davem@davemloft.net>
72551
72552 net/ipv4/esp4.c | 2 +-
72553 net/ipv6/esp6.c | 2 +-
72554 2 files changed, 2 insertions(+), 2 deletions(-)
72555
72556commit f02bce292d1c2fe610be509c96593e70b3de387b
72557Author: Julia Lawall <Julia.Lawall@lip6.fr>
72558Date: Mon Aug 5 16:47:38 2013 +0200
72559
72560 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
72561
72562 net/vmw_vsock/af_vsock.c: drop unneeded semicolon
72563
72564 Drop the semicolon at the end of the list_for_each_entry loop header.
72565
72566 Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
72567 Signed-off-by: David S. Miller <davem@davemloft.net>
72568
72569 net/vmw_vsock/af_vsock.c | 2 +-
72570 1 files changed, 1 insertions(+), 1 deletions(-)
72571
72572commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
72573Author: Tiger Yang <tiger.yang@oracle.com>
72574Date: Tue Aug 13 16:00:58 2013 -0700
72575
72576 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
72577
72578 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
72579
72580 Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
72581 the struct file pointer, it finally result in a null pointer dereference
72582 in ocfs2_duplicate_clusters_by_page.
72583
72584 This patch replace file pointer with inode pointer in
72585 cow_duplicate_clusters to fix this issue.
72586
72587 [jeff.liu@oracle.com: rebased patch against linux-next tree]
72588 Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
72589 Signed-off-by: Jie Liu <jeff.liu@oracle.com>
72590 Cc: Joel Becker <jlbec@evilplan.org>
72591 Cc: Mark Fasheh <mfasheh@suse.com>
72592 Acked-by: Tao Ma <tm@tao.ma>
72593 Tested-by: David Weber <wb@munzinger.de>
72594 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
72595 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
72596
72597 fs/ocfs2/aops.c | 2 +-
72598 fs/ocfs2/file.c | 6 ++--
72599 fs/ocfs2/move_extents.c | 2 +-
72600 fs/ocfs2/refcounttree.c | 53 +++++++---------------------------------------
72601 fs/ocfs2/refcounttree.h | 6 ++--
72602 5 files changed, 16 insertions(+), 53 deletions(-)
72603
72604commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
72605Author: Dan Carpenter <dan.carpenter@oracle.com>
72606Date: Thu Aug 15 15:52:57 2013 +0300
72607
72608 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
72609
72610 tun: signedness bug in tun_get_user()
72611
72612 The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
72613 not totally correct. Because "len" and "sizeof()" are size_t type, that
72614 means they are never less than zero.
72615
72616 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
72617 Acked-by: Michael S. Tsirkin <mst@redhat.com>
72618 Acked-by: Neil Horman <nhorman@tuxdriver.com>
72619 Signed-off-by: David S. Miller <davem@davemloft.net>
72620
72621 drivers/net/tun.c | 6 ++++--
72622 1 files changed, 4 insertions(+), 2 deletions(-)
72623
72624commit 26ad267ddda451919357965a0cf271ca24d1bcf2
72625Author: Weiping Pan <wpan@redhat.com>
72626Date: Tue Aug 13 21:46:56 2013 +0800
72627
72628 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
72629
72630 tun: compare with 0 instead of total_len
72631
72632 Since we set "len = total_len" in the beginning of tun_get_user(),
72633 so we should compare the new len with 0, instead of total_len,
72634 or the if statement always returns false.
72635
72636 Signed-off-by: Weiping Pan <wpan@redhat.com>
72637 Signed-off-by: David S. Miller <davem@davemloft.net>
72638
72639 drivers/net/tun.c | 4 ++--
72640 1 files changed, 2 insertions(+), 2 deletions(-)
72641
72642commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
72643Author: Guenter Roeck <linux@roeck-us.net>
72644Date: Fri Aug 16 20:50:55 2013 -0700
72645
72646 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
72647
72648 s390: Fix broken build
72649
72650 Fix this build error:
72651
72652 In file included from fs/exec.c:61:0:
72653 arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
72654 arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
72655 arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
72656 arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
72657
72658 Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
72659 invalidation corner cases").
72660
72661 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
72662 Cc: stable@vger.kernel.org
72663 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
72664 [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ]
72665 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
72666
72667 arch/s390/include/asm/tlb.h | 2 +-
72668 1 files changed, 1 insertions(+), 1 deletions(-)
72669
72670commit 4e57312c2de2a25ddb181d129dafbc0251062c33
72671Author: Linus Torvalds <torvalds@linux-foundation.org>
72672Date: Thu Aug 15 11:42:25 2013 -0700
72673
72674 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
72675
72676 Fix TLB gather virtual address range invalidation corner cases
72677
72678 Ben Tebulin reported:
72679
72680 "Since v3.7.2 on two independent machines a very specific Git
72681 repository fails in 9/10 cases on git-fsck due to an SHA1/memory
72682 failures. This only occurs on a very specific repository and can be
72683 reproduced stably on two independent laptops. Git mailing list ran
72684 out of ideas and for me this looks like some very exotic kernel issue"
72685
72686 and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
72687 limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
72688
72689 That commit itself is not actually buggy, but what it does is to make it
72690 much more likely to hit the partial TLB invalidation case, since it
72691 introduces a new case in tlb_next_batch() that previously only ever
72692 happened when running out of memory.
72693
72694 The real bug is that the TLB gather virtual memory range setup is subtly
72695 buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
72696 enable tlb flush range in generic mmu_gather"), and the range handling
72697 was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
72698 range flushed when __tlb_remove_page() runs out of slots"), but that fix
72699 was not complete.
72700
72701 The problem with the TLB gather virtual address range is that it isn't
72702 set up by the initial tlb_gather_mmu() initialization (which didn't get
72703 the TLB range information), but it is set up ad-hoc later by the
72704 functions that actually flush the TLB. And so any such case that forgot
72705 to update the TLB range entries would potentially miss TLB invalidates.
72706
72707 Rather than try to figure out exactly which particular ad-hoc range
72708 setup was missing (I personally suspect it's the hugetlb case in
72709 zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
72710 did), this patch just gets rid of the problem at the source: make the
72711 TLB range information available to tlb_gather_mmu(), and initialize it
72712 when initializing all the other tlb gather fields.
72713
72714 This makes the patch larger, but conceptually much simpler. And the end
72715 result is much more understandable; even if you want to play games with
72716 partial ranges when invalidating the TLB contents in chunks, now the
72717 range information is always there, and anybody who doesn't want to
72718 bother with it won't introduce subtle bugs.
72719
72720 Ben verified that this fixes his problem.
72721
72722 Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
72723 Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
72724 Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
72725 Reviewed-by: Michal Hocko <mhocko@suse.cz>
72726 Acked-by: Peter Zijlstra <peterz@infradead.org>
72727 Cc: stable@vger.kernel.org
72728 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
72729
72730 arch/arm/include/asm/tlb.h | 7 +++++--
72731 arch/arm64/include/asm/tlb.h | 7 +++++--
72732 arch/ia64/include/asm/tlb.h | 9 ++++++---
72733 arch/s390/include/asm/tlb.h | 8 ++++++--
72734 arch/sh/include/asm/tlb.h | 6 ++++--
72735 arch/um/include/asm/tlb.h | 6 ++++--
72736 fs/exec.c | 4 ++--
72737 include/asm-generic/tlb.h | 2 +-
72738 mm/hugetlb.c | 2 +-
72739 mm/memory.c | 36 +++++++++++++++++++++---------------
72740 mm/mmap.c | 4 ++--
72741 11 files changed, 57 insertions(+), 34 deletions(-)
72742
72743commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
72744Merge: 5568c80 ffceabf
72745Author: Brad Spengler <spender@grsecurity.net>
72746Date: Sat Aug 17 09:11:41 2013 -0400
72747
72748 Merge branch 'pax-test' into grsec-test
72749
72750commit ffceabfcc65c60109ba5fca694d78d4dc7047809
72751Author: Brad Spengler <spender@grsecurity.net>
72752Date: Sat Aug 17 09:10:44 2013 -0400
72753
72754 Update to pax-linux-3.10.7-test11.patch:
72755 - simplified some arm code
72756 - disabled preemption when calling show_regs, reported by Corey Minyard
72757 - added PCID based support for UDEREF on amd64 (blog will have more details)
72758 - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
72759 - nopcid turns it off
72760 - by default a strong form of UDEREF is used under PCID
72761 - pax_weakuderef switches to the older, less secure UDEREF
72762 - fixed several bugs that would also have manifested under SMAP
72763 - INVPCID is used when available (Haswell)
72764 - added a few more return insn instrumentation in new amd64 crypto code
72765
72766 Documentation/kernel-parameters.txt | 7 +
72767 arch/arm/include/asm/uaccess.h | 3 +
72768 arch/x86/crypto/blowfish-avx2-asm_64.S | 6 +
72769 arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++
72770 arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++
72771 arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
72772 arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
72773 arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++
72774 arch/x86/crypto/sha256-avx-asm.S | 2 +
72775 arch/x86/crypto/sha256-avx2-asm.S | 2 +
72776 arch/x86/crypto/sha256-ssse3-asm.S | 2 +
72777 arch/x86/crypto/sha512-avx-asm.S | 2 +
72778 arch/x86/crypto/sha512-avx2-asm.S | 2 +
72779 arch/x86/crypto/sha512-ssse3-asm.S | 2 +
72780 arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++
72781 arch/x86/ia32/ia32_signal.c | 2 +-
72782 arch/x86/ia32/ia32entry.S | 24 ++++-
72783 arch/x86/include/asm/cpufeature.h | 3 +-
72784 arch/x86/include/asm/fpu-internal.h | 2 +
72785 arch/x86/include/asm/futex.h | 4 +
72786 arch/x86/include/asm/mmu_context.h | 80 +++++++++++---
72787 arch/x86/include/asm/pgtable.h | 10 +-
72788 arch/x86/include/asm/processor.h | 15 +++-
72789 arch/x86/include/asm/segment.h | 5 +-
72790 arch/x86/include/asm/smap.h | 64 +++++++++++-
72791 arch/x86/include/asm/tlbflush.h | 63 +++++++++--
72792 arch/x86/include/asm/uaccess.h | 18 +++-
72793 arch/x86/include/asm/xsave.h | 4 +
72794 arch/x86/kernel/cpu/common.c | 38 +++++++
72795 arch/x86/kernel/entry_32.S | 2 +-
72796 arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++---
72797 arch/x86/kernel/head_32.S | 2 +-
72798 arch/x86/kernel/head_64.S | 8 +-
72799 arch/x86/kernel/process_64.c | 5 +
72800 arch/x86/kernel/setup.c | 8 +-
72801 arch/x86/kernel/signal.c | 4 +-
72802 arch/x86/kernel/smpboot.c | 15 ++-
72803 arch/x86/lib/copy_user_64.S | 50 +--------
72804 arch/x86/lib/copy_user_nocache_64.S | 2 +
72805 arch/x86/lib/csum-wrappers_64.c | 11 ++-
72806 arch/x86/lib/memcpy_64.S | 4 +-
72807 arch/x86/lib/memmove_64.S | 2 +-
72808 arch/x86/lib/memset_64.S | 4 +-
72809 arch/x86/lib/usercopy_64.c | 5 +-
72810 arch/x86/mm/Makefile | 4 +
72811 arch/x86/mm/fault.c | 29 ++++--
72812 arch/x86/mm/init.c | 7 +-
72813 arch/x86/mm/init_64.c | 9 ++-
72814 arch/x86/mm/pageattr.c | 2 +-
72815 arch/x86/mm/pgtable.c | 3 +
72816 arch/x86/platform/efi/efi_32.c | 2 +-
72817 arch/x86/platform/efi/efi_64.c | 2 +-
72818 arch/x86/realmode/rm/trampoline_64.S | 1 +
72819 fs/exec.c | 2 +
72820 include/asm-generic/uaccess.h | 8 ++
72821 include/linux/compat.h | 1 +
72822 include/linux/preempt.h | 19 +++
72823 include/linux/signal.h | 1 +
72824 include/linux/smp.h | 2 +
72825 init/main.c | 14 ++-
72826 kernel/signal.c | 16 +++
72827 security/Kconfig | 5 +
72828 tools/lib/lk/Makefile | 2 +-
72829 tools/perf/Makefile | 2 +-
72830 64 files changed, 673 insertions(+), 136 deletions(-)
72831
72832commit 5568c8059e78d6d002815409df4e90c83b3b08a8
72833Author: Brad Spengler <spender@grsecurity.net>
72834Date: Sat Aug 17 08:58:34 2013 -0400
72835
72836 Fix two harmless compiler warnings
72837
72838 arch/arm/kernel/process.c | 4 ++--
72839 fs/exec.c | 2 +-
72840 2 files changed, 3 insertions(+), 3 deletions(-)
72841
72842commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
72843Author: Brad Spengler <spender@grsecurity.net>
72844Date: Fri Aug 16 22:55:24 2013 -0400
72845
72846 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b
72847
72848 arch/arm/kernel/perf_event.c | 5 ++++-
72849 1 files changed, 4 insertions(+), 1 deletions(-)
72850
72851commit 3637bc893b57a227b01852fe34685ab237285b10
72852Author: Stephen Boyd <sboyd@codeaurora.org>
72853Date: Wed Aug 7 16:18:08 2013 -0700
72854
72855 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
72856
72857 perf/arm: Fix armpmu_map_hw_event()
72858
72859 Fix constraint check in armpmu_map_hw_event().
72860
72861 Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
72862 Cc: <stable@kernel.org>
72863 Signed-off-by: Ingo Molnar <mingo@kernel.org>
72864 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
72865
72866 arch/arm/kernel/perf_event.c | 7 ++++++-
72867 1 files changed, 6 insertions(+), 1 deletions(-)
72868
72869commit 11802e1f961a088c39af58d1c1b14d861eedfb35
72870Author: Brad Spengler <spender@grsecurity.net>
72871Date: Fri Aug 16 22:53:30 2013 -0400
72872
72873 More ARM backports
72874
72875 arch/arm/kernel/entry-armv.S | 3 ++-
72876 arch/arm/kernel/fiq.c | 8 ++------
72877 2 files changed, 4 insertions(+), 7 deletions(-)
72878
72879commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
72880Author: Brad Spengler <spender@grsecurity.net>
72881Date: Fri Aug 16 22:46:01 2013 -0400
72882
72883 Fix HIDESYM compatibility with kprobes, as reported by feandil at:
72884 http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
72885
72886 include/linux/kallsyms.h | 2 +-
72887 kernel/kprobes.c | 3 +++
72888 2 files changed, 4 insertions(+), 1 deletions(-)
72889
72890commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
72891Author: yonghua zheng <younghua.zheng@gmail.com>
72892Date: Tue Aug 13 16:01:03 2013 -0700
72893
72894 fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
72895
72896 Recently we met quite a lot of random kernel panic issues after enabling
72897 CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
72898 to do with following bug in pagemap:
72899
72900 In struct pagemapread:
72901
72902 struct pagemapread {
72903 int pos, len;
72904 pagemap_entry_t *buffer;
72905 bool v2;
72906 };
72907
72908 pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
72909 buffer, it is a mistake to compare pos and len in add_page_map() for
72910 checking buffer is full or not, and this can lead to buffer overflow and
72911 random kernel panic issue.
72912
72913 Correct len to be total number of PM_ENTRY_BYTES in buffer.
72914
72915 [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
72916 Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
72917 Cc: <stable@vger.kernel.org>
72918 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
72919 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
72920
72921 Conflicts:
72922
72923 fs/proc/task_mmu.c
72924
72925 fs/proc/task_mmu.c | 8 ++++----
72926 1 files changed, 4 insertions(+), 4 deletions(-)
72927
72928commit 0a3dac834746de241c10d4978bf61b4f146ba89d
72929Merge: dc19474 e12de30
72930Author: Brad Spengler <spender@grsecurity.net>
72931Date: Fri Aug 16 17:39:01 2013 -0400
72932
72933 Merge branch 'pax-test' into grsec-test
72934
72935commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
72936Author: Brad Spengler <spender@grsecurity.net>
72937Date: Fri Aug 16 17:34:47 2013 -0400
72938
72939 Update to pax-linux-3.10.7-test9.patch:
72940 - Emese fixed a size overflow false positive reported by Sven Vermeulen
72941 - fixed some arm compile problems reported by spender
72942 - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
72943 eventually we'll have full REFCOUNT support on mips
72944
72945 arch/arm/kernel/process.c | 5 ++-
72946 arch/arm/mm/Kconfig | 2 +-
72947 arch/arm/mm/fault.c | 3 ++
72948 arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++
72949 mm/internal.h | 2 +-
72950 5 files changed, 65 insertions(+), 4 deletions(-)
72951
72952commit dc19474d0ea6ea3c939544ae5f906067b1784a10
72953Merge: 51b78c0 82266f9
72954Author: Brad Spengler <spender@grsecurity.net>
72955Date: Thu Aug 15 21:47:37 2013 -0400
72956
72957 Merge branch 'pax-test' into grsec-test
72958
72959commit 82266f90a3f87ab5017329fb539aebf94c42253a
72960Author: Brad Spengler <spender@grsecurity.net>
72961Date: Thu Aug 15 21:14:47 2013 -0400
72962
72963 Update to pax-linux-3.10.7-test9.patch
72964
72965 arch/arm/kernel/process.c | 6 ++----
72966 1 files changed, 2 insertions(+), 4 deletions(-)
72967
72968commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
72969Merge: e32d904 cb77ead
72970Author: Brad Spengler <spender@grsecurity.net>
72971Date: Thu Aug 15 20:53:45 2013 -0400
72972
72973 Merge branch 'pax-test' into grsec-test
72974
72975 Conflicts:
72976 security/Kconfig
72977
72978commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
72979Merge: 13675b8 519be45
72980Author: Brad Spengler <spender@grsecurity.net>
72981Date: Thu Aug 15 20:50:47 2013 -0400
72982
72983 Update to pax-linux-3.10.7-test8.patch
72984
72985 Merge branch 'linux-3.10.y' into pax-test
72986
72987commit e32d904b87292288e74e2637b900fd1115687b8e
72988Author: Brad Spengler <spender@grsecurity.net>
72989Date: Sat Aug 10 09:41:40 2013 -0400
72990
72991 propagate the threadstack offset through to the topdown/bottomup allocators
72992 on sparc64 hugepages
72993
72994 arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
72995 1 files changed, 8 insertions(+), 4 deletions(-)
72996
72997commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
72998Author: Oleg Nesterov <oleg@redhat.com>
72999Date: Thu Aug 8 18:55:32 2013 +0200
73000
73001 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
73002
73003 another local DoS found in reaction to the one I reported,
73004 we don't allow unpriv user ns use so this doesn't matter much to us
73005
73006 userns: limit the maximum depth of user_namespace->parent chain
73007
73008 Ensure that user_namespace->parent chain can't grow too much.
73009 Currently we use the hardroded 32 as limit.
73010
73011 Reported-by: Andy Lutomirski <luto@amacapital.net>
73012 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
73013 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
73014
73015 include/linux/user_namespace.h | 1 +
73016 kernel/user_namespace.c | 4 ++++
73017 2 files changed, 5 insertions(+), 0 deletions(-)
73018
73019commit 223ac007ef18bf3a5095ba0a56675c1f16200149
73020Merge: 1c92de4 13675b8
73021Author: Brad Spengler <spender@grsecurity.net>
73022Date: Thu Aug 8 20:45:24 2013 -0400
73023
73024 Merge branch 'pax-test' into grsec-test
73025
73026 Conflicts:
73027 security/Kconfig
73028
73029commit 13675b848cf02bffd26924b2b84d927095bc253d
73030Author: Brad Spengler <spender@grsecurity.net>
73031Date: Thu Aug 8 20:43:52 2013 -0400
73032
73033 Update to pax-linux-3.10.5-test8.patch:
73034 - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
73035 - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
73036 - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>
73037
73038 arch/arm/include/asm/pgtable-2level.h | 4 +++-
73039 arch/arm/mm/proc-v7-2level.S | 3 ---
73040 arch/mips/mm/fault.c | 8 ++++++++
73041 arch/x86/include/asm/processor.h | 3 ++-
73042 include/linux/math64.h | 2 +-
73043 security/Kconfig | 2 --
73044 6 files changed, 14 insertions(+), 8 deletions(-)
73045
73046commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
73047Merge: e65aa3d 1660f49
73048Author: Brad Spengler <spender@grsecurity.net>
73049Date: Mon Aug 5 18:50:45 2013 -0400
73050
73051 Merge branch 'pax-test' into grsec-test
73052
73053commit 1660f496848b8400d263f7920989dae15e72185a
73054Merge: 7f91ba1 dc51cd2
73055Author: Brad Spengler <spender@grsecurity.net>
73056Date: Mon Aug 5 18:50:12 2013 -0400
73057
73058 Update to pax-linux-3.10.5-test7.patch
73059
73060 Merge branch 'linux-3.10.y' into pax-test
73061
73062 Conflicts:
73063 arch/x86/kernel/head_64.S
73064 mm/mempolicy.c
73065
73066commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
73067Author: Brad Spengler <spender@grsecurity.net>
73068Date: Mon Aug 5 17:58:42 2013 -0400
73069
73070 Disable RANDKSTACK for a VirtualBox host as mentioned on the
73071 gentoo-hardened bugzilla:
73072 https://bugs.gentoo.org/show_bug.cgi?id=382793
73073
73074 security/Kconfig | 2 +-
73075 1 files changed, 1 insertions(+), 1 deletions(-)
73076
73077commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
73078Author: Dan Carpenter <dan.carpenter@oracle.com>
73079Date: Tue Jul 30 13:23:39 2013 +0300
73080
73081 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
73082
73083 net_sched: info leak in atm_tc_dump_class()
73084
73085 The "pvc" struct has a hole after pvc.sap_family which is not cleared.
73086
73087 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
73088 Reviewed-by: Jiri Pirko <jiri@resnulli.us>
73089 Signed-off-by: David S. Miller <davem@davemloft.net>
73090
73091 net/sched/sch_atm.c | 1 +
73092 1 files changed, 1 insertions(+), 0 deletions(-)
73093
73094commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
73095Author: Daniel Borkmann <dborkman@redhat.com>
73096Date: Fri Aug 2 11:32:43 2013 +0200
73097
73098 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
73099
73100 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
73101
73102 Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
73103 resource that was allocated via inet_alloc_ifa() unfreed when returning
73104 the function with -EINVAL. Thus, free it first via inet_free_ifa().
73105
73106 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
73107 Reviewed-by: Jiri Pirko <jiri@resnulli.us>
73108 Signed-off-by: David S. Miller <davem@davemloft.net>
73109
73110 net/ipv4/devinet.c | 4 +++-
73111 1 files changed, 3 insertions(+), 1 deletions(-)
73112
73113commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
73114Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
73115Date: Fri Aug 2 23:15:56 2013 -0400
73116
73117 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
73118
73119 qlcnic: Free up memory in error path.
73120
73121 Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
73122 Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
73123 Signed-off-by: David S. Miller <davem@davemloft.net>
73124
73125 drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++---
73126 1 files changed, 3 insertions(+), 3 deletions(-)
73127
73128commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
73129Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
73130Date: Fri Aug 2 23:15:54 2013 -0400
73131
73132 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
73133
73134 qlcnic: Fix MAC address filter issue on 82xx adapter
73135
73136 Driver was passing the address of a pointer instead of
73137 the pointer itself.
73138
73139 Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
73140 Signed-off-by: David S. Miller <davem@davemloft.net>
73141
73142 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
73143 1 files changed, 1 insertions(+), 1 deletions(-)
73144
73145commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
73146Author: Brad Spengler <spender@grsecurity.net>
73147Date: Mon Aug 5 17:26:40 2013 -0400
73148
73149 Move user namespace capability check to shared create_user_ns code so we
73150 cover unshare() as well.
73151
73152 Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
73153 user namespaces!
73154
73155 kernel/fork.c | 17 -----------------
73156 kernel/user_namespace.c | 24 ++++++++++++++++++++++--
73157 2 files changed, 22 insertions(+), 19 deletions(-)
73158
73159commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
73160Author: Brad Spengler <spender@grsecurity.net>
73161Date: Mon Aug 5 16:05:41 2013 -0400
73162
73163 silence a warning on older gcc
73164
73165 grsecurity/gracl.c | 2 +-
73166 1 files changed, 1 insertions(+), 1 deletions(-)
73167
73168commit b8966a5d577e9220fbc63306eee978f819f24e2e
73169Author: Brad Spengler <spender@grsecurity.net>
73170Date: Sat Aug 3 08:31:08 2013 -0400
73171
73172 we only care about mmaps of the beginning of an ELF, filter out
73173 all others as suggested by pipacs
73174
73175 mm/mmap.c | 2 +-
73176 1 files changed, 1 insertions(+), 1 deletions(-)
73177
73178commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
73179Author: Brad Spengler <spender@grsecurity.net>
73180Date: Fri Aug 2 23:54:51 2013 -0400
73181
73182 add include
73183
73184 grsecurity/grsec_log.c | 1 +
73185 1 files changed, 1 insertions(+), 0 deletions(-)
73186
73187commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
73188Author: Brad Spengler <spender@grsecurity.net>
73189Date: Fri Aug 2 23:49:13 2013 -0400
73190
73191 fix compilation
73192
73193 include/linux/grinternal.h | 3 ++-
73194 1 files changed, 2 insertions(+), 1 deletions(-)
73195
73196commit 1704c23fdc55b68f512dc9927940e72237f3f43e
73197Author: Brad Spengler <spender@grsecurity.net>
73198Date: Fri Aug 2 23:34:35 2013 -0400
73199
73200 Improve PaX reporting (tells when anon mapping is stack or heap)
73201 Remove textrel logging option, combine into rwx logging option
73202 Enhance RWX logging option to display when PT_GNU_STACK-enabled library
73203 is loaded under an MPROTECTed binary
73204 Enhance RWX mprotect logging to display stack/heap instead of just
73205 anon mapping
73206
73207 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
73208 fs/exec.c | 4 ++++
73209 grsecurity/Kconfig | 21 +++++----------------
73210 grsecurity/grsec_init.c | 4 ----
73211 grsecurity/grsec_log.c | 14 ++++++++++++++
73212 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
73213 grsecurity/grsec_sysctl.c | 9 ---------
73214 include/linux/binfmts.h | 1 +
73215 include/linux/grinternal.h | 2 +-
73216 include/linux/grmsg.h | 3 ++-
73217 include/linux/grsecurity.h | 3 ++-
73218 mm/mmap.c | 7 +++++++
73219 mm/mprotect.c | 2 +-
73220 13 files changed, 88 insertions(+), 38 deletions(-)
73221
73222commit faf81c100c8565524e21c9af780a0ad2ce3fd925
73223Author: Brad Spengler <spender@grsecurity.net>
73224Date: Thu Aug 1 18:52:02 2013 -0400
73225
73226 add missing #define
73227
73228 grsecurity/gracl.c | 1 +
73229 1 files changed, 1 insertions(+), 0 deletions(-)
73230
73231commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
73232Author: Brad Spengler <spender@grsecurity.net>
73233Date: Thu Aug 1 18:43:53 2013 -0400
73234
73235 fix compilation for !COMPAT as reported on the forums
73236
73237 grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
73238 1 files changed, 97 insertions(+), 98 deletions(-)
73239
73240commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
73241Merge: 65019c9 7f91ba1
73242Author: Brad Spengler <spender@grsecurity.net>
73243Date: Wed Jul 31 17:47:31 2013 -0400
73244
73245 Merge branch 'pax-test' into grsec-test
73246
73247commit 65019c9bd05f860437071cbf00e2027fd2d68615
73248Author: Brad Spengler <spender@grsecurity.net>
73249Date: Wed Jul 31 17:47:20 2013 -0400
73250
73251 Revert "revert recent PaX change that causes boot failures with 32bit userland"
73252
73253 This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
73254
73255 arch/x86/include/asm/processor.h | 4 ++--
73256 arch/x86/kernel/cpu/common.c | 2 +-
73257 arch/x86/kernel/process_64.c | 2 +-
73258 arch/x86/kernel/smpboot.c | 2 +-
73259 arch/x86/xen/smp.c | 2 +-
73260 5 files changed, 6 insertions(+), 6 deletions(-)
73261
73262commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
73263Author: Brad Spengler <spender@grsecurity.net>
73264Date: Wed Jul 31 17:46:00 2013 -0400
73265
73266 Update to pax-linux-3.10.4-test7.patch:
73267 - added a few more missing format strings
73268 - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
73269 - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
73270 - fixed a UDEREF/i386 regression, __get_user_8 would always fail
73271
73272 arch/x86/include/asm/processor.h | 4 +-
73273 arch/x86/kernel/cpu/common.c | 2 +-
73274 arch/x86/kernel/dumpstack.c | 2 +-
73275 arch/x86/kernel/process_64.c | 2 +-
73276 arch/x86/kernel/reboot_fixups_32.c | 2 +-
73277 arch/x86/kernel/smpboot.c | 2 +-
73278 arch/x86/lib/getuser.S | 4 +-
73279 arch/x86/xen/smp.c | 2 +-
73280 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++--
73281 drivers/video/backlight/backlight.c | 2 +-
73282 drivers/video/backlight/lcd.c | 2 +-
73283 fs/binfmt_elf.c | 51 +++++++++++++++++++++++++---
73284 fs/exec.c | 50 +++++++++++++--------------
73285 include/linux/sched.h | 2 +
73286 14 files changed, 88 insertions(+), 47 deletions(-)
73287
73288commit 043130da54cb7cc8dc44e0ce889d426e889a0532
73289Author: Brad Spengler <spender@grsecurity.net>
73290Date: Wed Jul 31 16:26:58 2013 -0400
73291
73292 compile fix for !COMPAT as mentioned on forums
73293
73294 grsecurity/gracl.c | 2 ++
73295 1 files changed, 2 insertions(+), 0 deletions(-)
73296
73297commit ed0a195abd4e41c2449a020a53a19c74dc866d78
73298Author: Brad Spengler <spender@grsecurity.net>
73299Date: Tue Jul 30 22:33:14 2013 -0400
73300
73301 perform compat conversion of rlimit infinity
73302
73303 grsecurity/gracl_compat.c | 10 ++++++++--
73304 1 files changed, 8 insertions(+), 2 deletions(-)
73305
73306commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
73307Author: Brad Spengler <spender@grsecurity.net>
73308Date: Tue Jul 30 22:21:40 2013 -0400
73309
73310 remove debugging
73311
73312 grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
73313 1 files changed, 11 insertions(+), 33 deletions(-)
73314
73315commit e75b3f504692b97960a7530ad0855d91441d79c0
73316Author: Brad Spengler <spender@grsecurity.net>
73317Date: Tue Jul 30 22:20:32 2013 -0400
73318
73319 eliminate compat_dev_t
73320
73321 include/linux/gracl_compat.h | 4 ++--
73322 1 files changed, 2 insertions(+), 2 deletions(-)
73323
73324commit e5abbaf95313066a724e1a843d4fc902a9a6450e
73325Author: Brad Spengler <spender@grsecurity.net>
73326Date: Tue Jul 30 22:13:22 2013 -0400
73327
73328 fix compat rlimit size
73329
73330 grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
73331 include/linux/gracl_compat.h | 4 +-
73332 2 files changed, 49 insertions(+), 23 deletions(-)
73333
73334commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
73335Author: Brad Spengler <spender@grsecurity.net>
73336Date: Tue Jul 30 21:20:18 2013 -0400
73337
73338 compile fix
73339
73340 grsecurity/gracl.c | 4 ++--
73341 1 files changed, 2 insertions(+), 2 deletions(-)
73342
73343commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
73344Author: Brad Spengler <spender@grsecurity.net>
73345Date: Tue Jul 30 21:14:29 2013 -0400
73346
73347 copy correct pointer size in new compat code
73348
73349 grsecurity/gracl.c | 8 ++++----
73350 grsecurity/gracl_compat.c | 4 ++--
73351 2 files changed, 6 insertions(+), 6 deletions(-)
73352
73353commit 23278a1ee1c7738dd1e7005241394d32b82196e4
73354Author: Brad Spengler <spender@grsecurity.net>
73355Date: Tue Jul 30 19:48:58 2013 -0400
73356
73357 revert recent PaX change that causes boot failures with 32bit userland
73358
73359 arch/x86/include/asm/processor.h | 4 ++--
73360 arch/x86/kernel/cpu/common.c | 2 +-
73361 arch/x86/kernel/process_64.c | 2 +-
73362 arch/x86/kernel/smpboot.c | 2 +-
73363 arch/x86/xen/smp.c | 2 +-
73364 5 files changed, 6 insertions(+), 6 deletions(-)
73365
73366commit ec27f71a813656fea8ab37faecb2b485fe99d08e
73367Merge: 3a11bcf 05f0a61
73368Author: Brad Spengler <spender@grsecurity.net>
73369Date: Tue Jul 30 19:42:21 2013 -0400
73370
73371 Merge branch 'pax-test' into grsec-test
73372
73373commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
73374Author: Brad Spengler <spender@grsecurity.net>
73375Date: Tue Jul 30 19:41:44 2013 -0400
73376
73377 Update to pax-linux-3.10.4-test6.patch:
73378 - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender
73379
73380 include/linux/syscalls.h | 8 ++++++--
73381 1 files changed, 6 insertions(+), 2 deletions(-)
73382
73383commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
73384Author: Brad Spengler <spender@grsecurity.net>
73385Date: Tue Jul 30 19:15:50 2013 -0400
73386
73387 compile fix
73388
73389 grsecurity/gracl_compat.c | 6 ++++++
73390 1 files changed, 6 insertions(+), 0 deletions(-)
73391
73392commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
73393Author: Brad Spengler <spender@grsecurity.net>
73394Date: Tue Jul 30 19:12:46 2013 -0400
73395
73396 remove BUILD_BUG_ONs
73397
73398 grsecurity/gracl_compat.c | 20 --------------------
73399 1 files changed, 0 insertions(+), 20 deletions(-)
73400
73401commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
73402Author: Brad Spengler <spender@grsecurity.net>
73403Date: Tue Jul 30 00:18:36 2013 -0400
73404
73405 compile fixes
73406
73407 grsecurity/gracl_compat.c | 8 ++++----
73408 include/linux/gracl_compat.h | 2 +-
73409 2 files changed, 5 insertions(+), 5 deletions(-)
73410
73411commit 8b744005f8bae565e24c1fd88af77e6e619b9434
73412Author: Brad Spengler <spender@grsecurity.net>
73413Date: Tue Jul 30 00:16:42 2013 -0400
73414
73415 compile fixes
73416
73417 grsecurity/gracl.c | 4 ++--
73418 grsecurity/gracl_compat.c | 2 +-
73419 2 files changed, 3 insertions(+), 3 deletions(-)
73420
73421commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
73422Author: Brad Spengler <spender@grsecurity.net>
73423Date: Tue Jul 30 00:13:51 2013 -0400
73424
73425 compile fixes
73426
73427 grsecurity/gracl.c | 8 ++++----
73428 1 files changed, 4 insertions(+), 4 deletions(-)
73429
73430commit b93b829afcc98b6108b18d99ff63c53642d0b951
73431Author: Brad Spengler <spender@grsecurity.net>
73432Date: Tue Jul 30 00:11:03 2013 -0400
73433
73434 compile fixes
73435
73436 grsecurity/gracl_compat.c | 3 +++
73437 1 files changed, 3 insertions(+), 0 deletions(-)
73438
73439commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
73440Author: Brad Spengler <spender@grsecurity.net>
73441Date: Tue Jul 30 00:08:21 2013 -0400
73442
73443 more compile fixes
73444
73445 grsecurity/gracl.c | 28 ++++++++++++++--------------
73446 1 files changed, 14 insertions(+), 14 deletions(-)
73447
73448commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
73449Author: Brad Spengler <spender@grsecurity.net>
73450Date: Mon Jul 29 23:59:50 2013 -0400
73451
73452 more compile fixes
73453
73454 grsecurity/gracl.c | 10 +++++++++-
73455 1 files changed, 9 insertions(+), 1 deletions(-)
73456
73457commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
73458Author: Brad Spengler <spender@grsecurity.net>
73459Date: Mon Jul 29 23:56:47 2013 -0400
73460
73461 additional compile fixes
73462
73463 grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
73464 1 files changed, 49 insertions(+), 10 deletions(-)
73465
73466commit ac695a081d1124fb28bec46814535d34c5e40611
73467Author: Brad Spengler <spender@grsecurity.net>
73468Date: Mon Jul 29 23:47:15 2013 -0400
73469
73470 fix typo
73471
73472 grsecurity/gracl.c | 2 +-
73473 1 files changed, 1 insertions(+), 1 deletions(-)
73474
73475commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
73476Author: Brad Spengler <spender@grsecurity.net>
73477Date: Mon Jul 29 23:46:59 2013 -0400
73478
73479 compile fixes
73480
73481 grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
73482 1 files changed, 39 insertions(+), 14 deletions(-)
73483
73484commit 82631f451cc7432b6c5578cf8d24155473feb25c
73485Author: Brad Spengler <spender@grsecurity.net>
73486Date: Mon Jul 29 23:22:44 2013 -0400
73487
73488 Initial commit of compat RBAC loading
73489 Permits 32bit gradm to load policy for a 64bit kernel
73490
73491 Also removed code duplication for copying strings into the kernel
73492
73493 Work performed as part of sponsorship
73494
73495 grsecurity/Makefile | 4 +
73496 grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
73497 grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
73498 include/linux/gracl_compat.h | 156 +++++++++++++++++++++
73499 4 files changed, 603 insertions(+), 142 deletions(-)
73500
73501commit 84c4a433dfb096e4a1162ee5e68025122c70b421
73502Merge: c9d3ed3 9fe5897
73503Author: Brad Spengler <spender@grsecurity.net>
73504Date: Mon Jul 29 17:08:56 2013 -0400
73505
73506 Merge branch 'pax-test' into grsec-test
73507
73508commit 9fe58978938e357642885866ca48090a7753d403
73509Merge: 8f693ad 6f7bb6b
73510Author: Brad Spengler <spender@grsecurity.net>
73511Date: Mon Jul 29 17:08:43 2013 -0400
73512
73513 Merge branch 'linux-3.10.y' into pax-test
73514
73515commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
73516Merge: d5e5bfd 8f693ad
73517Author: Brad Spengler <spender@grsecurity.net>
73518Date: Sun Jul 28 10:03:08 2013 -0400
73519
73520 Merge branch 'pax-test' into grsec-test
73521
73522commit 8f693ade9b3e448f92706d34148b00a087637f70
73523Author: Brad Spengler <spender@grsecurity.net>
73524Date: Sun Jul 28 10:02:16 2013 -0400
73525
73526 Update to pax-linux-3.10.3-test5.patch:
73527 - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
73528 - fixed handling of faulting userland accesses for UDEREF/arm, from spender
73529 - updated the size overflow hash table, from Emese
73530
73531 arch/arm/kernel/entry-armv.S | 3 +-
73532 arch/x86/include/asm/processor.h | 4 +-
73533 arch/x86/kernel/cpu/common.c | 2 +-
73534 arch/x86/kernel/process_64.c | 2 +-
73535 arch/x86/kernel/smpboot.c | 2 +-
73536 arch/x86/xen/smp.c | 2 +-
73537 tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++----
73538 7 files changed, 513 insertions(+), 55 deletions(-)
73539
73540commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
73541Merge: 19e077b 8a8a0d0
73542Author: Brad Spengler <spender@grsecurity.net>
73543Date: Thu Jul 25 21:05:18 2013 -0400
73544
73545 Merge branch 'pax-test' into grsec-test
73546
73547commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
73548Author: Brad Spengler <spender@grsecurity.net>
73549Date: Thu Jul 25 21:04:09 2013 -0400
73550
73551 Update to pax-linux-3.10.3-test4.patch:
73552 - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
73553 this is finer grained sanitization than the existing per-page based approach (which
73554 is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
73555 line option can be used to enable/disable it on boot (it's enabled by default when
73556 CONFIG_PAX_MEMORY_SANITIZE is enabled).
73557
73558 Documentation/kernel-parameters.txt | 4 ++++
73559 fs/buffer.c | 2 +-
73560 fs/dcache.c | 3 ++-
73561 include/linux/slab.h | 7 +++++++
73562 include/linux/slab_def.h | 4 ++++
73563 kernel/fork.c | 2 +-
73564 mm/rmap.c | 6 ++++--
73565 mm/slab.c | 27 +++++++++++++++++++++++++++
73566 mm/slab.h | 12 +++++++++++-
73567 mm/slab_common.c | 14 ++++++++++++++
73568 mm/slob.c | 5 +++++
73569 mm/slub.c | 11 +++++++++++
73570 net/core/skbuff.c | 6 ++++--
73571 security/Kconfig | 23 +++++++++++++++++------
73572 14 files changed, 112 insertions(+), 14 deletions(-)
73573
73574commit 19e077bfff54ca211d0142c07cb6dd88069a390c
73575Merge: 960ec51 c8f7f51
73576Author: Brad Spengler <spender@grsecurity.net>
73577Date: Thu Jul 25 19:53:34 2013 -0400
73578
73579 Merge branch 'pax-test' into grsec-test
73580
73581commit c8f7f51591207b82530214300e86277028919286
73582Merge: d5142e3 81a4648
73583Author: Brad Spengler <spender@grsecurity.net>
73584Date: Thu Jul 25 19:52:29 2013 -0400
73585
73586 Update to pax-linux-3.10.3-test3.patch:
73587 - fixed some compile issues reported by Michael Tremer and spender
73588 - fixed an i386 regression with the lower address space gap on i386, reported by cnu
73589
73590 Merge branch 'linux-3.10.y' into pax-test
73591
73592 Conflicts:
73593 kernel/time/tick-broadcast.c
73594
73595commit 960ec51ab2142544fbae563d4fd5744775408965
73596Author: Al Viro <viro@zeniv.linux.org.uk>
73597Date: Sat Jul 20 03:13:55 2013 +0400
73598
73599 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
73600
73601 livelock avoidance in sget()
73602
73603 Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
73604 to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
73605 ->s_active is 1. Along comes two more processes, trying to mount the same
73606 thing; sget() in each is picking that superblock, bumping ->s_count and
73607 trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
73608 finally gets to deactivate_locked_super() on failure; ->s_active is 2,
73609 superblock is still ->fs_supers because shutdown will *not* happen until
73610 ->s_active hits 0. ->s_umount is dropped and now we have two processes
73611 chasing each other:
73612 s_active = 2, A acquired ->s_umount, B blocked
73613 A sees that the damn thing is stillborn, does deactivate_locked_super()
73614 s_active = 1, A drops ->s_umount, B gets it
73615 A restarts the search and finds the same superblock. And bumps it ->s_active.
73616 s_active = 2, B holds ->s_umount, A blocked on trying to get it
73617 ... and we are in the earlier situation with A and B switched places.
73618
73619 The root cause, of course, is that ->s_active should not grow until we'd
73620 got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
73621 shut the damn thing down. Fortunately, it's easy to do - the key point
73622 is that grab_super() is called only for superblocks currently on ->fs_supers,
73623 so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
73624 bump ->s_active; we must never increment ->s_count for superblocks past
73625 ->kill_sb(), but grab_super() is never called for those.
73626
73627 The bug is pretty old; we would've caught it by now, if not for accidental
73628 exclusion between sget() for block filesystems; the things like cgroup or
73629 e.g. mtd-based filesystems don't have anything of that sort, so they get
73630 bitten. The right way to deal with that is obviously to fix sget()...
73631
73632 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
73633
73634 fs/super.c | 25 ++++++++++---------------
73635 1 files changed, 10 insertions(+), 15 deletions(-)
73636
73637commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
73638Merge: ab95b58 d5142e3
73639Author: Brad Spengler <spender@grsecurity.net>
73640Date: Sun Jul 21 22:47:46 2013 -0400
73641
73642 Merge branch 'pax-test' into grsec-test
73643
73644commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
73645Merge: f36ae8c 0f4a56e
73646Author: Brad Spengler <spender@grsecurity.net>
73647Date: Sun Jul 21 22:47:34 2013 -0400
73648
73649 Merge branch 'linux-3.10.y' into pax-test
73650
73651commit ab95b5842899d61ff5c30f4582e72029b3155be8
73652Author: Brad Spengler <spender@grsecurity.net>
73653Date: Sun Jul 21 22:28:40 2013 -0400
73654
73655 compile fix with constification reported by Michael Tremer
73656
73657 drivers/gpu/host1x/drm/dc.c | 2 +-
73658 1 files changed, 1 insertions(+), 1 deletions(-)
73659
73660commit 817cd2d1e7a55720326599dd8f542578eef30927
73661Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
73662Date: Fri Jul 12 23:46:33 2013 +0200
73663
73664 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
73665
73666 ipv6: only static routes qualify for equal cost multipathing
73667
73668 Static routes in this case are non-expiring routes which did not get
73669 configured by autoconf or by icmpv6 redirects.
73670
73671 To make sure we actually get an ecmp route while searching for the first
73672 one in this fib6_node's leafs, also make sure it matches the ecmp route
73673 assumptions.
73674
73675 v2:
73676 a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
73677 already ensures that this route, even if added again without
73678 RTF_EXPIRES (in case of a RA announcement with infinite timeout),
73679 does not cause the rt6i_nsiblings logic to go wrong if a later RA
73680 updates the expiration time later.
73681
73682 v3:
73683 a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
73684 because an pmtu event could update the RTF_EXPIRES flag and we would
73685 not count this route, if another route joins this set. We now filter
73686 only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
73687 don't get changed after rt6_info construction.
73688
73689 Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
73690 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
73691 Signed-off-by: David S. Miller <davem@davemloft.net>
73692
73693 net/ipv6/ip6_fib.c | 15 +++++++++++----
73694 1 files changed, 11 insertions(+), 4 deletions(-)
73695
73696commit 77db8196d51b043e2e2d124094da101b0f01bccb
73697Author: Dan Carpenter <dan.carpenter@oracle.com>
73698Date: Fri Jul 12 09:39:03 2013 +0300
73699
73700 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
73701
73702 svcrdma: underflow issue in decode_write_list()
73703
73704 My static checker marks everything from ntohl() as untrusted and it
73705 complains we could have an underflow problem doing:
73706
73707 return (u32 *)&ary->wc_array[nchunks];
73708
73709 Also on 32 bit systems the upper bound check could overflow.
73710
73711 Cc: stable@vger.kernel.org
73712 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
73713 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
73714
73715 net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
73716 1 files changed, 14 insertions(+), 6 deletions(-)
73717
73718commit 926473317fd7953137ef97835edd36dabc584b01
73719Author: Brad Spengler <spender@grsecurity.net>
73720Date: Wed Jul 17 21:29:02 2013 -0400
73721
73722 add missing asm/pgtable.h include, reported by Michael Tremer
73723
73724 drivers/clk/socfpga/clk.c | 1 +
73725 1 files changed, 1 insertions(+), 0 deletions(-)
73726
73727commit c592ae0001b31932ef1491784dfa374058797c66
73728Author: Brad Spengler <spender@grsecurity.net>
73729Date: Tue Jul 16 20:40:24 2013 -0400
73730
73731 allow viewing of ecryptfs version under SYSFS_RESTRICT
73732
73733 fs/sysfs/dir.c | 2 +-
73734 1 files changed, 1 insertions(+), 1 deletions(-)
73735
73736commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
73737Merge: 9c96441 f36ae8c
73738Author: Brad Spengler <spender@grsecurity.net>
73739Date: Sun Jul 14 19:23:13 2013 -0400
73740
73741 Merge branch 'pax-test' into grsec-test
73742
73743commit f36ae8c741ae32b1caff10825be12c327792c925
73744Author: Brad Spengler <spender@grsecurity.net>
73745Date: Sun Jul 14 19:22:15 2013 -0400
73746
73747 Update to pax-linux-3.10-test2.patch:
73748 - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
73749 - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
73750 - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
73751 - spender fixed an madvise regression, reported by Peter Keel
73752 - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
73753 - fixed a headers_install regression, reported by Mathias Krause
73754 - fixed a SLOB compile regression, reported by Mathias Krause
73755
73756 arch/arm/include/asm/uaccess.h | 4 ++--
73757 arch/arm/mm/mmu.c | 15 +++++++++++++--
73758 drivers/clk/socfpga/clk.c | 6 ++++--
73759 mm/madvise.c | 4 ++--
73760 mm/slab.c | 4 ++--
73761 mm/slob.c | 4 ++--
73762 scripts/headers_install.sh | 2 +-
73763 7 files changed, 26 insertions(+), 13 deletions(-)
73764
73765commit 9c9644156a49637050741d9165df79174e59b0ef
73766Author: Brad Spengler <spender@grsecurity.net>
73767Date: Sun Jul 14 19:19:54 2013 -0400
73768
73769 Fix sparc64 compilation, reported by Blake Self
73770
73771 arch/sparc/kernel/sys_sparc_64.c | 4 ++--
73772 1 files changed, 2 insertions(+), 2 deletions(-)
73773
73774commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
73775Author: Brad Spengler <spender@grsecurity.net>
73776Date: Sun Jul 14 11:49:17 2013 -0400
73777
73778 Update PaX fix, just return the error
73779
73780 mm/madvise.c | 15 +++++++--------
73781 1 files changed, 7 insertions(+), 8 deletions(-)
73782
73783commit a10e377d0eddd37e8a3665b135e546ab03d9d171
73784Author: Brad Spengler <spender@grsecurity.net>
73785Date: Sun Jul 14 11:36:00 2013 -0400
73786
73787 Fix madvise oops reported by Peter Keel
73788
73789 mm/madvise.c | 11 ++++++-----
73790 1 files changed, 6 insertions(+), 5 deletions(-)
73791
73792commit 08c5adca34d408772255b313f90d82c250c1d967
73793Author: Brad Spengler <spender@grsecurity.net>
73794Date: Sun Jul 14 11:26:34 2013 -0400
73795
73796 don't make high vector mapping non-present on old ARM architectures, no
73797 point in emulating some vector entries when the processor doesn't even support XN
73798
73799 arch/arm/mm/mmu.c | 7 +++++--
73800 1 files changed, 5 insertions(+), 2 deletions(-)
73801
73802commit 2b40781d4197a89a003616af584884e36361c5b2
73803Author: Brad Spengler <spender@grsecurity.net>
73804Date: Sun Jul 14 09:51:58 2013 -0400
73805
73806 Temporary compile fix for code incorrectly modifying const data
73807 Wrap a cast version of the code with open/close
73808
73809 Thanks to Michael Tremer for the report
73810
73811 drivers/clk/socfpga/clk.c | 6 ++++--
73812 1 files changed, 4 insertions(+), 2 deletions(-)
73813
73814commit a8258c1b4098c396cd4ea719e20858182feac1c1
73815Author: Brad Spengler <spender@grsecurity.net>
73816Date: Sun Jul 14 09:41:16 2013 -0400
73817
73818 Fix missing right parens in pipacs' "improvement" of my ARM code ;)
73819 Thanks to Michael Tremer for reporting
73820
73821 arch/arm/include/asm/uaccess.h | 4 ++--
73822 1 files changed, 2 insertions(+), 2 deletions(-)
73823
73824commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
73825Merge: 86f446e 2577f8e
73826Author: Brad Spengler <spender@grsecurity.net>
73827Date: Sat Jul 13 20:46:58 2013 -0400
73828
73829 Merge branch 'pax-test' into grsec-test
73830
73831 Conflicts:
73832 mm/memcontrol.c
73833
73834commit 2577f8e4ec41efb347706a59c6838de20f0c90da
73835Merge: 75a36f0 cb5d8be
73836Author: Brad Spengler <spender@grsecurity.net>
73837Date: Sat Jul 13 20:43:42 2013 -0400
73838
73839 Merge branch 'linux-3.10.y' into pax-test
73840
73841 Conflicts:
73842 crypto/algapi.c
73843 drivers/block/nbd.c
73844
73845commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
73846Author: Brad Spengler <spender@grsecurity.net>
73847Date: Fri Jul 12 23:02:11 2013 -0400
73848
73849 we always want the vector page to be noaccess for userland
73850 therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
73851 which turns into supervisor rwx, userland rx, we instead omit that entirely,
73852 leaving it as supervisor rwx only
73853
73854 Fixes booting on ARMv5 and earlier, which need to write directly
73855 to the high vector mapping via set_tls when context switching
73856
73857 Thanks to Michael Tremer for the bugreport
73858
73859 arch/arm/mm/mmu.c | 12 ++++++++++--
73860 1 files changed, 10 insertions(+), 2 deletions(-)
73861
73862commit 90cd0827eef656ec884f19c977873fefe2f2e47d
73863Author: Cong Wang <amwang@redhat.com>
73864Date: Sat Jun 29 12:02:59 2013 +0800
73865
73866 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
73867
73868 gre: fix a regression in ioctl
73869
73870 When testing GRE tunnel, I got:
73871
73872 # ip tunnel show
73873 get tunnel gre0 failed: Invalid argument
73874 get tunnel gre1 failed: Invalid argument
73875
73876 This is a regression introduced by commit c54419321455631079c7d
73877 ("GRE: Refactor GRE tunneling code.") because previously we
73878 only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
73879 after that commit, the check is moved for all commands.
73880
73881 So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
73882
73883 After this patch I got:
73884
73885 # ip tunnel show
73886 gre0: gre/ip remote any local any ttl inherit nopmtudisc
73887 gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit
73888
73889 Cc: Pravin B Shelar <pshelar@nicira.com>
73890 Cc: "David S. Miller" <davem@davemloft.net>
73891 Signed-off-by: Cong Wang <amwang@redhat.com>
73892 Signed-off-by: David S. Miller <davem@davemloft.net>
73893
73894 net/ipv4/ip_gre.c | 9 +++++----
73895 1 files changed, 5 insertions(+), 4 deletions(-)
73896
73897commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
73898Author: Cong Wang <amwang@redhat.com>
73899Date: Sat Jun 29 13:00:57 2013 +0800
73900
73901 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
73902
73903 vti: remove duplicated code to fix a memory leak
73904
73905 vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
73906 and in vti_tunnel_init(), this lead to a memory leak of
73907 dev->tstats.
73908
73909 Just remove the duplicated operations in vti_fb_tunnel_init().
73910
73911 (candidate for -stable)
73912
73913 Cc: Stephen Hemminger <stephen@networkplumber.org>
73914 Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
73915 Cc: "David S. Miller" <davem@davemloft.net>
73916 Signed-off-by: Cong Wang <amwang@redhat.com>
73917 Acked-by: Stephen Hemminger <stephen@networkplumber.org>
73918 Signed-off-by: David S. Miller <davem@davemloft.net>
73919
73920 net/ipv4/ip_vti.c | 7 -------
73921 1 files changed, 0 insertions(+), 7 deletions(-)
73922
73923commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
73924Author: Michal Schmidt <mschmidt@redhat.com>
73925Date: Mon Jul 1 17:23:05 2013 +0200
73926
73927 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
73928
73929 bnx2x: remove zeroing of dump data buffer
73930
73931 There is no need to initialize the dump data with zeros.
73932 data is allocated with vzalloc, so it's already zero-filled.
73933
73934 More importantly, the memset is harmful, because dump->len (the length
73935 requested by userspace) can be bigger than the allocated buffer (whose
73936 size is determined by asking the driver's .get_dump_flag method).
73937
73938 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
73939 Signed-off-by: David S. Miller <davem@davemloft.net>
73940
73941 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 --
73942 1 files changed, 0 insertions(+), 2 deletions(-)
73943
73944commit c771072b72c261f9bddd6734dca6979c1b96e7df
73945Author: Michal Schmidt <mschmidt@redhat.com>
73946Date: Mon Jul 1 17:23:06 2013 +0200
73947
73948 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
73949
73950 bnx2x: fix dump flag handling
73951
73952 bnx2x interprets the dump flag as an index of a register preset.
73953 It is important to validate the index to avoid out of bounds
73954 memory accesses.
73955
73956 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
73957 Signed-off-by: David S. Miller <davem@davemloft.net>
73958
73959 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++
73960 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++
73961 2 files changed, 5 insertions(+), 0 deletions(-)
73962
73963commit aed315c8fad9b2044143b46b239574b1b72135ce
73964Author: Michal Schmidt <mschmidt@redhat.com>
73965Date: Mon Jul 1 17:23:30 2013 +0200
73966
73967 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
73968
73969 ethtool: make .get_dump_data() harder to misuse by drivers
73970
73971 As the patch "bnx2x: remove zeroing of dump data buffer" showed,
73972 it is too easy implement .get_dump_data incorrectly in a driver.
73973
73974 Let's make sure drivers cannot get confused by userspace requesting
73975 a too big dump.
73976
73977 Also WARN if the driver sets dump->len to something weird and make
73978 sure the length reported to userspace is the actual length of data
73979 copied to userspace.
73980
73981 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
73982 Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
73983 Signed-off-by: David S. Miller <davem@davemloft.net>
73984
73985 net/core/ethtool.c | 21 ++++++++++++++++++++-
73986 1 files changed, 20 insertions(+), 1 deletions(-)
73987
73988commit 5c57991e66216e386dcc875d34c33f0edd038569
73989Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
73990Date: Tue Jul 2 09:02:07 2013 +0800
73991
73992 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
73993
73994 l2tp: add missing .owner to struct pppox_proto
73995
73996 Add missing .owner of struct pppox_proto. This prevents the
73997 module from being removed from underneath its users.
73998
73999 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
74000 Signed-off-by: David S. Miller <davem@davemloft.net>
74001
74002 net/l2tp/l2tp_ppp.c | 3 ++-
74003 1 files changed, 2 insertions(+), 1 deletions(-)
74004
74005commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
74006Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
74007Date: Sun Jun 30 14:37:11 2013 +1000
74008
74009 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
74010
74011 cxgb3: Missing rtnl lock in error recovery
74012
74013 When exercising error injection on IBM pseries machine, I hit the
74014 following warning:
74015
74016 [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
74017 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
74018 [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
74019 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
74020 [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
74021 [ 254.895474] Call Trace:
74022 [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
74023 [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
74024 [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
74025 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
74026 [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
74027 [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
74028 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
74029 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
74030 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
74031 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
74032 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
74033
74034 It appears that t3_resume_ports() is called with the rtnl_lock held from
74035 the fatal error task but not from the PCI error callbacks. This fixes it.
74036
74037 Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
74038 Signed-off-by: David S. Miller <davem@davemloft.net>
74039
74040 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
74041 1 files changed, 2 insertions(+), 0 deletions(-)
74042
74043commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
74044Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
74045Date: Mon Jul 1 20:21:30 2013 +0200
74046
74047 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
74048
74049 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
74050
74051 We accidentally call down to ip6_push_pending_frames when uncorking
74052 pending AF_INET data on a ipv6 socket. This results in the following
74053 splat (from Dave Jones):
74054
74055 skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
74056 ------------[ cut here ]------------
74057 kernel BUG at net/core/skbuff.c:126!
74058 invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
74059 Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
74060 +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
74061 CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
74062 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
74063 RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
74064 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
74065 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
74066 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
74067 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
74068 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
74069 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
74070 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
74071 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
74072 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
74073 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
74074 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
74075 Stack:
74076 ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
74077 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
74078 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
74079 Call Trace:
74080 [<ffffffff8159a9aa>] skb_push+0x3a/0x40
74081 [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
74082 [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
74083 [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
74084 [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
74085 [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
74086 [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
74087 [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
74088 [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
74089 [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
74090 [<ffffffff816f5d54>] tracesys+0xdd/0xe2
74091 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
74092 RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
74093 RSP <ffff8801e6431de8>
74094
74095 This patch adds a check if the pending data is of address family AF_INET
74096 and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
74097 if that is the case.
74098
74099 This bug was found by Dave Jones with trinity.
74100
74101 (Also move the initialization of fl6 below the AF_INET check, even if
74102 not strictly necessary.)
74103
74104 Cc: Dave Jones <davej@redhat.com>
74105 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
74106 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
74107 Signed-off-by: David S. Miller <davem@davemloft.net>
74108
74109 include/net/udp.h | 1 +
74110 net/ipv4/udp.c | 3 ++-
74111 net/ipv6/udp.c | 7 ++++++-
74112 3 files changed, 9 insertions(+), 2 deletions(-)
74113
74114commit cd83094a85d9bbd5a67332156407d53cf8835432
74115Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
74116Date: Tue Jul 2 08:04:05 2013 +0200
74117
74118 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
74119
74120 ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
74121
74122 If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
74123 of this when appending the second frame on a corked socket. This results
74124 in the following splat:
74125
74126 [37598.993962] ------------[ cut here ]------------
74127 [37598.994008] kernel BUG at net/core/skbuff.c:2064!
74128 [37598.994008] invalid opcode: 0000 [#1] SMP
74129 [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
74130 +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
74131 +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
74132 [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
74133 +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
74134 [37598.994008] CPU 0
74135 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
74136 [37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
74137 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
74138 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
74139 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
74140 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
74141 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
74142 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
74143 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
74144 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
74145 [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
74146 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
74147 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
74148 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
74149 [37598.994008] Stack:
74150 [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
74151 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
74152 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
74153 [37598.994008] Call Trace:
74154 [37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
74155 [37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
74156 [37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
74157 [37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
74158 [37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
74159 [37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
74160 [37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
74161 [37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
74162 [37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
74163 [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
74164 [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
74165 [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
74166 [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
74167 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
74168 [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
74169 [37598.994008] RSP <ffff88003670da18>
74170 [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
74171
74172 While there, also check if path mtu discovery is activated for this
74173 socket. The logic was adapted from ip6_append_data when first writing
74174 on the corked socket.
74175
74176 This bug was introduced with commit
74177 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
74178 fragment").
74179
74180 v2:
74181 a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
74182 b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
74183 feng, thanks!).
74184 c) Change mtu to unsigned int, else we get a warning about
74185 non-matching types because of the min()-macro type-check.
74186
74187 Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
74188 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
74189 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
74190 Signed-off-by: David S. Miller <davem@davemloft.net>
74191
74192 net/ipv6/ip6_output.c | 16 ++++++++++------
74193 1 files changed, 10 insertions(+), 6 deletions(-)
74194
74195commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
74196Author: Michael S. Tsirkin <mst@redhat.com>
74197Date: Sun Jul 7 14:26:53 2013 +0300
74198
74199 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
74200
74201 vhost-net: fix use-after-free in vhost_net_flush
74202
74203 vhost_net_ubuf_put_and_wait has a confusing name:
74204 it will actually also free it's argument.
74205 Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
74206 "vhost-net: flush outstanding DMAs on memory change"
74207 vhost_net_flush tries to use the argument after passing it
74208 to vhost_net_ubuf_put_and_wait, this results
74209 in use after free.
74210 To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
74211 add an new API for callers that want to free ubufs.
74212
74213 Acked-by: Asias He <asias@redhat.com>
74214 Acked-by: Jason Wang <jasowang@redhat.com>
74215 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
74216 Signed-off-by: David S. Miller <davem@davemloft.net>
74217
74218 drivers/vhost/net.c | 9 +++++++--
74219 1 files changed, 7 insertions(+), 2 deletions(-)
74220
74221commit 088806db74ac2f08c106202bc5498585a9ee529f
74222Author: Michal Hocko <mhocko@suse.cz>
74223Date: Mon Jul 8 16:00:29 2013 -0700
74224
74225 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
74226
74227 memcg, kmem: fix reference count handling on the error path
74228
74229 mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
74230 This is not correct because only memcg_propagate_kmem takes an
74231 additional reference while mem_cgroup_sockets_init is allowed to fail as
74232 well (although no current implementation fails) but it doesn't take any
74233 reference. This all suggests that it should be memcg_propagate_kmem
74234 that should clean up after itself so this patch moves mem_cgroup_put
74235 over there.
74236
74237 Unfortunately this is not that easy (as pointed out by Li Zefan) because
74238 memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
74239 marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
74240 memcg_propagate_kmem fails so the additional reference is dropped in
74241 that case in kmem_cgroup_destroy which means that the reference would be
74242 dropped two times.
74243
74244 The easiest way then would be to simply remove mem_cgrroup_put from
74245 mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
74246 thing.
74247
74248 Signed-off-by: Michal Hocko <mhocko@suse.cz>
74249 Signed-off-by: Li Zefan <lizefan@huawei.com>
74250 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
74251 Cc: Hugh Dickins <hughd@google.com>
74252 Cc: Tejun Heo <tj@kernel.org>
74253 Cc: Glauber Costa <glommer@openvz.org>
74254 Cc: Johannes Weiner <hannes@cmpxchg.org>
74255 Cc: <stable@vger.kernel.org> [3.8]
74256 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
74257 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
74258
74259 mm/memcontrol.c | 8 --------
74260 1 files changed, 0 insertions(+), 8 deletions(-)
74261
74262commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
74263Author: Michal Hocko <mhocko@suse.cz>
74264Date: Mon Jul 8 16:00:27 2013 -0700
74265
74266 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
74267
74268 Revert "memcg: avoid dangling reference count in creation failure"
74269
74270 This reverts commit e4715f01be697a.
74271
74272 mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
74273 an additional reference from all parents so the additional
74274 mem_cgrroup_put(parent) potentially causes use-after-free.
74275
74276 Signed-off-by: Michal Hocko <mhocko@suse.cz>
74277 Signed-off-by: Li Zefan <lizefan@huawei.com>
74278 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
74279 Cc: Hugh Dickins <hughd@google.com>
74280 Cc: Tejun Heo <tj@kernel.org>
74281 Cc: Glauber Costa <glommer@openvz.org>
74282 Cc: Johannes Weiner <hannes@cmpxchg.org>
74283 Cc: <stable@vger.kernel.org> [3.9+]
74284 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
74285 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
74286
74287 mm/memcontrol.c | 2 --
74288 1 files changed, 0 insertions(+), 2 deletions(-)
74289
74290commit 3267ec559f48327a1836eccecd53215afc5810d0
74291Author: Tyler Hicks <tyhicks@canonical.com>
74292Date: Thu Jun 20 13:13:59 2013 -0700
74293
74294 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
74295
74296 libceph: Fix NULL pointer dereference in auth client code
74297
74298 A malicious monitor can craft an auth reply message that could cause a
74299 NULL function pointer dereference in the client's kernel.
74300
74301 To prevent this, the auth_none protocol handler needs an empty
74302 ceph_auth_client_ops->build_request() function.
74303
74304 CVE-2013-1059
74305
74306 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
74307 Reported-by: Chanam Park <chanam.park@hkpco.kr>
74308 Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
74309 Reviewed-by: Sage Weil <sage@inktank.com>
74310 Cc: stable@vger.kernel.org
74311
74312 net/ceph/auth_none.c | 6 ++++++
74313 1 files changed, 6 insertions(+), 0 deletions(-)
74314
74315commit cdfeb4049e7cb38702215b2c356ce0407974ac79
74316Author: Eric Paris <eparis@redhat.com>
74317Date: Wed Jul 3 15:08:29 2013 -0700
74318
74319 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
74320
74321 fork: reorder permissions when violating number of processes limits
74322
74323 When a task is attempting to violate the RLIMIT_NPROC limit we have a
74324 check to see if the task is sufficiently priviledged. The check first
74325 looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
74326
74327 A result is that tasks which are allowed by the uid=0 check are first
74328 checked against the security subsystem. This results in the security
74329 subsystem auditting a denial for sys_admin and sys_resource and then the
74330 task passing the uid=0 check.
74331
74332 This patch rearranges the code to first check uid=0, since if we pass that
74333 we shouldn't hit the security system at all. We then check sys_resource,
74334 since it is the smallest capability which will solve the problem. Lastly
74335 we check the fallback everything cap_sysadmin. We don't want to give this
74336 capability many places since it is so powerful.
74337
74338 This will eliminate many of the false positive/needless denial messages we
74339 get when a root task tries to violate the nproc limit. (note that
74340 kthreads count against root, so on a sufficiently large machine we can
74341 actually get past the default limits before any userspace tasks are
74342 launched.)
74343
74344 Signed-off-by: Eric Paris <eparis@redhat.com>
74345 Cc: Al Viro <viro@zeniv.linux.org.uk>
74346 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
74347 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
74348
74349 kernel/fork.c | 4 ++--
74350 1 files changed, 2 insertions(+), 2 deletions(-)
74351
74352commit 08c87e049c8a50707908785d950fd48c334f4c09
74353Author: Chen Gang <gang.chen@asianux.com>
74354Date: Sat Jun 22 13:26:09 2013 +0800
74355
74356 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
74357
74358 arch: sparc: kernel: check the memory length before use strcpy().
74359
74360 For the related next strcpy(), the destination length is less than 512,
74361 but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
74362 more than 512.
74363
74364 One work flow may:
74365 openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT)
74366 getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
74367 opromsetopt() -> devide the buffer into 'var' and 'value'
74368 of_set_property() -> pass
74369 prom_setprop() -> pass
74370 ldom_set_var()
74371
74372 And do not mind the additional 4 alignment buffer increasing, since
74373 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
74374
74375 Signed-off-by: Chen Gang <gang.chen@asianux.com>
74376 Signed-off-by: David S. Miller <davem@davemloft.net>
74377
74378 arch/sparc/kernel/ds.c | 10 ++++++++++
74379 1 files changed, 10 insertions(+), 0 deletions(-)
74380
74381commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
74382Author: Brad Spengler <spender@grsecurity.net>
74383Date: Fri Jul 12 20:38:45 2013 -0400
74384
74385 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
74386
74387 Unlike slub, slab can initally create two of the kmalloc_caches
74388 which will be used later for generic kmallocs of their particular
74389 aligned size (since the later loop in the unified allocator code
74390 skips any already-existing kmalloc_caches)
74391
74392 mm/slab.c | 4 ++--
74393 1 files changed, 2 insertions(+), 2 deletions(-)
74394
74395commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
74396Author: Brad Spengler <spender@grsecurity.net>
74397Date: Tue Jul 9 22:04:59 2013 -0400
74398
74399 compile fixes
74400
74401 fs/exec.c | 2 +-
74402 mm/mmap.c | 4 ++--
74403 2 files changed, 3 insertions(+), 3 deletions(-)
74404
74405commit e2d027c7e0f106be683c0c72482b8285daefcbe6
74406Author: Brad Spengler <spender@grsecurity.net>
74407Date: Tue Jul 9 20:58:40 2013 -0400
74408
74409 commit successful merges
74410
74411 Documentation/kernel-parameters.txt | 4 +
74412 Makefile | 8 +-
74413 arch/alpha/include/asm/cache.h | 4 +-
74414 arch/alpha/kernel/osf_sys.c | 12 +-
74415 arch/arm/include/asm/thread_info.h | 3 +-
74416 arch/arm/kernel/ptrace.c | 9 +
74417 arch/arm/kernel/traps.c | 7 +-
74418 arch/arm/mm/fault.c | 29 +-
74419 arch/arm/mm/mmap.c | 8 +-
74420 arch/avr32/include/asm/cache.h | 4 +-
74421 arch/blackfin/include/asm/cache.h | 3 +-
74422 arch/cris/include/arch-v10/arch/cache.h | 3 +-
74423 arch/cris/include/arch-v32/arch/cache.h | 3 +-
74424 arch/frv/include/asm/cache.h | 3 +-
74425 arch/frv/mm/elf-fdpic.c | 4 +-
74426 arch/hexagon/include/asm/cache.h | 6 +-
74427 arch/ia64/include/asm/cache.h | 3 +-
74428 arch/ia64/kernel/sys_ia64.c | 2 +
74429 arch/ia64/mm/hugetlbpage.c | 2 +
74430 arch/m32r/include/asm/cache.h | 4 +-
74431 arch/m68k/include/asm/cache.h | 4 +-
74432 arch/metag/mm/hugetlbpage.c | 1 +
74433 arch/microblaze/include/asm/cache.h | 3 +-
74434 arch/mips/include/asm/cache.h | 3 +-
74435 arch/mips/include/asm/thread_info.h | 9 +-
74436 arch/mips/kernel/ptrace.c | 9 +
74437 arch/mips/kernel/scall32-o32.S | 2 +-
74438 arch/mips/kernel/scall64-64.S | 2 +-
74439 arch/mips/kernel/scall64-n32.S | 2 +-
74440 arch/mips/kernel/scall64-o32.S | 2 +-
74441 arch/mips/mm/mmap.c | 4 +-
74442 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
74443 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
74444 arch/openrisc/include/asm/cache.h | 4 +-
74445 arch/parisc/include/asm/cache.h | 5 +-
74446 arch/parisc/kernel/sys_parisc.c | 17 +-
74447 arch/powerpc/include/asm/cache.h | 3 +-
74448 arch/powerpc/kernel/process.c | 10 +-
74449 arch/powerpc/kernel/ptrace.c | 14 +
74450 arch/powerpc/kernel/traps.c | 5 +
74451 arch/s390/include/asm/cache.h | 4 +-
74452 arch/score/include/asm/cache.h | 4 +-
74453 arch/sh/include/asm/cache.h | 3 +-
74454 arch/sh/mm/mmap.c | 6 +-
74455 arch/sparc/include/asm/cache.h | 4 +-
74456 arch/sparc/include/asm/thread_info_64.h | 9 +-
74457 arch/sparc/kernel/process_32.c | 6 +-
74458 arch/sparc/kernel/process_64.c | 4 +-
74459 arch/sparc/kernel/ptrace_64.c | 14 +
74460 arch/sparc/kernel/sys_sparc_64.c | 8 +-
74461 arch/sparc/kernel/syscalls.S | 8 +-
74462 arch/sparc/kernel/traps_32.c | 8 +-
74463 arch/sparc/kernel/traps_64.c | 28 +-
74464 arch/sparc/kernel/unaligned_64.c | 2 +-
74465 arch/sparc/mm/fault_64.c | 2 +-
74466 arch/sparc/mm/hugetlbpage.c | 3 +-
74467 arch/tile/include/asm/cache.h | 3 +-
74468 arch/tile/mm/hugetlbpage.c | 2 +
74469 arch/um/defconfig | 1 -
74470 arch/um/include/asm/cache.h | 3 +-
74471 arch/unicore32/include/asm/cache.h | 6 +-
74472 arch/x86/Kconfig | 5 +-
74473 arch/x86/ia32/ia32_aout.c | 2 +
74474 arch/x86/include/asm/thread_info.h | 8 +-
74475 arch/x86/kernel/dumpstack.c | 8 +
74476 arch/x86/kernel/entry_32.S | 2 +-
74477 arch/x86/kernel/entry_64.S | 2 +-
74478 arch/x86/kernel/ioport.c | 13 +
74479 arch/x86/kernel/ptrace.c | 14 +
74480 arch/x86/kernel/signal.c | 9 +-
74481 arch/x86/kernel/smpboot.c | 3 +
74482 arch/x86/kernel/sys_i386_32.c | 9 +-
74483 arch/x86/kernel/sys_x86_64.c | 8 +-
74484 arch/x86/kernel/verify_cpu.S | 1 +
74485 arch/x86/kernel/vm86_32.c | 1 +
74486 arch/x86/mm/fault.c | 12 +-
74487 arch/x86/mm/hugetlbpage.c | 15 +-
74488 arch/x86/mm/init.c | 66 +-
74489 arch/x86/net/bpf_jit_comp.c | 129 +-
74490 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
74491 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
74492 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
74493 drivers/block/cciss.c | 2 +
74494 drivers/block/cpqarray.c | 1 +
74495 drivers/cdrom/cdrom.c | 4 +-
74496 drivers/char/Kconfig | 4 +-
74497 drivers/char/genrtc.c | 1 +
74498 drivers/char/mem.c | 17 +
74499 drivers/char/mwave/tp3780i.c | 1 +
74500 drivers/char/random.c | 12 +
74501 drivers/gpu/drm/drm_info.c | 4 +
74502 drivers/hid/hid-wiimote-debug.c | 2 +-
74503 drivers/media/radio/radio-cadet.c | 2 +-
74504 drivers/message/fusion/mptbase.c | 9 +
74505 drivers/net/bonding/bond_main.c | 2 +-
74506 drivers/net/phy/mdio-bitbang.c | 1 +
74507 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
74508 drivers/pci/proc.c | 9 +
74509 drivers/rtc/rtc-dev.c | 3 +
74510 drivers/tty/sysrq.c | 2 +-
74511 drivers/tty/vt/keyboard.c | 22 +-
74512 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------
74513 drivers/xen/xenfs/xenstored.c | 5 +
74514 fs/attr.c | 1 +
74515 fs/autofs4/waitq.c | 9 +
74516 fs/binfmt_aout.c | 7 +
74517 fs/binfmt_elf.c | 8 +-
74518 fs/btrfs/ioctl.c | 6 +-
74519 fs/compat.c | 20 +-
74520 fs/coredump.c | 9 +-
74521 fs/debugfs/inode.c | 4 +
74522 fs/exec.c | 184 ++-
74523 fs/ext2/balloc.c | 4 +-
74524 fs/ext3/balloc.c | 4 +-
74525 fs/ext4/resize.c | 17 +-
74526 fs/fcntl.c | 5 +
74527 fs/file.c | 4 +
74528 fs/filesystems.c | 4 +
74529 fs/fs_struct.c | 13 +-
74530 fs/hugetlbfs/inode.c | 5 +-
74531 fs/namei.c | 234 ++-
74532 fs/namespace.c | 16 +
74533 fs/notify/fanotify/fanotify_user.c | 1 +
74534 fs/open.c | 38 +
74535 fs/proc/Kconfig | 10 +-
74536 fs/proc/array.c | 59 +-
74537 fs/proc/base.c | 168 ++-
74538 fs/proc/cmdline.c | 4 +
74539 fs/proc/devices.c | 4 +
74540 fs/proc/fd.c | 17 +-
74541 fs/proc/inode.c | 4 +
74542 fs/proc/kcore.c | 3 +
74543 fs/proc/proc_net.c | 12 +
74544 fs/proc/proc_sysctl.c | 43 +-
74545 fs/proc/root.c | 8 +
74546 fs/proc/task_mmu.c | 75 +-
74547 fs/readdir.c | 19 +
74548 fs/select.c | 2 +
74549 fs/seq_file.c | 12 +-
74550 fs/stat.c | 19 +-
74551 fs/sysfs/dir.c | 12 +
74552 fs/utimes.c | 7 +
74553 fs/xattr.c | 19 +-
74554 include/linux/capability.h | 5 +
74555 include/linux/cred.h | 3 +
74556 include/linux/fs.h | 10 +
74557 include/linux/fsnotify.h | 6 +
74558 include/linux/kallsyms.h | 14 +-
74559 include/linux/kmod.h | 2 +
74560 include/linux/mm.h | 1 +
74561 include/linux/perf_event.h | 13 +-
74562 include/linux/printk.h | 3 +-
74563 include/linux/sched.h | 24 +-
74564 include/linux/security.h | 1 +
74565 include/linux/seq_file.h | 3 +
74566 include/linux/shm.h | 4 +
74567 include/linux/skbuff.h | 3 +
74568 include/linux/slab.h | 9 -
74569 include/linux/sysctl.h | 2 +
74570 include/linux/thread_info.h | 2 +
74571 include/linux/uidgid.h | 5 +
74572 include/linux/vermagic.h | 9 +-
74573 include/uapi/linux/personality.h | 1 +
74574 init/Kconfig | 3 +-
74575 init/main.c | 14 +
74576 ipc/mqueue.c | 1 +
74577 ipc/shm.c | 28 +
74578 kernel/capability.c | 39 +-
74579 kernel/cgroup.c | 2 +-
74580 kernel/compat.c | 1 +
74581 kernel/configs.c | 11 +
74582 kernel/cred.c | 110 +-
74583 kernel/events/core.c | 14 +-
74584 kernel/exit.c | 10 +-
74585 kernel/fork.c | 41 +-
74586 kernel/futex.c | 1 +
74587 kernel/kallsyms.c | 9 +
74588 kernel/kcmp.c | 4 +
74589 kernel/kmod.c | 64 +-
74590 kernel/kprobes.c | 4 +-
74591 kernel/ksysfs.c | 2 +
74592 kernel/lockdep_proc.c | 10 +-
74593 kernel/module.c | 81 +-
74594 kernel/panic.c | 2 +-
74595 kernel/pid.c | 19 +-
74596 kernel/posix-timers.c | 7 +
74597 kernel/printk.c | 5 +
74598 kernel/ptrace.c | 20 +-
74599 kernel/resource.c | 10 +
74600 kernel/sched/core.c | 6 +-
74601 kernel/signal.c | 37 +-
74602 kernel/sys.c | 45 +-
74603 kernel/sysctl.c | 70 +-
74604 kernel/taskstats.c | 6 +
74605 kernel/time.c | 5 +
74606 kernel/time/timekeeping.c | 1 +
74607 kernel/time/timer_list.c | 12 +
74608 kernel/time/timer_stats.c | 10 +-
74609 lib/Kconfig.debug | 5 +-
74610 lib/is_single_threaded.c | 3 +
74611 mm/Kconfig | 4 +-
74612 mm/filemap.c | 1 +
74613 mm/kmemleak.c | 4 +-
74614 mm/mempolicy.c | 12 +-
74615 mm/migrate.c | 3 +-
74616 mm/mlock.c | 3 +
74617 mm/mmap.c | 63 +-
74618 mm/mprotect.c | 8 +
74619 mm/process_vm_access.c | 6 +
74620 mm/slab.c | 2 +-
74621 mm/slub.c | 14 +-
74622 mm/vmalloc.c | 4 +
74623 mm/vmstat.c | 18 +-
74624 net/core/dev_ioctl.c | 4 +
74625 net/core/sock_diag.c | 7 +
74626 net/ipv4/inet_hashtables.c | 5 +
74627 net/ipv4/ip_sockglue.c | 3 +-
74628 net/ipv4/tcp_input.c | 4 +-
74629 net/ipv4/tcp_ipv4.c | 24 +-
74630 net/ipv4/tcp_minisocks.c | 9 +-
74631 net/ipv4/tcp_timer.c | 11 +
74632 net/ipv4/udp.c | 24 +
74633 net/ipv6/tcp_ipv6.c | 23 +-
74634 net/ipv6/udp.c | 4 +
74635 net/netfilter/Kconfig | 10 +
74636 net/netfilter/Makefile | 1 +
74637 net/netfilter/nf_conntrack_core.c | 8 +
74638 net/netrom/af_netrom.c | 1 -
74639 net/phonet/af_phonet.c | 2 +-
74640 net/sctp/proc.c | 3 +-
74641 net/socket.c | 66 +-
74642 net/sysctl_net.c | 2 +-
74643 net/unix/af_unix.c | 31 +-
74644 security/Kconfig | 343 +++-
74645 security/apparmor/Kconfig | 9 +
74646 security/apparmor/apparmorfs.c | 231 ++
74647 security/commoncap.c | 29 +
74648 security/min_addr.c | 2 +
74649 security/security.c | 2 -
74650 security/selinux/hooks.c | 2 -
74651 security/tomoyo/mount.c | 4 +
74652 security/yama/Kconfig | 2 +-
74653 242 files changed, 4385 insertions(+), 2042 deletions(-)
74654
74655commit 043a378c0f72ed92cc30182c48abce39867ac93f
74656Author: Brad Spengler <spender@grsecurity.net>
74657Date: Tue Jul 9 20:57:40 2013 -0400
74658
74659 Commit merge of new files and rejected patches
74660
74661 arch/arm/include/asm/thread_info.h | 6 +-
74662 arch/arm/kernel/process.c | 4 +-
74663 arch/powerpc/include/asm/thread_info.h | 7 +-
74664 arch/powerpc/mm/slice.c | 2 +-
74665 arch/sparc/kernel/process_64.c | 4 +-
74666 arch/x86/kernel/vm86_32.c | 15 +
74667 fs/coredump.c | 1 +
74668 fs/ext4/balloc.c | 4 +-
74669 fs/namei.c | 7 +
74670 fs/namespace.c | 8 +
74671 fs/pipe.c | 2 +-
74672 fs/proc/inode.c | 13 +
74673 fs/proc/internal.h | 3 +
74674 grsecurity/Kconfig | 1054 +++++++++
74675 grsecurity/Makefile | 38 +
74676 grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
74677 grsecurity/gracl_alloc.c | 105 +
74678 grsecurity/gracl_cap.c | 110 +
74679 grsecurity/gracl_fs.c | 431 ++++
74680 grsecurity/gracl_ip.c | 387 +++
74681 grsecurity/gracl_learn.c | 207 ++
74682 grsecurity/gracl_res.c | 68 +
74683 grsecurity/gracl_segv.c | 305 +++
74684 grsecurity/gracl_shm.c | 40 +
74685 grsecurity/grsec_chdir.c | 19 +
74686 grsecurity/grsec_chroot.c | 370 +++
74687 grsecurity/grsec_disabled.c | 434 ++++
74688 grsecurity/grsec_exec.c | 187 ++
74689 grsecurity/grsec_fifo.c | 24 +
74690 grsecurity/grsec_fork.c | 23 +
74691 grsecurity/grsec_init.c | 283 +++
74692 grsecurity/grsec_link.c | 58 +
74693 grsecurity/grsec_log.c | 326 +++
74694 grsecurity/grsec_mem.c | 40 +
74695 grsecurity/grsec_mount.c | 62 +
74696 grsecurity/grsec_pax.c | 36 +
74697 grsecurity/grsec_ptrace.c | 30 +
74698 grsecurity/grsec_sig.c | 246 ++
74699 grsecurity/grsec_sock.c | 244 ++
74700 grsecurity/grsec_sysctl.c | 469 ++++
74701 grsecurity/grsec_time.c | 16 +
74702 grsecurity/grsec_tpe.c | 73 +
74703 grsecurity/grsum.c | 61 +
74704 include/linux/gracl.h | 319 +++
74705 include/linux/gralloc.h | 9 +
74706 include/linux/grdefs.h | 140 ++
74707 include/linux/grinternal.h | 227 ++
74708 include/linux/grmsg.h | 112 +
74709 include/linux/grsecurity.h | 241 ++
74710 include/linux/grsock.h | 19 +
74711 include/linux/netfilter/xt_gradm.h | 9 +
74712 include/linux/proc_fs.h | 13 +
74713 include/linux/sched.h | 48 +-
74714 include/trace/events/fs.h | 53 +
74715 kernel/kmod.c | 7 +-
74716 kernel/panic.c | 2 +-
74717 kernel/posix-timers.c | 1 +
74718 kernel/time/timekeeping.c | 2 +
74719 lib/Kconfig.debug | 2 +-
74720 lib/vsprintf.c | 31 +
74721 localversion-grsec | 1 +
74722 mm/mmap.c | 13 +-
74723 mm/shmem.c | 2 +-
74724 net/core/net-procfs.c | 5 +
74725 net/ipv6/udp.c | 3 +
74726 net/netfilter/xt_gradm.c | 51 +
74727 66 files changed, 11184 insertions(+), 21 deletions(-)
74728
74729commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
74730Author: Brad Spengler <spender@grsecurity.net>
74731Date: Tue Jul 9 17:35:47 2013 -0400
74732
74733 Initial import of pax-linux-3.10-test1.patch
74734
74735 Documentation/dontdiff | 46 +-
74736 Documentation/kernel-parameters.txt | 12 +
74737 Makefile | 100 +-
74738 arch/alpha/include/asm/atomic.h | 10 +
74739 arch/alpha/include/asm/elf.h | 7 +
74740 arch/alpha/include/asm/pgalloc.h | 6 +
74741 arch/alpha/include/asm/pgtable.h | 11 +
74742 arch/alpha/kernel/module.c | 2 +-
74743 arch/alpha/kernel/osf_sys.c | 8 +-
74744 arch/alpha/mm/fault.c | 141 +-
74745 arch/arm/Kconfig | 2 +-
74746 arch/arm/include/asm/atomic.h | 444 ++-
74747 arch/arm/include/asm/cache.h | 5 +-
74748 arch/arm/include/asm/cacheflush.h | 2 +-
74749 arch/arm/include/asm/checksum.h | 14 +-
74750 arch/arm/include/asm/cmpxchg.h | 2 +
74751 arch/arm/include/asm/domain.h | 33 +-
74752 arch/arm/include/asm/elf.h | 13 +-
74753 arch/arm/include/asm/fncpy.h | 2 +
74754 arch/arm/include/asm/futex.h | 10 +
74755 arch/arm/include/asm/kmap_types.h | 2 +-
74756 arch/arm/include/asm/mach/dma.h | 2 +-
74757 arch/arm/include/asm/mach/map.h | 7 +-
74758 arch/arm/include/asm/outercache.h | 2 +-
74759 arch/arm/include/asm/page.h | 2 +-
74760 arch/arm/include/asm/pgalloc.h | 22 +-
74761 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
74762 arch/arm/include/asm/pgtable-2level.h | 1 +
74763 arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
74764 arch/arm/include/asm/pgtable-3level.h | 2 +
74765 arch/arm/include/asm/pgtable.h | 56 +-
74766 arch/arm/include/asm/proc-fns.h | 2 +-
74767 arch/arm/include/asm/processor.h | 5 +-
74768 arch/arm/include/asm/psci.h | 2 +-
74769 arch/arm/include/asm/smp.h | 2 +-
74770 arch/arm/include/asm/thread_info.h | 6 +-
74771 arch/arm/include/asm/uaccess.h | 92 +-
74772 arch/arm/include/uapi/asm/ptrace.h | 2 +-
74773 arch/arm/kernel/armksyms.c | 8 +-
74774 arch/arm/kernel/entry-armv.S | 107 +-
74775 arch/arm/kernel/entry-common.S | 41 +-
74776 arch/arm/kernel/entry-header.S | 60 +
74777 arch/arm/kernel/fiq.c | 2 +
74778 arch/arm/kernel/head.S | 6 +-
74779 arch/arm/kernel/hw_breakpoint.c | 2 +-
74780 arch/arm/kernel/module.c | 29 +-
74781 arch/arm/kernel/patch.c | 2 +
74782 arch/arm/kernel/perf_event_cpu.c | 2 +-
74783 arch/arm/kernel/process.c | 14 +-
74784 arch/arm/kernel/psci.c | 2 +-
74785 arch/arm/kernel/setup.c | 22 +-
74786 arch/arm/kernel/signal.c | 24 +-
74787 arch/arm/kernel/smp.c | 2 +-
74788 arch/arm/kernel/traps.c | 15 +-
74789 arch/arm/kernel/vmlinux.lds.S | 22 +-
74790 arch/arm/lib/clear_user.S | 6 +-
74791 arch/arm/lib/copy_from_user.S | 6 +-
74792 arch/arm/lib/copy_page.S | 1 +
74793 arch/arm/lib/copy_to_user.S | 6 +-
74794 arch/arm/lib/csumpartialcopyuser.S | 4 +-
74795 arch/arm/lib/delay.c | 2 +-
74796 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
74797 arch/arm/mach-kirkwood/common.c | 19 +-
74798 arch/arm/mach-omap2/board-n8x0.c | 2 +-
74799 arch/arm/mach-omap2/gpmc.c | 22 +-
74800 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
74801 arch/arm/mach-omap2/omap_device.c | 4 +-
74802 arch/arm/mach-omap2/omap_device.h | 4 +-
74803 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
74804 arch/arm/mach-omap2/wd_timer.c | 6 +-
74805 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
74806 arch/arm/mach-ux500/setup.h | 7 -
74807 arch/arm/mm/Kconfig | 3 +-
74808 arch/arm/mm/alignment.c | 8 +
74809 arch/arm/mm/fault.c | 91 +
74810 arch/arm/mm/fault.h | 12 +
74811 arch/arm/mm/init.c | 41 +
74812 arch/arm/mm/ioremap.c | 4 +-
74813 arch/arm/mm/mmap.c | 30 +-
74814 arch/arm/mm/mmu.c | 187 +-
74815 arch/arm/mm/proc-v7-2level.S | 3 +
74816 arch/arm/plat-omap/sram.c | 2 +
74817 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
74818 arch/arm64/kernel/debug-monitors.c | 2 +-
74819 arch/arm64/kernel/hw_breakpoint.c | 2 +-
74820 arch/avr32/include/asm/elf.h | 8 +-
74821 arch/avr32/include/asm/kmap_types.h | 4 +-
74822 arch/avr32/mm/fault.c | 27 +
74823 arch/frv/include/asm/atomic.h | 10 +
74824 arch/frv/include/asm/kmap_types.h | 2 +-
74825 arch/frv/mm/elf-fdpic.c | 3 +-
74826 arch/ia64/include/asm/atomic.h | 10 +
74827 arch/ia64/include/asm/elf.h | 7 +
74828 arch/ia64/include/asm/pgalloc.h | 12 +
74829 arch/ia64/include/asm/pgtable.h | 13 +-
74830 arch/ia64/include/asm/spinlock.h | 2 +-
74831 arch/ia64/include/asm/uaccess.h | 26 +-
74832 arch/ia64/kernel/err_inject.c | 2 +-
74833 arch/ia64/kernel/mca.c | 2 +-
74834 arch/ia64/kernel/module.c | 48 +-
74835 arch/ia64/kernel/palinfo.c | 2 +-
74836 arch/ia64/kernel/salinfo.c | 2 +-
74837 arch/ia64/kernel/sys_ia64.c | 7 +
74838 arch/ia64/kernel/topology.c | 2 +-
74839 arch/ia64/kernel/vmlinux.lds.S | 2 +-
74840 arch/ia64/mm/fault.c | 32 +-
74841 arch/ia64/mm/init.c | 13 +
74842 arch/m32r/lib/usercopy.c | 6 +
74843 arch/mips/include/asm/atomic.h | 14 +
74844 arch/mips/include/asm/elf.h | 11 +-
74845 arch/mips/include/asm/exec.h | 2 +-
74846 arch/mips/include/asm/page.h | 2 +-
74847 arch/mips/include/asm/pgalloc.h | 5 +
74848 arch/mips/kernel/binfmt_elfn32.c | 7 +
74849 arch/mips/kernel/binfmt_elfo32.c | 7 +
74850 arch/mips/kernel/process.c | 12 -
74851 arch/mips/mm/fault.c | 17 +
74852 arch/mips/mm/mmap.c | 51 +-
74853 arch/parisc/include/asm/atomic.h | 10 +
74854 arch/parisc/include/asm/elf.h | 7 +
74855 arch/parisc/include/asm/pgalloc.h | 6 +
74856 arch/parisc/include/asm/pgtable.h | 11 +
74857 arch/parisc/include/asm/uaccess.h | 4 +-
74858 arch/parisc/kernel/module.c | 50 +-
74859 arch/parisc/kernel/sys_parisc.c | 9 +-
74860 arch/parisc/kernel/traps.c | 4 +-
74861 arch/parisc/mm/fault.c | 140 +-
74862 arch/powerpc/include/asm/atomic.h | 10 +
74863 arch/powerpc/include/asm/elf.h | 19 +-
74864 arch/powerpc/include/asm/exec.h | 2 +-
74865 arch/powerpc/include/asm/kmap_types.h | 2 +-
74866 arch/powerpc/include/asm/mman.h | 2 +-
74867 arch/powerpc/include/asm/page.h | 8 +-
74868 arch/powerpc/include/asm/page_64.h | 7 +-
74869 arch/powerpc/include/asm/pgalloc-64.h | 7 +
74870 arch/powerpc/include/asm/pgtable.h | 1 +
74871 arch/powerpc/include/asm/pte-hash32.h | 1 +
74872 arch/powerpc/include/asm/reg.h | 1 +
74873 arch/powerpc/include/asm/smp.h | 2 +-
74874 arch/powerpc/include/asm/uaccess.h | 140 +-
74875 arch/powerpc/kernel/exceptions-64e.S | 4 +-
74876 arch/powerpc/kernel/exceptions-64s.S | 2 +-
74877 arch/powerpc/kernel/module_32.c | 13 +-
74878 arch/powerpc/kernel/process.c | 55 -
74879 arch/powerpc/kernel/signal_32.c | 2 +-
74880 arch/powerpc/kernel/signal_64.c | 2 +-
74881 arch/powerpc/kernel/sysfs.c | 2 +-
74882 arch/powerpc/kernel/vdso.c | 5 +-
74883 arch/powerpc/lib/usercopy_64.c | 18 -
74884 arch/powerpc/mm/fault.c | 54 +-
74885 arch/powerpc/mm/mmap_64.c | 16 +
74886 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
74887 arch/powerpc/mm/numa.c | 2 +-
74888 arch/powerpc/mm/slice.c | 13 +-
74889 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
74890 arch/powerpc/platforms/powermac/smp.c | 2 +-
74891 arch/s390/include/asm/atomic.h | 10 +
74892 arch/s390/include/asm/elf.h | 13 +-
74893 arch/s390/include/asm/exec.h | 2 +-
74894 arch/s390/include/asm/uaccess.h | 15 +-
74895 arch/s390/kernel/module.c | 22 +-
74896 arch/s390/kernel/process.c | 36 -
74897 arch/s390/mm/mmap.c | 24 +
74898 arch/score/include/asm/exec.h | 2 +-
74899 arch/score/kernel/process.c | 5 -
74900 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
74901 arch/sh/mm/mmap.c | 22 +-
74902 arch/sparc/include/asm/atomic_64.h | 106 +-
74903 arch/sparc/include/asm/cache.h | 2 +-
74904 arch/sparc/include/asm/elf_32.h | 7 +
74905 arch/sparc/include/asm/elf_64.h | 7 +
74906 arch/sparc/include/asm/pgalloc_32.h | 1 +
74907 arch/sparc/include/asm/pgalloc_64.h | 1 +
74908 arch/sparc/include/asm/pgtable_32.h | 15 +-
74909 arch/sparc/include/asm/pgtsrmmu.h | 5 +
74910 arch/sparc/include/asm/spinlock_64.h | 35 +-
74911 arch/sparc/include/asm/thread_info_32.h | 2 +
74912 arch/sparc/include/asm/thread_info_64.h | 2 +
74913 arch/sparc/include/asm/uaccess.h | 1 +
74914 arch/sparc/include/asm/uaccess_32.h | 27 +-
74915 arch/sparc/include/asm/uaccess_64.h | 19 +-
74916 arch/sparc/kernel/Makefile | 2 +-
74917 arch/sparc/kernel/prom_common.c | 2 +-
74918 arch/sparc/kernel/sys_sparc_32.c | 2 +-
74919 arch/sparc/kernel/sys_sparc_64.c | 48 +-
74920 arch/sparc/kernel/sysfs.c | 2 +-
74921 arch/sparc/kernel/traps_64.c | 13 +-
74922 arch/sparc/lib/Makefile | 2 +-
74923 arch/sparc/lib/atomic_64.S | 136 +-
74924 arch/sparc/lib/ksyms.c | 6 +
74925 arch/sparc/mm/Makefile | 2 +-
74926 arch/sparc/mm/fault_32.c | 292 +
74927 arch/sparc/mm/fault_64.c | 486 ++
74928 arch/sparc/mm/hugetlbpage.c | 21 +-
74929 arch/tile/include/asm/atomic_64.h | 10 +
74930 arch/tile/include/asm/uaccess.h | 4 +-
74931 arch/um/Makefile | 4 +
74932 arch/um/include/asm/kmap_types.h | 2 +-
74933 arch/um/include/asm/page.h | 3 +
74934 arch/um/include/asm/pgtable-3level.h | 1 +
74935 arch/um/kernel/process.c | 16 -
74936 arch/x86/Kconfig | 10 +-
74937 arch/x86/Kconfig.cpu | 6 +-
74938 arch/x86/Kconfig.debug | 4 +-
74939 arch/x86/Makefile | 10 +
74940 arch/x86/boot/Makefile | 3 +
74941 arch/x86/boot/bitops.h | 4 +-
74942 arch/x86/boot/boot.h | 4 +-
74943 arch/x86/boot/compressed/Makefile | 3 +
74944 arch/x86/boot/compressed/eboot.c | 2 -
74945 arch/x86/boot/compressed/efi_stub_32.S | 16 +-
74946 arch/x86/boot/compressed/head_32.S | 7 +-
74947 arch/x86/boot/compressed/head_64.S | 8 +-
74948 arch/x86/boot/compressed/misc.c | 4 +-
74949 arch/x86/boot/cpucheck.c | 28 +-
74950 arch/x86/boot/header.S | 6 +-
74951 arch/x86/boot/memory.c | 2 +-
74952 arch/x86/boot/video-vesa.c | 1 +
74953 arch/x86/boot/video.c | 2 +-
74954 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
74955 arch/x86/crypto/aesni-intel_asm.S | 22 +
74956 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
74957 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
74958 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
74959 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
74960 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
74961 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
74962 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
74963 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
74964 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
74965 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
74966 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
74967 arch/x86/ia32/ia32_signal.c | 14 +-
74968 arch/x86/ia32/ia32entry.S | 141 +-
74969 arch/x86/ia32/sys_ia32.c | 4 +-
74970 arch/x86/include/asm/alternative-asm.h | 39 +
74971 arch/x86/include/asm/alternative.h | 4 +-
74972 arch/x86/include/asm/apic.h | 2 +-
74973 arch/x86/include/asm/apm.h | 4 +-
74974 arch/x86/include/asm/atomic.h | 307 +-
74975 arch/x86/include/asm/atomic64_32.h | 100 +
74976 arch/x86/include/asm/atomic64_64.h | 202 +-
74977 arch/x86/include/asm/bitops.h | 4 +-
74978 arch/x86/include/asm/boot.h | 7 +-
74979 arch/x86/include/asm/cache.h | 5 +-
74980 arch/x86/include/asm/cacheflush.h | 2 +-
74981 arch/x86/include/asm/checksum_32.h | 12 +-
74982 arch/x86/include/asm/cmpxchg.h | 35 +
74983 arch/x86/include/asm/compat.h | 2 +-
74984 arch/x86/include/asm/cpufeature.h | 4 +-
74985 arch/x86/include/asm/desc.h | 67 +-
74986 arch/x86/include/asm/desc_defs.h | 6 +
74987 arch/x86/include/asm/div64.h | 2 +-
74988 arch/x86/include/asm/elf.h | 31 +-
74989 arch/x86/include/asm/emergency-restart.h | 2 +-
74990 arch/x86/include/asm/fpu-internal.h | 6 +-
74991 arch/x86/include/asm/futex.h | 16 +-
74992 arch/x86/include/asm/hw_irq.h | 4 +-
74993 arch/x86/include/asm/i8259.h | 2 +-
74994 arch/x86/include/asm/io.h | 21 +-
74995 arch/x86/include/asm/irqflags.h | 5 +
74996 arch/x86/include/asm/kprobes.h | 9 +-
74997 arch/x86/include/asm/local.h | 142 +-
74998 arch/x86/include/asm/mman.h | 15 +
74999 arch/x86/include/asm/mmu.h | 16 +-
75000 arch/x86/include/asm/mmu_context.h | 76 +-
75001 arch/x86/include/asm/module.h | 17 +-
75002 arch/x86/include/asm/nmi.h | 6 +-
75003 arch/x86/include/asm/page.h | 1 +
75004 arch/x86/include/asm/page_64.h | 4 +-
75005 arch/x86/include/asm/paravirt.h | 46 +-
75006 arch/x86/include/asm/paravirt_types.h | 17 +-
75007 arch/x86/include/asm/pgalloc.h | 23 +
75008 arch/x86/include/asm/pgtable-2level.h | 2 +
75009 arch/x86/include/asm/pgtable-3level.h | 4 +
75010 arch/x86/include/asm/pgtable.h | 122 +-
75011 arch/x86/include/asm/pgtable_32.h | 14 +-
75012 arch/x86/include/asm/pgtable_32_types.h | 15 +-
75013 arch/x86/include/asm/pgtable_64.h | 19 +-
75014 arch/x86/include/asm/pgtable_64_types.h | 5 +
75015 arch/x86/include/asm/pgtable_types.h | 36 +-
75016 arch/x86/include/asm/processor.h | 39 +-
75017 arch/x86/include/asm/ptrace.h | 26 +-
75018 arch/x86/include/asm/realmode.h | 4 +-
75019 arch/x86/include/asm/reboot.h | 10 +-
75020 arch/x86/include/asm/rwsem.h | 60 +-
75021 arch/x86/include/asm/segment.h | 24 +-
75022 arch/x86/include/asm/smp.h | 14 +-
75023 arch/x86/include/asm/spinlock.h | 36 +-
75024 arch/x86/include/asm/stackprotector.h | 4 +-
75025 arch/x86/include/asm/stacktrace.h | 32 +-
75026 arch/x86/include/asm/switch_to.h | 4 +-
75027 arch/x86/include/asm/thread_info.h | 83 +-
75028 arch/x86/include/asm/uaccess.h | 96 +-
75029 arch/x86/include/asm/uaccess_32.h | 106 +-
75030 arch/x86/include/asm/uaccess_64.h | 232 +-
75031 arch/x86/include/asm/word-at-a-time.h | 2 +-
75032 arch/x86/include/asm/x86_init.h | 10 +-
75033 arch/x86/include/asm/xsave.h | 10 +-
75034 arch/x86/include/uapi/asm/e820.h | 2 +-
75035 arch/x86/kernel/Makefile | 2 +-
75036 arch/x86/kernel/acpi/boot.c | 4 +-
75037 arch/x86/kernel/acpi/sleep.c | 4 +
75038 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
75039 arch/x86/kernel/alternative.c | 65 +-
75040 arch/x86/kernel/apic/apic.c | 4 +-
75041 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
75042 arch/x86/kernel/apic/apic_noop.c | 2 +-
75043 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
75044 arch/x86/kernel/apic/es7000_32.c | 5 +-
75045 arch/x86/kernel/apic/io_apic.c | 8 +-
75046 arch/x86/kernel/apic/numaq_32.c | 3 +-
75047 arch/x86/kernel/apic/probe_32.c | 2 +-
75048 arch/x86/kernel/apic/summit_32.c | 2 +-
75049 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
75050 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
75051 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
75052 arch/x86/kernel/apm_32.c | 19 +-
75053 arch/x86/kernel/asm-offsets.c | 20 +
75054 arch/x86/kernel/asm-offsets_64.c | 1 +
75055 arch/x86/kernel/cpu/Makefile | 4 -
75056 arch/x86/kernel/cpu/amd.c | 2 +-
75057 arch/x86/kernel/cpu/common.c | 75 +-
75058 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
75059 arch/x86/kernel/cpu/mcheck/mce.c | 33 +-
75060 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
75061 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
75062 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
75063 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
75064 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
75065 arch/x86/kernel/cpu/perf_event.c | 8 +-
75066 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
75067 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
75068 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
75069 arch/x86/kernel/cpuid.c | 2 +-
75070 arch/x86/kernel/crash.c | 4 +-
75071 arch/x86/kernel/crash_dump_64.c | 2 +-
75072 arch/x86/kernel/doublefault_32.c | 8 +-
75073 arch/x86/kernel/dumpstack.c | 28 +-
75074 arch/x86/kernel/dumpstack_32.c | 34 +-
75075 arch/x86/kernel/dumpstack_64.c | 61 +-
75076 arch/x86/kernel/e820.c | 4 +-
75077 arch/x86/kernel/early_printk.c | 1 +
75078 arch/x86/kernel/entry_32.S | 354 +-
75079 arch/x86/kernel/entry_64.S | 548 ++-
75080 arch/x86/kernel/ftrace.c | 14 +-
75081 arch/x86/kernel/head64.c | 13 +-
75082 arch/x86/kernel/head_32.S | 237 +-
75083 arch/x86/kernel/head_64.S | 143 +-
75084 arch/x86/kernel/i386_ksyms_32.c | 8 +
75085 arch/x86/kernel/i387.c | 2 +-
75086 arch/x86/kernel/i8259.c | 10 +-
75087 arch/x86/kernel/io_delay.c | 2 +-
75088 arch/x86/kernel/ioport.c | 2 +-
75089 arch/x86/kernel/irq.c | 8 +-
75090 arch/x86/kernel/irq_32.c | 69 +-
75091 arch/x86/kernel/irq_64.c | 2 +-
75092 arch/x86/kernel/kdebugfs.c | 2 +-
75093 arch/x86/kernel/kgdb.c | 25 +-
75094 arch/x86/kernel/kprobes/core.c | 30 +-
75095 arch/x86/kernel/kprobes/opt.c | 16 +-
75096 arch/x86/kernel/kvm.c | 2 +-
75097 arch/x86/kernel/ldt.c | 31 +-
75098 arch/x86/kernel/machine_kexec_32.c | 6 +-
75099 arch/x86/kernel/microcode_core.c | 2 +-
75100 arch/x86/kernel/microcode_intel.c | 4 +-
75101 arch/x86/kernel/module.c | 76 +-
75102 arch/x86/kernel/msr.c | 2 +-
75103 arch/x86/kernel/nmi.c | 19 +-
75104 arch/x86/kernel/nmi_selftest.c | 4 +-
75105 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
75106 arch/x86/kernel/paravirt.c | 43 +-
75107 arch/x86/kernel/pci-calgary_64.c | 2 +-
75108 arch/x86/kernel/pci-iommu_table.c | 2 +-
75109 arch/x86/kernel/pci-swiotlb.c | 2 +-
75110 arch/x86/kernel/process.c | 55 +-
75111 arch/x86/kernel/process_32.c | 29 +-
75112 arch/x86/kernel/process_64.c | 15 +-
75113 arch/x86/kernel/ptrace.c | 25 +-
75114 arch/x86/kernel/pvclock.c | 8 +-
75115 arch/x86/kernel/reboot.c | 44 +-
75116 arch/x86/kernel/relocate_kernel_64.S | 2 +
75117 arch/x86/kernel/setup.c | 21 +-
75118 arch/x86/kernel/setup_percpu.c | 29 +-
75119 arch/x86/kernel/signal.c | 15 +-
75120 arch/x86/kernel/smp.c | 2 +-
75121 arch/x86/kernel/smpboot.c | 15 +-
75122 arch/x86/kernel/step.c | 10 +-
75123 arch/x86/kernel/sys_i386_32.c | 184 +
75124 arch/x86/kernel/sys_x86_64.c | 22 +-
75125 arch/x86/kernel/tboot.c | 14 +-
75126 arch/x86/kernel/time.c | 10 +-
75127 arch/x86/kernel/tls.c | 7 +-
75128 arch/x86/kernel/traps.c | 64 +-
75129 arch/x86/kernel/uprobes.c | 4 +-
75130 arch/x86/kernel/vm86_32.c | 6 +-
75131 arch/x86/kernel/vmlinux.lds.S | 148 +-
75132 arch/x86/kernel/vsyscall_64.c | 12 +-
75133 arch/x86/kernel/x8664_ksyms_64.c | 2 -
75134 arch/x86/kernel/x86_init.c | 8 +-
75135 arch/x86/kernel/xsave.c | 2 +
75136 arch/x86/kvm/cpuid.c | 21 +-
75137 arch/x86/kvm/emulate.c | 4 +-
75138 arch/x86/kvm/lapic.c | 2 +-
75139 arch/x86/kvm/paging_tmpl.h | 2 +-
75140 arch/x86/kvm/svm.c | 8 +
75141 arch/x86/kvm/vmx.c | 61 +-
75142 arch/x86/kvm/x86.c | 8 +-
75143 arch/x86/lguest/boot.c | 3 +-
75144 arch/x86/lib/atomic64_386_32.S | 164 +
75145 arch/x86/lib/atomic64_cx8_32.S | 103 +-
75146 arch/x86/lib/checksum_32.S | 100 +-
75147 arch/x86/lib/clear_page_64.S | 5 +-
75148 arch/x86/lib/cmpxchg16b_emu.S | 2 +
75149 arch/x86/lib/copy_page_64.S | 24 +-
75150 arch/x86/lib/copy_user_64.S | 47 +-
75151 arch/x86/lib/copy_user_nocache_64.S | 20 +-
75152 arch/x86/lib/csum-copy_64.S | 2 +
75153 arch/x86/lib/csum-wrappers_64.c | 4 +-
75154 arch/x86/lib/getuser.S | 70 +-
75155 arch/x86/lib/insn.c | 6 +-
75156 arch/x86/lib/iomap_copy_64.S | 2 +
75157 arch/x86/lib/memcpy_64.S | 18 +-
75158 arch/x86/lib/memmove_64.S | 34 +-
75159 arch/x86/lib/memset_64.S | 7 +-
75160 arch/x86/lib/mmx_32.c | 243 +-
75161 arch/x86/lib/msr-reg.S | 18 +-
75162 arch/x86/lib/putuser.S | 90 +-
75163 arch/x86/lib/rwlock.S | 42 +
75164 arch/x86/lib/rwsem.S | 6 +-
75165 arch/x86/lib/thunk_64.S | 2 +
75166 arch/x86/lib/usercopy_32.c | 363 +-
75167 arch/x86/lib/usercopy_64.c | 13 +-
75168 arch/x86/mm/extable.c | 25 +-
75169 arch/x86/mm/fault.c | 556 ++-
75170 arch/x86/mm/gup.c | 2 +-
75171 arch/x86/mm/highmem_32.c | 4 +
75172 arch/x86/mm/hugetlbpage.c | 30 +-
75173 arch/x86/mm/init.c | 98 +-
75174 arch/x86/mm/init_32.c | 113 +-
75175 arch/x86/mm/init_64.c | 38 +-
75176 arch/x86/mm/iomap_32.c | 4 +
75177 arch/x86/mm/ioremap.c | 15 +-
75178 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
75179 arch/x86/mm/mmap.c | 41 +-
75180 arch/x86/mm/mmio-mod.c | 10 +-
75181 arch/x86/mm/numa.c | 2 +-
75182 arch/x86/mm/pageattr-test.c | 2 +-
75183 arch/x86/mm/pageattr.c | 33 +-
75184 arch/x86/mm/pat.c | 12 +-
75185 arch/x86/mm/pat_rbtree.c | 2 +-
75186 arch/x86/mm/pf_in.c | 10 +-
75187 arch/x86/mm/pgtable.c | 137 +-
75188 arch/x86/mm/pgtable_32.c | 3 +
75189 arch/x86/mm/physaddr.c | 4 +-
75190 arch/x86/mm/setup_nx.c | 7 +
75191 arch/x86/mm/tlb.c | 4 +
75192 arch/x86/net/bpf_jit.S | 14 +
75193 arch/x86/net/bpf_jit_comp.c | 37 +-
75194 arch/x86/oprofile/backtrace.c | 8 +-
75195 arch/x86/oprofile/nmi_int.c | 8 +-
75196 arch/x86/oprofile/op_model_amd.c | 8 +-
75197 arch/x86/oprofile/op_model_ppro.c | 7 +-
75198 arch/x86/oprofile/op_x86_model.h | 2 +-
75199 arch/x86/pci/amd_bus.c | 2 +-
75200 arch/x86/pci/irq.c | 8 +-
75201 arch/x86/pci/mrst.c | 4 +-
75202 arch/x86/pci/pcbios.c | 144 +-
75203 arch/x86/platform/efi/efi_32.c | 24 +
75204 arch/x86/platform/efi/efi_64.c | 10 +
75205 arch/x86/platform/efi/efi_stub_32.S | 64 +-
75206 arch/x86/platform/efi/efi_stub_64.S | 8 +
75207 arch/x86/platform/mrst/mrst.c | 6 +-
75208 arch/x86/platform/olpc/olpc_dt.c | 2 +-
75209 arch/x86/power/cpu.c | 11 +-
75210 arch/x86/realmode/init.c | 10 +-
75211 arch/x86/realmode/rm/Makefile | 3 +
75212 arch/x86/realmode/rm/header.S | 4 +-
75213 arch/x86/realmode/rm/trampoline_32.S | 12 +-
75214 arch/x86/realmode/rm/trampoline_64.S | 2 +-
75215 arch/x86/tools/Makefile | 2 +-
75216 arch/x86/tools/relocs.c | 94 +-
75217 arch/x86/um/tls_32.c | 2 +-
75218 arch/x86/vdso/Makefile | 2 +-
75219 arch/x86/vdso/vdso32-setup.c | 23 +-
75220 arch/x86/vdso/vma.c | 29 +-
75221 arch/x86/xen/enlighten.c | 47 +-
75222 arch/x86/xen/mmu.c | 9 +
75223 arch/x86/xen/smp.c | 18 +-
75224 arch/x86/xen/xen-asm_32.S | 12 +-
75225 arch/x86/xen/xen-head.S | 11 +
75226 arch/x86/xen/xen-ops.h | 2 -
75227 block/blk-iopoll.c | 4 +-
75228 block/blk-map.c | 2 +-
75229 block/blk-softirq.c | 4 +-
75230 block/bsg.c | 12 +-
75231 block/compat_ioctl.c | 2 +-
75232 block/genhd.c | 11 +-
75233 block/partitions/efi.c | 8 +-
75234 block/scsi_ioctl.c | 27 +-
75235 crypto/algapi.c | 2 +-
75236 crypto/cryptd.c | 4 +-
75237 crypto/pcrypt.c | 6 +-
75238 drivers/acpi/apei/apei-internal.h | 2 +-
75239 drivers/acpi/apei/cper.c | 8 +-
75240 drivers/acpi/bgrt.c | 6 +-
75241 drivers/acpi/blacklist.c | 4 +-
75242 drivers/acpi/ec_sys.c | 12 +-
75243 drivers/acpi/processor_idle.c | 2 +-
75244 drivers/acpi/sysfs.c | 4 +-
75245 drivers/ata/libahci.c | 2 +-
75246 drivers/ata/libata-core.c | 8 +-
75247 drivers/ata/pata_arasan_cf.c | 4 +-
75248 drivers/atm/adummy.c | 2 +-
75249 drivers/atm/ambassador.c | 8 +-
75250 drivers/atm/atmtcp.c | 14 +-
75251 drivers/atm/eni.c | 10 +-
75252 drivers/atm/firestream.c | 8 +-
75253 drivers/atm/fore200e.c | 14 +-
75254 drivers/atm/he.c | 18 +-
75255 drivers/atm/horizon.c | 4 +-
75256 drivers/atm/idt77252.c | 36 +-
75257 drivers/atm/iphase.c | 34 +-
75258 drivers/atm/lanai.c | 12 +-
75259 drivers/atm/nicstar.c | 46 +-
75260 drivers/atm/solos-pci.c | 4 +-
75261 drivers/atm/suni.c | 4 +-
75262 drivers/atm/uPD98402.c | 16 +-
75263 drivers/atm/zatm.c | 6 +-
75264 drivers/base/attribute_container.c | 2 +-
75265 drivers/base/bus.c | 4 +-
75266 drivers/base/devtmpfs.c | 8 +-
75267 drivers/base/node.c | 2 +-
75268 drivers/base/power/domain.c | 4 +-
75269 drivers/base/power/sysfs.c | 2 +-
75270 drivers/base/power/wakeup.c | 8 +-
75271 drivers/base/syscore.c | 4 +-
75272 drivers/block/cciss.c | 28 +-
75273 drivers/block/cciss.h | 2 +-
75274 drivers/block/cpqarray.c | 28 +-
75275 drivers/block/cpqarray.h | 2 +-
75276 drivers/block/drbd/drbd_int.h | 6 +-
75277 drivers/block/drbd/drbd_main.c | 8 +-
75278 drivers/block/drbd/drbd_receiver.c | 22 +-
75279 drivers/block/loop.c | 2 +-
75280 drivers/block/nbd.c | 2 +-
75281 drivers/block/pktcdvd.c | 2 +-
75282 drivers/cdrom/cdrom.c | 11 +-
75283 drivers/cdrom/gdrom.c | 1 -
75284 drivers/char/agp/compat_ioctl.c | 2 +-
75285 drivers/char/agp/frontend.c | 4 +-
75286 drivers/char/hpet.c | 2 +-
75287 drivers/char/hw_random/intel-rng.c | 2 +-
75288 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
75289 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
75290 drivers/char/mem.c | 45 +-
75291 drivers/char/nvram.c | 2 +-
75292 drivers/char/pcmcia/synclink_cs.c | 18 +-
75293 drivers/char/random.c | 10 +-
75294 drivers/char/sonypi.c | 9 +-
75295 drivers/char/tpm/tpm_acpi.c | 3 +-
75296 drivers/char/tpm/tpm_eventlog.c | 7 +-
75297 drivers/char/virtio_console.c | 4 +-
75298 drivers/clk/clk-composite.c | 2 +-
75299 drivers/clocksource/arm_arch_timer.c | 2 +-
75300 drivers/clocksource/metag_generic.c | 2 +-
75301 drivers/cpufreq/acpi-cpufreq.c | 20 +-
75302 drivers/cpufreq/cpufreq.c | 9 +-
75303 drivers/cpufreq/cpufreq_governor.c | 6 +-
75304 drivers/cpufreq/cpufreq_governor.h | 2 +-
75305 drivers/cpufreq/cpufreq_ondemand.c | 8 +-
75306 drivers/cpufreq/cpufreq_stats.c | 2 +-
75307 drivers/cpufreq/p4-clockmod.c | 12 +-
75308 drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
75309 drivers/cpufreq/speedstep-centrino.c | 7 +-
75310 drivers/cpuidle/cpuidle.c | 2 +-
75311 drivers/cpuidle/governor.c | 4 +-
75312 drivers/cpuidle/sysfs.c | 2 +-
75313 drivers/devfreq/devfreq.c | 6 +-
75314 drivers/dma/sh/shdma.c | 2 +-
75315 drivers/edac/edac_mc_sysfs.c | 12 +-
75316 drivers/edac/edac_pci_sysfs.c | 22 +-
75317 drivers/edac/mce_amd.h | 2 +-
75318 drivers/firewire/core-card.c | 2 +-
75319 drivers/firewire/core-device.c | 2 +-
75320 drivers/firewire/core-transaction.c | 1 +
75321 drivers/firewire/core.h | 1 +
75322 drivers/firmware/dmi-id.c | 2 +-
75323 drivers/firmware/dmi_scan.c | 7 +-
75324 drivers/firmware/efi/efi.c | 12 +-
75325 drivers/firmware/efi/efivars.c | 2 +-
75326 drivers/firmware/google/memconsole.c | 4 +-
75327 drivers/gpio/gpio-ich.c | 2 +-
75328 drivers/gpio/gpio-vr41xx.c | 2 +-
75329 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
75330 drivers/gpu/drm/drm_drv.c | 6 +-
75331 drivers/gpu/drm/drm_fops.c | 18 +-
75332 drivers/gpu/drm/drm_global.c | 14 +-
75333 drivers/gpu/drm/drm_info.c | 14 +-
75334 drivers/gpu/drm/drm_ioc32.c | 13 +-
75335 drivers/gpu/drm/drm_ioctl.c | 2 +-
75336 drivers/gpu/drm/drm_lock.c | 4 +-
75337 drivers/gpu/drm/drm_stub.c | 2 +-
75338 drivers/gpu/drm/drm_sysfs.c | 2 +-
75339 drivers/gpu/drm/i810/i810_dma.c | 8 +-
75340 drivers/gpu/drm/i810/i810_drv.h | 4 +-
75341 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
75342 drivers/gpu/drm/i915/i915_dma.c | 2 +-
75343 drivers/gpu/drm/i915/i915_drv.h | 4 +-
75344 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
75345 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
75346 drivers/gpu/drm/i915/i915_irq.c | 22 +-
75347 drivers/gpu/drm/i915/intel_display.c | 26 +-
75348 drivers/gpu/drm/mga/mga_drv.h | 4 +-
75349 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
75350 drivers/gpu/drm/mga/mga_irq.c | 8 +-
75351 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
75352 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
75353 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
75354 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
75355 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
75356 drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
75357 drivers/gpu/drm/r128/r128_cce.c | 2 +-
75358 drivers/gpu/drm/r128/r128_drv.h | 4 +-
75359 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
75360 drivers/gpu/drm/r128/r128_irq.c | 4 +-
75361 drivers/gpu/drm/r128/r128_state.c | 4 +-
75362 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
75363 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
75364 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
75365 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
75366 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
75367 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
75368 drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
75369 drivers/gpu/drm/radeon/rs690.c | 4 +-
75370 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
75371 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
75372 drivers/gpu/drm/udl/udl_fb.c | 1 -
75373 drivers/gpu/drm/via/via_drv.h | 4 +-
75374 drivers/gpu/drm/via/via_irq.c | 18 +-
75375 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
75376 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
75377 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
75378 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
75379 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
75380 drivers/hid/hid-core.c | 4 +-
75381 drivers/hv/channel.c | 4 +-
75382 drivers/hv/hv.c | 2 +-
75383 drivers/hv/hyperv_vmbus.h | 2 +-
75384 drivers/hv/vmbus_drv.c | 4 +-
75385 drivers/hwmon/acpi_power_meter.c | 4 +-
75386 drivers/hwmon/applesmc.c | 2 +-
75387 drivers/hwmon/asus_atk0110.c | 10 +-
75388 drivers/hwmon/coretemp.c | 2 +-
75389 drivers/hwmon/ibmaem.c | 2 +-
75390 drivers/hwmon/iio_hwmon.c | 2 +-
75391 drivers/hwmon/pmbus/pmbus_core.c | 10 +-
75392 drivers/hwmon/sht15.c | 12 +-
75393 drivers/hwmon/via-cputemp.c | 2 +-
75394 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
75395 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
75396 drivers/i2c/i2c-dev.c | 2 +-
75397 drivers/ide/ide-cd.c | 2 +-
75398 drivers/iio/industrialio-core.c | 2 +-
75399 drivers/infiniband/core/cm.c | 32 +-
75400 drivers/infiniband/core/fmr_pool.c | 20 +-
75401 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
75402 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
75403 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
75404 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
75405 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
75406 drivers/infiniband/hw/nes/nes.c | 4 +-
75407 drivers/infiniband/hw/nes/nes.h | 40 +-
75408 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
75409 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
75410 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
75411 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
75412 drivers/infiniband/hw/qib/qib.h | 1 +
75413 drivers/input/gameport/gameport.c | 4 +-
75414 drivers/input/input.c | 4 +-
75415 drivers/input/joystick/sidewinder.c | 1 +
75416 drivers/input/joystick/xpad.c | 4 +-
75417 drivers/input/mouse/psmouse.h | 2 +-
75418 drivers/input/mousedev.c | 2 +-
75419 drivers/input/serio/serio.c | 4 +-
75420 drivers/iommu/iommu.c | 2 +-
75421 drivers/iommu/irq_remapping.c | 12 +-
75422 drivers/irqchip/irq-gic.c | 4 +-
75423 drivers/isdn/capi/capi.c | 10 +-
75424 drivers/isdn/gigaset/interface.c | 8 +-
75425 drivers/isdn/hardware/avm/b1.c | 4 +-
75426 drivers/isdn/i4l/isdn_tty.c | 22 +-
75427 drivers/isdn/icn/icn.c | 2 +-
75428 drivers/leds/leds-clevo-mail.c | 2 +-
75429 drivers/leds/leds-ss4200.c | 2 +-
75430 drivers/lguest/core.c | 10 +-
75431 drivers/lguest/page_tables.c | 2 +-
75432 drivers/lguest/x86/core.c | 12 +-
75433 drivers/lguest/x86/switcher_32.S | 27 +-
75434 drivers/md/bcache/closure.h | 2 +-
75435 drivers/md/bitmap.c | 2 +-
75436 drivers/md/dm-ioctl.c | 2 +-
75437 drivers/md/dm-raid1.c | 16 +-
75438 drivers/md/dm-stripe.c | 10 +-
75439 drivers/md/dm-table.c | 2 +-
75440 drivers/md/dm-thin-metadata.c | 4 +-
75441 drivers/md/dm.c | 16 +-
75442 drivers/md/md.c | 26 +-
75443 drivers/md/md.h | 6 +-
75444 drivers/md/persistent-data/dm-space-map.h | 1 +
75445 drivers/md/raid1.c | 4 +-
75446 drivers/md/raid10.c | 16 +-
75447 drivers/md/raid5.c | 10 +-
75448 drivers/media/dvb-core/dvbdev.c | 2 +-
75449 drivers/media/dvb-frontends/dib3000.h | 2 +-
75450 drivers/media/pci/cx88/cx88-video.c | 6 +-
75451 drivers/media/platform/omap/omap_vout.c | 11 +-
75452 drivers/media/platform/s5p-tv/mixer.h | 2 +-
75453 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
75454 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
75455 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
75456 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
75457 drivers/media/radio/radio-cadet.c | 2 +
75458 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
75459 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
75460 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
75461 drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
75462 drivers/message/fusion/mptsas.c | 34 +-
75463 drivers/message/fusion/mptscsih.c | 19 +-
75464 drivers/message/i2o/i2o_proc.c | 51 +-
75465 drivers/message/i2o/iop.c | 8 +-
75466 drivers/mfd/janz-cmodio.c | 1 +
75467 drivers/mfd/twl4030-irq.c | 9 +-
75468 drivers/mfd/twl6030-irq.c | 10 +-
75469 drivers/misc/c2port/core.c | 4 +-
75470 drivers/misc/kgdbts.c | 4 +-
75471 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
75472 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
75473 drivers/misc/sgi-gru/gruhandles.c | 4 +-
75474 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
75475 drivers/misc/sgi-gru/grutables.h | 154 +-
75476 drivers/misc/sgi-xp/xp.h | 2 +-
75477 drivers/misc/sgi-xp/xpc.h | 3 +-
75478 drivers/misc/sgi-xp/xpc_main.c | 4 +-
75479 drivers/mmc/core/mmc_ops.c | 2 +-
75480 drivers/mmc/host/dw_mmc.h | 2 +-
75481 drivers/mmc/host/sdhci-s3c.c | 8 +-
75482 drivers/mtd/nand/denali.c | 1 +
75483 drivers/mtd/nftlmount.c | 1 +
75484 drivers/mtd/sm_ftl.c | 2 +-
75485 drivers/net/bonding/bond_main.c | 2 +-
75486 drivers/net/ethernet/8390/ax88796.c | 4 +-
75487 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
75488 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
75489 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
75490 drivers/net/ethernet/broadcom/tg3.h | 1 +
75491 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
75492 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
75493 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
75494 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
75495 drivers/net/ethernet/faraday/ftmac100.c | 2 +
75496 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
75497 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
75498 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
75499 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
75500 drivers/net/ethernet/realtek/r8169.c | 8 +-
75501 drivers/net/ethernet/sfc/ptp.c | 2 +-
75502 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
75503 drivers/net/hyperv/hyperv_net.h | 2 +-
75504 drivers/net/hyperv/rndis_filter.c | 4 +-
75505 drivers/net/ieee802154/fakehard.c | 2 +-
75506 drivers/net/macvlan.c | 18 +-
75507 drivers/net/macvtap.c | 2 +-
75508 drivers/net/ppp/ppp_generic.c | 4 +-
75509 drivers/net/slip/slhc.c | 2 +-
75510 drivers/net/team/team.c | 2 +-
75511 drivers/net/tun.c | 5 +-
75512 drivers/net/usb/hso.c | 23 +-
75513 drivers/net/vxlan.c | 2 +-
75514 drivers/net/wireless/at76c50x-usb.c | 2 +-
75515 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
75516 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
75517 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
75518 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
75519 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
75520 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
75521 drivers/net/wireless/mac80211_hwsim.c | 32 +-
75522 drivers/net/wireless/rndis_wlan.c | 2 +-
75523 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
75524 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
75525 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
75526 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
75527 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
75528 drivers/oprofile/buffer_sync.c | 8 +-
75529 drivers/oprofile/event_buffer.c | 2 +-
75530 drivers/oprofile/oprof.c | 2 +-
75531 drivers/oprofile/oprofile_files.c | 2 +-
75532 drivers/oprofile/oprofile_stats.c | 10 +-
75533 drivers/oprofile/oprofile_stats.h | 10 +-
75534 drivers/oprofile/oprofilefs.c | 2 +-
75535 drivers/oprofile/timer_int.c | 2 +-
75536 drivers/parport/procfs.c | 4 +-
75537 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
75538 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
75539 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
75540 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
75541 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
75542 drivers/pci/hotplug/pciehp_core.c | 2 +-
75543 drivers/pci/pci-sysfs.c | 6 +-
75544 drivers/pci/pci.h | 2 +-
75545 drivers/pci/pcie/aspm.c | 6 +-
75546 drivers/pci/probe.c | 2 +-
75547 drivers/platform/x86/chromeos_laptop.c | 2 +-
75548 drivers/platform/x86/msi-laptop.c | 14 +-
75549 drivers/platform/x86/sony-laptop.c | 2 +-
75550 drivers/platform/x86/thinkpad_acpi.c | 70 +-
75551 drivers/pnp/pnpbios/bioscalls.c | 14 +-
75552 drivers/pnp/resource.c | 4 +-
75553 drivers/power/pda_power.c | 7 +-
75554 drivers/power/power_supply.h | 4 +-
75555 drivers/power/power_supply_core.c | 7 +-
75556 drivers/power/power_supply_sysfs.c | 6 +-
75557 drivers/regulator/max8660.c | 6 +-
75558 drivers/regulator/max8973-regulator.c | 8 +-
75559 drivers/regulator/mc13892-regulator.c | 6 +-
75560 drivers/rtc/rtc-cmos.c | 4 +-
75561 drivers/rtc/rtc-ds1307.c | 2 +-
75562 drivers/rtc/rtc-m48t59.c | 4 +-
75563 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
75564 drivers/scsi/bfa/bfa_ioc.h | 4 +-
75565 drivers/scsi/hosts.c | 4 +-
75566 drivers/scsi/hpsa.c | 30 +-
75567 drivers/scsi/hpsa.h | 2 +-
75568 drivers/scsi/libfc/fc_exch.c | 50 +-
75569 drivers/scsi/libsas/sas_ata.c | 2 +-
75570 drivers/scsi/lpfc/lpfc.h | 8 +-
75571 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
75572 drivers/scsi/lpfc/lpfc_init.c | 6 +-
75573 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
75574 drivers/scsi/pmcraid.c | 20 +-
75575 drivers/scsi/pmcraid.h | 8 +-
75576 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
75577 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
75578 drivers/scsi/qla2xxx/qla_os.c | 6 +-
75579 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
75580 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
75581 drivers/scsi/scsi.c | 2 +-
75582 drivers/scsi/scsi_lib.c | 6 +-
75583 drivers/scsi/scsi_sysfs.c | 2 +-
75584 drivers/scsi/scsi_tgt_lib.c | 2 +-
75585 drivers/scsi/scsi_transport_fc.c | 8 +-
75586 drivers/scsi/scsi_transport_iscsi.c | 6 +-
75587 drivers/scsi/scsi_transport_srp.c | 6 +-
75588 drivers/scsi/sd.c | 2 +-
75589 drivers/scsi/sg.c | 2 +-
75590 drivers/spi/spi.c | 2 +-
75591 drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
75592 drivers/staging/octeon/ethernet-rx.c | 12 +-
75593 drivers/staging/octeon/ethernet.c | 8 +-
75594 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
75595 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
75596 drivers/staging/usbip/vhci.h | 2 +-
75597 drivers/staging/usbip/vhci_hcd.c | 6 +-
75598 drivers/staging/usbip/vhci_rx.c | 2 +-
75599 drivers/staging/vt6655/hostap.c | 7 +-
75600 drivers/staging/vt6656/hostap.c | 7 +-
75601 drivers/staging/zcache/tmem.c | 4 +-
75602 drivers/staging/zcache/tmem.h | 2 +
75603 drivers/target/target_core_device.c | 2 +-
75604 drivers/target/target_core_transport.c | 2 +-
75605 drivers/tty/cyclades.c | 6 +-
75606 drivers/tty/hvc/hvc_console.c | 14 +-
75607 drivers/tty/hvc/hvcs.c | 21 +-
75608 drivers/tty/ipwireless/tty.c | 27 +-
75609 drivers/tty/moxa.c | 2 +-
75610 drivers/tty/n_gsm.c | 4 +-
75611 drivers/tty/n_tty.c | 3 +-
75612 drivers/tty/pty.c | 4 +-
75613 drivers/tty/rocket.c | 6 +-
75614 drivers/tty/serial/kgdboc.c | 32 +-
75615 drivers/tty/serial/samsung.c | 9 +-
75616 drivers/tty/serial/serial_core.c | 8 +-
75617 drivers/tty/synclink.c | 34 +-
75618 drivers/tty/synclink_gt.c | 28 +-
75619 drivers/tty/synclinkmp.c | 34 +-
75620 drivers/tty/tty_io.c | 2 +-
75621 drivers/tty/tty_ldisc.c | 10 +-
75622 drivers/tty/tty_port.c | 22 +-
75623 drivers/uio/uio.c | 21 +-
75624 drivers/usb/atm/cxacru.c | 2 +-
75625 drivers/usb/atm/usbatm.c | 24 +-
75626 drivers/usb/core/devices.c | 6 +-
75627 drivers/usb/core/hcd.c | 4 +-
75628 drivers/usb/core/message.c | 2 +-
75629 drivers/usb/core/sysfs.c | 2 +-
75630 drivers/usb/core/usb.c | 2 +-
75631 drivers/usb/early/ehci-dbgp.c | 16 +-
75632 drivers/usb/gadget/u_serial.c | 22 +-
75633 drivers/usb/serial/console.c | 6 +-
75634 drivers/usb/storage/usb.h | 2 +-
75635 drivers/usb/wusbcore/wa-hc.h | 4 +-
75636 drivers/usb/wusbcore/wa-xfer.c | 2 +-
75637 drivers/vhost/vringh.c | 2 +-
75638 drivers/video/aty/aty128fb.c | 2 +-
75639 drivers/video/aty/atyfb_base.c | 8 +-
75640 drivers/video/aty/mach64_cursor.c | 5 +-
75641 drivers/video/backlight/kb3886_bl.c | 2 +-
75642 drivers/video/fb_defio.c | 6 +-
75643 drivers/video/fbcmap.c | 3 +-
75644 drivers/video/fbmem.c | 6 +-
75645 drivers/video/i810/i810_accel.c | 1 +
75646 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
75647 drivers/video/nvidia/nvidia.c | 27 +-
75648 drivers/video/output.c | 2 +-
75649 drivers/video/s1d13xxxfb.c | 6 +-
75650 drivers/video/smscufx.c | 4 +-
75651 drivers/video/udlfb.c | 36 +-
75652 drivers/video/uvesafb.c | 53 +-
75653 drivers/video/vesafb.c | 58 +-
75654 drivers/video/via/via_clock.h | 2 +-
75655 fs/9p/vfs_addr.c | 2 +-
75656 fs/9p/vfs_inode.c | 2 +-
75657 fs/Kconfig.binfmt | 2 +-
75658 fs/aio.c | 12 +-
75659 fs/autofs4/waitq.c | 2 +-
75660 fs/befs/endian.h | 4 +-
75661 fs/befs/linuxvfs.c | 2 +-
75662 fs/binfmt_aout.c | 23 +-
75663 fs/binfmt_elf.c | 607 ++-
75664 fs/binfmt_flat.c | 6 +
75665 fs/bio.c | 6 +-
75666 fs/block_dev.c | 2 +-
75667 fs/btrfs/ctree.c | 9 +-
75668 fs/btrfs/super.c | 2 +-
75669 fs/cachefiles/bind.c | 6 +-
75670 fs/cachefiles/daemon.c | 8 +-
75671 fs/cachefiles/internal.h | 12 +-
75672 fs/cachefiles/namei.c | 2 +-
75673 fs/cachefiles/proc.c | 12 +-
75674 fs/cachefiles/rdwr.c | 2 +-
75675 fs/ceph/dir.c | 2 +-
75676 fs/cifs/cifs_debug.c | 12 +-
75677 fs/cifs/cifsfs.c | 8 +-
75678 fs/cifs/cifsglob.h | 54 +-
75679 fs/cifs/link.c | 2 +-
75680 fs/cifs/misc.c | 4 +-
75681 fs/cifs/smb1ops.c | 80 +-
75682 fs/cifs/smb2ops.c | 84 +-
75683 fs/cifs/smb2pdu.c | 3 +-
75684 fs/coda/cache.c | 10 +-
75685 fs/compat.c | 6 +-
75686 fs/compat_binfmt_elf.c | 2 +
75687 fs/compat_ioctl.c | 12 +-
75688 fs/configfs/dir.c | 10 +-
75689 fs/coredump.c | 24 +-
75690 fs/dcache.c | 2 +-
75691 fs/ecryptfs/inode.c | 4 +-
75692 fs/ecryptfs/miscdev.c | 2 +-
75693 fs/exec.c | 362 ++-
75694 fs/ext4/ext4.h | 20 +-
75695 fs/ext4/mballoc.c | 44 +-
75696 fs/ext4/mmp.c | 2 +-
75697 fs/ext4/super.c | 4 +-
75698 fs/fhandle.c | 3 +-
75699 fs/fs_struct.c | 8 +-
75700 fs/fscache/cookie.c | 36 +-
75701 fs/fscache/internal.h | 196 +-
75702 fs/fscache/object.c | 28 +-
75703 fs/fscache/operation.c | 30 +-
75704 fs/fscache/page.c | 110 +-
75705 fs/fscache/stats.c | 344 +-
75706 fs/fuse/cuse.c | 10 +-
75707 fs/fuse/dev.c | 4 +-
75708 fs/fuse/dir.c | 2 +-
75709 fs/gfs2/inode.c | 2 +-
75710 fs/hugetlbfs/inode.c | 13 +-
75711 fs/inode.c | 4 +-
75712 fs/jffs2/erase.c | 3 +-
75713 fs/jffs2/wbuf.c | 3 +-
75714 fs/jfs/super.c | 2 +-
75715 fs/libfs.c | 10 +-
75716 fs/lockd/clntproc.c | 4 +-
75717 fs/lockd/svc.c | 2 +-
75718 fs/locks.c | 8 +-
75719 fs/namei.c | 15 +-
75720 fs/namespace.c | 10 +-
75721 fs/nfs/callback.c | 4 +-
75722 fs/nfs/callback_xdr.c | 2 +-
75723 fs/nfs/inode.c | 6 +-
75724 fs/nfs/nfs4state.c | 2 +-
75725 fs/nfsd/nfs4proc.c | 2 +-
75726 fs/nfsd/nfs4xdr.c | 6 +-
75727 fs/nfsd/nfscache.c | 9 +-
75728 fs/nfsd/vfs.c | 6 +-
75729 fs/nls/nls_base.c | 18 +-
75730 fs/nls/nls_euc-jp.c | 6 +-
75731 fs/nls/nls_koi8-ru.c | 6 +-
75732 fs/notify/fanotify/fanotify_user.c | 4 +-
75733 fs/notify/notification.c | 4 +-
75734 fs/ntfs/dir.c | 2 +-
75735 fs/ntfs/file.c | 4 +-
75736 fs/ocfs2/localalloc.c | 2 +-
75737 fs/ocfs2/ocfs2.h | 10 +-
75738 fs/ocfs2/suballoc.c | 12 +-
75739 fs/ocfs2/super.c | 20 +-
75740 fs/pipe.c | 61 +-
75741 fs/proc/array.c | 20 +
75742 fs/proc/base.c | 4 +-
75743 fs/proc/kcore.c | 32 +-
75744 fs/proc/meminfo.c | 2 +-
75745 fs/proc/nommu.c | 2 +-
75746 fs/proc/proc_sysctl.c | 18 +-
75747 fs/proc/self.c | 2 +-
75748 fs/proc/task_mmu.c | 39 +-
75749 fs/proc/task_nommu.c | 4 +-
75750 fs/proc/vmcore.c | 12 +-
75751 fs/qnx6/qnx6.h | 4 +-
75752 fs/quota/netlink.c | 4 +-
75753 fs/read_write.c | 2 +-
75754 fs/readdir.c | 2 +-
75755 fs/reiserfs/do_balan.c | 2 +-
75756 fs/reiserfs/procfs.c | 2 +-
75757 fs/reiserfs/reiserfs.h | 4 +-
75758 fs/seq_file.c | 2 +-
75759 fs/splice.c | 40 +-
75760 fs/sysfs/bin.c | 6 +-
75761 fs/sysfs/dir.c | 2 +-
75762 fs/sysfs/file.c | 10 +-
75763 fs/sysfs/symlink.c | 2 +-
75764 fs/sysv/sysv.h | 2 +-
75765 fs/ubifs/io.c | 2 +-
75766 fs/udf/misc.c | 2 +-
75767 fs/ufs/swab.h | 4 +-
75768 fs/xattr.c | 21 +
75769 fs/xattr_acl.c | 4 +-
75770 fs/xfs/xfs_bmap.c | 2 +-
75771 fs/xfs/xfs_dir2_sf.c | 10 +-
75772 fs/xfs/xfs_ioctl.c | 2 +-
75773 fs/xfs/xfs_iops.c | 2 +-
75774 include/asm-generic/4level-fixup.h | 2 +
75775 include/asm-generic/atomic-long.h | 210 +
75776 include/asm-generic/atomic.h | 2 +-
75777 include/asm-generic/atomic64.h | 12 +
75778 include/asm-generic/cache.h | 4 +-
75779 include/asm-generic/emergency-restart.h | 2 +-
75780 include/asm-generic/kmap_types.h | 4 +-
75781 include/asm-generic/local.h | 13 +
75782 include/asm-generic/pgtable-nopmd.h | 18 +-
75783 include/asm-generic/pgtable-nopud.h | 15 +-
75784 include/asm-generic/pgtable.h | 8 +
75785 include/asm-generic/vmlinux.lds.h | 10 +-
75786 include/crypto/algapi.h | 2 +-
75787 include/drm/drmP.h | 17 +-
75788 include/drm/drm_crtc_helper.h | 2 +-
75789 include/drm/ttm/ttm_memory.h | 2 +-
75790 include/keys/asymmetric-subtype.h | 2 +-
75791 include/linux/atmdev.h | 4 +-
75792 include/linux/binfmts.h | 3 +-
75793 include/linux/blkdev.h | 2 +-
75794 include/linux/blktrace_api.h | 2 +-
75795 include/linux/cache.h | 4 +
75796 include/linux/cdrom.h | 1 -
75797 include/linux/cleancache.h | 2 +-
75798 include/linux/clk-provider.h | 1 +
75799 include/linux/compat.h | 4 +-
75800 include/linux/compiler-gcc4.h | 20 +
75801 include/linux/compiler.h | 65 +-
75802 include/linux/completion.h | 6 +-
75803 include/linux/configfs.h | 2 +-
75804 include/linux/cpu.h | 2 +-
75805 include/linux/cpufreq.h | 3 +-
75806 include/linux/cpuidle.h | 5 +-
75807 include/linux/cpumask.h | 12 +-
75808 include/linux/crypto.h | 6 +-
75809 include/linux/ctype.h | 2 +-
75810 include/linux/decompress/mm.h | 2 +-
75811 include/linux/devfreq.h | 2 +-
75812 include/linux/device.h | 7 +-
75813 include/linux/dma-mapping.h | 2 +-
75814 include/linux/dmaengine.h | 4 +-
75815 include/linux/efi.h | 1 +
75816 include/linux/elf.h | 2 +
75817 include/linux/err.h | 4 +-
75818 include/linux/extcon.h | 2 +-
75819 include/linux/fb.h | 2 +-
75820 include/linux/filter.h | 4 +
75821 include/linux/frontswap.h | 2 +-
75822 include/linux/fs.h | 3 +-
75823 include/linux/fs_struct.h | 2 +-
75824 include/linux/fscache-cache.h | 4 +-
75825 include/linux/fscache.h | 2 +-
75826 include/linux/fsnotify.h | 2 +-
75827 include/linux/genhd.h | 2 +-
75828 include/linux/genl_magic_func.h | 2 +-
75829 include/linux/gfp.h | 12 +-
75830 include/linux/highmem.h | 12 +
75831 include/linux/hwmon-sysfs.h | 5 +-
75832 include/linux/i2c.h | 1 +
75833 include/linux/i2o.h | 2 +-
75834 include/linux/if_pppox.h | 2 +-
75835 include/linux/init.h | 33 +-
75836 include/linux/init_task.h | 7 +
75837 include/linux/interrupt.h | 8 +-
75838 include/linux/iommu.h | 2 +-
75839 include/linux/ioport.h | 2 +-
75840 include/linux/irq.h | 3 +-
75841 include/linux/irqchip/arm-gic.h | 4 +-
75842 include/linux/key-type.h | 2 +-
75843 include/linux/kgdb.h | 6 +-
75844 include/linux/kobject.h | 3 +-
75845 include/linux/kobject_ns.h | 2 +-
75846 include/linux/kref.h | 2 +-
75847 include/linux/kvm_host.h | 4 +-
75848 include/linux/libata.h | 2 +-
75849 include/linux/list.h | 15 +
75850 include/linux/math64.h | 6 +-
75851 include/linux/mm.h | 116 +-
75852 include/linux/mm_types.h | 20 +
75853 include/linux/mmiotrace.h | 4 +-
75854 include/linux/mmzone.h | 2 +-
75855 include/linux/mod_devicetable.h | 6 +-
75856 include/linux/module.h | 60 +-
75857 include/linux/moduleloader.h | 16 +
75858 include/linux/moduleparam.h | 4 +-
75859 include/linux/namei.h | 6 +-
75860 include/linux/net.h | 2 +-
75861 include/linux/netdevice.h | 3 +-
75862 include/linux/netfilter.h | 2 +-
75863 include/linux/netfilter/ipset/ip_set.h | 2 +-
75864 include/linux/netfilter/nfnetlink.h | 2 +-
75865 include/linux/nls.h | 2 +-
75866 include/linux/notifier.h | 3 +-
75867 include/linux/oprofile.h | 4 +-
75868 include/linux/pci_hotplug.h | 3 +-
75869 include/linux/perf_event.h | 12 +-
75870 include/linux/pipe_fs_i.h | 8 +-
75871 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
75872 include/linux/platform_data/usb-ohci-exynos.h | 2 +-
75873 include/linux/pm_domain.h | 2 +-
75874 include/linux/pm_runtime.h | 2 +-
75875 include/linux/pnp.h | 2 +-
75876 include/linux/poison.h | 4 +-
75877 include/linux/power/smartreflex.h | 2 +-
75878 include/linux/ppp-comp.h | 2 +-
75879 include/linux/proc_ns.h | 2 +-
75880 include/linux/random.h | 5 +
75881 include/linux/rculist.h | 16 +
75882 include/linux/reboot.h | 14 +-
75883 include/linux/regset.h | 3 +-
75884 include/linux/relay.h | 2 +-
75885 include/linux/rio.h | 2 +-
75886 include/linux/rmap.h | 4 +-
75887 include/linux/sched.h | 65 +-
75888 include/linux/sched/sysctl.h | 1 +
75889 include/linux/seq_file.h | 1 +
75890 include/linux/skbuff.h | 12 +-
75891 include/linux/slab.h | 42 +-
75892 include/linux/slab_def.h | 28 +-
75893 include/linux/slob_def.h | 4 +-
75894 include/linux/slub_def.h | 8 +-
75895 include/linux/sock_diag.h | 2 +-
75896 include/linux/sonet.h | 2 +-
75897 include/linux/sunrpc/addr.h | 8 +-
75898 include/linux/sunrpc/clnt.h | 2 +-
75899 include/linux/sunrpc/svc.h | 2 +-
75900 include/linux/sunrpc/svc_rdma.h | 18 +-
75901 include/linux/sunrpc/svcauth.h | 2 +-
75902 include/linux/swiotlb.h | 3 +-
75903 include/linux/syscalls.h | 10 +-
75904 include/linux/syscore_ops.h | 2 +-
75905 include/linux/sysctl.h | 6 +-
75906 include/linux/sysfs.h | 10 +-
75907 include/linux/sysrq.h | 3 +-
75908 include/linux/thread_info.h | 7 +
75909 include/linux/tty.h | 4 +-
75910 include/linux/tty_driver.h | 2 +-
75911 include/linux/tty_ldisc.h | 2 +-
75912 include/linux/types.h | 16 +
75913 include/linux/uaccess.h | 6 +-
75914 include/linux/unaligned/access_ok.h | 24 +-
75915 include/linux/usb.h | 4 +-
75916 include/linux/usb/renesas_usbhs.h | 2 +-
75917 include/linux/vermagic.h | 21 +-
75918 include/linux/vmalloc.h | 11 +-
75919 include/linux/vmstat.h | 20 +-
75920 include/linux/xattr.h | 5 +-
75921 include/linux/zlib.h | 3 +-
75922 include/media/v4l2-dev.h | 2 +-
75923 include/net/9p/transport.h | 2 +-
75924 include/net/bluetooth/l2cap.h | 2 +-
75925 include/net/caif/cfctrl.h | 6 +-
75926 include/net/flow.h | 2 +-
75927 include/net/genetlink.h | 2 +-
75928 include/net/gro_cells.h | 2 +-
75929 include/net/inet_connection_sock.h | 2 +-
75930 include/net/inetpeer.h | 8 +-
75931 include/net/ip.h | 2 +-
75932 include/net/ip_fib.h | 2 +-
75933 include/net/ip_vs.h | 8 +-
75934 include/net/irda/ircomm_tty.h | 1 +
75935 include/net/iucv/af_iucv.h | 2 +-
75936 include/net/llc_c_ac.h | 2 +-
75937 include/net/llc_c_ev.h | 4 +-
75938 include/net/llc_c_st.h | 2 +-
75939 include/net/llc_s_ac.h | 2 +-
75940 include/net/llc_s_st.h | 2 +-
75941 include/net/mac80211.h | 2 +-
75942 include/net/neighbour.h | 2 +-
75943 include/net/net_namespace.h | 12 +-
75944 include/net/netdma.h | 2 +-
75945 include/net/netlink.h | 2 +-
75946 include/net/netns/conntrack.h | 6 +-
75947 include/net/netns/ipv4.h | 2 +-
75948 include/net/netns/ipv6.h | 2 +-
75949 include/net/protocol.h | 4 +-
75950 include/net/rtnetlink.h | 2 +-
75951 include/net/sctp/sctp.h | 6 +-
75952 include/net/sctp/sm.h | 4 +-
75953 include/net/sctp/structs.h | 2 +-
75954 include/net/sock.h | 6 +-
75955 include/net/tcp.h | 8 +-
75956 include/net/xfrm.h | 8 +-
75957 include/rdma/iw_cm.h | 2 +-
75958 include/scsi/libfc.h | 3 +-
75959 include/scsi/scsi_device.h | 6 +-
75960 include/scsi/scsi_transport_fc.h | 3 +-
75961 include/sound/compress_driver.h | 2 +-
75962 include/sound/soc.h | 4 +-
75963 include/target/target_core_base.h | 2 +-
75964 include/trace/events/irq.h | 4 +-
75965 include/uapi/linux/a.out.h | 8 +
75966 include/uapi/linux/byteorder/little_endian.h | 28 +-
75967 include/uapi/linux/elf.h | 28 +
75968 include/uapi/linux/screen_info.h | 3 +-
75969 include/uapi/linux/swab.h | 6 +-
75970 include/uapi/linux/sysctl.h | 6 +-
75971 include/uapi/linux/xattr.h | 4 +
75972 include/video/udlfb.h | 8 +-
75973 include/video/uvesafb.h | 1 +
75974 init/Kconfig | 2 +-
75975 init/Makefile | 3 +
75976 init/do_mounts.c | 14 +-
75977 init/do_mounts.h | 8 +-
75978 init/do_mounts_initrd.c | 30 +-
75979 init/do_mounts_md.c | 6 +-
75980 init/init_task.c | 4 +
75981 init/initramfs.c | 42 +-
75982 init/main.c | 83 +-
75983 ipc/ipc_sysctl.c | 10 +-
75984 ipc/mq_sysctl.c | 2 +-
75985 ipc/msg.c | 11 +-
75986 ipc/sem.c | 11 +-
75987 ipc/shm.c | 17 +-
75988 kernel/acct.c | 2 +-
75989 kernel/audit.c | 8 +-
75990 kernel/auditfilter.c | 2 +-
75991 kernel/auditsc.c | 4 +-
75992 kernel/capability.c | 3 +
75993 kernel/compat.c | 38 +-
75994 kernel/debug/debug_core.c | 16 +-
75995 kernel/debug/kdb/kdb_main.c | 4 +-
75996 kernel/events/core.c | 30 +-
75997 kernel/events/internal.h | 10 +-
75998 kernel/exit.c | 4 +-
75999 kernel/fork.c | 167 +-
76000 kernel/futex.c | 9 +
76001 kernel/futex_compat.c | 2 +-
76002 kernel/gcov/base.c | 7 +-
76003 kernel/hrtimer.c | 4 +-
76004 kernel/irq_work.c | 7 +-
76005 kernel/jump_label.c | 5 +
76006 kernel/kallsyms.c | 39 +-
76007 kernel/kexec.c | 3 +-
76008 kernel/kmod.c | 4 +-
76009 kernel/kprobes.c | 8 +-
76010 kernel/ksysfs.c | 2 +-
76011 kernel/lockdep.c | 7 +-
76012 kernel/module.c | 337 +-
76013 kernel/mutex-debug.c | 12 +-
76014 kernel/mutex-debug.h | 4 +-
76015 kernel/mutex.c | 11 +-
76016 kernel/notifier.c | 17 +-
76017 kernel/panic.c | 3 +-
76018 kernel/pid.c | 2 +-
76019 kernel/pid_namespace.c | 2 +-
76020 kernel/posix-cpu-timers.c | 4 +-
76021 kernel/posix-timers.c | 22 +-
76022 kernel/power/process.c | 12 +-
76023 kernel/profile.c | 14 +-
76024 kernel/ptrace.c | 8 +-
76025 kernel/rcupdate.c | 4 +-
76026 kernel/rcutiny.c | 4 +-
76027 kernel/rcutiny_plugin.h | 2 +-
76028 kernel/rcutorture.c | 56 +-
76029 kernel/rcutree.c | 76 +-
76030 kernel/rcutree.h | 24 +-
76031 kernel/rcutree_plugin.h | 20 +-
76032 kernel/rcutree_trace.c | 22 +-
76033 kernel/rtmutex-tester.c | 24 +-
76034 kernel/sched/auto_group.c | 4 +-
76035 kernel/sched/core.c | 51 +-
76036 kernel/sched/fair.c | 4 +-
76037 kernel/sched/sched.h | 2 +-
76038 kernel/signal.c | 12 +-
76039 kernel/smp.c | 2 +-
76040 kernel/smpboot.c | 4 +-
76041 kernel/softirq.c | 18 +-
76042 kernel/srcu.c | 4 +-
76043 kernel/sys.c | 10 +-
76044 kernel/sysctl.c | 39 +-
76045 kernel/time.c | 2 +-
76046 kernel/time/alarmtimer.c | 2 +-
76047 kernel/time/tick-broadcast.c | 2 +-
76048 kernel/time/timer_stats.c | 10 +-
76049 kernel/timer.c | 6 +-
76050 kernel/trace/blktrace.c | 6 +-
76051 kernel/trace/ftrace.c | 18 +-
76052 kernel/trace/ring_buffer.c | 76 +-
76053 kernel/trace/trace.c | 2 +-
76054 kernel/trace/trace.h | 2 +-
76055 kernel/trace/trace_events.c | 25 +-
76056 kernel/trace/trace_mmiotrace.c | 8 +-
76057 kernel/trace/trace_output.c | 12 +-
76058 kernel/trace/trace_stack.c | 2 +-
76059 kernel/user_namespace.c | 2 +-
76060 kernel/utsname_sysctl.c | 2 +-
76061 kernel/watchdog.c | 2 +-
76062 kernel/workqueue.c | 2 +-
76063 lib/Kconfig.debug | 8 +-
76064 lib/Makefile | 2 +-
76065 lib/bitmap.c | 8 +-
76066 lib/bug.c | 2 +
76067 lib/debugobjects.c | 2 +-
76068 lib/devres.c | 4 +-
76069 lib/div64.c | 4 +-
76070 lib/dma-debug.c | 4 +-
76071 lib/inflate.c | 2 +-
76072 lib/ioremap.c | 4 +-
76073 lib/kobject.c | 6 +-
76074 lib/list_debug.c | 126 +-
76075 lib/radix-tree.c | 2 +-
76076 lib/strncpy_from_user.c | 2 +-
76077 lib/strnlen_user.c | 2 +-
76078 lib/swiotlb.c | 2 +-
76079 lib/usercopy.c | 6 +
76080 lib/vsprintf.c | 12 +-
76081 mm/Kconfig | 6 +-
76082 mm/backing-dev.c | 4 +-
76083 mm/filemap.c | 2 +-
76084 mm/fremap.c | 5 +
76085 mm/highmem.c | 7 +-
76086 mm/hugetlb.c | 70 +-
76087 mm/internal.h | 1 +
76088 mm/maccess.c | 4 +-
76089 mm/madvise.c | 41 +
76090 mm/memory-failure.c | 26 +-
76091 mm/memory.c | 424 ++-
76092 mm/mempolicy.c | 26 +
76093 mm/mlock.c | 15 +-
76094 mm/mmap.c | 606 ++-
76095 mm/mprotect.c | 139 +-
76096 mm/mremap.c | 44 +-
76097 mm/nommu.c | 21 +-
76098 mm/page-writeback.c | 4 +-
76099 mm/page_alloc.c | 41 +-
76100 mm/page_io.c | 2 +-
76101 mm/percpu.c | 2 +-
76102 mm/process_vm_access.c | 14 +-
76103 mm/rmap.c | 38 +-
76104 mm/shmem.c | 19 +-
76105 mm/slab.c | 79 +-
76106 mm/slab.h | 5 +-
76107 mm/slab_common.c | 46 +-
76108 mm/slob.c | 201 +-
76109 mm/slub.c | 79 +-
76110 mm/sparse-vmemmap.c | 4 +-
76111 mm/sparse.c | 2 +-
76112 mm/swap.c | 3 +
76113 mm/swapfile.c | 12 +-
76114 mm/util.c | 6 +
76115 mm/vmalloc.c | 77 +-
76116 mm/vmstat.c | 12 +-
76117 net/8021q/vlan.c | 5 +-
76118 net/9p/mod.c | 4 +-
76119 net/9p/trans_fd.c | 2 +-
76120 net/atm/atm_misc.c | 8 +-
76121 net/atm/lec.h | 2 +-
76122 net/atm/proc.c | 6 +-
76123 net/atm/resources.c | 4 +-
76124 net/ax25/sysctl_net_ax25.c | 2 +-
76125 net/batman-adv/bat_iv_ogm.c | 8 +-
76126 net/batman-adv/hard-interface.c | 4 +-
76127 net/batman-adv/soft-interface.c | 4 +-
76128 net/batman-adv/types.h | 6 +-
76129 net/batman-adv/unicast.c | 2 +-
76130 net/bluetooth/hci_core.c | 8 +-
76131 net/bluetooth/hci_sock.c | 2 +-
76132 net/bluetooth/l2cap_core.c | 6 +-
76133 net/bluetooth/l2cap_sock.c | 12 +-
76134 net/bluetooth/rfcomm/sock.c | 4 +-
76135 net/bluetooth/rfcomm/tty.c | 10 +-
76136 net/bridge/netfilter/ebtables.c | 6 +-
76137 net/caif/cfctrl.c | 11 +-
76138 net/can/af_can.c | 2 +-
76139 net/can/gw.c | 6 +-
76140 net/compat.c | 34 +-
76141 net/core/datagram.c | 2 +-
76142 net/core/dev.c | 16 +-
76143 net/core/flow.c | 8 +-
76144 net/core/iovec.c | 4 +-
76145 net/core/neighbour.c | 2 +-
76146 net/core/net-sysfs.c | 2 +-
76147 net/core/net_namespace.c | 8 +-
76148 net/core/rtnetlink.c | 13 +-
76149 net/core/scm.c | 8 +-
76150 net/core/sock.c | 24 +-
76151 net/core/sock_diag.c | 9 +-
76152 net/core/sysctl_net_core.c | 18 +-
76153 net/decnet/af_decnet.c | 1 +
76154 net/decnet/sysctl_net_decnet.c | 4 +-
76155 net/ipv4/af_inet.c | 8 +-
76156 net/ipv4/ah4.c | 2 +-
76157 net/ipv4/devinet.c | 18 +-
76158 net/ipv4/esp4.c | 2 +-
76159 net/ipv4/fib_frontend.c | 6 +-
76160 net/ipv4/fib_semantics.c | 2 +-
76161 net/ipv4/inet_connection_sock.c | 2 +-
76162 net/ipv4/inetpeer.c | 4 +-
76163 net/ipv4/ip_fragment.c | 15 +-
76164 net/ipv4/ip_gre.c | 6 +-
76165 net/ipv4/ip_sockglue.c | 2 +-
76166 net/ipv4/ip_vti.c | 4 +-
76167 net/ipv4/ipcomp.c | 2 +-
76168 net/ipv4/ipconfig.c | 6 +-
76169 net/ipv4/ipip.c | 4 +-
76170 net/ipv4/netfilter/arp_tables.c | 12 +-
76171 net/ipv4/netfilter/ip_tables.c | 12 +-
76172 net/ipv4/ping.c | 2 +-
76173 net/ipv4/raw.c | 14 +-
76174 net/ipv4/route.c | 18 +-
76175 net/ipv4/sysctl_net_ipv4.c | 45 +-
76176 net/ipv4/tcp_input.c | 2 +-
76177 net/ipv4/tcp_probe.c | 2 +-
76178 net/ipv4/udp.c | 10 +-
76179 net/ipv4/xfrm4_policy.c | 14 +-
76180 net/ipv6/addrconf.c | 12 +-
76181 net/ipv6/icmp.c | 2 +-
76182 net/ipv6/ip6_gre.c | 8 +-
76183 net/ipv6/ip6_tunnel.c | 4 +-
76184 net/ipv6/ipv6_sockglue.c | 2 +-
76185 net/ipv6/netfilter/ip6_tables.c | 12 +-
76186 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
76187 net/ipv6/raw.c | 19 +-
76188 net/ipv6/reassembly.c | 13 +-
76189 net/ipv6/route.c | 2 +-
76190 net/ipv6/sit.c | 4 +-
76191 net/ipv6/sysctl_net_ipv6.c | 2 +-
76192 net/ipv6/udp.c | 8 +-
76193 net/ipv6/xfrm6_policy.c | 13 +-
76194 net/irda/ircomm/ircomm_tty.c | 18 +-
76195 net/iucv/af_iucv.c | 4 +-
76196 net/iucv/iucv.c | 2 +-
76197 net/key/af_key.c | 4 +-
76198 net/mac80211/cfg.c | 8 +-
76199 net/mac80211/ieee80211_i.h | 3 +-
76200 net/mac80211/iface.c | 16 +-
76201 net/mac80211/main.c | 2 +-
76202 net/mac80211/pm.c | 6 +-
76203 net/mac80211/rate.c | 2 +-
76204 net/mac80211/rc80211_pid_debugfs.c | 2 +-
76205 net/mac80211/util.c | 4 +-
76206 net/netfilter/ipset/ip_set_core.c | 2 +-
76207 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
76208 net/netfilter/ipvs/ip_vs_core.c | 4 +-
76209 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
76210 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
76211 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
76212 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
76213 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
76214 net/netfilter/nf_conntrack_acct.c | 2 +-
76215 net/netfilter/nf_conntrack_ecache.c | 2 +-
76216 net/netfilter/nf_conntrack_helper.c | 2 +-
76217 net/netfilter/nf_conntrack_proto.c | 2 +-
76218 net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
76219 net/netfilter/nf_conntrack_standalone.c | 2 +-
76220 net/netfilter/nf_conntrack_timestamp.c | 2 +-
76221 net/netfilter/nf_log.c | 10 +-
76222 net/netfilter/nf_sockopt.c | 4 +-
76223 net/netfilter/nfnetlink_log.c | 4 +-
76224 net/netfilter/xt_statistic.c | 8 +-
76225 net/netlink/af_netlink.c | 4 +-
76226 net/netlink/genetlink.c | 16 +-
76227 net/packet/af_packet.c | 12 +-
76228 net/phonet/pep.c | 6 +-
76229 net/phonet/socket.c | 2 +-
76230 net/phonet/sysctl.c | 2 +-
76231 net/rds/cong.c | 6 +-
76232 net/rds/ib.h | 2 +-
76233 net/rds/ib_cm.c | 2 +-
76234 net/rds/ib_recv.c | 4 +-
76235 net/rds/iw.h | 2 +-
76236 net/rds/iw_cm.c | 2 +-
76237 net/rds/iw_recv.c | 4 +-
76238 net/rds/rds.h | 2 +-
76239 net/rds/tcp.c | 2 +-
76240 net/rds/tcp_send.c | 2 +-
76241 net/rxrpc/af_rxrpc.c | 2 +-
76242 net/rxrpc/ar-ack.c | 14 +-
76243 net/rxrpc/ar-call.c | 2 +-
76244 net/rxrpc/ar-connection.c | 2 +-
76245 net/rxrpc/ar-connevent.c | 2 +-
76246 net/rxrpc/ar-input.c | 4 +-
76247 net/rxrpc/ar-internal.h | 8 +-
76248 net/rxrpc/ar-local.c | 2 +-
76249 net/rxrpc/ar-output.c | 4 +-
76250 net/rxrpc/ar-peer.c | 2 +-
76251 net/rxrpc/ar-proc.c | 4 +-
76252 net/rxrpc/ar-transport.c | 2 +-
76253 net/rxrpc/rxkad.c | 4 +-
76254 net/sctp/ipv6.c | 6 +-
76255 net/sctp/protocol.c | 10 +-
76256 net/sctp/sm_sideeffect.c | 2 +-
76257 net/sctp/socket.c | 21 +-
76258 net/sctp/sysctl.c | 4 +-
76259 net/socket.c | 18 +-
76260 net/sunrpc/clnt.c | 4 +-
76261 net/sunrpc/sched.c | 4 +-
76262 net/sunrpc/svc.c | 6 +-
76263 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
76264 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
76265 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
76266 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
76267 net/tipc/link.c | 6 +-
76268 net/tipc/msg.c | 2 +-
76269 net/tipc/subscr.c | 2 +-
76270 net/unix/sysctl_net_unix.c | 2 +-
76271 net/wireless/wext-core.c | 19 +-
76272 net/xfrm/xfrm_policy.c | 27 +-
76273 net/xfrm/xfrm_state.c | 29 +-
76274 net/xfrm/xfrm_sysctl.c | 2 +-
76275 scripts/Makefile.build | 2 +-
76276 scripts/Makefile.clean | 3 +-
76277 scripts/Makefile.host | 28 +-
76278 scripts/basic/fixdep.c | 12 +-
76279 scripts/gcc-plugin.sh | 17 +
76280 scripts/headers_install.sh | 1 +
76281 scripts/link-vmlinux.sh | 2 +-
76282 scripts/mod/file2alias.c | 14 +-
76283 scripts/mod/modpost.c | 25 +-
76284 scripts/mod/modpost.h | 6 +-
76285 scripts/mod/sumversion.c | 2 +-
76286 scripts/package/builddeb | 1 +
76287 scripts/pnmtologo.c | 6 +-
76288 scripts/sortextable.h | 6 +-
76289 security/Kconfig | 676 +++-
76290 security/apparmor/lsm.c | 2 +-
76291 security/integrity/ima/ima.h | 4 +-
76292 security/integrity/ima/ima_api.c | 2 +-
76293 security/integrity/ima/ima_fs.c | 4 +-
76294 security/integrity/ima/ima_queue.c | 2 +-
76295 security/keys/compat.c | 2 +-
76296 security/keys/internal.h | 2 +-
76297 security/keys/key.c | 18 +-
76298 security/keys/keyctl.c | 8 +-
76299 security/keys/keyring.c | 6 +-
76300 security/security.c | 9 +-
76301 security/selinux/hooks.c | 2 +-
76302 security/selinux/include/xfrm.h | 2 +-
76303 security/smack/smack_lsm.c | 2 +-
76304 security/tomoyo/tomoyo.c | 2 +-
76305 security/yama/yama_lsm.c | 22 +-
76306 sound/aoa/codecs/onyx.c | 7 +-
76307 sound/aoa/codecs/onyx.h | 1 +
76308 sound/core/oss/pcm_oss.c | 18 +-
76309 sound/core/pcm_compat.c | 2 +-
76310 sound/core/pcm_native.c | 4 +-
76311 sound/core/seq/seq_device.c | 8 +-
76312 sound/core/sound.c | 2 +-
76313 sound/drivers/mts64.c | 14 +-
76314 sound/drivers/opl4/opl4_lib.c | 2 +-
76315 sound/drivers/portman2x4.c | 3 +-
76316 sound/firewire/amdtp.c | 4 +-
76317 sound/firewire/amdtp.h | 2 +-
76318 sound/firewire/isight.c | 10 +-
76319 sound/firewire/scs1x.c | 8 +-
76320 sound/oss/sb_audio.c | 2 +-
76321 sound/oss/swarm_cs4297a.c | 6 +-
76322 sound/pci/ymfpci/ymfpci.h | 2 +-
76323 sound/pci/ymfpci/ymfpci_main.c | 12 +-
76324 sound/soc/fsl/fsl_ssi.c | 2 +-
76325 sound/sound_core.c | 2 +-
76326 tools/gcc/.gitignore | 1 +
76327 tools/gcc/Makefile | 45 +
76328 tools/gcc/checker_plugin.c | 172 +
76329 tools/gcc/colorize_plugin.c | 151 +
76330 tools/gcc/constify_plugin.c | 560 ++
76331 tools/gcc/generate_size_overflow_hash.sh | 94 +
76332 tools/gcc/kallocstat_plugin.c | 170 +
76333 tools/gcc/kernexec_plugin.c | 465 ++
76334 tools/gcc/latent_entropy_plugin.c | 327 ++
76335 tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++
76336 tools/gcc/size_overflow_plugin.c | 2114 +++++++
76337 tools/gcc/stackleak_plugin.c | 327 ++
76338 tools/gcc/structleak_plugin.c | 277 +
76339 tools/perf/util/include/asm/alternative-asm.h | 3 +
76340 tools/perf/util/include/linux/compiler.h | 8 +
76341 virt/kvm/kvm_main.c | 32 +-
76342 1607 files changed, 30734 insertions(+), 7318 deletions(-)
76343commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
76344Merge: 0949bd4 fc53d63
76345Author: Brad Spengler <spender@grsecurity.net>
76346Date: Thu Mar 22 19:03:44 2012 -0400
76347
76348 Merge branch 'pax-test' into grsec-test
76349
76350commit fc53d6338964741b368070ec5c935bc579b8c2a6
76351Author: Brad Spengler <spender@grsecurity.net>
76352Date: Thu Mar 22 19:02:45 2012 -0400
76353
76354 Update to pax-linux-3.2.12-test33.patch
76355
76356commit 0949bd46a6455b308f66ad7c993bfee62412db35
76357Author: Brad Spengler <spender@grsecurity.net>
76358Date: Thu Mar 22 16:56:09 2012 -0400
76359
76360 Use current_umask() instead of current->fs->umask
76361
76362commit 22f6432d0fe733619cfcb523782ed7d80c46d645
76363Author: Brad Spengler <spender@grsecurity.net>
76364Date: Wed Mar 21 19:42:42 2012 -0400
76365
76366 compile fix
76367
76368commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
76369Author: Brad Spengler <spender@grsecurity.net>
76370Date: Wed Mar 21 19:34:56 2012 -0400
76371
76372 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
76373 uses of domains with particular hash collisions
76374
76375commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
76376Author: Brad Spengler <spender@grsecurity.net>
76377Date: Tue Mar 20 20:25:49 2012 -0400
76378
76379 zero kernel_role
76380
76381commit b00953b43c69238d181d21121ef1577c988d5f6b
76382Author: Brad Spengler <spender@grsecurity.net>
76383Date: Tue Mar 20 19:29:34 2012 -0400
76384
76385 zero real_root after releasing it
76386
76387commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
76388Merge: b724f59 273f98e
76389Author: Brad Spengler <spender@grsecurity.net>
76390Date: Tue Mar 20 19:11:26 2012 -0400
76391
76392 Merge branch 'pax-test' into grsec-test
76393
76394commit 273f98e58cdac555d3b5dce5c1ca168349f95878
76395Author: Brad Spengler <spender@grsecurity.net>
76396Date: Tue Mar 20 19:10:52 2012 -0400
76397
76398 Temporary workaround for (most) size_overflow plugin false-positives
76399 Increase randomization for brk-managed heap to 21 bits
76400 Update to pax-linux-3.2.12-test32.patch
76401
76402commit b724f59125304460c2af8bd4b02921993afbb5d3
76403Author: Brad Spengler <spender@grsecurity.net>
76404Date: Tue Mar 20 18:58:53 2012 -0400
76405
76406 compile fix
76407
76408commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
76409Author: Brad Spengler <spender@grsecurity.net>
76410Date: Tue Mar 20 18:52:23 2012 -0400
76411
76412 Require default and kernel role
76413
76414commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
76415Author: Brad Spengler <spender@grsecurity.net>
76416Date: Tue Mar 20 18:47:28 2012 -0400
76417
76418 Allow policies without special roles
76419 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
76420
76421commit 402ec3d24d66d38403dc543c84851f5e72d39e22
76422Merge: 8e012dc f14661a
76423Author: Brad Spengler <spender@grsecurity.net>
76424Date: Mon Mar 19 18:06:59 2012 -0400
76425
76426 Merge branch 'pax-test' into grsec-test
76427
76428 Conflicts:
76429 fs/namei.c
76430
76431commit f14661aaf202155c97f66626cea0269017bb7775
76432Merge: eae671f 058b017
76433Author: Brad Spengler <spender@grsecurity.net>
76434Date: Mon Mar 19 18:05:44 2012 -0400
76435
76436 Merge branch 'linux-3.2.y' into pax-test
76437
76438commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
76439Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
76440Date: Fri Mar 16 17:08:39 2012 -0700
76441
76442 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
76443
76444 According to the report from Slicky Devil, nilfs caused kernel oops at
76445 nilfs_load_super_block function during mount after he shrank the
76446 partition without resizing the filesystem:
76447
76448 BUG: unable to handle kernel NULL pointer dereference at 00000048
76449 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
76450 *pde = 00000000
76451 Oops: 0000 [#1] PREEMPT SMP
76452 ...
76453 Call Trace:
76454 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
76455 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
76456 [<c0226636>] mount_fs+0x36/0x180
76457 [<c023d961>] vfs_kern_mount+0x51/0xa0
76458 [<c023ddae>] do_kern_mount+0x3e/0xe0
76459 [<c023f189>] do_mount+0x169/0x700
76460 [<c023fa9b>] sys_mount+0x6b/0xa0
76461 [<c04abd1f>] sysenter_do_call+0x12/0x28
76462 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
76463 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
76464 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
76465 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
76466 CR2: 0000000000000048
76467
76468 This turned out due to a defect in an error path which runs if the
76469 calculated location of the secondary super block was invalid.
76470
76471 This patch fixes it and eliminates the reported oops.
76472
76473 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
76474 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
76475 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
76476 Cc: <stable@vger.kernel.org> [2.6.30+]
76477 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
76478 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76479
76480commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
76481Author: Haogang Chen <haogangchen@gmail.com>
76482Date: Fri Mar 16 17:08:38 2012 -0700
76483
76484 nilfs2: clamp ns_r_segments_percentage to [1, 99]
76485
76486 ns_r_segments_percentage is read from the disk. Bogus or malicious
76487 value could cause integer overflow and malfunction due to meaningless
76488 disk usage calculation. This patch reports error when mounting such
76489 bogus volumes.
76490
76491 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
76492 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
76493 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
76494 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76495
76496commit e1a90645643f9b0194a5984ec8febd06360d5c8b
76497Author: Eric Dumazet <eric.dumazet@gmail.com>
76498Date: Sat Mar 10 09:20:21 2012 +0000
76499
76500 tcp: fix syncookie regression
76501
76502 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
76503 added a serious regression on synflood handling.
76504
76505 Simon Kirby discovered a successful connection was delayed by 20 seconds
76506 before being responsive.
76507
76508 In my tests, I discovered that xmit frames were lost, and needed ~4
76509 retransmits and a socket dst rebuild before being really sent.
76510
76511 In case of syncookie initiated connection, we use a different path to
76512 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
76513
76514 As ip_queue_xmit() now depends on inet flow being setup, fix this by
76515 copying the temp flowi4 we use in cookie_v4_check().
76516
76517 Reported-by: Simon Kirby <sim@netnation.com>
76518 Bisected-by: Simon Kirby <sim@netnation.com>
76519 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
76520 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
76521 Signed-off-by: David S. Miller <davem@davemloft.net>
76522
76523commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
76524Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
76525Date: Mon Mar 12 02:59:41 2012 +0000
76526
76527 tun: don't hold network namespace by tun sockets
76528
76529 v3: added previously removed sock_put() to the tun_release() callback, because
76530 sk_release_kernel() doesn't drop the socket reference.
76531
76532 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
76533 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
76534 call.
76535
76536 TUN was designed to destroy it's socket on network namesapce shutdown. But this
76537 will never happen for persistent device, because it's socket holds network
76538 namespace.
76539 This patch removes of holding network namespace by TUN socket and replaces it
76540 by creating socket in init_net and then changing it's net it to desired one. On
76541 shutdown socket is moved back to init_net prior to final put.
76542
76543 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
76544 Signed-off-by: David S. Miller <davem@davemloft.net>
76545
76546commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
76547Author: Tyler Hicks <tyhicks@canonical.com>
76548Date: Mon Dec 12 10:02:30 2011 -0600
76549
76550 vfs: Correctly set the dir i_mutex lockdep class
76551
76552 9a7aa12f3911853a introduced additional logic around setting the i_mutex
76553 lockdep class for directory inodes. The idea was that some filesystems
76554 may want their own special lockdep class for different directory
76555 inodes and calling unlock_new_inode() should not clobber one of
76556 those special classes.
76557
76558 I believe that the added conditional, around the *negated* return value
76559 of lockdep_match_class(), caused directory inodes to be placed in the
76560 wrong lockdep class.
76561
76562 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
76563 all inodes. If the filesystem did not change the class during inode
76564 initialization, then the conditional mentioned above was false and the
76565 directory inode was incorrectly left in the non-directory lockdep class.
76566 If the filesystem did set a special lockdep class, then the conditional
76567 mentioned above was true and that class was clobbered with
76568 i_mutex_dir_key.
76569
76570 This patch removes the negation from the conditional so that the i_mutex
76571 lockdep class is properly set for directory inodes. Special classes are
76572 preserved and directory inodes with unmodified classes are set with
76573 i_mutex_dir_key.
76574
76575 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
76576 Reviewed-by: Jan Kara <jack@suse.cz>
76577 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
76578
76579commit 603590b0d2eca61ce26499eac9c563bc567a18c9
76580Author: Jan Kara <jack@suse.cz>
76581Date: Mon Feb 20 17:54:00 2012 +0100
76582
76583 udf: Fix deadlock in udf_release_file()
76584
76585 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
76586 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
76587 i_mutex is not needed in udf_release_file() anymore since protection by
76588 i_data_sem is enough to protect from races with write and truncate.
76589
76590 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
76591 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
76592 Signed-off-by: Jan Kara <jack@suse.cz>
76593 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
76594
76595commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
76596Author: Miklos Szeredi <mszeredi@suse.cz>
76597Date: Tue Mar 6 13:56:33 2012 +0100
76598
76599 vfs: fix double put after complete_walk()
76600
76601 complete_walk() already puts nd->path, no need to do it again at cleanup time.
76602
76603 This would result in Oopses if triggered, apparently the codepath is not too
76604 well exercised.
76605
76606 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
76607 CC: stable@vger.kernel.org
76608 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
76609
76610commit 13885ba2b18400f3ef6540497d30f1af896605e5
76611Author: Miklos Szeredi <mszeredi@suse.cz>
76612Date: Tue Mar 6 13:56:34 2012 +0100
76613
76614 vfs: fix return value from do_last()
76615
76616 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
76617 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
76618 which is complete nonsense.
76619
76620 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
76621 CC: stable@vger.kernel.org
76622 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
76623
76624 Conflicts:
76625
76626 fs/namei.c
76627
76628commit f5ab7572c99ffb58953eb1070622307e904c3b7f
76629Author: Al Viro <viro@zeniv.linux.org.uk>
76630Date: Sat Mar 10 17:07:28 2012 -0500
76631
76632 restore smp_mb() in unlock_new_inode()
76633
76634 wait_on_inode() doesn't have ->i_lock
76635
76636 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
76637
76638commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
76639Author: David S. Miller <davem@davemloft.net>
76640Date: Tue Mar 13 18:19:51 2012 -0700
76641
76642 sparc32: Add -Av8 to assembler command line.
76643
76644 Newer version of binutils are more strict about specifying the
76645 correct options to enable certain classes of instructions.
76646
76647 The sparc32 build is done for v7 in order to support sun4c systems
76648 which lack hardware integer multiply and divide instructions.
76649
76650 So we have to pass -Av8 when building the assembler routines that
76651 use these instructions and get patched into the kernel when we find
76652 out that we have a v8 capable cpu.
76653
76654 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
76655 Signed-off-by: David S. Miller <davem@davemloft.net>
76656
76657commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
76658Author: Thomas Gleixner <tglx@linutronix.de>
76659Date: Fri Mar 9 20:55:10 2012 +0100
76660
76661 x86: Derandom delay_tsc for 64 bit
76662
76663 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
76664 delay_tsc() into a random delay generator for 64 bit. The reason is
76665 that it merged the mostly identical versions of delay_32.c and
76666 delay_64.c. Though the subtle difference of the result was:
76667
76668 static void delay_tsc(unsigned long loops)
76669 {
76670 - unsigned bclock, now;
76671 + unsigned long bclock, now;
76672
76673 Now the function uses rdtscl() which returns the lower 32bit of the
76674 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
76675 bit this fails when the lower 32bit are close to wrap around when
76676 bclock is read, because the following check
76677
76678 if ((now - bclock) >= loops)
76679 break;
76680
76681 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
76682 because the unsigned long (now - bclock) of these values results in
76683 0xffffffff00000001 which is definitely larger than the loops
76684 value. That explains Tvortkos observation:
76685
76686 "Because I am seeing udelay(500) (_occasionally_) being short, and
76687 that by delaying for some duration between 0us (yep) and 491us."
76688
76689 Make those variables explicitely u32 again, so this works for both 32
76690 and 64 bit.
76691
76692 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
76693 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
76694 Cc: stable@vger.kernel.org # >= 2.6.27
76695 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76696
76697commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
76698Author: Al Viro <viro@ZenIV.linux.org.uk>
76699Date: Thu Mar 8 17:51:19 2012 +0000
76700
76701 aio: fix the "too late munmap()" race
76702
76703 Current code has put_ioctx() called asynchronously from aio_fput_routine();
76704 that's done *after* we have killed the request that used to pin ioctx,
76705 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
76706 from progressing. As the result, we can end up with async call of
76707 put_ioctx() being the last one and possibly happening during exit_mmap()
76708 or elf_core_dump(), neither of which expects stray munmap() being done
76709 to them...
76710
76711 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
76712 with that, but that's all we care about - neither io_destroy() nor
76713 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
76714 does really_put_req(), so the ioctx teardown won't be done until then
76715 and we don't care about the contents of ioctx past that point.
76716
76717 Since actual freeing of these suckers is RCU-delayed, we don't need to
76718 bump ioctx refcount when request goes into list for async removal.
76719 All we need is rcu_read_lock held just over the ->ctx_lock-protected
76720 area in aio_fput_routine().
76721
76722 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
76723 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
76724 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
76725 Cc: stable@vger.kernel.org
76726 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76727
76728commit 002124c055afbf09b52226af65621999e8316448
76729Author: Al Viro <viro@ZenIV.linux.org.uk>
76730Date: Wed Mar 7 05:16:35 2012 +0000
76731
76732 aio: fix io_setup/io_destroy race
76733
76734 Have ioctx_alloc() return an extra reference, so that caller would drop it
76735 on success and not bother with re-grabbing it on failure exit. The current
76736 code is obviously broken - io_destroy() from another thread that managed
76737 to guess the address io_setup() would've returned would free ioctx right
76738 under us; gets especially interesting if aio_context_t * we pass to
76739 io_setup() points to PROT_READ mapping, so put_user() fails and we end
76740 up doing io_destroy() on kioctx another thread has just got freed...
76741
76742 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
76743 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
76744 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
76745 Cc: stable@vger.kernel.org
76746 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76747
76748commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
76749Author: Dan Carpenter <dan.carpenter@oracle.com>
76750Date: Thu Mar 15 15:17:12 2012 -0700
76751
76752 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
76753
76754 strict_strtoul() writes a long but ->gamma_mode only has space to store an
76755 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
76756 well. I've changed it to use kstrtouint() instead.
76757
76758 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
76759 Acked-by: Inki Dae <inki.dae@samsung.com>
76760 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
76761 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
76762 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76763
76764commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
76765Merge: e4b05b6 eae671f
76766Author: Brad Spengler <spender@grsecurity.net>
76767Date: Fri Mar 16 21:04:27 2012 -0400
76768
76769 Merge branch 'pax-test' into grsec-test
76770
76771 Conflicts:
76772 security/Kconfig
76773
76774commit eae671fafe93f04685c04a089cc13efebc05d600
76775Author: Brad Spengler <spender@grsecurity.net>
76776Date: Fri Mar 16 20:58:01 2012 -0400
76777
76778 Update to pax-linux-3.2.11-test31.patch
76779 Introduction of the size_overflow plugin from Emese Revfy
76780 Many thanks to Emese for her hard work :)
76781
76782commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
76783Merge: e55aa68 258c015
76784Author: Brad Spengler <spender@grsecurity.net>
76785Date: Thu Mar 15 20:59:19 2012 -0400
76786
76787 Merge branch 'pax-test' into grsec-test
76788
76789commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
76790Author: Brad Spengler <spender@grsecurity.net>
76791Date: Thu Mar 15 20:59:05 2012 -0400
76792
76793 fix ARM compilation
76794
76795commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
76796Merge: 8f95ea9 55b7573
76797Author: Brad Spengler <spender@grsecurity.net>
76798Date: Wed Mar 14 19:33:41 2012 -0400
76799
76800 Merge branch 'pax-test' into grsec-test
76801
76802commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
76803Author: Brad Spengler <spender@grsecurity.net>
76804Date: Wed Mar 14 19:33:15 2012 -0400
76805
76806 Update to pax-linux-3.2.10-test28.patch
76807
76808commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
76809Merge: c8786a2 886ac5e
76810Author: Brad Spengler <spender@grsecurity.net>
76811Date: Tue Mar 13 17:38:13 2012 -0400
76812
76813 Merge branch 'pax-test' into grsec-test
76814
76815 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
76816
76817commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
76818Author: Brad Spengler <spender@grsecurity.net>
76819Date: Tue Mar 13 17:37:44 2012 -0400
76820
76821 Update to pax-linux-3.2.10-test26.patch
76822
76823commit c8786a2abed5e5327f68efa520c04db99bb6a63a
76824Merge: 219c982 c061fcf
76825Author: Brad Spengler <spender@grsecurity.net>
76826Date: Tue Mar 13 17:25:06 2012 -0400
76827
76828 Merge branch 'pax-test' into grsec-test
76829
76830commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
76831Merge: 89373d2 3f4b3b2
76832Author: Brad Spengler <spender@grsecurity.net>
76833Date: Tue Mar 13 17:25:02 2012 -0400
76834
76835 Merge branch 'linux-3.2.y' into pax-test
76836
76837commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
76838Merge: 54e19a3 89373d2
76839Author: Brad Spengler <spender@grsecurity.net>
76840Date: Mon Mar 12 17:23:57 2012 -0400
76841
76842 Merge branch 'pax-test' into grsec-test
76843
76844commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
76845Merge: a778588 7459f11
76846Author: Brad Spengler <spender@grsecurity.net>
76847Date: Mon Mar 12 17:23:49 2012 -0400
76848
76849 Merge branch 'linux-3.2.y' into pax-test
76850
76851commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
76852Merge: c4650f1 a778588
76853Author: Brad Spengler <spender@grsecurity.net>
76854Date: Mon Mar 12 16:51:25 2012 -0400
76855
76856 Merge branch 'pax-test' into grsec-test
76857
76858commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
76859Author: Brad Spengler <spender@grsecurity.net>
76860Date: Mon Mar 12 16:51:12 2012 -0400
76861
76862 Update to pax-linux-3.2.9-test24.patch
76863
76864commit c4650f14b13f84735fe3de06a1f3ff5776473eff
76865Merge: fb2abee 1015790
76866Author: Brad Spengler <spender@grsecurity.net>
76867Date: Sun Mar 11 21:08:28 2012 -0400
76868
76869 Merge branch 'pax-test' into grsec-test
76870
76871 Conflicts:
76872 security/Kconfig
76873
76874commit 101579028a736c224e590c7e12a7357018c424e1
76875Author: Brad Spengler <spender@grsecurity.net>
76876Date: Sun Mar 11 21:07:27 2012 -0400
76877
76878 Update to pax-linux-3.2.9-test22.patch
76879
76880commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
76881Author: Brad Spengler <spender@grsecurity.net>
76882Date: Sun Mar 11 11:02:17 2012 -0400
76883
76884 Allow 4096 CPUs
76885
76886commit 96bae28cbe6a41d48e3b56e5904814096e956000
76887Author: Brad Spengler <spender@grsecurity.net>
76888Date: Sun Mar 11 10:25:58 2012 -0400
76889
76890 Use a per-cpu 48-bit counter instead of a global atomic64
76891 Initialize each counter to have the cpu number in the lower 16 bits
76892 instead of incrementing the counter each time by 1, perform the increments
76893 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
76894 any state
76895 idea from PaX Team
76896
76897commit b975688101da6e966aebb1bc6b8c5c5983974f9c
76898Author: Brad Spengler <spender@grsecurity.net>
76899Date: Sat Mar 10 20:33:12 2012 -0500
76900
76901 Special vnsec edition! :)
76902 Further reduce argv/env allowance for suid/sgid apps to 512KB
76903 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
76904 Clear 3GB personality on suid/sgid binaries
76905 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
76906 with the main purpose of throwing off program stack -> arg/env alignment
76907 Update documentation
76908
76909commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
76910Author: Brad Spengler <spender@grsecurity.net>
76911Date: Sat Mar 10 19:54:47 2012 -0500
76912
76913 Resolve skbuff.h warnings that turn into errors during compilation in
76914 the grsecurity directory with -Werror
76915
76916commit 2023210ad43a944033fcacc660ce410888f562ee
76917Merge: ece4383 5f66adf
76918Author: Brad Spengler <spender@grsecurity.net>
76919Date: Fri Mar 9 19:48:01 2012 -0500
76920
76921 Merge branch 'pax-test' into grsec-test
76922
76923commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
76924Author: Brad Spengler <spender@grsecurity.net>
76925Date: Fri Mar 9 19:47:06 2012 -0500
76926
76927 Add colorize plugin
76928
76929commit ece4383e5e91c92d138c4df84225a70b552f4d69
76930Merge: a366d0e ab4a5a1
76931Author: Brad Spengler <spender@grsecurity.net>
76932Date: Fri Mar 9 17:56:46 2012 -0500
76933
76934 Merge branch 'pax-test' into grsec-test
76935
76936commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
76937Author: Brad Spengler <spender@grsecurity.net>
76938Date: Fri Mar 9 17:56:26 2012 -0500
76939
76940 Update to pax-linux-3.2.9-test21.patch
76941
76942commit a366d0ed963ce93fce10121c1100989d5f064e75
76943Author: Mikulas Patocka <mpatocka@redhat.com>
76944Date: Sun Mar 4 19:52:03 2012 -0500
76945
76946 mm: fix find_vma_prev
76947
76948 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
76949 management on PA-RISC.
76950
76951 After application of the patch, programs that allocate big arrays on the
76952 stack crash with segfault, for example, this will crash if compiled
76953 without optimization:
76954
76955 int main()
76956 {
76957 char array[200000];
76958 array[199999] = 0;
76959 return 0;
76960 }
76961
76962 The reason is that PA-RISC has up-growing stack and the stack is usually
76963 the last memory area. In the above example, a page fault happens above
76964 the stack.
76965
76966 Previously, if we passed too high address to find_vma_prev, it returned
76967 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
76968 change, it stores NULL in *pprev. Consequently, the stack area is not
76969 found and it is not expanded, as it used to be before the change.
76970
76971 This patch restores the old behavior and makes it return the last VMA in
76972 *pprev if the requested address is higher than address of any other VMA.
76973
76974 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
76975 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
76976 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76977
76978commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
76979Author: Hugh Dickins <hughd@google.com>
76980Date: Tue Mar 6 12:28:52 2012 -0800
76981
76982 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
76983
76984 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
76985 from shared anonymous: hoist the file case's -EINVAL up for both.
76986
76987 Signed-off-by: Hugh Dickins <hughd@google.com>
76988 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76989
76990commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
76991Author: Al Viro <viro@ZenIV.linux.org.uk>
76992Date: Mon Mar 5 06:38:42 2012 +0000
76993
76994 aout: move setup_arg_pages() prior to reading/mapping the binary
76995
76996 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
76997 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
76998
76999commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
77000Author: Jan Beulich <JBeulich@suse.com>
77001Date: Mon Mar 5 16:49:24 2012 +0000
77002
77003 vsprintf: make %pV handling compatible with kasprintf()
77004
77005 kasprintf() (and potentially other functions that I didn't run across so
77006 far) want to evaluate argument lists twice. Caring to do so for the
77007 primary list is obviously their job, but they can't reasonably be
77008 expected to check the format string for instances of %pV, which however
77009 need special handling too: On architectures like x86-64 (as opposed to
77010 e.g. ix86), using the same argument list twice doesn't produce the
77011 expected results, as an internally managed cursor gets updated during
77012 the first run.
77013
77014 Fix the problem by always acting on a copy of the original list when
77015 handling %pV.
77016
77017 Signed-off-by: Jan Beulich <jbeulich@suse.com>
77018 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
77019
77020commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
77021Author: Al Viro <viro@ZenIV.linux.org.uk>
77022Date: Mon Mar 5 06:39:47 2012 +0000
77023
77024 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
77025
77026 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
77027 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
77028
77029commit a831bd53764695ea680cc1fa3c98759a610ed2ac
77030Author: Christian König <deathsimple@vodafone.de>
77031Date: Tue Feb 28 23:19:20 2012 +0100
77032
77033 drm/radeon: fix uninitialized variable
77034
77035 Without this fix the driver randomly treats
77036 textures as arrays and I'm really wondering
77037 why gcc isn't complaining about it.
77038
77039 Signed-off-by: Christian König <deathsimple@vodafone.de>
77040 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
77041 Signed-off-by: Dave Airlie <airlied@redhat.com>
77042
77043commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
77044Author: H. Peter Anvin <hpa@zytor.com>
77045Date: Fri Mar 2 10:43:48 2012 -0800
77046
77047 regset: Prevent null pointer reference on readonly regsets
77048
77049 The regset common infrastructure assumed that regsets would always
77050 have .get and .set methods, but not necessarily .active methods.
77051 Unfortunately people have since written regsets without .set methods.
77052
77053 Rather than putting in stub functions everywhere, handle regsets with
77054 null .get or .set methods explicitly.
77055
77056 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
77057 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
77058 Acked-by: Roland McGrath <roland@hack.frob.com>
77059 Cc: <stable@vger.kernel.org>
77060 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
77061
77062commit 072ddd99401c79b53c6bf6bff9deb93022124c79
77063Author: Brad Spengler <spender@grsecurity.net>
77064Date: Mon Mar 5 18:12:57 2012 -0500
77065
77066 Fix compiler errors reported on forums
77067
77068commit 1606774b48af24e6f99d99c624c0e447d4b66474
77069Merge: 3127bd5 4ca2ffd
77070Author: Brad Spengler <spender@grsecurity.net>
77071Date: Mon Mar 5 17:31:35 2012 -0500
77072
77073 Merge branch 'pax-test' into grsec-test
77074
77075commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
77076Author: Brad Spengler <spender@grsecurity.net>
77077Date: Mon Mar 5 17:31:21 2012 -0500
77078
77079 Update to pax-linux-3.2.9-test20.patch
77080
77081commit 3127bd581a292966b1057c7433219dac188c3720
77082Author: Brad Spengler <spender@grsecurity.net>
77083Date: Fri Mar 2 21:30:37 2012 -0500
77084
77085 Fix memory leak on logged exec_id check failure in /proc/pid/statm
77086 Thanks to Djalal Harouni for the report
77087
77088commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
77089Merge: 0a56be8 9aa8288
77090Author: Brad Spengler <spender@grsecurity.net>
77091Date: Fri Mar 2 18:38:22 2012 -0500
77092
77093 Merge branch 'pax-test' into grsec-test
77094
77095commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
77096Author: Brad Spengler <spender@grsecurity.net>
77097Date: Fri Mar 2 18:37:43 2012 -0500
77098
77099 Update to pax-linux-3.2.9-test19.patch
77100
77101commit 0a56be884bbd7ce733cac0b879c45383494d73b0
77102Merge: 9e66745 3f5c52a
77103Author: Brad Spengler <spender@grsecurity.net>
77104Date: Thu Mar 1 20:18:01 2012 -0500
77105
77106 Merge branch 'pax-test' into grsec-test
77107
77108commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
77109Author: Brad Spengler <spender@grsecurity.net>
77110Date: Thu Mar 1 20:16:56 2012 -0500
77111
77112 Update to pax-linux-3.2.9-test18.patch
77113
77114commit ae53ec231d12719a36bf871f8c5841020ed692ee
77115Merge: b255baf 44fb317
77116Author: Brad Spengler <spender@grsecurity.net>
77117Date: Thu Mar 1 20:15:31 2012 -0500
77118
77119 Merge branch 'linux-3.2.y' into pax-test
77120
77121commit 9e667456c03eadea2f305be761abe4de9a5877a3
77122Merge: 5e4e200 b255baf
77123Author: Brad Spengler <spender@grsecurity.net>
77124Date: Mon Feb 27 20:53:59 2012 -0500
77125
77126 Merge branch 'pax-test' into grsec-test
77127
77128commit b255baf50365d39b406f43aab2c64745607baaa2
77129Merge: 340ce90 1de504e
77130Author: Brad Spengler <spender@grsecurity.net>
77131Date: Mon Feb 27 20:53:29 2012 -0500
77132
77133 Merge branch 'linux-3.2.y' into pax-test
77134 Update to pax-linux-3.2.8-test17.patch
77135
77136 Conflicts:
77137 arch/x86/include/asm/i387.h
77138 arch/x86/kernel/process_32.c
77139 arch/x86/kernel/traps.c
77140
77141commit 5e4e200ac530452884b625cb75de240e1e98c731
77142Merge: 44306d7 340ce90
77143Author: Brad Spengler <spender@grsecurity.net>
77144Date: Mon Feb 27 18:02:13 2012 -0500
77145
77146 Merge branch 'pax-test' into grsec-test
77147
77148commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
77149Author: Brad Spengler <spender@grsecurity.net>
77150Date: Mon Feb 27 18:01:48 2012 -0500
77151
77152 Update to pax-linux-3.2.7-test17.patch
77153
77154commit 44306d7b3097f77e73040dd25f4f6750751bae7a
77155Merge: 29d0b07 521c411
77156Author: Brad Spengler <spender@grsecurity.net>
77157Date: Sun Feb 26 19:04:15 2012 -0500
77158
77159 Merge branch 'pax-test' into grsec-test
77160
77161 Conflicts:
77162 Makefile
77163
77164commit 521c411bb4ca66ce01146fde8bac9dd22414076d
77165Author: Brad Spengler <spender@grsecurity.net>
77166Date: Sun Feb 26 19:03:33 2012 -0500
77167
77168 Update to pax-linux-3.2.7-test16.patch
77169
77170commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
77171Author: Brad Spengler <spender@grsecurity.net>
77172Date: Sun Feb 26 17:12:44 2012 -0500
77173
77174 fix typo
77175
77176commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
77177Merge: f45b3be caa8f83
77178Author: Brad Spengler <spender@grsecurity.net>
77179Date: Sat Feb 25 20:59:27 2012 -0500
77180
77181 Merge branch 'pax-test' into grsec-test
77182
77183commit caa8f83456c4d0b204beefffaa1d1993f2348d08
77184Author: Brad Spengler <spender@grsecurity.net>
77185Date: Sat Feb 25 20:59:12 2012 -0500
77186
77187 Update to pax-linux-3.2.7-test15.patch
77188
77189commit f45b3be34a345502a302e736af9a65742ddef7cb
77190Merge: 62f35fd 9f1309b
77191Author: Brad Spengler <spender@grsecurity.net>
77192Date: Sat Feb 25 11:40:15 2012 -0500
77193
77194 Merge branch 'pax-test' into grsec-test
77195
77196commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
77197Author: Brad Spengler <spender@grsecurity.net>
77198Date: Sat Feb 25 11:39:57 2012 -0500
77199
77200 Update to pax-linux-3.2.7-test14.patch
77201
77202commit 62f35fdbecc58f2988fe13638d907b87a15776bb
77203Author: Brad Spengler <spender@grsecurity.net>
77204Date: Sat Feb 25 09:08:55 2012 -0500
77205
77206 We could log on attempted exploits of writing /proc/self/mem, but the current
77207 log function declares the access a read, so just swap the ordering for now
77208
77209commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
77210Author: Brad Spengler <spender@grsecurity.net>
77211Date: Sat Feb 25 08:46:14 2012 -0500
77212
77213 Log /proc/pid/mem attempts
77214
77215commit 674471e581893a94d475acac3e3c4496209b3ac9
77216Author: Brad Spengler <spender@grsecurity.net>
77217Date: Sat Feb 25 08:15:00 2012 -0500
77218
77219 Make use of f_version for protecting /proc file structs (fine since we're not a directory
77220 or seq_file)
77221
77222commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
77223Author: Brad Spengler <spender@grsecurity.net>
77224Date: Fri Feb 24 20:02:19 2012 -0500
77225
77226 Fix ia64 compilation
77227
77228commit 50dfea412fd395e0183c2ade368efa525d38b267
77229Merge: 12db845 4c6f99b
77230Author: Brad Spengler <spender@grsecurity.net>
77231Date: Fri Feb 24 19:00:53 2012 -0500
77232
77233 Merge branch 'pax-test' into grsec-test
77234
77235commit 4c6f99bf338e03966356b147d0360cb3b522a44f
77236Author: Brad Spengler <spender@grsecurity.net>
77237Date: Fri Feb 24 19:00:36 2012 -0500
77238
77239 (6:57:09 PM) pipacs: but you can be proactive
77240 (Fix other-arch atomic64/REFCOUNT compilation failures)
77241
77242commit 12db8453f6bb0a756f369c9151668ba1249bc478
77243Author: Brad Spengler <spender@grsecurity.net>
77244Date: Thu Feb 23 21:10:12 2012 -0500
77245
77246 Remove unnecessary copies, as suggested by solar
77247
77248commit cc02cab84368467ea03cb35f861a8a7092d91ab4
77249Author: Brad Spengler <spender@grsecurity.net>
77250Date: Thu Feb 23 20:59:35 2012 -0500
77251
77252 Make global_exec_counter static, as suggested by solar
77253
77254commit e642091a475ebb3a30e81f85e7751233d0c2af43
77255Author: Brad Spengler <spender@grsecurity.net>
77256Date: Thu Feb 23 19:00:26 2012 -0500
77257
77258 sync with stable tree
77259
77260commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
77261Author: Brad Spengler <spender@grsecurity.net>
77262Date: Thu Feb 23 18:48:47 2012 -0500
77263
77264 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
77265 Remove handling of old kludge in chmod/fchmod
77266
77267commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
77268Author: Brad Spengler <spender@grsecurity.net>
77269Date: Thu Feb 23 18:18:49 2012 -0500
77270
77271 Apply umask checks to chmod/fchmod as well, as requested by sponsor
77272 Union the enforced umask with the existing one to produce minimal privilege
77273 Change umask type to u16
77274
77275commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
77276Author: Brad Spengler <spender@grsecurity.net>
77277Date: Wed Feb 22 18:16:11 2012 -0500
77278
77279 Add per-role umask enforcement to RBAC, requested by a sponsor
77280
77281commit ad5ac943fe58199f1cc475912a39edb157acb77b
77282Merge: dda0bb5 41722e3
77283Author: Brad Spengler <spender@grsecurity.net>
77284Date: Mon Feb 20 20:04:42 2012 -0500
77285
77286 Merge branch 'pax-test' into grsec-test
77287
77288commit 41722e342e116d95f3d3556d66c97c888d752d39
77289Author: Brad Spengler <spender@grsecurity.net>
77290Date: Mon Feb 20 20:04:00 2012 -0500
77291
77292 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
77293 KERNEXEC plugin
77294
77295commit dda0bb57137846a476a866c60db2681aaf6052c0
77296Merge: 4fd554e d70927a
77297Author: Brad Spengler <spender@grsecurity.net>
77298Date: Mon Feb 20 20:01:41 2012 -0500
77299
77300 Merge branch 'pax-test' into grsec-test
77301
77302commit d70927afec977d489a54c106a3c3ddc32e953050
77303Merge: 1daebf1 9d0231c
77304Author: Brad Spengler <spender@grsecurity.net>
77305Date: Mon Feb 20 20:01:33 2012 -0500
77306
77307 Merge branch 'linux-3.2.y' into pax-test
77308
77309commit 4fd554e3a097b22c5049fcdc423897477deff5ef
77310Author: Brad Spengler <spender@grsecurity.net>
77311Date: Mon Feb 20 09:17:57 2012 -0500
77312
77313 Fix wrong logic on capability checks for switching roles, broke policies
77314 Thanks to Richard Kojedzinszky for reporting
77315
77316commit 12f97d52ac603f24344f8d71569c412a307e9422
77317Author: Brad Spengler <spender@grsecurity.net>
77318Date: Thu Feb 16 21:20:10 2012 -0500
77319
77320 sparc64 compile fix
77321
77322commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
77323Author: Brad Spengler <spender@grsecurity.net>
77324Date: Thu Feb 16 18:38:32 2012 -0500
77325
77326 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
77327
77328commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
77329Author: Brad Spengler <spender@grsecurity.net>
77330Date: Thu Feb 16 18:18:01 2012 -0500
77331
77332 optimize the check a bit
77333
77334commit 03159050f64989be44ae03be769cbed62a7cd2e5
77335Author: Brad Spengler <spender@grsecurity.net>
77336Date: Thu Feb 16 18:00:45 2012 -0500
77337
77338 smile VUPEN :D
77339 (limit argv+env to 1MB for suid/sgid binaries)
77340
77341commit dd759d8800d225a397e4de49fe729c7d601298d2
77342Author: Brad Spengler <spender@grsecurity.net>
77343Date: Thu Feb 16 17:49:33 2012 -0500
77344
77345 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
77346
77347commit 4de635bda8ebfb85312e3bf851bdbff93de400da
77348Author: Brad Spengler <spender@grsecurity.net>
77349Date: Thu Feb 16 17:45:06 2012 -0500
77350
77351 Change the long long type for exec_id to the proper u64
77352
77353commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
77354Author: Dan Carpenter <dan.carpenter@oracle.com>
77355Date: Thu Feb 9 00:46:47 2012 +0000
77356
77357 isdn: type bug in isdn_net_header()
77358
77359 We use len to store the return value from eth_header(). eth_header()
77360 can return -ETH_HLEN (-14). We want to pass this back instead of
77361 truncating it to 65522 and returning that.
77362
77363 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
77364 Acked-by: Neil Horman <nhorman@tuxdriver.com>
77365 Signed-off-by: David S. Miller <davem@davemloft.net>
77366
77367commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
77368Author: Heiko Carstens <heiko.carstens@de.ibm.com>
77369Date: Sat Feb 4 10:47:10 2012 +0100
77370
77371 exec: fix use-after-free bug in setup_new_exec()
77372
77373 Setting the task name is done within setup_new_exec() by accessing
77374 bprm->filename. However this happens after flush_old_exec().
77375 This may result in a use after free bug, flush_old_exec() may
77376 "complete" vfork_done, which will wake up the parent which in turn
77377 may free the passed in filename.
77378 To fix this add a new tcomm field in struct linux_binprm which
77379 contains the now early generated task name until it is used.
77380
77381 Fixes this bug on s390:
77382
77383 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
77384 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
77385 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
77386 Call Trace:
77387 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
77388 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
77389 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
77390 [<0000000000282b6c>] do_execve_common+0x410/0x514
77391 [<0000000000282cb6>] do_execve+0x46/0x58
77392 [<00000000005bce58>] kernel_execve+0x28/0x70
77393 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
77394 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
77395 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
77396 Last Breaking-Event-Address:
77397 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
77398
77399 Kernel panic - not syncing: Fatal exception: panic_on_oops
77400
77401 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
77402 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
77403 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
77404
77405commit d758ee9f5230893dabb5aab737b3109684bde196
77406Author: Dan Carpenter <dan.carpenter@oracle.com>
77407Date: Fri Feb 10 09:03:58 2012 +0100
77408
77409 relay: prevent integer overflow in relay_open()
77410
77411 "subbuf_size" and "n_subbufs" come from the user and they need to be
77412 capped to prevent an integer overflow.
77413
77414 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
77415 Cc: stable@kernel.org
77416 Signed-off-by: Jens Axboe <axboe@kernel.dk>
77417
77418commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
77419Merge: b1baadf 1daebf1
77420Author: Brad Spengler <spender@grsecurity.net>
77421Date: Mon Feb 13 17:47:04 2012 -0500
77422
77423 Merge branch 'pax-test' into grsec-test
77424
77425 Conflicts:
77426 fs/proc/base.c
77427
77428commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
77429Merge: 1413df2 c2db2e2
77430Author: Brad Spengler <spender@grsecurity.net>
77431Date: Mon Feb 13 17:45:54 2012 -0500
77432
77433 Merge branch 'linux-3.2.y' into pax-test
77434
77435commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
77436Author: Brad Spengler <spender@grsecurity.net>
77437Date: Sun Feb 12 16:44:05 2012 -0500
77438
77439 add missing declaration
77440
77441commit 3981059c35e8463002517935c28f3d74b8e3703c
77442Author: Brad Spengler <spender@grsecurity.net>
77443Date: Sun Feb 12 16:36:04 2012 -0500
77444
77445 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
77446 in addition to existing checks (this handles the setresuid ruid = euid case)
77447
77448commit 0beab03263c773f463412c350ad9064b44b6ede0
77449Author: Brad Spengler <spender@grsecurity.net>
77450Date: Sun Feb 12 16:13:40 2012 -0500
77451
77452 Revert setreuid changes when RBAC is enabled, breaks freeradius
77453 I'll fix the learning issue Lavish reported a different way through
77454 gradm modifications
77455
77456 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
77457
77458commit 0c61cb1cfbbfec7d07647268c922d51434d22621
77459Author: Brad Spengler <spender@grsecurity.net>
77460Date: Sat Feb 11 14:22:46 2012 -0500
77461
77462 copy exec_id on fork
77463
77464commit 000c08e0890630086b2ed04084050ed856a7ec31
77465Author: Brad Spengler <spender@grsecurity.net>
77466Date: Fri Feb 10 20:00:36 2012 -0500
77467
77468 compile fix
77469
77470commit 54b8c8f54484e5ee18040657827158bc4b63bccc
77471Author: Brad Spengler <spender@grsecurity.net>
77472Date: Fri Feb 10 19:19:52 2012 -0500
77473
77474 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
77475 denies reading of sensitive /proc/pid entries where the file descriptor
77476 was opened in a different task than the one performing the read
77477
77478commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
77479Author: Brad Spengler <spender@grsecurity.net>
77480Date: Fri Feb 10 17:43:24 2012 -0500
77481
77482 Remove duplicate signal check
77483
77484commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
77485Merge: 4eba97e 1413df2
77486Author: Brad Spengler <spender@grsecurity.net>
77487Date: Wed Feb 8 19:24:34 2012 -0500
77488
77489 Merge branch 'pax-test' into grsec-test
77490
77491commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
77492Author: Brad Spengler <spender@grsecurity.net>
77493Date: Wed Feb 8 19:24:08 2012 -0500
77494
77495 Merge changes from pax-linux-3.2.4-test11.patch
77496
77497commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
77498Merge: 0e058dd 8dd90a2
77499Author: Brad Spengler <spender@grsecurity.net>
77500Date: Mon Feb 6 17:50:12 2012 -0500
77501
77502 Merge branch 'pax-test' into grsec-test
77503
77504commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
77505Author: Brad Spengler <spender@grsecurity.net>
77506Date: Mon Feb 6 17:49:07 2012 -0500
77507
77508 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
77509
77510commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
77511Merge: 7e4169c 6133971
77512Author: Brad Spengler <spender@grsecurity.net>
77513Date: Mon Feb 6 17:48:57 2012 -0500
77514
77515 Merge branch 'linux-3.2.y' into pax-test
77516
77517commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
77518Author: Brad Spengler <spender@grsecurity.net>
77519Date: Sun Feb 5 19:24:45 2012 -0500
77520
77521 We now allow configurations with no PaX markings, giving the system no way to override the defaults
77522
77523commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
77524Author: Brad Spengler <spender@grsecurity.net>
77525Date: Sun Feb 5 10:01:23 2012 -0500
77526
77527 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
77528
77529commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
77530Author: Brad Spengler <spender@grsecurity.net>
77531Date: Sat Feb 4 21:01:16 2012 -0500
77532
77533 Improve security of ptrace-based monitoring/sandboxing
77534 See:
77535 http://article.gmane.org/gmane.linux.kernel.lsm/15156
77536
77537commit ca4ca5a1027b41f9528794e52a53ce9c47926101
77538Author: Brad Spengler <spender@grsecurity.net>
77539Date: Fri Feb 3 20:42:55 2012 -0500
77540
77541 fix typo
77542
77543commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
77544Author: Brad Spengler <spender@grsecurity.net>
77545Date: Fri Feb 3 20:25:38 2012 -0500
77546
77547 Reported by lavish on IRC:
77548 If a suid/sgid binary did not learn any setuid/setgid call during learning,
77549 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
77550 any restrictions on uid/gid changes. uid and gid can however be changed
77551 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
77552 euid/egid.
77553
77554 My fix:
77555 POSIX doesn't specify whether unprivileged users can perform the above
77556 setresuid/setresgid as an unprivileged user, though Linux has historically
77557 permitted them. Modify this behavior when RBAC is enabled to require
77558 CAP_SETUID/CAP_SETGID for these operations.
77559
77560 Thanks to Lavish for the report!
77561
77562 Conflicts:
77563
77564 kernel/sys.c
77565
77566commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
77567Merge: ba586eb 7e4169c
77568Author: Brad Spengler <spender@grsecurity.net>
77569Date: Fri Feb 3 20:10:21 2012 -0500
77570
77571 Merge branch 'pax-test' into grsec-test
77572
77573commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
77574Author: Brad Spengler <spender@grsecurity.net>
77575Date: Fri Feb 3 20:10:05 2012 -0500
77576
77577 Merge changes from pax-linux-3.2.4-test9.patch
77578
77579commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
77580Author: Christopher Yeoh <cyeoh@au1.ibm.com>
77581Date: Thu Feb 2 11:34:09 2012 +1030
77582
77583 Fix race in process_vm_rw_core
77584
77585 This fixes the race in process_vm_core found by Oleg (see
77586
77587 http://article.gmane.org/gmane.linux.kernel/1235667/
77588
77589 for details).
77590
77591 This has been updated since I last sent it as the creation of the new
77592 mm_access() function did almost exactly the same thing as parts of the
77593 previous version of this patch did.
77594
77595 In order to use mm_access() even when /proc isn't enabled, we move it to
77596 kernel/fork.c where other related process mm access functions already
77597 are.
77598
77599 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
77600 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
77601
77602 Conflicts:
77603
77604 fs/proc/base.c
77605 mm/process_vm_access.c
77606
77607commit b9194d60fb9fe579f5c34817ed822abde18939a0
77608Author: Oleg Nesterov <oleg@redhat.com>
77609Date: Tue Jan 31 17:15:11 2012 +0100
77610
77611 proc: make sure mem_open() doesn't pin the target's memory
77612
77613 Once /proc/pid/mem is opened, the memory can't be released until
77614 mem_release() even if its owner exits.
77615
77616 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
77617 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
77618 before access_remote_vm(), this verifies that this mm is still alive.
77619
77620 I am not sure what should mem_rw() return if atomic_inc_not_zero()
77621 fails. With this patch it returns zero to match the "mm == NULL" case,
77622 may be it should return -EINVAL like it did before e268337d.
77623
77624 Perhaps it makes sense to add the additional fatal_signal_pending()
77625 check into the main loop, to ensure we do not hold this memory if
77626 the target task was oom-killed.
77627
77628 Cc: stable@kernel.org
77629 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
77630 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
77631
77632commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
77633Author: Oleg Nesterov <oleg@redhat.com>
77634Date: Tue Jan 31 17:14:38 2012 +0100
77635
77636 proc: mem_release() should check mm != NULL
77637
77638 mem_release() can hit mm == NULL, add the necessary check.
77639
77640 Cc: stable@kernel.org
77641 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
77642 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
77643
77644commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
77645Author: Oleg Nesterov <oleg@redhat.com>
77646Date: Tue Jan 31 17:14:54 2012 +0100
77647
77648 note: redisabled mem_write
77649
77650 proc: unify mem_read() and mem_write()
77651
77652 No functional changes, cleanup and preparation.
77653
77654 mem_read() and mem_write() are very similar. Move this code into the
77655 new common helper, mem_rw(), which takes the additional "int write"
77656 argument.
77657
77658 Cc: stable@kernel.org
77659 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
77660 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
77661
77662 Conflicts:
77663
77664 fs/proc/base.c
77665
77666commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
77667Merge: 3903f01 01fee18
77668Author: Brad Spengler <spender@grsecurity.net>
77669Date: Fri Feb 3 19:50:40 2012 -0500
77670
77671 Merge branch 'pax-test' into grsec-test
77672
77673commit 01fee1851aef26b898ccba5312cabf1f919b74cb
77674Author: Brad Spengler <spender@grsecurity.net>
77675Date: Fri Feb 3 19:49:46 2012 -0500
77676
77677 Merge changes from pax-linux-3.2.4-test8.patch
77678
77679commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
77680Merge: 201c0db 141936c
77681Author: Brad Spengler <spender@grsecurity.net>
77682Date: Fri Feb 3 19:49:01 2012 -0500
77683
77684 Merge branch 'linux-3.2.y' into pax-test
77685
77686commit 3903f0172ecadf7a575ba3535402a1506133640a
77687Author: Brad Spengler <spender@grsecurity.net>
77688Date: Mon Jan 30 23:26:44 2012 -0500
77689
77690 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
77691
77692 We'll whitelist required directories for compatibility instead of requiring
77693 that people disable the feature entirely if they use SELinux, fuse, etc
77694
77695 Conflicts:
77696
77697 fs/sysfs/mount.c
77698
77699commit e3618feaa7e63807f1b88c199882075b3ec9bd05
77700Author: Brad Spengler <spender@grsecurity.net>
77701Date: Sun Jan 29 01:12:19 2012 -0500
77702
77703 perform RBAC check if TPE is on but match fails, matches previous behavior
77704
77705commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
77706Author: Brad Spengler <spender@grsecurity.net>
77707Date: Sat Jan 28 13:17:06 2012 -0500
77708
77709 log more information about the reason for a TPE denial for novice users, requested by a sponsor
77710
77711commit efefd67008cbad8a8591e2484410966a300a39a5
77712Author: Brad Spengler <spender@grsecurity.net>
77713Date: Fri Jan 27 19:58:53 2012 -0500
77714
77715 merge upstream sha512 changes
77716
77717commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
77718Author: Brad Spengler <spender@grsecurity.net>
77719Date: Fri Jan 27 19:49:07 2012 -0500
77720
77721 drop lock on error in xfs_readlink
77722
77723 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
77724
77725commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
77726Author: Li Wang <liwang@nudt.edu.cn>
77727Date: Thu Jan 19 09:44:36 2012 +0800
77728
77729 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
77730
77731 ecryptfs_write() can enter an infinite loop when truncating a file to a
77732 size larger than 4G. This only happens on architectures where size_t is
77733 represented by 32 bits.
77734
77735 This was caused by a size_t overflow due to it incorrectly being used to
77736 store the result of a calculation which uses potentially large values of
77737 type loff_t.
77738
77739 [tyhicks@canonical.com: rewrite subject and commit message]
77740 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
77741 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
77742 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
77743 Cc: <stable@vger.kernel.org>
77744 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
77745
77746commit a7607747d0f74f357d78bb796d70635dd05f46e8
77747Author: Tyler Hicks <tyhicks@canonical.com>
77748Date: Thu Jan 19 20:33:44 2012 -0600
77749
77750 eCryptfs: Check inode changes in setattr
77751
77752 Most filesystems call inode_change_ok() very early in ->setattr(), but
77753 eCryptfs didn't call it at all. It allowed the lower filesystem to make
77754 the call in its ->setattr() function. Then, eCryptfs would copy the
77755 appropriate inode attributes from the lower inode to the eCryptfs inode.
77756
77757 This patch changes that and actually calls inode_change_ok() on the
77758 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
77759 would happen earlier in ecryptfs_setattr(), but there are some possible
77760 inode initialization steps that must happen first.
77761
77762 Since the call was already being made on the lower inode, the change in
77763 functionality should be minimal, except for the case of a file extending
77764 truncate call. In that case, inode_newsize_ok() was never being
77765 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
77766 maximum file size errors early on, eCryptfs would encrypt zeroed pages
77767 and write them to the lower filesystem until the lower filesystem's
77768 write path caught the error in generic_write_checks(). This patch
77769 introduces a new function, called ecryptfs_inode_newsize_ok(), which
77770 checks if the new lower file size is within the appropriate limits when
77771 the truncate operation will be growing the lower file.
77772
77773 In summary this change prevents eCryptfs truncate operations (and the
77774 resulting page encryptions), which would exceed the lower filesystem
77775 limits or FSIZE rlimits, from ever starting.
77776
77777 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
77778 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
77779 Cc: <stable@vger.kernel.org>
77780
77781commit 0d96f190a39505254ace4e9330219aaeda9b64e3
77782Author: Tyler Hicks <tyhicks@canonical.com>
77783Date: Wed Jan 18 18:30:04 2012 -0600
77784
77785 eCryptfs: Make truncate path killable
77786
77787 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
77788 page, zeroes out the appropriate portions, and then encrypts the page
77789 before writing it to the lower filesystem. It was unkillable and due to
77790 the lack of sparse file support could result in tying up a large portion
77791 of system resources, while encrypting pages of zeros, with no way for
77792 the truncate operation to be stopped from userspace.
77793
77794 This patch adds the ability for ecryptfs_write() to detect a pending
77795 fatal signal and return as gracefully as possible. The intent is to
77796 leave the lower file in a useable state, while still allowing a user to
77797 break out of the encryption loop. If a pending fatal signal is detected,
77798 the eCryptfs inode size is updated to reflect the modified inode size
77799 and then -EINTR is returned.
77800
77801 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
77802 Cc: <stable@vger.kernel.org>
77803
77804commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
77805Author: Tyler Hicks <tyhicks@canonical.com>
77806Date: Tue Jan 24 10:02:22 2012 -0600
77807
77808 eCryptfs: Fix oops when printing debug info in extent crypto functions
77809
77810 If pages passed to the eCryptfs extent-based crypto functions are not
77811 mapped and the module parameter ecryptfs_verbosity=1 was specified at
77812 loading time, a NULL pointer dereference will occur.
77813
77814 Note that this wouldn't happen on a production system, as you wouldn't
77815 pass ecryptfs_verbosity=1 on a production system. It leaks private
77816 information to the system logs and is for debugging only.
77817
77818 The debugging info printed in these messages is no longer very useful
77819 and rather than doing a kmap() in these debugging paths, it will be
77820 better to simply remove the debugging paths completely.
77821
77822 https://launchpad.net/bugs/913651
77823
77824 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
77825 Reported-by: Daniel DeFreez
77826 Cc: <stable@vger.kernel.org>
77827
77828commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
77829Author: Tyler Hicks <tyhicks@canonical.com>
77830Date: Thu Jan 12 11:30:44 2012 +0100
77831
77832 eCryptfs: Sanitize write counts of /dev/ecryptfs
77833
77834 A malicious count value specified when writing to /dev/ecryptfs may
77835 result in a a very large kernel memory allocation.
77836
77837 This patch peeks at the specified packet payload size, adds that to the
77838 size of the packet headers and compares the result with the write count
77839 value. The resulting maximum memory allocation size is approximately 532
77840 bytes.
77841
77842 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
77843 Reported-by: Sasha Levin <levinsasha928@gmail.com>
77844 Cc: <stable@vger.kernel.org>
77845
77846commit 96dcb7282d323813181a1791f51c0ab7696b675b
77847Merge: 6c09fa5 201c0db
77848Author: Brad Spengler <spender@grsecurity.net>
77849Date: Fri Jan 27 19:44:15 2012 -0500
77850
77851 Merge branch 'pax-test' into grsec-test
77852
77853commit 201c0dbf177527367676028151e36d340923f033
77854Author: Brad Spengler <spender@grsecurity.net>
77855Date: Fri Jan 27 19:43:24 2012 -0500
77856
77857 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
77858 on loading modules with empty sections
77859
77860commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
77861Author: Brad Spengler <spender@grsecurity.net>
77862Date: Fri Jan 27 19:42:13 2012 -0500
77863
77864 compile fix
77865
77866commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
77867Author: Brad Spengler <spender@grsecurity.net>
77868Date: Fri Jan 27 19:39:28 2012 -0500
77869
77870 use LSM flags instead of duplicating checks
77871
77872commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
77873Merge: 44b9f11 558718b
77874Author: Brad Spengler <spender@grsecurity.net>
77875Date: Fri Jan 27 18:56:23 2012 -0500
77876
77877 Merge branch 'pax-test' into grsec-test
77878
77879commit 558718b2217beff69edf60f34a6f9893d910e9ac
77880Author: Brad Spengler <spender@grsecurity.net>
77881Date: Fri Jan 27 18:56:04 2012 -0500
77882
77883 Merge changes from pax-linux-3.2.2-test6.patch
77884
77885commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
77886Author: Brad Spengler <spender@grsecurity.net>
77887Date: Fri Jan 27 18:53:55 2012 -0500
77888
77889 don't increase the size of task_struct when unnecessary
77890 change ptrace_readexec log message
77891
77892commit a9c9626e054adb885883aa64f85506852894dd33
77893Author: Brad Spengler <spender@grsecurity.net>
77894Date: Fri Jan 27 18:16:28 2012 -0500
77895
77896 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
77897 the protection applies to all unreadable binaries.
77898
77899commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
77900Merge: 7b3f3af 05a1349
77901Author: Brad Spengler <spender@grsecurity.net>
77902Date: Wed Jan 25 20:52:09 2012 -0500
77903
77904 Merge branch 'pax-test' into grsec-test
77905
77906 Conflicts:
77907 block/scsi_ioctl.c
77908 drivers/scsi/sd.c
77909 fs/proc/base.c
77910
77911commit 05a134966efb9cb9346ad3422888969ffc79ac1d
77912Author: Brad Spengler <spender@grsecurity.net>
77913Date: Wed Jan 25 20:47:36 2012 -0500
77914
77915 Resync with pax-linux-3.2.2-test5.patch
77916
77917commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
77918Merge: c6d443d 3499d64
77919Author: Brad Spengler <spender@grsecurity.net>
77920Date: Wed Jan 25 20:45:16 2012 -0500
77921
77922 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
77923
77924 Conflicts:
77925 ipc/shm.c
77926
77927commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
77928Author: Brad Spengler <spender@grsecurity.net>
77929Date: Tue Jan 24 19:42:01 2012 -0500
77930
77931 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
77932 (may be changed if it breaks some userland), the other has its own
77933 config option
77934
77935 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
77936 the syscall or /proc/sys.
77937
77938 Second feature requires read access to a suid/sgid binary in order
77939 to ptrace it, preventing infoleaking of binaries in situations where
77940 the admin has specified 4711 or 2711 perms. Feature has been
77941 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
77942 a sysctl entry of ptrace_readexec
77943
77944commit 11a7bb25c411c9dccfdca5718639b4becdffd388
77945Author: Brad Spengler <spender@grsecurity.net>
77946Date: Sun Jan 22 14:37:10 2012 -0500
77947
77948 Compilation fixes
77949
77950commit cd400e21c7c352baba47d6f375297a7847afb33a
77951Author: Brad Spengler <spender@grsecurity.net>
77952Date: Sun Jan 22 14:20:27 2012 -0500
77953
77954 Initial port of grsecurity 2.2.2 for Linux 3.2.1
77955 Note that the new syscalls added to this kernel for remote process read/write
77956 are subject to ptrace hardening/other relevant RBAC features
77957 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
77958 as well
77959 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
77960 you should be using a version of gcc with plugin support
77961
77962commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
77963Author: Brad Spengler <spender@grsecurity.net>
77964Date: Sun Jan 22 11:47:31 2012 -0500
77965
77966 Import pax-linux-3.2.1-test5.patch
77967commit bfd7db842f835f9837cd43644459b3a95b0b488d
77968Author: Brad Spengler <spender@grsecurity.net>
77969Date: Sun Jan 22 11:02:02 2012 -0500
77970
77971 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
77972 instead of returning -EACCES
77973 thanks to Wraith from irc for the report
77974
77975commit 873ac13576506cd48ddb527c2540f274e249da50
77976Merge: 34083dd 8a44fcc
77977Author: Brad Spengler <spender@grsecurity.net>
77978Date: Fri Jan 20 18:04:02 2012 -0500
77979
77980 Merge branch 'pax-test' into grsec-test
77981
77982commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
77983Author: Brad Spengler <spender@grsecurity.net>
77984Date: Fri Jan 20 18:02:15 2012 -0500
77985
77986 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
77987 Denies executable shared memory when MPROTECT is active
77988 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
77989
77990commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
77991Author: Brad Spengler <spender@grsecurity.net>
77992Date: Thu Jan 19 20:23:14 2012 -0500
77993
77994 Introduce new GRKERNSEC_SETXID implementation
77995 We're not able to change the credentials of other threads in the process until at most
77996 one syscall after the first thread does it, since we mark the threads as needing rescheduling
77997 and such work occurs on syscall exit.
77998 This does however ensure that we're only modifying the current task's credentials
77999 which upholds RCU expectations
78000
78001 Many thanks to corsac for testing
78002
78003commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
78004Author: Brad Spengler <spender@grsecurity.net>
78005Date: Thu Jan 19 17:42:48 2012 -0500
78006
78007 Simplify backport
78008
78009commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
78010Author: Brad Spengler <spender@grsecurity.net>
78011Date: Thu Jan 19 17:08:16 2012 -0500
78012
78013 Commit the latest silent fix for a local privilege escalation from Linus
78014 Also disable writing to /proc/pid/mem
78015 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
78016
78017commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
78018Merge: 0394a3f 7e6299b
78019Author: Brad Spengler <spender@grsecurity.net>
78020Date: Wed Jan 18 20:22:09 2012 -0500
78021
78022 Merge branch 'pax-test' into grsec-test
78023
78024commit 7e6299b4733c082dde930375dd207b63237751ec
78025Merge: 83555fb 9bb1282
78026Author: Brad Spengler <spender@grsecurity.net>
78027Date: Wed Jan 18 20:21:37 2012 -0500
78028
78029 Merge branch 'linux-3.1.y' into pax-test
78030
78031commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
78032Author: Jesper Juhl <jj@chaosbits.net>
78033Date: Sun Jan 8 22:44:29 2012 +0100
78034
78035 audit: always follow va_copy() with va_end()
78036
78037 A call to va_copy() should always be followed by a call to va_end() in
78038 the same function. In kernel/autit.c::audit_log_vformat() this is not
78039 always done. This patch makes sure va_end() is always called.
78040
78041 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
78042 Cc: Al Viro <viro@zeniv.linux.org.uk>
78043 Cc: Eric Paris <eparis@redhat.com>
78044 Cc: Andrew Morton <akpm@linux-foundation.org>
78045 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78046
78047commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
78048Author: Andi Kleen <ak@linux.intel.com>
78049Date: Thu Jan 12 17:20:30 2012 -0800
78050
78051 panic: don't print redundant backtraces on oops
78052
78053 When an oops causes a panic and panic prints another backtrace it's pretty
78054 common to have the original oops data be scrolled away on a 80x50 screen.
78055
78056 The second backtrace is quite redundant and not needed anyways.
78057
78058 So don't print the panic backtrace when oops_in_progress is true.
78059
78060 [akpm@linux-foundation.org: add comment]
78061 Signed-off-by: Andi Kleen <ak@linux.intel.com>
78062 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
78063 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
78064 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78065
78066commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
78067Author: Miklos Szeredi <mszeredi@suse.cz>
78068Date: Thu Jan 12 17:59:46 2012 +0100
78069
78070 fsnotify: don't BUG in fsnotify_destroy_mark()
78071
78072 Removing the parent of a watched file results in "kernel BUG at
78073 fs/notify/mark.c:139".
78074
78075 To reproduce
78076
78077 add "-w /tmp/audit/dir/watched_file" to audit.rules
78078 rm -rf /tmp/audit/dir
78079
78080 This is caused by fsnotify_destroy_mark() being called without an
78081 extra reference taken by the caller.
78082
78083 Reported by Francesco Cosoleto here:
78084
78085 https://bugzilla.novell.com/show_bug.cgi?id=689860
78086
78087 Fix by removing the BUG_ON and adding a comment about not accessing mark after
78088 the iput.
78089
78090 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
78091 CC: stable@vger.kernel.org
78092 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78093
78094commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
78095Author: Paolo Bonzini <pbonzini@redhat.com>
78096Date: Thu Jan 12 16:01:28 2012 +0100
78097
78098 block: fail SCSI passthrough ioctls on partition devices
78099
78100 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
78101 will pass the command to the underlying block device. This is
78102 well-known, but it is also a large security problem when (via Unix
78103 permissions, ACLs, SELinux or a combination thereof) a program or user
78104 needs to be granted access only to part of the disk.
78105
78106 This patch lets partitions forward a small set of harmless ioctls;
78107 others are logged with printk so that we can see which ioctls are
78108 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
78109 Of course it was being sent to a (partition on a) hard disk, so it would
78110 have failed with ENOTTY and the patch isn't changing anything in
78111 practice. Still, I'm treating it specially to avoid spamming the logs.
78112
78113 In principle, this restriction should include programs running with
78114 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
78115 /dev/sdb, it still should not be able to read/write outside the
78116 boundaries of /dev/sda2 independent of the capabilities. However, for
78117 now programs with CAP_SYS_RAWIO will still be allowed to send the
78118 ioctls. Their actions will still be logged.
78119
78120 This patch does not affect the non-libata IDE driver. That driver
78121 however already tests for bd != bd->bd_contains before issuing some
78122 ioctl; it could be restricted further to forbid these ioctls even for
78123 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
78124
78125 Cc: linux-scsi@vger.kernel.org
78126 Cc: Jens Axboe <axboe@kernel.dk>
78127 Cc: James Bottomley <JBottomley@parallels.com>
78128 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
78129 [ Make it also print the command name when warning - Linus ]
78130 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78131
78132commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
78133Author: Paolo Bonzini <pbonzini@redhat.com>
78134Date: Thu Jan 12 16:01:27 2012 +0100
78135
78136 block: add and use scsi_blk_cmd_ioctl
78137
78138 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
78139
78140 The function will then be enhanced to detect partition block devices
78141 and, in that case, subject the ioctls to whitelisting.
78142
78143 Cc: linux-scsi@vger.kernel.org
78144 Cc: Jens Axboe <axboe@kernel.dk>
78145 Cc: James Bottomley <JBottomley@parallels.com>
78146 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
78147 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78148
78149commit 97a79814903fc350e1d13704ea31528a42705401
78150Author: Kees Cook <keescook@chromium.org>
78151Date: Sat Jan 7 10:41:04 2012 -0800
78152
78153 audit: treat s_id as an untrusted string
78154
78155 The use of s_id should go through the untrusted string path, just to be
78156 extra careful.
78157
78158 Signed-off-by: Kees Cook <keescook@chromium.org>
78159 Acked-by: Mimi Zohar <zohar@us.ibm.com>
78160 Signed-off-by: Eric Paris <eparis@redhat.com>
78161
78162commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
78163Author: Xi Wang <xi.wang@gmail.com>
78164Date: Tue Dec 20 18:39:41 2011 -0500
78165
78166 audit: fix signedness bug in audit_log_execve_info()
78167
78168 In the loop, a size_t "len" is used to hold the return value of
78169 audit_log_single_execve_arg(), which returns -1 on error. In that
78170 case the error handling (len <= 0) will be bypassed since "len" is
78171 unsigned, and the loop continues with (p += len) being wrapped.
78172 Change the type of "len" to signed int to fix the error handling.
78173
78174 size_t len;
78175 ...
78176 for (...) {
78177 len = audit_log_single_execve_arg(...);
78178 if (len <= 0)
78179 break;
78180 p += len;
78181 }
78182
78183 Signed-off-by: Xi Wang <xi.wang@gmail.com>
78184 Signed-off-by: Eric Paris <eparis@redhat.com>
78185
78186commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
78187Author: Dan Carpenter <dan.carpenter@oracle.com>
78188Date: Tue Jan 17 03:28:51 2012 -0300
78189
78190 [media] ds3000: using logical && instead of bitwise &
78191
78192 The intent here was to test if the FE_HAS_LOCK was set. The current
78193 test is equivalent to "if (status) { ..."
78194
78195 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
78196 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
78197
78198commit 36522330dc59d2fc70c042f3f081d75c32b6259a
78199Author: Brad Spengler <spender@grsecurity.net>
78200Date: Mon Jan 16 13:10:38 2012 -0500
78201
78202 Ignore the 0 signal for protected task RBAC checks
78203
78204commit d513acd55f7a683f6e146a4f570cdb63300479ab
78205Author: Brad Spengler <spender@grsecurity.net>
78206Date: Mon Jan 16 11:56:13 2012 -0500
78207
78208 whitespace cleanup
78209
78210commit ced261c4b82818c700aff8487f647f6f3e5b5122
78211Merge: d48751f 83555fb
78212Author: Brad Spengler <spender@grsecurity.net>
78213Date: Fri Jan 13 20:12:54 2012 -0500
78214
78215 Merge branch 'pax-test' into grsec-test
78216
78217commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
78218Merge: fcd8129 93dad39
78219Author: Brad Spengler <spender@grsecurity.net>
78220Date: Fri Jan 13 20:12:43 2012 -0500
78221
78222 Merge branch 'linux-3.1.y' into pax-test
78223
78224commit d48751f3919ae855fda0ff6c149db82442329253
78225Author: Brad Spengler <spender@grsecurity.net>
78226Date: Wed Jan 11 19:05:47 2012 -0500
78227
78228 Call our own set_user when forcing change to new id
78229
78230commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
78231Merge: e6578ff fcd8129
78232Author: Brad Spengler <spender@grsecurity.net>
78233Date: Tue Jan 10 16:00:10 2012 -0500
78234
78235 Merge branch 'pax-test' into grsec-test
78236
78237commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
78238Author: Brad Spengler <spender@grsecurity.net>
78239Date: Tue Jan 10 15:58:43 2012 -0500
78240
78241 Merge changes from pax-linux-3.1.8-test23.patch
78242
78243commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
78244Merge: 8859ec3 a120549
78245Author: Brad Spengler <spender@grsecurity.net>
78246Date: Fri Jan 6 21:45:56 2012 -0500
78247
78248 Merge branch 'pax-test' into grsec-test
78249
78250commit a12054967a77090de1caa07c41e694a77db4e237
78251Author: Brad Spengler <spender@grsecurity.net>
78252Date: Fri Jan 6 21:45:30 2012 -0500
78253
78254 Merge changes from pax-linux-3.1.8-test22.patch
78255
78256commit 8859ec32f9815c274df65448f9f2960176c380d3
78257Merge: a5016b4 ddd4114
78258Author: Brad Spengler <spender@grsecurity.net>
78259Date: Fri Jan 6 21:26:08 2012 -0500
78260
78261 Merge branch 'pax-test' into grsec-test
78262
78263 Conflicts:
78264 fs/binfmt_elf.c
78265 security/Kconfig
78266
78267commit ddd41147e158a79704983a409b7433eba797cf66
78268Author: Brad Spengler <spender@grsecurity.net>
78269Date: Fri Jan 6 21:12:42 2012 -0500
78270
78271 Resync with PaX patch (whitespace difference)
78272
78273commit 29e569df8205c5f0e043fe4803aa984406c8b118
78274Author: Brad Spengler <spender@grsecurity.net>
78275Date: Fri Jan 6 21:09:47 2012 -0500
78276
78277 Merge changes from pax-linux-3.1.8-test21.patch
78278
78279commit a5016b4f9c09c337b17e063a7f369af1e86d944d
78280Merge: 0124c92 04231d5
78281Author: Brad Spengler <spender@grsecurity.net>
78282Date: Fri Jan 6 18:52:20 2012 -0500
78283
78284 Merge branch 'pax-test' into grsec-test
78285
78286commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
78287Merge: 7bdddeb a919904
78288Author: Brad Spengler <spender@grsecurity.net>
78289Date: Fri Jan 6 18:51:50 2012 -0500
78290
78291 Merge branch 'linux-3.1.y' into pax-test
78292
78293 Conflicts:
78294 include/net/flow.h
78295
78296commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
78297Author: Brad Spengler <spender@grsecurity.net>
78298Date: Fri Jan 6 18:33:05 2012 -0500
78299
78300 Make GRKERNSEC_SETXID option compatible with credential debugging
78301
78302commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
78303Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
78304Date: Wed Dec 28 15:57:11 2011 -0800
78305
78306 mm/mempolicy.c: refix mbind_range() vma issue
78307
78308 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
78309 slightly incorrect fix.
78310
78311 Why? Think following case.
78312
78313 1. map 4 pages of a file at offset 0
78314
78315 [0123]
78316
78317 2. map 2 pages just after the first mapping of the same file but with
78318 page offset 2
78319
78320 [0123][23]
78321
78322 3. mbind() 2 pages from the first mapping at offset 2.
78323 mbind_range() should treat new vma is,
78324
78325 [0123][23]
78326 |23|
78327 mbind vma
78328
78329 but it does
78330
78331 [0123][23]
78332 |01|
78333 mbind vma
78334
78335 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
78336
78337 This patch fixes it.
78338
78339 [testcase]
78340 test result - before the patch
78341
78342 case4: 126: test failed. expect '2,4', actual '2,2,2'
78343 case5: passed
78344 case6: passed
78345 case7: passed
78346 case8: passed
78347 case_n: 246: test failed. expect '4,2', actual '1,4'
78348
78349 ------------[ cut here ]------------
78350 kernel BUG at mm/filemap.c:135!
78351 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
78352
78353 (snip long bug on messages)
78354
78355 test result - after the patch
78356
78357 case4: passed
78358 case5: passed
78359 case6: passed
78360 case7: passed
78361 case8: passed
78362 case_n: passed
78363
78364 source: mbind_vma_test.c
78365 ============================================================
78366 #include <numaif.h>
78367 #include <numa.h>
78368 #include <sys/mman.h>
78369 #include <stdio.h>
78370 #include <unistd.h>
78371 #include <stdlib.h>
78372 #include <string.h>
78373
78374 static unsigned long pagesize;
78375 void* mmap_addr;
78376 struct bitmask *nmask;
78377 char buf[1024];
78378 FILE *file;
78379 char retbuf[10240] = "";
78380 int mapped_fd;
78381
78382 char *rubysrc = "ruby -e '\
78383 pid = %d; \
78384 vstart = 0x%llx; \
78385 vend = 0x%llx; \
78386 s = `pmap -q #{pid}`; \
78387 rary = []; \
78388 s.each_line {|line|; \
78389 ary=line.split(\" \"); \
78390 addr = ary[0].to_i(16); \
78391 if(vstart <= addr && addr < vend) then \
78392 rary.push(ary[1].to_i()/4); \
78393 end; \
78394 }; \
78395 print rary.join(\",\"); \
78396 '";
78397
78398 void init(void)
78399 {
78400 void* addr;
78401 char buf[128];
78402
78403 nmask = numa_allocate_nodemask();
78404 numa_bitmask_setbit(nmask, 0);
78405
78406 pagesize = getpagesize();
78407
78408 sprintf(buf, "%s", "mbind_vma_XXXXXX");
78409 mapped_fd = mkstemp(buf);
78410 if (mapped_fd == -1)
78411 perror("mkstemp "), exit(1);
78412 unlink(buf);
78413
78414 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
78415 perror("lseek "), exit(1);
78416 if (write(mapped_fd, "\0", 1) < 0)
78417 perror("write "), exit(1);
78418
78419 addr = mmap(NULL, pagesize*8, PROT_NONE,
78420 MAP_SHARED, mapped_fd, 0);
78421 if (addr == MAP_FAILED)
78422 perror("mmap "), exit(1);
78423
78424 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
78425 perror("mprotect "), exit(1);
78426
78427 mmap_addr = addr + pagesize;
78428
78429 /* make page populate */
78430 memset(mmap_addr, 0, pagesize*6);
78431 }
78432
78433 void fin(void)
78434 {
78435 void* addr = mmap_addr - pagesize;
78436 munmap(addr, pagesize*8);
78437
78438 memset(buf, 0, sizeof(buf));
78439 memset(retbuf, 0, sizeof(retbuf));
78440 }
78441
78442 void mem_bind(int index, int len)
78443 {
78444 int err;
78445
78446 err = mbind(mmap_addr+pagesize*index, pagesize*len,
78447 MPOL_BIND, nmask->maskp, nmask->size, 0);
78448 if (err)
78449 perror("mbind "), exit(err);
78450 }
78451
78452 void mem_interleave(int index, int len)
78453 {
78454 int err;
78455
78456 err = mbind(mmap_addr+pagesize*index, pagesize*len,
78457 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
78458 if (err)
78459 perror("mbind "), exit(err);
78460 }
78461
78462 void mem_unbind(int index, int len)
78463 {
78464 int err;
78465
78466 err = mbind(mmap_addr+pagesize*index, pagesize*len,
78467 MPOL_DEFAULT, NULL, 0, 0);
78468 if (err)
78469 perror("mbind "), exit(err);
78470 }
78471
78472 void Assert(char *expected, char *value, char *name, int line)
78473 {
78474 if (strcmp(expected, value) == 0) {
78475 fprintf(stderr, "%s: passed\n", name);
78476 return;
78477 }
78478 else {
78479 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
78480 name, line,
78481 expected, value);
78482 // exit(1);
78483 }
78484 }
78485
78486 /*
78487 AAAA
78488 PPPPPPNNNNNN
78489 might become
78490 PPNNNNNNNNNN
78491 case 4 below
78492 */
78493 void case4(void)
78494 {
78495 init();
78496 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
78497
78498 mem_bind(0, 4);
78499 mem_unbind(2, 2);
78500
78501 file = popen(buf, "r");
78502 fread(retbuf, sizeof(retbuf), 1, file);
78503 Assert("2,4", retbuf, "case4", __LINE__);
78504
78505 fin();
78506 }
78507
78508 /*
78509 AAAA
78510 PPPPPPNNNNNN
78511 might become
78512 PPPPPPPPPPNN
78513 case 5 below
78514 */
78515 void case5(void)
78516 {
78517 init();
78518 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
78519
78520 mem_bind(0, 2);
78521 mem_bind(2, 2);
78522
78523 file = popen(buf, "r");
78524 fread(retbuf, sizeof(retbuf), 1, file);
78525 Assert("4,2", retbuf, "case5", __LINE__);
78526
78527 fin();
78528 }
78529
78530 /*
78531 AAAA
78532 PPPPNNNNXXXX
78533 might become
78534 PPPPPPPPPPPP 6
78535 */
78536 void case6(void)
78537 {
78538 init();
78539 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
78540
78541 mem_bind(0, 2);
78542 mem_bind(4, 2);
78543 mem_bind(2, 2);
78544
78545 file = popen(buf, "r");
78546 fread(retbuf, sizeof(retbuf), 1, file);
78547 Assert("6", retbuf, "case6", __LINE__);
78548
78549 fin();
78550 }
78551
78552 /*
78553 AAAA
78554 PPPPNNNNXXXX
78555 might become
78556 PPPPPPPPXXXX 7
78557 */
78558 void case7(void)
78559 {
78560 init();
78561 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
78562
78563 mem_bind(0, 2);
78564 mem_interleave(4, 2);
78565 mem_bind(2, 2);
78566
78567 file = popen(buf, "r");
78568 fread(retbuf, sizeof(retbuf), 1, file);
78569 Assert("4,2", retbuf, "case7", __LINE__);
78570
78571 fin();
78572 }
78573
78574 /*
78575 AAAA
78576 PPPPNNNNXXXX
78577 might become
78578 PPPPNNNNNNNN 8
78579 */
78580 void case8(void)
78581 {
78582 init();
78583 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
78584
78585 mem_bind(0, 2);
78586 mem_interleave(4, 2);
78587 mem_interleave(2, 2);
78588
78589 file = popen(buf, "r");
78590 fread(retbuf, sizeof(retbuf), 1, file);
78591 Assert("2,4", retbuf, "case8", __LINE__);
78592
78593 fin();
78594 }
78595
78596 void case_n(void)
78597 {
78598 init();
78599 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
78600
78601 /* make redundunt mappings [0][1234][34][7] */
78602 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
78603 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
78604
78605 /* Expect to do nothing. */
78606 mem_unbind(2, 2);
78607
78608 file = popen(buf, "r");
78609 fread(retbuf, sizeof(retbuf), 1, file);
78610 Assert("4,2", retbuf, "case_n", __LINE__);
78611
78612 fin();
78613 }
78614
78615 int main(int argc, char** argv)
78616 {
78617 case4();
78618 case5();
78619 case6();
78620 case7();
78621 case8();
78622 case_n();
78623
78624 return 0;
78625 }
78626 =============================================================
78627
78628 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
78629 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
78630 Cc: Minchan Kim <minchan.kim@gmail.com>
78631 Cc: Caspar Zhang <caspar@casparzhang.com>
78632 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
78633 Cc: Christoph Lameter <cl@linux.com>
78634 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
78635 Cc: Mel Gorman <mel@csn.ul.ie>
78636 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
78637 Cc: <stable@vger.kernel.org> [3.1.x]
78638 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
78639 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78640
78641commit f3a1082005781777086df235049f8c0b7efe524e
78642Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
78643Date: Tue Dec 27 22:32:41 2011 -0500
78644
78645 packet: fix possible dev refcnt leak when bind fail
78646
78647 If bind is fail when bind is called after set PACKET_FANOUT
78648 sock option, the dev refcnt will leak.
78649
78650 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
78651 Signed-off-by: David S. Miller <davem@davemloft.net>
78652
78653commit 915f8b08dac68839dc7204ee81cf9852fda16d24
78654Author: Haogang Chen <haogangchen@gmail.com>
78655Date: Mon Dec 19 17:11:56 2011 -0800
78656
78657 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
78658
78659 There is a potential integer overflow in nilfs_ioctl_clean_segments().
78660 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
78661 call to vmalloc() will allocate a buffer smaller than expected, which
78662 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
78663 lfs_clean_segments().
78664
78665 The following check does not prevent the overflow because nsegs is also
78666 controlled by the userspace and could be very large.
78667
78668 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
78669 goto out_free;
78670
78671 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
78672 returns -EINVAL when overflow.
78673
78674 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
78675 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
78676 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
78677 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78678
78679commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
78680Author: Kautuk Consul <consul.kautuk@gmail.com>
78681Date: Mon Dec 19 17:12:04 2011 -0800
78682
78683 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
78684
78685 Static storage is not required for the struct vmap_area in
78686 __get_vm_area_node.
78687
78688 Removing "static" to store this variable on the stack instead.
78689
78690 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
78691 Acked-by: David Rientjes <rientjes@google.com>
78692 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
78693 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78694
78695commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
78696Author: Michel Lespinasse <walken@google.com>
78697Date: Mon Dec 19 17:12:06 2011 -0800
78698
78699 binary_sysctl(): fix memory leak
78700
78701 binary_sysctl() calls sysctl_getname() which allocates from names_cache
78702 slab usin __getname()
78703
78704 The matching function to free the name is __putname(), and not putname()
78705 which should be used only to match getname() allocations.
78706
78707 This is because when auditing is enabled, putname() calls audit_putname
78708 *instead* (not in addition) to __putname(). Then, if a syscall is in
78709 progress, audit_putname does not release the name - instead, it expects
78710 the name to get released when the syscall completes, but that will happen
78711 only if audit_getname() was called previously, i.e. if the name was
78712 allocated with getname() rather than the naked __getname(). So,
78713 __getname() followed by putname() ends up leaking memory.
78714
78715 Signed-off-by: Michel Lespinasse <walken@google.com>
78716 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
78717 Cc: Christoph Hellwig <hch@infradead.org>
78718 Cc: Eric Paris <eparis@redhat.com>
78719 Cc: <stable@vger.kernel.org>
78720 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
78721 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
78722
78723commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
78724Author: Sean Hefty <sean.hefty@intel.com>
78725Date: Tue Dec 6 21:17:11 2011 +0000
78726
78727 RDMA/cma: Verify private data length
78728
78729 private_data_len is defined as a u8. If the user specifies a large
78730 private_data size (> 220 bytes), we will calculate a total length that
78731 exceeds 255, resulting in private_data_len wrapping back to 0. This
78732 can lead to overwriting random kernel memory. Avoid this by verifying
78733 that the resulting size fits into a u8.
78734
78735 Reported-by: B. Thery <benjamin.thery@bull.net>
78736 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
78737 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
78738 Signed-off-by: Roland Dreier <roland@purestorage.com>
78739
78740commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
78741Author: Xi Wang <xi.wang@gmail.com>
78742Date: Sun Dec 11 23:40:56 2011 -0800
78743
78744 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
78745
78746 The error check (intr_status < 0) didn't work because intr_status is
78747 a u8. Change its type to signed int.
78748
78749 Signed-off-by: Xi Wang <xi.wang@gmail.com>
78750 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
78751
78752commit e27f34e383d7863b2528a63b81b23db09781f6b6
78753Author: Xi Wang <xi.wang@gmail.com>
78754Date: Fri Dec 16 12:44:15 2011 +0000
78755
78756 sctp: fix incorrect overflow check on autoclose
78757
78758 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
78759 limiting the autoclose value. If userspace passes in -1 on 32-bit
78760 platform, the overflow check didn't work and autoclose would be set
78761 to 0xffffffff.
78762
78763 This patch defines a max_autoclose (in seconds) for limiting the value
78764 and exposes it through sysctl, with the following intentions.
78765
78766 1) Avoid overflowing autoclose * HZ.
78767
78768 2) Keep the default autoclose bound consistent across 32- and 64-bit
78769 platforms (INT_MAX / HZ in this patch).
78770
78771 3) Keep the autoclose value consistent between setsockopt() and
78772 getsockopt() calls.
78773
78774 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
78775 Signed-off-by: Xi Wang <xi.wang@gmail.com>
78776 Signed-off-by: David S. Miller <davem@davemloft.net>
78777
78778commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
78779Author: Xi Wang <xi.wang@gmail.com>
78780Date: Wed Dec 21 05:18:33 2011 -0500
78781
78782 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
78783
78784 Commit e133e737 didn't correctly fix the integer overflow issue.
78785
78786 - unsigned int required_size;
78787 + u64 required_size;
78788 ...
78789 required_size = mode_cmd->pitch * mode_cmd->height;
78790 - if (unlikely(required_size > dev_priv->vram_size)) {
78791 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
78792
78793 Note that both pitch and height are u32. Their product is still u32 and
78794 would overflow before being assigned to required_size. A correct way is
78795 to convert pitch and height to u64 before the multiplication.
78796
78797 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
78798
78799 This patch calls the existing vmw_kms_validate_mode_vram() for
78800 validation.
78801
78802 Signed-off-by: Xi Wang <xi.wang@gmail.com>
78803 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
78804 Signed-off-by: Dave Airlie <airlied@redhat.com>
78805
78806 Conflicts:
78807
78808 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
78809
78810commit eb8f0bd01fb994c9abc77dc84729794cd841753d
78811Author: Xi Wang <xi.wang@gmail.com>
78812Date: Thu Dec 22 13:35:22 2011 +0000
78813
78814 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
78815
78816 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
78817 cause a kernel oops due to insufficient bounds checking.
78818
78819 if (count > 1<<30) {
78820 /* Enforce a limit to prevent overflow */
78821 return -EINVAL;
78822 }
78823 count = roundup_pow_of_two(count);
78824 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
78825
78826 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
78827
78828 ... + (count * sizeof(struct rps_dev_flow))
78829
78830 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
78831 32 bits.
78832
78833 This patch replaces the magic number (1 << 30) with a symbolic bound.
78834
78835 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
78836 Signed-off-by: Xi Wang <xi.wang@gmail.com>
78837 Signed-off-by: David S. Miller <davem@davemloft.net>
78838
78839commit 648188958672024b616c42c1f6c98c8cfc85619d
78840Author: Xi Wang <xi.wang@gmail.com>
78841Date: Fri Dec 30 10:40:17 2011 -0500
78842
78843 netfilter: ctnetlink: fix timeout calculation
78844
78845 The sanity check (timeout < 0) never works; the dividend is unsigned
78846 and so is the division, which should have been a signed division.
78847
78848 long timeout = (ct->timeout.expires - jiffies) / HZ;
78849 if (timeout < 0)
78850 timeout = 0;
78851
78852 This patch converts the time values to signed for the division.
78853
78854 Signed-off-by: Xi Wang <xi.wang@gmail.com>
78855 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
78856
78857commit ab03a0973cee73f88655ff4981812ad316a6cd59
78858Merge: 76f82df 7bdddeb
78859Author: Brad Spengler <spender@grsecurity.net>
78860Date: Tue Jan 3 17:42:50 2012 -0500
78861
78862 Merge branch 'pax-test' into grsec-test
78863
78864commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
78865Merge: 3e59cb5 55cc81a
78866Author: Brad Spengler <spender@grsecurity.net>
78867Date: Tue Jan 3 17:42:36 2012 -0500
78868
78869 Merge branch 'linux-3.1.y' into pax-test
78870
78871commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
78872Author: Brad Spengler <spender@grsecurity.net>
78873Date: Thu Dec 22 20:15:02 2011 -0500
78874
78875 Only further restrict futex targeting another process -- our modified
78876 permission check also happened to allow a case where a process retaining
78877 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
78878 being non-zero (reported on forums by ben_w)
78879
78880commit 6b235a4450a5fea41663ec35fa0608988b6078c6
78881Merge: 97c16f0 3e59cb5
78882Author: Brad Spengler <spender@grsecurity.net>
78883Date: Thu Dec 22 19:11:06 2011 -0500
78884
78885 Merge branch 'pax-test' into grsec-test
78886
78887 Conflicts:
78888 fs/hfs/btree.c
78889
78890commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
78891Merge: 285eb4e c26f60b
78892Author: Brad Spengler <spender@grsecurity.net>
78893Date: Thu Dec 22 19:09:57 2011 -0500
78894
78895 Merge branch 'linux-3.1.y' into pax-test
78896
78897 Conflicts:
78898 arch/x86/kernel/process.c
78899
78900commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
78901Author: Brad Spengler <spender@grsecurity.net>
78902Date: Mon Dec 19 21:54:01 2011 -0500
78903
78904 Add new option: "Enforce consistent multithreaded privileges"
78905
78906commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
78907Author: Brad Spengler <spender@grsecurity.net>
78908Date: Wed Dec 7 19:58:31 2011 -0500
78909
78910 Remove harmless duplicate code -- exec_file would be null already so the
78911 second check would never pass.
78912
78913commit 4e3304e94aa72737810bc50169519af157dce4ce
78914Author: Brad Spengler <spender@grsecurity.net>
78915Date: Wed Dec 7 19:50:39 2011 -0500
78916
78917 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
78918 depended on for attaching to a thread. Entries exist in /proc for
78919 threads, but are not visible in a readdir.
78920
78921commit 1bd899335f23815cfe8deac44c6b346398f3b95e
78922Author: Brad Spengler <spender@grsecurity.net>
78923Date: Sun Dec 4 18:03:28 2011 -0500
78924
78925 Put the already-walked path if in RCU-walk mode
78926
78927commit ec7ae36b7159f10649709779443a988662965d66
78928Author: Brad Spengler <spender@grsecurity.net>
78929Date: Sun Dec 4 17:35:21 2011 -0500
78930
78931 Fix memory leak introduced by recent (unpublished) commit
78932 75ab998b94a29d464518d6d501bdde3fbfcbfa14
78933
78934commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
78935Author: Brad Spengler <spender@grsecurity.net>
78936Date: Sun Dec 4 13:56:10 2011 -0500
78937
78938 Explicitly check size copied to userland in override_release to silence gcc
78939
78940commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
78941Author: Brad Spengler <spender@grsecurity.net>
78942Date: Sun Dec 4 13:54:02 2011 -0500
78943
78944 Initialize variable to silence erroneous gcc warning
78945
78946commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
78947Author: Brad Spengler <spender@grsecurity.net>
78948Date: Sun Dec 4 13:47:47 2011 -0500
78949
78950 Future-proof other potential RCU-aware locations where we can log.
78951
78952commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
78953Author: Brad Spengler <spender@grsecurity.net>
78954Date: Sun Dec 4 13:02:54 2011 -0500
78955
78956 Fix freeze reported by 'vs' on the forums. Bug occurred due to
78957 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
78958 in generic_permission() was in the task's effective set but disallowed by
78959 RBAC, would block when acquiring locks resulting in the freeze.
78960
78961 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
78962 as being required when CAP_DAC_OVERRIDE is present (consistent with
78963 older patches).
78964
78965commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
78966Author: Xi Wang <xi.wang@gmail.com>
78967Date: Tue Nov 29 09:26:30 2011 +0000
78968
78969 sctp: better integer overflow check in sctp_auth_create_key()
78970
78971 The check from commit 30c2235c is incomplete and cannot prevent
78972 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
78973 left-hand side of the check (INT_MAX - key_len), which is unsigned,
78974 becomes 0xffffffff (UINT_MAX) and bypasses the check.
78975
78976 However this shouldn't be a security issue. The function is called
78977 from the following two code paths:
78978
78979 1) setsockopt()
78980
78981 2) sctp_auth_asoc_set_secret()
78982
78983 In case (1), sca_keylength is never going to exceed 65535 since it's
78984 bounded by a u16 from the user API. As such, the key length will
78985 never overflow.
78986
78987 In case (2), sca_keylength is computed based on the user key (1 short)
78988 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
78989 will not overflow.
78990
78991 In other words, this overflow check is not really necessary. Just
78992 make it more correct.
78993
78994 Signed-off-by: Xi Wang <xi.wang@gmail.com>
78995 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
78996 Signed-off-by: David S. Miller <davem@davemloft.net>
78997
78998commit e565e28c3635a1d50f80541fbf6b606d742fec76
78999Author: Josh Boyer <jwboyer@redhat.com>
79000Date: Fri Aug 19 14:50:26 2011 -0400
79001
79002 fs/minix: Verify bitmap block counts before mounting
79003
79004 Newer versions of MINIX can create filesystems that allocate an extra
79005 bitmap block. Mounting of this succeeds, but doing a statfs call will
79006 result in an oops in count_free because of a negative number being used
79007 for the bh index.
79008
79009 Avoid this by verifying the number of allocated blocks at mount time,
79010 erroring out if there are not enough and make statfs ignore the extras
79011 if there are too many.
79012
79013 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
79014
79015 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
79016 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
79017
79018commit 6e134e398ec1a3f428261680e83df4319e64bed9
79019Author: Julia Lawall <julia@diku.dk>
79020Date: Tue Nov 15 14:53:11 2011 -0800
79021
79022 drivers/gpu/vga/vgaarb.c: add missing kfree
79023
79024 kbuf is a buffer that is local to this function, so all of the error paths
79025 leaving the function should release it.
79026
79027 Signed-off-by: Julia Lawall <julia@diku.dk>
79028 Cc: Jesper Juhl <jj@chaosbits.net>
79029 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
79030 Signed-off-by: Dave Airlie <airlied@redhat.com>
79031
79032commit 2b9057b321e36860e8d63985b5c4e496f254b717
79033Author: Brad Spengler <spender@grsecurity.net>
79034Date: Sat Dec 3 21:33:28 2011 -0500
79035
79036 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
79037
79038commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
79039Author: Brad Spengler <spender@grsecurity.net>
79040Date: Sat Dec 3 21:29:37 2011 -0500
79041
79042 Import pax-linux-3.1.4-test18.patch
79043
79044commit 285eb4ea45d853ae00426b3315a61c1368080dad
79045Author: Brad Spengler <spender@grsecurity.net>
79046Date: Sat Dec 10 18:33:46 2011 -0500
79047
79048 Import changes from pax-linux-3.1.5-test20.patch
79049
79050commit a6bda918fc90ec1d5c387e978d147ad2044153f1
79051Author: Brad Spengler <spender@grsecurity.net>
79052Date: Thu Dec 8 20:55:54 2011 -0500
79053
79054 Import changes from pax-linux-3.1.4-test19.patch
79055
79056commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
79057Author: Brad Spengler <spender@grsecurity.net>
79058Date: Sat Dec 3 21:29:37 2011 -0500
79059
79060 Import pax-linux-3.1.4-test18.patch
79061commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
79062Author: Brad Spengler <spender@grsecurity.net>
79063Date: Thu Jul 4 23:05:14 2013 -0400
79064
79065 always enforce a non-zero gap for RAND_THREADSTACK
79066
79067 mm/mmap.c | 2 +-
79068 1 files changed, 1 insertions(+), 1 deletions(-)
79069
79070commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
79071Author: Brad Spengler <spender@grsecurity.net>
79072Date: Thu Jul 4 16:09:28 2013 -0400
79073
79074 fix up file comparisons
79075
79076 grsecurity/gracl_segv.c | 2 +-
79077 grsecurity/grsec_sig.c | 4 ++--
79078 include/linux/grinternal.h | 12 ++++++++++++
79079 3 files changed, 15 insertions(+), 3 deletions(-)
79080
79081commit a1fff2c95162314626dd96bec71d951a8c1c4708
79082Author: Brad Spengler <spender@grsecurity.net>
79083Date: Thu Jul 4 15:33:18 2013 -0400
79084
79085 fix suid binary matching
79086
79087 grsecurity/grsec_sig.c | 2 +-
79088 1 files changed, 1 insertions(+), 1 deletions(-)
79089
79090commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
79091Merge: 37b97a9 47beb61
79092Author: Brad Spengler <spender@grsecurity.net>
79093Date: Thu Jul 4 15:02:31 2013 -0400
79094
79095 Merge branch 'pax-test' into grsec-test
79096
79097commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
79098Author: Brad Spengler <spender@grsecurity.net>
79099Date: Thu Jul 4 15:01:37 2013 -0400
79100
79101 Update to pax-linux-3.9.9-test13.patch:
79102 - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
79103 - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)
79104
79105 arch/arm/include/asm/uaccess.h | 20 ++++++++++----------
79106 arch/arm/kernel/armksyms.c | 2 +-
79107 arch/arm/kernel/entry-armv.S | 4 ++--
79108 arch/arm/mm/Kconfig | 2 +-
79109 arch/x86/ia32/ia32entry.S | 4 ++--
79110 arch/x86/include/asm/page.h | 1 +
79111 arch/x86/kernel/entry_32.S | 4 ++--
79112 arch/x86/kernel/entry_64.S | 8 ++++----
79113 arch/x86/kernel/head64.c | 12 ++++++------
79114 arch/x86/kernel/head_64.S | 16 ++++++++++++----
79115 arch/x86/mm/init.c | 8 ++++++++
79116 arch/x86/mm/init_32.c | 6 ------
79117 arch/x86/mm/init_64.c | 6 ------
79118 arch/x86/platform/efi/efi_32.c | 5 +++++
79119 arch/x86/platform/efi/efi_64.c | 10 ++++++++++
79120 15 files changed, 64 insertions(+), 44 deletions(-)
79121
79122commit 89085d2d0643813a62f23d1199a335dc1e129bc0
79123Merge: 963af7f 0adf2e7
79124Author: Brad Spengler <spender@grsecurity.net>
79125Date: Thu Jul 4 14:55:44 2013 -0400
79126
79127 Merge branch 'linux-3.9.y' into pax-test
79128
79129commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
79130Author: Brad Spengler <spender@grsecurity.net>
79131Date: Thu Jul 4 13:46:02 2013 -0400
79132
79133 fix typo
79134
79135 grsecurity/gracl.c | 2 +-
79136 1 files changed, 1 insertions(+), 1 deletions(-)
79137
79138commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
79139Author: Brad Spengler <spender@grsecurity.net>
79140Date: Thu Jul 4 13:29:51 2013 -0400
79141
79142 update log arguments
79143
79144 grsecurity/grsec_sig.c | 3 ++-
79145 1 files changed, 2 insertions(+), 1 deletions(-)
79146
79147commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
79148Author: Brad Spengler <spender@grsecurity.net>
79149Date: Thu Jul 4 13:20:23 2013 -0400
79150
79151 Update logging of suid exec ban
79152
79153 Conflicts:
79154
79155 grsecurity/grsec_sig.c
79156
79157 grsecurity/grsec_sig.c | 3 +--
79158 include/linux/grmsg.h | 1 +
79159 2 files changed, 2 insertions(+), 2 deletions(-)
79160
79161commit ef808866c070aa1901bd2224521baaf5d145a3a7
79162Author: Brad Spengler <spender@grsecurity.net>
79163Date: Thu Jul 4 12:58:33 2013 -0400
79164
79165 Additional improvements to the user banning code:
79166
79167 Separate the kernel-bruteforcing case from the suid bruteforcing case
79168 In the suid bruteforcing case, only kill existing copies of the bruteforced
79169 binary. Instead of preventing all future execs by this user, prevent them
79170 from executing any suid/sgid binaries for the next 15 minutes.
79171
79172 Kernel case is mostly unchanged from before, except the task trying to change
79173 real uid to the banned user will be terminated instead of failing the setuid
79174 call.
79175
79176 Configuration help has been updated to reflect the new changes.
79177
79178 fs/exec.c | 13 +++++---
79179 grsecurity/Kconfig | 5 ++-
79180 grsecurity/gracl.c | 6 ++--
79181 grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
79182 include/linux/grsecurity.h | 1 -
79183 include/linux/sched.h | 9 +++--
79184 6 files changed, 65 insertions(+), 45 deletions(-)
79185
79186commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
79187Author: Brad Spengler <spender@grsecurity.net>
79188Date: Wed Jul 3 16:14:09 2013 -0400
79189
79190 fix renamed export of csum_partial_copy_from_user, as reported by fabled
79191 on the forums
79192
79193 arch/arm/kernel/armksyms.c | 2 +-
79194 1 files changed, 1 insertions(+), 1 deletions(-)
79195
79196commit 318235973c2a548c3d25562645d6b69f66e85934
79197Author: Brad Spengler <spender@grsecurity.net>
79198Date: Wed Jul 3 16:09:16 2013 -0400
79199
79200 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
79201 reported on the forums by fabled
79202
79203 arch/arm/mm/Kconfig | 2 +-
79204 1 files changed, 1 insertions(+), 1 deletions(-)
79205
79206commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
79207Author: Brad Spengler <spender@grsecurity.net>
79208Date: Wed Jul 3 15:53:12 2013 -0400
79209
79210 Revise the user ban code to kill the process issuing a banned
79211 set*id instead of returning an error. For the sake of keeping
79212 unified user banning between the suid and kernel bruteforce case,
79213 we will apply this killing to the suid bruteforce case, despite
79214 a check just at exec time (that already existed) being sufficient.
79215
79216 Returning an error could enable exploitation of the "failure to check
79217 setuid return value" case which was recently effectively closed
79218 upstream, albeit in a rare situation with a suitable binary and
79219 two colluding users.
79220
79221 Many thanks to stealth for reviewing the user ban code.
79222
79223 grsecurity/gracl.c | 4 ++--
79224 grsecurity/grsec_sig.c | 16 +++++++++++++---
79225 2 files changed, 15 insertions(+), 5 deletions(-)
79226
79227commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
79228Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
79229Date: Fri Jun 28 14:15:15 2013 +0300
79230
79231 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
79232
79233 UBIFS: fix a horrid bug
79234
79235 Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
79236 mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
79237 in the middle of 'ubifs_readdir()'.
79238
79239 This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
79240 it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
79241 but this may corrupt memory and lead to all kinds of problems like crashes an
79242 security holes.
79243
79244 This patch fixes the problem by using the 'file->f_version' field, which
79245 '->llseek()' always unconditionally sets to zero. We set it to 1 in
79246 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
79247 seek and it is time to clear the state saved in 'file->private_data'.
79248
79249 I tested this patch by writing a user-space program which runds readdir and
79250 seek in parallell. I could easily crash the kernel without these patches, but
79251 could not crash it with these patches.
79252
79253 Cc: stable@vger.kernel.org
79254 Reported-by: Al Viro <viro@zeniv.linux.org.uk>
79255 Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
79256 Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
79257 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
79258
79259 fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
79260 1 files changed, 27 insertions(+), 3 deletions(-)
79261
79262commit c22280b85088978bd8b45bd23096879459b48008
79263Author: Stephane Eranian <eranian@google.com>
79264Date: Thu Jun 20 11:36:28 2013 +0200
79265
79266 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
79267
79268 perf: Disable monitoring on setuid processes for regular users
79269
79270 There was a a bug in setup_new_exec(), whereby
79271 the test to disabled perf monitoring was not
79272 correct because the new credentials for the
79273 process were not yet committed and therefore
79274 the get_dumpable() test was never firing.
79275
79276 The patch fixes the problem by moving the
79277 perf_event test until after the credentials
79278 are committed.
79279
79280 Signed-off-by: Stephane Eranian <eranian@google.com>
79281 Tested-by: Jiri Olsa <jolsa@redhat.com>
79282 Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
79283 Cc: <stable@kernel.org>
79284 Signed-off-by: Ingo Molnar <mingo@kernel.org>
79285
79286 fs/exec.c | 16 +++++++++-------
79287 1 files changed, 9 insertions(+), 7 deletions(-)
79288
79289commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
79290Author: Brad Spengler <spender@grsecurity.net>
79291Date: Sat Jun 29 13:10:02 2013 -0400
79292
79293 on context switch, make sure we switch DACR when domain support and
79294 KERNEXEC is disabled but UDEREF is enabled
79295
79296 arch/arm/kernel/entry-armv.S | 4 ++--
79297 1 files changed, 2 insertions(+), 2 deletions(-)
79298
79299commit 08d017fa51370921694ce087b28c96fec92993d4
79300Author: Michael S. Tsirkin <mst@redhat.com>
79301Date: Sun Jun 23 17:26:58 2013 +0300
79302
79303 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
79304
79305 macvtap: fix recovery from gup errors
79306
79307 get user pages might fail partially in macvtap zero copy
79308 mode. To recover we need to put all pages that we got,
79309 but code used a wrong index resulting in double-free
79310 errors.
79311
79312 Reported-by: Brad Hubbard <bhubbard@redhat.com>
79313 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
79314 Acked-by: Jason Wang <jasowang@redhat.com>
79315 Signed-off-by: David S. Miller <davem@davemloft.net>
79316
79317 drivers/net/macvtap.c | 6 ++++--
79318 1 files changed, 4 insertions(+), 2 deletions(-)
79319
79320commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
79321Author: Michael S. Tsirkin <mst@redhat.com>
79322Date: Sun Jun 23 17:19:03 2013 +0300
79323
79324 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
79325
79326 tun: fix recovery from gup errors
79327
79328 get user pages might fail partially in tun zero copy
79329 mode. To recover we need to put all pages that we got,
79330 but code used a wrong index resulting in double-free
79331 errors.
79332
79333 Reported-by: Brad Hubbard <bhubbard@redhat.com>
79334 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
79335 Acked-by: Jason Wang <jasowang@redhat.com>
79336 Acked-by: Neil Horman <nhorman@tuxdriver.com>
79337 Signed-off-by: David S. Miller <davem@davemloft.net>
79338
79339 drivers/net/tun.c | 6 ++++--
79340 1 files changed, 4 insertions(+), 2 deletions(-)
79341
79342commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
79343Author: Balazs Peter Odor <balazs@obiserver.hu>
79344Date: Sat Jun 22 19:24:43 2013 +0200
79345
79346 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
79347
79348 netfilter: nf_nat_sip: fix mangling
79349
79350 In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
79351 there were some missing brackets around the logging information, thus
79352 always returning drop.
79353
79354 Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
79355
79356 Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
79357 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
79358
79359 net/netfilter/nf_nat_sip.c | 3 ++-
79360 1 files changed, 2 insertions(+), 1 deletions(-)
79361
79362commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
79363Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
79364Date: Sun Jun 2 16:30:40 2013 -0400
79365
79366 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
79367
79368 Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
79369
79370 If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
79371 controller, memory corruption happens due to a memcpy() call with
79372 negative length.
79373
79374 Fix this crash on either incoming or outgoing connections with a MTU
79375 smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
79376
79377 [ 46.885433] BUG: unable to handle kernel paging request at f56ad000
79378 [ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
79379 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
79380 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
79381 [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
79382 [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
79383 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
79384 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
79385 [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
79386 [ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
79387 [ 46.888037] EIP is at memcpy+0x1d/0x40
79388 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
79389 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
79390 [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
79391 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
79392 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
79393 [ 46.888037] DR6: ffff0ff0 DR7: 00000400
79394 [ 46.888037] Stack:
79395 [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
79396 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
79397 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
79398 [ 46.888037] Call Trace:
79399 [ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
79400 [ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
79401 [ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
79402 [ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
79403 [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
79404 [ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
79405 [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
79406 [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
79407 [ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
79408 [ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
79409 [ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
79410 [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
79411 [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
79412 [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
79413 [ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
79414 [ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
79415 [ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
79416 [ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
79417 [ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
79418 [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
79419 [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
79420 [ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
79421 [ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
79422 [ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
79423 [ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
79424 [ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
79425 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
79426 [ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
79427 [ 46.888037] CR2: 00000000f56ad000
79428 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
79429
79430 Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
79431 Cc: stable@vger.kernel.org
79432 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
79433 Signed-off-by: John W. Linville <linville@tuxdriver.com>
79434
79435 net/bluetooth/l2cap_core.c | 3 +++
79436 1 files changed, 3 insertions(+), 0 deletions(-)
79437
79438commit b0471b6c1160858fc646d8e94628fd1299f61692
79439Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
79440Date: Fri Jun 21 19:55:11 2013 +0530
79441
79442 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
79443
79444 Bluetooth: Fix invalid length check in l2cap_information_rsp()
79445
79446 The length check is invalid since the length varies with type of
79447 info response.
79448
79449 This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
79450
79451 Because of this, l2cap info rsp is not handled and command reject is sent.
79452
79453 > ACL data: handle 11 flags 0x02 dlen 16
79454 L2CAP(s): Info rsp: type 2 result 0
79455 Extended feature mask 0x00b8
79456 Enhanced Retransmission mode
79457 Streaming mode
79458 FCS Option
79459 Fixed Channels
79460 < ACL data: handle 11 flags 0x00 dlen 10
79461 L2CAP(s): Command rej: reason 0
79462 Command not understood
79463
79464 Cc: stable@vger.kernel.org
79465 Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
79466 Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
79467 Acked-by: Johan Hedberg <johan.hedberg@intel.com>
79468 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
79469
79470 net/bluetooth/l2cap_core.c | 2 +-
79471 1 files changed, 1 insertions(+), 1 deletions(-)
79472
79473commit 4184af98c360d825e638b268b1a9847232e8d299
79474Author: Eric Dumazet <edumazet@google.com>
79475Date: Wed Jun 26 04:15:07 2013 -0700
79476
79477 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
79478
79479 ipv6: ip6_sk_dst_check() must not assume ipv6 dst
79480
79481 It's possible to use AF_INET6 sockets and to connect to an IPv4
79482 destination. After this, socket dst cache is a pointer to a rtable,
79483 not rt6_info.
79484
79485 ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
79486 various corruptions/crashes can happen.
79487
79488 Dave Jones can reproduce immediate crash with
79489 trinity -q -l off -n -c sendmsg -c connect
79490
79491 With help from Hannes Frederic Sowa
79492
79493 Reported-by: Dave Jones <davej@redhat.com>
79494 Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
79495 Signed-off-by: Eric Dumazet <edumazet@google.com>
79496 Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
79497 Signed-off-by: David S. Miller <davem@davemloft.net>
79498
79499 net/ipv6/ip6_output.c | 8 +++++++-
79500 1 files changed, 7 insertions(+), 1 deletions(-)
79501
79502commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
79503Author: Zefan Li <lizefan@huawei.com>
79504Date: Wed Jun 26 15:29:54 2013 +0800
79505
79506 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
79507
79508 dlci: acquire rtnl_lock before calling __dev_get_by_name()
79509
79510 Otherwise the net device returned can be freed at anytime.
79511
79512 Signed-off-by: Li Zefan <lizefan@huawei.com>
79513 Cc: stable@vger.kernel.org
79514 Signed-off-by: David S. Miller <davem@davemloft.net>
79515
79516 drivers/net/wan/dlci.c | 14 +++++++++-----
79517 1 files changed, 9 insertions(+), 5 deletions(-)
79518
79519commit 1fe6f23c9acd14d832d056909ff326bde418e645
79520Author: Zefan Li <lizefan@huawei.com>
79521Date: Wed Jun 26 15:31:58 2013 +0800
79522
79523 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
79524
79525 dlci: validate the net device in dlci_del()
79526
79527 We triggered an oops while running trinity with 3.4 kernel:
79528
79529 BUG: unable to handle kernel paging request at 0000000100000d07
79530 IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
79531 PGD 640c0d067 PUD 0
79532 Oops: 0000 [#1] PREEMPT SMP
79533 CPU 3
79534 ...
79535 Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
79536 RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
79537 ...
79538 Call Trace:
79539 [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
79540 [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
79541 [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
79542 [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
79543 [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
79544 ...
79545
79546 It's because the net device is not a dlci device.
79547
79548 Reported-by: Li Jinyue <lijinyue@huawei.com>
79549 Signed-off-by: Li Zefan <lizefan@huawei.com>
79550 Cc: stable@vger.kernel.org
79551 Signed-off-by: David S. Miller <davem@davemloft.net>
79552
79553 drivers/net/wan/dlci.c | 12 ++++++++++++
79554 1 files changed, 12 insertions(+), 0 deletions(-)
79555
79556commit 4d4464407611527ef6b6b5475cfcab6121b3da66
79557Merge: 59571a9 963af7f
79558Author: Brad Spengler <spender@grsecurity.net>
79559Date: Thu Jun 27 18:54:52 2013 -0400
79560
79561 Merge branch 'pax-test' into grsec-test
79562
79563commit 963af7f7f591759b731ce6325ceb583a72fcf423
79564Merge: c51e25a 55db48a
79565Author: Brad Spengler <spender@grsecurity.net>
79566Date: Thu Jun 27 18:54:42 2013 -0400
79567
79568 Merge branch 'linux-3.9.y' into pax-test
79569
79570commit 59571a9db7485f530a1e865a13cacc4c991ec41f
79571Author: Brad Spengler <spender@grsecurity.net>
79572Date: Wed Jun 26 18:39:08 2013 -0400
79573
79574 From: Mathias Krause <minipli@googlemail.com>
79575 To: Steffen Klassert <steffen.klassert@secunet.com>,
79576 "David S. Miller" <davem@davemloft.net>
79577 Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
79578 Herbert Xu <herbert@gondor.apana.org.au>
79579 Subject: [PATCH] af_key: fix info leaks in notify messages
79580
79581 key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
79582 the sadb_msg_reserved member of the broadcasted message and thereby
79583 leak 2 bytes of heap memory to listeners. Fix that.
79584
79585 Signed-off-by: Mathias Krause <minipli@googlemail.com>
79586 Cc: Steffen Klassert <steffen.klassert@secunet.com>
79587 Cc: "David S. Miller" <davem@davemloft.net>
79588 Cc: Herbert Xu <herbert@gondor.apana.org.au>
79589
79590 net/key/af_key.c | 2 ++
79591 1 files changed, 2 insertions(+), 0 deletions(-)
79592
79593commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
79594Author: Brad Spengler <spender@grsecurity.net>
79595Date: Wed Jun 26 18:33:06 2013 -0400
79596
79597 update rand_threadstack code to continue the search for a gap if the first
79598 choice doesn't have enough space, instead of returning ENOMEM
79599
79600 mm/mmap.c | 17 ++++++++++-------
79601 1 files changed, 10 insertions(+), 7 deletions(-)
79602
79603commit 87020d4a4d83038d65ff1fd519938840f6888b9e
79604Merge: 2682346 c51e25a
79605Author: Brad Spengler <spender@grsecurity.net>
79606Date: Wed Jun 26 18:25:32 2013 -0400
79607
79608 Merge branch 'pax-test' into grsec-test
79609
79610commit c51e25a23f30a1198076bd085f19b2073caf164d
79611Author: Brad Spengler <spender@grsecurity.net>
79612Date: Wed Jun 26 18:24:54 2013 -0400
79613
79614 Update to pax-linux-3.9.7-test12.patch:
79615 - fixed a regression on PARAVIRT/amd64 kernels
79616 - simplified the recent vm_unmapped_area_info based change
79617
79618 arch/x86/kernel/entry_64.S | 8 ++++----
79619 mm/mmap.c | 22 ++++++++++++----------
79620 2 files changed, 16 insertions(+), 14 deletions(-)
79621
79622commit 26823469a08e59cb67bea18d448d9e8c65f82e08
79623Author: Brad Spengler <spender@grsecurity.net>
79624Date: Tue Jun 25 21:26:51 2013 -0400
79625
79626 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
79627 vm_unmapped_area code is complete
79628
79629 arch/x86/kernel/sys_i386_32.c | 5 +++++
79630 grsecurity/Kconfig | 2 +-
79631 mm/mmap.c | 11 ++++++++++-
79632 3 files changed, 16 insertions(+), 2 deletions(-)
79633
79634commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
79635Merge: e58fe8c c4e0704
79636Author: Brad Spengler <spender@grsecurity.net>
79637Date: Tue Jun 25 19:08:52 2013 -0400
79638
79639 Merge branch 'pax-test' into grsec-test
79640
79641 Conflicts:
79642 arch/x86/kernel/sys_i386_32.c
79643
79644commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
79645Author: Brad Spengler <spender@grsecurity.net>
79646Date: Tue Jun 25 19:05:39 2013 -0400
79647
79648 Update to pax-linux-3.9.7-test11.patch:
79649 - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
79650 - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
79651 - fixed the recent nested nmi related fixes some more
79652 - fixed a regression in kernel memory initialization on relocatable i386 kernels
79653 - empty_zero_page can be read-only on amd64 as well
79654
79655 arch/arm/mm/mmap.c | 6 --
79656 arch/x86/kernel/entry_64.S | 8 +--
79657 arch/x86/kernel/head_64.S | 1 -
79658 arch/x86/kernel/setup.c | 2 +-
79659 arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++----------------------------
79660 drivers/lguest/core.c | 2 +-
79661 include/linux/mm.h | 6 +-
79662 include/linux/vmalloc.h | 2 +-
79663 mm/mmap.c | 30 +++++++-
79664 9 files changed, 83 insertions(+), 134 deletions(-)
79665
79666commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
79667Author: Brad Spengler <spender@grsecurity.net>
79668Date: Sun Jun 23 14:37:14 2013 -0400
79669
79670 second compile fix, reported by forsaken on forums
79671
79672 include/linux/vmalloc.h | 2 +-
79673 1 files changed, 1 insertions(+), 1 deletions(-)
79674
79675commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
79676Author: Brad Spengler <spender@grsecurity.net>
79677Date: Sun Jun 23 14:36:35 2013 -0400
79678
79679 compile fix, reported by KDE on forums
79680
79681 kernel/printk.c | 7 -------
79682 1 files changed, 0 insertions(+), 7 deletions(-)
79683
79684commit 1fc9a5e2e267205d28302e1e86ca0da434561111
79685Author: Ben Hutchings <ben@decadent.org.uk>
79686Date: Sun Jun 16 21:27:12 2013 +0100
79687
79688 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
79689
79690 x86/efi: Fix dummy variable buffer allocation
79691
79692 1. Check for allocation failure
79693 2. Clear the buffer contents, as they may actually be written to flash
79694 3. Don't leak the buffer
79695
79696 Compile-tested only.
79697
79698 [ Tested successfully on my buggy ASUS machine - Matt ]
79699
79700 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
79701 Cc: stable@vger.kernel.org
79702 Signed-off-by: Matt Fleming <matt.fleming@intel.com>
79703
79704 arch/x86/platform/efi/efi.c | 7 ++++++-
79705 1 files changed, 6 insertions(+), 1 deletions(-)
79706
79707commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
79708Author: Dave Kleikamp <dave.kleikamp@oracle.com>
79709Date: Tue Jun 18 09:05:36 2013 -0500
79710
79711 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
79712
79713 sparc: tsb must be flushed before tlb
79714
79715 This fixes a race where a cpu may re-load a tlb from a stale tsb right
79716 after it has been flushed by a remote function call.
79717
79718 I still see some instability when stressing the system with parallel
79719 kernel builds while creating memory pressure by writing to
79720 /proc/sys/vm/nr_hugepages, but this patch improves the stability
79721 significantly.
79722
79723 Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
79724 Acked-by: Bob Picco <bob.picco@oracle.com>
79725 Signed-off-by: David S. Miller <davem@davemloft.net>
79726
79727 arch/sparc/mm/tlb.c | 2 +-
79728 1 files changed, 1 insertions(+), 1 deletions(-)
79729
79730commit d93b62f6485db9aadda34322a6867868db07f56f
79731Merge: 4ef62f5 71d83e9
79732Author: Brad Spengler <spender@grsecurity.net>
79733Date: Fri Jun 21 16:52:55 2013 -0400
79734
79735 Merge branch 'pax-test' into grsec-test
79736
79737 Conflicts:
79738 security/Kconfig
79739
79740commit 71d83e97c936563913bcfb5a25c45b2021a331eb
79741Author: Brad Spengler <spender@grsecurity.net>
79742Date: Fri Jun 21 16:48:42 2013 -0400
79743
79744 Update to pax-linux-3.9.7-test10.patch:
79745 - fixed a few format string problems uncovered by -Wformat-nonliteral
79746 - another attempt at fixing the nested nmi/cr0.wp problem
79747 - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
79748 - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
79749 - fixed a locking issue with track_exec_limit reported by spender
79750 - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)
79751
79752 Documentation/dontdiff | 1 +
79753 arch/x86/boot/compressed/efi_stub_32.S | 16 ++-----
79754 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
79755 arch/x86/kernel/e820.c | 4 +-
79756 arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------
79757 arch/x86/kernel/vmlinux.lds.S | 2 +-
79758 block/genhd.c | 11 +++--
79759 crypto/algapi.c | 2 +-
79760 crypto/pcrypt.c | 6 +-
79761 drivers/base/attribute_container.c | 2 +-
79762 drivers/base/power/sysfs.c | 2 +-
79763 drivers/block/nbd.c | 2 +-
79764 drivers/cdrom/cdrom.c | 2 +-
79765 drivers/char/hw_random/intel-rng.c | 2 +-
79766 drivers/char/mem.c | 2 +-
79767 drivers/devfreq/devfreq.c | 2 +-
79768 drivers/gpu/drm/drm_encoder_slave.c | 6 +--
79769 drivers/gpu/drm/drm_sysfs.c | 2 +-
79770 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
79771 drivers/iommu/irq_remapping.c | 2 +-
79772 drivers/video/output.c | 2 +-
79773 fs/ext4/mmp.c | 2 +-
79774 fs/ext4/super.c | 2 +-
79775 fs/lockd/svc.c | 2 +-
79776 fs/nfs/callback.c | 4 +-
79777 fs/nfs/nfs4state.c | 2 +-
79778 fs/nfsd/nfscache.c | 3 +-
79779 init/initramfs.c | 2 +-
79780 kernel/rcutree.c | 2 +-
79781 lib/kobject.c | 2 +-
79782 mm/backing-dev.c | 4 +-
79783 mm/mmap.c | 4 +-
79784 mm/slub.c | 2 +-
79785 mm/vmalloc.c | 15 +++----
79786 net/bluetooth/hci_core.c | 8 ++--
79787 net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
79788 net/sunrpc/svc.c | 2 +-
79789 security/Kconfig | 15 +++---
79790 sound/core/sound.c | 2 +-
79791 sound/sound_core.c | 2 +-
79792 40 files changed, 116 insertions(+), 111 deletions(-)
79793
79794commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
79795Merge: 39efd8f 256eff7
79796Author: Brad Spengler <spender@grsecurity.net>
79797Date: Fri Jun 21 16:45:15 2013 -0400
79798
79799 Merge branch 'pax-test' into grsec-test
79800
79801 Conflicts:
79802 kernel/printk.c
79803
79804commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
79805Merge: e6e3059 485f25f
79806Author: Brad Spengler <spender@grsecurity.net>
79807Date: Thu Jun 20 22:14:24 2013 -0400
79808
79809 Merge branch 'linux-3.9.y' into pax-test
79810
79811commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
79812Author: Brad Spengler <spender@grsecurity.net>
79813Date: Tue Jun 18 17:20:18 2013 -0400
79814
79815 add apparmor compat patch
79816
79817 security/apparmor/Kconfig | 9 ++
79818 security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
79819 2 files changed, 240 insertions(+), 0 deletions(-)
79820
79821commit 49bee3c5341687504669bf62becf4a419a226ba0
79822Author: Brad Spengler <spender@grsecurity.net>
79823Date: Mon Jun 17 18:48:04 2013 -0400
79824
79825 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
79826
79827 This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.
79828
79829 kernel/sys.c | 29 +++--------------------------
79830 1 files changed, 3 insertions(+), 26 deletions(-)
79831
79832commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
79833Author: Al Viro <viro@ZenIV.linux.org.uk>
79834Date: Sun Jun 16 18:06:06 2013 +0100
79835
79836 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
79837
79838 lseek(fd, n, SEEK_END) does *not* go to eof - n
79839
79840 When you copy some code, you are supposed to read it. If nothing else,
79841 there's a chance to spot and fix an obvious bug instead of sharing it...
79842
79843 X-Song: "I Got It From Agnes", by Tom Lehrer
79844 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
79845 [ Tom Lehrer? You're dating yourself, Al ]
79846 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
79847
79848 drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
79849 drivers/scsi/bfa/bfad_debugfs.c | 2 +-
79850 drivers/scsi/fnic/fnic_debugfs.c | 2 +-
79851 drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
79852 4 files changed, 4 insertions(+), 4 deletions(-)
79853
79854commit 5a450f1c46f0c84379518aee878993d3f4a331b6
79855Author: Theodore Ts'o <tytso@mit.edu>
79856Date: Thu Jun 6 11:14:31 2013 -0400
79857
79858 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
79859
79860 ext4: verify group number in verify_group_input() before using it
79861
79862 Check the group number for sanity earilier, before calling routines
79863 such as ext4_bg_has_super() or ext4_group_overhead_blocks().
79864
79865 Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
79866 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
79867
79868 fs/ext4/resize.c | 17 +++++++++++------
79869 1 files changed, 11 insertions(+), 6 deletions(-)
79870
79871commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
79872Author: Neil Horman <nhorman@tuxdriver.com>
79873Date: Wed Jun 12 14:26:44 2013 -0400
79874
79875 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
79876
79877 sctp: fully initialize sctp_outq in sctp_outq_init
79878
79879 In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
79880 (refactor sctp_outq_teardown to insure proper re-initalization)
79881 we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
79882 outq structure. Steve West recently asked me why I removed the q->error = 0
79883 initalization from sctp_outq_teardown. I did so because I was operating under
79884 the impression that sctp_outq_init would properly initalize that value for us,
79885 but it doesn't. sctp_outq_init operates under the assumption that the outq
79886 struct is all 0's (as it is when called from sctp_association_init), but using
79887 it in __sctp_outq_teardown violates that assumption. We should do a memset in
79888 sctp_outq_init to ensure that the entire structure is in a known state there
79889 instead.
79890
79891 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
79892 Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
79893 CC: Vlad Yasevich <vyasevich@gmail.com>
79894 CC: netdev@vger.kernel.org
79895 CC: davem@davemloft.net
79896 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
79897 Signed-off-by: David S. Miller <davem@davemloft.net>
79898
79899 Conflicts:
79900
79901 net/sctp/outqueue.c
79902
79903 net/sctp/outqueue.c | 8 ++------
79904 1 files changed, 2 insertions(+), 6 deletions(-)
79905
79906commit e13515ad7a9c7634599a105b2527752e527a905d
79907Author: Saurabh Mohan <saurabh@vyatta.com>
79908Date: Mon Jun 10 17:45:10 2013 -0700
79909
79910 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
79911
79912 net/ipv4: ip_vti clear skb cb before tunneling.
79913
79914 If users apply shaper to vti tunnel then it will cause a kernel crash. The
79915 problem seems to be due to the vti_tunnel_xmit function not clearing
79916 skb->opt field before passing the packet to xfrm tunneling code.
79917
79918 Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
79919 Acked-by: Stephen Hemminger <stephen@networkplumber.org>
79920 Signed-off-by: David S. Miller <davem@davemloft.net>
79921
79922 net/ipv4/ip_vti.c | 3 +--
79923 1 files changed, 1 insertions(+), 2 deletions(-)
79924
79925commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
79926Author: Guillaume Nault <g.nault@alphalink.fr>
79927Date: Wed Jun 12 16:07:36 2013 +0200
79928
79929 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
79930
79931 l2tp: Fix sendmsg() return value
79932
79933 PPPoL2TP sockets should comply with the standard send*() return values
79934 (i.e. return number of bytes sent instead of 0 upon success).
79935
79936 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
79937 Signed-off-by: David S. Miller <davem@davemloft.net>
79938
79939 net/l2tp/l2tp_ppp.c | 2 +-
79940 1 files changed, 1 insertions(+), 1 deletions(-)
79941
79942commit af361b412e816e894fb42ddff7a0545b7def64c0
79943Author: Guillaume Nault <g.nault@alphalink.fr>
79944Date: Wed Jun 12 16:07:23 2013 +0200
79945
79946 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
79947
79948 l2tp: Fix PPP header erasure and memory leak
79949
79950 Copy user data after PPP framing header. This prevents erasure of the
79951 added PPP header and avoids leaking two bytes of uninitialised memory
79952 at the end of skb's data buffer.
79953
79954 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
79955 Signed-off-by: David S. Miller <davem@davemloft.net>
79956
79957 net/l2tp/l2tp_ppp.c | 4 ++--
79958 1 files changed, 2 insertions(+), 2 deletions(-)
79959
79960commit 1f43aca088c35dda35abf76e08544e534c71fed4
79961Author: Daniel Borkmann <dborkman@redhat.com>
79962Date: Wed Jun 12 16:02:27 2013 +0200
79963
79964 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
79965
79966 packet: packet_getname_spkt: make sure string is always 0-terminated
79967
79968 uaddr->sa_data is exactly of size 14, which is hard-coded here and
79969 passed as a size argument to strncpy(). A device name can be of size
79970 IFNAMSIZ (== 16), meaning we might leave the destination string
79971 unterminated. Thus, use strlcpy() and also sizeof() while we're
79972 at it. We need to memset the data area beforehand, since strlcpy
79973 does not padd the remaining buffer with zeroes for user space, so
79974 that we do not possibly leak anything.
79975
79976 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
79977 Signed-off-by: David S. Miller <davem@davemloft.net>
79978
79979 net/packet/af_packet.c | 5 ++---
79980 1 files changed, 2 insertions(+), 3 deletions(-)
79981
79982commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
79983Author: Andy Lutomirski <luto@amacapital.net>
79984Date: Wed Jun 5 19:38:26 2013 +0000
79985
79986 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
79987
79988 net: Unbreak compat_sys_{send,recv}msg
79989
79990 I broke them in this commit:
79991
79992 commit 1be374a0518a288147c6a7398792583200a67261
79993 Author: Andy Lutomirski <luto@amacapital.net>
79994 Date: Wed May 22 14:07:44 2013 -0700
79995
79996 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
79997
79998 This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
79999 MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It
80000 also reverts some unnecessary checks in sys_socketcall.
80001
80002 Apparently I was suffering from underscore blindness the first time around.
80003
80004 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
80005 Tested-by: Eric Dumazet <edumazet@google.com>
80006 Signed-off-by: David S. Miller <davem@davemloft.net>
80007
80008 include/linux/socket.h | 3 ++
80009 net/compat.c | 13 +++++++-
80010 net/socket.c | 72 ++++++++++++++++++++++--------------------------
80011 3 files changed, 47 insertions(+), 41 deletions(-)
80012
80013commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
80014Author: Andy Lutomirski <luto@amacapital.net>
80015Date: Wed May 22 14:07:44 2013 -0700
80016
80017 Upstream commit: 1be374a0518a288147c6a7398792583200a67261
80018
80019 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
80020
80021 To: linux-kernel@vger.kernel.org
80022 Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
80023 Miller" <davem@davemloft.net>
80024 Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
80025
80026 MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
80027 it's a hack that steals a bit to indicate to other networking code
80028 that a compat entry was used. So don't allow it from a non-compat
80029 syscall.
80030
80031 This prevents an oops when running this code:
80032
80033 int main()
80034 {
80035 int s;
80036 struct sockaddr_in addr;
80037 struct msghdr *hdr;
80038
80039 char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
80040 PROT_READ | PROT_WRITE,
80041 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
80042 if (highpage == MAP_FAILED)
80043 err(1, "mmap");
80044
80045 s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
80046 if (s == -1)
80047 err(1, "socket");
80048
80049 addr.sin_family = AF_INET;
80050 addr.sin_port = htons(1);
80051 addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
80052 if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
80053 err(1, "connect");
80054
80055 void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
80056 printf("Evil address is %p\n", evil);
80057
80058 if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
80059 err(1, "sendmmsg");
80060
80061 return 0;
80062 }
80063
80064 Cc: David S. Miller <davem@davemloft.net>
80065 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
80066 Signed-off-by: David S. Miller <davem@davemloft.net>
80067
80068 net/socket.c | 33 +++++++++++++++++++++++++++++++--
80069 1 files changed, 31 insertions(+), 2 deletions(-)
80070
80071commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
80072Author: Kees Cook <keescook@chromium.org>
80073Date: Fri May 10 14:48:21 2013 -0700
80074
80075 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
80076
80077 b43: stop format string leaking into error msgs
80078
80079 The module parameter "fwpostfix" is userspace controllable, unfiltered,
80080 and is used to define the firmware filename. b43_do_request_fw() populates
80081 ctx->errors[] on error, containing the firmware filename. b43err()
80082 parses its arguments as a format string. For systems with b43 hardware,
80083 this could lead to a uid-0 to ring-0 escalation.
80084
80085 CVE-2013-2852
80086
80087 Signed-off-by: Kees Cook <keescook@chromium.org>
80088 Cc: stable@vger.kernel.org
80089 Signed-off-by: John W. Linville <linville@tuxdriver.com>
80090
80091 drivers/net/wireless/b43/main.c | 2 +-
80092 1 files changed, 1 insertions(+), 1 deletions(-)
80093
80094commit dfb67a67049ace7b94ad7e2febfac69816d50d85
80095Author: Mark A. Greer <mgreer@animalcreek.com>
80096Date: Wed May 29 12:25:34 2013 -0700
80097
80098 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
80099
80100 mwifiex: debugfs: Fix out of bounds array access
80101
80102 When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
80103 the following panic occurs:
80104
80105 $ cat /sys/kernel/debug/mwifiex/p2p0/info
80106 Unable to handle kernel paging request at virtual address 74706164
80107 pgd = de530000
80108 [74706164] *pgd=00000000
80109 Internal error: Oops: 5 [#1] SMP ARM
80110 Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
80111 CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
80112 task: de16b6c0 ti: de048000 task.ti: de048000
80113 PC is at strnlen+0xc/0x4c
80114 LR is at string+0x3c/0xf8
80115 pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013
80116 sp : de049e10 ip : c06efba0 fp : de6d2092
80117 r10: bf01a260 r9 : ffffffff r8 : 74706164
80118 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000
80119 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164
80120 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
80121 Control: 10c5387d Table: 9e530019 DAC: 00000015
80122 Process cat (pid: 1635, stack limit = 0xde048240)
80123 Stack: (0xde049e10 to 0xde04a000)
80124 9e00: de6d2092 00000002 bf01a25e de6d209c
80125 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
80126 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
80127 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
80128 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
80129 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
80130 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
80131 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
80132 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
80133 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
80134 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
80135 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
80136 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
80137 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
80138 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
80139 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
80140 [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
80141 [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
80142 [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
80143 [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
80144 [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
80145 [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
80146 [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
80147 Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
80148 ---[ end trace ca98273dc605a04f ]---
80149
80150 The panic is caused by the mwifiex_info_read() routine assuming that
80151 there can only be four modes (0-3) which is an invalid assumption.
80152 For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
80153 code accesses data beyond the bounds of the bss_modes[] array which
80154 causes the panic. Fix this by updating bss_modes[] to support the
80155 current list of modes and adding a check to prevent the out-of-bounds
80156 access from occuring in the future when more modes are added.
80157
80158 Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
80159 Acked-by: Bing Zhao <bzhao@marvell.com>
80160 Signed-off-by: John W. Linville <linville@tuxdriver.com>
80161
80162 drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
80163 1 files changed, 17 insertions(+), 5 deletions(-)
80164
80165commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
80166Author: Johan Hedberg <johan.hedberg@intel.com>
80167Date: Tue May 28 13:46:30 2013 +0300
80168
80169 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
80170
80171 Bluetooth: Fix missing length checks for L2CAP signalling PDUs
80172
80173 There has been code in place to check that the L2CAP length header
80174 matches the amount of data received, but many PDU handlers have not been
80175 checking that the data received actually matches that expected by the
80176 specific PDU. This patch adds passing the length header to the specific
80177 handler functions and ensures that those functions fail cleanly in the
80178 case of an incorrect amount of data.
80179
80180 Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
80181 Cc: stable@vger.kernel.org
80182 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
80183 Signed-off-by: John W. Linville <linville@tuxdriver.com>
80184
80185 net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++-----------
80186 1 files changed, 52 insertions(+), 18 deletions(-)
80187
80188commit 628be2427afb241b5a1aa24bc5907d05287e1f25
80189Author: Dan Carpenter <dan.carpenter@oracle.com>
80190Date: Mon Jun 3 12:00:49 2013 +0300
80191
80192 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
80193
80194 ipvs: info leak in __ip_vs_get_dest_entries()
80195
80196 The entry struct has a 2 byte hole after ->port and another 4 byte
80197 hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your
80198 namespace to hit this information leak.
80199
80200 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
80201 Acked-by: Julian Anastasov <ja@ssi.bg>
80202 Signed-off-by: Simon Horman <horms@verge.net.au>
80203 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
80204
80205 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
80206 1 files changed, 1 insertions(+), 0 deletions(-)
80207
80208commit 066d9226bc6c569d5f420c978b758e0bddd23444
80209Author: Robin Holt <holt@sgi.com>
80210Date: Wed Jun 12 14:04:37 2013 -0700
80211
80212 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
80213
80214 reboot: rigrate shutdown/reboot to boot cpu
80215
80216 We recently noticed that reboot of a 1024 cpu machine takes approx 16
80217 minutes of just stopping the cpus. The slowdown was tracked to commit
80218 f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
80219 kernel_restart()").
80220
80221 The current implementation does all the work of hot removing the cpus
80222 before halting the system. We are switching to just migrating to the
80223 boot cpu and then continuing with shutdown/reboot.
80224
80225 This also has the effect of not breaking x86's command line parameter
80226 for specifying the reboot cpu. Note, this code was shamelessly copied
80227 from arch/x86/kernel/reboot.c with bits removed pertaining to the
80228 reboot_cpu command line parameter.
80229
80230 Signed-off-by: Robin Holt <holt@sgi.com>
80231 Tested-by: Shawn Guo <shawn.guo@linaro.org>
80232 Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
80233 Cc: H. Peter Anvin <hpa@zytor.com>
80234 Cc: Thomas Gleixner <tglx@linutronix.de>
80235 Cc: Ingo Molnar <mingo@elte.hu>
80236 Cc: Russ Anderson <rja@sgi.com>
80237 Cc: Robin Holt <holt@sgi.com>
80238 Cc: Russell King <linux@arm.linux.org.uk>
80239 Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
80240 Cc: <stable@vger.kernel.org>
80241 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
80242 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
80243
80244 kernel/sys.c | 29 ++++++++++++++++++++++++++---
80245 1 files changed, 26 insertions(+), 3 deletions(-)
80246
80247commit 94e2a91600b07d39825e7059195f35eb611a39a2
80248Merge: 20cc761 e6e3059
80249Author: Brad Spengler <spender@grsecurity.net>
80250Date: Thu Jun 13 16:23:46 2013 -0400
80251
80252 Merge branch 'pax-test' into grsec-test
80253
80254commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
80255Merge: c6aadb1 4b73feb
80256Author: Brad Spengler <spender@grsecurity.net>
80257Date: Thu Jun 13 16:23:39 2013 -0400
80258
80259 Merge branch 'linux-3.9.y' into pax-test
80260
80261commit 20cc7613e38cde07adc73179a91d6c15292e8d43
80262Author: Daniel Borkmann <dborkman@redhat.com>
80263Date: Thu Jun 6 15:53:47 2013 +0200
80264
80265 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
80266
80267 net: sctp: fix NULL pointer dereference in socket destruction
80268
80269 While stress testing sctp sockets, I hit the following panic:
80270
80271 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
80272 IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
80273 PGD 7cead067 PUD 7ce76067 PMD 0
80274 Oops: 0000 [#1] SMP
80275 Modules linked in: sctp(F) libcrc32c(F) [...]
80276 CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
80277 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
80278 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
80279 RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
80280 RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
80281 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
80282 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
80283 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
80284 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
80285 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
80286 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
80287 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
80288 CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
80289 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
80290 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
80291 Stack:
80292 ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
80293 ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
80294 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
80295 Call Trace:
80296 [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
80297 [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
80298 [<ffffffff814df36e>] inet_create+0x2ae/0x350
80299 [<ffffffff81455a6f>] __sock_create+0x11f/0x240
80300 [<ffffffff81455bf0>] sock_create+0x30/0x40
80301 [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
80302 [<ffffffff815403be>] ? do_page_fault+0xe/0x10
80303 [<ffffffff8153cb32>] ? page_fault+0x22/0x30
80304 [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
80305 Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
80306 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
80307 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
80308 RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
80309 RSP <ffff88007b569e08>
80310 CR2: 0000000000000020
80311 ---[ end trace e0d71ec1108c1dd9 ]---
80312
80313 I did not hit this with the lksctp-tools functional tests, but with a
80314 small, multi-threaded test program, that heavily allocates, binds,
80315 listens and waits in accept on sctp sockets, and then randomly kills
80316 some of them (no need for an actual client in this case to hit this).
80317 Then, again, allocating, binding, etc, and then killing child processes.
80318
80319 This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
80320 is set. The cause for that is actually very simple: in sctp_endpoint_init()
80321 we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
80322 our crypto transforms through crypto_alloc_hash(). In our scenario,
80323 it then can happen that crypto_alloc_hash() fails with -EINTR from
80324 crypto_larval_wait(), thus we bail out and release the socket via
80325 sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
80326 dereference as soon as we try to access members in the endpoint during
80327 sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
80328 if we have that case, we do not need to do any cleanup work and just
80329 leave the destruction handler.
80330
80331 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
80332 Acked-by: Neil Horman <nhorman@tuxdriver.com>
80333 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
80334 Signed-off-by: David S. Miller <davem@davemloft.net>
80335
80336 net/sctp/socket.c | 6 ++++++
80337 1 files changed, 6 insertions(+), 0 deletions(-)
80338
80339commit 386ba837978cc8a1111440bdcd8600f2df4634a4
80340Author: Brad Spengler <spender@grsecurity.net>
80341Date: Wed Jun 12 20:37:48 2013 -0400
80342
80343 fix deadlock when booting i386 kernel without NX
80344
80345 mm/mmap.c | 4 +++-
80346 1 files changed, 3 insertions(+), 1 deletions(-)
80347
80348commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
80349Author: Brad Spengler <spender@grsecurity.net>
80350Date: Tue Jun 11 22:18:07 2013 -0400
80351
80352 fix elif / elif defined() typo in recent change
80353
80354 kernel/events/core.c | 2 +-
80355 1 files changed, 1 insertions(+), 1 deletions(-)
80356
80357commit bc43377e1e757cd37a06be0187884a42af718aab
80358Merge: 3cdea63 c6aadb1
80359Author: Brad Spengler <spender@grsecurity.net>
80360Date: Tue Jun 11 18:50:39 2013 -0400
80361
80362 Merge branch 'pax-test' into grsec-test
80363
80364commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
80365Author: Brad Spengler <spender@grsecurity.net>
80366Date: Tue Jun 11 18:49:36 2013 -0400
80367
80368 Update to pax-linux-3.9.4-test9.patch:
80369 - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
80370 - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort
80371
80372 arch/x86/kernel/setup.c | 2 +-
80373 mm/mlock.c | 1 -
80374 2 files changed, 1 insertions(+), 2 deletions(-)
80375
80376commit 3cdea63e90607d8d55820b101854091623feedb8
80377Author: Brad Spengler <spender@grsecurity.net>
80378Date: Mon Jun 10 21:21:44 2013 -0400
80379
80380 Fix fanotify infoleak reported by Dan Carpenter at:
80381 https://lkml.org/lkml/2013/6/3/128
80382
80383 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets
80384
80385 fs/notify/fanotify/fanotify_user.c | 1 +
80386 1 files changed, 1 insertions(+), 0 deletions(-)
80387
80388commit 373a2b5df78f82b9d3db72bd6577e29a71591323
80389Author: Brad Spengler <spender@grsecurity.net>
80390Date: Mon Jun 10 21:16:46 2013 -0400
80391
80392 Backport infoleak fix by Dan Carpenter in cpqarray:
80393 https://lkml.org/lkml/2013/6/3/131
80394
80395 drivers/block/cpqarray.c | 1 +
80396 1 files changed, 1 insertions(+), 0 deletions(-)
80397
80398commit 251e84b9b05e063981b20be154c9389862f94759
80399Author: Brad Spengler <spender@grsecurity.net>
80400Date: Mon Jun 10 21:04:17 2013 -0400
80401
80402 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2
80403
80404 drivers/cdrom/cdrom.c | 4 ++--
80405 1 files changed, 2 insertions(+), 2 deletions(-)
80406
80407commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
80408Author: Brad Spengler <spender@grsecurity.net>
80409Date: Mon Jun 10 18:34:32 2013 -0400
80410
80411 change const to __read_only
80412
80413 kernel/sysctl.c | 18 +++++++++---------
80414 1 files changed, 9 insertions(+), 9 deletions(-)
80415
80416commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
80417Author: Brad Spengler <spender@grsecurity.net>
80418Date: Mon Jun 10 17:34:13 2013 -0400
80419
80420 compile fix, make const values const
80421
80422 kernel/sysctl.c | 18 +++++++++---------
80423 1 files changed, 9 insertions(+), 9 deletions(-)
80424
80425commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
80426Author: Brad Spengler <spender@grsecurity.net>
80427Date: Mon Jun 10 17:37:13 2013 -0400
80428
80429 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a
80430
80431 drivers/char/mwave/tp3780i.c | 1 +
80432 1 files changed, 1 insertions(+), 0 deletions(-)
80433
80434commit 1c590aa70c95ebd76ba9672aa23d800b81780615
80435Author: Brad Spengler <spender@grsecurity.net>
80436Date: Sun Jun 9 19:50:35 2013 -0400
80437
80438 allow -1 perf_event_paranoid
80439
80440 kernel/sysctl.c | 2 +-
80441 1 files changed, 1 insertions(+), 1 deletions(-)
80442
80443commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
80444Merge: 4e85539 117c3fa
80445Author: Brad Spengler <spender@grsecurity.net>
80446Date: Sun Jun 9 17:30:12 2013 -0400
80447
80448 Merge branch 'pax-test' into grsec-test
80449
80450commit 117c3fa8d26c3806103123560f807d99071b60b6
80451Merge: ed9b427 5dd2e98
80452Author: Brad Spengler <spender@grsecurity.net>
80453Date: Sun Jun 9 17:30:00 2013 -0400
80454
80455 Merge branch 'linux-3.9.y' into pax-test
80456
80457commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
80458Author: Eric Dumazet <edumazet@google.com>
80459Date: Mon May 13 21:25:52 2013 +0000
80460
80461 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
80462
80463 tcp: fix tcp_md5_hash_skb_data()
80464
80465 TCP md5 communications fail [1] for some devices, because sg/crypto code
80466 assume page offsets are below PAGE_SIZE.
80467
80468 This was discovered using mlx4 driver [2], but I suspect loopback
80469 might trigger the same bug now we use order-3 pages in tcp_sendmsg()
80470
80471 [1] Failure is giving following messages.
80472
80473 huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
80474 exited with 00000101?
80475
80476 [2] mlx4 driver uses order-2 pages to allocate RX frags
80477
80478 Reported-by: Matt Schnall <mischnal@google.com>
80479 Signed-off-by: Eric Dumazet <edumazet@google.com>
80480 Cc: Bernhard Beck <bbeck@google.com>
80481 Signed-off-by: David S. Miller <davem@davemloft.net>
80482
80483 net/ipv4/tcp.c | 7 +++++--
80484 1 files changed, 5 insertions(+), 2 deletions(-)
80485
80486commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
80487Author: Eric Dumazet <edumazet@google.com>
80488Date: Fri May 17 04:53:13 2013 +0000
80489
80490 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
80491
80492 ipv6: fix possible crashes in ip6_cork_release()
80493
80494 commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
80495 added some code duplication and bad error recovery, leading to potential
80496 crash in ip6_cork_release() as kfree() could be called with garbage.
80497
80498 use kzalloc() to make sure this wont happen.
80499
80500 Signed-off-by: Eric Dumazet <edumazet@google.com>
80501 Signed-off-by: David S. Miller <davem@davemloft.net>
80502 Cc: Herbert Xu <herbert@gondor.apana.org.au>
80503 Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
80504 Cc: Neal Cardwell <ncardwell@google.com>
80505
80506 net/ipv6/ip6_output.c | 2 +-
80507 1 files changed, 1 insertions(+), 1 deletions(-)
80508
80509commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
80510Author: Chen Gang <gang.chen@asianux.com>
80511Date: Thu May 16 23:13:04 2013 +0000
80512
80513 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
80514
80515 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
80516
80517 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
80518 strncpy() will always left the last byte of 'discovery->data.info'
80519 uninitialized.
80520
80521 When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
80522 the last byte of 'discovery->data.info' uninitialized, the next
80523 strlen() will cause issue.
80524
80525 Also 'discovery->data' is 'struct irda_device_info' which defined in
80526 "include/uapi/...", it may copy to user mode, so need whole initialized.
80527
80528 All together, need use kzalloc() instead of kmalloc() to initialize all
80529 members firstly.
80530
80531 Signed-off-by: Chen Gang <gang.chen@asianux.com>
80532 Signed-off-by: David S. Miller <davem@davemloft.net>
80533
80534 net/irda/irlap_frame.c | 2 +-
80535 1 files changed, 1 insertions(+), 1 deletions(-)
80536
80537commit c01c9af268cb066f240aec53454b8b74d8d01688
80538Author: Dan Carpenter <dan.carpenter@oracle.com>
80539Date: Sun May 19 08:36:36 2013 +0000
80540
80541 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
80542
80543 isdn/kcapi: fix a small underflow
80544
80545 In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
80546 from skb->data. The current code can underflow to one space before the
80547 start of the array.
80548
80549 The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
80550 it to match the others.
80551
80552 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
80553 Signed-off-by: David S. Miller <davem@davemloft.net>
80554
80555 drivers/isdn/capi/kcapi.c | 6 +++---
80556 1 files changed, 3 insertions(+), 3 deletions(-)
80557
80558commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
80559Author: Timo Teräs <timo.teras@iki.fi>
80560Date: Wed May 22 01:40:47 2013 +0000
80561
80562 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
80563
80564 xfrm: properly handle invalid states as an error
80565
80566 The error exit path needs err explicitly set. Otherwise it
80567 returns success and the only caller, xfrm_output_resume(),
80568 would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
80569 NULL.
80570
80571 Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
80572 check and add a statistic).
80573
80574 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
80575 Cc: Li RongQing <roy.qing.li@gmail.com>
80576 Cc: Steffen Klassert <steffen.klassert@secunet.com>
80577 Signed-off-by: David S. Miller <davem@davemloft.net>
80578
80579 net/xfrm/xfrm_output.c | 1 +
80580 1 files changed, 1 insertions(+), 0 deletions(-)
80581
80582commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
80583Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
80584Date: Fri May 31 15:07:52 2013 -0400
80585
80586 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
80587
80588 reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
80589
80590 After sleeping for filldir(), we check to see if the file system has
80591 changed and research. The next_pos pointer is updated but its value
80592 isn't pushed into the key used for the search itself. As a result,
80593 the search returns the same item that the last cycle of the loop did
80594 and filldir() is called multiple times with the same data.
80595
80596 The end result is that the buffer can contain the same name multiple
80597 times. This can be returned to userspace or used internally in the
80598 xattr code where it can manifest with the following warning:
80599
80600 jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
80601
80602 reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
80603 the xattr names and ends up trying to unlink the same name twice. The
80604 second attempt fails with -ENOENT and the error is returned. At some
80605 point I'll need to add support into reiserfsck to remove the orphaned
80606 directories left behind when this occurs.
80607
80608 The fix is to push the value into the key before researching.
80609
80610 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
80611 Signed-off-by: Jan Kara <jack@suse.cz>
80612
80613 fs/reiserfs/dir.c | 2 ++
80614 1 files changed, 2 insertions(+), 0 deletions(-)
80615
80616commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
80617Author: Jeff Mahoney <jeffm@suse.com>
80618Date: Fri May 31 15:51:17 2013 -0400
80619
80620 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
80621
80622 reiserfs: fix deadlock with nfs racing on create/lookup
80623
80624 Reiserfs is currently able to be deadlocked by having two NFS clients
80625 where one has removed and recreated a file and another is accessing the
80626 file with an open file handle.
80627
80628 If one client deletes and recreates a file with timing such that the
80629 recreated file obtains the same [dirid, objectid] pair as the original
80630 file while another client accesses the file via file handle, the create
80631 and lookup can race and deadlock if the lookup manages to create the
80632 in-memory inode first.
80633
80634 The create thread, in insert_inode_locked4, will hold the write lock
80635 while waiting on the other inode to be unlocked. The lookup thread,
80636 anywhere in the iget path, will release and reacquire the write lock while
80637 it schedules. If it needs to reacquire the lock while the create thread
80638 has it, it will never be able to make forward progress because it needs
80639 to reacquire the lock before ultimately unlocking the inode.
80640
80641 This patch drops the write lock across the insert_inode_locked4 call so
80642 that the ordering of inode_wait -> write lock is retained. Since this
80643 would have been the case before the BKL push-down, this is safe.
80644
80645 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
80646 Signed-off-by: Jan Kara <jack@suse.cz>
80647
80648 fs/reiserfs/inode.c | 9 +++++++--
80649 1 files changed, 7 insertions(+), 2 deletions(-)
80650
80651commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
80652Author: Jeff Mahoney <jeffm@suse.com>
80653Date: Fri May 31 15:54:17 2013 -0400
80654
80655 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
80656
80657 reiserfs: fix problems with chowning setuid file w/ xattrs
80658
80659 reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
80660 and uses it to iterate over all the attrs associated with a file to change
80661 ownership of xattrs (and transfer quota associated with the xattr files).
80662
80663 When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
80664 are passed to all the xattrs as well. This means that the xattr directory
80665 will have S_IFREG added to its mode bits.
80666
80667 This has been prevented in practice by a missing IS_PRIVATE check
80668 in reiserfs_acl_chmod, which caused a double-lock to occur while holding
80669 the write lock. Since the file system was completely locked up, the
80670 writeout of the corrupted mode never happened.
80671
80672 This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
80673 calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
80674
80675 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
80676 Signed-off-by: Jan Kara <jack@suse.cz>
80677
80678 fs/reiserfs/xattr.c | 14 +++++++++++++-
80679 fs/reiserfs/xattr_acl.c | 3 +++
80680 2 files changed, 16 insertions(+), 1 deletions(-)
80681
80682commit c18cef940310c06bdf86d64d8cb227e56e165300
80683Author: Dave Chinner <dchinner@redhat.com>
80684Date: Mon May 27 16:38:25 2013 +1000
80685
80686 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
80687
80688 xfs: kill suid/sgid through the truncate path.
80689
80690 XFS has failed to kill suid/sgid bits correctly when truncating
80691 files of non-zero size since commit c4ed4243 ("xfs: split
80692 xfs_setattr") introduced in the 3.1 kernel. Fix it.
80693
80694 Fix it.
80695
80696 cc: stable kernel <stable@vger.kernel.org>
80697 Signed-off-by: Dave Chinner <dchinner@redhat.com>
80698 Reviewed-by: Brian Foster <bfoster@redhat.com>
80699 Signed-off-by: Ben Myers <bpm@sgi.com>
80700
80701 (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)
80702
80703 fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
80704 1 files changed, 32 insertions(+), 15 deletions(-)
80705
80706commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
80707Author: Trond Myklebust <Trond.Myklebust@netapp.com>
80708Date: Wed May 29 15:36:40 2013 -0400
80709
80710 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
80711
80712 NFSv4: Fix a thinko in nfs4_try_open_cached
80713
80714 We need to pass the full open mode flags to nfs_may_open() when doing
80715 a delegated open.
80716
80717 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
80718 Cc: stable@vger.kernel.org
80719
80720 fs/nfs/nfs4proc.c | 2 +-
80721 1 files changed, 1 insertions(+), 1 deletions(-)
80722
80723commit c47de62893a9f269be0a272c2840aac1e2a35c68
80724Author: Chen Gang <gang.chen@asianux.com>
80725Date: Thu May 30 01:18:43 2013 +0000
80726
80727 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
80728
80729 parisc: kernel: using strlcpy() instead of strcpy()
80730
80731 'boot_args' is an input args, and 'boot_command_line' has a fix length.
80732 So use strlcpy() instead of strcpy() to avoid memory overflow.
80733
80734 Signed-off-by: Chen Gang <gang.chen@asianux.com>
80735 Acked-by: Kyle McMartin <kyle@mcmartin.ca>
80736 Signed-off-by: Helge Deller <deller@gmx.de>
80737
80738 arch/parisc/kernel/setup.c | 3 ++-
80739 1 files changed, 2 insertions(+), 1 deletions(-)
80740
80741commit ce869e6f799f95fcac340420ba3612503df80dbf
80742Author: Chen Gang <gang.chen@asianux.com>
80743Date: Mon May 27 04:57:09 2013 +0000
80744
80745 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
80746
80747 parisc: memory overflow, 'name' length is too short for using
80748
80749 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
80750 * "%u:" + "%u" + '\0') may be 21.
80751
80752 Since 'name' length is 20, it may be memory overflow.
80753
80754 And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
80755 max length of 'name' must be less than 28.
80756
80757 So simplify thinking, we can use 28 instead of 20 directly, and do not
80758 think of whether 'patchc.bc[i]' can '> 100'.
80759
80760 Signed-off-by: Chen Gang <gang.chen@asianux.com>
80761 Signed-off-by: Helge Deller <deller@gmx.de>
80762
80763 arch/parisc/kernel/drivers.c | 2 +-
80764 1 files changed, 1 insertions(+), 1 deletions(-)
80765
80766commit 5dc65cd34d442783118a17c518e2daedb90a31d0
80767Author: Brad Spengler <spender@grsecurity.net>
80768Date: Tue Jun 4 17:52:23 2013 -0400
80769
80770 add PERF_HARDEN recommendation
80771
80772 grsecurity/Kconfig | 3 +++
80773 1 files changed, 3 insertions(+), 0 deletions(-)
80774
80775commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
80776Author: Brad Spengler <spender@grsecurity.net>
80777Date: Tue Jun 4 17:22:44 2013 -0400
80778
80779 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN
80780
80781 grsecurity/Kconfig | 19 +++++++++++++++++++
80782 include/linux/perf_event.h | 5 +++++
80783 kernel/events/core.c | 10 +++++++++-
80784 kernel/sysctl.c | 9 ++++++++-
80785 4 files changed, 41 insertions(+), 2 deletions(-)
80786
80787commit 84619a3501fd38285a72d9e963f58d1827beedd6
80788Author: Brad Spengler <spender@grsecurity.net>
80789Date: Sat Jun 1 14:23:31 2013 -0400
80790
80791 remove user-triggerable BUG_ON in do_munlockall()
80792
80793 mm/mlock.c | 1 -
80794 1 files changed, 0 insertions(+), 1 deletions(-)
80795
80796commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
80797Author: Brad Spengler <spender@grsecurity.net>
80798Date: Sat Jun 1 13:44:05 2013 -0400
80799
80800 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
80801
80802 From: Kees Cook <keescook@chromium.org>
80803 Date: Thu, 23 May 2013 17:32:17 +0000
80804 Subject: iscsi-target: fix heap buffer overflow on error
80805
80806 If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
80807 error response packet, generated by iscsi_add_notunderstood_response(),
80808 would still attempt to copy the entire key into the packet, overflowing
80809 the structure on the heap.
80810
80811 Remote preauthentication kernel memory corruption was possible if a
80812 target was configured and listening on the network.
80813
80814 CVE-2013-2850
80815
80816 Embargo-screwup-by: Kees Cook <keescook@chromium.org>
80817 Cc: stable@vger.kernel.org
80818 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
80819
80820 drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
80821 drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
80822 2 files changed, 6 insertions(+), 6 deletions(-)
80823
80824commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
80825Author: Brad Spengler <spender@grsecurity.net>
80826Date: Sat Jun 1 13:43:26 2013 -0400
80827
80828 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
80829 Applying upstream fix instead
80830
80831 This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.
80832
80833 drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
80834 1 files changed, 3 insertions(+), 2 deletions(-)
80835
80836commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
80837Author: Dan Carpenter <dan.carpenter@oracle.com>
80838Date: Sun May 19 21:52:20 2013 +0300
80839
80840 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
80841
80842 USB: cxacru: potential underflow in cxacru_cm_get_array()
80843
80844 commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
80845
80846 The value of "offd" comes off the instance->rcv_buf[] and we used it as
80847 the offset into an array. The problem is that we check the upper bound
80848 but not for negative values.
80849
80850 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
80851 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
80852 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
80853
80854 drivers/usb/atm/cxacru.c | 3 ++-
80855 1 files changed, 2 insertions(+), 1 deletions(-)
80856
80857commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
80858Author: Brad Spengler <spender@grsecurity.net>
80859Date: Sat Jun 1 11:30:17 2013 -0400
80860
80861 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters
80862
80863 drivers/target/iscsi/iscsi_target_parameters.c | 5 ++---
80864 1 files changed, 2 insertions(+), 3 deletions(-)
80865
80866commit 8578566969d91678a3d7d5251b4eafc6d7775314
80867Author: Brad Spengler <spender@grsecurity.net>
80868Date: Thu May 30 17:44:15 2013 -0400
80869
80870 Apply compatibility fix to previous RLIMIT_NPROC change
80871 don't enforce the rlimit check at exec time if the user is root
80872 Prevents problems with sudo if root is listed as part of a group
80873 in limits.conf with process limits enforced
80874
80875 kernel/sys.c | 2 +-
80876 1 files changed, 1 insertions(+), 1 deletions(-)
80877
80878commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
80879Merge: 643b294 ed9b427
80880Author: Brad Spengler <spender@grsecurity.net>
80881Date: Wed May 29 19:19:28 2013 -0400
80882
80883 Merge branch 'pax-test' into grsec-test
80884
80885commit ed9b4276488528d0c3803df1dc0df804238241e0
80886Author: Brad Spengler <spender@grsecurity.net>
80887Date: Wed May 29 19:18:45 2013 -0400
80888
80889 Updated to pax-linux-3.9.4-test8.patch:
80890 - fixed some fallout detected by the checker plugin
80891
80892 arch/x86/kernel/crash_dump_64.c | 2 +-
80893 drivers/base/devtmpfs.c | 6 +++---
80894 drivers/char/agp/compat_ioctl.c | 2 +-
80895 drivers/char/agp/frontend.c | 2 +-
80896 drivers/char/mem.c | 2 +-
80897 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++--
80898 drivers/i2c/i2c-dev.c | 2 +-
80899 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++---
80900 drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++--------
80901 fs/9p/vfs_addr.c | 2 +-
80902 fs/binfmt_elf.c | 4 ++--
80903 fs/compat_ioctl.c | 4 ++--
80904 fs/exec.c | 2 +-
80905 fs/namespace.c | 8 ++++----
80906 fs/proc/vmcore.c | 12 ++++++++----
80907 fs/read_write.c | 2 +-
80908 include/linux/syscalls.h | 8 ++++----
80909 init/do_mounts_initrd.c | 8 ++++----
80910 init/main.c | 4 ++--
80911 kernel/events/core.c | 2 +-
80912 kernel/events/internal.h | 10 +++++-----
80913 mm/page_io.c | 2 +-
80914 security/keys/internal.h | 2 +-
80915 tools/gcc/checker_plugin.c | 1 +
80916 24 files changed, 63 insertions(+), 54 deletions(-)
80917
80918commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
80919Author: Brad Spengler <spender@grsecurity.net>
80920Date: Wed May 29 18:51:31 2013 -0400
80921
80922 eliminate gcc warning
80923
80924 fs/exec.c | 4 ++--
80925 1 files changed, 2 insertions(+), 2 deletions(-)
80926
80927commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
80928Author: Brad Spengler <spender@grsecurity.net>
80929Date: Wed May 29 18:30:20 2013 -0400
80930
80931 use BUILD_BUG() instead of BUILD_BUG_ON(1)
80932
80933 arch/x86/net/bpf_jit_comp.c | 4 ++--
80934 1 files changed, 2 insertions(+), 2 deletions(-)
80935
80936commit 5343410354267368e5809f3ad8d9a264f141be18
80937Author: Brad Spengler <spender@grsecurity.net>
80938Date: Wed May 29 17:57:41 2013 -0400
80939
80940 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
80941 for unknown opcodes
80942
80943 arch/x86/net/bpf_jit_comp.c | 11 +++++++----
80944 1 files changed, 7 insertions(+), 4 deletions(-)
80945
80946commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
80947Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
80948Date: Fri May 24 15:55:11 2013 -0700
80949
80950 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
80951
80952 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
80953
80954 Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
80955 multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
80956 fix freed page still mapped in secondary MMU").
80957
80958 Since hlist_for_each_entry_rcu() is changed now, we can not revert that
80959 patch directly, so this patch reverts the commit and simply fix the bug
80960 spotted by that patch
80961
80962 This bug spotted by commit 751efd8610d3 is:
80963
80964 There is a race condition between mmu_notifier_unregister() and
80965 __mmu_notifier_release().
80966
80967 Assume two tasks, one calling mmu_notifier_unregister() as a result
80968 of a filp_close() ->flush() callout (task A), and the other calling
80969 mmu_notifier_release() from an mmput() (task B).
80970
80971 A B
80972 t1 srcu_read_lock()
80973 t2 if (!hlist_unhashed())
80974 t3 srcu_read_unlock()
80975 t4 srcu_read_lock()
80976 t5 hlist_del_init_rcu()
80977 t6 synchronize_srcu()
80978 t7 srcu_read_unlock()
80979 t8 hlist_del_rcu() <--- NULL pointer deref.
80980
80981 This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
80982
80983 The another issue spotted in the commit is "multiple ->release()
80984 callouts", we needn't care it too much because it is really rare (e.g,
80985 can not happen on kvm since mmu-notify is unregistered after
80986 exit_mmap()) and the later call of multiple ->release should be fast
80987 since all the pages have already been released by the first call.
80988 Anyway, this issue should be fixed in a separate patch.
80989
80990 -stable suggestions: Any version that has commit 751efd8610d3 need to be
80991 backported. I find the oldest version has this commit is 3.0-stable.
80992
80993 [akpm@linux-foundation.org: tweak comments]
80994 Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
80995 Tested-by: Robin Holt <holt@sgi.com>
80996 Cc: <stable@vger.kernel.org>
80997 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
80998 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
80999
81000 mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------
81001 1 files changed, 39 insertions(+), 40 deletions(-)
81002
81003commit 163a5539b36247865d39b2bcfa8efc03a62124a6
81004Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
81005Date: Fri May 24 15:55:21 2013 -0700
81006
81007 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
81008
81009 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
81010
81011 We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
81012 set_pmd_at is used to set pmd with huge pte entries and architectures
81013 like ppc64, clear few flags from the pte when saving a new entry.
81014 Without this change we observe bad pte errors like below on ppc64 with
81015 THP enabled.
81016
81017 BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
81018
81019 Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
81020 Cc: Hugh Dickins <hughd@google.com>
81021 Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
81022 Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
81023 Cc: <stable@vger.kernel.org>
81024 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
81025 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
81026
81027 mm/huge_memory.c | 7 ++++++-
81028 1 files changed, 6 insertions(+), 1 deletions(-)
81029
81030commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
81031Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
81032Date: Fri May 24 15:55:08 2013 -0700
81033
81034 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
81035
81036 fat: fix possible overflow for fat_clusters
81037
81038 Intermediate value of fat_clusters can be overflowed on 32bits arch.
81039
81040 Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
81041 Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
81042 Cc: <stable@vger.kernel.org>
81043 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
81044 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
81045
81046 fs/fat/inode.c | 15 ++++++++++++++-
81047 1 files changed, 14 insertions(+), 1 deletions(-)
81048
81049commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
81050Author: Jarod Wilson <jarod@redhat.com>
81051Date: Fri May 24 15:55:31 2013 -0700
81052
81053 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
81054
81055 drivers/char/random.c: fix priming of last_data
81056
81057 Commit ec8f02da9ea5 ("random: prime last_data value per fips
81058 requirements") added priming of last_data per fips requirements.
81059
81060 Unfortuantely, it did so in a way that can lead to multiple threads all
81061 incrementing nbytes, but only one actually doing anything with the extra
81062 data, which leads to some fun random corruption and panics.
81063
81064 The fix is to simply do everything needed to prime last_data in a single
81065 shot, so there's no window for multiple cpus to increment nbytes -- in
81066 fact, we won't even increment or decrement nbytes anymore, we'll just
81067 extract the needed EXTRACT_SIZE one time per pool and then carry on with
81068 the normal routine.
81069
81070 All these changes have been tested across multiple hosts and
81071 architectures where panics were previously encoutered. The code changes
81072 are are strictly limited to areas only touched when when booted in fips
81073 mode.
81074
81075 This change should also go into 3.8-stable, to make the myriads of fips
81076 users on 3.8.x happy.
81077
81078 Signed-off-by: Jarod Wilson <jarod@redhat.com>
81079 Tested-by: Jan Stancek <jstancek@redhat.com>
81080 Tested-by: Jan Stodola <jstodola@redhat.com>
81081 Cc: Herbert Xu <herbert@gondor.apana.org.au>
81082 Acked-by: Neil Horman <nhorman@tuxdriver.com>
81083 Cc: "David S. Miller" <davem@davemloft.net>
81084 Cc: Matt Mackall <mpm@selenic.com>
81085 Cc: "Theodore Ts'o" <tytso@mit.edu>
81086 Cc: <stable@vger.kernel.org>
81087 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
81088 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
81089
81090 drivers/char/random.c | 30 +++++++++++++++---------------
81091 1 files changed, 15 insertions(+), 15 deletions(-)
81092
81093commit 2d74639040ba6ce47f57ec010714ec06529c4b42
81094Author: Jiri Kosina <jkosina@suse.cz>
81095Date: Fri May 24 15:55:33 2013 -0700
81096
81097 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
81098
81099 random: fix accounting race condition with lockless irq entropy_count update
81100
81101 Commit 902c098a3663 ("random: use lockless techniques in the interrupt
81102 path") turned IRQ path from being spinlock protected into lockless
81103 cmpxchg-retry update.
81104
81105 That commit removed r->lock serialization between crediting entropy bits
81106 from IRQ context and accounting when extracting entropy on userspace
81107 read path, but didn't turn the r->entropy_count reads/updates in
81108 account() to use cmpxchg as well.
81109
81110 It has been observed, that under certain circumstances this leads to
81111 read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
81112 corrupted and becomes negative, which in turn results in propagating 0
81113 all the way from account() to the actual read() call.
81114
81115 Convert the accounting code to be the proper lockless counterpart of
81116 what has been partially done by 902c098a3663.
81117
81118 Signed-off-by: Jiri Kosina <jkosina@suse.cz>
81119 Cc: Theodore Ts'o <tytso@mit.edu>
81120 Cc: Greg KH <greg@kroah.com>
81121 Cc: <stable@vger.kernel.org>
81122 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
81123 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
81124
81125 drivers/char/random.c | 26 +++++++++++++++++---------
81126 1 files changed, 17 insertions(+), 9 deletions(-)
81127
81128commit 65d05c7ea468c23c175105526dd4f163302a92cf
81129Merge: 1a98d0a 6ce3a135
81130Author: Brad Spengler <spender@grsecurity.net>
81131Date: Sat May 25 07:48:15 2013 -0400
81132
81133 Merge branch 'pax-test' into grsec-test
81134
81135 Conflicts:
81136 arch/x86/kernel/vm86_32.c
81137
81138commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
81139Merge: 79bdd65 0bfd8ff
81140Author: Brad Spengler <spender@grsecurity.net>
81141Date: Sat May 25 07:46:55 2013 -0400
81142
81143 Merge branch 'linux-3.9.y' into pax-test
81144
81145commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
81146Author: Brad Spengler <spender@grsecurity.net>
81147Date: Thu May 23 18:42:23 2013 -0400
81148
81149 use existing local variable
81150
81151 fs/exec.c | 2 +-
81152 1 files changed, 1 insertions(+), 1 deletions(-)
81153
81154commit b2b80ef8586061e32e986b31608717c25d1e7c54
81155Merge: cb45fbd 79bdd65
81156Author: Brad Spengler <spender@grsecurity.net>
81157Date: Thu May 23 17:58:53 2013 -0400
81158
81159 Merge branch 'pax-test' into grsec-test
81160
81161commit 79bdd65dac68267bc1b201c6b4a99966a373c305
81162Author: Brad Spengler <spender@grsecurity.net>
81163Date: Thu May 23 17:57:46 2013 -0400
81164
81165 Update to pax-linux-3.9.3-test7.patch:
81166 - fixed some size overflow related warnings (hash table, attributes)
81167 - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html
81168
81169 arch/x86/include/asm/page_64.h | 2 +-
81170 arch/x86/kernel/head64.c | 2 +-
81171 tools/gcc/constify_plugin.c | 48 ++-
81172 tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
81173 4 files changed, 651 insertions(+), 592 deletions(-)
81174
81175commit cb45fbda4967b1b544a754fbdc92d73283379522
81176Merge: 62588fa 57c11b8
81177Author: Brad Spengler <spender@grsecurity.net>
81178Date: Mon May 20 17:32:17 2013 -0400
81179
81180 Merge branch 'pax-test' into grsec-test
81181
81182commit 57c11b85acd841a088aa4df8e60be337880df8cd
81183Merge: 0598b37 4bb0869
81184Author: Brad Spengler <spender@grsecurity.net>
81185Date: Mon May 20 17:32:08 2013 -0400
81186
81187 Merge branch 'linux-3.9.y' into pax-test
81188
81189commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
81190Merge: e261c7b 0598b37
81191Author: Brad Spengler <spender@grsecurity.net>
81192Date: Fri May 17 22:57:36 2013 -0400
81193
81194 Merge branch 'pax-test' into grsec-test
81195
81196commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
81197Author: Brad Spengler <spender@grsecurity.net>
81198Date: Fri May 17 22:57:07 2013 -0400
81199
81200 Update to pax-linux-3.9.2-test6.patch:
81201 - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
81202 - fixed pfn extraction from pud/pgd entries, reported by ousado
81203
81204 arch/x86/include/asm/pgtable.h | 9 +++++++--
81205 tools/gcc/structleak_plugin.c | 3 ++-
81206 2 files changed, 9 insertions(+), 3 deletions(-)
81207
81208commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
81209Author: Brad Spengler <spender@grsecurity.net>
81210Date: Thu May 16 22:54:12 2013 -0400
81211
81212 add offset to topdown check, fixes compilation
81213
81214 arch/x86/kernel/sys_x86_64.c | 2 +-
81215 1 files changed, 1 insertions(+), 1 deletions(-)
81216
81217commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
81218Author: Brad Spengler <spender@grsecurity.net>
81219Date: Thu May 16 20:57:41 2013 -0400
81220
81221 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
81222 reported by lulzh3ad on irc
81223
81224 security/Kconfig | 1 +
81225 1 files changed, 1 insertions(+), 0 deletions(-)
81226
81227commit 0d4593e84707cdf6deb6b925c18c676a476b1613
81228Merge: 43cd0c0 39a877f
81229Author: Brad Spengler <spender@grsecurity.net>
81230Date: Thu May 16 20:39:11 2013 -0400
81231
81232 Merge branch 'pax-test' into grsec-test
81233
81234commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
81235Author: Brad Spengler <spender@grsecurity.net>
81236Date: Thu May 16 20:37:35 2013 -0400
81237
81238 Update to pax-linux-3.9.2-test105.patch:
81239 - fixed !EFI boot problem, reported by spender
81240 - fixed a few compile warnings
81241 - fixed some more compile errors due to constification
81242 - fixed some arm fallout, reported by Michael Tremer
81243
81244 arch/arm/include/asm/psci.h | 2 +-
81245 arch/arm/kernel/psci.c | 2 +-
81246 arch/x86/kernel/sys_x86_64.c | 3 +--
81247 arch/x86/realmode/init.c | 2 +-
81248 drivers/hwmon/pmbus/pmbus_core.c | 10 +++++-----
81249 drivers/irqchip/irq-gic.c | 2 +-
81250 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++-
81251 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++---
81252 drivers/platform/x86/chromeos_laptop.c | 2 +-
81253 fs/jfs/super.c | 4 ++--
81254 include/linux/irqchip/arm-gic.h | 2 ++
81255 include/sound/compress_driver.h | 2 +-
81256 net/mac80211/cfg.c | 4 ++--
81257 sound/soc/fsl/fsl_ssi.c | 2 +-
81258 14 files changed, 31 insertions(+), 22 deletions(-)
81259
81260commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
81261Author: Brad Spengler <spender@grsecurity.net>
81262Date: Thu May 16 20:35:22 2013 -0400
81263
81264 Fix usercopy false positive under gcc 4.1
81265
81266 arch/x86/kernel/signal.c | 9 +++++++--
81267 1 files changed, 7 insertions(+), 2 deletions(-)
81268
81269commit 56a166129d817f6634c8c230e6ec497669bdfaca
81270Author: Amerigo Wang <amwang@redhat.com>
81271Date: Thu May 9 21:56:37 2013 +0000
81272
81273 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
81274
81275 ipv6,gre: do not leak info to user-space
81276
81277 There is a hole in struct ip6_tnl_parm2, so we have to
81278 zero the struct on stack before copying it to user-space.
81279
81280 Cc: David S. Miller <davem@davemloft.net>
81281 Signed-off-by: Cong Wang <amwang@redhat.com>
81282 Signed-off-by: David S. Miller <davem@davemloft.net>
81283
81284 net/ipv6/ip6_gre.c | 2 ++
81285 1 files changed, 2 insertions(+), 0 deletions(-)
81286
81287commit d6f50dae2653ad912952da40417a8ccbd59c7699
81288Author: Brad Spengler <spender@grsecurity.net>
81289Date: Tue May 14 16:52:35 2013 -0400
81290
81291 disable unprivileged kernel profiling under HIDESYM, rename
81292 the variable to something more appropriate
81293
81294 include/linux/perf_event.h | 8 ++++----
81295 kernel/events/core.c | 6 +++++-
81296 kernel/sysctl.c | 4 ++--
81297 3 files changed, 11 insertions(+), 7 deletions(-)
81298
81299commit 01322c6951bed4eedefbd2178dbd99292b365d99
81300Author: Brad Spengler <spender@grsecurity.net>
81301Date: Mon May 13 17:19:57 2013 -0400
81302
81303 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
81304 existing stack-heap gap code for the new unified vm_unmapped_area
81305
81306 grsecurity/Kconfig | 2 +-
81307 1 files changed, 1 insertions(+), 1 deletions(-)
81308
81309commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
81310Author: Brad Spengler <spender@grsecurity.net>
81311Date: Mon May 13 15:40:32 2013 -0400
81312
81313 fix NX fault on early boot
81314
81315 arch/x86/realmode/init.c | 2 +-
81316 1 files changed, 1 insertions(+), 1 deletions(-)
81317
81318commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
81319Author: Brad Spengler <spender@grsecurity.net>
81320Date: Mon May 13 10:48:13 2013 -0400
81321
81322 compile fix, we weren't using %pa anyway and it's now being used
81323 by upstream for physical address printing
81324
81325 lib/vsprintf.c | 3 +--
81326 1 files changed, 1 insertions(+), 2 deletions(-)
81327
81328commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
81329Author: Brad Spengler <spender@grsecurity.net>
81330Date: Mon May 13 10:39:52 2013 -0400
81331
81332 compile fix
81333
81334 grsecurity/grsec_chroot.c | 2 +-
81335 1 files changed, 1 insertions(+), 1 deletions(-)
81336
81337commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
81338Author: Brad Spengler <spender@grsecurity.net>
81339Date: Mon May 13 10:35:36 2013 -0400
81340
81341 compile fixes
81342
81343 grsecurity/grsec_chroot.c | 2 +-
81344 include/linux/grinternal.h | 8 ++++----
81345 include/linux/grsecurity.h | 4 ++--
81346 3 files changed, 7 insertions(+), 7 deletions(-)
81347
81348commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
81349Author: Brad Spengler <spender@grsecurity.net>
81350Date: Mon May 13 10:27:18 2013 -0400
81351
81352 compile fix
81353
81354 fs/exec.c | 6 +++---
81355 1 files changed, 3 insertions(+), 3 deletions(-)
81356
81357commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
81358Author: Brad Spengler <spender@grsecurity.net>
81359Date: Mon May 13 10:23:17 2013 -0400
81360
81361 Initial port of grsecurity for 3.9.2
81362
81363 Documentation/kernel-parameters.txt | 4 +
81364 Makefile | 8 +-
81365 arch/alpha/include/asm/cache.h | 4 +-
81366 arch/alpha/kernel/osf_sys.c | 12 +-
81367 arch/arm/include/asm/thread_info.h | 9 +-
81368 arch/arm/kernel/process.c | 4 +-
81369 arch/arm/kernel/ptrace.c | 9 +
81370 arch/arm/kernel/traps.c | 7 +-
81371 arch/arm/mm/fault.c | 29 +-
81372 arch/arm/mm/mmap.c | 8 +-
81373 arch/avr32/include/asm/cache.h | 4 +-
81374 arch/blackfin/include/asm/cache.h | 3 +-
81375 arch/cris/include/arch-v10/arch/cache.h | 3 +-
81376 arch/cris/include/arch-v32/arch/cache.h | 3 +-
81377 arch/frv/include/asm/cache.h | 3 +-
81378 arch/frv/mm/elf-fdpic.c | 4 +-
81379 arch/hexagon/include/asm/cache.h | 6 +-
81380 arch/ia64/include/asm/cache.h | 3 +-
81381 arch/ia64/kernel/sys_ia64.c | 2 +
81382 arch/ia64/mm/hugetlbpage.c | 2 +
81383 arch/m32r/include/asm/cache.h | 4 +-
81384 arch/m68k/include/asm/cache.h | 4 +-
81385 arch/metag/mm/hugetlbpage.c | 1 +
81386 arch/microblaze/include/asm/cache.h | 3 +-
81387 arch/mips/include/asm/cache.h | 3 +-
81388 arch/mips/include/asm/thread_info.h | 9 +-
81389 arch/mips/kernel/ptrace.c | 9 +
81390 arch/mips/kernel/scall32-o32.S | 2 +-
81391 arch/mips/kernel/scall64-64.S | 2 +-
81392 arch/mips/kernel/scall64-n32.S | 2 +-
81393 arch/mips/kernel/scall64-o32.S | 2 +-
81394 arch/mips/mm/mmap.c | 4 +-
81395 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
81396 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
81397 arch/openrisc/include/asm/cache.h | 4 +-
81398 arch/parisc/include/asm/cache.h | 5 +-
81399 arch/parisc/kernel/sys_parisc.c | 17 +-
81400 arch/powerpc/include/asm/cache.h | 3 +-
81401 arch/powerpc/include/asm/thread_info.h | 8 +-
81402 arch/powerpc/kernel/process.c | 10 +-
81403 arch/powerpc/kernel/ptrace.c | 14 +
81404 arch/powerpc/kernel/traps.c | 5 +
81405 arch/powerpc/mm/slice.c | 8 +-
81406 arch/s390/include/asm/cache.h | 4 +-
81407 arch/score/include/asm/cache.h | 4 +-
81408 arch/sh/include/asm/cache.h | 3 +-
81409 arch/sh/mm/mmap.c | 6 +-
81410 arch/sparc/include/asm/cache.h | 4 +-
81411 arch/sparc/include/asm/thread_info_64.h | 9 +-
81412 arch/sparc/kernel/process_32.c | 6 +-
81413 arch/sparc/kernel/process_64.c | 8 +-
81414 arch/sparc/kernel/ptrace_64.c | 14 +
81415 arch/sparc/kernel/sys_sparc_64.c | 8 +-
81416 arch/sparc/kernel/syscalls.S | 8 +-
81417 arch/sparc/kernel/traps_32.c | 8 +-
81418 arch/sparc/kernel/traps_64.c | 28 +-
81419 arch/sparc/kernel/unaligned_64.c | 2 +-
81420 arch/sparc/mm/fault_64.c | 2 +-
81421 arch/sparc/mm/hugetlbpage.c | 3 +-
81422 arch/tile/include/asm/cache.h | 3 +-
81423 arch/tile/mm/hugetlbpage.c | 2 +
81424 arch/um/defconfig | 1 -
81425 arch/um/include/asm/cache.h | 3 +-
81426 arch/unicore32/include/asm/cache.h | 6 +-
81427 arch/x86/Kconfig | 5 +-
81428 arch/x86/Kconfig.debug | 2 +-
81429 arch/x86/ia32/ia32_aout.c | 2 +
81430 arch/x86/include/asm/thread_info.h | 8 +-
81431 arch/x86/kernel/dumpstack.c | 8 +
81432 arch/x86/kernel/entry_32.S | 2 +-
81433 arch/x86/kernel/entry_64.S | 2 +-
81434 arch/x86/kernel/ioport.c | 13 +
81435 arch/x86/kernel/ptrace.c | 14 +
81436 arch/x86/kernel/smpboot.c | 3 +
81437 arch/x86/kernel/sys_i386_32.c | 14 +-
81438 arch/x86/kernel/sys_x86_64.c | 6 +-
81439 arch/x86/kernel/verify_cpu.S | 1 +
81440 arch/x86/kernel/vm86_32.c | 16 +
81441 arch/x86/mm/fault.c | 12 +-
81442 arch/x86/mm/hugetlbpage.c | 15 +-
81443 arch/x86/mm/init.c | 66 +-
81444 arch/x86/net/bpf_jit_comp.c | 126 +-
81445 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
81446 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
81447 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
81448 drivers/block/cciss.c | 2 +
81449 drivers/char/Kconfig | 4 +-
81450 drivers/char/genrtc.c | 1 +
81451 drivers/char/mem.c | 17 +
81452 drivers/char/random.c | 12 +
81453 drivers/gpu/drm/drm_info.c | 4 +
81454 drivers/hid/hid-wiimote-debug.c | 2 +-
81455 drivers/media/radio/radio-cadet.c | 2 +-
81456 drivers/message/fusion/mptbase.c | 9 +
81457 drivers/net/bonding/bond_main.c | 2 +-
81458 drivers/net/phy/mdio-bitbang.c | 1 +
81459 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
81460 drivers/pci/proc.c | 9 +
81461 drivers/rtc/rtc-dev.c | 3 +
81462 drivers/tty/sysrq.c | 2 +-
81463 drivers/tty/vt/keyboard.c | 22 +-
81464 drivers/usb/storage/realtek_cr.c | 2 +-
81465 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
81466 drivers/xen/xenfs/xenstored.c | 5 +
81467 fs/attr.c | 1 +
81468 fs/autofs4/waitq.c | 9 +
81469 fs/binfmt_aout.c | 7 +
81470 fs/binfmt_elf.c | 8 +-
81471 fs/btrfs/ioctl.c | 6 +-
81472 fs/compat.c | 20 +-
81473 fs/coredump.c | 10 +-
81474 fs/debugfs/inode.c | 4 +
81475 fs/exec.c | 181 +-
81476 fs/ext2/balloc.c | 4 +-
81477 fs/ext3/balloc.c | 4 +-
81478 fs/ext4/balloc.c | 4 +-
81479 fs/fcntl.c | 5 +
81480 fs/file.c | 4 +
81481 fs/filesystems.c | 4 +
81482 fs/fs_struct.c | 13 +-
81483 fs/hugetlbfs/inode.c | 5 +-
81484 fs/namei.c | 241 ++-
81485 fs/namespace.c | 24 +
81486 fs/open.c | 38 +
81487 fs/pipe.c | 2 +-
81488 fs/proc/Kconfig | 10 +-
81489 fs/proc/array.c | 59 +-
81490 fs/proc/base.c | 168 +-
81491 fs/proc/cmdline.c | 4 +
81492 fs/proc/devices.c | 4 +
81493 fs/proc/fd.c | 17 +-
81494 fs/proc/inode.c | 17 +
81495 fs/proc/internal.h | 3 +
81496 fs/proc/kcore.c | 3 +
81497 fs/proc/proc_net.c | 12 +
81498 fs/proc/proc_sysctl.c | 43 +-
81499 fs/proc/root.c | 8 +
81500 fs/proc/task_mmu.c | 75 +-
81501 fs/readdir.c | 19 +
81502 fs/select.c | 2 +
81503 fs/seq_file.c | 12 +-
81504 fs/stat.c | 19 +-
81505 fs/sysfs/dir.c | 12 +
81506 fs/utimes.c | 7 +
81507 fs/xattr.c | 19 +-
81508 grsecurity/Kconfig | 1031 +++++
81509 grsecurity/Makefile | 38 +
81510 grsecurity/gracl.c | 4073 ++++++++++++++++++++
81511 grsecurity/gracl_alloc.c | 105 +
81512 grsecurity/gracl_cap.c | 110 +
81513 grsecurity/gracl_fs.c | 431 +++
81514 grsecurity/gracl_ip.c | 387 ++
81515 grsecurity/gracl_learn.c | 207 +
81516 grsecurity/gracl_res.c | 68 +
81517 grsecurity/gracl_segv.c | 305 ++
81518 grsecurity/gracl_shm.c | 40 +
81519 grsecurity/grsec_chdir.c | 19 +
81520 grsecurity/grsec_chroot.c | 370 ++
81521 grsecurity/grsec_disabled.c | 434 +++
81522 grsecurity/grsec_exec.c | 187 +
81523 grsecurity/grsec_fifo.c | 24 +
81524 grsecurity/grsec_fork.c | 23 +
81525 grsecurity/grsec_init.c | 283 ++
81526 grsecurity/grsec_link.c | 58 +
81527 grsecurity/grsec_log.c | 326 ++
81528 grsecurity/grsec_mem.c | 40 +
81529 grsecurity/grsec_mount.c | 62 +
81530 grsecurity/grsec_pax.c | 36 +
81531 grsecurity/grsec_ptrace.c | 30 +
81532 grsecurity/grsec_sig.c | 222 ++
81533 grsecurity/grsec_sock.c | 244 ++
81534 grsecurity/grsec_sysctl.c | 469 +++
81535 grsecurity/grsec_time.c | 16 +
81536 grsecurity/grsec_tpe.c | 73 +
81537 grsecurity/grsum.c | 61 +
81538 include/linux/capability.h | 5 +
81539 include/linux/cred.h | 3 +
81540 include/linux/fs.h | 10 +
81541 include/linux/fsnotify.h | 6 +
81542 include/linux/gracl.h | 319 ++
81543 include/linux/gralloc.h | 9 +
81544 include/linux/grdefs.h | 140 +
81545 include/linux/grinternal.h | 215 +
81546 include/linux/grmsg.h | 111 +
81547 include/linux/grsecurity.h | 242 ++
81548 include/linux/grsock.h | 19 +
81549 include/linux/kallsyms.h | 14 +-
81550 include/linux/kmod.h | 2 +
81551 include/linux/mm.h | 1 +
81552 include/linux/netfilter/xt_gradm.h | 9 +
81553 include/linux/printk.h | 3 +-
81554 include/linux/proc_fs.h | 12 +
81555 include/linux/sched.h | 68 +-
81556 include/linux/security.h | 1 +
81557 include/linux/seq_file.h | 3 +
81558 include/linux/shm.h | 4 +
81559 include/linux/skbuff.h | 3 +
81560 include/linux/slab.h | 9 -
81561 include/linux/sysctl.h | 2 +
81562 include/linux/thread_info.h | 2 +
81563 include/linux/uidgid.h | 5 +
81564 include/linux/vermagic.h | 9 +-
81565 include/net/secure_seq.h | 1 +
81566 include/trace/events/fs.h | 53 +
81567 include/uapi/linux/personality.h | 1 +
81568 init/Kconfig | 3 +-
81569 init/main.c | 14 +
81570 ipc/mqueue.c | 1 +
81571 ipc/shm.c | 28 +
81572 kernel/capability.c | 39 +-
81573 kernel/cgroup.c | 2 +-
81574 kernel/compat.c | 1 +
81575 kernel/configs.c | 11 +
81576 kernel/cred.c | 110 +-
81577 kernel/exit.c | 10 +-
81578 kernel/fork.c | 41 +-
81579 kernel/futex.c | 1 +
81580 kernel/kallsyms.c | 9 +
81581 kernel/kcmp.c | 4 +
81582 kernel/kmod.c | 71 +-
81583 kernel/kprobes.c | 4 +-
81584 kernel/ksysfs.c | 2 +
81585 kernel/lockdep_proc.c | 10 +-
81586 kernel/module.c | 81 +-
81587 kernel/panic.c | 4 +-
81588 kernel/pid.c | 19 +-
81589 kernel/posix-timers.c | 8 +
81590 kernel/printk.c | 13 +-
81591 kernel/ptrace.c | 20 +-
81592 kernel/resource.c | 10 +
81593 kernel/sched/core.c | 6 +-
81594 kernel/signal.c | 37 +-
81595 kernel/sys.c | 45 +-
81596 kernel/sysctl.c | 39 +-
81597 kernel/taskstats.c | 6 +
81598 kernel/time.c | 5 +
81599 kernel/time/timekeeping.c | 3 +
81600 kernel/time/timer_list.c | 12 +
81601 kernel/time/timer_stats.c | 10 +-
81602 lib/Kconfig.debug | 5 +-
81603 lib/is_single_threaded.c | 3 +
81604 lib/vsprintf.c | 35 +-
81605 localversion-grsec | 1 +
81606 mm/Kconfig | 4 +-
81607 mm/filemap.c | 1 +
81608 mm/kmemleak.c | 4 +-
81609 mm/mempolicy.c | 12 +-
81610 mm/migrate.c | 3 +-
81611 mm/mlock.c | 3 +
81612 mm/mmap.c | 64 +-
81613 mm/mprotect.c | 8 +
81614 mm/process_vm_access.c | 6 +
81615 mm/shmem.c | 2 +-
81616 mm/slab.c | 2 +-
81617 mm/slub.c | 14 +-
81618 mm/vmalloc.c | 4 +
81619 mm/vmstat.c | 18 +-
81620 net/8021q/vlan.c | 7 +
81621 net/core/dev_ioctl.c | 4 +
81622 net/core/net-procfs.c | 5 +
81623 net/core/secure_seq.c | 4 +-
81624 net/core/sock_diag.c | 7 +
81625 net/ipv4/af_inet.c | 5 +-
81626 net/ipv4/inet_hashtables.c | 5 +
81627 net/ipv4/ip_sockglue.c | 3 +-
81628 net/ipv4/tcp_input.c | 4 +-
81629 net/ipv4/tcp_ipv4.c | 24 +-
81630 net/ipv4/tcp_minisocks.c | 9 +-
81631 net/ipv4/tcp_timer.c | 11 +
81632 net/ipv4/udp.c | 24 +
81633 net/ipv6/tcp_ipv6.c | 23 +-
81634 net/ipv6/udp.c | 7 +
81635 net/netfilter/Kconfig | 10 +
81636 net/netfilter/Makefile | 1 +
81637 net/netfilter/nf_conntrack_core.c | 8 +
81638 net/netfilter/xt_gradm.c | 51 +
81639 net/netrom/af_netrom.c | 2 +-
81640 net/phonet/af_phonet.c | 2 +-
81641 net/sctp/probe.c | 2 +-
81642 net/sctp/proc.c | 3 +-
81643 net/socket.c | 66 +-
81644 net/sysctl_net.c | 2 +-
81645 net/tipc/link.c | 11 +-
81646 net/unix/af_unix.c | 31 +-
81647 security/Kconfig | 342 ++-
81648 security/commoncap.c | 29 +
81649 security/min_addr.c | 2 +
81650 security/security.c | 2 -
81651 security/selinux/hooks.c | 2 -
81652 security/tomoyo/mount.c | 4 +
81653 security/yama/Kconfig | 2 +-
81654 291 files changed, 15221 insertions(+), 2052 deletions(-)
81655
81656commit 88854c350c899bceca4a94598c42bed44d0dc91b
81657Author: Brad Spengler <spender@grsecurity.net>
81658Date: Mon May 13 07:37:47 2013 -0400
81659
81660 Initial import of pax-linux-3.9.2-test2.patch
81661
81662 Documentation/dontdiff | 45 +-
81663 Documentation/kernel-parameters.txt | 12 +
81664 Makefile | 100 +-
81665 arch/alpha/include/asm/atomic.h | 10 +
81666 arch/alpha/include/asm/elf.h | 7 +
81667 arch/alpha/include/asm/pgalloc.h | 6 +
81668 arch/alpha/include/asm/pgtable.h | 11 +
81669 arch/alpha/kernel/module.c | 2 +-
81670 arch/alpha/kernel/osf_sys.c | 8 +-
81671 arch/alpha/mm/fault.c | 141 +-
81672 arch/arm/Kconfig | 2 +-
81673 arch/arm/include/asm/atomic.h | 421 ++-
81674 arch/arm/include/asm/cache.h | 5 +-
81675 arch/arm/include/asm/cacheflush.h | 2 +-
81676 arch/arm/include/asm/checksum.h | 14 +-
81677 arch/arm/include/asm/cmpxchg.h | 2 +
81678 arch/arm/include/asm/domain.h | 33 +-
81679 arch/arm/include/asm/elf.h | 13 +-
81680 arch/arm/include/asm/fncpy.h | 2 +
81681 arch/arm/include/asm/futex.h | 10 +
81682 arch/arm/include/asm/kmap_types.h | 2 +-
81683 arch/arm/include/asm/mach/dma.h | 2 +-
81684 arch/arm/include/asm/mach/map.h | 7 +-
81685 arch/arm/include/asm/outercache.h | 2 +-
81686 arch/arm/include/asm/page.h | 2 +-
81687 arch/arm/include/asm/pgalloc.h | 22 +-
81688 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
81689 arch/arm/include/asm/pgtable-2level.h | 1 +
81690 arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
81691 arch/arm/include/asm/pgtable-3level.h | 2 +
81692 arch/arm/include/asm/pgtable.h | 56 +-
81693 arch/arm/include/asm/proc-fns.h | 2 +-
81694 arch/arm/include/asm/processor.h | 5 +-
81695 arch/arm/include/asm/smp.h | 2 +-
81696 arch/arm/include/asm/thread_info.h | 6 +-
81697 arch/arm/include/asm/uaccess.h | 92 +-
81698 arch/arm/include/uapi/asm/ptrace.h | 2 +-
81699 arch/arm/kernel/armksyms.c | 6 +-
81700 arch/arm/kernel/entry-armv.S | 107 +-
81701 arch/arm/kernel/entry-common.S | 41 +-
81702 arch/arm/kernel/entry-header.S | 60 +
81703 arch/arm/kernel/fiq.c | 2 +
81704 arch/arm/kernel/head.S | 6 +-
81705 arch/arm/kernel/hw_breakpoint.c | 2 +-
81706 arch/arm/kernel/module.c | 29 +-
81707 arch/arm/kernel/patch.c | 2 +
81708 arch/arm/kernel/perf_event_cpu.c | 2 +-
81709 arch/arm/kernel/process.c | 15 +-
81710 arch/arm/kernel/setup.c | 22 +-
81711 arch/arm/kernel/signal.c | 24 +-
81712 arch/arm/kernel/smp.c | 2 +-
81713 arch/arm/kernel/traps.c | 15 +-
81714 arch/arm/kernel/vmlinux.lds.S | 22 +-
81715 arch/arm/lib/clear_user.S | 6 +-
81716 arch/arm/lib/copy_from_user.S | 6 +-
81717 arch/arm/lib/copy_page.S | 1 +
81718 arch/arm/lib/copy_to_user.S | 6 +-
81719 arch/arm/lib/csumpartialcopyuser.S | 4 +-
81720 arch/arm/lib/delay.c | 2 +-
81721 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
81722 arch/arm/mach-kirkwood/common.c | 19 +-
81723 arch/arm/mach-omap2/board-n8x0.c | 2 +-
81724 arch/arm/mach-omap2/gpmc.c | 22 +-
81725 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
81726 arch/arm/mach-omap2/omap_device.c | 4 +-
81727 arch/arm/mach-omap2/omap_device.h | 4 +-
81728 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
81729 arch/arm/mach-omap2/wd_timer.c | 6 +-
81730 arch/arm/mach-ux500/include/mach/setup.h | 7 -
81731 arch/arm/mm/Kconfig | 3 +-
81732 arch/arm/mm/alignment.c | 8 +
81733 arch/arm/mm/fault.c | 91 +
81734 arch/arm/mm/fault.h | 12 +
81735 arch/arm/mm/init.c | 41 +
81736 arch/arm/mm/ioremap.c | 4 +-
81737 arch/arm/mm/mmap.c | 36 +-
81738 arch/arm/mm/mmu.c | 187 +-
81739 arch/arm/mm/proc-v7-2level.S | 3 +
81740 arch/arm/plat-omap/sram.c | 2 +
81741 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
81742 arch/arm64/kernel/debug-monitors.c | 2 +-
81743 arch/arm64/kernel/hw_breakpoint.c | 2 +-
81744 arch/avr32/include/asm/elf.h | 8 +-
81745 arch/avr32/include/asm/kmap_types.h | 4 +-
81746 arch/avr32/mm/fault.c | 27 +
81747 arch/frv/include/asm/atomic.h | 10 +
81748 arch/frv/include/asm/kmap_types.h | 2 +-
81749 arch/frv/mm/elf-fdpic.c | 3 +-
81750 arch/ia64/include/asm/atomic.h | 10 +
81751 arch/ia64/include/asm/elf.h | 7 +
81752 arch/ia64/include/asm/pgalloc.h | 12 +
81753 arch/ia64/include/asm/pgtable.h | 13 +-
81754 arch/ia64/include/asm/spinlock.h | 2 +-
81755 arch/ia64/include/asm/uaccess.h | 26 +-
81756 arch/ia64/kernel/err_inject.c | 2 +-
81757 arch/ia64/kernel/mca.c | 2 +-
81758 arch/ia64/kernel/module.c | 48 +-
81759 arch/ia64/kernel/palinfo.c | 2 +-
81760 arch/ia64/kernel/salinfo.c | 2 +-
81761 arch/ia64/kernel/sys_ia64.c | 7 +
81762 arch/ia64/kernel/topology.c | 2 +-
81763 arch/ia64/kernel/vmlinux.lds.S | 2 +-
81764 arch/ia64/mm/fault.c | 32 +-
81765 arch/ia64/mm/init.c | 13 +
81766 arch/m32r/lib/usercopy.c | 6 +
81767 arch/mips/include/asm/atomic.h | 14 +
81768 arch/mips/include/asm/elf.h | 11 +-
81769 arch/mips/include/asm/exec.h | 2 +-
81770 arch/mips/include/asm/page.h | 2 +-
81771 arch/mips/include/asm/pgalloc.h | 5 +
81772 arch/mips/kernel/binfmt_elfn32.c | 7 +
81773 arch/mips/kernel/binfmt_elfo32.c | 7 +
81774 arch/mips/kernel/process.c | 12 -
81775 arch/mips/mm/fault.c | 17 +
81776 arch/mips/mm/mmap.c | 51 +-
81777 arch/parisc/include/asm/atomic.h | 10 +
81778 arch/parisc/include/asm/elf.h | 7 +
81779 arch/parisc/include/asm/pgalloc.h | 6 +
81780 arch/parisc/include/asm/pgtable.h | 11 +
81781 arch/parisc/include/asm/uaccess.h | 4 +-
81782 arch/parisc/kernel/module.c | 50 +-
81783 arch/parisc/kernel/sys_parisc.c | 9 +-
81784 arch/parisc/kernel/traps.c | 4 +-
81785 arch/parisc/mm/fault.c | 140 +-
81786 arch/powerpc/include/asm/atomic.h | 10 +
81787 arch/powerpc/include/asm/elf.h | 19 +-
81788 arch/powerpc/include/asm/exec.h | 2 +-
81789 arch/powerpc/include/asm/kmap_types.h | 2 +-
81790 arch/powerpc/include/asm/mman.h | 2 +-
81791 arch/powerpc/include/asm/page.h | 8 +-
81792 arch/powerpc/include/asm/page_64.h | 7 +-
81793 arch/powerpc/include/asm/pgalloc-64.h | 7 +
81794 arch/powerpc/include/asm/pgtable.h | 1 +
81795 arch/powerpc/include/asm/pte-hash32.h | 1 +
81796 arch/powerpc/include/asm/reg.h | 1 +
81797 arch/powerpc/include/asm/smp.h | 2 +-
81798 arch/powerpc/include/asm/uaccess.h | 140 +-
81799 arch/powerpc/kernel/exceptions-64e.S | 4 +-
81800 arch/powerpc/kernel/exceptions-64s.S | 2 +-
81801 arch/powerpc/kernel/module_32.c | 13 +-
81802 arch/powerpc/kernel/process.c | 55 -
81803 arch/powerpc/kernel/signal_32.c | 2 +-
81804 arch/powerpc/kernel/signal_64.c | 2 +-
81805 arch/powerpc/kernel/sysfs.c | 2 +-
81806 arch/powerpc/kernel/vdso.c | 5 +-
81807 arch/powerpc/lib/usercopy_64.c | 18 -
81808 arch/powerpc/mm/fault.c | 54 +-
81809 arch/powerpc/mm/mmap_64.c | 16 +
81810 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
81811 arch/powerpc/mm/numa.c | 2 +-
81812 arch/powerpc/mm/slice.c | 23 +-
81813 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
81814 arch/powerpc/platforms/powermac/smp.c | 2 +-
81815 arch/s390/include/asm/atomic.h | 10 +
81816 arch/s390/include/asm/elf.h | 13 +-
81817 arch/s390/include/asm/exec.h | 2 +-
81818 arch/s390/include/asm/uaccess.h | 15 +-
81819 arch/s390/kernel/module.c | 22 +-
81820 arch/s390/kernel/process.c | 36 -
81821 arch/s390/mm/mmap.c | 24 +
81822 arch/score/include/asm/exec.h | 2 +-
81823 arch/score/kernel/process.c | 5 -
81824 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
81825 arch/sh/mm/mmap.c | 22 +-
81826 arch/sparc/include/asm/atomic_64.h | 106 +-
81827 arch/sparc/include/asm/cache.h | 2 +-
81828 arch/sparc/include/asm/elf_32.h | 7 +
81829 arch/sparc/include/asm/elf_64.h | 7 +
81830 arch/sparc/include/asm/pgalloc_32.h | 1 +
81831 arch/sparc/include/asm/pgalloc_64.h | 1 +
81832 arch/sparc/include/asm/pgtable_32.h | 15 +-
81833 arch/sparc/include/asm/pgtsrmmu.h | 5 +
81834 arch/sparc/include/asm/spinlock_64.h | 35 +-
81835 arch/sparc/include/asm/thread_info_32.h | 2 +
81836 arch/sparc/include/asm/thread_info_64.h | 2 +
81837 arch/sparc/include/asm/uaccess.h | 1 +
81838 arch/sparc/include/asm/uaccess_32.h | 27 +-
81839 arch/sparc/include/asm/uaccess_64.h | 19 +-
81840 arch/sparc/kernel/Makefile | 2 +-
81841 arch/sparc/kernel/prom_common.c | 2 +-
81842 arch/sparc/kernel/sys_sparc_32.c | 2 +-
81843 arch/sparc/kernel/sys_sparc_64.c | 48 +-
81844 arch/sparc/kernel/sysfs.c | 2 +-
81845 arch/sparc/kernel/traps_64.c | 13 +-
81846 arch/sparc/kernel/us3_cpufreq.c | 69 +-
81847 arch/sparc/lib/Makefile | 2 +-
81848 arch/sparc/lib/atomic_64.S | 136 +-
81849 arch/sparc/lib/ksyms.c | 6 +
81850 arch/sparc/mm/Makefile | 2 +-
81851 arch/sparc/mm/fault_32.c | 292 ++
81852 arch/sparc/mm/fault_64.c | 486 ++
81853 arch/sparc/mm/hugetlbpage.c | 21 +-
81854 arch/tile/include/asm/atomic_64.h | 10 +
81855 arch/tile/include/asm/uaccess.h | 4 +-
81856 arch/um/Makefile | 4 +
81857 arch/um/include/asm/kmap_types.h | 2 +-
81858 arch/um/include/asm/page.h | 3 +
81859 arch/um/include/asm/pgtable-3level.h | 1 +
81860 arch/um/kernel/process.c | 16 -
81861 arch/x86/Kconfig | 10 +-
81862 arch/x86/Kconfig.cpu | 6 +-
81863 arch/x86/Kconfig.debug | 6 +-
81864 arch/x86/Makefile | 10 +
81865 arch/x86/boot/Makefile | 3 +
81866 arch/x86/boot/bitops.h | 4 +-
81867 arch/x86/boot/boot.h | 4 +-
81868 arch/x86/boot/compressed/Makefile | 3 +
81869 arch/x86/boot/compressed/eboot.c | 2 -
81870 arch/x86/boot/compressed/head_32.S | 7 +-
81871 arch/x86/boot/compressed/head_64.S | 8 +-
81872 arch/x86/boot/compressed/misc.c | 4 +-
81873 arch/x86/boot/cpucheck.c | 28 +-
81874 arch/x86/boot/header.S | 6 +-
81875 arch/x86/boot/memory.c | 2 +-
81876 arch/x86/boot/video-vesa.c | 1 +
81877 arch/x86/boot/video.c | 2 +-
81878 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
81879 arch/x86/crypto/aesni-intel_asm.S | 21 +
81880 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
81881 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
81882 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
81883 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 +
81884 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
81885 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 +
81886 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
81887 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
81888 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 +
81889 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
81890 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
81891 arch/x86/ia32/ia32_signal.c | 14 +-
81892 arch/x86/ia32/ia32entry.S | 141 +-
81893 arch/x86/ia32/sys_ia32.c | 6 +-
81894 arch/x86/include/asm/alternative-asm.h | 39 +
81895 arch/x86/include/asm/alternative.h | 4 +-
81896 arch/x86/include/asm/apic.h | 2 +-
81897 arch/x86/include/asm/apm.h | 4 +-
81898 arch/x86/include/asm/atomic.h | 307 ++-
81899 arch/x86/include/asm/atomic64_32.h | 100 +
81900 arch/x86/include/asm/atomic64_64.h | 202 +-
81901 arch/x86/include/asm/bitops.h | 4 +-
81902 arch/x86/include/asm/boot.h | 7 +-
81903 arch/x86/include/asm/cache.h | 5 +-
81904 arch/x86/include/asm/cacheflush.h | 2 +-
81905 arch/x86/include/asm/checksum_32.h | 12 +-
81906 arch/x86/include/asm/cmpxchg.h | 35 +
81907 arch/x86/include/asm/compat.h | 2 +-
81908 arch/x86/include/asm/cpufeature.h | 4 +-
81909 arch/x86/include/asm/desc.h | 67 +-
81910 arch/x86/include/asm/desc_defs.h | 6 +
81911 arch/x86/include/asm/div64.h | 2 +-
81912 arch/x86/include/asm/elf.h | 31 +-
81913 arch/x86/include/asm/emergency-restart.h | 2 +-
81914 arch/x86/include/asm/fpu-internal.h | 6 +-
81915 arch/x86/include/asm/futex.h | 16 +-
81916 arch/x86/include/asm/hw_irq.h | 4 +-
81917 arch/x86/include/asm/i8259.h | 2 +-
81918 arch/x86/include/asm/io.h | 21 +-
81919 arch/x86/include/asm/irqflags.h | 5 +
81920 arch/x86/include/asm/kprobes.h | 9 +-
81921 arch/x86/include/asm/local.h | 142 +-
81922 arch/x86/include/asm/mman.h | 15 +
81923 arch/x86/include/asm/mmu.h | 16 +-
81924 arch/x86/include/asm/mmu_context.h | 76 +-
81925 arch/x86/include/asm/module.h | 17 +-
81926 arch/x86/include/asm/nmi.h | 6 +-
81927 arch/x86/include/asm/page_64.h | 2 +-
81928 arch/x86/include/asm/paravirt.h | 46 +-
81929 arch/x86/include/asm/paravirt_types.h | 17 +-
81930 arch/x86/include/asm/pgalloc.h | 23 +
81931 arch/x86/include/asm/pgtable-2level.h | 2 +
81932 arch/x86/include/asm/pgtable-3level.h | 4 +
81933 arch/x86/include/asm/pgtable.h | 113 +-
81934 arch/x86/include/asm/pgtable_32.h | 14 +-
81935 arch/x86/include/asm/pgtable_32_types.h | 15 +-
81936 arch/x86/include/asm/pgtable_64.h | 19 +-
81937 arch/x86/include/asm/pgtable_64_types.h | 5 +
81938 arch/x86/include/asm/pgtable_types.h | 36 +-
81939 arch/x86/include/asm/processor.h | 39 +-
81940 arch/x86/include/asm/ptrace.h | 26 +-
81941 arch/x86/include/asm/realmode.h | 4 +-
81942 arch/x86/include/asm/reboot.h | 10 +-
81943 arch/x86/include/asm/rwsem.h | 60 +-
81944 arch/x86/include/asm/segment.h | 24 +-
81945 arch/x86/include/asm/smp.h | 14 +-
81946 arch/x86/include/asm/spinlock.h | 36 +-
81947 arch/x86/include/asm/stackprotector.h | 4 +-
81948 arch/x86/include/asm/stacktrace.h | 32 +-
81949 arch/x86/include/asm/switch_to.h | 4 +-
81950 arch/x86/include/asm/thread_info.h | 83 +-
81951 arch/x86/include/asm/uaccess.h | 96 +-
81952 arch/x86/include/asm/uaccess_32.h | 106 +-
81953 arch/x86/include/asm/uaccess_64.h | 232 +-
81954 arch/x86/include/asm/word-at-a-time.h | 2 +-
81955 arch/x86/include/asm/x86_init.h | 10 +-
81956 arch/x86/include/asm/xsave.h | 10 +-
81957 arch/x86/include/uapi/asm/e820.h | 2 +-
81958 arch/x86/kernel/Makefile | 2 +-
81959 arch/x86/kernel/acpi/boot.c | 4 +-
81960 arch/x86/kernel/acpi/sleep.c | 4 +
81961 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
81962 arch/x86/kernel/alternative.c | 65 +-
81963 arch/x86/kernel/apic/apic.c | 4 +-
81964 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
81965 arch/x86/kernel/apic/apic_noop.c | 2 +-
81966 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
81967 arch/x86/kernel/apic/es7000_32.c | 5 +-
81968 arch/x86/kernel/apic/io_apic.c | 8 +-
81969 arch/x86/kernel/apic/numaq_32.c | 3 +-
81970 arch/x86/kernel/apic/probe_32.c | 2 +-
81971 arch/x86/kernel/apic/summit_32.c | 2 +-
81972 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
81973 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
81974 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
81975 arch/x86/kernel/apm_32.c | 19 +-
81976 arch/x86/kernel/asm-offsets.c | 20 +
81977 arch/x86/kernel/asm-offsets_64.c | 1 +
81978 arch/x86/kernel/cpu/Makefile | 4 -
81979 arch/x86/kernel/cpu/amd.c | 2 +-
81980 arch/x86/kernel/cpu/common.c | 75 +-
81981 arch/x86/kernel/cpu/intel.c | 2 +-
81982 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
81983 arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
81984 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
81985 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
81986 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
81987 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
81988 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
81989 arch/x86/kernel/cpu/perf_event.c | 8 +-
81990 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
81991 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
81992 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
81993 arch/x86/kernel/cpuid.c | 2 +-
81994 arch/x86/kernel/crash.c | 4 +-
81995 arch/x86/kernel/doublefault_32.c | 8 +-
81996 arch/x86/kernel/dumpstack.c | 30 +-
81997 arch/x86/kernel/dumpstack_32.c | 34 +-
81998 arch/x86/kernel/dumpstack_64.c | 63 +-
81999 arch/x86/kernel/early_printk.c | 1 +
82000 arch/x86/kernel/entry_32.S | 354 ++-
82001 arch/x86/kernel/entry_64.S | 530 ++-
82002 arch/x86/kernel/ftrace.c | 14 +-
82003 arch/x86/kernel/head64.c | 1 -
82004 arch/x86/kernel/head_32.S | 237 +-
82005 arch/x86/kernel/head_64.S | 120 +-
82006 arch/x86/kernel/i386_ksyms_32.c | 8 +
82007 arch/x86/kernel/i387.c | 2 +-
82008 arch/x86/kernel/i8259.c | 10 +-
82009 arch/x86/kernel/io_delay.c | 2 +-
82010 arch/x86/kernel/ioport.c | 2 +-
82011 arch/x86/kernel/irq.c | 8 +-
82012 arch/x86/kernel/irq_32.c | 69 +-
82013 arch/x86/kernel/irq_64.c | 2 +-
82014 arch/x86/kernel/kdebugfs.c | 2 +-
82015 arch/x86/kernel/kgdb.c | 25 +-
82016 arch/x86/kernel/kprobes/core.c | 30 +-
82017 arch/x86/kernel/kprobes/opt.c | 16 +-
82018 arch/x86/kernel/kvm.c | 2 +-
82019 arch/x86/kernel/ldt.c | 31 +-
82020 arch/x86/kernel/machine_kexec_32.c | 6 +-
82021 arch/x86/kernel/microcode_core.c | 2 +-
82022 arch/x86/kernel/microcode_intel.c | 4 +-
82023 arch/x86/kernel/module.c | 76 +-
82024 arch/x86/kernel/msr.c | 2 +-
82025 arch/x86/kernel/nmi.c | 19 +-
82026 arch/x86/kernel/nmi_selftest.c | 4 +-
82027 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
82028 arch/x86/kernel/paravirt.c | 43 +-
82029 arch/x86/kernel/pci-calgary_64.c | 2 +-
82030 arch/x86/kernel/pci-iommu_table.c | 2 +-
82031 arch/x86/kernel/pci-swiotlb.c | 2 +-
82032 arch/x86/kernel/process.c | 57 +-
82033 arch/x86/kernel/process_32.c | 29 +-
82034 arch/x86/kernel/process_64.c | 15 +-
82035 arch/x86/kernel/ptrace.c | 25 +-
82036 arch/x86/kernel/pvclock.c | 8 +-
82037 arch/x86/kernel/reboot.c | 44 +-
82038 arch/x86/kernel/relocate_kernel_64.S | 4 +-
82039 arch/x86/kernel/setup.c | 19 +-
82040 arch/x86/kernel/setup_percpu.c | 29 +-
82041 arch/x86/kernel/signal.c | 15 +-
82042 arch/x86/kernel/smp.c | 2 +-
82043 arch/x86/kernel/smpboot.c | 15 +-
82044 arch/x86/kernel/step.c | 10 +-
82045 arch/x86/kernel/sys_i386_32.c | 248 +
82046 arch/x86/kernel/sys_x86_64.c | 19 +-
82047 arch/x86/kernel/tboot.c | 14 +-
82048 arch/x86/kernel/time.c | 10 +-
82049 arch/x86/kernel/tls.c | 7 +-
82050 arch/x86/kernel/traps.c | 64 +-
82051 arch/x86/kernel/uprobes.c | 2 +-
82052 arch/x86/kernel/vm86_32.c | 6 +-
82053 arch/x86/kernel/vmlinux.lds.S | 148 +-
82054 arch/x86/kernel/vsyscall_64.c | 12 +-
82055 arch/x86/kernel/x8664_ksyms_64.c | 2 -
82056 arch/x86/kernel/x86_init.c | 8 +-
82057 arch/x86/kernel/xsave.c | 2 +
82058 arch/x86/kvm/cpuid.c | 21 +-
82059 arch/x86/kvm/emulate.c | 4 +-
82060 arch/x86/kvm/lapic.c | 2 +-
82061 arch/x86/kvm/paging_tmpl.h | 2 +-
82062 arch/x86/kvm/svm.c | 8 +
82063 arch/x86/kvm/vmx.c | 57 +-
82064 arch/x86/kvm/x86.c | 10 +-
82065 arch/x86/lguest/boot.c | 3 +-
82066 arch/x86/lib/atomic64_386_32.S | 164 +
82067 arch/x86/lib/atomic64_cx8_32.S | 103 +-
82068 arch/x86/lib/checksum_32.S | 100 +-
82069 arch/x86/lib/clear_page_64.S | 5 +-
82070 arch/x86/lib/cmpxchg16b_emu.S | 2 +
82071 arch/x86/lib/copy_page_64.S | 24 +-
82072 arch/x86/lib/copy_user_64.S | 47 +-
82073 arch/x86/lib/copy_user_nocache_64.S | 20 +-
82074 arch/x86/lib/csum-copy_64.S | 2 +
82075 arch/x86/lib/csum-wrappers_64.c | 4 +-
82076 arch/x86/lib/getuser.S | 70 +-
82077 arch/x86/lib/insn.c | 6 +-
82078 arch/x86/lib/iomap_copy_64.S | 2 +
82079 arch/x86/lib/memcpy_64.S | 18 +-
82080 arch/x86/lib/memmove_64.S | 34 +-
82081 arch/x86/lib/memset_64.S | 7 +-
82082 arch/x86/lib/mmx_32.c | 243 +-
82083 arch/x86/lib/msr-reg.S | 18 +-
82084 arch/x86/lib/putuser.S | 90 +-
82085 arch/x86/lib/rwlock.S | 42 +
82086 arch/x86/lib/rwsem.S | 6 +-
82087 arch/x86/lib/thunk_64.S | 2 +
82088 arch/x86/lib/usercopy_32.c | 376 +-
82089 arch/x86/lib/usercopy_64.c | 25 +-
82090 arch/x86/mm/extable.c | 25 +-
82091 arch/x86/mm/fault.c | 556 ++-
82092 arch/x86/mm/gup.c | 2 +-
82093 arch/x86/mm/highmem_32.c | 4 +
82094 arch/x86/mm/hugetlbpage.c | 30 +-
82095 arch/x86/mm/init.c | 90 +-
82096 arch/x86/mm/init_32.c | 119 +-
82097 arch/x86/mm/init_64.c | 44 +-
82098 arch/x86/mm/iomap_32.c | 4 +
82099 arch/x86/mm/ioremap.c | 15 +-
82100 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
82101 arch/x86/mm/mmap.c | 41 +-
82102 arch/x86/mm/mmio-mod.c | 10 +-
82103 arch/x86/mm/numa.c | 2 +-
82104 arch/x86/mm/pageattr-test.c | 2 +-
82105 arch/x86/mm/pageattr.c | 33 +-
82106 arch/x86/mm/pat.c | 12 +-
82107 arch/x86/mm/pf_in.c | 10 +-
82108 arch/x86/mm/pgtable.c | 137 +-
82109 arch/x86/mm/pgtable_32.c | 3 +
82110 arch/x86/mm/physaddr.c | 4 +-
82111 arch/x86/mm/setup_nx.c | 7 +
82112 arch/x86/mm/tlb.c | 4 +
82113 arch/x86/net/bpf_jit.S | 14 +
82114 arch/x86/net/bpf_jit_comp.c | 37 +-
82115 arch/x86/oprofile/backtrace.c | 8 +-
82116 arch/x86/oprofile/nmi_int.c | 8 +-
82117 arch/x86/oprofile/op_model_amd.c | 8 +-
82118 arch/x86/oprofile/op_model_ppro.c | 7 +-
82119 arch/x86/oprofile/op_x86_model.h | 2 +-
82120 arch/x86/pci/amd_bus.c | 2 +-
82121 arch/x86/pci/irq.c | 8 +-
82122 arch/x86/pci/mrst.c | 4 +-
82123 arch/x86/pci/pcbios.c | 144 +-
82124 arch/x86/platform/efi/efi_32.c | 19 +
82125 arch/x86/platform/efi/efi_stub_32.S | 64 +-
82126 arch/x86/platform/efi/efi_stub_64.S | 8 +
82127 arch/x86/platform/mrst/mrst.c | 6 +-
82128 arch/x86/platform/olpc/olpc_dt.c | 2 +-
82129 arch/x86/power/cpu.c | 4 +-
82130 arch/x86/realmode/init.c | 8 +-
82131 arch/x86/realmode/rm/Makefile | 3 +
82132 arch/x86/realmode/rm/header.S | 4 +-
82133 arch/x86/realmode/rm/trampoline_32.S | 12 +-
82134 arch/x86/realmode/rm/trampoline_64.S | 2 +-
82135 arch/x86/tools/relocs.c | 95 +-
82136 arch/x86/vdso/Makefile | 2 +-
82137 arch/x86/vdso/vdso32-setup.c | 23 +-
82138 arch/x86/vdso/vma.c | 29 +-
82139 arch/x86/xen/enlighten.c | 47 +-
82140 arch/x86/xen/mmu.c | 9 +
82141 arch/x86/xen/smp.c | 18 +-
82142 arch/x86/xen/xen-asm_32.S | 12 +-
82143 arch/x86/xen/xen-head.S | 11 +
82144 arch/x86/xen/xen-ops.h | 2 -
82145 block/blk-iopoll.c | 4 +-
82146 block/blk-map.c | 2 +-
82147 block/blk-softirq.c | 4 +-
82148 block/bsg.c | 12 +-
82149 block/compat_ioctl.c | 2 +-
82150 block/partitions/efi.c | 8 +-
82151 block/scsi_ioctl.c | 27 +-
82152 crypto/cryptd.c | 4 +-
82153 drivers/acpi/apei/apei-internal.h | 2 +-
82154 drivers/acpi/apei/cper.c | 8 +-
82155 drivers/acpi/bgrt.c | 6 +-
82156 drivers/acpi/blacklist.c | 4 +-
82157 drivers/acpi/ec_sys.c | 12 +-
82158 drivers/acpi/processor_idle.c | 2 +-
82159 drivers/acpi/sysfs.c | 4 +-
82160 drivers/ata/libahci.c | 2 +-
82161 drivers/ata/libata-core.c | 8 +-
82162 drivers/ata/pata_arasan_cf.c | 4 +-
82163 drivers/atm/adummy.c | 2 +-
82164 drivers/atm/ambassador.c | 8 +-
82165 drivers/atm/atmtcp.c | 14 +-
82166 drivers/atm/eni.c | 10 +-
82167 drivers/atm/firestream.c | 8 +-
82168 drivers/atm/fore200e.c | 14 +-
82169 drivers/atm/he.c | 18 +-
82170 drivers/atm/horizon.c | 4 +-
82171 drivers/atm/idt77252.c | 36 +-
82172 drivers/atm/iphase.c | 34 +-
82173 drivers/atm/lanai.c | 12 +-
82174 drivers/atm/nicstar.c | 46 +-
82175 drivers/atm/solos-pci.c | 4 +-
82176 drivers/atm/suni.c | 4 +-
82177 drivers/atm/uPD98402.c | 16 +-
82178 drivers/atm/zatm.c | 6 +-
82179 drivers/base/bus.c | 4 +-
82180 drivers/base/devtmpfs.c | 2 +-
82181 drivers/base/node.c | 2 +-
82182 drivers/base/power/domain.c | 4 +-
82183 drivers/base/power/wakeup.c | 8 +-
82184 drivers/base/syscore.c | 4 +-
82185 drivers/block/cciss.c | 28 +-
82186 drivers/block/cciss.h | 2 +-
82187 drivers/block/cpqarray.c | 28 +-
82188 drivers/block/cpqarray.h | 2 +-
82189 drivers/block/drbd/drbd_int.h | 6 +-
82190 drivers/block/drbd/drbd_main.c | 8 +-
82191 drivers/block/drbd/drbd_receiver.c | 22 +-
82192 drivers/block/loop.c | 2 +-
82193 drivers/block/pktcdvd.c | 2 +-
82194 drivers/cdrom/cdrom.c | 9 +-
82195 drivers/cdrom/gdrom.c | 1 -
82196 drivers/char/agp/frontend.c | 2 +-
82197 drivers/char/hpet.c | 2 +-
82198 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
82199 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
82200 drivers/char/mem.c | 41 +-
82201 drivers/char/nvram.c | 2 +-
82202 drivers/char/pcmcia/synclink_cs.c | 18 +-
82203 drivers/char/random.c | 10 +-
82204 drivers/char/sonypi.c | 9 +-
82205 drivers/char/tpm/tpm_acpi.c | 3 +-
82206 drivers/char/tpm/tpm_eventlog.c | 7 +-
82207 drivers/char/virtio_console.c | 4 +-
82208 drivers/clocksource/arm_arch_timer.c | 2 +-
82209 drivers/clocksource/metag_generic.c | 2 +-
82210 drivers/cpufreq/acpi-cpufreq.c | 20 +-
82211 drivers/cpufreq/cpufreq.c | 9 +-
82212 drivers/cpufreq/cpufreq_governor.c | 4 +-
82213 drivers/cpufreq/cpufreq_governor.h | 2 +-
82214 drivers/cpufreq/cpufreq_stats.c | 2 +-
82215 drivers/cpufreq/p4-clockmod.c | 12 +-
82216 drivers/cpufreq/speedstep-centrino.c | 7 +-
82217 drivers/cpuidle/cpuidle.c | 2 +-
82218 drivers/cpuidle/governor.c | 4 +-
82219 drivers/cpuidle/sysfs.c | 2 +-
82220 drivers/devfreq/devfreq.c | 4 +-
82221 drivers/dma/sh/shdma.c | 2 +-
82222 drivers/edac/edac_mc_sysfs.c | 12 +-
82223 drivers/edac/edac_pci_sysfs.c | 22 +-
82224 drivers/edac/mce_amd.h | 2 +-
82225 drivers/firewire/core-card.c | 2 +-
82226 drivers/firewire/core-cdev.c | 3 +-
82227 drivers/firewire/core-device.c | 2 +-
82228 drivers/firewire/core-transaction.c | 1 +
82229 drivers/firewire/core.h | 1 +
82230 drivers/firmware/dmi-id.c | 2 +-
82231 drivers/firmware/dmi_scan.c | 7 +-
82232 drivers/firmware/efivars.c | 4 +-
82233 drivers/firmware/google/memconsole.c | 4 +-
82234 drivers/gpio/gpio-ich.c | 2 +-
82235 drivers/gpio/gpio-vr41xx.c | 2 +-
82236 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
82237 drivers/gpu/drm/drm_drv.c | 6 +-
82238 drivers/gpu/drm/drm_fops.c | 18 +-
82239 drivers/gpu/drm/drm_global.c | 14 +-
82240 drivers/gpu/drm/drm_info.c | 14 +-
82241 drivers/gpu/drm/drm_ioc32.c | 13 +-
82242 drivers/gpu/drm/drm_ioctl.c | 2 +-
82243 drivers/gpu/drm/drm_lock.c | 4 +-
82244 drivers/gpu/drm/drm_stub.c | 2 +-
82245 drivers/gpu/drm/i810/i810_dma.c | 8 +-
82246 drivers/gpu/drm/i810/i810_drv.h | 4 +-
82247 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
82248 drivers/gpu/drm/i915/i915_dma.c | 2 +-
82249 drivers/gpu/drm/i915/i915_drv.h | 4 +-
82250 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
82251 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
82252 drivers/gpu/drm/i915/i915_irq.c | 22 +-
82253 drivers/gpu/drm/i915/intel_display.c | 26 +-
82254 drivers/gpu/drm/mga/mga_drv.h | 4 +-
82255 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
82256 drivers/gpu/drm/mga/mga_irq.c | 8 +-
82257 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
82258 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
82259 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
82260 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
82261 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
82262 drivers/gpu/drm/r128/r128_cce.c | 2 +-
82263 drivers/gpu/drm/r128/r128_drv.h | 4 +-
82264 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
82265 drivers/gpu/drm/r128/r128_irq.c | 4 +-
82266 drivers/gpu/drm/r128/r128_state.c | 4 +-
82267 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
82268 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
82269 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
82270 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
82271 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
82272 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
82273 drivers/gpu/drm/radeon/radeon_ttm.c | 37 +-
82274 drivers/gpu/drm/radeon/rs690.c | 4 +-
82275 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
82276 drivers/gpu/drm/udl/udl_fb.c | 1 -
82277 drivers/gpu/drm/via/via_drv.h | 4 +-
82278 drivers/gpu/drm/via/via_irq.c | 18 +-
82279 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
82280 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
82281 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
82282 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
82283 drivers/hid/hid-core.c | 4 +-
82284 drivers/hv/channel.c | 4 +-
82285 drivers/hv/hv.c | 2 +-
82286 drivers/hv/hyperv_vmbus.h | 2 +-
82287 drivers/hv/vmbus_drv.c | 4 +-
82288 drivers/hwmon/acpi_power_meter.c | 4 +-
82289 drivers/hwmon/applesmc.c | 2 +-
82290 drivers/hwmon/asus_atk0110.c | 10 +-
82291 drivers/hwmon/coretemp.c | 2 +-
82292 drivers/hwmon/ibmaem.c | 2 +-
82293 drivers/hwmon/sht15.c | 12 +-
82294 drivers/hwmon/via-cputemp.c | 2 +-
82295 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
82296 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
82297 drivers/ide/ide-cd.c | 2 +-
82298 drivers/iio/industrialio-core.c | 2 +-
82299 drivers/infiniband/core/cm.c | 32 +-
82300 drivers/infiniband/core/fmr_pool.c | 20 +-
82301 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
82302 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
82303 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
82304 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
82305 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
82306 drivers/infiniband/hw/nes/nes.c | 4 +-
82307 drivers/infiniband/hw/nes/nes.h | 40 +-
82308 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
82309 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
82310 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
82311 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
82312 drivers/infiniband/hw/qib/qib.h | 1 +
82313 drivers/input/gameport/gameport.c | 4 +-
82314 drivers/input/input.c | 4 +-
82315 drivers/input/joystick/sidewinder.c | 1 +
82316 drivers/input/joystick/xpad.c | 4 +-
82317 drivers/input/mouse/psmouse.h | 2 +-
82318 drivers/input/mousedev.c | 2 +-
82319 drivers/input/serio/serio.c | 4 +-
82320 drivers/iommu/iommu.c | 2 +-
82321 drivers/iommu/irq_remapping.c | 10 +-
82322 drivers/irqchip/irq-gic.c | 4 +-
82323 drivers/isdn/capi/capi.c | 10 +-
82324 drivers/isdn/gigaset/interface.c | 8 +-
82325 drivers/isdn/hardware/avm/b1.c | 4 +-
82326 drivers/isdn/i4l/isdn_tty.c | 22 +-
82327 drivers/isdn/icn/icn.c | 2 +-
82328 drivers/leds/leds-clevo-mail.c | 2 +-
82329 drivers/leds/leds-ss4200.c | 2 +-
82330 drivers/lguest/core.c | 10 +-
82331 drivers/lguest/page_tables.c | 2 +-
82332 drivers/lguest/x86/core.c | 12 +-
82333 drivers/lguest/x86/switcher_32.S | 27 +-
82334 drivers/md/bitmap.c | 2 +-
82335 drivers/md/dm-ioctl.c | 2 +-
82336 drivers/md/dm-raid1.c | 16 +-
82337 drivers/md/dm-stripe.c | 10 +-
82338 drivers/md/dm-table.c | 2 +-
82339 drivers/md/dm-thin-metadata.c | 4 +-
82340 drivers/md/dm.c | 16 +-
82341 drivers/md/md.c | 26 +-
82342 drivers/md/md.h | 6 +-
82343 drivers/md/persistent-data/dm-space-map.h | 1 +
82344 drivers/md/raid1.c | 4 +-
82345 drivers/md/raid10.c | 16 +-
82346 drivers/md/raid5.c | 10 +-
82347 drivers/media/dvb-core/dvbdev.c | 2 +-
82348 drivers/media/dvb-frontends/dib3000.h | 2 +-
82349 drivers/media/pci/cx88/cx88-video.c | 6 +-
82350 drivers/media/platform/omap/omap_vout.c | 11 +-
82351 drivers/media/platform/s5p-tv/mixer.h | 2 +-
82352 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
82353 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
82354 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
82355 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
82356 drivers/media/radio/radio-cadet.c | 2 +
82357 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
82358 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
82359 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
82360 drivers/message/fusion/mptsas.c | 34 +-
82361 drivers/message/fusion/mptscsih.c | 19 +-
82362 drivers/message/i2o/i2o_proc.c | 51 +-
82363 drivers/message/i2o/iop.c | 8 +-
82364 drivers/mfd/janz-cmodio.c | 1 +
82365 drivers/mfd/twl4030-irq.c | 9 +-
82366 drivers/mfd/twl6030-irq.c | 10 +-
82367 drivers/misc/c2port/core.c | 4 +-
82368 drivers/misc/kgdbts.c | 4 +-
82369 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
82370 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
82371 drivers/misc/sgi-gru/gruhandles.c | 4 +-
82372 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
82373 drivers/misc/sgi-gru/grutables.h | 154 +-
82374 drivers/misc/sgi-xp/xp.h | 2 +-
82375 drivers/misc/sgi-xp/xpc.h | 3 +-
82376 drivers/misc/sgi-xp/xpc_main.c | 4 +-
82377 drivers/mmc/core/mmc_ops.c | 2 +-
82378 drivers/mmc/host/dw_mmc.h | 2 +-
82379 drivers/mmc/host/sdhci-s3c.c | 8 +-
82380 drivers/mtd/devices/doc2000.c | 2 +-
82381 drivers/mtd/nand/denali.c | 1 +
82382 drivers/mtd/nftlmount.c | 1 +
82383 drivers/mtd/sm_ftl.c | 2 +-
82384 drivers/net/bonding/bond_main.c | 2 +-
82385 drivers/net/ethernet/8390/ax88796.c | 4 +-
82386 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
82387 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
82388 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
82389 drivers/net/ethernet/broadcom/tg3.h | 1 +
82390 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
82391 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
82392 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
82393 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
82394 drivers/net/ethernet/faraday/ftmac100.c | 2 +
82395 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
82396 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
82397 drivers/net/ethernet/realtek/r8169.c | 8 +-
82398 drivers/net/ethernet/sfc/ptp.c | 2 +-
82399 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
82400 drivers/net/hyperv/hyperv_net.h | 2 +-
82401 drivers/net/hyperv/rndis_filter.c | 4 +-
82402 drivers/net/ieee802154/fakehard.c | 2 +-
82403 drivers/net/macvlan.c | 18 +-
82404 drivers/net/macvtap.c | 2 +-
82405 drivers/net/ppp/ppp_generic.c | 4 +-
82406 drivers/net/slip/slhc.c | 2 +-
82407 drivers/net/team/team.c | 2 +-
82408 drivers/net/tun.c | 5 +-
82409 drivers/net/usb/hso.c | 23 +-
82410 drivers/net/vxlan.c | 2 +-
82411 drivers/net/wireless/at76c50x-usb.c | 2 +-
82412 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
82413 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
82414 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
82415 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
82416 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
82417 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
82418 drivers/net/wireless/mac80211_hwsim.c | 32 +-
82419 drivers/net/wireless/rndis_wlan.c | 2 +-
82420 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
82421 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
82422 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
82423 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
82424 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
82425 drivers/oprofile/buffer_sync.c | 8 +-
82426 drivers/oprofile/event_buffer.c | 2 +-
82427 drivers/oprofile/oprof.c | 2 +-
82428 drivers/oprofile/oprofile_files.c | 2 +-
82429 drivers/oprofile/oprofile_stats.c | 10 +-
82430 drivers/oprofile/oprofile_stats.h | 10 +-
82431 drivers/oprofile/oprofilefs.c | 2 +-
82432 drivers/oprofile/timer_int.c | 2 +-
82433 drivers/parport/procfs.c | 4 +-
82434 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
82435 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
82436 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
82437 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
82438 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
82439 drivers/pci/hotplug/pciehp_core.c | 2 +-
82440 drivers/pci/pci-sysfs.c | 6 +-
82441 drivers/pci/pci.h | 2 +-
82442 drivers/pci/pcie/aspm.c | 6 +-
82443 drivers/pci/probe.c | 2 +-
82444 drivers/platform/x86/msi-laptop.c | 14 +-
82445 drivers/platform/x86/sony-laptop.c | 2 +-
82446 drivers/platform/x86/thinkpad_acpi.c | 70 +-
82447 drivers/pnp/pnpbios/bioscalls.c | 14 +-
82448 drivers/pnp/resource.c | 4 +-
82449 drivers/power/pda_power.c | 7 +-
82450 drivers/power/power_supply.h | 4 +-
82451 drivers/power/power_supply_core.c | 7 +-
82452 drivers/power/power_supply_sysfs.c | 6 +-
82453 drivers/regulator/max8660.c | 6 +-
82454 drivers/regulator/max8973-regulator.c | 8 +-
82455 drivers/regulator/mc13892-regulator.c | 6 +-
82456 drivers/rtc/rtc-cmos.c | 4 +-
82457 drivers/rtc/rtc-ds1307.c | 2 +-
82458 drivers/rtc/rtc-m48t59.c | 4 +-
82459 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
82460 drivers/scsi/bfa/bfa_ioc.h | 4 +-
82461 drivers/scsi/hosts.c | 4 +-
82462 drivers/scsi/hpsa.c | 30 +-
82463 drivers/scsi/hpsa.h | 2 +-
82464 drivers/scsi/libfc/fc_exch.c | 50 +-
82465 drivers/scsi/libsas/sas_ata.c | 2 +-
82466 drivers/scsi/lpfc/lpfc.h | 8 +-
82467 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
82468 drivers/scsi/lpfc/lpfc_init.c | 6 +-
82469 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
82470 drivers/scsi/pmcraid.c | 20 +-
82471 drivers/scsi/pmcraid.h | 8 +-
82472 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
82473 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
82474 drivers/scsi/qla2xxx/qla_os.c | 6 +-
82475 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
82476 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
82477 drivers/scsi/scsi.c | 2 +-
82478 drivers/scsi/scsi_lib.c | 6 +-
82479 drivers/scsi/scsi_sysfs.c | 2 +-
82480 drivers/scsi/scsi_tgt_lib.c | 2 +-
82481 drivers/scsi/scsi_transport_fc.c | 8 +-
82482 drivers/scsi/scsi_transport_iscsi.c | 6 +-
82483 drivers/scsi/scsi_transport_srp.c | 6 +-
82484 drivers/scsi/sd.c | 2 +-
82485 drivers/scsi/sg.c | 2 +-
82486 drivers/spi/spi.c | 2 +-
82487 drivers/staging/iio/iio_hwmon.c | 2 +-
82488 drivers/staging/octeon/ethernet-rx.c | 12 +-
82489 drivers/staging/octeon/ethernet.c | 8 +-
82490 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
82491 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
82492 drivers/staging/usbip/vhci.h | 2 +-
82493 drivers/staging/usbip/vhci_hcd.c | 6 +-
82494 drivers/staging/usbip/vhci_rx.c | 2 +-
82495 drivers/staging/vt6655/hostap.c | 7 +-
82496 drivers/staging/vt6656/hostap.c | 7 +-
82497 drivers/staging/zcache/tmem.c | 4 +-
82498 drivers/staging/zcache/tmem.h | 2 +
82499 drivers/target/target_core_device.c | 2 +-
82500 drivers/target/target_core_transport.c | 2 +-
82501 drivers/tty/cyclades.c | 6 +-
82502 drivers/tty/hvc/hvc_console.c | 14 +-
82503 drivers/tty/hvc/hvcs.c | 21 +-
82504 drivers/tty/ipwireless/tty.c | 27 +-
82505 drivers/tty/moxa.c | 2 +-
82506 drivers/tty/n_gsm.c | 4 +-
82507 drivers/tty/n_tty.c | 3 +-
82508 drivers/tty/pty.c | 4 +-
82509 drivers/tty/rocket.c | 6 +-
82510 drivers/tty/serial/kgdboc.c | 32 +-
82511 drivers/tty/serial/samsung.c | 9 +-
82512 drivers/tty/serial/serial_core.c | 8 +-
82513 drivers/tty/synclink.c | 34 +-
82514 drivers/tty/synclink_gt.c | 28 +-
82515 drivers/tty/synclinkmp.c | 34 +-
82516 drivers/tty/tty_io.c | 2 +-
82517 drivers/tty/tty_ldisc.c | 10 +-
82518 drivers/tty/tty_port.c | 22 +-
82519 drivers/uio/uio.c | 21 +-
82520 drivers/usb/atm/cxacru.c | 2 +-
82521 drivers/usb/atm/usbatm.c | 24 +-
82522 drivers/usb/core/devices.c | 6 +-
82523 drivers/usb/core/hcd.c | 4 +-
82524 drivers/usb/core/message.c | 2 +-
82525 drivers/usb/core/sysfs.c | 2 +-
82526 drivers/usb/core/usb.c | 2 +-
82527 drivers/usb/early/ehci-dbgp.c | 16 +-
82528 drivers/usb/gadget/u_serial.c | 22 +-
82529 drivers/usb/serial/console.c | 6 +-
82530 drivers/usb/storage/usb.h | 2 +-
82531 drivers/usb/wusbcore/wa-hc.h | 4 +-
82532 drivers/usb/wusbcore/wa-xfer.c | 2 +-
82533 drivers/video/aty/aty128fb.c | 2 +-
82534 drivers/video/aty/atyfb_base.c | 8 +-
82535 drivers/video/aty/mach64_cursor.c | 5 +-
82536 drivers/video/backlight/kb3886_bl.c | 2 +-
82537 drivers/video/fb_defio.c | 6 +-
82538 drivers/video/fbcmap.c | 3 +-
82539 drivers/video/fbmem.c | 6 +-
82540 drivers/video/i810/i810_accel.c | 1 +
82541 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
82542 drivers/video/nvidia/nvidia.c | 27 +-
82543 drivers/video/s1d13xxxfb.c | 6 +-
82544 drivers/video/smscufx.c | 4 +-
82545 drivers/video/udlfb.c | 36 +-
82546 drivers/video/uvesafb.c | 53 +-
82547 drivers/video/vesafb.c | 58 +-
82548 drivers/video/via/via_clock.h | 2 +-
82549 fs/9p/vfs_inode.c | 2 +-
82550 fs/Kconfig.binfmt | 2 +-
82551 fs/aio.c | 11 +-
82552 fs/autofs4/waitq.c | 2 +-
82553 fs/befs/endian.h | 4 +-
82554 fs/befs/linuxvfs.c | 2 +-
82555 fs/binfmt_aout.c | 23 +-
82556 fs/binfmt_elf.c | 605 +++-
82557 fs/binfmt_flat.c | 6 +
82558 fs/bio.c | 6 +-
82559 fs/block_dev.c | 2 +-
82560 fs/btrfs/ctree.c | 9 +-
82561 fs/btrfs/super.c | 2 +-
82562 fs/cachefiles/bind.c | 6 +-
82563 fs/cachefiles/daemon.c | 8 +-
82564 fs/cachefiles/internal.h | 12 +-
82565 fs/cachefiles/namei.c | 2 +-
82566 fs/cachefiles/proc.c | 12 +-
82567 fs/cachefiles/rdwr.c | 2 +-
82568 fs/ceph/dir.c | 2 +-
82569 fs/cifs/cifs_debug.c | 12 +-
82570 fs/cifs/cifsfs.c | 8 +-
82571 fs/cifs/cifsglob.h | 54 +-
82572 fs/cifs/link.c | 2 +-
82573 fs/cifs/misc.c | 4 +-
82574 fs/cifs/smb1ops.c | 80 +-
82575 fs/cifs/smb2ops.c | 84 +-
82576 fs/cifs/smb2pdu.c | 3 +-
82577 fs/coda/cache.c | 10 +-
82578 fs/compat.c | 6 +-
82579 fs/compat_binfmt_elf.c | 2 +
82580 fs/compat_ioctl.c | 8 +-
82581 fs/configfs/dir.c | 10 +-
82582 fs/coredump.c | 24 +-
82583 fs/dcache.c | 2 +-
82584 fs/ecryptfs/inode.c | 4 +-
82585 fs/ecryptfs/miscdev.c | 2 +-
82586 fs/ecryptfs/read_write.c | 2 +-
82587 fs/exec.c | 362 ++-
82588 fs/ext4/ext4.h | 20 +-
82589 fs/ext4/mballoc.c | 44 +-
82590 fs/ext4/super.c | 2 +-
82591 fs/fhandle.c | 3 +-
82592 fs/fifo.c | 22 +-
82593 fs/fs_struct.c | 8 +-
82594 fs/fscache/cookie.c | 36 +-
82595 fs/fscache/internal.h | 196 +-
82596 fs/fscache/object.c | 28 +-
82597 fs/fscache/operation.c | 30 +-
82598 fs/fscache/page.c | 110 +-
82599 fs/fscache/stats.c | 344 +-
82600 fs/fuse/cuse.c | 10 +-
82601 fs/fuse/dev.c | 2 +-
82602 fs/fuse/dir.c | 2 +-
82603 fs/gfs2/inode.c | 2 +-
82604 fs/hugetlbfs/inode.c | 13 +-
82605 fs/inode.c | 4 +-
82606 fs/jffs2/erase.c | 3 +-
82607 fs/jffs2/wbuf.c | 3 +-
82608 fs/jfs/super.c | 6 +-
82609 fs/libfs.c | 10 +-
82610 fs/lockd/clntproc.c | 4 +-
82611 fs/locks.c | 8 +-
82612 fs/namei.c | 15 +-
82613 fs/namespace.c | 2 +-
82614 fs/nfs/callback_xdr.c | 2 +-
82615 fs/nfs/inode.c | 6 +-
82616 fs/nfsd/nfs4proc.c | 2 +-
82617 fs/nfsd/nfs4xdr.c | 6 +-
82618 fs/nfsd/nfscache.c | 8 +-
82619 fs/nfsd/vfs.c | 6 +-
82620 fs/nls/nls_base.c | 18 +-
82621 fs/nls/nls_euc-jp.c | 6 +-
82622 fs/nls/nls_koi8-ru.c | 6 +-
82623 fs/notify/fanotify/fanotify_user.c | 4 +-
82624 fs/notify/notification.c | 4 +-
82625 fs/ntfs/dir.c | 2 +-
82626 fs/ntfs/file.c | 4 +-
82627 fs/ocfs2/localalloc.c | 2 +-
82628 fs/ocfs2/ocfs2.h | 10 +-
82629 fs/ocfs2/suballoc.c | 12 +-
82630 fs/ocfs2/super.c | 20 +-
82631 fs/pipe.c | 33 +-
82632 fs/proc/array.c | 20 +
82633 fs/proc/base.c | 4 +-
82634 fs/proc/kcore.c | 32 +-
82635 fs/proc/meminfo.c | 2 +-
82636 fs/proc/nommu.c | 2 +-
82637 fs/proc/proc_sysctl.c | 18 +-
82638 fs/proc/self.c | 2 +-
82639 fs/proc/task_mmu.c | 39 +-
82640 fs/proc/task_nommu.c | 4 +-
82641 fs/qnx6/qnx6.h | 4 +-
82642 fs/quota/netlink.c | 4 +-
82643 fs/readdir.c | 2 +-
82644 fs/reiserfs/do_balan.c | 2 +-
82645 fs/reiserfs/procfs.c | 2 +-
82646 fs/reiserfs/reiserfs.h | 4 +-
82647 fs/seq_file.c | 2 +-
82648 fs/splice.c | 36 +-
82649 fs/sysfs/bin.c | 6 +-
82650 fs/sysfs/dir.c | 2 +-
82651 fs/sysfs/file.c | 10 +-
82652 fs/sysfs/symlink.c | 2 +-
82653 fs/sysv/sysv.h | 2 +-
82654 fs/ubifs/io.c | 2 +-
82655 fs/udf/misc.c | 2 +-
82656 fs/ufs/swab.h | 4 +-
82657 fs/xattr.c | 21 +
82658 fs/xattr_acl.c | 4 +-
82659 fs/xfs/xfs_bmap.c | 2 +-
82660 fs/xfs/xfs_dir2_sf.c | 10 +-
82661 fs/xfs/xfs_ioctl.c | 2 +-
82662 fs/xfs/xfs_iops.c | 2 +-
82663 include/asm-generic/4level-fixup.h | 2 +
82664 include/asm-generic/atomic-long.h | 210 +
82665 include/asm-generic/atomic.h | 2 +-
82666 include/asm-generic/atomic64.h | 12 +
82667 include/asm-generic/cache.h | 4 +-
82668 include/asm-generic/emergency-restart.h | 2 +-
82669 include/asm-generic/kmap_types.h | 4 +-
82670 include/asm-generic/local.h | 13 +
82671 include/asm-generic/pgtable-nopmd.h | 18 +-
82672 include/asm-generic/pgtable-nopud.h | 15 +-
82673 include/asm-generic/pgtable.h | 8 +
82674 include/asm-generic/vmlinux.lds.h | 10 +-
82675 include/crypto/algapi.h | 2 +-
82676 include/drm/drmP.h | 17 +-
82677 include/drm/drm_crtc_helper.h | 2 +-
82678 include/drm/ttm/ttm_memory.h | 2 +-
82679 include/keys/asymmetric-subtype.h | 2 +-
82680 include/linux/atmdev.h | 4 +-
82681 include/linux/binfmts.h | 3 +-
82682 include/linux/blkdev.h | 2 +-
82683 include/linux/blktrace_api.h | 2 +-
82684 include/linux/cache.h | 4 +
82685 include/linux/cdrom.h | 1 -
82686 include/linux/cleancache.h | 2 +-
82687 include/linux/compat.h | 6 +-
82688 include/linux/compiler-gcc4.h | 20 +
82689 include/linux/compiler.h | 65 +-
82690 include/linux/completion.h | 6 +-
82691 include/linux/configfs.h | 2 +-
82692 include/linux/cpu.h | 2 +-
82693 include/linux/cpufreq.h | 3 +-
82694 include/linux/cpuidle.h | 5 +-
82695 include/linux/cpumask.h | 12 +-
82696 include/linux/crypto.h | 6 +-
82697 include/linux/ctype.h | 2 +-
82698 include/linux/decompress/mm.h | 2 +-
82699 include/linux/devfreq.h | 2 +-
82700 include/linux/device.h | 7 +-
82701 include/linux/dma-mapping.h | 2 +-
82702 include/linux/dmaengine.h | 4 +-
82703 include/linux/efi.h | 1 +
82704 include/linux/elf.h | 2 +
82705 include/linux/err.h | 4 +-
82706 include/linux/extcon.h | 2 +-
82707 include/linux/fb.h | 2 +-
82708 include/linux/filter.h | 4 +
82709 include/linux/frontswap.h | 2 +-
82710 include/linux/fs.h | 3 +-
82711 include/linux/fs_struct.h | 2 +-
82712 include/linux/fscache-cache.h | 4 +-
82713 include/linux/fscache.h | 2 +-
82714 include/linux/fsnotify.h | 2 +-
82715 include/linux/ftrace_event.h | 2 +-
82716 include/linux/genhd.h | 2 +-
82717 include/linux/genl_magic_func.h | 2 +-
82718 include/linux/gfp.h | 12 +-
82719 include/linux/highmem.h | 12 +
82720 include/linux/hwmon-sysfs.h | 5 +-
82721 include/linux/i2c.h | 1 +
82722 include/linux/i2o.h | 2 +-
82723 include/linux/if_pppox.h | 2 +-
82724 include/linux/init.h | 33 +-
82725 include/linux/init_task.h | 7 +
82726 include/linux/interrupt.h | 8 +-
82727 include/linux/iommu.h | 2 +-
82728 include/linux/ioport.h | 2 +-
82729 include/linux/irq.h | 3 +-
82730 include/linux/irqchip/arm-gic.h | 2 +-
82731 include/linux/key-type.h | 2 +-
82732 include/linux/kgdb.h | 6 +-
82733 include/linux/kobject.h | 3 +-
82734 include/linux/kobject_ns.h | 2 +-
82735 include/linux/kref.h | 2 +-
82736 include/linux/kvm_host.h | 4 +-
82737 include/linux/libata.h | 2 +-
82738 include/linux/list.h | 15 +
82739 include/linux/math64.h | 6 +-
82740 include/linux/mm.h | 110 +-
82741 include/linux/mm_types.h | 20 +
82742 include/linux/mmiotrace.h | 4 +-
82743 include/linux/mmzone.h | 2 +-
82744 include/linux/mod_devicetable.h | 6 +-
82745 include/linux/module.h | 60 +-
82746 include/linux/moduleloader.h | 16 +
82747 include/linux/moduleparam.h | 4 +-
82748 include/linux/namei.h | 6 +-
82749 include/linux/net.h | 2 +-
82750 include/linux/netdevice.h | 3 +-
82751 include/linux/netfilter.h | 2 +-
82752 include/linux/netfilter/ipset/ip_set.h | 2 +-
82753 include/linux/netfilter/nfnetlink.h | 2 +-
82754 include/linux/nls.h | 2 +-
82755 include/linux/notifier.h | 3 +-
82756 include/linux/oprofile.h | 4 +-
82757 include/linux/pci_hotplug.h | 3 +-
82758 include/linux/perf_event.h | 12 +-
82759 include/linux/pipe_fs_i.h | 6 +-
82760 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
82761 include/linux/platform_data/usb-exynos.h | 2 +-
82762 include/linux/pm_domain.h | 2 +-
82763 include/linux/pm_runtime.h | 2 +-
82764 include/linux/pnp.h | 2 +-
82765 include/linux/poison.h | 4 +-
82766 include/linux/power/smartreflex.h | 2 +-
82767 include/linux/ppp-comp.h | 2 +-
82768 include/linux/proc_fs.h | 2 +-
82769 include/linux/random.h | 5 +
82770 include/linux/rculist.h | 16 +
82771 include/linux/reboot.h | 14 +-
82772 include/linux/regset.h | 3 +-
82773 include/linux/relay.h | 2 +-
82774 include/linux/rio.h | 2 +-
82775 include/linux/rmap.h | 4 +-
82776 include/linux/sched.h | 67 +-
82777 include/linux/sched/sysctl.h | 1 +
82778 include/linux/seq_file.h | 1 +
82779 include/linux/skbuff.h | 12 +-
82780 include/linux/slab.h | 36 +-
82781 include/linux/slab_def.h | 33 +-
82782 include/linux/slob_def.h | 4 +-
82783 include/linux/slub_def.h | 10 +-
82784 include/linux/sock_diag.h | 2 +-
82785 include/linux/sonet.h | 2 +-
82786 include/linux/sunrpc/addr.h | 8 +-
82787 include/linux/sunrpc/clnt.h | 2 +-
82788 include/linux/sunrpc/svc.h | 2 +-
82789 include/linux/sunrpc/svc_rdma.h | 18 +-
82790 include/linux/sunrpc/svcauth.h | 2 +-
82791 include/linux/swiotlb.h | 3 +-
82792 include/linux/syscalls.h | 2 +-
82793 include/linux/syscore_ops.h | 2 +-
82794 include/linux/sysctl.h | 6 +-
82795 include/linux/sysfs.h | 10 +-
82796 include/linux/sysrq.h | 3 +-
82797 include/linux/thread_info.h | 7 +
82798 include/linux/tty.h | 4 +-
82799 include/linux/tty_driver.h | 2 +-
82800 include/linux/tty_ldisc.h | 2 +-
82801 include/linux/types.h | 16 +
82802 include/linux/uaccess.h | 6 +-
82803 include/linux/unaligned/access_ok.h | 24 +-
82804 include/linux/usb.h | 4 +-
82805 include/linux/usb/renesas_usbhs.h | 2 +-
82806 include/linux/vermagic.h | 21 +-
82807 include/linux/vmalloc.h | 11 +-
82808 include/linux/vmstat.h | 20 +-
82809 include/linux/xattr.h | 5 +-
82810 include/linux/zlib.h | 3 +-
82811 include/media/v4l2-dev.h | 2 +-
82812 include/media/v4l2-ioctl.h | 1 -
82813 include/net/9p/transport.h | 2 +-
82814 include/net/bluetooth/l2cap.h | 2 +-
82815 include/net/caif/cfctrl.h | 6 +-
82816 include/net/flow.h | 2 +-
82817 include/net/genetlink.h | 2 +-
82818 include/net/gro_cells.h | 2 +-
82819 include/net/inet_connection_sock.h | 2 +-
82820 include/net/inetpeer.h | 8 +-
82821 include/net/ip.h | 2 +-
82822 include/net/ip_fib.h | 2 +-
82823 include/net/ip_vs.h | 8 +-
82824 include/net/irda/ircomm_tty.h | 1 +
82825 include/net/iucv/af_iucv.h | 2 +-
82826 include/net/llc_c_ac.h | 2 +-
82827 include/net/llc_c_ev.h | 4 +-
82828 include/net/llc_c_st.h | 2 +-
82829 include/net/llc_s_ac.h | 2 +-
82830 include/net/llc_s_st.h | 2 +-
82831 include/net/mac80211.h | 2 +-
82832 include/net/neighbour.h | 2 +-
82833 include/net/net_namespace.h | 12 +-
82834 include/net/netdma.h | 2 +-
82835 include/net/netlink.h | 2 +-
82836 include/net/netns/conntrack.h | 6 +-
82837 include/net/netns/ipv4.h | 2 +-
82838 include/net/protocol.h | 4 +-
82839 include/net/rtnetlink.h | 2 +-
82840 include/net/sctp/sctp.h | 6 +-
82841 include/net/sctp/sm.h | 4 +-
82842 include/net/sctp/structs.h | 2 +-
82843 include/net/sock.h | 6 +-
82844 include/net/tcp.h | 8 +-
82845 include/net/xfrm.h | 8 +-
82846 include/rdma/iw_cm.h | 2 +-
82847 include/scsi/libfc.h | 3 +-
82848 include/scsi/scsi_device.h | 6 +-
82849 include/scsi/scsi_transport_fc.h | 3 +-
82850 include/sound/soc.h | 4 +-
82851 include/target/target_core_base.h | 2 +-
82852 include/trace/events/irq.h | 4 +-
82853 include/uapi/linux/a.out.h | 8 +
82854 include/uapi/linux/byteorder/little_endian.h | 28 +-
82855 include/uapi/linux/elf.h | 28 +
82856 include/uapi/linux/screen_info.h | 3 +-
82857 include/uapi/linux/swab.h | 6 +-
82858 include/uapi/linux/sysctl.h | 6 +-
82859 include/uapi/linux/xattr.h | 4 +
82860 include/video/udlfb.h | 8 +-
82861 include/video/uvesafb.h | 1 +
82862 init/Kconfig | 2 +-
82863 init/Makefile | 3 +
82864 init/do_mounts.c | 14 +-
82865 init/do_mounts.h | 8 +-
82866 init/do_mounts_initrd.c | 22 +-
82867 init/do_mounts_md.c | 6 +-
82868 init/init_task.c | 4 +
82869 init/initramfs.c | 40 +-
82870 init/main.c | 77 +-
82871 ipc/ipc_sysctl.c | 10 +-
82872 ipc/mq_sysctl.c | 2 +-
82873 ipc/msg.c | 11 +-
82874 ipc/sem.c | 11 +-
82875 ipc/shm.c | 17 +-
82876 kernel/acct.c | 2 +-
82877 kernel/audit.c | 8 +-
82878 kernel/auditsc.c | 4 +-
82879 kernel/capability.c | 3 +
82880 kernel/compat.c | 40 +-
82881 kernel/debug/debug_core.c | 16 +-
82882 kernel/debug/kdb/kdb_main.c | 4 +-
82883 kernel/events/core.c | 28 +-
82884 kernel/exit.c | 4 +-
82885 kernel/fork.c | 167 +-
82886 kernel/futex.c | 9 +
82887 kernel/futex_compat.c | 2 +-
82888 kernel/gcov/base.c | 7 +-
82889 kernel/hrtimer.c | 4 +-
82890 kernel/irq_work.c | 7 +-
82891 kernel/jump_label.c | 5 +
82892 kernel/kallsyms.c | 39 +-
82893 kernel/kexec.c | 3 +-
82894 kernel/kmod.c | 4 +-
82895 kernel/kprobes.c | 8 +-
82896 kernel/ksysfs.c | 2 +-
82897 kernel/lockdep.c | 7 +-
82898 kernel/module.c | 337 +-
82899 kernel/mutex-debug.c | 12 +-
82900 kernel/mutex-debug.h | 4 +-
82901 kernel/mutex.c | 7 +-
82902 kernel/notifier.c | 17 +-
82903 kernel/panic.c | 3 +-
82904 kernel/pid.c | 2 +-
82905 kernel/pid_namespace.c | 2 +-
82906 kernel/posix-cpu-timers.c | 4 +-
82907 kernel/posix-timers.c | 20 +-
82908 kernel/power/process.c | 12 +-
82909 kernel/profile.c | 14 +-
82910 kernel/ptrace.c | 8 +-
82911 kernel/rcupdate.c | 4 +-
82912 kernel/rcutiny.c | 4 +-
82913 kernel/rcutiny_plugin.h | 2 +-
82914 kernel/rcutorture.c | 56 +-
82915 kernel/rcutree.c | 68 +-
82916 kernel/rcutree.h | 24 +-
82917 kernel/rcutree_plugin.h | 20 +-
82918 kernel/rcutree_trace.c | 22 +-
82919 kernel/rtmutex-tester.c | 24 +-
82920 kernel/sched/auto_group.c | 4 +-
82921 kernel/sched/core.c | 51 +-
82922 kernel/sched/fair.c | 4 +-
82923 kernel/signal.c | 12 +-
82924 kernel/smp.c | 2 +-
82925 kernel/smpboot.c | 4 +-
82926 kernel/softirq.c | 18 +-
82927 kernel/srcu.c | 4 +-
82928 kernel/sys.c | 10 +-
82929 kernel/sysctl.c | 39 +-
82930 kernel/time.c | 2 +-
82931 kernel/time/alarmtimer.c | 2 +-
82932 kernel/time/tick-broadcast.c | 2 +-
82933 kernel/time/timer_stats.c | 10 +-
82934 kernel/timer.c | 6 +-
82935 kernel/trace/blktrace.c | 6 +-
82936 kernel/trace/ftrace.c | 20 +-
82937 kernel/trace/ring_buffer.c | 76 +-
82938 kernel/trace/trace.c | 8 +-
82939 kernel/trace/trace.h | 2 +-
82940 kernel/trace/trace_events.c | 25 +-
82941 kernel/trace/trace_mmiotrace.c | 8 +-
82942 kernel/trace/trace_output.c | 12 +-
82943 kernel/trace/trace_stack.c | 2 +-
82944 kernel/user_namespace.c | 2 +-
82945 kernel/utsname_sysctl.c | 2 +-
82946 kernel/watchdog.c | 2 +-
82947 lib/Kconfig.debug | 6 +-
82948 lib/Makefile | 2 +-
82949 lib/bitmap.c | 8 +-
82950 lib/bug.c | 2 +
82951 lib/debugobjects.c | 2 +-
82952 lib/devres.c | 4 +-
82953 lib/div64.c | 4 +-
82954 lib/dma-debug.c | 4 +-
82955 lib/inflate.c | 2 +-
82956 lib/ioremap.c | 4 +-
82957 lib/kobject.c | 4 +-
82958 lib/list_debug.c | 126 +-
82959 lib/radix-tree.c | 2 +-
82960 lib/strncpy_from_user.c | 2 +-
82961 lib/strnlen_user.c | 2 +-
82962 lib/swiotlb.c | 2 +-
82963 lib/vsprintf.c | 12 +-
82964 mm/Kconfig | 6 +-
82965 mm/filemap.c | 2 +-
82966 mm/fremap.c | 5 +
82967 mm/highmem.c | 7 +-
82968 mm/hugetlb.c | 70 +-
82969 mm/internal.h | 1 +
82970 mm/maccess.c | 4 +-
82971 mm/madvise.c | 41 +
82972 mm/memory-failure.c | 26 +-
82973 mm/memory.c | 424 ++-
82974 mm/mempolicy.c | 26 +
82975 mm/mlock.c | 16 +-
82976 mm/mmap.c | 576 ++-
82977 mm/mprotect.c | 139 +-
82978 mm/mremap.c | 44 +-
82979 mm/nommu.c | 21 +-
82980 mm/page-writeback.c | 4 +-
82981 mm/page_alloc.c | 41 +-
82982 mm/percpu.c | 2 +-
82983 mm/process_vm_access.c | 14 +-
82984 mm/rmap.c | 38 +-
82985 mm/shmem.c | 19 +-
82986 mm/slab.c | 105 +-
82987 mm/slab.h | 5 +-
82988 mm/slab_common.c | 11 +-
82989 mm/slob.c | 201 +-
82990 mm/slub.c | 99 +-
82991 mm/sparse-vmemmap.c | 4 +-
82992 mm/sparse.c | 2 +-
82993 mm/swap.c | 3 +
82994 mm/swapfile.c | 12 +-
82995 mm/util.c | 6 +
82996 mm/vmalloc.c | 82 +-
82997 mm/vmstat.c | 12 +-
82998 net/8021q/vlan.c | 5 +-
82999 net/9p/mod.c | 4 +-
83000 net/9p/trans_fd.c | 2 +-
83001 net/atm/atm_misc.c | 8 +-
83002 net/atm/lec.h | 2 +-
83003 net/atm/proc.c | 6 +-
83004 net/atm/resources.c | 4 +-
83005 net/ax25/sysctl_net_ax25.c | 2 +-
83006 net/batman-adv/bat_iv_ogm.c | 8 +-
83007 net/batman-adv/hard-interface.c | 4 +-
83008 net/batman-adv/soft-interface.c | 4 +-
83009 net/batman-adv/types.h | 6 +-
83010 net/batman-adv/unicast.c | 2 +-
83011 net/bluetooth/hci_sock.c | 2 +-
83012 net/bluetooth/l2cap_core.c | 6 +-
83013 net/bluetooth/l2cap_sock.c | 12 +-
83014 net/bluetooth/rfcomm/sock.c | 4 +-
83015 net/bluetooth/rfcomm/tty.c | 10 +-
83016 net/bridge/netfilter/ebtables.c | 6 +-
83017 net/caif/cfctrl.c | 11 +-
83018 net/can/af_can.c | 2 +-
83019 net/can/gw.c | 6 +-
83020 net/compat.c | 34 +-
83021 net/core/datagram.c | 2 +-
83022 net/core/dev.c | 16 +-
83023 net/core/flow.c | 8 +-
83024 net/core/iovec.c | 4 +-
83025 net/core/neighbour.c | 2 +-
83026 net/core/net-sysfs.c | 2 +-
83027 net/core/net_namespace.c | 8 +-
83028 net/core/rtnetlink.c | 13 +-
83029 net/core/scm.c | 8 +-
83030 net/core/sock.c | 24 +-
83031 net/core/sock_diag.c | 9 +-
83032 net/core/sysctl_net_core.c | 18 +-
83033 net/decnet/af_decnet.c | 1 +
83034 net/decnet/sysctl_net_decnet.c | 4 +-
83035 net/ipv4/af_inet.c | 8 +-
83036 net/ipv4/ah4.c | 2 +-
83037 net/ipv4/devinet.c | 14 +-
83038 net/ipv4/esp4.c | 2 +-
83039 net/ipv4/fib_frontend.c | 6 +-
83040 net/ipv4/fib_semantics.c | 2 +-
83041 net/ipv4/inet_connection_sock.c | 2 +-
83042 net/ipv4/inetpeer.c | 4 +-
83043 net/ipv4/ip_fragment.c | 15 +-
83044 net/ipv4/ip_gre.c | 6 +-
83045 net/ipv4/ip_sockglue.c | 2 +-
83046 net/ipv4/ip_vti.c | 4 +-
83047 net/ipv4/ipcomp.c | 2 +-
83048 net/ipv4/ipconfig.c | 6 +-
83049 net/ipv4/ipip.c | 4 +-
83050 net/ipv4/netfilter/arp_tables.c | 12 +-
83051 net/ipv4/netfilter/ip_tables.c | 12 +-
83052 net/ipv4/ping.c | 2 +-
83053 net/ipv4/raw.c | 14 +-
83054 net/ipv4/route.c | 18 +-
83055 net/ipv4/sysctl_net_ipv4.c | 45 +-
83056 net/ipv4/tcp_input.c | 2 +-
83057 net/ipv4/tcp_probe.c | 2 +-
83058 net/ipv4/udp.c | 10 +-
83059 net/ipv4/xfrm4_policy.c | 14 +-
83060 net/ipv6/addrconf.c | 6 +-
83061 net/ipv6/icmp.c | 2 +-
83062 net/ipv6/ip6_gre.c | 8 +-
83063 net/ipv6/ip6_tunnel.c | 4 +-
83064 net/ipv6/ipv6_sockglue.c | 2 +-
83065 net/ipv6/netfilter/ip6_tables.c | 12 +-
83066 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
83067 net/ipv6/raw.c | 19 +-
83068 net/ipv6/reassembly.c | 13 +-
83069 net/ipv6/route.c | 2 +-
83070 net/ipv6/sit.c | 4 +-
83071 net/ipv6/sysctl_net_ipv6.c | 2 +-
83072 net/ipv6/udp.c | 8 +-
83073 net/ipv6/xfrm6_policy.c | 13 +-
83074 net/irda/ircomm/ircomm_tty.c | 18 +-
83075 net/iucv/af_iucv.c | 4 +-
83076 net/iucv/iucv.c | 2 +-
83077 net/key/af_key.c | 4 +-
83078 net/mac80211/cfg.c | 8 +-
83079 net/mac80211/ieee80211_i.h | 3 +-
83080 net/mac80211/iface.c | 14 +-
83081 net/mac80211/main.c | 2 +-
83082 net/mac80211/pm.c | 6 +-
83083 net/mac80211/rate.c | 2 +-
83084 net/mac80211/rc80211_pid_debugfs.c | 2 +-
83085 net/mac80211/util.c | 2 +-
83086 net/netfilter/ipset/ip_set_core.c | 2 +-
83087 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
83088 net/netfilter/ipvs/ip_vs_core.c | 4 +-
83089 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
83090 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
83091 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
83092 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
83093 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
83094 net/netfilter/nf_conntrack_acct.c | 2 +-
83095 net/netfilter/nf_conntrack_ecache.c | 2 +-
83096 net/netfilter/nf_conntrack_helper.c | 2 +-
83097 net/netfilter/nf_conntrack_proto.c | 2 +-
83098 net/netfilter/nf_conntrack_standalone.c | 2 +-
83099 net/netfilter/nf_conntrack_timestamp.c | 2 +-
83100 net/netfilter/nf_log.c | 10 +-
83101 net/netfilter/nf_sockopt.c | 4 +-
83102 net/netfilter/nfnetlink_log.c | 4 +-
83103 net/netfilter/xt_statistic.c | 8 +-
83104 net/netlink/af_netlink.c | 4 +-
83105 net/netlink/genetlink.c | 16 +-
83106 net/packet/af_packet.c | 12 +-
83107 net/phonet/pep.c | 6 +-
83108 net/phonet/socket.c | 2 +-
83109 net/phonet/sysctl.c | 2 +-
83110 net/rds/cong.c | 6 +-
83111 net/rds/ib.h | 2 +-
83112 net/rds/ib_cm.c | 2 +-
83113 net/rds/ib_recv.c | 4 +-
83114 net/rds/iw.h | 2 +-
83115 net/rds/iw_cm.c | 2 +-
83116 net/rds/iw_recv.c | 4 +-
83117 net/rds/rds.h | 2 +-
83118 net/rds/tcp.c | 2 +-
83119 net/rds/tcp_send.c | 2 +-
83120 net/rxrpc/af_rxrpc.c | 2 +-
83121 net/rxrpc/ar-ack.c | 14 +-
83122 net/rxrpc/ar-call.c | 2 +-
83123 net/rxrpc/ar-connection.c | 2 +-
83124 net/rxrpc/ar-connevent.c | 2 +-
83125 net/rxrpc/ar-input.c | 4 +-
83126 net/rxrpc/ar-internal.h | 8 +-
83127 net/rxrpc/ar-local.c | 2 +-
83128 net/rxrpc/ar-output.c | 4 +-
83129 net/rxrpc/ar-peer.c | 2 +-
83130 net/rxrpc/ar-proc.c | 4 +-
83131 net/rxrpc/ar-transport.c | 2 +-
83132 net/rxrpc/rxkad.c | 4 +-
83133 net/sctp/ipv6.c | 6 +-
83134 net/sctp/protocol.c | 10 +-
83135 net/sctp/sm_sideeffect.c | 2 +-
83136 net/sctp/socket.c | 21 +-
83137 net/sctp/sysctl.c | 4 +-
83138 net/socket.c | 18 +-
83139 net/sunrpc/clnt.c | 4 +-
83140 net/sunrpc/sched.c | 4 +-
83141 net/sunrpc/svc.c | 4 +-
83142 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
83143 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
83144 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
83145 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
83146 net/tipc/link.c | 6 +-
83147 net/tipc/msg.c | 2 +-
83148 net/tipc/subscr.c | 2 +-
83149 net/unix/sysctl_net_unix.c | 2 +-
83150 net/wireless/wext-core.c | 19 +-
83151 net/xfrm/xfrm_policy.c | 27 +-
83152 net/xfrm/xfrm_state.c | 29 +-
83153 net/xfrm/xfrm_sysctl.c | 2 +-
83154 scripts/Makefile.build | 2 +-
83155 scripts/Makefile.clean | 3 +-
83156 scripts/Makefile.host | 28 +-
83157 scripts/basic/fixdep.c | 12 +-
83158 scripts/gcc-plugin.sh | 17 +
83159 scripts/headers_install.pl | 1 +
83160 scripts/link-vmlinux.sh | 2 +-
83161 scripts/mod/file2alias.c | 14 +-
83162 scripts/mod/modpost.c | 25 +-
83163 scripts/mod/modpost.h | 6 +-
83164 scripts/mod/sumversion.c | 2 +-
83165 scripts/package/builddeb | 1 +
83166 scripts/pnmtologo.c | 6 +-
83167 scripts/sortextable.h | 6 +-
83168 security/Kconfig | 675 +++-
83169 security/apparmor/lsm.c | 2 +-
83170 security/integrity/ima/ima.h | 4 +-
83171 security/integrity/ima/ima_api.c | 2 +-
83172 security/integrity/ima/ima_fs.c | 4 +-
83173 security/integrity/ima/ima_queue.c | 2 +-
83174 security/keys/compat.c | 2 +-
83175 security/keys/key.c | 18 +-
83176 security/keys/keyctl.c | 8 +-
83177 security/keys/keyring.c | 6 +-
83178 security/security.c | 9 +-
83179 security/selinux/hooks.c | 2 +-
83180 security/selinux/include/xfrm.h | 2 +-
83181 security/smack/smack_lsm.c | 2 +-
83182 security/tomoyo/tomoyo.c | 2 +-
83183 security/yama/yama_lsm.c | 22 +-
83184 sound/aoa/codecs/onyx.c | 7 +-
83185 sound/aoa/codecs/onyx.h | 1 +
83186 sound/core/oss/pcm_oss.c | 18 +-
83187 sound/core/pcm_compat.c | 2 +-
83188 sound/core/pcm_native.c | 4 +-
83189 sound/core/seq/seq_device.c | 8 +-
83190 sound/drivers/mts64.c | 14 +-
83191 sound/drivers/opl4/opl4_lib.c | 2 +-
83192 sound/drivers/portman2x4.c | 3 +-
83193 sound/firewire/amdtp.c | 4 +-
83194 sound/firewire/amdtp.h | 2 +-
83195 sound/firewire/isight.c | 10 +-
83196 sound/firewire/scs1x.c | 8 +-
83197 sound/oss/sb_audio.c | 2 +-
83198 sound/oss/swarm_cs4297a.c | 6 +-
83199 sound/pci/ymfpci/ymfpci.h | 2 +-
83200 sound/pci/ymfpci/ymfpci_main.c | 12 +-
83201 tools/gcc/.gitignore | 1 +
83202 tools/gcc/Makefile | 45 +
83203 tools/gcc/checker_plugin.c | 171 +
83204 tools/gcc/colorize_plugin.c | 151 +
83205 tools/gcc/constify_plugin.c | 518 ++
83206 tools/gcc/generate_size_overflow_hash.sh | 94 +
83207 tools/gcc/kallocstat_plugin.c | 170 +
83208 tools/gcc/kernexec_plugin.c | 465 ++
83209 tools/gcc/latent_entropy_plugin.c | 327 ++
83210 tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++
83211 tools/gcc/size_overflow_plugin.c | 2114 ++++++++
83212 tools/gcc/stackleak_plugin.c | 327 ++
83213 tools/gcc/structleak_plugin.c | 276 +
83214 tools/perf/util/include/asm/alternative-asm.h | 3 +
83215 tools/perf/util/include/linux/compiler.h | 8 +
83216 virt/kvm/kvm_main.c | 32 +-
83217 1555 files changed, 30474 insertions(+), 7126 deletions(-)
83218commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
83219Merge: 0949bd4 fc53d63
83220Author: Brad Spengler <spender@grsecurity.net>
83221Date: Thu Mar 22 19:03:44 2012 -0400
83222
83223 Merge branch 'pax-test' into grsec-test
83224
83225commit fc53d6338964741b368070ec5c935bc579b8c2a6
83226Author: Brad Spengler <spender@grsecurity.net>
83227Date: Thu Mar 22 19:02:45 2012 -0400
83228
83229 Update to pax-linux-3.2.12-test33.patch
83230
83231commit 0949bd46a6455b308f66ad7c993bfee62412db35
83232Author: Brad Spengler <spender@grsecurity.net>
83233Date: Thu Mar 22 16:56:09 2012 -0400
83234
83235 Use current_umask() instead of current->fs->umask
83236
83237commit 22f6432d0fe733619cfcb523782ed7d80c46d645
83238Author: Brad Spengler <spender@grsecurity.net>
83239Date: Wed Mar 21 19:42:42 2012 -0400
83240
83241 compile fix
83242
83243commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
83244Author: Brad Spengler <spender@grsecurity.net>
83245Date: Wed Mar 21 19:34:56 2012 -0400
83246
83247 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
83248 uses of domains with particular hash collisions
83249
83250commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
83251Author: Brad Spengler <spender@grsecurity.net>
83252Date: Tue Mar 20 20:25:49 2012 -0400
83253
83254 zero kernel_role
83255
83256commit b00953b43c69238d181d21121ef1577c988d5f6b
83257Author: Brad Spengler <spender@grsecurity.net>
83258Date: Tue Mar 20 19:29:34 2012 -0400
83259
83260 zero real_root after releasing it
83261
83262commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
83263Merge: b724f59 273f98e
83264Author: Brad Spengler <spender@grsecurity.net>
83265Date: Tue Mar 20 19:11:26 2012 -0400
83266
83267 Merge branch 'pax-test' into grsec-test
83268
83269commit 273f98e58cdac555d3b5dce5c1ca168349f95878
83270Author: Brad Spengler <spender@grsecurity.net>
83271Date: Tue Mar 20 19:10:52 2012 -0400
83272
83273 Temporary workaround for (most) size_overflow plugin false-positives
83274 Increase randomization for brk-managed heap to 21 bits
83275 Update to pax-linux-3.2.12-test32.patch
83276
83277commit b724f59125304460c2af8bd4b02921993afbb5d3
83278Author: Brad Spengler <spender@grsecurity.net>
83279Date: Tue Mar 20 18:58:53 2012 -0400
83280
83281 compile fix
83282
83283commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
83284Author: Brad Spengler <spender@grsecurity.net>
83285Date: Tue Mar 20 18:52:23 2012 -0400
83286
83287 Require default and kernel role
83288
83289commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
83290Author: Brad Spengler <spender@grsecurity.net>
83291Date: Tue Mar 20 18:47:28 2012 -0400
83292
83293 Allow policies without special roles
83294 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
83295
83296commit 402ec3d24d66d38403dc543c84851f5e72d39e22
83297Merge: 8e012dc f14661a
83298Author: Brad Spengler <spender@grsecurity.net>
83299Date: Mon Mar 19 18:06:59 2012 -0400
83300
83301 Merge branch 'pax-test' into grsec-test
83302
83303 Conflicts:
83304 fs/namei.c
83305
83306commit f14661aaf202155c97f66626cea0269017bb7775
83307Merge: eae671f 058b017
83308Author: Brad Spengler <spender@grsecurity.net>
83309Date: Mon Mar 19 18:05:44 2012 -0400
83310
83311 Merge branch 'linux-3.2.y' into pax-test
83312
83313commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
83314Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
83315Date: Fri Mar 16 17:08:39 2012 -0700
83316
83317 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
83318
83319 According to the report from Slicky Devil, nilfs caused kernel oops at
83320 nilfs_load_super_block function during mount after he shrank the
83321 partition without resizing the filesystem:
83322
83323 BUG: unable to handle kernel NULL pointer dereference at 00000048
83324 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
83325 *pde = 00000000
83326 Oops: 0000 [#1] PREEMPT SMP
83327 ...
83328 Call Trace:
83329 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
83330 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
83331 [<c0226636>] mount_fs+0x36/0x180
83332 [<c023d961>] vfs_kern_mount+0x51/0xa0
83333 [<c023ddae>] do_kern_mount+0x3e/0xe0
83334 [<c023f189>] do_mount+0x169/0x700
83335 [<c023fa9b>] sys_mount+0x6b/0xa0
83336 [<c04abd1f>] sysenter_do_call+0x12/0x28
83337 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
83338 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
83339 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
83340 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
83341 CR2: 0000000000000048
83342
83343 This turned out due to a defect in an error path which runs if the
83344 calculated location of the secondary super block was invalid.
83345
83346 This patch fixes it and eliminates the reported oops.
83347
83348 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
83349 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
83350 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
83351 Cc: <stable@vger.kernel.org> [2.6.30+]
83352 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
83353 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83354
83355commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
83356Author: Haogang Chen <haogangchen@gmail.com>
83357Date: Fri Mar 16 17:08:38 2012 -0700
83358
83359 nilfs2: clamp ns_r_segments_percentage to [1, 99]
83360
83361 ns_r_segments_percentage is read from the disk. Bogus or malicious
83362 value could cause integer overflow and malfunction due to meaningless
83363 disk usage calculation. This patch reports error when mounting such
83364 bogus volumes.
83365
83366 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
83367 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
83368 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
83369 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83370
83371commit e1a90645643f9b0194a5984ec8febd06360d5c8b
83372Author: Eric Dumazet <eric.dumazet@gmail.com>
83373Date: Sat Mar 10 09:20:21 2012 +0000
83374
83375 tcp: fix syncookie regression
83376
83377 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
83378 added a serious regression on synflood handling.
83379
83380 Simon Kirby discovered a successful connection was delayed by 20 seconds
83381 before being responsive.
83382
83383 In my tests, I discovered that xmit frames were lost, and needed ~4
83384 retransmits and a socket dst rebuild before being really sent.
83385
83386 In case of syncookie initiated connection, we use a different path to
83387 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
83388
83389 As ip_queue_xmit() now depends on inet flow being setup, fix this by
83390 copying the temp flowi4 we use in cookie_v4_check().
83391
83392 Reported-by: Simon Kirby <sim@netnation.com>
83393 Bisected-by: Simon Kirby <sim@netnation.com>
83394 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
83395 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
83396 Signed-off-by: David S. Miller <davem@davemloft.net>
83397
83398commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
83399Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
83400Date: Mon Mar 12 02:59:41 2012 +0000
83401
83402 tun: don't hold network namespace by tun sockets
83403
83404 v3: added previously removed sock_put() to the tun_release() callback, because
83405 sk_release_kernel() doesn't drop the socket reference.
83406
83407 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
83408 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
83409 call.
83410
83411 TUN was designed to destroy it's socket on network namesapce shutdown. But this
83412 will never happen for persistent device, because it's socket holds network
83413 namespace.
83414 This patch removes of holding network namespace by TUN socket and replaces it
83415 by creating socket in init_net and then changing it's net it to desired one. On
83416 shutdown socket is moved back to init_net prior to final put.
83417
83418 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
83419 Signed-off-by: David S. Miller <davem@davemloft.net>
83420
83421commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
83422Author: Tyler Hicks <tyhicks@canonical.com>
83423Date: Mon Dec 12 10:02:30 2011 -0600
83424
83425 vfs: Correctly set the dir i_mutex lockdep class
83426
83427 9a7aa12f3911853a introduced additional logic around setting the i_mutex
83428 lockdep class for directory inodes. The idea was that some filesystems
83429 may want their own special lockdep class for different directory
83430 inodes and calling unlock_new_inode() should not clobber one of
83431 those special classes.
83432
83433 I believe that the added conditional, around the *negated* return value
83434 of lockdep_match_class(), caused directory inodes to be placed in the
83435 wrong lockdep class.
83436
83437 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
83438 all inodes. If the filesystem did not change the class during inode
83439 initialization, then the conditional mentioned above was false and the
83440 directory inode was incorrectly left in the non-directory lockdep class.
83441 If the filesystem did set a special lockdep class, then the conditional
83442 mentioned above was true and that class was clobbered with
83443 i_mutex_dir_key.
83444
83445 This patch removes the negation from the conditional so that the i_mutex
83446 lockdep class is properly set for directory inodes. Special classes are
83447 preserved and directory inodes with unmodified classes are set with
83448 i_mutex_dir_key.
83449
83450 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
83451 Reviewed-by: Jan Kara <jack@suse.cz>
83452 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83453
83454commit 603590b0d2eca61ce26499eac9c563bc567a18c9
83455Author: Jan Kara <jack@suse.cz>
83456Date: Mon Feb 20 17:54:00 2012 +0100
83457
83458 udf: Fix deadlock in udf_release_file()
83459
83460 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
83461 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
83462 i_mutex is not needed in udf_release_file() anymore since protection by
83463 i_data_sem is enough to protect from races with write and truncate.
83464
83465 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
83466 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
83467 Signed-off-by: Jan Kara <jack@suse.cz>
83468 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83469
83470commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
83471Author: Miklos Szeredi <mszeredi@suse.cz>
83472Date: Tue Mar 6 13:56:33 2012 +0100
83473
83474 vfs: fix double put after complete_walk()
83475
83476 complete_walk() already puts nd->path, no need to do it again at cleanup time.
83477
83478 This would result in Oopses if triggered, apparently the codepath is not too
83479 well exercised.
83480
83481 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
83482 CC: stable@vger.kernel.org
83483 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83484
83485commit 13885ba2b18400f3ef6540497d30f1af896605e5
83486Author: Miklos Szeredi <mszeredi@suse.cz>
83487Date: Tue Mar 6 13:56:34 2012 +0100
83488
83489 vfs: fix return value from do_last()
83490
83491 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
83492 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
83493 which is complete nonsense.
83494
83495 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
83496 CC: stable@vger.kernel.org
83497 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83498
83499 Conflicts:
83500
83501 fs/namei.c
83502
83503commit f5ab7572c99ffb58953eb1070622307e904c3b7f
83504Author: Al Viro <viro@zeniv.linux.org.uk>
83505Date: Sat Mar 10 17:07:28 2012 -0500
83506
83507 restore smp_mb() in unlock_new_inode()
83508
83509 wait_on_inode() doesn't have ->i_lock
83510
83511 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83512
83513commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
83514Author: David S. Miller <davem@davemloft.net>
83515Date: Tue Mar 13 18:19:51 2012 -0700
83516
83517 sparc32: Add -Av8 to assembler command line.
83518
83519 Newer version of binutils are more strict about specifying the
83520 correct options to enable certain classes of instructions.
83521
83522 The sparc32 build is done for v7 in order to support sun4c systems
83523 which lack hardware integer multiply and divide instructions.
83524
83525 So we have to pass -Av8 when building the assembler routines that
83526 use these instructions and get patched into the kernel when we find
83527 out that we have a v8 capable cpu.
83528
83529 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
83530 Signed-off-by: David S. Miller <davem@davemloft.net>
83531
83532commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
83533Author: Thomas Gleixner <tglx@linutronix.de>
83534Date: Fri Mar 9 20:55:10 2012 +0100
83535
83536 x86: Derandom delay_tsc for 64 bit
83537
83538 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
83539 delay_tsc() into a random delay generator for 64 bit. The reason is
83540 that it merged the mostly identical versions of delay_32.c and
83541 delay_64.c. Though the subtle difference of the result was:
83542
83543 static void delay_tsc(unsigned long loops)
83544 {
83545 - unsigned bclock, now;
83546 + unsigned long bclock, now;
83547
83548 Now the function uses rdtscl() which returns the lower 32bit of the
83549 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
83550 bit this fails when the lower 32bit are close to wrap around when
83551 bclock is read, because the following check
83552
83553 if ((now - bclock) >= loops)
83554 break;
83555
83556 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
83557 because the unsigned long (now - bclock) of these values results in
83558 0xffffffff00000001 which is definitely larger than the loops
83559 value. That explains Tvortkos observation:
83560
83561 "Because I am seeing udelay(500) (_occasionally_) being short, and
83562 that by delaying for some duration between 0us (yep) and 491us."
83563
83564 Make those variables explicitely u32 again, so this works for both 32
83565 and 64 bit.
83566
83567 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
83568 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
83569 Cc: stable@vger.kernel.org # >= 2.6.27
83570 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83571
83572commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
83573Author: Al Viro <viro@ZenIV.linux.org.uk>
83574Date: Thu Mar 8 17:51:19 2012 +0000
83575
83576 aio: fix the "too late munmap()" race
83577
83578 Current code has put_ioctx() called asynchronously from aio_fput_routine();
83579 that's done *after* we have killed the request that used to pin ioctx,
83580 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
83581 from progressing. As the result, we can end up with async call of
83582 put_ioctx() being the last one and possibly happening during exit_mmap()
83583 or elf_core_dump(), neither of which expects stray munmap() being done
83584 to them...
83585
83586 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
83587 with that, but that's all we care about - neither io_destroy() nor
83588 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
83589 does really_put_req(), so the ioctx teardown won't be done until then
83590 and we don't care about the contents of ioctx past that point.
83591
83592 Since actual freeing of these suckers is RCU-delayed, we don't need to
83593 bump ioctx refcount when request goes into list for async removal.
83594 All we need is rcu_read_lock held just over the ->ctx_lock-protected
83595 area in aio_fput_routine().
83596
83597 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83598 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
83599 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
83600 Cc: stable@vger.kernel.org
83601 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83602
83603commit 002124c055afbf09b52226af65621999e8316448
83604Author: Al Viro <viro@ZenIV.linux.org.uk>
83605Date: Wed Mar 7 05:16:35 2012 +0000
83606
83607 aio: fix io_setup/io_destroy race
83608
83609 Have ioctx_alloc() return an extra reference, so that caller would drop it
83610 on success and not bother with re-grabbing it on failure exit. The current
83611 code is obviously broken - io_destroy() from another thread that managed
83612 to guess the address io_setup() would've returned would free ioctx right
83613 under us; gets especially interesting if aio_context_t * we pass to
83614 io_setup() points to PROT_READ mapping, so put_user() fails and we end
83615 up doing io_destroy() on kioctx another thread has just got freed...
83616
83617 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83618 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
83619 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
83620 Cc: stable@vger.kernel.org
83621 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83622
83623commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
83624Author: Dan Carpenter <dan.carpenter@oracle.com>
83625Date: Thu Mar 15 15:17:12 2012 -0700
83626
83627 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
83628
83629 strict_strtoul() writes a long but ->gamma_mode only has space to store an
83630 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
83631 well. I've changed it to use kstrtouint() instead.
83632
83633 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
83634 Acked-by: Inki Dae <inki.dae@samsung.com>
83635 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
83636 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
83637 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83638
83639commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
83640Merge: e4b05b6 eae671f
83641Author: Brad Spengler <spender@grsecurity.net>
83642Date: Fri Mar 16 21:04:27 2012 -0400
83643
83644 Merge branch 'pax-test' into grsec-test
83645
83646 Conflicts:
83647 security/Kconfig
83648
83649commit eae671fafe93f04685c04a089cc13efebc05d600
83650Author: Brad Spengler <spender@grsecurity.net>
83651Date: Fri Mar 16 20:58:01 2012 -0400
83652
83653 Update to pax-linux-3.2.11-test31.patch
83654 Introduction of the size_overflow plugin from Emese Revfy
83655 Many thanks to Emese for her hard work :)
83656
83657commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
83658Merge: e55aa68 258c015
83659Author: Brad Spengler <spender@grsecurity.net>
83660Date: Thu Mar 15 20:59:19 2012 -0400
83661
83662 Merge branch 'pax-test' into grsec-test
83663
83664commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
83665Author: Brad Spengler <spender@grsecurity.net>
83666Date: Thu Mar 15 20:59:05 2012 -0400
83667
83668 fix ARM compilation
83669
83670commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
83671Merge: 8f95ea9 55b7573
83672Author: Brad Spengler <spender@grsecurity.net>
83673Date: Wed Mar 14 19:33:41 2012 -0400
83674
83675 Merge branch 'pax-test' into grsec-test
83676
83677commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
83678Author: Brad Spengler <spender@grsecurity.net>
83679Date: Wed Mar 14 19:33:15 2012 -0400
83680
83681 Update to pax-linux-3.2.10-test28.patch
83682
83683commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
83684Merge: c8786a2 886ac5e
83685Author: Brad Spengler <spender@grsecurity.net>
83686Date: Tue Mar 13 17:38:13 2012 -0400
83687
83688 Merge branch 'pax-test' into grsec-test
83689
83690 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
83691
83692commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
83693Author: Brad Spengler <spender@grsecurity.net>
83694Date: Tue Mar 13 17:37:44 2012 -0400
83695
83696 Update to pax-linux-3.2.10-test26.patch
83697
83698commit c8786a2abed5e5327f68efa520c04db99bb6a63a
83699Merge: 219c982 c061fcf
83700Author: Brad Spengler <spender@grsecurity.net>
83701Date: Tue Mar 13 17:25:06 2012 -0400
83702
83703 Merge branch 'pax-test' into grsec-test
83704
83705commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
83706Merge: 89373d2 3f4b3b2
83707Author: Brad Spengler <spender@grsecurity.net>
83708Date: Tue Mar 13 17:25:02 2012 -0400
83709
83710 Merge branch 'linux-3.2.y' into pax-test
83711
83712commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
83713Merge: 54e19a3 89373d2
83714Author: Brad Spengler <spender@grsecurity.net>
83715Date: Mon Mar 12 17:23:57 2012 -0400
83716
83717 Merge branch 'pax-test' into grsec-test
83718
83719commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
83720Merge: a778588 7459f11
83721Author: Brad Spengler <spender@grsecurity.net>
83722Date: Mon Mar 12 17:23:49 2012 -0400
83723
83724 Merge branch 'linux-3.2.y' into pax-test
83725
83726commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
83727Merge: c4650f1 a778588
83728Author: Brad Spengler <spender@grsecurity.net>
83729Date: Mon Mar 12 16:51:25 2012 -0400
83730
83731 Merge branch 'pax-test' into grsec-test
83732
83733commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
83734Author: Brad Spengler <spender@grsecurity.net>
83735Date: Mon Mar 12 16:51:12 2012 -0400
83736
83737 Update to pax-linux-3.2.9-test24.patch
83738
83739commit c4650f14b13f84735fe3de06a1f3ff5776473eff
83740Merge: fb2abee 1015790
83741Author: Brad Spengler <spender@grsecurity.net>
83742Date: Sun Mar 11 21:08:28 2012 -0400
83743
83744 Merge branch 'pax-test' into grsec-test
83745
83746 Conflicts:
83747 security/Kconfig
83748
83749commit 101579028a736c224e590c7e12a7357018c424e1
83750Author: Brad Spengler <spender@grsecurity.net>
83751Date: Sun Mar 11 21:07:27 2012 -0400
83752
83753 Update to pax-linux-3.2.9-test22.patch
83754
83755commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
83756Author: Brad Spengler <spender@grsecurity.net>
83757Date: Sun Mar 11 11:02:17 2012 -0400
83758
83759 Allow 4096 CPUs
83760
83761commit 96bae28cbe6a41d48e3b56e5904814096e956000
83762Author: Brad Spengler <spender@grsecurity.net>
83763Date: Sun Mar 11 10:25:58 2012 -0400
83764
83765 Use a per-cpu 48-bit counter instead of a global atomic64
83766 Initialize each counter to have the cpu number in the lower 16 bits
83767 instead of incrementing the counter each time by 1, perform the increments
83768 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
83769 any state
83770 idea from PaX Team
83771
83772commit b975688101da6e966aebb1bc6b8c5c5983974f9c
83773Author: Brad Spengler <spender@grsecurity.net>
83774Date: Sat Mar 10 20:33:12 2012 -0500
83775
83776 Special vnsec edition! :)
83777 Further reduce argv/env allowance for suid/sgid apps to 512KB
83778 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
83779 Clear 3GB personality on suid/sgid binaries
83780 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
83781 with the main purpose of throwing off program stack -> arg/env alignment
83782 Update documentation
83783
83784commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
83785Author: Brad Spengler <spender@grsecurity.net>
83786Date: Sat Mar 10 19:54:47 2012 -0500
83787
83788 Resolve skbuff.h warnings that turn into errors during compilation in
83789 the grsecurity directory with -Werror
83790
83791commit 2023210ad43a944033fcacc660ce410888f562ee
83792Merge: ece4383 5f66adf
83793Author: Brad Spengler <spender@grsecurity.net>
83794Date: Fri Mar 9 19:48:01 2012 -0500
83795
83796 Merge branch 'pax-test' into grsec-test
83797
83798commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
83799Author: Brad Spengler <spender@grsecurity.net>
83800Date: Fri Mar 9 19:47:06 2012 -0500
83801
83802 Add colorize plugin
83803
83804commit ece4383e5e91c92d138c4df84225a70b552f4d69
83805Merge: a366d0e ab4a5a1
83806Author: Brad Spengler <spender@grsecurity.net>
83807Date: Fri Mar 9 17:56:46 2012 -0500
83808
83809 Merge branch 'pax-test' into grsec-test
83810
83811commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
83812Author: Brad Spengler <spender@grsecurity.net>
83813Date: Fri Mar 9 17:56:26 2012 -0500
83814
83815 Update to pax-linux-3.2.9-test21.patch
83816
83817commit a366d0ed963ce93fce10121c1100989d5f064e75
83818Author: Mikulas Patocka <mpatocka@redhat.com>
83819Date: Sun Mar 4 19:52:03 2012 -0500
83820
83821 mm: fix find_vma_prev
83822
83823 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
83824 management on PA-RISC.
83825
83826 After application of the patch, programs that allocate big arrays on the
83827 stack crash with segfault, for example, this will crash if compiled
83828 without optimization:
83829
83830 int main()
83831 {
83832 char array[200000];
83833 array[199999] = 0;
83834 return 0;
83835 }
83836
83837 The reason is that PA-RISC has up-growing stack and the stack is usually
83838 the last memory area. In the above example, a page fault happens above
83839 the stack.
83840
83841 Previously, if we passed too high address to find_vma_prev, it returned
83842 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
83843 change, it stores NULL in *pprev. Consequently, the stack area is not
83844 found and it is not expanded, as it used to be before the change.
83845
83846 This patch restores the old behavior and makes it return the last VMA in
83847 *pprev if the requested address is higher than address of any other VMA.
83848
83849 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
83850 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
83851 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83852
83853commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
83854Author: Hugh Dickins <hughd@google.com>
83855Date: Tue Mar 6 12:28:52 2012 -0800
83856
83857 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
83858
83859 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
83860 from shared anonymous: hoist the file case's -EINVAL up for both.
83861
83862 Signed-off-by: Hugh Dickins <hughd@google.com>
83863 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83864
83865commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
83866Author: Al Viro <viro@ZenIV.linux.org.uk>
83867Date: Mon Mar 5 06:38:42 2012 +0000
83868
83869 aout: move setup_arg_pages() prior to reading/mapping the binary
83870
83871 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83872 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83873
83874commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
83875Author: Jan Beulich <JBeulich@suse.com>
83876Date: Mon Mar 5 16:49:24 2012 +0000
83877
83878 vsprintf: make %pV handling compatible with kasprintf()
83879
83880 kasprintf() (and potentially other functions that I didn't run across so
83881 far) want to evaluate argument lists twice. Caring to do so for the
83882 primary list is obviously their job, but they can't reasonably be
83883 expected to check the format string for instances of %pV, which however
83884 need special handling too: On architectures like x86-64 (as opposed to
83885 e.g. ix86), using the same argument list twice doesn't produce the
83886 expected results, as an internally managed cursor gets updated during
83887 the first run.
83888
83889 Fix the problem by always acting on a copy of the original list when
83890 handling %pV.
83891
83892 Signed-off-by: Jan Beulich <jbeulich@suse.com>
83893 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83894
83895commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
83896Author: Al Viro <viro@ZenIV.linux.org.uk>
83897Date: Mon Mar 5 06:39:47 2012 +0000
83898
83899 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
83900
83901 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
83902 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83903
83904commit a831bd53764695ea680cc1fa3c98759a610ed2ac
83905Author: Christian König <deathsimple@vodafone.de>
83906Date: Tue Feb 28 23:19:20 2012 +0100
83907
83908 drm/radeon: fix uninitialized variable
83909
83910 Without this fix the driver randomly treats
83911 textures as arrays and I'm really wondering
83912 why gcc isn't complaining about it.
83913
83914 Signed-off-by: Christian König <deathsimple@vodafone.de>
83915 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
83916 Signed-off-by: Dave Airlie <airlied@redhat.com>
83917
83918commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
83919Author: H. Peter Anvin <hpa@zytor.com>
83920Date: Fri Mar 2 10:43:48 2012 -0800
83921
83922 regset: Prevent null pointer reference on readonly regsets
83923
83924 The regset common infrastructure assumed that regsets would always
83925 have .get and .set methods, but not necessarily .active methods.
83926 Unfortunately people have since written regsets without .set methods.
83927
83928 Rather than putting in stub functions everywhere, handle regsets with
83929 null .get or .set methods explicitly.
83930
83931 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
83932 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
83933 Acked-by: Roland McGrath <roland@hack.frob.com>
83934 Cc: <stable@vger.kernel.org>
83935 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
83936
83937commit 072ddd99401c79b53c6bf6bff9deb93022124c79
83938Author: Brad Spengler <spender@grsecurity.net>
83939Date: Mon Mar 5 18:12:57 2012 -0500
83940
83941 Fix compiler errors reported on forums
83942
83943commit 1606774b48af24e6f99d99c624c0e447d4b66474
83944Merge: 3127bd5 4ca2ffd
83945Author: Brad Spengler <spender@grsecurity.net>
83946Date: Mon Mar 5 17:31:35 2012 -0500
83947
83948 Merge branch 'pax-test' into grsec-test
83949
83950commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
83951Author: Brad Spengler <spender@grsecurity.net>
83952Date: Mon Mar 5 17:31:21 2012 -0500
83953
83954 Update to pax-linux-3.2.9-test20.patch
83955
83956commit 3127bd581a292966b1057c7433219dac188c3720
83957Author: Brad Spengler <spender@grsecurity.net>
83958Date: Fri Mar 2 21:30:37 2012 -0500
83959
83960 Fix memory leak on logged exec_id check failure in /proc/pid/statm
83961 Thanks to Djalal Harouni for the report
83962
83963commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
83964Merge: 0a56be8 9aa8288
83965Author: Brad Spengler <spender@grsecurity.net>
83966Date: Fri Mar 2 18:38:22 2012 -0500
83967
83968 Merge branch 'pax-test' into grsec-test
83969
83970commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
83971Author: Brad Spengler <spender@grsecurity.net>
83972Date: Fri Mar 2 18:37:43 2012 -0500
83973
83974 Update to pax-linux-3.2.9-test19.patch
83975
83976commit 0a56be884bbd7ce733cac0b879c45383494d73b0
83977Merge: 9e66745 3f5c52a
83978Author: Brad Spengler <spender@grsecurity.net>
83979Date: Thu Mar 1 20:18:01 2012 -0500
83980
83981 Merge branch 'pax-test' into grsec-test
83982
83983commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
83984Author: Brad Spengler <spender@grsecurity.net>
83985Date: Thu Mar 1 20:16:56 2012 -0500
83986
83987 Update to pax-linux-3.2.9-test18.patch
83988
83989commit ae53ec231d12719a36bf871f8c5841020ed692ee
83990Merge: b255baf 44fb317
83991Author: Brad Spengler <spender@grsecurity.net>
83992Date: Thu Mar 1 20:15:31 2012 -0500
83993
83994 Merge branch 'linux-3.2.y' into pax-test
83995
83996commit 9e667456c03eadea2f305be761abe4de9a5877a3
83997Merge: 5e4e200 b255baf
83998Author: Brad Spengler <spender@grsecurity.net>
83999Date: Mon Feb 27 20:53:59 2012 -0500
84000
84001 Merge branch 'pax-test' into grsec-test
84002
84003commit b255baf50365d39b406f43aab2c64745607baaa2
84004Merge: 340ce90 1de504e
84005Author: Brad Spengler <spender@grsecurity.net>
84006Date: Mon Feb 27 20:53:29 2012 -0500
84007
84008 Merge branch 'linux-3.2.y' into pax-test
84009 Update to pax-linux-3.2.8-test17.patch
84010
84011 Conflicts:
84012 arch/x86/include/asm/i387.h
84013 arch/x86/kernel/process_32.c
84014 arch/x86/kernel/traps.c
84015
84016commit 5e4e200ac530452884b625cb75de240e1e98c731
84017Merge: 44306d7 340ce90
84018Author: Brad Spengler <spender@grsecurity.net>
84019Date: Mon Feb 27 18:02:13 2012 -0500
84020
84021 Merge branch 'pax-test' into grsec-test
84022
84023commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
84024Author: Brad Spengler <spender@grsecurity.net>
84025Date: Mon Feb 27 18:01:48 2012 -0500
84026
84027 Update to pax-linux-3.2.7-test17.patch
84028
84029commit 44306d7b3097f77e73040dd25f4f6750751bae7a
84030Merge: 29d0b07 521c411
84031Author: Brad Spengler <spender@grsecurity.net>
84032Date: Sun Feb 26 19:04:15 2012 -0500
84033
84034 Merge branch 'pax-test' into grsec-test
84035
84036 Conflicts:
84037 Makefile
84038
84039commit 521c411bb4ca66ce01146fde8bac9dd22414076d
84040Author: Brad Spengler <spender@grsecurity.net>
84041Date: Sun Feb 26 19:03:33 2012 -0500
84042
84043 Update to pax-linux-3.2.7-test16.patch
84044
84045commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
84046Author: Brad Spengler <spender@grsecurity.net>
84047Date: Sun Feb 26 17:12:44 2012 -0500
84048
84049 fix typo
84050
84051commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
84052Merge: f45b3be caa8f83
84053Author: Brad Spengler <spender@grsecurity.net>
84054Date: Sat Feb 25 20:59:27 2012 -0500
84055
84056 Merge branch 'pax-test' into grsec-test
84057
84058commit caa8f83456c4d0b204beefffaa1d1993f2348d08
84059Author: Brad Spengler <spender@grsecurity.net>
84060Date: Sat Feb 25 20:59:12 2012 -0500
84061
84062 Update to pax-linux-3.2.7-test15.patch
84063
84064commit f45b3be34a345502a302e736af9a65742ddef7cb
84065Merge: 62f35fd 9f1309b
84066Author: Brad Spengler <spender@grsecurity.net>
84067Date: Sat Feb 25 11:40:15 2012 -0500
84068
84069 Merge branch 'pax-test' into grsec-test
84070
84071commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
84072Author: Brad Spengler <spender@grsecurity.net>
84073Date: Sat Feb 25 11:39:57 2012 -0500
84074
84075 Update to pax-linux-3.2.7-test14.patch
84076
84077commit 62f35fdbecc58f2988fe13638d907b87a15776bb
84078Author: Brad Spengler <spender@grsecurity.net>
84079Date: Sat Feb 25 09:08:55 2012 -0500
84080
84081 We could log on attempted exploits of writing /proc/self/mem, but the current
84082 log function declares the access a read, so just swap the ordering for now
84083
84084commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
84085Author: Brad Spengler <spender@grsecurity.net>
84086Date: Sat Feb 25 08:46:14 2012 -0500
84087
84088 Log /proc/pid/mem attempts
84089
84090commit 674471e581893a94d475acac3e3c4496209b3ac9
84091Author: Brad Spengler <spender@grsecurity.net>
84092Date: Sat Feb 25 08:15:00 2012 -0500
84093
84094 Make use of f_version for protecting /proc file structs (fine since we're not a directory
84095 or seq_file)
84096
84097commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
84098Author: Brad Spengler <spender@grsecurity.net>
84099Date: Fri Feb 24 20:02:19 2012 -0500
84100
84101 Fix ia64 compilation
84102
84103commit 50dfea412fd395e0183c2ade368efa525d38b267
84104Merge: 12db845 4c6f99b
84105Author: Brad Spengler <spender@grsecurity.net>
84106Date: Fri Feb 24 19:00:53 2012 -0500
84107
84108 Merge branch 'pax-test' into grsec-test
84109
84110commit 4c6f99bf338e03966356b147d0360cb3b522a44f
84111Author: Brad Spengler <spender@grsecurity.net>
84112Date: Fri Feb 24 19:00:36 2012 -0500
84113
84114 (6:57:09 PM) pipacs: but you can be proactive
84115 (Fix other-arch atomic64/REFCOUNT compilation failures)
84116
84117commit 12db8453f6bb0a756f369c9151668ba1249bc478
84118Author: Brad Spengler <spender@grsecurity.net>
84119Date: Thu Feb 23 21:10:12 2012 -0500
84120
84121 Remove unnecessary copies, as suggested by solar
84122
84123commit cc02cab84368467ea03cb35f861a8a7092d91ab4
84124Author: Brad Spengler <spender@grsecurity.net>
84125Date: Thu Feb 23 20:59:35 2012 -0500
84126
84127 Make global_exec_counter static, as suggested by solar
84128
84129commit e642091a475ebb3a30e81f85e7751233d0c2af43
84130Author: Brad Spengler <spender@grsecurity.net>
84131Date: Thu Feb 23 19:00:26 2012 -0500
84132
84133 sync with stable tree
84134
84135commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
84136Author: Brad Spengler <spender@grsecurity.net>
84137Date: Thu Feb 23 18:48:47 2012 -0500
84138
84139 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
84140 Remove handling of old kludge in chmod/fchmod
84141
84142commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
84143Author: Brad Spengler <spender@grsecurity.net>
84144Date: Thu Feb 23 18:18:49 2012 -0500
84145
84146 Apply umask checks to chmod/fchmod as well, as requested by sponsor
84147 Union the enforced umask with the existing one to produce minimal privilege
84148 Change umask type to u16
84149
84150commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
84151Author: Brad Spengler <spender@grsecurity.net>
84152Date: Wed Feb 22 18:16:11 2012 -0500
84153
84154 Add per-role umask enforcement to RBAC, requested by a sponsor
84155
84156commit ad5ac943fe58199f1cc475912a39edb157acb77b
84157Merge: dda0bb5 41722e3
84158Author: Brad Spengler <spender@grsecurity.net>
84159Date: Mon Feb 20 20:04:42 2012 -0500
84160
84161 Merge branch 'pax-test' into grsec-test
84162
84163commit 41722e342e116d95f3d3556d66c97c888d752d39
84164Author: Brad Spengler <spender@grsecurity.net>
84165Date: Mon Feb 20 20:04:00 2012 -0500
84166
84167 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
84168 KERNEXEC plugin
84169
84170commit dda0bb57137846a476a866c60db2681aaf6052c0
84171Merge: 4fd554e d70927a
84172Author: Brad Spengler <spender@grsecurity.net>
84173Date: Mon Feb 20 20:01:41 2012 -0500
84174
84175 Merge branch 'pax-test' into grsec-test
84176
84177commit d70927afec977d489a54c106a3c3ddc32e953050
84178Merge: 1daebf1 9d0231c
84179Author: Brad Spengler <spender@grsecurity.net>
84180Date: Mon Feb 20 20:01:33 2012 -0500
84181
84182 Merge branch 'linux-3.2.y' into pax-test
84183
84184commit 4fd554e3a097b22c5049fcdc423897477deff5ef
84185Author: Brad Spengler <spender@grsecurity.net>
84186Date: Mon Feb 20 09:17:57 2012 -0500
84187
84188 Fix wrong logic on capability checks for switching roles, broke policies
84189 Thanks to Richard Kojedzinszky for reporting
84190
84191commit 12f97d52ac603f24344f8d71569c412a307e9422
84192Author: Brad Spengler <spender@grsecurity.net>
84193Date: Thu Feb 16 21:20:10 2012 -0500
84194
84195 sparc64 compile fix
84196
84197commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
84198Author: Brad Spengler <spender@grsecurity.net>
84199Date: Thu Feb 16 18:38:32 2012 -0500
84200
84201 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
84202
84203commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
84204Author: Brad Spengler <spender@grsecurity.net>
84205Date: Thu Feb 16 18:18:01 2012 -0500
84206
84207 optimize the check a bit
84208
84209commit 03159050f64989be44ae03be769cbed62a7cd2e5
84210Author: Brad Spengler <spender@grsecurity.net>
84211Date: Thu Feb 16 18:00:45 2012 -0500
84212
84213 smile VUPEN :D
84214 (limit argv+env to 1MB for suid/sgid binaries)
84215
84216commit dd759d8800d225a397e4de49fe729c7d601298d2
84217Author: Brad Spengler <spender@grsecurity.net>
84218Date: Thu Feb 16 17:49:33 2012 -0500
84219
84220 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
84221
84222commit 4de635bda8ebfb85312e3bf851bdbff93de400da
84223Author: Brad Spengler <spender@grsecurity.net>
84224Date: Thu Feb 16 17:45:06 2012 -0500
84225
84226 Change the long long type for exec_id to the proper u64
84227
84228commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
84229Author: Dan Carpenter <dan.carpenter@oracle.com>
84230Date: Thu Feb 9 00:46:47 2012 +0000
84231
84232 isdn: type bug in isdn_net_header()
84233
84234 We use len to store the return value from eth_header(). eth_header()
84235 can return -ETH_HLEN (-14). We want to pass this back instead of
84236 truncating it to 65522 and returning that.
84237
84238 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
84239 Acked-by: Neil Horman <nhorman@tuxdriver.com>
84240 Signed-off-by: David S. Miller <davem@davemloft.net>
84241
84242commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
84243Author: Heiko Carstens <heiko.carstens@de.ibm.com>
84244Date: Sat Feb 4 10:47:10 2012 +0100
84245
84246 exec: fix use-after-free bug in setup_new_exec()
84247
84248 Setting the task name is done within setup_new_exec() by accessing
84249 bprm->filename. However this happens after flush_old_exec().
84250 This may result in a use after free bug, flush_old_exec() may
84251 "complete" vfork_done, which will wake up the parent which in turn
84252 may free the passed in filename.
84253 To fix this add a new tcomm field in struct linux_binprm which
84254 contains the now early generated task name until it is used.
84255
84256 Fixes this bug on s390:
84257
84258 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
84259 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
84260 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
84261 Call Trace:
84262 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
84263 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
84264 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
84265 [<0000000000282b6c>] do_execve_common+0x410/0x514
84266 [<0000000000282cb6>] do_execve+0x46/0x58
84267 [<00000000005bce58>] kernel_execve+0x28/0x70
84268 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
84269 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
84270 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
84271 Last Breaking-Event-Address:
84272 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
84273
84274 Kernel panic - not syncing: Fatal exception: panic_on_oops
84275
84276 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
84277 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
84278 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
84279
84280commit d758ee9f5230893dabb5aab737b3109684bde196
84281Author: Dan Carpenter <dan.carpenter@oracle.com>
84282Date: Fri Feb 10 09:03:58 2012 +0100
84283
84284 relay: prevent integer overflow in relay_open()
84285
84286 "subbuf_size" and "n_subbufs" come from the user and they need to be
84287 capped to prevent an integer overflow.
84288
84289 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
84290 Cc: stable@kernel.org
84291 Signed-off-by: Jens Axboe <axboe@kernel.dk>
84292
84293commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
84294Merge: b1baadf 1daebf1
84295Author: Brad Spengler <spender@grsecurity.net>
84296Date: Mon Feb 13 17:47:04 2012 -0500
84297
84298 Merge branch 'pax-test' into grsec-test
84299
84300 Conflicts:
84301 fs/proc/base.c
84302
84303commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
84304Merge: 1413df2 c2db2e2
84305Author: Brad Spengler <spender@grsecurity.net>
84306Date: Mon Feb 13 17:45:54 2012 -0500
84307
84308 Merge branch 'linux-3.2.y' into pax-test
84309
84310commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
84311Author: Brad Spengler <spender@grsecurity.net>
84312Date: Sun Feb 12 16:44:05 2012 -0500
84313
84314 add missing declaration
84315
84316commit 3981059c35e8463002517935c28f3d74b8e3703c
84317Author: Brad Spengler <spender@grsecurity.net>
84318Date: Sun Feb 12 16:36:04 2012 -0500
84319
84320 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
84321 in addition to existing checks (this handles the setresuid ruid = euid case)
84322
84323commit 0beab03263c773f463412c350ad9064b44b6ede0
84324Author: Brad Spengler <spender@grsecurity.net>
84325Date: Sun Feb 12 16:13:40 2012 -0500
84326
84327 Revert setreuid changes when RBAC is enabled, breaks freeradius
84328 I'll fix the learning issue Lavish reported a different way through
84329 gradm modifications
84330
84331 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
84332
84333commit 0c61cb1cfbbfec7d07647268c922d51434d22621
84334Author: Brad Spengler <spender@grsecurity.net>
84335Date: Sat Feb 11 14:22:46 2012 -0500
84336
84337 copy exec_id on fork
84338
84339commit 000c08e0890630086b2ed04084050ed856a7ec31
84340Author: Brad Spengler <spender@grsecurity.net>
84341Date: Fri Feb 10 20:00:36 2012 -0500
84342
84343 compile fix
84344
84345commit 54b8c8f54484e5ee18040657827158bc4b63bccc
84346Author: Brad Spengler <spender@grsecurity.net>
84347Date: Fri Feb 10 19:19:52 2012 -0500
84348
84349 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
84350 denies reading of sensitive /proc/pid entries where the file descriptor
84351 was opened in a different task than the one performing the read
84352
84353commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
84354Author: Brad Spengler <spender@grsecurity.net>
84355Date: Fri Feb 10 17:43:24 2012 -0500
84356
84357 Remove duplicate signal check
84358
84359commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
84360Merge: 4eba97e 1413df2
84361Author: Brad Spengler <spender@grsecurity.net>
84362Date: Wed Feb 8 19:24:34 2012 -0500
84363
84364 Merge branch 'pax-test' into grsec-test
84365
84366commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
84367Author: Brad Spengler <spender@grsecurity.net>
84368Date: Wed Feb 8 19:24:08 2012 -0500
84369
84370 Merge changes from pax-linux-3.2.4-test11.patch
84371
84372commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
84373Merge: 0e058dd 8dd90a2
84374Author: Brad Spengler <spender@grsecurity.net>
84375Date: Mon Feb 6 17:50:12 2012 -0500
84376
84377 Merge branch 'pax-test' into grsec-test
84378
84379commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
84380Author: Brad Spengler <spender@grsecurity.net>
84381Date: Mon Feb 6 17:49:07 2012 -0500
84382
84383 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
84384
84385commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
84386Merge: 7e4169c 6133971
84387Author: Brad Spengler <spender@grsecurity.net>
84388Date: Mon Feb 6 17:48:57 2012 -0500
84389
84390 Merge branch 'linux-3.2.y' into pax-test
84391
84392commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
84393Author: Brad Spengler <spender@grsecurity.net>
84394Date: Sun Feb 5 19:24:45 2012 -0500
84395
84396 We now allow configurations with no PaX markings, giving the system no way to override the defaults
84397
84398commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
84399Author: Brad Spengler <spender@grsecurity.net>
84400Date: Sun Feb 5 10:01:23 2012 -0500
84401
84402 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
84403
84404commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
84405Author: Brad Spengler <spender@grsecurity.net>
84406Date: Sat Feb 4 21:01:16 2012 -0500
84407
84408 Improve security of ptrace-based monitoring/sandboxing
84409 See:
84410 http://article.gmane.org/gmane.linux.kernel.lsm/15156
84411
84412commit ca4ca5a1027b41f9528794e52a53ce9c47926101
84413Author: Brad Spengler <spender@grsecurity.net>
84414Date: Fri Feb 3 20:42:55 2012 -0500
84415
84416 fix typo
84417
84418commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
84419Author: Brad Spengler <spender@grsecurity.net>
84420Date: Fri Feb 3 20:25:38 2012 -0500
84421
84422 Reported by lavish on IRC:
84423 If a suid/sgid binary did not learn any setuid/setgid call during learning,
84424 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
84425 any restrictions on uid/gid changes. uid and gid can however be changed
84426 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
84427 euid/egid.
84428
84429 My fix:
84430 POSIX doesn't specify whether unprivileged users can perform the above
84431 setresuid/setresgid as an unprivileged user, though Linux has historically
84432 permitted them. Modify this behavior when RBAC is enabled to require
84433 CAP_SETUID/CAP_SETGID for these operations.
84434
84435 Thanks to Lavish for the report!
84436
84437 Conflicts:
84438
84439 kernel/sys.c
84440
84441commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
84442Merge: ba586eb 7e4169c
84443Author: Brad Spengler <spender@grsecurity.net>
84444Date: Fri Feb 3 20:10:21 2012 -0500
84445
84446 Merge branch 'pax-test' into grsec-test
84447
84448commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
84449Author: Brad Spengler <spender@grsecurity.net>
84450Date: Fri Feb 3 20:10:05 2012 -0500
84451
84452 Merge changes from pax-linux-3.2.4-test9.patch
84453
84454commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
84455Author: Christopher Yeoh <cyeoh@au1.ibm.com>
84456Date: Thu Feb 2 11:34:09 2012 +1030
84457
84458 Fix race in process_vm_rw_core
84459
84460 This fixes the race in process_vm_core found by Oleg (see
84461
84462 http://article.gmane.org/gmane.linux.kernel/1235667/
84463
84464 for details).
84465
84466 This has been updated since I last sent it as the creation of the new
84467 mm_access() function did almost exactly the same thing as parts of the
84468 previous version of this patch did.
84469
84470 In order to use mm_access() even when /proc isn't enabled, we move it to
84471 kernel/fork.c where other related process mm access functions already
84472 are.
84473
84474 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
84475 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
84476
84477 Conflicts:
84478
84479 fs/proc/base.c
84480 mm/process_vm_access.c
84481
84482commit b9194d60fb9fe579f5c34817ed822abde18939a0
84483Author: Oleg Nesterov <oleg@redhat.com>
84484Date: Tue Jan 31 17:15:11 2012 +0100
84485
84486 proc: make sure mem_open() doesn't pin the target's memory
84487
84488 Once /proc/pid/mem is opened, the memory can't be released until
84489 mem_release() even if its owner exits.
84490
84491 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
84492 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
84493 before access_remote_vm(), this verifies that this mm is still alive.
84494
84495 I am not sure what should mem_rw() return if atomic_inc_not_zero()
84496 fails. With this patch it returns zero to match the "mm == NULL" case,
84497 may be it should return -EINVAL like it did before e268337d.
84498
84499 Perhaps it makes sense to add the additional fatal_signal_pending()
84500 check into the main loop, to ensure we do not hold this memory if
84501 the target task was oom-killed.
84502
84503 Cc: stable@kernel.org
84504 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
84505 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
84506
84507commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
84508Author: Oleg Nesterov <oleg@redhat.com>
84509Date: Tue Jan 31 17:14:38 2012 +0100
84510
84511 proc: mem_release() should check mm != NULL
84512
84513 mem_release() can hit mm == NULL, add the necessary check.
84514
84515 Cc: stable@kernel.org
84516 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
84517 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
84518
84519commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
84520Author: Oleg Nesterov <oleg@redhat.com>
84521Date: Tue Jan 31 17:14:54 2012 +0100
84522
84523 note: redisabled mem_write
84524
84525 proc: unify mem_read() and mem_write()
84526
84527 No functional changes, cleanup and preparation.
84528
84529 mem_read() and mem_write() are very similar. Move this code into the
84530 new common helper, mem_rw(), which takes the additional "int write"
84531 argument.
84532
84533 Cc: stable@kernel.org
84534 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
84535 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
84536
84537 Conflicts:
84538
84539 fs/proc/base.c
84540
84541commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
84542Merge: 3903f01 01fee18
84543Author: Brad Spengler <spender@grsecurity.net>
84544Date: Fri Feb 3 19:50:40 2012 -0500
84545
84546 Merge branch 'pax-test' into grsec-test
84547
84548commit 01fee1851aef26b898ccba5312cabf1f919b74cb
84549Author: Brad Spengler <spender@grsecurity.net>
84550Date: Fri Feb 3 19:49:46 2012 -0500
84551
84552 Merge changes from pax-linux-3.2.4-test8.patch
84553
84554commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
84555Merge: 201c0db 141936c
84556Author: Brad Spengler <spender@grsecurity.net>
84557Date: Fri Feb 3 19:49:01 2012 -0500
84558
84559 Merge branch 'linux-3.2.y' into pax-test
84560
84561commit 3903f0172ecadf7a575ba3535402a1506133640a
84562Author: Brad Spengler <spender@grsecurity.net>
84563Date: Mon Jan 30 23:26:44 2012 -0500
84564
84565 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
84566
84567 We'll whitelist required directories for compatibility instead of requiring
84568 that people disable the feature entirely if they use SELinux, fuse, etc
84569
84570 Conflicts:
84571
84572 fs/sysfs/mount.c
84573
84574commit e3618feaa7e63807f1b88c199882075b3ec9bd05
84575Author: Brad Spengler <spender@grsecurity.net>
84576Date: Sun Jan 29 01:12:19 2012 -0500
84577
84578 perform RBAC check if TPE is on but match fails, matches previous behavior
84579
84580commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
84581Author: Brad Spengler <spender@grsecurity.net>
84582Date: Sat Jan 28 13:17:06 2012 -0500
84583
84584 log more information about the reason for a TPE denial for novice users, requested by a sponsor
84585
84586commit efefd67008cbad8a8591e2484410966a300a39a5
84587Author: Brad Spengler <spender@grsecurity.net>
84588Date: Fri Jan 27 19:58:53 2012 -0500
84589
84590 merge upstream sha512 changes
84591
84592commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
84593Author: Brad Spengler <spender@grsecurity.net>
84594Date: Fri Jan 27 19:49:07 2012 -0500
84595
84596 drop lock on error in xfs_readlink
84597
84598 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
84599
84600commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
84601Author: Li Wang <liwang@nudt.edu.cn>
84602Date: Thu Jan 19 09:44:36 2012 +0800
84603
84604 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
84605
84606 ecryptfs_write() can enter an infinite loop when truncating a file to a
84607 size larger than 4G. This only happens on architectures where size_t is
84608 represented by 32 bits.
84609
84610 This was caused by a size_t overflow due to it incorrectly being used to
84611 store the result of a calculation which uses potentially large values of
84612 type loff_t.
84613
84614 [tyhicks@canonical.com: rewrite subject and commit message]
84615 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
84616 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
84617 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
84618 Cc: <stable@vger.kernel.org>
84619 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
84620
84621commit a7607747d0f74f357d78bb796d70635dd05f46e8
84622Author: Tyler Hicks <tyhicks@canonical.com>
84623Date: Thu Jan 19 20:33:44 2012 -0600
84624
84625 eCryptfs: Check inode changes in setattr
84626
84627 Most filesystems call inode_change_ok() very early in ->setattr(), but
84628 eCryptfs didn't call it at all. It allowed the lower filesystem to make
84629 the call in its ->setattr() function. Then, eCryptfs would copy the
84630 appropriate inode attributes from the lower inode to the eCryptfs inode.
84631
84632 This patch changes that and actually calls inode_change_ok() on the
84633 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
84634 would happen earlier in ecryptfs_setattr(), but there are some possible
84635 inode initialization steps that must happen first.
84636
84637 Since the call was already being made on the lower inode, the change in
84638 functionality should be minimal, except for the case of a file extending
84639 truncate call. In that case, inode_newsize_ok() was never being
84640 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
84641 maximum file size errors early on, eCryptfs would encrypt zeroed pages
84642 and write them to the lower filesystem until the lower filesystem's
84643 write path caught the error in generic_write_checks(). This patch
84644 introduces a new function, called ecryptfs_inode_newsize_ok(), which
84645 checks if the new lower file size is within the appropriate limits when
84646 the truncate operation will be growing the lower file.
84647
84648 In summary this change prevents eCryptfs truncate operations (and the
84649 resulting page encryptions), which would exceed the lower filesystem
84650 limits or FSIZE rlimits, from ever starting.
84651
84652 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
84653 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
84654 Cc: <stable@vger.kernel.org>
84655
84656commit 0d96f190a39505254ace4e9330219aaeda9b64e3
84657Author: Tyler Hicks <tyhicks@canonical.com>
84658Date: Wed Jan 18 18:30:04 2012 -0600
84659
84660 eCryptfs: Make truncate path killable
84661
84662 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
84663 page, zeroes out the appropriate portions, and then encrypts the page
84664 before writing it to the lower filesystem. It was unkillable and due to
84665 the lack of sparse file support could result in tying up a large portion
84666 of system resources, while encrypting pages of zeros, with no way for
84667 the truncate operation to be stopped from userspace.
84668
84669 This patch adds the ability for ecryptfs_write() to detect a pending
84670 fatal signal and return as gracefully as possible. The intent is to
84671 leave the lower file in a useable state, while still allowing a user to
84672 break out of the encryption loop. If a pending fatal signal is detected,
84673 the eCryptfs inode size is updated to reflect the modified inode size
84674 and then -EINTR is returned.
84675
84676 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
84677 Cc: <stable@vger.kernel.org>
84678
84679commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
84680Author: Tyler Hicks <tyhicks@canonical.com>
84681Date: Tue Jan 24 10:02:22 2012 -0600
84682
84683 eCryptfs: Fix oops when printing debug info in extent crypto functions
84684
84685 If pages passed to the eCryptfs extent-based crypto functions are not
84686 mapped and the module parameter ecryptfs_verbosity=1 was specified at
84687 loading time, a NULL pointer dereference will occur.
84688
84689 Note that this wouldn't happen on a production system, as you wouldn't
84690 pass ecryptfs_verbosity=1 on a production system. It leaks private
84691 information to the system logs and is for debugging only.
84692
84693 The debugging info printed in these messages is no longer very useful
84694 and rather than doing a kmap() in these debugging paths, it will be
84695 better to simply remove the debugging paths completely.
84696
84697 https://launchpad.net/bugs/913651
84698
84699 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
84700 Reported-by: Daniel DeFreez
84701 Cc: <stable@vger.kernel.org>
84702
84703commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
84704Author: Tyler Hicks <tyhicks@canonical.com>
84705Date: Thu Jan 12 11:30:44 2012 +0100
84706
84707 eCryptfs: Sanitize write counts of /dev/ecryptfs
84708
84709 A malicious count value specified when writing to /dev/ecryptfs may
84710 result in a a very large kernel memory allocation.
84711
84712 This patch peeks at the specified packet payload size, adds that to the
84713 size of the packet headers and compares the result with the write count
84714 value. The resulting maximum memory allocation size is approximately 532
84715 bytes.
84716
84717 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
84718 Reported-by: Sasha Levin <levinsasha928@gmail.com>
84719 Cc: <stable@vger.kernel.org>
84720
84721commit 96dcb7282d323813181a1791f51c0ab7696b675b
84722Merge: 6c09fa5 201c0db
84723Author: Brad Spengler <spender@grsecurity.net>
84724Date: Fri Jan 27 19:44:15 2012 -0500
84725
84726 Merge branch 'pax-test' into grsec-test
84727
84728commit 201c0dbf177527367676028151e36d340923f033
84729Author: Brad Spengler <spender@grsecurity.net>
84730Date: Fri Jan 27 19:43:24 2012 -0500
84731
84732 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
84733 on loading modules with empty sections
84734
84735commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
84736Author: Brad Spengler <spender@grsecurity.net>
84737Date: Fri Jan 27 19:42:13 2012 -0500
84738
84739 compile fix
84740
84741commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
84742Author: Brad Spengler <spender@grsecurity.net>
84743Date: Fri Jan 27 19:39:28 2012 -0500
84744
84745 use LSM flags instead of duplicating checks
84746
84747commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
84748Merge: 44b9f11 558718b
84749Author: Brad Spengler <spender@grsecurity.net>
84750Date: Fri Jan 27 18:56:23 2012 -0500
84751
84752 Merge branch 'pax-test' into grsec-test
84753
84754commit 558718b2217beff69edf60f34a6f9893d910e9ac
84755Author: Brad Spengler <spender@grsecurity.net>
84756Date: Fri Jan 27 18:56:04 2012 -0500
84757
84758 Merge changes from pax-linux-3.2.2-test6.patch
84759
84760commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
84761Author: Brad Spengler <spender@grsecurity.net>
84762Date: Fri Jan 27 18:53:55 2012 -0500
84763
84764 don't increase the size of task_struct when unnecessary
84765 change ptrace_readexec log message
84766
84767commit a9c9626e054adb885883aa64f85506852894dd33
84768Author: Brad Spengler <spender@grsecurity.net>
84769Date: Fri Jan 27 18:16:28 2012 -0500
84770
84771 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
84772 the protection applies to all unreadable binaries.
84773
84774commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
84775Merge: 7b3f3af 05a1349
84776Author: Brad Spengler <spender@grsecurity.net>
84777Date: Wed Jan 25 20:52:09 2012 -0500
84778
84779 Merge branch 'pax-test' into grsec-test
84780
84781 Conflicts:
84782 block/scsi_ioctl.c
84783 drivers/scsi/sd.c
84784 fs/proc/base.c
84785
84786commit 05a134966efb9cb9346ad3422888969ffc79ac1d
84787Author: Brad Spengler <spender@grsecurity.net>
84788Date: Wed Jan 25 20:47:36 2012 -0500
84789
84790 Resync with pax-linux-3.2.2-test5.patch
84791
84792commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
84793Merge: c6d443d 3499d64
84794Author: Brad Spengler <spender@grsecurity.net>
84795Date: Wed Jan 25 20:45:16 2012 -0500
84796
84797 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
84798
84799 Conflicts:
84800 ipc/shm.c
84801
84802commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
84803Author: Brad Spengler <spender@grsecurity.net>
84804Date: Tue Jan 24 19:42:01 2012 -0500
84805
84806 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
84807 (may be changed if it breaks some userland), the other has its own
84808 config option
84809
84810 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
84811 the syscall or /proc/sys.
84812
84813 Second feature requires read access to a suid/sgid binary in order
84814 to ptrace it, preventing infoleaking of binaries in situations where
84815 the admin has specified 4711 or 2711 perms. Feature has been
84816 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
84817 a sysctl entry of ptrace_readexec
84818
84819commit 11a7bb25c411c9dccfdca5718639b4becdffd388
84820Author: Brad Spengler <spender@grsecurity.net>
84821Date: Sun Jan 22 14:37:10 2012 -0500
84822
84823 Compilation fixes
84824
84825commit cd400e21c7c352baba47d6f375297a7847afb33a
84826Author: Brad Spengler <spender@grsecurity.net>
84827Date: Sun Jan 22 14:20:27 2012 -0500
84828
84829 Initial port of grsecurity 2.2.2 for Linux 3.2.1
84830 Note that the new syscalls added to this kernel for remote process read/write
84831 are subject to ptrace hardening/other relevant RBAC features
84832 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
84833 as well
84834 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
84835 you should be using a version of gcc with plugin support
84836
84837commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
84838Author: Brad Spengler <spender@grsecurity.net>
84839Date: Sun Jan 22 11:47:31 2012 -0500
84840
84841 Import pax-linux-3.2.1-test5.patch
84842commit bfd7db842f835f9837cd43644459b3a95b0b488d
84843Author: Brad Spengler <spender@grsecurity.net>
84844Date: Sun Jan 22 11:02:02 2012 -0500
84845
84846 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
84847 instead of returning -EACCES
84848 thanks to Wraith from irc for the report
84849
84850commit 873ac13576506cd48ddb527c2540f274e249da50
84851Merge: 34083dd 8a44fcc
84852Author: Brad Spengler <spender@grsecurity.net>
84853Date: Fri Jan 20 18:04:02 2012 -0500
84854
84855 Merge branch 'pax-test' into grsec-test
84856
84857commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
84858Author: Brad Spengler <spender@grsecurity.net>
84859Date: Fri Jan 20 18:02:15 2012 -0500
84860
84861 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
84862 Denies executable shared memory when MPROTECT is active
84863 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
84864
84865commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
84866Author: Brad Spengler <spender@grsecurity.net>
84867Date: Thu Jan 19 20:23:14 2012 -0500
84868
84869 Introduce new GRKERNSEC_SETXID implementation
84870 We're not able to change the credentials of other threads in the process until at most
84871 one syscall after the first thread does it, since we mark the threads as needing rescheduling
84872 and such work occurs on syscall exit.
84873 This does however ensure that we're only modifying the current task's credentials
84874 which upholds RCU expectations
84875
84876 Many thanks to corsac for testing
84877
84878commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
84879Author: Brad Spengler <spender@grsecurity.net>
84880Date: Thu Jan 19 17:42:48 2012 -0500
84881
84882 Simplify backport
84883
84884commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
84885Author: Brad Spengler <spender@grsecurity.net>
84886Date: Thu Jan 19 17:08:16 2012 -0500
84887
84888 Commit the latest silent fix for a local privilege escalation from Linus
84889 Also disable writing to /proc/pid/mem
84890 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
84891
84892commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
84893Merge: 0394a3f 7e6299b
84894Author: Brad Spengler <spender@grsecurity.net>
84895Date: Wed Jan 18 20:22:09 2012 -0500
84896
84897 Merge branch 'pax-test' into grsec-test
84898
84899commit 7e6299b4733c082dde930375dd207b63237751ec
84900Merge: 83555fb 9bb1282
84901Author: Brad Spengler <spender@grsecurity.net>
84902Date: Wed Jan 18 20:21:37 2012 -0500
84903
84904 Merge branch 'linux-3.1.y' into pax-test
84905
84906commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
84907Author: Jesper Juhl <jj@chaosbits.net>
84908Date: Sun Jan 8 22:44:29 2012 +0100
84909
84910 audit: always follow va_copy() with va_end()
84911
84912 A call to va_copy() should always be followed by a call to va_end() in
84913 the same function. In kernel/autit.c::audit_log_vformat() this is not
84914 always done. This patch makes sure va_end() is always called.
84915
84916 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
84917 Cc: Al Viro <viro@zeniv.linux.org.uk>
84918 Cc: Eric Paris <eparis@redhat.com>
84919 Cc: Andrew Morton <akpm@linux-foundation.org>
84920 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
84921
84922commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
84923Author: Andi Kleen <ak@linux.intel.com>
84924Date: Thu Jan 12 17:20:30 2012 -0800
84925
84926 panic: don't print redundant backtraces on oops
84927
84928 When an oops causes a panic and panic prints another backtrace it's pretty
84929 common to have the original oops data be scrolled away on a 80x50 screen.
84930
84931 The second backtrace is quite redundant and not needed anyways.
84932
84933 So don't print the panic backtrace when oops_in_progress is true.
84934
84935 [akpm@linux-foundation.org: add comment]
84936 Signed-off-by: Andi Kleen <ak@linux.intel.com>
84937 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
84938 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
84939 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
84940
84941commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
84942Author: Miklos Szeredi <mszeredi@suse.cz>
84943Date: Thu Jan 12 17:59:46 2012 +0100
84944
84945 fsnotify: don't BUG in fsnotify_destroy_mark()
84946
84947 Removing the parent of a watched file results in "kernel BUG at
84948 fs/notify/mark.c:139".
84949
84950 To reproduce
84951
84952 add "-w /tmp/audit/dir/watched_file" to audit.rules
84953 rm -rf /tmp/audit/dir
84954
84955 This is caused by fsnotify_destroy_mark() being called without an
84956 extra reference taken by the caller.
84957
84958 Reported by Francesco Cosoleto here:
84959
84960 https://bugzilla.novell.com/show_bug.cgi?id=689860
84961
84962 Fix by removing the BUG_ON and adding a comment about not accessing mark after
84963 the iput.
84964
84965 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
84966 CC: stable@vger.kernel.org
84967 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
84968
84969commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
84970Author: Paolo Bonzini <pbonzini@redhat.com>
84971Date: Thu Jan 12 16:01:28 2012 +0100
84972
84973 block: fail SCSI passthrough ioctls on partition devices
84974
84975 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
84976 will pass the command to the underlying block device. This is
84977 well-known, but it is also a large security problem when (via Unix
84978 permissions, ACLs, SELinux or a combination thereof) a program or user
84979 needs to be granted access only to part of the disk.
84980
84981 This patch lets partitions forward a small set of harmless ioctls;
84982 others are logged with printk so that we can see which ioctls are
84983 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
84984 Of course it was being sent to a (partition on a) hard disk, so it would
84985 have failed with ENOTTY and the patch isn't changing anything in
84986 practice. Still, I'm treating it specially to avoid spamming the logs.
84987
84988 In principle, this restriction should include programs running with
84989 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
84990 /dev/sdb, it still should not be able to read/write outside the
84991 boundaries of /dev/sda2 independent of the capabilities. However, for
84992 now programs with CAP_SYS_RAWIO will still be allowed to send the
84993 ioctls. Their actions will still be logged.
84994
84995 This patch does not affect the non-libata IDE driver. That driver
84996 however already tests for bd != bd->bd_contains before issuing some
84997 ioctl; it could be restricted further to forbid these ioctls even for
84998 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
84999
85000 Cc: linux-scsi@vger.kernel.org
85001 Cc: Jens Axboe <axboe@kernel.dk>
85002 Cc: James Bottomley <JBottomley@parallels.com>
85003 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
85004 [ Make it also print the command name when warning - Linus ]
85005 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
85006
85007commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
85008Author: Paolo Bonzini <pbonzini@redhat.com>
85009Date: Thu Jan 12 16:01:27 2012 +0100
85010
85011 block: add and use scsi_blk_cmd_ioctl
85012
85013 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
85014
85015 The function will then be enhanced to detect partition block devices
85016 and, in that case, subject the ioctls to whitelisting.
85017
85018 Cc: linux-scsi@vger.kernel.org
85019 Cc: Jens Axboe <axboe@kernel.dk>
85020 Cc: James Bottomley <JBottomley@parallels.com>
85021 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
85022 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
85023
85024commit 97a79814903fc350e1d13704ea31528a42705401
85025Author: Kees Cook <keescook@chromium.org>
85026Date: Sat Jan 7 10:41:04 2012 -0800
85027
85028 audit: treat s_id as an untrusted string
85029
85030 The use of s_id should go through the untrusted string path, just to be
85031 extra careful.
85032
85033 Signed-off-by: Kees Cook <keescook@chromium.org>
85034 Acked-by: Mimi Zohar <zohar@us.ibm.com>
85035 Signed-off-by: Eric Paris <eparis@redhat.com>
85036
85037commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
85038Author: Xi Wang <xi.wang@gmail.com>
85039Date: Tue Dec 20 18:39:41 2011 -0500
85040
85041 audit: fix signedness bug in audit_log_execve_info()
85042
85043 In the loop, a size_t "len" is used to hold the return value of
85044 audit_log_single_execve_arg(), which returns -1 on error. In that
85045 case the error handling (len <= 0) will be bypassed since "len" is
85046 unsigned, and the loop continues with (p += len) being wrapped.
85047 Change the type of "len" to signed int to fix the error handling.
85048
85049 size_t len;
85050 ...
85051 for (...) {
85052 len = audit_log_single_execve_arg(...);
85053 if (len <= 0)
85054 break;
85055 p += len;
85056 }
85057
85058 Signed-off-by: Xi Wang <xi.wang@gmail.com>
85059 Signed-off-by: Eric Paris <eparis@redhat.com>
85060
85061commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
85062Author: Dan Carpenter <dan.carpenter@oracle.com>
85063Date: Tue Jan 17 03:28:51 2012 -0300
85064
85065 [media] ds3000: using logical && instead of bitwise &
85066
85067 The intent here was to test if the FE_HAS_LOCK was set. The current
85068 test is equivalent to "if (status) { ..."
85069
85070 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
85071 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
85072
85073commit 36522330dc59d2fc70c042f3f081d75c32b6259a
85074Author: Brad Spengler <spender@grsecurity.net>
85075Date: Mon Jan 16 13:10:38 2012 -0500
85076
85077 Ignore the 0 signal for protected task RBAC checks
85078
85079commit d513acd55f7a683f6e146a4f570cdb63300479ab
85080Author: Brad Spengler <spender@grsecurity.net>
85081Date: Mon Jan 16 11:56:13 2012 -0500
85082
85083 whitespace cleanup
85084
85085commit ced261c4b82818c700aff8487f647f6f3e5b5122
85086Merge: d48751f 83555fb
85087Author: Brad Spengler <spender@grsecurity.net>
85088Date: Fri Jan 13 20:12:54 2012 -0500
85089
85090 Merge branch 'pax-test' into grsec-test
85091
85092commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
85093Merge: fcd8129 93dad39
85094Author: Brad Spengler <spender@grsecurity.net>
85095Date: Fri Jan 13 20:12:43 2012 -0500
85096
85097 Merge branch 'linux-3.1.y' into pax-test
85098
85099commit d48751f3919ae855fda0ff6c149db82442329253
85100Author: Brad Spengler <spender@grsecurity.net>
85101Date: Wed Jan 11 19:05:47 2012 -0500
85102
85103 Call our own set_user when forcing change to new id
85104
85105commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
85106Merge: e6578ff fcd8129
85107Author: Brad Spengler <spender@grsecurity.net>
85108Date: Tue Jan 10 16:00:10 2012 -0500
85109
85110 Merge branch 'pax-test' into grsec-test
85111
85112commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
85113Author: Brad Spengler <spender@grsecurity.net>
85114Date: Tue Jan 10 15:58:43 2012 -0500
85115
85116 Merge changes from pax-linux-3.1.8-test23.patch
85117
85118commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
85119Merge: 8859ec3 a120549
85120Author: Brad Spengler <spender@grsecurity.net>
85121Date: Fri Jan 6 21:45:56 2012 -0500
85122
85123 Merge branch 'pax-test' into grsec-test
85124
85125commit a12054967a77090de1caa07c41e694a77db4e237
85126Author: Brad Spengler <spender@grsecurity.net>
85127Date: Fri Jan 6 21:45:30 2012 -0500
85128
85129 Merge changes from pax-linux-3.1.8-test22.patch
85130
85131commit 8859ec32f9815c274df65448f9f2960176c380d3
85132Merge: a5016b4 ddd4114
85133Author: Brad Spengler <spender@grsecurity.net>
85134Date: Fri Jan 6 21:26:08 2012 -0500
85135
85136 Merge branch 'pax-test' into grsec-test
85137
85138 Conflicts:
85139 fs/binfmt_elf.c
85140 security/Kconfig
85141
85142commit ddd41147e158a79704983a409b7433eba797cf66
85143Author: Brad Spengler <spender@grsecurity.net>
85144Date: Fri Jan 6 21:12:42 2012 -0500
85145
85146 Resync with PaX patch (whitespace difference)
85147
85148commit 29e569df8205c5f0e043fe4803aa984406c8b118
85149Author: Brad Spengler <spender@grsecurity.net>
85150Date: Fri Jan 6 21:09:47 2012 -0500
85151
85152 Merge changes from pax-linux-3.1.8-test21.patch
85153
85154commit a5016b4f9c09c337b17e063a7f369af1e86d944d
85155Merge: 0124c92 04231d5
85156Author: Brad Spengler <spender@grsecurity.net>
85157Date: Fri Jan 6 18:52:20 2012 -0500
85158
85159 Merge branch 'pax-test' into grsec-test
85160
85161commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
85162Merge: 7bdddeb a919904
85163Author: Brad Spengler <spender@grsecurity.net>
85164Date: Fri Jan 6 18:51:50 2012 -0500
85165
85166 Merge branch 'linux-3.1.y' into pax-test
85167
85168 Conflicts:
85169 include/net/flow.h
85170
85171commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
85172Author: Brad Spengler <spender@grsecurity.net>
85173Date: Fri Jan 6 18:33:05 2012 -0500
85174
85175 Make GRKERNSEC_SETXID option compatible with credential debugging
85176
85177commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
85178Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
85179Date: Wed Dec 28 15:57:11 2011 -0800
85180
85181 mm/mempolicy.c: refix mbind_range() vma issue
85182
85183 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
85184 slightly incorrect fix.
85185
85186 Why? Think following case.
85187
85188 1. map 4 pages of a file at offset 0
85189
85190 [0123]
85191
85192 2. map 2 pages just after the first mapping of the same file but with
85193 page offset 2
85194
85195 [0123][23]
85196
85197 3. mbind() 2 pages from the first mapping at offset 2.
85198 mbind_range() should treat new vma is,
85199
85200 [0123][23]
85201 |23|
85202 mbind vma
85203
85204 but it does
85205
85206 [0123][23]
85207 |01|
85208 mbind vma
85209
85210 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
85211
85212 This patch fixes it.
85213
85214 [testcase]
85215 test result - before the patch
85216
85217 case4: 126: test failed. expect '2,4', actual '2,2,2'
85218 case5: passed
85219 case6: passed
85220 case7: passed
85221 case8: passed
85222 case_n: 246: test failed. expect '4,2', actual '1,4'
85223
85224 ------------[ cut here ]------------
85225 kernel BUG at mm/filemap.c:135!
85226 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
85227
85228 (snip long bug on messages)
85229
85230 test result - after the patch
85231
85232 case4: passed
85233 case5: passed
85234 case6: passed
85235 case7: passed
85236 case8: passed
85237 case_n: passed
85238
85239 source: mbind_vma_test.c
85240 ============================================================
85241 #include <numaif.h>
85242 #include <numa.h>
85243 #include <sys/mman.h>
85244 #include <stdio.h>
85245 #include <unistd.h>
85246 #include <stdlib.h>
85247 #include <string.h>
85248
85249 static unsigned long pagesize;
85250 void* mmap_addr;
85251 struct bitmask *nmask;
85252 char buf[1024];
85253 FILE *file;
85254 char retbuf[10240] = "";
85255 int mapped_fd;
85256
85257 char *rubysrc = "ruby -e '\
85258 pid = %d; \
85259 vstart = 0x%llx; \
85260 vend = 0x%llx; \
85261 s = `pmap -q #{pid}`; \
85262 rary = []; \
85263 s.each_line {|line|; \
85264 ary=line.split(\" \"); \
85265 addr = ary[0].to_i(16); \
85266 if(vstart <= addr && addr < vend) then \
85267 rary.push(ary[1].to_i()/4); \
85268 end; \
85269 }; \
85270 print rary.join(\",\"); \
85271 '";
85272
85273 void init(void)
85274 {
85275 void* addr;
85276 char buf[128];
85277
85278 nmask = numa_allocate_nodemask();
85279 numa_bitmask_setbit(nmask, 0);
85280
85281 pagesize = getpagesize();
85282
85283 sprintf(buf, "%s", "mbind_vma_XXXXXX");
85284 mapped_fd = mkstemp(buf);
85285 if (mapped_fd == -1)
85286 perror("mkstemp "), exit(1);
85287 unlink(buf);
85288
85289 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
85290 perror("lseek "), exit(1);
85291 if (write(mapped_fd, "\0", 1) < 0)
85292 perror("write "), exit(1);
85293
85294 addr = mmap(NULL, pagesize*8, PROT_NONE,
85295 MAP_SHARED, mapped_fd, 0);
85296 if (addr == MAP_FAILED)
85297 perror("mmap "), exit(1);
85298
85299 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
85300 perror("mprotect "), exit(1);
85301
85302 mmap_addr = addr + pagesize;
85303
85304 /* make page populate */
85305 memset(mmap_addr, 0, pagesize*6);
85306 }
85307
85308 void fin(void)
85309 {
85310 void* addr = mmap_addr - pagesize;
85311 munmap(addr, pagesize*8);
85312
85313 memset(buf, 0, sizeof(buf));
85314 memset(retbuf, 0, sizeof(retbuf));
85315 }
85316
85317 void mem_bind(int index, int len)
85318 {
85319 int err;
85320
85321 err = mbind(mmap_addr+pagesize*index, pagesize*len,
85322 MPOL_BIND, nmask->maskp, nmask->size, 0);
85323 if (err)
85324 perror("mbind "), exit(err);
85325 }
85326
85327 void mem_interleave(int index, int len)
85328 {
85329 int err;
85330
85331 err = mbind(mmap_addr+pagesize*index, pagesize*len,
85332 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
85333 if (err)
85334 perror("mbind "), exit(err);
85335 }
85336
85337 void mem_unbind(int index, int len)
85338 {
85339 int err;
85340
85341 err = mbind(mmap_addr+pagesize*index, pagesize*len,
85342 MPOL_DEFAULT, NULL, 0, 0);
85343 if (err)
85344 perror("mbind "), exit(err);
85345 }
85346
85347 void Assert(char *expected, char *value, char *name, int line)
85348 {
85349 if (strcmp(expected, value) == 0) {
85350 fprintf(stderr, "%s: passed\n", name);
85351 return;
85352 }
85353 else {
85354 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
85355 name, line,
85356 expected, value);
85357 // exit(1);
85358 }
85359 }
85360
85361 /*
85362 AAAA
85363 PPPPPPNNNNNN
85364 might become
85365 PPNNNNNNNNNN
85366 case 4 below
85367 */
85368 void case4(void)
85369 {
85370 init();
85371 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
85372
85373 mem_bind(0, 4);
85374 mem_unbind(2, 2);
85375
85376 file = popen(buf, "r");
85377 fread(retbuf, sizeof(retbuf), 1, file);
85378 Assert("2,4", retbuf, "case4", __LINE__);
85379
85380 fin();
85381 }
85382
85383 /*
85384 AAAA
85385 PPPPPPNNNNNN
85386 might become
85387 PPPPPPPPPPNN
85388 case 5 below
85389 */
85390 void case5(void)
85391 {
85392 init();
85393 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
85394
85395 mem_bind(0, 2);
85396 mem_bind(2, 2);
85397
85398 file = popen(buf, "r");
85399 fread(retbuf, sizeof(retbuf), 1, file);
85400 Assert("4,2", retbuf, "case5", __LINE__);
85401
85402 fin();
85403 }
85404
85405 /*
85406 AAAA
85407 PPPPNNNNXXXX
85408 might become
85409 PPPPPPPPPPPP 6
85410 */
85411 void case6(void)
85412 {
85413 init();
85414 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
85415
85416 mem_bind(0, 2);
85417 mem_bind(4, 2);
85418 mem_bind(2, 2);
85419
85420 file = popen(buf, "r");
85421 fread(retbuf, sizeof(retbuf), 1, file);
85422 Assert("6", retbuf, "case6", __LINE__);
85423
85424 fin();
85425 }
85426
85427 /*
85428 AAAA
85429 PPPPNNNNXXXX
85430 might become
85431 PPPPPPPPXXXX 7
85432 */
85433 void case7(void)
85434 {
85435 init();
85436 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
85437
85438 mem_bind(0, 2);
85439 mem_interleave(4, 2);
85440 mem_bind(2, 2);
85441
85442 file = popen(buf, "r");
85443 fread(retbuf, sizeof(retbuf), 1, file);
85444 Assert("4,2", retbuf, "case7", __LINE__);
85445
85446 fin();
85447 }
85448
85449 /*
85450 AAAA
85451 PPPPNNNNXXXX
85452 might become
85453 PPPPNNNNNNNN 8
85454 */
85455 void case8(void)
85456 {
85457 init();
85458 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
85459
85460 mem_bind(0, 2);
85461 mem_interleave(4, 2);
85462 mem_interleave(2, 2);
85463
85464 file = popen(buf, "r");
85465 fread(retbuf, sizeof(retbuf), 1, file);
85466 Assert("2,4", retbuf, "case8", __LINE__);
85467
85468 fin();
85469 }
85470
85471 void case_n(void)
85472 {
85473 init();
85474 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
85475
85476 /* make redundunt mappings [0][1234][34][7] */
85477 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
85478 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
85479
85480 /* Expect to do nothing. */
85481 mem_unbind(2, 2);
85482
85483 file = popen(buf, "r");
85484 fread(retbuf, sizeof(retbuf), 1, file);
85485 Assert("4,2", retbuf, "case_n", __LINE__);
85486
85487 fin();
85488 }
85489
85490 int main(int argc, char** argv)
85491 {
85492 case4();
85493 case5();
85494 case6();
85495 case7();
85496 case8();
85497 case_n();
85498
85499 return 0;
85500 }
85501 =============================================================
85502
85503 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
85504 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
85505 Cc: Minchan Kim <minchan.kim@gmail.com>
85506 Cc: Caspar Zhang <caspar@casparzhang.com>
85507 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
85508 Cc: Christoph Lameter <cl@linux.com>
85509 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
85510 Cc: Mel Gorman <mel@csn.ul.ie>
85511 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
85512 Cc: <stable@vger.kernel.org> [3.1.x]
85513 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
85514 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
85515
85516commit f3a1082005781777086df235049f8c0b7efe524e
85517Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
85518Date: Tue Dec 27 22:32:41 2011 -0500
85519
85520 packet: fix possible dev refcnt leak when bind fail
85521
85522 If bind is fail when bind is called after set PACKET_FANOUT
85523 sock option, the dev refcnt will leak.
85524
85525 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
85526 Signed-off-by: David S. Miller <davem@davemloft.net>
85527
85528commit 915f8b08dac68839dc7204ee81cf9852fda16d24
85529Author: Haogang Chen <haogangchen@gmail.com>
85530Date: Mon Dec 19 17:11:56 2011 -0800
85531
85532 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
85533
85534 There is a potential integer overflow in nilfs_ioctl_clean_segments().
85535 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
85536 call to vmalloc() will allocate a buffer smaller than expected, which
85537 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
85538 lfs_clean_segments().
85539
85540 The following check does not prevent the overflow because nsegs is also
85541 controlled by the userspace and could be very large.
85542
85543 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
85544 goto out_free;
85545
85546 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
85547 returns -EINVAL when overflow.
85548
85549 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
85550 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
85551 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
85552 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
85553
85554commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
85555Author: Kautuk Consul <consul.kautuk@gmail.com>
85556Date: Mon Dec 19 17:12:04 2011 -0800
85557
85558 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
85559
85560 Static storage is not required for the struct vmap_area in
85561 __get_vm_area_node.
85562
85563 Removing "static" to store this variable on the stack instead.
85564
85565 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
85566 Acked-by: David Rientjes <rientjes@google.com>
85567 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
85568 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
85569
85570commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
85571Author: Michel Lespinasse <walken@google.com>
85572Date: Mon Dec 19 17:12:06 2011 -0800
85573
85574 binary_sysctl(): fix memory leak
85575
85576 binary_sysctl() calls sysctl_getname() which allocates from names_cache
85577 slab usin __getname()
85578
85579 The matching function to free the name is __putname(), and not putname()
85580 which should be used only to match getname() allocations.
85581
85582 This is because when auditing is enabled, putname() calls audit_putname
85583 *instead* (not in addition) to __putname(). Then, if a syscall is in
85584 progress, audit_putname does not release the name - instead, it expects
85585 the name to get released when the syscall completes, but that will happen
85586 only if audit_getname() was called previously, i.e. if the name was
85587 allocated with getname() rather than the naked __getname(). So,
85588 __getname() followed by putname() ends up leaking memory.
85589
85590 Signed-off-by: Michel Lespinasse <walken@google.com>
85591 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
85592 Cc: Christoph Hellwig <hch@infradead.org>
85593 Cc: Eric Paris <eparis@redhat.com>
85594 Cc: <stable@vger.kernel.org>
85595 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
85596 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
85597
85598commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
85599Author: Sean Hefty <sean.hefty@intel.com>
85600Date: Tue Dec 6 21:17:11 2011 +0000
85601
85602 RDMA/cma: Verify private data length
85603
85604 private_data_len is defined as a u8. If the user specifies a large
85605 private_data size (> 220 bytes), we will calculate a total length that
85606 exceeds 255, resulting in private_data_len wrapping back to 0. This
85607 can lead to overwriting random kernel memory. Avoid this by verifying
85608 that the resulting size fits into a u8.
85609
85610 Reported-by: B. Thery <benjamin.thery@bull.net>
85611 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
85612 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
85613 Signed-off-by: Roland Dreier <roland@purestorage.com>
85614
85615commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
85616Author: Xi Wang <xi.wang@gmail.com>
85617Date: Sun Dec 11 23:40:56 2011 -0800
85618
85619 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
85620
85621 The error check (intr_status < 0) didn't work because intr_status is
85622 a u8. Change its type to signed int.
85623
85624 Signed-off-by: Xi Wang <xi.wang@gmail.com>
85625 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
85626
85627commit e27f34e383d7863b2528a63b81b23db09781f6b6
85628Author: Xi Wang <xi.wang@gmail.com>
85629Date: Fri Dec 16 12:44:15 2011 +0000
85630
85631 sctp: fix incorrect overflow check on autoclose
85632
85633 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
85634 limiting the autoclose value. If userspace passes in -1 on 32-bit
85635 platform, the overflow check didn't work and autoclose would be set
85636 to 0xffffffff.
85637
85638 This patch defines a max_autoclose (in seconds) for limiting the value
85639 and exposes it through sysctl, with the following intentions.
85640
85641 1) Avoid overflowing autoclose * HZ.
85642
85643 2) Keep the default autoclose bound consistent across 32- and 64-bit
85644 platforms (INT_MAX / HZ in this patch).
85645
85646 3) Keep the autoclose value consistent between setsockopt() and
85647 getsockopt() calls.
85648
85649 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
85650 Signed-off-by: Xi Wang <xi.wang@gmail.com>
85651 Signed-off-by: David S. Miller <davem@davemloft.net>
85652
85653commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
85654Author: Xi Wang <xi.wang@gmail.com>
85655Date: Wed Dec 21 05:18:33 2011 -0500
85656
85657 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
85658
85659 Commit e133e737 didn't correctly fix the integer overflow issue.
85660
85661 - unsigned int required_size;
85662 + u64 required_size;
85663 ...
85664 required_size = mode_cmd->pitch * mode_cmd->height;
85665 - if (unlikely(required_size > dev_priv->vram_size)) {
85666 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
85667
85668 Note that both pitch and height are u32. Their product is still u32 and
85669 would overflow before being assigned to required_size. A correct way is
85670 to convert pitch and height to u64 before the multiplication.
85671
85672 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
85673
85674 This patch calls the existing vmw_kms_validate_mode_vram() for
85675 validation.
85676
85677 Signed-off-by: Xi Wang <xi.wang@gmail.com>
85678 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
85679 Signed-off-by: Dave Airlie <airlied@redhat.com>
85680
85681 Conflicts:
85682
85683 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
85684
85685commit eb8f0bd01fb994c9abc77dc84729794cd841753d
85686Author: Xi Wang <xi.wang@gmail.com>
85687Date: Thu Dec 22 13:35:22 2011 +0000
85688
85689 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
85690
85691 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
85692 cause a kernel oops due to insufficient bounds checking.
85693
85694 if (count > 1<<30) {
85695 /* Enforce a limit to prevent overflow */
85696 return -EINVAL;
85697 }
85698 count = roundup_pow_of_two(count);
85699 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
85700
85701 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
85702
85703 ... + (count * sizeof(struct rps_dev_flow))
85704
85705 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
85706 32 bits.
85707
85708 This patch replaces the magic number (1 << 30) with a symbolic bound.
85709
85710 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
85711 Signed-off-by: Xi Wang <xi.wang@gmail.com>
85712 Signed-off-by: David S. Miller <davem@davemloft.net>
85713
85714commit 648188958672024b616c42c1f6c98c8cfc85619d
85715Author: Xi Wang <xi.wang@gmail.com>
85716Date: Fri Dec 30 10:40:17 2011 -0500
85717
85718 netfilter: ctnetlink: fix timeout calculation
85719
85720 The sanity check (timeout < 0) never works; the dividend is unsigned
85721 and so is the division, which should have been a signed division.
85722
85723 long timeout = (ct->timeout.expires - jiffies) / HZ;
85724 if (timeout < 0)
85725 timeout = 0;
85726
85727 This patch converts the time values to signed for the division.
85728
85729 Signed-off-by: Xi Wang <xi.wang@gmail.com>
85730 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
85731
85732commit ab03a0973cee73f88655ff4981812ad316a6cd59
85733Merge: 76f82df 7bdddeb
85734Author: Brad Spengler <spender@grsecurity.net>
85735Date: Tue Jan 3 17:42:50 2012 -0500
85736
85737 Merge branch 'pax-test' into grsec-test
85738
85739commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
85740Merge: 3e59cb5 55cc81a
85741Author: Brad Spengler <spender@grsecurity.net>
85742Date: Tue Jan 3 17:42:36 2012 -0500
85743
85744 Merge branch 'linux-3.1.y' into pax-test
85745
85746commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
85747Author: Brad Spengler <spender@grsecurity.net>
85748Date: Thu Dec 22 20:15:02 2011 -0500
85749
85750 Only further restrict futex targeting another process -- our modified
85751 permission check also happened to allow a case where a process retaining
85752 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
85753 being non-zero (reported on forums by ben_w)
85754
85755commit 6b235a4450a5fea41663ec35fa0608988b6078c6
85756Merge: 97c16f0 3e59cb5
85757Author: Brad Spengler <spender@grsecurity.net>
85758Date: Thu Dec 22 19:11:06 2011 -0500
85759
85760 Merge branch 'pax-test' into grsec-test
85761
85762 Conflicts:
85763 fs/hfs/btree.c
85764
85765commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
85766Merge: 285eb4e c26f60b
85767Author: Brad Spengler <spender@grsecurity.net>
85768Date: Thu Dec 22 19:09:57 2011 -0500
85769
85770 Merge branch 'linux-3.1.y' into pax-test
85771
85772 Conflicts:
85773 arch/x86/kernel/process.c
85774
85775commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
85776Author: Brad Spengler <spender@grsecurity.net>
85777Date: Mon Dec 19 21:54:01 2011 -0500
85778
85779 Add new option: "Enforce consistent multithreaded privileges"
85780
85781commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
85782Author: Brad Spengler <spender@grsecurity.net>
85783Date: Wed Dec 7 19:58:31 2011 -0500
85784
85785 Remove harmless duplicate code -- exec_file would be null already so the
85786 second check would never pass.
85787
85788commit 4e3304e94aa72737810bc50169519af157dce4ce
85789Author: Brad Spengler <spender@grsecurity.net>
85790Date: Wed Dec 7 19:50:39 2011 -0500
85791
85792 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
85793 depended on for attaching to a thread. Entries exist in /proc for
85794 threads, but are not visible in a readdir.
85795
85796commit 1bd899335f23815cfe8deac44c6b346398f3b95e
85797Author: Brad Spengler <spender@grsecurity.net>
85798Date: Sun Dec 4 18:03:28 2011 -0500
85799
85800 Put the already-walked path if in RCU-walk mode
85801
85802commit ec7ae36b7159f10649709779443a988662965d66
85803Author: Brad Spengler <spender@grsecurity.net>
85804Date: Sun Dec 4 17:35:21 2011 -0500
85805
85806 Fix memory leak introduced by recent (unpublished) commit
85807 75ab998b94a29d464518d6d501bdde3fbfcbfa14
85808
85809commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
85810Author: Brad Spengler <spender@grsecurity.net>
85811Date: Sun Dec 4 13:56:10 2011 -0500
85812
85813 Explicitly check size copied to userland in override_release to silence gcc
85814
85815commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
85816Author: Brad Spengler <spender@grsecurity.net>
85817Date: Sun Dec 4 13:54:02 2011 -0500
85818
85819 Initialize variable to silence erroneous gcc warning
85820
85821commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
85822Author: Brad Spengler <spender@grsecurity.net>
85823Date: Sun Dec 4 13:47:47 2011 -0500
85824
85825 Future-proof other potential RCU-aware locations where we can log.
85826
85827commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
85828Author: Brad Spengler <spender@grsecurity.net>
85829Date: Sun Dec 4 13:02:54 2011 -0500
85830
85831 Fix freeze reported by 'vs' on the forums. Bug occurred due to
85832 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
85833 in generic_permission() was in the task's effective set but disallowed by
85834 RBAC, would block when acquiring locks resulting in the freeze.
85835
85836 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
85837 as being required when CAP_DAC_OVERRIDE is present (consistent with
85838 older patches).
85839
85840commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
85841Author: Xi Wang <xi.wang@gmail.com>
85842Date: Tue Nov 29 09:26:30 2011 +0000
85843
85844 sctp: better integer overflow check in sctp_auth_create_key()
85845
85846 The check from commit 30c2235c is incomplete and cannot prevent
85847 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
85848 left-hand side of the check (INT_MAX - key_len), which is unsigned,
85849 becomes 0xffffffff (UINT_MAX) and bypasses the check.
85850
85851 However this shouldn't be a security issue. The function is called
85852 from the following two code paths:
85853
85854 1) setsockopt()
85855
85856 2) sctp_auth_asoc_set_secret()
85857
85858 In case (1), sca_keylength is never going to exceed 65535 since it's
85859 bounded by a u16 from the user API. As such, the key length will
85860 never overflow.
85861
85862 In case (2), sca_keylength is computed based on the user key (1 short)
85863 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
85864 will not overflow.
85865
85866 In other words, this overflow check is not really necessary. Just
85867 make it more correct.
85868
85869 Signed-off-by: Xi Wang <xi.wang@gmail.com>
85870 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
85871 Signed-off-by: David S. Miller <davem@davemloft.net>
85872
85873commit e565e28c3635a1d50f80541fbf6b606d742fec76
85874Author: Josh Boyer <jwboyer@redhat.com>
85875Date: Fri Aug 19 14:50:26 2011 -0400
85876
85877 fs/minix: Verify bitmap block counts before mounting
85878
85879 Newer versions of MINIX can create filesystems that allocate an extra
85880 bitmap block. Mounting of this succeeds, but doing a statfs call will
85881 result in an oops in count_free because of a negative number being used
85882 for the bh index.
85883
85884 Avoid this by verifying the number of allocated blocks at mount time,
85885 erroring out if there are not enough and make statfs ignore the extras
85886 if there are too many.
85887
85888 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
85889
85890 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
85891 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
85892
85893commit 6e134e398ec1a3f428261680e83df4319e64bed9
85894Author: Julia Lawall <julia@diku.dk>
85895Date: Tue Nov 15 14:53:11 2011 -0800
85896
85897 drivers/gpu/vga/vgaarb.c: add missing kfree
85898
85899 kbuf is a buffer that is local to this function, so all of the error paths
85900 leaving the function should release it.
85901
85902 Signed-off-by: Julia Lawall <julia@diku.dk>
85903 Cc: Jesper Juhl <jj@chaosbits.net>
85904 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
85905 Signed-off-by: Dave Airlie <airlied@redhat.com>
85906
85907commit 2b9057b321e36860e8d63985b5c4e496f254b717
85908Author: Brad Spengler <spender@grsecurity.net>
85909Date: Sat Dec 3 21:33:28 2011 -0500
85910
85911 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
85912
85913commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
85914Author: Brad Spengler <spender@grsecurity.net>
85915Date: Sat Dec 3 21:29:37 2011 -0500
85916
85917 Import pax-linux-3.1.4-test18.patch
85918
85919commit 285eb4ea45d853ae00426b3315a61c1368080dad
85920Author: Brad Spengler <spender@grsecurity.net>
85921Date: Sat Dec 10 18:33:46 2011 -0500
85922
85923 Import changes from pax-linux-3.1.5-test20.patch
85924
85925commit a6bda918fc90ec1d5c387e978d147ad2044153f1
85926Author: Brad Spengler <spender@grsecurity.net>
85927Date: Thu Dec 8 20:55:54 2011 -0500
85928
85929 Import changes from pax-linux-3.1.4-test19.patch
85930
85931commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
85932Author: Brad Spengler <spender@grsecurity.net>
85933Date: Sat Dec 3 21:29:37 2011 -0500
85934
85935 Import pax-linux-3.1.4-test18.patch
85936commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
85937Merge: 814820a 3a59a59
85938Author: Brad Spengler <spender@grsecurity.net>
85939Date: Sun May 12 21:51:18 2013 -0400
85940
85941 Merge branch 'pax-test' into grsec-test
85942
85943 Conflicts:
85944 security/Kconfig
85945
85946commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
85947Author: Brad Spengler <spender@grsecurity.net>
85948Date: Sun May 12 21:50:07 2013 -0400
85949
85950 Update to pax-linux-3.8.13-test24.patch:
85951 - fixed sparc/constification compile error, reported by blake
85952 - UDEREF/amd64 should be a bit more efficient when disabled at boot time
85953 - fixed some unnecessary integer truncations that could trip up the size overflow plugin
85954
85955 arch/arm/kernel/vmlinux.lds.S | 4 ++--
85956 arch/sparc/kernel/us3_cpufreq.c | 4 ++--
85957 arch/x86/ia32/ia32entry.S | 4 ++--
85958 arch/x86/include/asm/pgtable.h | 6 ++++--
85959 arch/x86/include/asm/uaccess.h | 6 +++---
85960 arch/x86/kernel/kprobes-opt.c | 4 ++++
85961 arch/x86/lib/copy_user_nocache_64.S | 2 +-
85962 arch/x86/lib/getuser.S | 8 ++++----
85963 arch/x86/lib/putuser.S | 8 ++++----
85964 arch/x86/mm/fault.c | 6 +++---
85965 drivers/net/slip/slhc.c | 2 +-
85966 drivers/staging/iio/ring_sw.c | 2 +-
85967 fs/binfmt_elf.c | 6 +++---
85968 fs/nfsd/nfscache.c | 2 +-
85969 fs/xattr.c | 21 +++++++++++++++++++++
85970 include/linux/syscalls.h | 2 +-
85971 include/linux/xattr.h | 3 +++
85972 init/main.c | 3 +++
85973 kernel/futex_compat.c | 2 +-
85974 kernel/trace/trace.h | 2 +-
85975 net/socket.c | 2 +-
85976 security/Kconfig | 2 +-
85977 22 files changed, 67 insertions(+), 34 deletions(-)
85978
85979commit 814820abfe5b9a34401d838b2510431a4cd92be9
85980Author: Dan Carpenter <dan.carpenter@oracle.com>
85981Date: Mon May 6 09:31:17 2013 +0000
85982
85983 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
85984
85985 tipc: potential divide by zero in tipc_link_recv_fragment()
85986
85987 The worry here is that fragm_sz could be zero since it comes from
85988 skb->data.
85989
85990 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
85991 Signed-off-by: David S. Miller <davem@davemloft.net>
85992
85993 net/tipc/link.c | 6 ++++--
85994 1 files changed, 4 insertions(+), 2 deletions(-)
85995
85996commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
85997Author: Dan Carpenter <dan.carpenter@oracle.com>
85998Date: Mon May 6 08:28:41 2013 +0000
85999
86000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
86001
86002 tipc: add a bounds check in link_recv_changeover_msg()
86003
86004 The bearer_id here comes from skb->data and it can be a number from 0 to
86005 7. The problem is that the ->links[] array has only 2 elements so I
86006 have added a range check.
86007
86008 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
86009 Signed-off-by: David S. Miller <davem@davemloft.net>
86010
86011 net/tipc/link.c | 5 ++++-
86012 1 files changed, 4 insertions(+), 1 deletions(-)
86013
86014commit ed0428c4ef6c5498870772f212ac651216eb8d0c
86015Merge: 2452d8d dbf932a
86016Author: Brad Spengler <spender@grsecurity.net>
86017Date: Sun May 12 21:18:25 2013 -0400
86018
86019 Merge branch 'linux-3.8.y' into pax-test
86020
86021 Conflicts:
86022 arch/x86/kernel/cpu/perf_event_intel_uncore.c
86023 arch/x86/mm/init.c
86024
86025commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
86026Author: Brad Spengler <spender@grsecurity.net>
86027Date: Sun May 12 20:24:01 2013 -0400
86028
86029 compile fix
86030
86031 grsecurity/gracl.c | 1 +
86032 grsecurity/gracl_segv.c | 1 +
86033 2 files changed, 2 insertions(+), 0 deletions(-)
86034
86035commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
86036Author: Brad Spengler <spender@grsecurity.net>
86037Date: Sun May 12 18:25:26 2013 -0400
86038
86039 fix btrfs support here as well
86040
86041 grsecurity/gracl_segv.c | 17 +++++++++--------
86042 1 files changed, 9 insertions(+), 8 deletions(-)
86043
86044commit c75e4664fe4d20da1639f70d9def097c4f20856b
86045Author: Brad Spengler <spender@grsecurity.net>
86046Date: Sun May 12 18:12:57 2013 -0400
86047
86048 Fix RBAC compatibility with btrfs compiled as a module, as
86049 reported on the forums by YuHg at:
86050 http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
86051
86052 fs/btrfs/inode.c | 11 +----------
86053 grsecurity/gracl.c | 19 ++++++++++---------
86054 grsecurity/gracl_segv.c | 2 +-
86055 grsecurity/grsec_disabled.c | 2 +-
86056 4 files changed, 13 insertions(+), 21 deletions(-)
86057
86058commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
86059Author: Brad Spengler <spender@grsecurity.net>
86060Date: Sat May 11 12:12:00 2013 -0400
86061
86062 allow copies just up to the start of kernel code
86063
86064 fs/exec.c | 2 +-
86065 1 files changed, 1 insertions(+), 1 deletions(-)
86066
86067commit 04638852588cf243f865f5a73aa9dab94fab53b7
86068Author: Brad Spengler <spender@grsecurity.net>
86069Date: Fri May 10 16:53:07 2013 -0400
86070
86071 MODULES_EXEC_VADDR is a virtual address
86072
86073 fs/exec.c | 2 +-
86074 1 files changed, 1 insertions(+), 1 deletions(-)
86075
86076commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
86077Author: Brad Spengler <spender@grsecurity.net>
86078Date: Fri May 10 16:51:03 2013 -0400
86079
86080 exempt module rx areas from usercopy protection under i386 kernexec
86081 their .rodata will be placed between stext/etext causing copies of
86082 constant strings to trigger usercopy reports/terminations
86083
86084 fs/exec.c | 5 +++++
86085 1 files changed, 5 insertions(+), 0 deletions(-)
86086
86087commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
86088Author: Brad Spengler <spender@grsecurity.net>
86089Date: Wed May 8 20:25:52 2013 -0400
86090
86091 User jorgus on the forums:
86092 http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
86093 discovered that the upstreamed version of enforcing RLIMIT_NPROC
86094 at setuid/exec time missed an important corner case:
86095 If RLIMIT_NPROC is set after a setuid occurs and the user's process
86096 limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
86097 happen at exec time for the task with a modified RLIMIT_NPROC.
86098
86099 This patch fixes that.
86100
86101 kernel/sys.c | 7 +++++++
86102 1 files changed, 7 insertions(+), 0 deletions(-)
86103
86104commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
86105Merge: 539fff0 2452d8d
86106Author: Brad Spengler <spender@grsecurity.net>
86107Date: Wed May 8 18:13:41 2013 -0400
86108
86109 Merge branch 'pax-test' into grsec-test
86110
86111commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
86112Merge: 6c850d8 9c9ab76
86113Author: Brad Spengler <spender@grsecurity.net>
86114Date: Wed May 8 18:13:31 2013 -0400
86115
86116 Merge branch 'linux-3.8.y' into pax-test
86117
86118 Conflicts:
86119 arch/x86/kernel/irq.c
86120 kernel/trace/trace_stack.c
86121
86122commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
86123Author: Brad Spengler <spender@grsecurity.net>
86124Date: Tue May 7 21:43:00 2013 -0400
86125
86126 turn counter into a flag
86127
86128 grsecurity/Kconfig | 2 +-
86129 grsecurity/grsec_chroot.c | 8 ++++----
86130 2 files changed, 5 insertions(+), 5 deletions(-)
86131
86132commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
86133Author: Brad Spengler <spender@grsecurity.net>
86134Date: Tue May 7 21:02:39 2013 -0400
86135
86136 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
86137 useful for Fedora/RHEL users
86138
86139 grsecurity/Kconfig | 10 ++++++++++
86140 grsecurity/grsec_chroot.c | 17 +++++++++++++++--
86141 2 files changed, 25 insertions(+), 2 deletions(-)
86142
86143commit 418102925c0cfb0de51b0a021abaa575e28fafa6
86144Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
86145Date: Fri May 3 14:11:25 2013 +0200
86146
86147 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
86148
86149 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
86150
86151 We should always have proper privileges when requesting kernel
86152 data.
86153
86154 Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
86155 Cc: <stable@kernel.org>
86156 Cc: Andi Kleen <ak@linux.intel.com>
86157 Cc: eranian@google.com
86158 Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
86159 [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
86160 Signed-off-by: Ingo Molnar <mingo@kernel.org>
86161 Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
86162
86163 arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
86164 1 files changed, 10 insertions(+), 3 deletions(-)
86165
86166commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
86167Author: Eric Dumazet <edumazet@google.com>
86168Date: Mon Apr 29 05:58:52 2013 +0000
86169
86170 Upstream commit: aebda156a570782a86fc4426842152237a19427d
86171
86172 net: defer net_secret[] initialization
86173
86174 Instead of feeding net_secret[] at boot time, defer the init
86175 at the point first socket is created.
86176
86177 This permits some platforms to use better entropy sources than
86178 the ones available at boot time.
86179
86180 Signed-off-by: Eric Dumazet <edumazet@google.com>
86181 Signed-off-by: David S. Miller <davem@davemloft.net>
86182
86183 include/net/secure_seq.h | 1 +
86184 net/core/secure_seq.c | 4 +---
86185 net/ipv4/af_inet.c | 5 ++++-
86186 3 files changed, 6 insertions(+), 4 deletions(-)
86187
86188commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
86189Author: Daniel Borkmann <dborkman@redhat.com>
86190Date: Wed May 1 02:59:23 2013 +0000
86191
86192 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
86193
86194 net: sctp: attribute printl with __printf for gcc fmt checks
86195
86196 Let GCC check for format string errors in sctp's probe printl
86197 function. This patch fixes the warning when compiled with W=1:
86198
86199 net/sctp/probe.c:73:2: warning: function might be possible candidate
86200 for 'gnu_printf' format attribute [-Wmissing-format-attribute]
86201
86202 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
86203 Signed-off-by: David S. Miller <davem@davemloft.net>
86204
86205 net/sctp/probe.c | 2 +-
86206 1 files changed, 1 insertions(+), 1 deletions(-)
86207
86208commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
86209Author: Brad Spengler <spender@grsecurity.net>
86210Date: Thu May 2 19:58:54 2013 -0400
86211
86212 remove no-longer-needed vmware 8 compat fix
86213
86214 mm/page_alloc.c | 6 ------
86215 1 files changed, 0 insertions(+), 6 deletions(-)
86216
86217commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
86218Author: Brad Spengler <spender@grsecurity.net>
86219Date: Thu May 2 19:55:23 2013 -0400
86220
86221 remove unnecessary < 0 check
86222
86223 net/phonet/af_phonet.c | 2 +-
86224 1 files changed, 1 insertions(+), 1 deletions(-)
86225
86226commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
86227Author: Brad Spengler <spender@grsecurity.net>
86228Date: Wed May 1 18:30:48 2013 -0400
86229
86230 remove references to CONFIG_X86_WP_WORKS_OK
86231
86232 arch/um/defconfig | 1 -
86233 security/Kconfig | 2 +-
86234 2 files changed, 1 insertions(+), 2 deletions(-)
86235
86236commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
86237Merge: a8dbe8e 6c850d8
86238Author: Brad Spengler <spender@grsecurity.net>
86239Date: Wed May 1 18:28:44 2013 -0400
86240
86241 Merge branch 'pax-test' into grsec-test
86242
86243 Conflicts:
86244 arch/sparc/mm/ultra.S
86245 drivers/tty/tty_io.c
86246
86247commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
86248Merge: cdbcbef 9fa1d01
86249Author: Brad Spengler <spender@grsecurity.net>
86250Date: Wed May 1 18:25:18 2013 -0400
86251
86252 Merge branch 'linux-3.8.y' into pax-test
86253
86254commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
86255Author: Brad Spengler <spender@grsecurity.net>
86256Date: Mon Apr 29 18:44:23 2013 -0400
86257
86258 add module.h to silence compiler warning, thanks to
86259 Sergei Trofimovich
86260
86261 fs/btrfs/inode.c | 1 +
86262 1 files changed, 1 insertions(+), 0 deletions(-)
86263
86264commit 55eba82aca97aa56378e000840c48965557721e8
86265Author: Brad Spengler <spender@grsecurity.net>
86266Date: Mon Apr 29 18:43:03 2013 -0400
86267
86268 compilation fix
86269
86270 kernel/trace/trace.h | 2 +-
86271 1 files changed, 1 insertions(+), 1 deletions(-)
86272
86273commit e3bf912b54af6df7fbebc68b5999554562056c5c
86274Merge: 5b72e37 cdbcbef
86275Author: Brad Spengler <spender@grsecurity.net>
86276Date: Mon Apr 29 18:34:42 2013 -0400
86277
86278 Merge branch 'pax-test' into grsec-test
86279
86280commit cdbcbef45c4f003cbee11e10668a35d424c17c60
86281Author: Brad Spengler <spender@grsecurity.net>
86282Date: Mon Apr 29 18:33:35 2013 -0400
86283
86284 Update to pax-linux-3.8.10-test21.patch:
86285 - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
86286 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
86287 note that the false positive is not fixed yet
86288 - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
86289 - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
86290 - reverted the nested NMI fix in search for a real one
86291 - simplified the arm_delay_ops constification
86292
86293 arch/arm/include/asm/delay.h | 8 ++++----
86294 arch/arm/lib/delay.c | 17 +++++------------
86295 arch/x86/kernel/entry_64.S | 11 ++++++++++-
86296 arch/x86/kernel/i8259.c | 2 +-
86297 arch/x86/kernel/pci-calgary_64.c | 2 +-
86298 arch/x86/kvm/vmx.c | 4 ++--
86299 drivers/block/pktcdvd.c | 2 +-
86300 fs/btrfs/extent-tree.c | 2 +-
86301 fs/nfsd/nfscache.c | 6 ++++--
86302 kernel/trace/trace.c | 2 +-
86303 tools/gcc/structleak_plugin.c | 4 ++++
86304 11 files changed, 34 insertions(+), 26 deletions(-)
86305
86306commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
86307Author: Brad Spengler <spender@grsecurity.net>
86308Date: Fri Apr 26 20:53:06 2013 -0400
86309
86310 don't use file_inode()
86311
86312 drivers/tty/tty_io.c | 2 +-
86313 1 files changed, 1 insertions(+), 1 deletions(-)
86314
86315commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
86316Author: Jiri Slaby <jslaby@suse.cz>
86317Date: Fri Apr 26 13:48:53 2013 +0200
86318
86319 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
86320
86321 TTY: fix atime/mtime regression
86322
86323 In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
86324 we removed timestamps from tty inodes to fix a security issue and waited
86325 if something breaks. Well, 'w', the utility to find out logged users
86326 and their inactivity time broke. It shows that users are inactive since
86327 the time they logged in.
86328
86329 To revert to the old behaviour while still preventing attackers to
86330 guess the password length, we update the timestamps in one-minute
86331 intervals by this patch.
86332
86333 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
86334 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
86335 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
86336
86337 Conflicts:
86338
86339 drivers/tty/tty_io.c
86340
86341 drivers/tty/tty_io.c | 15 ++++++++++++++-
86342 1 files changed, 14 insertions(+), 1 deletions(-)
86343
86344commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
86345Author: Jiri Slaby <jslaby@suse.cz>
86346Date: Fri Feb 15 15:25:05 2013 +0100
86347
86348 Upstream commit: b0de59b5733d
86349
86350 TTY: do not update atime/mtime on read/write
86351
86352 On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
86353 out length of a password using timestamps of /dev/ptmx. It is
86354 documented in "Timing Analysis of Keystrokes and Timing Attacks on
86355 SSH". To avoid that problem, do not update time when reading
86356 from/writing to a TTY.
86357
86358 I am afraid of regressions as this is a behavior we have since 0.97
86359 and apps may expect the time to be current, e.g. for monitoring
86360 whether there was a change on the TTY. Now, there is no change. So
86361 this would better have a lot of testing before it goes upstream.
86362
86363 References: CVE-2013-0160
86364
86365 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
86366 Cc: stable <stable@vger.kernel.org> # after 3.9 is out
86367 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
86368
86369 drivers/tty/tty_io.c | 8 ++------
86370 1 files changed, 2 insertions(+), 6 deletions(-)
86371
86372commit 5344a24e2320d61dbdb88aae04922f0799deefd0
86373Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
86374Date: Fri Apr 26 11:03:53 2013 +0800
86375
86376 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
86377
86378 aio: fix possible invalid memory access when DEBUG is enabled
86379
86380 dprintk() shouldn't access @ring after it's unmapped.
86381
86382 Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
86383 Cc: stable@vger.kernel.org
86384 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
86385
86386 fs/aio.c | 2 +-
86387 1 files changed, 1 insertions(+), 1 deletions(-)
86388
86389commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
86390Author: John David Anglin <dave.anglin@bell.net>
86391Date: Tue Apr 23 22:42:07 2013 +0200
86392
86393 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
86394
86395 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
86396
86397 User applications running on SMP kernels have long suffered from instability
86398 and random segmentation faults. This patch improves the situation although
86399 there is more work to be done.
86400
86401 One of the problems is the various routines in pgtable.h that update page table
86402 entries use different locking mechanisms, or no lock at all (set_pte_at). This
86403 change modifies the routines to all use the same lock pa_dbit_lock. This lock
86404 is used for dirty bit updates in the interruption code. The patch also purges
86405 the TLB entries associated with the PTE to ensure that inconsistent values are
86406 not used after the page table entry is updated. The UP and SMP code are now
86407 identical.
86408
86409 The change also includes a minor update to the purge_tlb_entries function in
86410 cache.c to improve its efficiency.
86411
86412 Signed-off-by: John David Anglin <dave.anglin@bell.net>
86413 Cc: Helge Deller <deller@gmx.de>
86414 Signed-off-by: Helge Deller <deller@gmx.de>
86415
86416 arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
86417 arch/parisc/kernel/cache.c | 5 +---
86418 2 files changed, 26 insertions(+), 26 deletions(-)
86419
86420commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
86421Merge: ba54c97 4d05084
86422Author: Brad Spengler <spender@grsecurity.net>
86423Date: Fri Apr 26 18:17:20 2013 -0400
86424
86425 Merge branch 'pax-test' into grsec-test
86426
86427 Conflicts:
86428 arch/x86/kvm/x86.c
86429 include/linux/capability.h
86430
86431commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
86432Merge: c664779 bb8dd67
86433Author: Brad Spengler <spender@grsecurity.net>
86434Date: Fri Apr 26 18:15:45 2013 -0400
86435
86436 Merge branch 'linux-3.8.y' into pax-test
86437
86438commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
86439Author: David S. Miller <davem@davemloft.net>
86440Date: Wed Apr 24 16:52:18 2013 -0700
86441
86442 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
86443
86444 sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
86445
86446 Reported-by: Meelis Roos <mroos@linux.ee>
86447 Signed-off-by: David S. Miller <davem@davemloft.net>
86448
86449 arch/sparc/mm/tlb.c | 3 ++-
86450 1 files changed, 2 insertions(+), 1 deletions(-)
86451
86452commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
86453Author: David S. Miller <davem@davemloft.net>
86454Date: Fri Apr 19 17:26:26 2013 -0400
86455
86456 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
86457
86458 sparc64: Fix race in TLB batch processing.
86459
86460 As reported by Dave Kleikamp, when we emit cross calls to do batched
86461 TLB flush processing we have a race because we do not synchronize on
86462 the sibling cpus completing the cross call.
86463
86464 So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
86465 and either flushes are missed or flushes will flush the wrong
86466 addresses.
86467
86468 Fix this by using generic infrastructure to synchonize on the
86469 completion of the cross call.
86470
86471 This first required getting the flush_tlb_pending() call out from
86472 switch_to() which operates with locks held and interrupts disabled.
86473 The problem is that smp_call_function_many() cannot be invoked with
86474 IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
86475
86476 We get the batch processing outside of locked IRQ disabled sections by
86477 using some ideas from the powerpc port. Namely, we only batch inside
86478 of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
86479 region, we flush TLBs synchronously.
86480
86481 1) Get rid of xcall_flush_tlb_pending and per-cpu type
86482 implementations.
86483
86484 2) Do TLB batch cross calls instead via:
86485
86486 smp_call_function_many()
86487 tlb_pending_func()
86488 __flush_tlb_pending()
86489
86490 3) Batch only in lazy mmu sequences:
86491
86492 a) Add 'active' member to struct tlb_batch
86493 b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
86494 c) Set 'active' in arch_enter_lazy_mmu_mode()
86495 d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
86496 e) Check 'active' in tlb_batch_add_one() and do a synchronous
86497 flush if it's clear.
86498
86499 4) Add infrastructure for synchronous TLB page flushes.
86500
86501 a) Implement __flush_tlb_page and per-cpu variants, patch
86502 as needed.
86503 b) Likewise for xcall_flush_tlb_page.
86504 c) Implement smp_flush_tlb_page() to invoke the cross-call.
86505 d) Wire up global_flush_tlb_page() to the right routine based
86506 upon CONFIG_SMP
86507
86508 5) It turns out that singleton batches are very common, 2 out of every
86509 3 batch flushes have only a single entry in them.
86510
86511 The batch flush waiting is very expensive, both because of the poll
86512 on sibling cpu completeion, as well as because passing the tlb batch
86513 pointer to the sibling cpus invokes a shared memory dereference.
86514
86515 Therefore, in flush_tlb_pending(), if there is only one entry in
86516 the batch perform a completely asynchronous global_flush_tlb_page()
86517 instead.
86518
86519 Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
86520 Signed-off-by: David S. Miller <davem@davemloft.net>
86521 Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
86522
86523 arch/sparc/include/asm/pgtable_64.h | 1 +
86524 arch/sparc/include/asm/switch_to_64.h | 3 +-
86525 arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
86526 arch/sparc/kernel/smp_64.c | 41 ++++++++++-
86527 arch/sparc/mm/tlb.c | 38 +++++++++-
86528 arch/sparc/mm/tsb.c | 57 ++++++++++++----
86529 arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
86530 7 files changed, 241 insertions(+), 55 deletions(-)
86531
86532commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
86533Author: Linus Torvalds <torvalds@linux-foundation.org>
86534Date: Fri Apr 19 15:32:32 2013 +0000
86535
86536 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
86537
86538 net: fix incorrect credentials passing
86539
86540 Commit 257b5358b32f ("scm: Capture the full credentials of the scm
86541 sender") changed the credentials passing code to pass in the effective
86542 uid/gid instead of the real uid/gid.
86543
86544 Obviously this doesn't matter most of the time (since normally they are
86545 the same), but it results in differences for suid binaries when the wrong
86546 uid/gid ends up being used.
86547
86548 This just undoes that (presumably unintentional) part of the commit.
86549
86550 Reported-by: Andy Lutomirski <luto@amacapital.net>
86551 Cc: Eric W. Biederman <ebiederm@xmission.com>
86552 Cc: Serge E. Hallyn <serge@hallyn.com>
86553 Cc: David S. Miller <davem@davemloft.net>
86554 Cc: stable@vger.kernel.org
86555 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
86556 Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
86557 Signed-off-by: David S. Miller <davem@davemloft.net>
86558
86559 include/net/scm.h | 4 ++--
86560 1 files changed, 2 insertions(+), 2 deletions(-)
86561
86562commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
86563Author: Brad Spengler <spender@grsecurity.net>
86564Date: Thu Apr 18 19:22:40 2013 -0400
86565
86566 move _etext to only cover kernel code, not read-only data, as reported by Gu1
86567
86568 arch/arm/kernel/vmlinux.lds.S | 4 ++--
86569 1 files changed, 2 insertions(+), 2 deletions(-)
86570
86571commit 98ad6adbc48759e4f9eae435d3e51ba487155685
86572Author: Brad Spengler <spender@grsecurity.net>
86573Date: Thu Apr 18 19:17:24 2013 -0400
86574
86575 add asm/sections.h for USERCOPY change
86576
86577 fs/exec.c | 1 +
86578 1 files changed, 1 insertions(+), 0 deletions(-)
86579
86580commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
86581Author: Dmitry Popov <dp@highloadlab.com>
86582Date: Thu Apr 11 08:55:07 2013 +0000
86583
86584 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
86585
86586 tcp: incoming connections might use wrong route under synflood
86587
86588 There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
86589 flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
86590 RT_SCOPE_UNIVERSE, IPPROTO_TCP,
86591 inet_sk_flowi_flags(sk),
86592 (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
86593 ireq->loc_addr, th->source, th->dest);
86594
86595 Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
86596 taken. This dst_entry is used by new socket (get_cookie_sock ->
86597 tcp_v4_syn_recv_sock), so its packets may take the wrong path.
86598
86599 Signed-off-by: Dmitry Popov <dp@highloadlab.com>
86600 Signed-off-by: David S. Miller <davem@davemloft.net>
86601
86602 net/ipv4/syncookies.c | 4 ++--
86603 1 files changed, 2 insertions(+), 2 deletions(-)
86604
86605commit 3600395e8fef3ae712e72f9b68c3609639616df8
86606Author: Thomas Graf <tgraf@suug.ch>
86607Date: Thu Apr 11 10:57:18 2013 +0000
86608
86609 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
86610
86611 tcp: Reallocate headroom if it would overflow csum_start
86612
86613 If a TCP retransmission gets partially ACKed and collapsed multiple
86614 times it is possible for the headroom to grow beyond 64K which will
86615 overflow the 16bit skb->csum_start which is based on the start of
86616 the headroom. It has been observed rarely in the wild with IPoIB due
86617 to the 64K MTU.
86618
86619 Verify if the acking and collapsing resulted in a headroom exceeding
86620 what csum_start can cover and reallocate the headroom if so.
86621
86622 A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
86623 LLNL for helping out with the investigation and testing.
86624
86625 Reported-by: Jim Foraker <foraker1@llnl.gov>
86626 Signed-off-by: Thomas Graf <tgraf@suug.ch>
86627 Acked-by: Eric Dumazet <edumazet@google.com>
86628 Signed-off-by: David S. Miller <davem@davemloft.net>
86629
86630 net/ipv4/tcp_output.c | 8 ++++++--
86631 1 files changed, 6 insertions(+), 2 deletions(-)
86632
86633commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
86634Author: Ivan Vecera <ivecera@redhat.com>
86635Date: Fri Apr 12 16:49:24 2013 +0200
86636
86637 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
86638
86639 be2net: take care of __vlan_put_tag return value
86640
86641 The driver should use return value of __vlan_put_tag with appropriate
86642 NULL-check instead of old skb pointer.
86643
86644 Signed-off-by: Ivan Vecera <ivecera@redhat.com>
86645 Signed-off-by: David S. Miller <davem@davemloft.net>
86646
86647 drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
86648 1 files changed, 3 insertions(+), 2 deletions(-)
86649
86650commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
86651Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
86652Date: Fri Apr 12 03:17:12 2013 +0000
86653
86654 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
86655
86656 tuntap: fix error return code in tun_set_iff()
86657
86658 Fix to return a negative error code from the error handling
86659 case instead of 0, as returned elsewhere in this function.
86660
86661 [ Bug added in linux-3.8 , commit 4008e97f866db665
86662 ("tuntap: fix ambigious multiqueue API") ]
86663
86664 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
86665 Acked-by: Eric Dumazet <edumazet@google.com>
86666 Signed-off-by: David S. Miller <davem@davemloft.net>
86667
86668 drivers/net/tun.c | 2 +-
86669 1 files changed, 1 insertions(+), 1 deletions(-)
86670
86671commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
86672Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
86673Date: Sat Apr 13 15:49:03 2013 +0000
86674
86675 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
86676
86677 esp4: fix error return code in esp_output()
86678
86679 Fix to return a negative error code from the error handling
86680 case instead of 0, as returned elsewhere in this function.
86681
86682 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
86683 Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
86684 Signed-off-by: David S. Miller <davem@davemloft.net>
86685
86686 net/ipv4/esp4.c | 6 +++---
86687 1 files changed, 3 insertions(+), 3 deletions(-)
86688
86689commit 2b45b5f52c2a8930f80c62de392a62516c83e225
86690Author: Bjørn Mork <bjorn@mork.no>
86691Date: Tue Apr 16 00:17:07 2013 +0000
86692
86693 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
86694
86695 net: cdc_mbim: remove bogus sizeof()
86696
86697 The intention was to test against the constant, not the size of
86698 the constant.
86699
86700 Signed-off-by: Bjørn Mork <bjorn@mork.no>
86701 Signed-off-by: David S. Miller <davem@davemloft.net>
86702
86703 drivers/net/usb/cdc_mbim.c | 2 +-
86704 1 files changed, 1 insertions(+), 1 deletions(-)
86705
86706commit 17d7408795519037a5a1272c7888238e20830bfe
86707Author: Vyacheslav Dubeyko <slava@dubeyko.com>
86708Date: Wed Apr 17 15:58:33 2013 -0700
86709
86710 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
86711
86712 hfsplus: fix potential overflow in hfsplus_file_truncate()
86713
86714 Change a u32 to loff_t hfsplus_file_truncate().
86715
86716 Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
86717 Cc: Christoph Hellwig <hch@infradead.org>
86718 Cc: Al Viro <viro@zeniv.linux.org.uk>
86719 Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
86720 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
86721 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
86722
86723 fs/hfsplus/extents.c | 2 +-
86724 1 files changed, 1 insertions(+), 1 deletions(-)
86725
86726commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
86727Author: Emese Revfy <re.emese@gmail.com>
86728Date: Wed Apr 17 15:58:36 2013 -0700
86729
86730 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
86731
86732 kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
86733
86734 This fixes a kernel memory contents leak via the tkill and tgkill syscalls
86735 for compat processes.
86736
86737 This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
86738 when handling signals delivered from tkill.
86739
86740 The place of the infoleak:
86741
86742 int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
86743 {
86744 ...
86745 put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
86746 ...
86747 }
86748
86749 Signed-off-by: Emese Revfy <re.emese@gmail.com>
86750 Reviewed-by: PaX Team <pageexec@freemail.hu>
86751 Signed-off-by: Kees Cook <keescook@chromium.org>
86752 Cc: Al Viro <viro@zeniv.linux.org.uk>
86753 Cc: Oleg Nesterov <oleg@redhat.com>
86754 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
86755 Cc: Serge Hallyn <serge.hallyn@canonical.com>
86756 Cc: <stable@vger.kernel.org>
86757 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
86758 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
86759
86760 kernel/signal.c | 2 +-
86761 1 files changed, 1 insertions(+), 1 deletions(-)
86762
86763commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
86764Author: Brad Spengler <spender@grsecurity.net>
86765Date: Wed Apr 17 20:17:00 2013 -0400
86766
86767 Improve PAX_USERCOPY to reject direct copies to/from main kernel text
86768
86769 fs/exec.c | 29 +++++++++++++++++++++++++++--
86770 1 files changed, 27 insertions(+), 2 deletions(-)
86771
86772commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
86773Merge: e87c19f c664779
86774Author: Brad Spengler <spender@grsecurity.net>
86775Date: Wed Apr 17 20:06:08 2013 -0400
86776
86777 Merge branch 'pax-test' into grsec-test
86778
86779commit c664779987cb0c27a242029f0e0db812e3236203
86780Author: Brad Spengler <spender@grsecurity.net>
86781Date: Wed Apr 17 19:54:09 2013 -0400
86782
86783 add intentional_overflow marking for resource_size() as reasoned by:
86784 http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
86785
86786 include/linux/ioport.h | 2 +-
86787 1 files changed, 1 insertions(+), 1 deletions(-)
86788
86789commit e87c19f8312355b8658e5138c16bfa6043a379c8
86790Merge: 802d119 d0c636c
86791Author: Brad Spengler <spender@grsecurity.net>
86792Date: Wed Apr 17 16:57:12 2013 -0400
86793
86794 Merge branch 'pax-test' into grsec-test
86795
86796commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
86797Merge: bc88628 2396403
86798Author: Brad Spengler <spender@grsecurity.net>
86799Date: Wed Apr 17 16:57:01 2013 -0400
86800
86801 Merge branch 'linux-3.8.y' into pax-test
86802
86803 Conflicts:
86804 arch/x86/kernel/paravirt.c
86805
86806commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
86807Author: Brad Spengler <spender@grsecurity.net>
86808Date: Sun Apr 14 21:39:51 2013 -0400
86809
86810 move location of RBAC user check on setfsuid until after capability checks
86811 for consistency with other checks
86812
86813 kernel/sys.c | 6 +++---
86814 1 files changed, 3 insertions(+), 3 deletions(-)
86815
86816commit 1a860d7d67051559ab2e6d10f9888649c92904e6
86817Author: Brad Spengler <spender@grsecurity.net>
86818Date: Sun Apr 14 21:34:46 2013 -0400
86819
86820 A denied setfsuid by the RBAC system would result in an abort_creds() being called
86821 with an uninitalized pointer, introduced by a bad forward-port
86822
86823 kernel/sys.c | 6 +++---
86824 1 files changed, 3 insertions(+), 3 deletions(-)
86825
86826commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
86827Merge: c38d142 bc88628
86828Author: Brad Spengler <spender@grsecurity.net>
86829Date: Sun Apr 14 21:28:33 2013 -0400
86830
86831 Merge branch 'pax-test' into grsec-test
86832
86833 Conflicts:
86834 security/Kconfig
86835
86836commit bc88628a6a8fcccaabb90908640809b0540df225
86837Author: Brad Spengler <spender@grsecurity.net>
86838Date: Sun Apr 14 21:26:41 2013 -0400
86839
86840 Update to pax-linux-3.8.7-test20.patch:
86841 - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
86842 - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
86843 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
86844 - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
86845
86846 arch/powerpc/include/asm/smp.h | 2 +-
86847 arch/x86/Kconfig | 4 ++--
86848 arch/x86/kernel/entry_64.S | 8 ++++----
86849 security/Kconfig | 2 +-
86850 4 files changed, 8 insertions(+), 8 deletions(-)
86851
86852commit c38d142744489fc4d9be80188b6435a278438fd9
86853Author: Suleiman Souhlal <suleiman@google.com>
86854Date: Sat Apr 13 16:03:06 2013 -0700
86855
86856 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
86857
86858 vfs: Revert spurious fix to spinning prevention in prune_icache_sb
86859
86860 Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
86861
86862 This commit doesn't look right: since we are looking at the tail of the
86863 list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
86864 it back at the head of the list instead of the tail, otherwise we will
86865 keep spinning on it.
86866
86867 Discovered when investigating why prune_icache_sb came top in perf
86868 reports of a swapping load.
86869
86870 Signed-off-by: Suleiman Souhlal <suleiman@google.com>
86871 Signed-off-by: Hugh Dickins <hughd@google.com>
86872 Cc: stable@vger.kernel.org # v3.2+
86873 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
86874
86875 fs/inode.c | 2 +-
86876 1 files changed, 1 insertions(+), 1 deletions(-)
86877
86878commit 93019624b80ba59798393942798d7f6ed0c1dbc6
86879Author: Linus Torvalds <torvalds@linux-foundation.org>
86880Date: Sat Apr 13 15:15:30 2013 -0700
86881
86882 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
86883
86884 kobject: fix kset_find_obj() race with concurrent last kobject_put()
86885
86886 Anatol Pomozov identified a race condition that hits module unloading
86887 and re-loading. To quote Anatol:
86888
86889 "This is a race codition that exists between kset_find_obj() and
86890 kobject_put(). kset_find_obj() might return kobject that has refcount
86891 equal to 0 if this kobject is freeing by kobject_put() in other
86892 thread.
86893
86894 Here is timeline for the crash in case if kset_find_obj() searches for
86895 an object tht nobody holds and other thread is doing kobject_put() on
86896 the same kobject:
86897
86898 THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())
86899 splin_lock()
86900 atomic_dec_return(kobj->kref), counter gets zero here
86901 ... starts kobject cleanup ....
86902 spin_lock() // WAIT thread A in kobj_kset_leave()
86903 iterate over kset->list
86904 atomic_inc(kobj->kref) (counter becomes 1)
86905 spin_unlock()
86906 spin_lock() // taken
86907 // it does not know that thread A increased counter so it
86908 remove obj from list
86909 spin_unlock()
86910 vfree(module) // frees module object with containing kobj
86911
86912 // kobj points to freed memory area!!
86913 kobject_put(kobj) // OOPS!!!!
86914
86915 The race above happens because module.c tries to use kset_find_obj()
86916 when somebody unloads module. The module.c code was introduced in
86917 commit 6494a93d55fa"
86918
86919 Anatol supplied a patch specific for module.c that worked around the
86920 problem by simply not using kset_find_obj() at all, but rather than make
86921 a local band-aid, this just fixes kset_find_obj() to be thread-safe
86922 using the proper model of refusing the get a new reference if the
86923 refcount has already dropped to zero.
86924
86925 See examples of this proper refcount handling not only in the kref
86926 documentation, but in various other equivalent uses of this pattern by
86927 grepping for atomic_inc_not_zero().
86928
86929 [ Side note: the module race does indicate that module loading and
86930 unloading is not properly serialized wrt sysfs information using the
86931 module mutex. That may require further thought, but this is the
86932 correct fix at the kobject layer regardless. ]
86933
86934 Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
86935 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
86936 Cc: Al Viro <viro@zeniv.linux.org.uk>
86937 Cc: stable@vger.kernel.org
86938 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
86939
86940 lib/kobject.c | 9 ++++++++-
86941 1 files changed, 8 insertions(+), 1 deletions(-)
86942
86943commit 5277b052b5fab36729e1255fb3b12f47a4b12867
86944Author: Dave Hansen <dave@sr71.net>
86945Date: Fri Apr 12 16:23:54 2013 -0700
86946
86947 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
86948
86949 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
86950
86951 This patch attempts to fix:
86952
86953 https://bugzilla.kernel.org/show_bug.cgi?id=56461
86954
86955 The symptom is a crash and messages like this:
86956
86957 chrome: Corrupted page table at address 34a03000
86958 *pdpt = 0000000000000000 *pde = 0000000000000000
86959 Bad pagetable: 000f [#1] PREEMPT SMP
86960
86961 Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
86962 enable tlb flush range support for x86") since that code started to free
86963 unused pagetables.
86964
86965 On x86-32 PAE kernels, that new code has the potential to free an entire
86966 PMD page and will clear one of the four page-directory-pointer-table
86967 (aka pgd_t entries).
86968
86969 The hardware aggressively "caches" these top-level entries and invlpg
86970 does not actually affect the CPU's copy. If we clear one we *HAVE* to
86971 do a full TLB flush, otherwise we might continue using a freed pmd page.
86972 (note, we do this properly on the population side in pud_populate()).
86973
86974 This patch tracks whenever we clear one of these entries in the 'struct
86975 mmu_gather', and ensures that we follow up with a full tlb flush.
86976
86977 BTW, I disassembled and checked that:
86978
86979 if (tlb->fullmm == 0)
86980 and
86981 if (!tlb->fullmm && !tlb->need_flush_all)
86982
86983 generate essentially the same code, so there should be zero impact there
86984 to the !PAE case.
86985
86986 Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
86987 Cc: Peter Anvin <hpa@zytor.com>
86988 Cc: Ingo Molnar <mingo@kernel.org>
86989 Cc: Artem S Tashkinov <t.artem@mailcity.com>
86990 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
86991
86992 arch/x86/include/asm/tlb.h | 2 +-
86993 arch/x86/mm/pgtable.c | 7 +++++++
86994 include/asm-generic/tlb.h | 7 ++++++-
86995 mm/memory.c | 1 +
86996 4 files changed, 15 insertions(+), 2 deletions(-)
86997
86998commit 521e573fc77d1783c1d4636dfbb4617a922f043d
86999Merge: 032f626 f807619
87000Author: Brad Spengler <spender@grsecurity.net>
87001Date: Fri Apr 12 19:29:34 2013 -0400
87002
87003 Merge branch 'pax-test' into grsec-test
87004
87005commit f80761993b85df96fc142dfc3a317cadc0f8eae5
87006Author: Brad Spengler <spender@grsecurity.net>
87007Date: Fri Apr 12 19:28:21 2013 -0400
87008
87009 Update to pax-linux-3.8.7-test19.patch:
87010 - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
87011 - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
87012 - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
87013
87014 Makefile | 2 +-
87015 arch/x86/xen/enlighten.c | 6 +++---
87016 tools/gcc/structleak_plugin.c | 5 +++--
87017 3 files changed, 7 insertions(+), 6 deletions(-)
87018
87019commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
87020Merge: a3a770e 89886f5
87021Author: Brad Spengler <spender@grsecurity.net>
87022Date: Fri Apr 12 18:38:40 2013 -0400
87023
87024 Merge branch 'pax-test' into grsec-test
87025
87026commit 89886f561cc0d1c42a99624ec8c3704711088155
87027Merge: 9123489 531ec28
87028Author: Brad Spengler <spender@grsecurity.net>
87029Date: Fri Apr 12 18:38:30 2013 -0400
87030
87031 Merge branch 'linux-3.8.y' into pax-test
87032
87033commit a3a770e18578841e4fbe2aa0831a22811b4812cf
87034Author: Brad Spengler <spender@grsecurity.net>
87035Date: Thu Apr 11 20:46:20 2013 -0400
87036
87037 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
87038 Will be fixed with the next PaX patch
87039
87040 This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
87041
87042 security/Kconfig | 2 +-
87043 1 files changed, 1 insertions(+), 1 deletions(-)
87044
87045commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
87046Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
87047Date: Fri Mar 29 10:20:56 2013 -0400
87048
87049 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
87050
87051 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
87052
87053 Occassionaly on a DL380 G4 the guest would crash quite early with this:
87054
87055 (XEN) d244:v0: unhandled page fault (ec=0003)
87056 (XEN) Pagetable walk from ffffffff84dc7000:
87057 (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
87058 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
87059 (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
87060 (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
87061 (XEN) domain_crash_sync called from entry.S
87062 (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
87063 (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
87064 (XEN) CPU: 3
87065 (XEN) RIP: e033:[<ffffffff81263f22>]
87066 (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
87067 (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
87068 (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
87069
87070 The offending code shows it to be a loop writting the value zero
87071 (%rax) in the %rdi (the L4 provided by Xen) register:
87072
87073 0: 44 00 00 add %r8b,(%rax)
87074 3: 31 c0 xor %eax,%eax
87075 5: b9 40 00 00 00 mov $0x40,%ecx
87076 a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
87077 11: 00 00
87078 13: ff c9 dec %ecx
87079 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
87080 18: 48 89 47 08 mov %rax,0x8(%rdi)
87081 1c: 48 89 47 10 mov %rax,0x10(%rdi)
87082
87083 which fails. xen_setup_kernel_pagetable recycles some of the Xen's
87084 page-table entries when it has switched over to its Linux page-tables.
87085
87086 Right before try to clear the page, we make a hypercall to change
87087 it from _RO to _RW and that works (otherwise we would hit an BUG()).
87088 And the _RW flag is set for that page:
87089 (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
87090
87091 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
87092 present (correct), and we tried to write to the page, but a violation
87093 occurred. The one theory is that the the page entries in hardware
87094 (which are cached) are not up to date with what we just set. Especially
87095 as we have just done an CR3 write and flushed the multicalls.
87096
87097 This patch does solve the problem by flusing out the TLB page
87098 entry after changing it from _RO to _RW and we don't hit this
87099 issue anymore.
87100
87101 Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
87102 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
87103 Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
87104 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
87105
87106 arch/x86/xen/mmu.c | 12 ++++++++----
87107 1 files changed, 8 insertions(+), 4 deletions(-)
87108
87109commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
87110Author: Namhyung Kim <namhyung.kim@lge.com>
87111Date: Mon Apr 1 21:46:23 2013 +0900
87112
87113 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
87114
87115 tracing: Fix double free when function profile init failed
87116
87117 On the failure path, stat->start and stat->pages will refer same page.
87118 So it'll attempt to free the same page again and get kernel panic.
87119
87120 Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
87121
87122 Cc: Frederic Weisbecker <fweisbec@gmail.com>
87123 Cc: Namhyung Kim <namhyung.kim@lge.com>
87124 Cc: stable@vger.kernel.org
87125 Signed-off-by: Namhyung Kim <namhyung@kernel.org>
87126 Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
87127
87128 kernel/trace/ftrace.c | 1 -
87129 1 files changed, 0 insertions(+), 1 deletions(-)
87130
87131commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
87132Author: Neil Horman <nhorman@tuxdriver.com>
87133Date: Tue Apr 9 23:19:00 2013 +0000
87134
87135 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
87136
87137 e100: Add dma mapping error check
87138
87139 e100 uses pci_map_single, but fails to check for a dma mapping error after its
87140 use, resulting in a stack trace:
87141
87142 [ 46.656594] ------------[ cut here ]------------
87143 [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
87144 [ 46.657004] Hardware name: To Be Filled By O.E.M.
87145 [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
87146 error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
87147 [ 46.657004] Modules linked in:
87148 [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
87149 snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
87150 e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
87151 k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
87152 sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
87153 drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
87154 sata_promise crc_itu_t
87155 [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
87156 [ 46.657004] Call Trace:
87157 [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
87158 [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
87159 [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
87160 [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
87161 [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
87162 [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
87163 [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
87164 [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
87165 [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
87166 [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
87167 [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
87168 [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
87169 [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
87170 [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
87171 [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
87172 [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
87173 _raw_spin_unlock_irqrestore+0x3b/0x70
87174 [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
87175 [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
87176 [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
87177 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
87178 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
87179 [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
87180 [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
87181 [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
87182 [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
87183 [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
87184 [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
87185 [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
87186 [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
87187 [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
87188 [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
87189 [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
87190 [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
87191 [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
87192 [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
87193 [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
87194 [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
87195 [ 46.657004] Mapped at:
87196 [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
87197 [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
87198 [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
87199 [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
87200 [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
87201
87202 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
87203 dma_mapping_error check in the obvious place
87204
87205 This was reported previously here:
87206 http://article.gmane.org/gmane.linux.network/257893
87207
87208 But nobody stepped up and fixed it.
87209
87210 CC: Josh Boyer <jwboyer@redhat.com>
87211 CC: e1000-devel@lists.sourceforge.net
87212 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
87213 Reported-by: Michal Jaegermann <michal@harddata.com>
87214 Tested-by: Aaron Brown <aaron.f.brown@intel.com>
87215 Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
87216 Signed-off-by: David S. Miller <davem@davemloft.net>
87217
87218 drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
87219 1 files changed, 25 insertions(+), 11 deletions(-)
87220
87221commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
87222Author: Trond Myklebust <Trond.Myklebust@netapp.com>
87223Date: Wed Apr 10 12:44:18 2013 -0400
87224
87225 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
87226
87227 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
87228
87229 Make sure that we set the status to 0 on success. Missed in testing
87230 because it never appears when doing multiple mounts to _different_
87231 servers.
87232
87233 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
87234 Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
87235
87236 fs/nfs/nfs4client.c | 1 +
87237 1 files changed, 1 insertions(+), 0 deletions(-)
87238
87239commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
87240Author: Yuval Mintz <yuvalmin@broadcom.com>
87241Date: Wed Apr 10 13:34:39 2013 +0300
87242
87243 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
87244
87245 bnx2x: Prevent null pointer dereference in AFEX mode
87246
87247 The cnic module is responsible for initializing various bnx2x structs
87248 via callbacks provided by the bnx2x module.
87249 One such struct is the queue object for the FCoE queue.
87250
87251 If a device is working in AFEX mode and its configuration allows FCoE yet
87252 the cnic module is not loaded, it's very likely a null pointer dereference
87253 will occur, as the bnx2x will erroneously access the FCoE's queue object.
87254
87255 Prevent said access until cnic properly registers itself.
87256
87257 Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
87258 Signed-off-by: Ariel Elior <ariele@broadcom.com>
87259 Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
87260 Signed-off-by: David S. Miller <davem@davemloft.net>
87261
87262 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
87263 1 files changed, 2 insertions(+), 1 deletions(-)
87264
87265commit 2908830232725db624aaa052f7ad38d1f98bf541
87266Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
87267Date: Tue Apr 9 14:16:04 2013 +0800
87268
87269 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
87270
87271 can: gw: use kmem_cache_free() instead of kfree()
87272
87273 Memory allocated by kmem_cache_alloc() should be freed using
87274 kmem_cache_free(), not kfree().
87275
87276 Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
87277 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
87278 Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
87279 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
87280
87281 net/can/gw.c | 6 +++---
87282 1 files changed, 3 insertions(+), 3 deletions(-)
87283
87284commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
87285Author: Christoph Paasch <christoph.paasch@uclouvain.be>
87286Date: Sun Apr 7 04:53:15 2013 +0000
87287
87288 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
87289
87290 ipv6/tcp: Stop processing ICMPv6 redirect messages
87291
87292 Tetja Rediske found that if the host receives an ICMPv6 redirect message
87293 after sending a SYN+ACK, the connection will be reset.
87294
87295 He bisected it down to 093d04d (ipv6: Change skb->data before using
87296 icmpv6_notify() to propagate redirect), but the origin of the bug comes
87297 from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
87298 handlers.). The bug simply did not trigger prior to 093d04d, because
87299 skb->data did not point to the inner IP header and thus icmpv6_notify
87300 did not call the correct err_handler.
87301
87302 This patch adds the missing "goto out;" in tcp_v6_err. After receiving
87303 an ICMPv6 Redirect, we should not continue processing the ICMP in
87304 tcp_v6_err, as this may trigger the removal of request-socks or setting
87305 sk_err(_soft).
87306
87307 Reported-by: Tetja Rediske <tetja@tetja.de>
87308 Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
87309 Acked-by: Eric Dumazet <edumazet@google.com>
87310 Signed-off-by: David S. Miller <davem@davemloft.net>
87311
87312 net/ipv6/tcp_ipv6.c | 1 +
87313 1 files changed, 1 insertions(+), 0 deletions(-)
87314
87315commit c7d5c2524456ef3ea9194840e7a9a75069a46824
87316Author: Brad Spengler <spender@grsecurity.net>
87317Date: Wed Apr 10 20:32:54 2013 -0400
87318
87319 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
87320
87321 Makefile | 2 +-
87322 1 files changed, 1 insertions(+), 1 deletions(-)
87323
87324commit acac2380fd97acee4367d2aa24c74322dcf1d22b
87325Author: Trond Myklebust <Trond.Myklebust@netapp.com>
87326Date: Fri Apr 5 16:11:11 2013 -0400
87327
87328 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
87329
87330 NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
87331
87332 It is unsafe to use list_for_each_entry_safe() here, because
87333 when we drop the nn->nfs_client_lock, we pin the _current_ list
87334 entry and ensure that it stays in the list, but we don't do the
87335 same for the _next_ list entry. Use of list_for_each_entry() is
87336 therefore the correct thing to do.
87337
87338 Also fix the refcounting in nfs41_walk_client_list().
87339
87340 Finally, ensure that the nfs_client has finished being initialised
87341 and, in the case of NFSv4.1, that the session is set up.
87342
87343 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
87344 Cc: Chuck Lever <chuck.lever@oracle.com>
87345 Cc: Bryan Schumaker <bjschuma@netapp.com>
87346 Cc: stable@vger.kernel.org [>= 3.7]
87347
87348 fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
87349 1 files changed, 28 insertions(+), 16 deletions(-)
87350
87351commit a6cf5f387b882ac0ce655b75f623f86c075517be
87352Author: Chuck Lever <chuck.lever@oracle.com>
87353Date: Fri Mar 22 12:52:59 2013 -0400
87354
87355 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
87356
87357 SUNRPC: Remove extra xprt_put()
87358
87359 While testing error cases where rpc_new_client() fails, I saw
87360 some oopses.
87361
87362 If rpc_new_client() fails, it already invokes xprt_put(). Thus
87363 __rpc_clone_client() does not need to invoke it again.
87364
87365 Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
87366 Fri Sep 14, 2012.
87367
87368 Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
87369 Cc: stable@vger.kernel.org [>=3.7]
87370 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
87371
87372 net/sunrpc/clnt.c | 4 +---
87373 1 files changed, 1 insertions(+), 3 deletions(-)
87374
87375commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
87376Author: Trond Myklebust <Trond.Myklebust@netapp.com>
87377Date: Fri Apr 5 14:13:21 2013 -0400
87378
87379 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
87380
87381 SUNRPC: Fix a potential memory leak in rpc_new_client
87382
87383 If the call to rpciod_up() fails, we currently leak a reference to the
87384 struct rpc_xprt.
87385 As part of the fix, we also remove the redundant check for xprt!=NULL.
87386 This is already taken care of by the callers.
87387
87388 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
87389
87390 net/sunrpc/clnt.c | 7 ++-----
87391 1 files changed, 2 insertions(+), 5 deletions(-)
87392
87393commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
87394Author: Brad Spengler <spender@grsecurity.net>
87395Date: Wed Apr 10 19:16:05 2013 -0400
87396
87397 From https://lkml.org/lkml/2013/4/8/469:
87398 [PATCH] rtnetlink: call nlmsg_parse() with correct header length
87399
87400 net/core/rtnetlink.c | 4 ++--
87401 1 files changed, 2 insertions(+), 2 deletions(-)
87402
87403commit 9529169b8c405874fd543b785f53c74fa0501c2a
87404Author: Christopher Harvey <charvey@matrox.com>
87405Date: Fri Apr 5 10:51:15 2013 -0400
87406
87407 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
87408
87409 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
87410
87411 This change properly enables the "requester" in G200ER cards that is
87412 responsible for getting pixels out of memory and clocking them out to
87413 the screen.
87414
87415 Signed-off-by: Christopher Harvey <charvey@matrox.com>
87416 Cc: stable@vger.kernel.org
87417 Signed-off-by: Dave Airlie <airlied@redhat.com>
87418
87419 drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
87420 1 files changed, 3 insertions(+), 10 deletions(-)
87421
87422commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
87423Author: Al Viro <viro@zeniv.linux.org.uk>
87424Date: Thu Mar 28 13:30:23 2013 -0400
87425
87426 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
87427
87428 ecryptfs: close rmmod race
87429
87430 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
87431
87432 fs/ecryptfs/miscdev.c | 14 ++------------
87433 1 files changed, 2 insertions(+), 12 deletions(-)
87434
87435commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
87436Author: Brad Spengler <spender@grsecurity.net>
87437Date: Wed Apr 10 19:03:45 2013 -0400
87438
87439 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
87440
87441 arch/ia64/kernel/palinfo.c | 2 +-
87442 1 files changed, 1 insertions(+), 1 deletions(-)
87443
87444commit 83280e384ae3ceadad30369ced111dc7d4b46085
87445Author: Andrey Vagin <avagin@openvz.org>
87446Date: Tue Apr 9 17:33:29 2013 +0400
87447
87448 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
87449
87450 mnt: release locks on error path in do_loopback
87451
87452 do_loopback calls lock_mount(path) and forget to unlock_mount
87453 if clone_mnt or copy_mnt fails.
87454
87455 [ 77.661566] ================================================
87456 [ 77.662939] [ BUG: lock held when returning to user space! ]
87457 [ 77.664104] 3.9.0-rc5+ #17 Not tainted
87458 [ 77.664982] ------------------------------------------------
87459 [ 77.666488] mount/514 is leaving the kernel with locks still held!
87460 [ 77.668027] 2 locks held by mount/514:
87461 [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
87462 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
87463
87464 Signed-off-by: Andrey Vagin <avagin@openvz.org>
87465 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
87466
87467 fs/namespace.c | 2 +-
87468 1 files changed, 1 insertions(+), 1 deletions(-)
87469
87470commit 679e536b9d9536d804f049fe942367a596253e6d
87471Author: Alex Williamson <alex.williamson@redhat.com>
87472Date: Tue Mar 26 11:33:16 2013 -0600
87473
87474 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
87475
87476 vfio-pci: Fix possible integer overflow
87477
87478 The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
87479 of which are unsigned. We attempt to bounds check these, but fail to
87480 account for the case where start is a very large number, allowing
87481 start + count to wrap back into the valid range. Bounds check both
87482 start and start + count.
87483
87484 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
87485 Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
87486
87487 drivers/vfio/pci/vfio_pci.c | 3 ++-
87488 1 files changed, 2 insertions(+), 1 deletions(-)
87489
87490commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
87491Author: Brad Spengler <spender@grsecurity.net>
87492Date: Wed Apr 10 18:48:45 2013 -0400
87493
87494 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
87495
87496 security/Kconfig | 2 +-
87497 1 files changed, 1 insertions(+), 1 deletions(-)
87498
87499commit b5261a6384ee42499b29495aaae40b271e77d394
87500Author: Brad Spengler <spender@grsecurity.net>
87501Date: Tue Apr 9 17:30:45 2013 -0400
87502
87503 some undefined behavior fixups
87504
87505 grsecurity/gracl.c | 4 ++--
87506 grsecurity/gracl_ip.c | 10 +++++-----
87507 grsecurity/gracl_segv.c | 4 ++--
87508 3 files changed, 9 insertions(+), 9 deletions(-)
87509
87510commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
87511Author: Brad Spengler <spender@grsecurity.net>
87512Date: Tue Apr 9 17:28:54 2013 -0400
87513
87514 don't whine about denied ipv6 when it's not enabled
87515
87516 grsecurity/gracl_ip.c | 3 +++
87517 1 files changed, 3 insertions(+), 0 deletions(-)
87518
87519commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
87520Merge: 97bca88 9123489
87521Author: Brad Spengler <spender@grsecurity.net>
87522Date: Tue Apr 9 17:18:45 2013 -0400
87523
87524 Merge branch 'pax-test' into grsec-test
87525
87526commit 9123489428c58668a89f316db6619739cbdd2c2a
87527Author: Brad Spengler <spender@grsecurity.net>
87528Date: Tue Apr 9 17:17:46 2013 -0400
87529
87530 Update to pax-linux-3.8.6-test18.patch:
87531 - new size overflow plugin from Emese to work around a gcc optimization
87532 resulting in an intentional overflow, reported by Carlos Carvalho
87533 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
87534
87535 tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
87536 1 files changed, 66 insertions(+), 2 deletions(-)
87537
87538commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
87539Merge: 675a41e e9d6073
87540Author: Brad Spengler <spender@grsecurity.net>
87541Date: Mon Apr 8 21:32:59 2013 -0400
87542
87543 Merge branch 'pax-test' into grsec-test
87544
87545 Conflicts:
87546 arch/sparc/kernel/us3_cpufreq.c
87547
87548commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
87549Author: Brad Spengler <spender@grsecurity.net>
87550Date: Mon Apr 8 21:19:03 2013 -0400
87551
87552 Update to pax-linux-3.8.6-test17.patch:
87553 - fixed ia64/ppc/sparc compilation by spender
87554 - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
87555
87556 arch/ia64/include/asm/uaccess.h | 2 -
87557 arch/powerpc/include/asm/uaccess.h | 2 -
87558 arch/sparc/include/asm/uaccess.h | 7 ----
87559 arch/sparc/kernel/prom_common.c | 2 +-
87560 arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
87561 tools/gcc/structleak_plugin.c | 15 ++++----
87562 6 files changed, 28 insertions(+), 69 deletions(-)
87563
87564commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
87565Author: Brad Spengler <spender@grsecurity.net>
87566Date: Sun Apr 7 12:00:50 2013 -0400
87567
87568 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
87569
87570 net/socket.c | 2 +-
87571 1 files changed, 1 insertions(+), 1 deletions(-)
87572
87573commit 5a216624a06429488f24ce47db093da042f90e48
87574Author: Brad Spengler <spender@grsecurity.net>
87575Date: Sat Apr 6 13:22:24 2013 -0400
87576
87577 fix typo
87578
87579 arch/sparc/kernel/us3_cpufreq.c | 5 +----
87580 1 files changed, 1 insertions(+), 4 deletions(-)
87581
87582commit e476ca18d21788898cd3acd1b57049971a2fb70f
87583Author: Brad Spengler <spender@grsecurity.net>
87584Date: Sat Apr 6 13:16:13 2013 -0400
87585
87586 properly fix cpufreq_driver for ultrasparc III with constification
87587
87588 arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
87589 1 files changed, 17 insertions(+), 18 deletions(-)
87590
87591commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
87592Author: Brad Spengler <spender@grsecurity.net>
87593Date: Sat Apr 6 12:58:48 2013 -0400
87594
87595 mark prom_sparc_ops __initconst
87596
87597 arch/sparc/kernel/prom_common.c | 2 +-
87598 1 files changed, 1 insertions(+), 1 deletions(-)
87599
87600commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
87601Author: Brad Spengler <spender@grsecurity.net>
87602Date: Sat Apr 6 12:53:16 2013 -0400
87603
87604 fix ia64/powerpc/sparc compilation
87605
87606 arch/ia64/include/asm/uaccess.h | 2 --
87607 arch/powerpc/include/asm/uaccess.h | 2 --
87608 arch/sparc/include/asm/uaccess.h | 7 -------
87609 3 files changed, 0 insertions(+), 11 deletions(-)
87610
87611commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
87612Author: Johannes Berg <johannes.berg@intel.com>
87613Date: Tue Mar 19 20:26:57 2013 +0100
87614
87615 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
87616
87617 cfg80211: fix wdev tracing crash
87618
87619 Arend reported a crash in tracing if the driver returns an
87620 ERR_PTR() value from the add_virtual_intf() callback. This
87621 is due to the tracing then still attempting to dereference
87622 the "pointer", fix this by using IS_ERR_OR_NULL().
87623
87624 Reported-by: Arend van Spriel <arend@broadcom.com>
87625 Tested-by: Arend van Spriel <arend@broadcom.com>
87626 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
87627
87628 net/wireless/trace.h | 3 ++-
87629 1 files changed, 2 insertions(+), 1 deletions(-)
87630
87631commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
87632Author: Johannes Berg <johannes.berg@intel.com>
87633Date: Mon Mar 25 11:51:14 2013 +0100
87634
87635 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
87636
87637 mac80211: fix remain-on-channel cancel crash
87638
87639 If a ROC item is canceled just as it expires, the work
87640 struct may be scheduled while it is running (and waiting
87641 for the mutex). This results in it being run after being
87642 freed, which obviously crashes.
87643
87644 To fix this don't free it when aborting is requested but
87645 instead mark it as "to be freed", which makes the work a
87646 no-op and allows freeing it outside.
87647
87648 Cc: stable@vger.kernel.org [3.6+]
87649 Reported-by: Jouni Malinen <j@w1.fi>
87650 Tested-by: Jouni Malinen <j@w1.fi>
87651 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
87652
87653 net/mac80211/cfg.c | 6 ++++--
87654 net/mac80211/ieee80211_i.h | 3 ++-
87655 net/mac80211/offchannel.c | 23 +++++++++++++++++------
87656 3 files changed, 23 insertions(+), 9 deletions(-)
87657
87658commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
87659Author: Stone Piao <piaoyun@marvell.com>
87660Date: Fri Mar 29 19:21:21 2013 -0700
87661
87662 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
87663
87664 mwifiex: limit channel number not to overflow memory
87665
87666 Limit the channel number in scan request, or the driver scan
87667 config structure memory will be overflowed.
87668
87669 Cc: <stable@vger.kernel.org> # 3.5+
87670 Signed-off-by: Stone Piao <piaoyun@marvell.com>
87671 Signed-off-by: Bing Zhao <bzhao@marvell.com>
87672 Signed-off-by: John W. Linville <linville@tuxdriver.com>
87673
87674 drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
87675 1 files changed, 2 insertions(+), 1 deletions(-)
87676
87677commit 207c411512bdaf0e4271f93ecac6ca26588da36f
87678Author: Gao feng <gaofeng@cn.fujitsu.com>
87679Date: Thu Mar 21 19:48:41 2013 +0000
87680
87681 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
87682
87683 netfilter: reset nf_trace in nf_reset
87684
87685 We forgot to clear the nf_trace of sk_buff in nf_reset,
87686 When we use veth device, this nf_trace information will
87687 be leaked from one net namespace to another net namespace.
87688
87689 Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
87690 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
87691
87692 include/linux/skbuff.h | 3 +++
87693 1 files changed, 3 insertions(+), 0 deletions(-)
87694
87695commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
87696Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
87697Date: Fri Mar 22 01:28:18 2013 +0000
87698
87699 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
87700
87701 netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
87702
87703 Fix to return a negative error code from the error handling
87704 case instead of 0, as returned elsewhere in this function.
87705
87706 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
87707 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
87708
87709 net/netfilter/nfnetlink_queue_core.c | 4 +++-
87710 1 files changed, 3 insertions(+), 1 deletions(-)
87711
87712commit a79feb7d3251eca577d83d7f69eee2b961ab2924
87713Author: Pablo Neira Ayuso <pablo@netfilter.org>
87714Date: Sat Mar 23 16:57:59 2013 +0100
87715
87716 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
87717
87718 netfilter: nfnetlink_acct: return -EINVAL if object name is empty
87719
87720 If user-space tries to create accounting object with an empty
87721 name, then return -EINVAL.
87722
87723 Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
87724 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
87725
87726 net/netfilter/nfnetlink_acct.c | 2 ++
87727 1 files changed, 2 insertions(+), 0 deletions(-)
87728
87729commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
87730Author: Matthias Schiffer <mschiffer@universe-factory.net>
87731Date: Sat Mar 30 10:23:12 2013 +0000
87732
87733 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
87734
87735 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
87736
87737 The bitmask used for the prefix mangling was being calculated
87738 incorrectly, leading to the wrong part of the address being replaced
87739 when the prefix length wasn't a multiple of 32.
87740
87741 Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
87742 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
87743
87744 net/ipv6/netfilter/ip6t_NPT.c | 2 +-
87745 1 files changed, 1 insertions(+), 1 deletions(-)
87746
87747commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
87748Author: Veaceslav Falico <vfalico@redhat.com>
87749Date: Wed Apr 3 05:46:33 2013 +0000
87750
87751 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
87752
87753 bonding: remove sysfs before removing devices
87754
87755 We have a race condition if we try to rmmod bonding and simultaneously add
87756 a bond master through sysfs. In bonding_exit() we first remove the devices
87757 (through rtnl_link_unregister() ) and only after that we remove the sysfs.
87758 If we manage to add a device through sysfs after that the devices were
87759 removed - we'll end up with that device/sysfs structure and with the module
87760 unloaded.
87761
87762 Fix this by first removing the sysfs and only after that calling
87763 rtnl_link_unregister().
87764
87765 Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
87766 Signed-off-by: David S. Miller <davem@davemloft.net>
87767
87768 drivers/net/bonding/bond_main.c | 2 +-
87769 1 files changed, 1 insertions(+), 1 deletions(-)
87770
87771commit d12cae44a9d12441d81c489178803237219d403d
87772Author: Eric W. Biederman <ebiederm@xmission.com>
87773Date: Wed Apr 3 16:14:47 2013 +0000
87774
87775 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
87776
87777 af_unix: If we don't care about credentials coallesce all messages
87778
87779 It was reported that the following LSB test case failed
87780 https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
87781 were not coallescing unix stream messages when the application was
87782 expecting us to.
87783
87784 The problem was that the first send was before the socket was accepted
87785 and thus sock->sk_socket was NULL in maybe_add_creds, and the second
87786 send after the socket was accepted had a non-NULL value for sk->socket
87787 and thus we could tell the credentials were not needed so we did not
87788 bother.
87789
87790 The unnecessary credentials on the first message cause
87791 unix_stream_recvmsg to start verifying that all messages had the same
87792 credentials before coallescing and then the coallescing failed because
87793 the second message had no credentials.
87794
87795 Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
87796 long standing pessimization which would fail to coallesce messages when
87797 reading from a unix stream socket if the senders were different even if
87798 we did not care about their credentials.
87799
87800 I have tested this and verified that the in the LSB test case mentioned
87801 above that the messages do coallesce now, while the were failing to
87802 coallesce without this change.
87803
87804 Reported-by: Karel Srot <ksrot@redhat.com>
87805 Reported-by: Ding Tianhong <dingtianhong@huawei.com>
87806 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
87807 Signed-off-by: David S. Miller <davem@davemloft.net>
87808
87809 net/unix/af_unix.c | 2 +-
87810 1 files changed, 1 insertions(+), 1 deletions(-)
87811
87812commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
87813Author: Eric W. Biederman <ebiederm@xmission.com>
87814Date: Wed Apr 3 16:13:35 2013 +0000
87815
87816 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
87817
87818 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
87819
87820 This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
87821
87822 The problem that the above patch was meant to address is that af_unix
87823 messages are not being coallesced because we are sending unnecesarry
87824 credentials. Not sending credentials in maybe_add_creds totally
87825 breaks unconnected unix domain sockets that wish to send credentails
87826 to other sockets.
87827
87828 In practice this break some versions of udev because they receive a
87829 message and the sending uid is bogus so they drop the message.
87830
87831 Reported-by: Sven Joachim <svenjoac@gmx.de>
87832 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
87833 Signed-off-by: David S. Miller <davem@davemloft.net>
87834
87835 net/unix/af_unix.c | 4 ++--
87836 1 files changed, 2 insertions(+), 2 deletions(-)
87837
87838commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
87839Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
87840Date: Wed Mar 20 21:31:42 2013 +0000
87841
87842 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
87843
87844 lantiq_etop: use free_netdev(netdev) instead of kfree()
87845
87846 Freeing netdev without free_netdev() leads to net, tx leaks.
87847 And it may lead to dereferencing freed pointer.
87848
87849 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
87850 Signed-off-by: David S. Miller <davem@davemloft.net>
87851
87852 drivers/net/ethernet/lantiq_etop.c | 2 +-
87853 1 files changed, 1 insertions(+), 1 deletions(-)
87854
87855commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
87856Author: Cong Wang <amwang@redhat.com>
87857Date: Fri Mar 22 19:14:07 2013 +0000
87858
87859 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
87860
87861 8021q: fix a potential use-after-free
87862
87863 vlan_vid_del() could possibly free ->vlan_info after a RCU grace
87864 period, however, we may still refer to the freed memory area
87865 by 'grp' pointer. Found by code inspection.
87866
87867 This patch moves vlan_vid_del() as behind as possible.
87868
87869 Cc: Patrick McHardy <kaber@trash.net>
87870 Cc: "David S. Miller" <davem@davemloft.net>
87871 Signed-off-by: Cong Wang <amwang@redhat.com>
87872 Acked-by: Eric Dumazet <edumazet@google.com>
87873 Signed-off-by: David S. Miller <davem@davemloft.net>
87874
87875 net/8021q/vlan.c | 7 +++++++
87876 1 files changed, 7 insertions(+), 0 deletions(-)
87877
87878commit fff29c277024a39845d4b535083c8dafc21b45d9
87879Author: Hong zhi guo <honkiko@gmail.com>
87880Date: Sat Mar 23 02:27:50 2013 +0000
87881
87882 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
87883
87884 bridge: fix crash when set mac address of br interface
87885
87886 When I tried to set mac address of a bridge interface to a mac
87887 address which already learned on this bridge, I got system hang.
87888
87889 The cause is straight forward: function br_fdb_change_mac_address
87890 calls fdb_insert with NULL source nbp. Then an fdb lookup is
87891 performed. If an fdb entry is found and it's local, it's OK. But
87892 if it's not local, source is dereferenced for printk without NULL
87893 check.
87894
87895 Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
87896 Signed-off-by: David S. Miller <davem@davemloft.net>
87897
87898 net/bridge/br_fdb.c | 2 +-
87899 1 files changed, 1 insertions(+), 1 deletions(-)
87900
87901commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
87902Author: Kumar Amit Mehta <gmate.amit@gmail.com>
87903Date: Sat Mar 23 20:10:25 2013 +0000
87904
87905 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
87906
87907 bnx2x: fix assignment of signed expression to unsigned variable
87908
87909 fix for incorrect assignment of signed expression to unsigned variable.
87910
87911 Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
87912 Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
87913 Signed-off-by: David S. Miller <davem@davemloft.net>
87914
87915 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
87916 1 files changed, 9 insertions(+), 9 deletions(-)
87917
87918commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
87919Author: dingtianhong <dingtianhong@huawei.com>
87920Date: Mon Mar 25 17:02:04 2013 +0000
87921
87922 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
87923
87924 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
87925
87926 SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
87927 socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
87928 and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
87929
87930 Origionally-authored-by: Karel Srot <ksrot@redhat.com>
87931 Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
87932 Acked-by: Eric Dumazet <edumazet@google.com>
87933 Signed-off-by: David S. Miller <davem@davemloft.net>
87934
87935 net/unix/af_unix.c | 4 ++--
87936 1 files changed, 2 insertions(+), 2 deletions(-)
87937
87938commit b964e1e61f0f0ccaa380be3342f956c604054bdc
87939Author: Eric W. Biederman <ebiederm@xmission.com>
87940Date: Thu Mar 21 02:30:41 2013 -0700
87941
87942 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
87943
87944 yama: Better permission check for ptraceme
87945
87946 Change the permission check for yama_ptrace_ptracee to the standard
87947 ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
87948 in the tracees user namespace.
87949
87950 Reviewed-by: Kees Cook <keescook@chromium.org>
87951 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
87952
87953 security/yama/yama_lsm.c | 4 +---
87954 1 files changed, 1 insertions(+), 3 deletions(-)
87955
87956commit b94e71c7b6abe75989edff18aca2781233fa143b
87957Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
87958Date: Mon Apr 1 11:40:51 2013 +0400
87959
87960 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
87961
87962 ipc: set msg back to -EAGAIN if copy wasn't performed
87963
87964 Make sure that msg pointer is set back to error value in case of
87965 MSG_COPY flag is set and desired message to copy wasn't found. This
87966 garantees that msg is either a error pointer or a copy address.
87967
87968 Otherwise the last message in queue will be freed without unlinking from
87969 the queue (which leads to memory corruption) and the dummy allocated
87970 copy won't be released.
87971
87972 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
87973 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
87974
87975 ipc/msg.c | 1 +
87976 1 files changed, 1 insertions(+), 0 deletions(-)
87977
87978commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
87979Author: Jan Kara <jack@suse.cz>
87980Date: Fri Mar 29 15:39:16 2013 +0100
87981
87982 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
87983
87984 reiserfs: Fix warning and inode leak when deleting inode with xattrs
87985
87986 After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
87987 started failing to delete xattrs from inode. This was due to a buggy
87988 test for '.' and '..' in fill_with_dentries() which resulted in passing
87989 '.' and '..' entries to lookup_one_len() in some cases. That returned
87990 error and so we failed to iterate over all xattrs of and inode.
87991
87992 Fix the test in fill_with_dentries() along the lines of the one in
87993 lookup_one_len().
87994
87995 Reported-by: Pawel Zawora <pzawora@gmail.com>
87996 CC: stable@vger.kernel.org
87997 Signed-off-by: Jan Kara <jack@suse.cz>
87998
87999 fs/reiserfs/xattr.c | 4 ++--
88000 1 files changed, 2 insertions(+), 2 deletions(-)
88001
88002commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
88003Author: Paul Bolle <pebolle@tiscali.nl>
88004Date: Wed Apr 3 12:24:45 2013 +0100
88005
88006 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
88007
88008 ARM: 7690/1: mm: fix CONFIG_LPAE typos
88009
88010 CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
88011 up the two typos under arch/arm/.
88012
88013 The fix to head.S is slightly scary, but this is just for setting up
88014 an early io-mapping for the serial port when running on a big-endian,
88015 LPAE system. Since these systems don't exist in the wild (at least, I
88016 have no access to one outside of kvmtool, which doesn't provide a serial
88017 port suitable for earlyprintk), then we can revisit the code later if it
88018 causes any problems.
88019
88020 Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
88021 Signed-off-by: Will Deacon <will.deacon@arm.com>
88022 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
88023
88024 arch/arm/kernel/head.S | 2 +-
88025 arch/arm/kernel/setup.c | 2 +-
88026 2 files changed, 2 insertions(+), 2 deletions(-)
88027
88028commit 984ba346b2d8f158473e9723ba145031368431ed
88029Author: Catalin Marinas <catalin.marinas@arm.com>
88030Date: Tue Mar 26 23:35:04 2013 +0100
88031
88032 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
88033
88034 ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
88035
88036 On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
88037 all use of the old entries. This patch implements the erratum workaround
88038 which consists of:
88039
88040 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
88041 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
88042 one being invalidated (or all the online CPUs for global pages).
88043 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
88044 return code already).
88045
88046 Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
88047 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
88048
88049 Conflicts:
88050
88051 arch/arm/include/asm/tlbflush.h
88052 arch/arm/kernel/smp_tlb.c
88053 arch/arm/mm/context.c
88054
88055 arch/arm/Kconfig | 10 +++++
88056 arch/arm/include/asm/highmem.h | 7 ++++
88057 arch/arm/include/asm/mmu_context.h | 2 +
88058 arch/arm/include/asm/tlbflush.h | 15 ++++++++
88059 arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
88060 arch/arm/mm/context.c | 6 ++-
88061 6 files changed, 104 insertions(+), 2 deletions(-)
88062
88063commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
88064Author: Jan Stancek <jstancek@redhat.com>
88065Date: Thu Apr 4 11:35:10 2013 -0700
88066
88067 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
88068
88069 mm: prevent mmap_cache race in find_vma()
88070
88071 find_vma() can be called by multiple threads with read lock
88072 held on mm->mmap_sem and any of them can update mm->mmap_cache.
88073 Prevent compiler from re-fetching mm->mmap_cache, because other
88074 readers could update it in the meantime:
88075
88076 thread 1 thread 2
88077 |
88078 find_vma() | find_vma()
88079 struct vm_area_struct *vma = NULL; |
88080 vma = mm->mmap_cache; |
88081 if (!(vma && vma->vm_end > addr |
88082 && vma->vm_start <= addr)) { |
88083 | mm->mmap_cache = vma;
88084 return vma; |
88085 ^^ compiler may optimize this |
88086 local variable out and re-read |
88087 mm->mmap_cache |
88088
88089 This issue can be reproduced with gcc-4.8.0-1 on s390x by running
88090 mallocstress testcase from LTP, which triggers:
88091
88092 kernel BUG at mm/rmap.c:1088!
88093 Call Trace:
88094 ([<000003d100c57000>] 0x3d100c57000)
88095 [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
88096 [<000000000023baae>] handle_pte_fault+0x41a/0xac8
88097 [<000000000023d832>] handle_mm_fault+0x17a/0x268
88098 [<000000000060507a>] do_protection_exception+0x1e2/0x394
88099 [<0000000000603a04>] pgm_check_handler+0x138/0x13c
88100 [<000003fffcf1f07a>] 0x3fffcf1f07a
88101 Last Breaking-Event-Address:
88102 [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
88103
88104 Thanks to Jakub Jelinek for his insight on gcc and helping to
88105 track this down.
88106
88107 Signed-off-by: Jan Stancek <jstancek@redhat.com>
88108 Acked-by: David Rientjes <rientjes@google.com>
88109 Signed-off-by: Hugh Dickins <hughd@google.com>
88110 Cc: stable@vger.kernel.org
88111 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
88112
88113 mm/mmap.c | 2 +-
88114 mm/nommu.c | 2 +-
88115 2 files changed, 2 insertions(+), 2 deletions(-)
88116
88117commit 53f5096daa14967938bc154e6c41f9119863fb36
88118Merge: e988d7c 0a45285
88119Author: Brad Spengler <spender@grsecurity.net>
88120Date: Fri Apr 5 17:32:31 2013 -0400
88121
88122 Merge branch 'pax-test' into grsec-test
88123
88124 Conflicts:
88125 drivers/net/ethernet/broadcom/tg3.c
88126
88127commit 0a452855444d02502df6eb21ef3083cf303f71e1
88128Merge: 0277fa1 00cfbb8
88129Author: Brad Spengler <spender@grsecurity.net>
88130Date: Fri Apr 5 17:31:15 2013 -0400
88131
88132 Update to pax-linux-3.8.6-test16.patch:
88133 - fixed some attribute leakage into userland headers, patch by Mathias Krause
88134 - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
88135
88136 Merge branch 'linux-3.8.y' into pax-test
88137
88138 Conflicts:
88139 drivers/gpu/drm/i915/intel_display.c
88140
88141commit e988d7c8d946c816a2cb97f0d38048a1584966b8
88142Merge: baec40e 0277fa1
88143Author: Brad Spengler <spender@grsecurity.net>
88144Date: Wed Apr 3 22:05:41 2013 -0400
88145
88146 Merge branch 'pax-test' into grsec-test
88147
88148commit 0277fa123b486cf11420967e4568d7653e225fd3
88149Author: Brad Spengler <spender@grsecurity.net>
88150Date: Wed Apr 3 22:04:48 2013 -0400
88151
88152 Update to pax-linux-3.8.5-test15.patch:
88153 - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
88154 - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
88155
88156 drivers/media/pci/cx88/cx88-video.c | 6 +++---
88157 include/net/net_namespace.h | 4 ++++
88158 2 files changed, 7 insertions(+), 3 deletions(-)
88159
88160commit baec40e6708fd5ae2000cad6c70c5980c998b91c
88161Author: Brad Spengler <spender@grsecurity.net>
88162Date: Tue Apr 2 19:50:32 2013 -0400
88163
88164 fix compilation as reported on forums for gcc versions lacking plugin
88165 support
88166
88167 include/net/net_namespace.h | 4 ++++
88168 1 files changed, 4 insertions(+), 0 deletions(-)
88169
88170commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
88171Merge: 6b69c35 0db9d15
88172Author: Brad Spengler <spender@grsecurity.net>
88173Date: Tue Apr 2 17:47:27 2013 -0400
88174
88175 Merge branch 'pax-test' into grsec-test
88176
88177commit 0db9d156826bdd50510086fde837648a3dfd370e
88178Author: Brad Spengler <spender@grsecurity.net>
88179Date: Tue Apr 2 17:46:05 2013 -0400
88180
88181 Update to pax-linux-3.8.5-test14.patch:
88182 - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
88183
88184 arch/x86/include/asm/uaccess_64.h | 6 +-
88185 include/linux/moduleloader.h | 4 +-
88186 tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
88187 3 files changed, 61 insertions(+), 47 deletions(-)
88188
88189commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
88190Author: Brad Spengler <spender@grsecurity.net>
88191Date: Tue Apr 2 17:35:06 2013 -0400
88192
88193 remove duplicate compiler.h
88194
88195 include/linux/sysrq.h | 1 -
88196 1 files changed, 0 insertions(+), 1 deletions(-)
88197
88198commit 01e1d503fd2220adaaec0b92ea19441bdff73555
88199Author: Brad Spengler <spender@grsecurity.net>
88200Date: Fri Mar 29 19:53:50 2013 -0400
88201
88202 fix intentional_overflow marking on sys_sendto
88203
88204 include/linux/syscalls.h | 2 +-
88205 net/socket.c | 2 +-
88206 2 files changed, 2 insertions(+), 2 deletions(-)
88207
88208commit cd5ff114d958470f471c63775278e8c05e774630
88209Author: Brad Spengler <spender@grsecurity.net>
88210Date: Fri Mar 29 18:46:16 2013 -0400
88211
88212 fix size_overflow false positive
88213
88214 kernel/futex_compat.c | 2 +-
88215 1 files changed, 1 insertions(+), 1 deletions(-)
88216
88217commit 295ba16cc53df2375261accbedd6575ea327770a
88218Merge: 18340f1 278a989
88219Author: Brad Spengler <spender@grsecurity.net>
88220Date: Fri Mar 29 17:36:18 2013 -0400
88221
88222 Merge branch 'pax-test' into grsec-test
88223
88224 Conflicts:
88225 fs/exec.c
88226 include/linux/thread_info.h
88227
88228commit 278a989c831d62193c7b3d119fe2302babd45d12
88229Author: Brad Spengler <spender@grsecurity.net>
88230Date: Fri Mar 29 17:34:34 2013 -0400
88231
88232 Resync with pax-linux-3.8.5-test13.patch
88233
88234 arch/arm/include/asm/pgtable.h | 3 ++-
88235 arch/arm/lib/delay.c | 1 +
88236 fs/exec.c | 8 ++++----
88237 include/linux/compiler.h | 1 +
88238 include/linux/proc_fs.h | 2 +-
88239 include/linux/thread_info.h | 6 +++---
88240 include/linux/zlib.h | 3 ++-
88241 init/main.c | 4 ++--
88242 kernel/user_namespace.c | 2 +-
88243 lib/list_debug.c | 4 ++--
88244 mm/slab.c | 1 +
88245 mm/slob.c | 1 +
88246 mm/slub.c | 1 +
88247 net/core/sysctl_net_core.c | 3 +--
88248 tools/gcc/constify_plugin.c | 1 +
88249 15 files changed, 24 insertions(+), 17 deletions(-)
88250
88251commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
88252Merge: 05f01ae e8cfeae
88253Author: Brad Spengler <spender@grsecurity.net>
88254Date: Fri Mar 29 17:30:57 2013 -0400
88255
88256 Merge branch 'pax-test' into grsec-test
88257
88258commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
88259Merge: b461cb7 aa4cfde
88260Author: Brad Spengler <spender@grsecurity.net>
88261Date: Fri Mar 29 17:30:44 2013 -0400
88262
88263 Merge branch 'linux-3.8.y' into pax-test
88264
88265 Conflicts:
88266 drivers/gpu/drm/i915/i915_gem_execbuffer.c
88267 fs/nfsd/vfs.c
88268
88269commit 05f01ae4c3479541586a2387f916a6620889c479
88270Author: Brad Spengler <spender@grsecurity.net>
88271Date: Fri Mar 29 17:05:39 2013 -0400
88272
88273 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
88274 takes user-provided length, copies up to that amount in a sockaddr_storage
88275 struct on the stack, then takes an upper-bounded-only user-provided length
88276 and copies the sockaddr_storage struct back out to userland, complete with
88277 uninitialized data
88278
88279 net/socket.c | 2 +-
88280 1 files changed, 1 insertions(+), 1 deletions(-)
88281
88282commit eea6ade59490784e83e08ec67322288fcf14cb31
88283Author: Brad Spengler <spender@grsecurity.net>
88284Date: Thu Mar 28 23:07:37 2013 -0400
88285
88286 return a proper error, otherwise we could be accessing uninitialized data
88287 (previous define was a positive value)
88288
88289 drivers/usb/storage/realtek_cr.c | 2 +-
88290 1 files changed, 1 insertions(+), 1 deletions(-)
88291
88292commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
88293Merge: c3dc9a6 b461cb7
88294Author: Brad Spengler <spender@grsecurity.net>
88295Date: Thu Mar 28 20:54:24 2013 -0400
88296
88297 Merge branch 'pax-test' into grsec-test
88298
88299commit b461cb7b1d85490430ef7896c247794af72c3749
88300Author: Brad Spengler <spender@grsecurity.net>
88301Date: Thu Mar 28 20:54:11 2013 -0400
88302
88303 Add structleak plugin
88304
88305 tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
88306 1 files changed, 270 insertions(+), 0 deletions(-)
88307
88308commit c3dc9a6ef10782894bb11fd088fd712db44d8062
88309Author: Brad Spengler <spender@grsecurity.net>
88310Date: Thu Mar 28 20:53:22 2013 -0400
88311
88312 Enable structleak by default for the security auto-config
88313
88314 security/Kconfig | 11 +++++++----
88315 1 files changed, 7 insertions(+), 4 deletions(-)
88316
88317commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
88318Merge: d8503a3 74bec16
88319Author: Brad Spengler <spender@grsecurity.net>
88320Date: Thu Mar 28 20:47:10 2013 -0400
88321
88322 Merge branch 'pax-test' into grsec-test
88323
88324commit 74bec16b657147a5575b1f14f4423a717ba317a6
88325Author: Brad Spengler <spender@grsecurity.net>
88326Date: Thu Mar 28 20:46:13 2013 -0400
88327
88328 Update to pax-linux-3.8.4-test13.patch:
88329 - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
88330 - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
88331
88332 Makefile | 5 +++-
88333 arch/x86/include/asm/compat.h | 2 +-
88334 arch/x86/mm/fault.c | 3 +-
88335 fs/binfmt_elf.c | 2 +-
88336 include/linux/compiler.h | 42 ++++++++++++++--------------------------
88337 security/Kconfig | 16 +++++++++++++++
88338 tools/gcc/Makefile | 2 +
88339 tools/gcc/constify_plugin.c | 7 +++++-
88340 8 files changed, 47 insertions(+), 32 deletions(-)
88341
88342commit d8503a3a35d68b9ba1615d29335aef3f70d51465
88343Author: Brad Spengler <spender@grsecurity.net>
88344Date: Thu Mar 28 20:02:40 2013 -0400
88345
88346 Fix 8-byte stack infoleak in ia32_rt_sigpending
88347 User controls length, kernel only performs check on the upper bound, will
88348 fill in any amount less than sizeof(sigset_t) via a copy_to_user under
88349 KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
88350 regardless of whether the sigset_t content copied into it has been initialized
88351 or not
88352
88353 arch/x86/ia32/sys_ia32.c | 2 +-
88354 1 files changed, 1 insertions(+), 1 deletions(-)
88355
88356commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
88357Author: Brad Spengler <spender@grsecurity.net>
88358Date: Tue Mar 26 21:05:05 2013 -0400
88359
88360 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
88361 Author: J. Bruce Fields <bfields@redhat.com>
88362 Date: Tue Mar 26 14:11:13 2013 -0400
88363
88364 nfsd4: reject "negative" acl lengths
88365
88366 Since we only enforce an upper bound, not a lower bound, a "negative"
88367 length can get through here.
88368
88369 The symptom seen was a warning when we attempt to a kmalloc with an
88370 excessive size.
88371
88372 Reported-by: Toralf Förster <toralf.foerster@gmx.de>
88373 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
88374
88375 fs/nfsd/nfs4xdr.c | 2 +-
88376 1 files changed, 1 insertions(+), 1 deletions(-)
88377
88378commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
88379Author: Jeff Layton <jlayton@redhat.com>
88380Date: Mon Mar 11 09:52:19 2013 -0400
88381
88382 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
88383
88384 cifs: ignore everything in SPNEGO blob after mechTypes
88385
88386 We've had several reports of people attempting to mount Windows 8 shares
88387 and getting failures with a return code of -EINVAL. The default sec=
88388 mode changed recently to sec=ntlmssp. With that, we expect and parse a
88389 SPNEGO blob from the server in the NEGOTIATE reply.
88390
88391 The current decode_negTokenInit function first parses all of the
88392 mechTypes and then tries to parse the rest of the negTokenInit reply.
88393 The parser however currently expects a mechListMIC or nothing to follow the
88394 mechTypes, but Windows 8 puts a mechToken field there instead to carry
88395 some info for the new NegoEx stuff.
88396
88397 In practice, we don't do anything with the fields after the mechTypes
88398 anyway so I don't see any real benefit in continuing to parse them.
88399 This patch just has the kernel ignore the fields after the mechTypes.
88400 We'll probably need to reinstate some of this if we ever want to support
88401 NegoEx.
88402
88403 Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
88404 Reported-by: Yan Li <elliot.li.tech@gmail.com>
88405 Signed-off-by: Jeff Layton <jlayton@redhat.com>
88406 Cc: <stable@vger.kernel.org>
88407 Signed-off-by: Steve French <sfrench@us.ibm.com>
88408
88409 fs/cifs/asn1.c | 53 +++++------------------------------------------------
88410 1 files changed, 5 insertions(+), 48 deletions(-)
88411
88412commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
88413Merge: 93ff726 0deb54c
88414Author: Brad Spengler <spender@grsecurity.net>
88415Date: Mon Mar 25 18:35:15 2013 -0400
88416
88417 Merge branch 'pax-test' into grsec-test
88418
88419commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
88420Author: Brad Spengler <spender@grsecurity.net>
88421Date: Mon Mar 25 18:35:05 2013 -0400
88422
88423 fix typo
88424
88425 arch/x86/mm/ioremap.c | 2 +-
88426 1 files changed, 1 insertions(+), 1 deletions(-)
88427
88428commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
88429Merge: be9f8b8 f95e53a
88430Author: Brad Spengler <spender@grsecurity.net>
88431Date: Mon Mar 25 18:30:06 2013 -0400
88432
88433 Merge branch 'pax-test' into grsec-test
88434
88435commit f95e53abadb6e4665866e4502ff9f518514193e1
88436Author: Brad Spengler <spender@grsecurity.net>
88437Date: Mon Mar 25 18:29:25 2013 -0400
88438
88439 Update to pax-linux-3.8.4-test12.patch:
88440
88441 - fixed perf compilation reported by Michael Tremer
88442 - fixed USERCOPY reports triggered by SCTP, reported by mcp
88443 - last fix for aslr gap accounting, promise (thanks to spender)
88444
88445 arch/x86/mm/ioremap.c | 3 +++
88446 fs/binfmt_elf.c | 5 ++---
88447 mm/mmap.c | 2 +-
88448 net/sctp/socket.c | 19 +++++++++++++++----
88449 tools/perf/util/include/linux/compiler.h | 8 ++++++++
88450 5 files changed, 29 insertions(+), 8 deletions(-)
88451
88452commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
88453Author: Brad Spengler <spender@grsecurity.net>
88454Date: Mon Mar 25 16:48:34 2013 -0400
88455
88456 From: Al Viro <viro@ZenIV.linux.org.uk>
88457 To: Brad Spengler <spender@grsecurity.net>
88458 Cc: Linus Torvalds <torvalds@linux-foundation.org>
88459
88460 Umm... I see what you are describing, and AFAICS you are correct; let me
88461 see if I am misreading your analysis:
88462 * vfsmount_lock may act fair; A holding it shared, with B spinning
88463 on attempt to take it exclusive may lead to C spinning on attempt to take
88464 it shared.
88465 * path_is_under() tries get rename_lock while holding vfsmount_lock
88466 shared.
88467 * d_path() et.al. try to take vfsmount_lock shared, while holding
88468 rename_lock.
88469
88470 All true and yes, it's a bug (I'd probably classify it as a livelock, but
88471 that doesn't make any real difference). There are three possible solutions,
88472 AFAICS:
88473 1) two-liner in path_is_under() replacing the use of vfsmount_lock
88474 with that of namespace_sem; trivial, but results in function unexpectedly
88475 blocking. The current callers are fine with that, but it's a trouble
88476 waiting to happen.
88477 2) replace write_seqlock() in prepend_path() callers with
88478 read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
88479 is_subdir() we need more than just ->d_parent not pointing to something
88480 freed - we also care about ->d_name.len being in sync with ->d_name.name.
88481 It probably can be worked around, but...
88482
88483 3) declare that rename_lock nests inside vfsmount_lock and let
88484 the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
88485 that one...
88486
88487 Nest rename_lock inside vfsmount_lock
88488
88489 ... lest we get livelocks between path_is_under() and d_path() and friends.
88490
88491 [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
88492 the issue ]
88493
88494 Spotted-by: Brad Spengler <spender@grsecurity.net>
88495 Cc: stable@vger.kernel.org
88496 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
88497
88498 fs/dcache.c | 16 +++++++++++-----
88499 grsecurity/gracl.c | 20 ++++++++++----------
88500 2 files changed, 21 insertions(+), 15 deletions(-)
88501
88502commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
88503Author: Linus Torvalds <torvalds@linux-foundation.org>
88504Date: Fri Mar 22 11:44:04 2013 -0700
88505
88506 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
88507
88508 vfs,proc: guarantee unique inodes in /proc
88509
88510 Dave Jones found another /proc issue with his Trinity tool: thanks to
88511 the namespace model, we can have multiple /proc dentries that point to
88512 the same inode, aliasing directories in /proc/<pid>/net/ for example.
88513
88514 This ends up being a total disaster, because it acts like hardlinked
88515 directories, and causes locking problems. We rely on the topological
88516 sort of the inodes pointed to by dentries, and if we have aliased
88517 directories, that odering becomes unreliable.
88518
88519 In short: don't do this. Multiple dentries with the same (directory)
88520 inode is just a bad idea, and the namespace code should never have
88521 exposed things this way. But we're kind of stuck with it.
88522
88523 This solves things by just always allocating a new inode during /proc
88524 dentry lookup, instead of using "iget_locked()" to look up existing
88525 inodes by superblock and number. That actually simplies the code a bit,
88526 at the cost of potentially doing more inode [de]allocations.
88527
88528 That said, the inode lookup wasn't free either (and did a lot of locking
88529 of inodes), so it is probably not that noticeable. We could easily keep
88530 the old lookup model for non-directory entries, but rather than try to
88531 be excessively clever this just implements the minimal and simplest
88532 workaround for the problem.
88533
88534 Reported-and-tested-by: Dave Jones <davej@redhat.com>
88535 Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
88536 Cc: stable@vger.kernel.org
88537 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
88538
88539 Conflicts:
88540
88541 fs/proc/inode.c
88542
88543 fs/proc/inode.c | 9 +++------
88544 1 files changed, 3 insertions(+), 6 deletions(-)
88545
88546commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
88547Author: Vladimir Davydov <vdavydov@parallels.com>
88548Date: Fri Mar 22 15:04:51 2013 -0700
88549
88550 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
88551
88552 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
88553
88554 mnt_drop_write() must be called only if mnt_want_write() succeeded,
88555 otherwise the mnt_writers counter will diverge.
88556
88557 mnt_writers counters are used to check if remounting FS as read-only is
88558 OK, so after an extra mnt_drop_write() call, it would be impossible to
88559 remount mqueue FS as read-only. Besides, on umount a warning would be
88560 printed like this one:
88561
88562 =====================================
88563 [ BUG: bad unlock balance detected! ]
88564 3.9.0-rc3 #5 Not tainted
88565 -------------------------------------
88566 a.out/12486 is trying to release lock (sb_writers) at:
88567 mnt_drop_write+0x1f/0x30
88568 but there are no more locks to release!
88569
88570 Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
88571 Cc: Doug Ledford <dledford@redhat.com>
88572 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
88573 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
88574 Cc: Al Viro <viro@zeniv.linux.org.uk>
88575 Cc: <stable@vger.kernel.org>
88576 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
88577 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
88578
88579 ipc/mqueue.c | 3 ++-
88580 1 files changed, 2 insertions(+), 1 deletions(-)
88581
88582commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
88583Author: Brad Spengler <spender@grsecurity.net>
88584Date: Sat Mar 23 13:02:32 2013 -0400
88585
88586 Don't use constify plugin if not enabled in config,
88587 reported by Alexey Vlasov
88588
88589 Makefile | 2 +-
88590 1 files changed, 1 insertions(+), 1 deletions(-)
88591
88592commit 3afb82e020593249ac394e9859397c3e0ef5341c
88593Author: Brad Spengler <spender@grsecurity.net>
88594Date: Sat Mar 23 12:50:13 2013 -0400
88595
88596 oded 0day #2
88597 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
88598 slide 20
88599
88600 drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
88601 1 files changed, 4 insertions(+), 2 deletions(-)
88602
88603commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
88604Author: Brad Spengler <spender@grsecurity.net>
88605Date: Sat Mar 23 12:15:50 2013 -0400
88606
88607 oded 0day #1
88608 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
88609 slide 18
88610
88611 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
88612 1 files changed, 1 insertions(+), 1 deletions(-)
88613
88614commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
88615Author: Brad Spengler <spender@grsecurity.net>
88616Date: Sat Mar 23 12:13:12 2013 -0400
88617
88618 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
88619
88620 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
88621 1 files changed, 1 insertions(+), 1 deletions(-)
88622
88623commit 44cb11a9470f72157601d0ad4d572d111f90f504
88624Author: Brad Spengler <spender@grsecurity.net>
88625Date: Fri Mar 22 18:11:42 2013 -0400
88626
88627 use VM_DONTDUMP
88628
88629 fs/binfmt_elf.c | 2 +-
88630 1 files changed, 1 insertions(+), 1 deletions(-)
88631
88632commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
88633Author: Brad Spengler <spender@grsecurity.net>
88634Date: Fri Mar 22 17:53:09 2013 -0400
88635
88636 fix recent RLIMIT_AS changes (due to vm_flags typo)
88637
88638 Conflicts:
88639
88640 fs/binfmt_elf.c
88641
88642 fs/binfmt_elf.c | 2 +-
88643 mm/mmap.c | 2 +-
88644 2 files changed, 2 insertions(+), 2 deletions(-)
88645
88646commit fd5f0d92b0fbec02029dad124501a9c80e527a32
88647Author: Brad Spengler <spender@grsecurity.net>
88648Date: Fri Mar 22 17:08:48 2013 -0400
88649
88650 complete_walk drops rcu-walk mode, no need for our own dropping
88651 method outside of generic_permission
88652
88653 fs/namei.c | 30 ------------------------------
88654 1 files changed, 0 insertions(+), 30 deletions(-)
88655
88656commit b49ab1c73edb6442eec609b26bba4d850b3111b6
88657Merge: 5e9a707 783ade9
88658Author: Brad Spengler <spender@grsecurity.net>
88659Date: Thu Mar 21 21:56:28 2013 -0400
88660
88661 Merge branch 'pax-test' into grsec-test
88662
88663commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
88664Author: Brad Spengler <spender@grsecurity.net>
88665Date: Thu Mar 21 21:55:31 2013 -0400
88666
88667 Update to pax-linux-3.8.3-test11.patch:
88668 - rewrote the ASLR gap accounting code once again
88669 - fixed ptrace compat bug found by the size overflow plugin
88670
88671 fs/binfmt_elf.c | 25 ++++++++++++-------------
88672 fs/exec.c | 7 ++-----
88673 include/linux/compat.h | 2 +-
88674 include/linux/mm.h | 5 +++++
88675 include/linux/mm_types.h | 2 +-
88676 kernel/ptrace.c | 2 +-
88677 mm/mmap.c | 15 ++++++++++-----
88678 7 files changed, 32 insertions(+), 26 deletions(-)
88679
88680commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
88681Author: Brad Spengler <spender@grsecurity.net>
88682Date: Thu Mar 21 19:37:33 2013 -0400
88683
88684 Make the constify plugin usage actually depend on the introduced config option
88685 (it was still forced on)
88686
88687 tools/gcc/Makefile | 2 +-
88688 1 files changed, 1 insertions(+), 1 deletions(-)
88689
88690commit 1974b4f58d9d729c80ac1987785446115304a54c
88691Author: Brad Spengler <spender@grsecurity.net>
88692Date: Thu Mar 21 16:12:38 2013 -0400
88693
88694 fix failed merge
88695
88696 arch/arm/mm/fault.c | 15 +++------------
88697 1 files changed, 3 insertions(+), 12 deletions(-)
88698
88699commit 675a8ab4a8fe8315df348735a37a302a7535224c
88700Author: Brad Spengler <spender@grsecurity.net>
88701Date: Wed Mar 20 23:36:14 2013 -0400
88702
88703 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
88704 From: Kees Cook <keescook@chromium.org>
88705 Date: Sun, 10 Mar 2013 20:09:31 +0000
88706 Subject: drm/i915: bounds check execbuffer relocation count
88707
88708 It is possible to wrap the counter used to allocate the buffer for
88709 relocation copies. This could lead to heap writing overflows.
88710
88711 CVE-2013-0913
88712
88713 Signed-off-by: Kees Cook <keescook@chromium.org>
88714 Reported-by: Pinkie Pie
88715 Cc: stable@vger.kernel.org
88716
88717 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
88718 1 files changed, 8 insertions(+), 3 deletions(-)
88719
88720commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
88721Author: Andy Honig <ahonig@google.com>
88722Date: Wed Feb 20 14:48:10 2013 -0800
88723
88724 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
88725
88726 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
88727
88728 There is a potential use after free issue with the handling of
88729 MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
88730 memory such as frame buffers then KVM might continue to write to that
88731 address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
88732 the page in memory so it's unlikely to cause an issue, but if the user
88733 space component re-purposes the memory previously used for the guest, then
88734 the guest will be able to corrupt that memory.
88735
88736 Tested: Tested against kvmclock unit test
88737
88738 Signed-off-by: Andrew Honig <ahonig@google.com>
88739 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
88740
88741 arch/x86/include/asm/kvm_host.h | 4 +-
88742 arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
88743 2 files changed, 22 insertions(+), 29 deletions(-)
88744
88745commit 0bcac31b57c381001feb69fd6ec8069e61e03432
88746Author: Andy Honig <ahonig@google.com>
88747Date: Mon Mar 11 09:34:52 2013 -0700
88748
88749 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
88750
88751 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
88752
88753 If the guest sets the GPA of the time_page so that the request to update the
88754 time straddles a page then KVM will write onto an incorrect page. The
88755 write is done byusing kmap atomic to get a pointer to the page for the time
88756 structure and then performing a memcpy to that page starting at an offset
88757 that the guest controls. Well behaved guests always provide a 32-byte aligned
88758 address, however a malicious guest could use this to corrupt host kernel
88759 memory.
88760
88761 Tested: Tested against kvmclock unit test.
88762
88763 Signed-off-by: Andrew Honig <ahonig@google.com>
88764 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
88765
88766 arch/x86/kvm/x86.c | 5 +++++
88767 1 files changed, 5 insertions(+), 0 deletions(-)
88768
88769commit 695c59887e4ec10b0b695ab4f645d1226c433be0
88770Author: Andy Honig <ahonig@google.com>
88771Date: Wed Feb 20 14:49:16 2013 -0800
88772
88773 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
88774
88775 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
88776
88777 If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
88778 that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
88779 that request. ioapic_read_indirect contains an
88780 ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
88781 non-debug builds. In recent kernels this allows a guest to cause a kernel
88782 oops by reading invalid memory. In older kernels (pre-3.3) this allows a
88783 guest to read from large ranges of host memory.
88784
88785 Tested: tested against apic unit tests.
88786
88787 Signed-off-by: Andrew Honig <ahonig@google.com>
88788 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
88789
88790 virt/kvm/ioapic.c | 7 +++++--
88791 1 files changed, 5 insertions(+), 2 deletions(-)
88792
88793commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
88794Merge: aec3cd4 c522e3a
88795Author: Brad Spengler <spender@grsecurity.net>
88796Date: Wed Mar 20 19:38:25 2013 -0400
88797
88798 Merge branch 'pax-test' into grsec-test
88799
88800commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
88801Merge: c57d855 405acc3
88802Author: Brad Spengler <spender@grsecurity.net>
88803Date: Wed Mar 20 19:38:11 2013 -0400
88804
88805 Merge branch 'linux-3.8.y' into pax-test
88806
88807commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
88808Author: Brad Spengler <spender@grsecurity.net>
88809Date: Tue Mar 19 19:56:04 2013 -0400
88810
88811 include linux/compiler.h
88812
88813 include/linux/zlib.h | 1 +
88814 1 files changed, 1 insertions(+), 0 deletions(-)
88815
88816commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
88817Author: Brad Spengler <spender@grsecurity.net>
88818Date: Tue Mar 19 18:42:20 2013 -0400
88819
88820 fix missing sock_release()
88821
88822 net/irda/af_irda.c | 6 ++++--
88823 1 files changed, 4 insertions(+), 2 deletions(-)
88824
88825commit dd65c05cd24faf8946d4941434a553ee285c35a3
88826Author: Brad Spengler <spender@grsecurity.net>
88827Date: Tue Mar 19 18:36:17 2013 -0400
88828
88829 fix mpt fusion infoleak
88830
88831 drivers/message/fusion/mptbase.c | 4 ++++
88832 1 files changed, 4 insertions(+), 0 deletions(-)
88833
88834commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
88835Author: Brad Spengler <spender@grsecurity.net>
88836Date: Tue Mar 19 18:33:45 2013 -0400
88837
88838 Fix size_overflow false positive reported by slashbeast
88839
88840 include/linux/zlib.h | 2 +-
88841 1 files changed, 1 insertions(+), 1 deletions(-)
88842
88843commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
88844Author: Brad Spengler <spender@grsecurity.net>
88845Date: Tue Mar 19 17:35:36 2013 -0400
88846
88847 fix up failed merge
88848
88849 arch/arm/mm/fault.c | 9 ++-------
88850 1 files changed, 2 insertions(+), 7 deletions(-)
88851
88852commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
88853Author: Brad Spengler <spender@grsecurity.net>
88854Date: Tue Mar 19 17:34:36 2013 -0400
88855
88856 update documentation on consequences of building without gcc plugin support
88857
88858 Makefile | 2 +-
88859 1 files changed, 1 insertions(+), 1 deletions(-)
88860
88861commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
88862Author: Brad Spengler <spender@grsecurity.net>
88863Date: Tue Mar 19 17:18:13 2013 -0400
88864
88865 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
88866
88867 init/main.c | 4 ++--
88868 1 files changed, 2 insertions(+), 2 deletions(-)
88869
88870commit f00195c633f91cfbd8c1f530d2c371b713026e20
88871Author: Brad Spengler <spender@grsecurity.net>
88872Date: Mon Mar 18 22:27:33 2013 -0400
88873
88874 Fix compile error reported by KDE on the forums
88875
88876 kernel/user_namespace.c | 2 +-
88877 1 files changed, 1 insertions(+), 1 deletions(-)
88878
88879commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
88880Merge: 0949569 c57d855
88881Author: Brad Spengler <spender@grsecurity.net>
88882Date: Mon Mar 18 22:20:46 2013 -0400
88883
88884 Merge branch 'pax-test' into grsec-test
88885
88886 Conflicts:
88887 arch/arm/mm/fault.c
88888 arch/x86/mm/fault.c
88889 fs/exec.c
88890
88891commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
88892Author: Brad Spengler <spender@grsecurity.net>
88893Date: Mon Mar 18 21:22:03 2013 -0400
88894
88895 Update to pax-linux-3.8.2-test9.patch:
88896 arm changes from spender
88897 - removed userland access to the vectors page
88898 - removed obsolete sigreturn trampoline handling
88899 - added emulation for __kuser_get_tls
88900 - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
88901 - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
88902 - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
88903 - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
88904 - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
88905 - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
88906 and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
88907
88908 arch/arm/kernel/process.c | 5 +-
88909 arch/arm/kernel/signal.c | 24 +-
88910 arch/arm/kernel/traps.c | 7 -
88911 arch/arm/mm/alignment.c | 8 +
88912 arch/arm/mm/fault.c | 23 +-
88913 arch/arm/mm/mmu.c | 2 +-
88914 arch/x86/include/asm/bitops.h | 2 +-
88915 arch/x86/include/asm/desc.h | 2 +-
88916 arch/x86/include/asm/div64.h | 2 +-
88917 arch/x86/include/asm/io.h | 8 +-
88918 arch/x86/include/asm/paravirt.h | 2 +-
88919 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
88920 arch/x86/kernel/setup_percpu.c | 2 +-
88921 arch/x86/mm/fault.c | 4 +-
88922 arch/x86/mm/numa.c | 2 +-
88923 arch/x86/mm/physaddr.c | 4 +-
88924 drivers/ata/libahci.c | 2 +-
88925 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
88926 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
88927 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
88928 drivers/lguest/page_tables.c | 2 +-
88929 drivers/net/wireless/at76c50x-usb.c | 2 +-
88930 drivers/oprofile/oprofile_files.c | 2 +-
88931 drivers/power/power_supply_core.c | 1 +
88932 drivers/usb/core/message.c | 2 +-
88933 fs/befs/endian.h | 4 +-
88934 fs/binfmt_elf.c | 5 +-
88935 fs/exec.c | 4 +-
88936 fs/qnx6/qnx6.h | 4 +-
88937 fs/sysv/sysv.h | 2 +-
88938 fs/ubifs/io.c | 2 +-
88939 fs/ufs/swab.h | 4 +-
88940 include/linux/compat.h | 4 +-
88941 include/linux/completion.h | 6 +-
88942 include/linux/cpumask.h | 12 +-
88943 include/linux/ctype.h | 2 +-
88944 include/linux/err.h | 4 +-
88945 include/linux/math64.h | 6 +-
88946 include/linux/sched.h | 2 +-
88947 include/linux/unaligned/access_ok.h | 12 +-
88948 include/linux/usb.h | 2 +-
88949 include/uapi/linux/byteorder/little_endian.h | 4 +-
88950 include/uapi/linux/swab.h | 6 +-
88951 kernel/sched/core.c | 6 +-
88952 kernel/signal.c | 3 +
88953 kernel/time.c | 2 +-
88954 kernel/timer.c | 2 +-
88955 lib/div64.c | 4 +-
88956 mm/page-writeback.c | 2 +-
88957 net/socket.c | 2 +
88958 scripts/package/builddeb | 1 +
88959 tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
88960 tools/gcc/size_overflow_plugin.c | 1072 ++--
88961 53 files changed, 6227 insertions(+), 3951 deletions(-)
88962
88963commit 09495691bb31f11ec14d9127429f9a0f3f716f22
88964Author: Brad Spengler <spender@grsecurity.net>
88965Date: Sun Mar 17 20:51:50 2013 -0400
88966
88967 fix typo
88968
88969 grsecurity/gracl.c | 2 +-
88970 1 files changed, 1 insertions(+), 1 deletions(-)
88971
88972commit deb85b00d0f9f886e264e116313f298401ec5c59
88973Author: Brad Spengler <spender@grsecurity.net>
88974Date: Sun Mar 17 20:03:33 2013 -0400
88975
88976 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
88977 with a subject applied to it with RES_CPU. Otherwise, the limit will only
88978 begin to be applied at fork time.
88979
88980 Thanks to Bjornar Ness for the report.
88981
88982 grsecurity/gracl.c | 4 ++++
88983 1 files changed, 4 insertions(+), 0 deletions(-)
88984
88985commit 2126421f123513f604ceef2b23ba9ed516de7e58
88986Author: Brad Spengler <spender@grsecurity.net>
88987Date: Sat Mar 16 22:07:43 2013 -0400
88988
88989 Move inode auditing prior to our refcnt dropping
88990
88991 fs/namei.c | 2 +-
88992 1 files changed, 1 insertions(+), 1 deletions(-)
88993
88994commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
88995Author: Brad Spengler <spender@grsecurity.net>
88996Date: Sat Mar 16 22:00:30 2013 -0400
88997
88998 Drop reference on completed path walked in RCU mode or when violating
88999 the chroot fchdir check inside a chroot -- possible culprit for a reported
89000 vfsmount_lock hang during unmount
89001
89002 fs/namei.c | 8 ++++++--
89003 1 files changed, 6 insertions(+), 2 deletions(-)
89004
89005commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
89006Author: Brad Spengler <spender@grsecurity.net>
89007Date: Sat Mar 16 16:43:45 2013 -0400
89008
89009 add user_arg_ptr back to exec.c
89010
89011 fs/exec.c | 12 ++++++++++++
89012 1 files changed, 12 insertions(+), 0 deletions(-)
89013
89014commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
89015Author: Brad Spengler <spender@grsecurity.net>
89016Date: Sat Mar 16 11:22:36 2013 -0400
89017
89018 Don't globally include compat.h -- with the new X32 support it
89019 changes some definitions involving ELF binaries resulting in invalid
89020 coredumps, as reported by KDE on the forums:
89021 http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
89022 Thanks to the PaX Team for debugging
89023
89024 fs/exec.c | 3 +++
89025 grsecurity/grsec_exec.c | 13 +++++++++++++
89026 include/linux/grsecurity.h | 15 ---------------
89027 3 files changed, 16 insertions(+), 15 deletions(-)
89028
89029commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
89030Author: Brad Spengler <spender@grsecurity.net>
89031Date: Thu Mar 14 20:59:26 2013 -0400
89032
89033 Add peer information to /proc/net/unix from Kenan Kalajdzic:
89034 http://marc.info/?l=linux-netdev&m=126745636809191&w=2
89035
89036 We use a "P" prefix to the inode number instead of "peer=". This
89037 additional information can be used, for instance, to find what processes
89038 are connected to MySQL's unix domain socket.
89039
89040 net/unix/af_unix.c | 12 +++++++++---
89041 1 files changed, 9 insertions(+), 3 deletions(-)
89042
89043commit 1cd623d11a462d151ea8a5cace4521e1724911a3
89044Author: Oliver Neukum <oneukum@suse.de>
89045Date: Tue Mar 12 14:52:42 2013 +0100
89046
89047 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
89048
89049 USB: cdc-wdm: fix buffer overflow
89050
89051 The buffer for responses must not overflow.
89052 If this would happen, set a flag, drop the data and return
89053 an error after user space has read all remaining data.
89054
89055 Signed-off-by: Oliver Neukum <oliver@neukum.org>
89056 CC: stable@kernel.org
89057 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
89058
89059 drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
89060 1 files changed, 20 insertions(+), 3 deletions(-)
89061
89062commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
89063Merge: 9cdf9bc db4cb92
89064Author: Brad Spengler <spender@grsecurity.net>
89065Date: Thu Mar 14 20:23:14 2013 -0400
89066
89067 Merge branch 'pax-test' into grsec-test
89068
89069 Conflicts:
89070 security/keys/compat.c
89071
89072commit db4cb924546e3fec3a59f78d056f48176eaf7100
89073Author: Brad Spengler <spender@grsecurity.net>
89074Date: Thu Mar 14 20:22:24 2013 -0400
89075
89076 Update to pax-linux-3.8.2-test8.patch
89077
89078 arch/arm/include/asm/cache.h | 2 ++
89079 arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
89080 arch/arm/mach-omap2/omap_device.c | 4 ++--
89081 arch/arm/mach-omap2/omap_device.h | 4 ++--
89082 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
89083 5 files changed, 19 insertions(+), 15 deletions(-)
89084
89085commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
89086Merge: 3c865f9 1a45c31
89087Author: Brad Spengler <spender@grsecurity.net>
89088Date: Thu Mar 14 20:20:54 2013 -0400
89089
89090 Merge branch 'linux-3.8.y' into pax-test
89091
89092 Conflicts:
89093 arch/arm/include/asm/delay.h
89094 arch/arm/include/asm/pgtable.h
89095 arch/arm/lib/delay.c
89096 security/keys/compat.c
89097
89098commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
89099Author: Al Viro <viro@ZenIV.linux.org.uk>
89100Date: Tue Mar 12 02:59:49 2013 +0000
89101
89102 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
89103
89104 vfs: fix pipe counter breakage
89105
89106 If you open a pipe for neither read nor write, the pipe code will not
89107 add any usage counters to the pipe, causing the 'struct pipe_inode_info"
89108 to be potentially released early.
89109
89110 That doesn't normally matter, since you cannot actually use the pipe,
89111 but the pipe release code - particularly fasync handling - still expects
89112 the actual pipe infrastructure to all be there. And rather than adding
89113 NULL pointer checks, let's just disallow this case, the same way we
89114 already do for the named pipe ("fifo") case.
89115
89116 This is ancient going back to pre-2.4 days, and until trinity, nobody
89117 naver noticed.
89118
89119 Reported-by: Dave Jones <davej@redhat.com>
89120 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
89121
89122 fs/pipe.c | 3 +++
89123 1 files changed, 3 insertions(+), 0 deletions(-)
89124
89125commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
89126Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
89127Date: Mon Feb 25 10:20:36 2013 -0500
89128
89129 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
89130
89131 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
89132
89133 Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
89134 compat_process_vm_rw() shows that the compatibility code requires an
89135 explicit "access_ok()" check before calling
89136 compat_rw_copy_check_uvector(). The same difference seems to appear when
89137 we compare fs/read_write.c:do_readv_writev() to
89138 fs/compat.c:compat_do_readv_writev().
89139
89140 This subtle difference between the compat and non-compat requirements
89141 should probably be debated, as it seems to be error-prone. In fact,
89142 there are two others sites that use this function in the Linux kernel,
89143 and they both seem to get it wrong:
89144
89145 Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
89146 also ends up calling compat_rw_copy_check_uvector() through
89147 aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
89148 be missing. Same situation for
89149 security/keys/compat.c:compat_keyctl_instantiate_key_iov().
89150
89151 I propose that we add the access_ok() check directly into
89152 compat_rw_copy_check_uvector(), so callers don't have to worry about it,
89153 and it therefore makes the compat call code similar to its non-compat
89154 counterpart. Place the access_ok() check in the same location where
89155 copy_from_user() can trigger a -EFAULT error in the non-compat code, so
89156 the ABI behaviors are alike on both compat and non-compat.
89157
89158 While we are here, fix compat_do_readv_writev() so it checks for
89159 compat_rw_copy_check_uvector() negative return values.
89160
89161 And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
89162 handling.
89163
89164 Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
89165 Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
89166 Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
89167 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
89168
89169 Conflicts:
89170
89171 security/keys/compat.c
89172
89173 fs/compat.c | 15 +++++++--------
89174 mm/process_vm_access.c | 8 --------
89175 security/keys/compat.c | 3 ++-
89176 3 files changed, 9 insertions(+), 17 deletions(-)
89177
89178commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
89179Author: Brad Spengler <spender@grsecurity.net>
89180Date: Mon Mar 11 18:38:38 2013 -0400
89181
89182 Fix leak of signal handler addresses across execve, found by Emese Revfy
89183
89184 kernel/signal.c | 3 +++
89185 1 files changed, 3 insertions(+), 0 deletions(-)
89186
89187commit 79b130c4b11c7940daf2b33d653a17666331c634
89188Merge: 6480ce9 3c865f9
89189Author: Brad Spengler <spender@grsecurity.net>
89190Date: Sun Mar 10 20:04:03 2013 -0400
89191
89192 Merge branch 'pax-test' into grsec-test
89193
89194commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
89195Author: Brad Spengler <spender@grsecurity.net>
89196Date: Sun Mar 10 20:03:12 2013 -0400
89197
89198 Update to pax-linux-3.8.2-test7.patch:
89199 - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
89200 - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
89201
89202 fs/binfmt_elf.c | 3 ++-
89203 fs/exec.c | 3 +++
89204 include/linux/mm_types.h | 2 +-
89205 init/main.c | 4 ++--
89206 mm/mmap.c | 2 +-
89207 mm/page_alloc.c | 4 ++--
89208 tools/gcc/latent_entropy_plugin.c | 11 +++++++----
89209 7 files changed, 18 insertions(+), 11 deletions(-)
89210
89211commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
89212Merge: 4a5305e 25b3569
89213Author: Brad Spengler <spender@grsecurity.net>
89214Date: Sun Mar 10 10:41:16 2013 -0400
89215
89216 Merge branch 'pax-test' into grsec-test
89217
89218commit 25b356980568bed9958315bb5a551fdc610055ed
89219Author: Brad Spengler <spender@grsecurity.net>
89220Date: Sun Mar 10 10:40:48 2013 -0400
89221
89222 Update to pax-linux-3.8.2-test6.patch:
89223 - fixed a KERNEXEC false positive on arm reported by Gu1
89224 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
89225 - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
89226 - added fix from spender for some namespace breakage reported by zakalwe
89227 - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
89228
89229 Documentation/kernel-parameters.txt | 5 +++++
89230 arch/arm/kernel/patch.c | 2 ++
89231 arch/x86/kernel/sys_i386_32.c | 5 +++--
89232 drivers/acpi/blacklist.c | 2 +-
89233 drivers/video/aty/mach64_cursor.c | 1 +
89234 init/main.c | 4 ----
89235 mm/page_alloc.c | 27 +++++++++++++++++++++++++++
89236 net/ipv4/ip_fragment.c | 2 +-
89237 security/Kconfig | 5 +++++
89238 tools/gcc/latent_entropy_plugin.c | 7 +++++--
89239 10 files changed, 50 insertions(+), 10 deletions(-)
89240
89241commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
89242Author: Brad Spengler <spender@grsecurity.net>
89243Date: Sat Mar 9 11:19:06 2013 -0500
89244
89245 From: Mathias Krause <minipli@googlemail.com>
89246 To: "David S. Miller" <davem@davemloft.net>
89247 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
89248 Stephen Hemminger <stephen@networkplumber.org>
89249 Subject: [PATCH 1/3] bridge: fix mdb info leaks
89250 Date: Sat, 9 Mar 2013 16:52:19 +0100
89251
89252 The bridging code discloses heap and stack bytes via the RTM_GETMDB
89253 netlink interface and via the notify messages send to group RTNLGRP_MDB
89254 afer a successful add/del.
89255
89256 Fix both cases by initializing all unset members/padding bytes with
89257 memset(0).
89258
89259 Cc: Stephen Hemminger <stephen@networkplumber.org>
89260 Signed-off-by: Mathias Krause <minipli@googlemail.com>
89261
89262 From: Mathias Krause <minipli@googlemail.com>
89263 To: "David S. Miller" <davem@davemloft.net>
89264 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
89265 Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
89266 Date: Sat, 9 Mar 2013 16:52:20 +0100
89267
89268 Initialize the mac address buffer with 0 as the driver specific function
89269 will probably not fill the whole buffer. In fact, all in-kernel drivers
89270 fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
89271 bytes. Therefore we currently leak 26 bytes of stack memory to userland
89272 via the netlink interface.
89273
89274 Signed-off-by: Mathias Krause <minipli@googlemail.com>
89275
89276 From: Mathias Krause <minipli@googlemail.com>
89277 To: "David S. Miller" <davem@davemloft.net>
89278 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
89279 Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
89280 Date: Sat, 9 Mar 2013 16:52:21 +0100
89281
89282 The dcb netlink interface leaks stack memory in various places:
89283 * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
89284 copied completely,
89285 * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
89286 so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
89287 for ieee_pfc structs, etc.,
89288 * the same is true for CEE -- no in-kernel driver fills the whole
89289 struct,
89290
89291 Prevent all of the above stack info leaks by properly initializing the
89292 buffers/structures involved.
89293
89294 Signed-off-by: Mathias Krause <minipli@googlemail.com>
89295
89296 net/bridge/br_mdb.c | 4 ++++
89297 net/core/rtnetlink.c | 1 +
89298 net/dcb/dcbnl.c | 8 ++++++++
89299 3 files changed, 13 insertions(+), 0 deletions(-)
89300
89301commit 601dd446f896e3a362f706943df18a68d50420a1
89302Author: Brad Spengler <spender@grsecurity.net>
89303Date: Sat Mar 9 09:35:25 2013 -0500
89304
89305 add open/close wrappers in __patch_text() as reported by Gu1 on IRC
89306
89307 arch/arm/kernel/patch.c | 2 ++
89308 1 files changed, 2 insertions(+), 0 deletions(-)
89309
89310commit ae39966fd85a493e9079b357e3faa62245a41222
89311Author: Peter Hurley <peter@hurleysoftware.com>
89312Date: Fri Mar 8 12:43:27 2013 -0800
89313
89314 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
89315
89316 ipc: don't allocate a copy larger than max
89317
89318 When MSG_COPY is set, a duplicate message must be allocated for the copy
89319 before locking the queue. However, the copy could not be larger than was
89320 sent which is limited to msg_ctlmax.
89321
89322 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
89323 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
89324 Cc: <stable@vger.kernel.org>
89325 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
89326 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
89327
89328 ipc/msg.c | 6 ++++--
89329 1 files changed, 4 insertions(+), 2 deletions(-)
89330
89331commit 61240e99650ea3e540a03a3e994349c5086f166b
89332Author: Peter Hurley <peter@hurleysoftware.com>
89333Date: Fri Mar 8 12:43:26 2013 -0800
89334
89335 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
89336
89337 ipc: fix potential oops when src msg > 4k w/ MSG_COPY
89338
89339 If the src msg is > 4k, then dest->next points to the
89340 next allocated segment; resetting it just prior to dereferencing
89341 is bad.
89342
89343 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
89344 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
89345 Cc: <stable@vger.kernel.org>
89346 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
89347 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
89348
89349 ipc/msgutil.c | 3 ---
89350 1 files changed, 0 insertions(+), 3 deletions(-)
89351
89352commit 51727f602a267f34fb2e0dc9557f1714028d51a2
89353Author: Brad Spengler <spender@grsecurity.net>
89354Date: Fri Mar 8 22:14:06 2013 -0500
89355
89356 add missing 'else' in recent constify fixups
89357
89358 net/ipv4/ip_fragment.c | 2 +-
89359 1 files changed, 1 insertions(+), 1 deletions(-)
89360
89361commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
89362Merge: 1580bb3 47c3f47
89363Author: Brad Spengler <spender@grsecurity.net>
89364Date: Fri Mar 8 18:18:37 2013 -0500
89365
89366 Merge branch 'pax-test' into grsec-test
89367
89368commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
89369Author: Brad Spengler <spender@grsecurity.net>
89370Date: Fri Mar 8 18:17:22 2013 -0500
89371
89372 Update to pax-linux-3.8.2-test5.patch:
89373 - fixed some fallout after the last round of constification changes, reported by several people
89374
89375 arch/arm/common/gic.c | 4 ++--
89376 arch/arm/include/asm/hardware/gic.h | 3 ++-
89377 arch/x86/include/asm/nmi.h | 2 +-
89378 arch/x86/kernel/nmi.c | 2 +-
89379 arch/x86/pci/irq.c | 2 +-
89380 drivers/base/power/domain.c | 4 ++--
89381 drivers/cpufreq/cpufreq_governor.c | 4 ++--
89382 drivers/mfd/twl4030-irq.c | 1 +
89383 drivers/video/vesafb.c | 7 +++++--
89384 include/linux/irq.h | 1 +
89385 include/linux/pm_domain.h | 2 +-
89386 kernel/sched/core.c | 4 ++++
89387 lib/Kconfig.debug | 4 ++--
89388 net/core/sysctl_net_core.c | 2 +-
89389 net/decnet/af_decnet.c | 1 +
89390 net/ipv4/devinet.c | 2 +-
89391 net/ipv4/ip_fragment.c | 2 +-
89392 net/ipv4/route.c | 2 +-
89393 net/ipv4/sysctl_net_ipv4.c | 2 +-
89394 net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
89395 net/ipv6/reassembly.c | 2 +-
89396 scripts/sortextable.h | 6 +++---
89397 22 files changed, 36 insertions(+), 25 deletions(-)
89398
89399commit 1580bb38b4db0bf2a46316599815e8b234edad81
89400Author: Brad Spengler <spender@grsecurity.net>
89401Date: Thu Mar 7 22:02:59 2013 -0500
89402
89403 add an additional open/close wrapper
89404
89405 kernel/sched/core.c | 2 ++
89406 1 files changed, 2 insertions(+), 0 deletions(-)
89407
89408commit 21622672d28d58e0d93a805cd1f9650a894a752a
89409Author: Brad Spengler <spender@grsecurity.net>
89410Date: Thu Mar 7 21:58:24 2013 -0500
89411
89412 fix oops at shutdown with new constify code
89413
89414 kernel/sched/core.c | 2 ++
89415 1 files changed, 2 insertions(+), 0 deletions(-)
89416
89417commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
89418Author: Brad Spengler <spender@grsecurity.net>
89419Date: Thu Mar 7 21:18:44 2013 -0500
89420
89421 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
89422 it currently conflicts with some lock debugging options, so made as an
89423 option to allow for debugging when necessary
89424
89425 Makefile | 2 --
89426 lib/Kconfig.debug | 6 +++---
89427 security/Kconfig | 18 ++++++++++++++++++
89428 3 files changed, 21 insertions(+), 5 deletions(-)
89429
89430commit 0885b00b8373a1597b69c38032a0c9eee279303b
89431Author: Brad Spengler <spender@grsecurity.net>
89432Date: Thu Mar 7 20:55:19 2013 -0500
89433
89434 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
89435
89436 lib/Kconfig.debug | 2 +-
89437 1 files changed, 1 insertions(+), 1 deletions(-)
89438
89439commit c8a2617165e7127a54f293cbf57d22d50dd83abd
89440Author: Brad Spengler <spender@grsecurity.net>
89441Date: Thu Mar 7 20:30:41 2013 -0500
89442
89443 Fix error:
89444 drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
89445 with cast and proper kernexec accessors
89446
89447 drivers/video/vesafb.c | 7 +++++--
89448 1 files changed, 5 insertions(+), 2 deletions(-)
89449
89450commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
89451Author: Brad Spengler <spender@grsecurity.net>
89452Date: Thu Mar 7 20:20:28 2013 -0500
89453
89454 fix typo
89455
89456 grsecurity/gracl.c | 2 +-
89457 1 files changed, 1 insertions(+), 1 deletions(-)
89458
89459commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
89460Author: Brad Spengler <spender@grsecurity.net>
89461Date: Thu Mar 7 20:12:17 2013 -0500
89462
89463 fix compilation error -- no reason for task_pid_nr to not take a const task ptr
89464
89465 include/linux/sched.h | 2 +-
89466 1 files changed, 1 insertions(+), 1 deletions(-)
89467
89468commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
89469Author: Kees Cook <keescook@chromium.org>
89470Date: Mon Feb 25 21:32:25 2013 +0000
89471
89472 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
89473
89474 proc connector: reject unprivileged listener bumps
89475
89476 While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
89477 for an unprivileged user to turn off notifications for all listeners by
89478 sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
89479 required for a multicast bind.
89480
89481 Signed-off-by: Kees Cook <keescook@chromium.org>
89482 Cc: Evgeniy Polyakov <zbr@ioremap.net>
89483 Cc: Matt Helsley <matthltc@us.ibm.com>
89484 Cc: stable@vger.kernel.org
89485 Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
89486 Acked-by: Matt Helsley <matthltc@us.ibm.com>
89487 Signed-off-by: David S. Miller <davem@davemloft.net>
89488
89489 drivers/connector/cn_proc.c | 8 ++++++++
89490 1 files changed, 8 insertions(+), 0 deletions(-)
89491
89492commit ac6014ded57101e3e608941555ff507e20c1ece3
89493Author: Dan Carpenter <dan.carpenter@oracle.com>
89494Date: Tue Feb 26 19:15:02 2013 +0000
89495
89496 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
89497
89498 irda: small read beyond end of array in debug code
89499
89500 charset comes from skb->data. It's a number in the 0-255 range.
89501 If we have debugging turned on then this could cause a read beyond
89502 the end of the array.
89503
89504 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
89505 Signed-off-by: David S. Miller <davem@davemloft.net>
89506
89507 net/irda/iriap.c | 7 +++++--
89508 1 files changed, 5 insertions(+), 2 deletions(-)
89509
89510commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
89511Author: Guenter Roeck <linux@roeck-us.net>
89512Date: Wed Feb 27 10:57:31 2013 +0000
89513
89514 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
89515
89516 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
89517
89518 Building sctp may fail with:
89519
89520 In function ‘copy_from_user’,
89521 inlined from ‘sctp_getsockopt_assoc_stats’ at
89522 net/sctp/socket.c:5656:20:
89523 arch/x86/include/asm/uaccess_32.h:211:26: error: call to
89524 ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
89525 buffer size is not provably correct
89526
89527 if built with W=1 due to a missing parameter size validation
89528 before the call to copy_from_user.
89529
89530 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
89531 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
89532 Signed-off-by: David S. Miller <davem@davemloft.net>
89533
89534 net/sctp/socket.c | 6 +++---
89535 1 files changed, 3 insertions(+), 3 deletions(-)
89536
89537commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
89538Author: Guillaume Nault <g.nault@alphalink.fr>
89539Date: Fri Mar 1 05:02:02 2013 +0000
89540
89541 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
89542
89543 l2tp: Restore socket refcount when sendmsg succeeds
89544
89545 The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
89546 reference counter after successful transmissions. Any successful
89547 sendmsg() call from userspace will then increase the reference counter
89548 forever, thus preventing the kernel's session and tunnel data from
89549 being freed later on.
89550
89551 The problem only happens when writing directly on L2TP sockets.
89552 PPP sockets attached to L2TP are unaffected as the PPP subsystem
89553 uses pppol2tp_xmit() which symmetrically increase/decrease reference
89554 counters.
89555
89556 This patch adds the missing call to sock_put() before returning from
89557 pppol2tp_sendmsg().
89558
89559 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
89560 Signed-off-by: David S. Miller <davem@davemloft.net>
89561
89562 net/l2tp/l2tp_ppp.c | 1 +
89563 1 files changed, 1 insertions(+), 0 deletions(-)
89564
89565commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
89566Author: Cong Wang <amwang@redhat.com>
89567Date: Sun Mar 3 16:18:11 2013 +0000
89568
89569 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
89570
89571 rds: limit the size allocated by rds_message_alloc()
89572
89573 Dave Jones reported the following bug:
89574
89575 "When fed mangled socket data, rds will trust what userspace gives it,
89576 and tries to allocate enormous amounts of memory larger than what
89577 kmalloc can satisfy."
89578
89579 WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
89580 Hardware name: GA-MA78GM-S2H
89581 Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
89582 Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
89583 Call Trace:
89584 [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
89585 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
89586 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
89587 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
89588 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
89589 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
89590 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
89591 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
89592 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
89593 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
89594 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
89595 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
89596 [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
89597 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
89598 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
89599 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
89600 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
89601 [<ffffffff81567f30>] sys_sendto+0x130/0x180
89602 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
89603 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
89604 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
89605 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
89606 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
89607 [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
89608 ---[ end trace eed6ae990d018c8b ]---
89609
89610 Reported-by: Dave Jones <davej@redhat.com>
89611 Cc: Dave Jones <davej@redhat.com>
89612 Cc: David S. Miller <davem@davemloft.net>
89613 Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
89614 Signed-off-by: Cong Wang <amwang@redhat.com>
89615 Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
89616 Signed-off-by: David S. Miller <davem@davemloft.net>
89617
89618 net/rds/message.c | 3 +++
89619 1 files changed, 3 insertions(+), 0 deletions(-)
89620
89621commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
89622Author: Cong Wang <amwang@redhat.com>
89623Date: Sun Mar 3 16:28:27 2013 +0000
89624
89625 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
89626
89627 sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
89628
89629 Don't definite its own MAX_KMALLOC_SIZE, use the one
89630 defined in mm.
89631
89632 Cc: Vlad Yasevich <vyasevich@gmail.com>
89633 Cc: Sridhar Samudrala <sri@us.ibm.com>
89634 Cc: Neil Horman <nhorman@tuxdriver.com>
89635 Cc: David S. Miller <davem@davemloft.net>
89636 Signed-off-by: Cong Wang <amwang@redhat.com>
89637 Acked-by: Neil Horman <nhorman@tuxdriver.com>
89638 Signed-off-by: David S. Miller <davem@davemloft.net>
89639
89640 net/sctp/ssnmap.c | 8 +++-----
89641 1 files changed, 3 insertions(+), 5 deletions(-)
89642
89643commit 4295a024e812f903fc580c81de5e81cc149503fa
89644Author: Brad Spengler <spender@grsecurity.net>
89645Date: Thu Mar 7 17:57:49 2013 -0500
89646
89647 Upstream commit: https://lkml.org/lkml/2013/3/6/535
89648
89649 security/keys/process_keys.c | 2 +-
89650 1 files changed, 1 insertions(+), 1 deletions(-)
89651
89652commit 33edd486a9899a145a15586d7134636b0300aaee
89653Merge: 4eeeaf3 a2a2094
89654Author: Brad Spengler <spender@grsecurity.net>
89655Date: Thu Mar 7 17:53:00 2013 -0500
89656
89657 Merge branch 'pax-test' into grsec-test
89658
89659 Conflicts:
89660 arch/arm/include/asm/domain.h
89661
89662commit a2a20947f5e1332e474160a39af520738b3c8c19
89663Author: Brad Spengler <spender@grsecurity.net>
89664Date: Thu Mar 7 17:51:04 2013 -0500
89665
89666 Update to pax-linux-3.8.2-test4.patch:
89667 fixed arm compilation problems reported by Michael Tremer
89668 - the constify plugin got smarter that enabled, with some additional patching,
89669 the elimination of about half the static function pointers on amd64/allmod
89670 (up from about 18%), depending on the kernel config it can be even more (70%)
89671
89672 Documentation/dontdiff | 2 +
89673 arch/arm/include/asm/domain.h | 1 +
89674 arch/x86/include/asm/i8259.h | 2 +-
89675 arch/x86/include/asm/nmi.h | 4 +-
89676 arch/x86/kernel/acpi/boot.c | 4 +-
89677 arch/x86/kernel/apic/apic_noop.c | 2 +-
89678 arch/x86/kernel/apic/es7000_32.c | 2 +-
89679 arch/x86/kernel/apic/io_apic.c | 10 +-
89680 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
89681 arch/x86/kernel/cpu/perf_event.c | 6 +-
89682 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
89683 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
89684 arch/x86/kernel/i8259.c | 6 +-
89685 arch/x86/kernel/io_delay.c | 2 +-
89686 arch/x86/kernel/nmi.c | 6 +-
89687 arch/x86/kernel/nmi_selftest.c | 4 +-
89688 arch/x86/kernel/pci-swiotlb.c | 2 +-
89689 arch/x86/oprofile/nmi_int.c | 8 +-
89690 arch/x86/oprofile/op_model_amd.c | 8 +-
89691 arch/x86/oprofile/op_model_ppro.c | 7 +-
89692 arch/x86/oprofile/op_x86_model.h | 2 +-
89693 arch/x86/pci/irq.c | 6 +-
89694 drivers/acpi/apei/apei-internal.h | 2 +-
89695 drivers/acpi/bgrt.c | 6 +-
89696 drivers/acpi/blacklist.c | 2 +-
89697 drivers/acpi/processor_idle.c | 2 +-
89698 drivers/acpi/sysfs.c | 4 +-
89699 drivers/base/bus.c | 4 +-
89700 drivers/base/node.c | 2 +-
89701 drivers/base/syscore.c | 4 +-
89702 drivers/block/drbd/drbd_receiver.c | 4 +-
89703 drivers/char/random.c | 2 +-
89704 drivers/cpufreq/acpi-cpufreq.c | 20 ++-
89705 drivers/cpufreq/cpufreq.c | 7 +-
89706 drivers/cpufreq/cpufreq_governor.c | 4 +-
89707 drivers/cpufreq/cpufreq_governor.h | 2 +-
89708 drivers/cpufreq/p4-clockmod.c | 12 +-
89709 drivers/cpufreq/speedstep-centrino.c | 7 +-
89710 drivers/cpuidle/cpuidle.c | 2 +-
89711 drivers/cpuidle/governor.c | 4 +-
89712 drivers/cpuidle/sysfs.c | 2 +-
89713 drivers/devfreq/devfreq.c | 4 +-
89714 drivers/edac/edac_mc_sysfs.c | 2 +-
89715 drivers/edac/edac_pci_sysfs.c | 2 +-
89716 drivers/firewire/core-device.c | 2 +-
89717 drivers/firmware/dmi-id.c | 2 +-
89718 drivers/firmware/efivars.c | 2 +-
89719 drivers/firmware/google/memconsole.c | 4 +-
89720 drivers/gpio/gpio-ich.c | 2 +-
89721 drivers/gpu/drm/drm_drv.c | 2 +-
89722 drivers/gpu/drm/drm_ioc32.c | 9 +-
89723 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
89724 drivers/gpu/drm/i915/intel_display.c | 26 ++-
89725 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
89726 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
89727 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
89728 drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
89729 drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
89730 drivers/gpu/drm/udl/udl_fb.c | 1 -
89731 drivers/hwmon/acpi_power_meter.c | 4 +-
89732 drivers/hwmon/applesmc.c | 2 +-
89733 drivers/hwmon/asus_atk0110.c | 10 +-
89734 drivers/hwmon/ibmaem.c | 2 +-
89735 drivers/hwmon/pmbus/pmbus_core.c | 2 +-
89736 drivers/iio/industrialio-core.c | 2 +-
89737 drivers/input/mouse/psmouse.h | 2 +-
89738 drivers/iommu/iommu.c | 2 +-
89739 drivers/leds/leds-clevo-mail.c | 2 +-
89740 drivers/leds/leds-ss4200.c | 2 +-
89741 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
89742 drivers/mfd/twl4030-irq.c | 8 +-
89743 drivers/mfd/twl6030-irq.c | 10 +-
89744 drivers/misc/c2port/core.c | 4 +-
89745 drivers/mtd/sm_ftl.c | 2 +-
89746 drivers/net/bonding/bond_main.c | 2 +-
89747 drivers/net/macvlan.c | 16 +-
89748 drivers/net/vxlan.c | 2 +-
89749 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
89750 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
89751 drivers/pci/hotplug/pciehp_core.c | 2 +-
89752 drivers/pci/pci-sysfs.c | 6 +-
89753 drivers/pci/pci.h | 2 +-
89754 drivers/platform/x86/msi-laptop.c | 14 +-
89755 drivers/platform/x86/sony-laptop.c | 2 +-
89756 drivers/power/power_supply.h | 4 +-
89757 drivers/power/power_supply_core.c | 6 +-
89758 drivers/power/power_supply_sysfs.c | 6 +-
89759 drivers/rtc/rtc-cmos.c | 4 +-
89760 drivers/rtc/rtc-ds1307.c | 2 +-
89761 drivers/rtc/rtc-m48t59.c | 4 +-
89762 drivers/scsi/bfa/bfa.h | 2 +-
89763 drivers/staging/iio/iio_hwmon.c | 2 +-
89764 drivers/usb/storage/usb.h | 2 +-
89765 drivers/video/aty/atyfb_base.c | 8 +-
89766 drivers/video/aty/mach64_cursor.c | 4 +-
89767 drivers/video/backlight/kb3886_bl.c | 2 +-
89768 drivers/video/fb_defio.c | 6 +-
89769 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
89770 drivers/video/nvidia/nvidia.c | 27 ++-
89771 drivers/video/s1d13xxxfb.c | 6 +-
89772 drivers/video/smscufx.c | 4 +-
89773 drivers/video/udlfb.c | 4 +-
89774 drivers/video/uvesafb.c | 14 +-
89775 fs/exec.c | 6 +-
89776 fs/ext4/super.c | 2 +-
89777 fs/jfs/super.c | 4 +-
89778 fs/nfs/callback_xdr.c | 2 +-
89779 fs/nfsd/nfs4proc.c | 2 +-
89780 fs/nfsd/nfs4xdr.c | 6 +-
89781 fs/nls/nls_base.c | 18 +-
89782 fs/nls/nls_euc-jp.c | 6 +-
89783 fs/nls/nls_koi8-ru.c | 6 +-
89784 fs/proc/proc_sysctl.c | 18 +-
89785 include/drm/drmP.h | 12 +-
89786 include/keys/asymmetric-subtype.h | 2 +-
89787 include/linux/atmdev.h | 2 +-
89788 include/linux/binfmts.h | 2 +-
89789 include/linux/configfs.h | 2 +-
89790 include/linux/cpufreq.h | 3 +-
89791 include/linux/cpuidle.h | 5 +-
89792 include/linux/devfreq.h | 2 +-
89793 include/linux/device.h | 7 +-
89794 include/linux/extcon.h | 2 +-
89795 include/linux/fb.h | 2 +-
89796 include/linux/fscache.h | 2 +-
89797 include/linux/genl_magic_func.h | 2 +-
89798 include/linux/hwmon-sysfs.h | 5 +-
89799 include/linux/iommu.h | 2 +-
89800 include/linux/irq.h | 2 +-
89801 include/linux/key-type.h | 2 +-
89802 include/linux/kobject.h | 1 +
89803 include/linux/kobject_ns.h | 2 +-
89804 include/linux/list.h | 14 +-
89805 include/linux/mod_devicetable.h | 2 +-
89806 include/linux/module.h | 5 +-
89807 include/linux/net.h | 2 +-
89808 include/linux/netfilter.h | 2 +-
89809 include/linux/nls.h | 2 +-
89810 include/linux/pci_hotplug.h | 3 +-
89811 include/linux/platform_data/usb-exynos.h | 2 +-
89812 include/linux/pnp.h | 2 +-
89813 include/linux/ppp-comp.h | 2 +-
89814 include/linux/rculist.h | 16 ++
89815 include/linux/sched.h | 2 +-
89816 include/linux/sock_diag.h | 2 +-
89817 include/linux/sunrpc/clnt.h | 2 +-
89818 include/linux/sunrpc/svc.h | 2 +-
89819 include/linux/sunrpc/svcauth.h | 2 +-
89820 include/linux/swiotlb.h | 3 +-
89821 include/linux/syscore_ops.h | 2 +-
89822 include/linux/sysctl.h | 6 +-
89823 include/linux/sysfs.h | 10 +-
89824 include/linux/sysrq.h | 1 +
89825 include/linux/xattr.h | 2 +-
89826 include/net/9p/transport.h | 2 +-
89827 include/net/bluetooth/l2cap.h | 2 +-
89828 include/net/genetlink.h | 2 +-
89829 include/net/ip.h | 2 +-
89830 include/net/ip_vs.h | 4 +-
89831 include/net/llc_c_ac.h | 2 +-
89832 include/net/llc_c_ev.h | 4 +-
89833 include/net/llc_c_st.h | 2 +-
89834 include/net/llc_s_ac.h | 2 +-
89835 include/net/llc_s_st.h | 2 +-
89836 include/net/mac80211.h | 2 +-
89837 include/net/net_namespace.h | 2 +-
89838 include/net/netns/conntrack.h | 6 +-
89839 include/net/rtnetlink.h | 2 +-
89840 include/net/sctp/sm.h | 4 +-
89841 include/net/sctp/structs.h | 2 +-
89842 include/net/xfrm.h | 4 +-
89843 ipc/ipc_sysctl.c | 10 +-
89844 ipc/mq_sysctl.c | 2 +-
89845 kernel/kmod.c | 2 +-
89846 kernel/ksysfs.c | 2 +-
89847 kernel/module.c | 4 +-
89848 kernel/pid_namespace.c | 2 +-
89849 kernel/rcutree_plugin.h | 2 +-
89850 kernel/sched/core.c | 39 ++--
89851 kernel/smpboot.c | 4 +-
89852 kernel/softirq.c | 2 +-
89853 kernel/sysctl.c | 2 +-
89854 kernel/utsname_sysctl.c | 2 +-
89855 kernel/watchdog.c | 2 +-
89856 lib/Kconfig.debug | 2 +-
89857 lib/kobject.c | 4 +-
89858 lib/list_debug.c | 57 ++++-
89859 lib/swiotlb.c | 2 +-
89860 mm/hugetlb.c | 16 +-
89861 mm/memory-failure.c | 2 +-
89862 mm/slab_common.c | 2 +-
89863 net/9p/mod.c | 4 +-
89864 net/ax25/sysctl_net_ax25.c | 2 +-
89865 net/core/neighbour.c | 2 +-
89866 net/core/net-sysfs.c | 2 +-
89867 net/core/net_namespace.c | 8 +-
89868 net/core/rtnetlink.c | 11 +-
89869 net/core/sock_diag.c | 9 +-
89870 net/core/sysctl_net_core.c | 15 +-
89871 net/ipv4/af_inet.c | 8 +-
89872 net/ipv4/devinet.c | 12 +-
89873 net/ipv4/inet_connection_sock.c | 2 +-
89874 net/ipv4/ip_fragment.c | 9 +-
89875 net/ipv4/ip_gre.c | 6 +-
89876 net/ipv4/ip_vti.c | 4 +-
89877 net/ipv4/ipip.c | 4 +-
89878 net/ipv4/route.c | 14 +-
89879 net/ipv4/sysctl_net_ipv4.c | 43 ++--
89880 net/ipv6/addrconf.c | 4 +-
89881 net/ipv6/icmp.c | 2 +-
89882 net/ipv6/ip6_gre.c | 6 +-
89883 net/ipv6/ip6_tunnel.c | 4 +-
89884 net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
89885 net/ipv6/reassembly.c | 11 +-
89886 net/ipv6/route.c | 2 +-
89887 net/ipv6/sit.c | 4 +-
89888 net/ipv6/sysctl_net_ipv6.c | 2 +-
89889 net/netfilter/ipset/ip_set_core.c | 2 +-
89890 net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
89891 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
89892 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
89893 net/netfilter/nf_conntrack_acct.c | 2 +-
89894 net/netfilter/nf_conntrack_ecache.c | 2 +-
89895 net/netfilter/nf_conntrack_helper.c | 2 +-
89896 net/netfilter/nf_conntrack_proto.c | 2 +-
89897 net/netfilter/nf_conntrack_standalone.c | 2 +-
89898 net/netfilter/nf_conntrack_timestamp.c | 2 +-
89899 net/netfilter/nf_log.c | 10 +-
89900 net/netfilter/nf_sockopt.c | 4 +-
89901 net/netlink/genetlink.c | 16 +-
89902 net/phonet/sysctl.c | 2 +-
89903 net/rds/rds.h | 2 +-
89904 net/sctp/ipv6.c | 6 +-
89905 net/sctp/protocol.c | 10 +-
89906 net/sctp/sm_sideeffect.c | 2 +-
89907 net/sctp/sysctl.c | 4 +-
89908 net/sunrpc/clnt.c | 4 +-
89909 net/sunrpc/svc.c | 4 +-
89910 net/unix/sysctl_net_unix.c | 2 +-
89911 net/xfrm/xfrm_policy.c | 11 +-
89912 net/xfrm/xfrm_state.c | 29 ++-
89913 net/xfrm/xfrm_sysctl.c | 2 +-
89914 security/apparmor/lsm.c | 2 +-
89915 security/keys/key.c | 18 +-
89916 security/yama/yama_lsm.c | 22 +-
89917 tools/gcc/Makefile | 4 +-
89918 tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
89919 tools/gcc/size_overflow_plugin.c | 7 +-
89920 248 files changed, 994 insertions(+), 668 deletions(-)
89921
89922commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
89923Author: Brad Spengler <spender@grsecurity.net>
89924Date: Wed Mar 6 12:58:21 2013 -0500
89925
89926 Make slab_state __read_only, it's only written to during init
89927
89928 mm/slab_common.c | 2 +-
89929 1 files changed, 1 insertions(+), 1 deletions(-)
89930
89931commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
89932Author: Brad Spengler <spender@grsecurity.net>
89933Date: Wed Mar 6 12:31:35 2013 -0500
89934
89935 Make two new helper functions:
89936 gr_is_global_root() and gr_is_global_nonroot()
89937
89938 grsecurity/gracl.c | 10 +++++-----
89939 grsecurity/gracl_segv.c | 2 +-
89940 grsecurity/grsec_link.c | 4 ++--
89941 grsecurity/grsec_sig.c | 10 +++++-----
89942 grsecurity/grsec_tpe.c | 6 +++---
89943 include/linux/uidgid.h | 2 ++
89944 6 files changed, 18 insertions(+), 16 deletions(-)
89945
89946commit d45d88eddd4998b280b1e5b5384289ee11ca7088
89947Author: Brad Spengler <spender@grsecurity.net>
89948Date: Wed Mar 6 12:14:41 2013 -0500
89949
89950 convert remaining task->pid to task_pid_nr(task)
89951
89952 grsecurity/gracl.c | 22 +++++++++++-----------
89953 grsecurity/gracl_shm.c | 2 +-
89954 grsecurity/grsec_chroot.c | 4 ++--
89955 grsecurity/grsec_sig.c | 4 ++--
89956 4 files changed, 16 insertions(+), 16 deletions(-)
89957
89958commit c877f2ece03ee2232dd281c1977ae59507297124
89959Author: Brad Spengler <spender@grsecurity.net>
89960Date: Tue Mar 5 17:29:54 2013 -0500
89961
89962 compat-log is only used anymore by vm86-on-64bit and allows unlimited
89963 spamming of the kernel log buffer (and since it includes the changable
89964 process name, can avoid syslog log deduplication)
89965 Turn it off by default
89966
89967 fs/compat.c | 2 +-
89968 1 files changed, 1 insertions(+), 1 deletions(-)
89969
89970commit 7c1964c4b7276889d7967bee70e46918cdca1b14
89971Author: Brad Spengler <spender@grsecurity.net>
89972Date: Mon Mar 4 17:19:10 2013 -0500
89973
89974 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
89975 is enabled, introduced with recent userns support
89976
89977 init/main.c | 4 ++--
89978 1 files changed, 2 insertions(+), 2 deletions(-)
89979
89980commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
89981Author: Brad Spengler <spender@grsecurity.net>
89982Date: Sun Mar 3 18:46:12 2013 -0500
89983
89984 Prevent TOMOYO from auto-loading modules by unprivileged users
89985 (Only reachable if TOMOYO is actually used)
89986
89987 security/tomoyo/mount.c | 4 ++++
89988 1 files changed, 4 insertions(+), 0 deletions(-)
89989
89990commit 79e142f9455b398759ff9d93d4963a21b98dddda
89991Author: Brad Spengler <spender@grsecurity.net>
89992Date: Sun Mar 3 18:28:45 2013 -0500
89993
89994 For now, don't permit any special access to /proc in a user namespace
89995 Later we can go back and allow a userns-uid0 special access to a /proc
89996 with a non-global pid namespace
89997
89998 fs/proc/base.c | 2 +-
89999 1 files changed, 1 insertions(+), 1 deletions(-)
90000
90001commit 8b91fb393049ce5f3c0a86f62247409853fd9700
90002Merge: d931eb8 603ef05
90003Author: Brad Spengler <spender@grsecurity.net>
90004Date: Sun Mar 3 17:42:09 2013 -0500
90005
90006 Merge branch 'pax-test' into grsec-test
90007
90008commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
90009Author: Brad Spengler <spender@grsecurity.net>
90010Date: Sun Mar 3 17:41:31 2013 -0500
90011
90012 Fix compilation error on ARM reported by Michael Tremer
90013
90014 arch/arm/mach-omap2/wd_timer.c | 6 +++---
90015 1 files changed, 3 insertions(+), 3 deletions(-)
90016
90017commit b4c9ce81fdd7839a150c97873c710c479e788280
90018Author: Brad Spengler <spender@grsecurity.net>
90019Date: Sun Mar 3 17:39:53 2013 -0500
90020
90021 Fix compilation error on ARM reported by Michael Tremer
90022
90023 arch/arm/kernel/armksyms.c | 2 +-
90024 1 files changed, 1 insertions(+), 1 deletions(-)
90025
90026commit d931eb81ab3da46896268fd61373a6aa7bbea930
90027Merge: bfa7f44 5948f93
90028Author: Brad Spengler <spender@grsecurity.net>
90029Date: Sun Mar 3 17:34:36 2013 -0500
90030
90031 Merge branch 'pax-test' into grsec-test
90032
90033commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
90034Merge: ab30472 19b00d2
90035Author: Brad Spengler <spender@grsecurity.net>
90036Date: Sun Mar 3 17:34:08 2013 -0500
90037
90038 Merge branch 'linux-3.8.y' into pax-test
90039
90040commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
90041Author: Brad Spengler <spender@grsecurity.net>
90042Date: Sun Mar 3 15:12:12 2013 -0500
90043
90044 Initial support for user namespaces, as we previously didn't allow
90045 the option to be enabled at all.
90046
90047 RBAC will act on the global uids/gids only, so all uids/gids in user
90048 namespaces will be converted
90049
90050 Because Eric Biederman is insulted that I didn't support his
90051 backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
90052 check in for user namespaces, so this is generally irrelevant.
90053
90054 fs/exec.c | 6 +-
90055 fs/proc/base.c | 2 +-
90056 fs/proc/proc_net.c | 4 +-
90057 grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
90058 grsecurity/gracl_cap.c | 4 +-
90059 grsecurity/gracl_ip.c | 16 +++---
90060 grsecurity/gracl_segv.c | 12 +++-
90061 grsecurity/gracl_shm.c | 4 +-
90062 grsecurity/grsec_disabled.c | 10 ++--
90063 grsecurity/grsec_fifo.c | 6 +-
90064 grsecurity/grsec_init.c | 24 ++++----
90065 grsecurity/grsec_log.c | 3 -
90066 grsecurity/grsec_tpe.c | 6 +-
90067 include/linux/grinternal.h | 12 ++--
90068 include/linux/grsecurity.h | 12 ++--
90069 include/linux/uidgid.h | 3 +
90070 init/Kconfig | 2 -
90071 ipc/shm.c | 2 +-
90072 kernel/cred.c | 5 +-
90073 kernel/kallsyms.c | 2 +-
90074 kernel/kmod.c | 6 +-
90075 kernel/sys.c | 12 ++--
90076 22 files changed, 166 insertions(+), 115 deletions(-)
90077
90078commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
90079Author: Linus Torvalds <torvalds@linux-foundation.org>
90080Date: Wed Feb 27 08:36:04 2013 -0800
90081
90082 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
90083
90084 mm: do not grow the stack vma just because of an overrun on preceding vma
90085
90086 The stack vma is designed to grow automatically (marked with VM_GROWSUP
90087 or VM_GROWSDOWN depending on architecture) when an access is made beyond
90088 the existing boundary. However, particularly if you have not limited
90089 your stack at all ("ulimit -s unlimited"), this can cause the stack to
90090 grow even if the access was really just one past *another* segment.
90091
90092 And that's wrong, especially since we first grow the segment, but then
90093 immediately later enforce the stack guard page on the last page of the
90094 segment. So _despite_ first growing the stack segment as a result of
90095 the access, the kernel will then make the access cause a SIGSEGV anyway!
90096
90097 So do the same logic as the guard page check does, and consider an
90098 access to within one page of the next segment to be a bad access, rather
90099 than growing the stack to abut the next segment.
90100
90101 Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
90102 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90103
90104 mm/mmap.c | 27 +++++++++++++++++++++++++++
90105 1 files changed, 27 insertions(+), 0 deletions(-)
90106
90107commit 5596211af754867ca825f58e6e0300a8439950fe
90108Author: H. Peter Anvin <hpa@linux.intel.com>
90109Date: Wed Feb 27 12:46:40 2013 -0800
90110
90111 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
90112
90113 x86: Make sure we can boot in the case the BDA contains pure garbage
90114
90115 On non-BIOS platforms it is possible that the BIOS data area contains
90116 garbage instead of being zeroed or something equivalent (firmware
90117 people: we are talking of 1.5K here, so please do the sane thing.)
90118
90119 We need on the order of 20-30K of low memory in order to boot, which
90120 may grow up to < 64K in the future. We probably want to avoid the
90121 lowest of the low memory. At the same time, it seems extremely
90122 unlikely that a legitimate EBDA would ever reach down to the 128K
90123 (which would require it to be over half a megabyte in size.) Thus,
90124 pick 128K as the cutoff for "this is insane, ignore." We may still
90125 end up reserving a bunch of extra memory on the low megabyte, but that
90126 is not really a major issue these days. In the worst case we lose
90127 512K of RAM.
90128
90129 This code really should be merged with trim_bios_range() in
90130 arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
90131 window.
90132
90133 Reported-by: Darren Hart <dvhart@linux.intel.com>
90134 Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
90135 Cc: Matt Fleming <matt.fleming@intel.com>
90136 Cc: <stable@vger.kernel.org>
90137 Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
90138
90139 arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
90140 1 files changed, 34 insertions(+), 19 deletions(-)
90141
90142commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
90143Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
90144Date: Wed Feb 27 17:05:46 2013 -0800
90145
90146 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
90147
90148 memstick: move the dereference below the NULL test
90149
90150 The dereference should be moved below the NULL test.
90151
90152 spatch with a semantic match is used to found this.
90153 (http://coccinelle.lip6.fr/)
90154
90155 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
90156 Cc: Maxim Levitsky <maximlevitsky@gmail.com>
90157 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
90158 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90159
90160 drivers/memstick/host/r592.c | 3 ++-
90161 1 files changed, 2 insertions(+), 1 deletions(-)
90162
90163commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
90164Author: Xi Wang <xi.wang@gmail.com>
90165Date: Wed Feb 27 17:05:21 2013 -0800
90166
90167 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
90168
90169 sysctl: fix null checking in bin_dn_node_address()
90170
90171 The null check of `strchr() + 1' is broken, which is always non-null,
90172 leading to OOB read. Instead, check the result of strchr().
90173
90174 Signed-off-by: Xi Wang <xi.wang@gmail.com>
90175 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
90176 Cc: <stable@vger.kernel.org>
90177 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
90178 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90179
90180 kernel/sysctl_binary.c | 3 ++-
90181 1 files changed, 2 insertions(+), 1 deletions(-)
90182
90183commit 7ca96db0817416fd40761e7437d1939fc0731380
90184Author: Tejun Heo <tj@kernel.org>
90185Date: Wed Feb 27 17:03:34 2013 -0800
90186
90187 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
90188
90189 idr: fix a subtle bug in idr_get_next()
90190
90191 The iteration logic of idr_get_next() is borrowed mostly verbatim from
90192 idr_for_each(). It walks down the tree looking for the slot matching
90193 the current ID. If the matching slot is not found, the ID is
90194 incremented by the distance of single slot at the given level and
90195 repeats.
90196
90197 The implementation assumes that during the whole iteration id is aligned
90198 to the layer boundaries of the level closest to the leaf, which is true
90199 for all iterations starting from zero or an existing element and thus is
90200 fine for idr_for_each().
90201
90202 However, idr_get_next() may be given any point and if the starting id
90203 hits in the middle of a non-existent layer, increment to the next layer
90204 will end up skipping the same offset into it. For example, an IDR with
90205 IDs filled between [64, 127] would look like the following.
90206
90207 [ 0 64 ... ]
90208 /----/ |
90209 | |
90210 NULL [ 64 ... 127 ]
90211
90212 If idr_get_next() is called with 63 as the starting point, it will try
90213 to follow down the pointer from 0. As it is NULL, it will then try to
90214 proceed to the next slot in the same level by adding the slot distance
90215 at that level which is 64 - making the next try 127. It goes around the
90216 loop and finds and returns 127 skipping [64, 126].
90217
90218 Note that this bug also triggers in idr_for_each_entry() loop which
90219 deletes during iteration as deletions can make layers go away leaving
90220 the iteration with unaligned ID into missing layers.
90221
90222 Fix it by ensuring proceeding to the next slot doesn't carry over the
90223 unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
90224 id += slot_distance.
90225
90226 Signed-off-by: Tejun Heo <tj@kernel.org>
90227 Reported-by: David Teigland <teigland@redhat.com>
90228 Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
90229 Cc: <stable@vger.kernel.org>
90230 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
90231 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90232
90233 lib/idr.c | 9 ++++++++-
90234 1 files changed, 8 insertions(+), 1 deletions(-)
90235
90236commit 745362f28034f54242ba2e64eaa7374ab9869613
90237Author: Brad Spengler <spender@grsecurity.net>
90238Date: Fri Mar 1 20:31:42 2013 -0500
90239
90240 Fix dentry use-after-free after failed complete_walk() with RBAC enabled
90241 Many thanks to zakalwe from #grsecurity for the report and debugging help
90242
90243 fs/namei.c | 8 +++-----
90244 1 files changed, 3 insertions(+), 5 deletions(-)
90245
90246commit b53b3b14330920c6f7cfb74c8508a3026e1be620
90247Author: Brad Spengler <spender@grsecurity.net>
90248Date: Thu Feb 28 18:29:26 2013 -0500
90249
90250 Fix bad git merge
90251
90252 fs/namespace.c | 8 --------
90253 1 files changed, 0 insertions(+), 8 deletions(-)
90254
90255commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
90256Merge: 1cce1dd ab30472
90257Author: Brad Spengler <spender@grsecurity.net>
90258Date: Thu Feb 28 17:45:14 2013 -0500
90259
90260 Merge branch 'pax-test' into grsec-test
90261
90262 Conflicts:
90263 net/core/sock_diag.c
90264
90265commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
90266Merge: 4b61d21 4c91a0e
90267Author: Brad Spengler <spender@grsecurity.net>
90268Date: Thu Feb 28 17:43:56 2013 -0500
90269
90270 Merge branch 'linux-3.8.y' into pax-test
90271
90272commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
90273Author: Brad Spengler <spender@grsecurity.net>
90274Date: Wed Feb 27 22:20:22 2013 -0500
90275
90276 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
90277
90278 include/linux/sysrq.h | 1 +
90279 1 files changed, 1 insertions(+), 0 deletions(-)
90280
90281commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
90282Author: Brad Spengler <spender@grsecurity.net>
90283Date: Wed Feb 27 17:52:31 2013 -0500
90284
90285 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
90286
90287 kernel/printk.c | 12 +++++++-----
90288 1 files changed, 7 insertions(+), 5 deletions(-)
90289
90290commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
90291Author: Brad Spengler <spender@grsecurity.net>
90292Date: Wed Feb 27 17:23:46 2013 -0500
90293
90294 Fix upstream vulnerability from addition of a /dev/kmsg device
90295 while neglecting to add the same set of existing permission checks
90296 from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
90297 A temporary workaround without this patch would be to
90298 chmod 0600 /dev/kmsg (and is likely a good idea anyway).
90299
90300 Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
90301 Initially reported to Redhat bugzilla by Christian Kujau:
90302 https://bugzilla.redhat.com/show_bug.cgi?id=903192
90303
90304 kernel/printk.c | 4 ++++
90305 1 files changed, 4 insertions(+), 0 deletions(-)
90306
90307commit 66c04806f5660988c3cb4855e60de294e77e3d0e
90308Author: David Howells <dhowells@redhat.com>
90309Date: Thu Feb 21 12:00:25 2013 +0000
90310
90311 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
90312
90313 KEYS: Revert one application of "Fix unreachable code" patch
90314
90315 A patch to fix some unreachable code in search_my_process_keyrings() got
90316 applied twice by two different routes upstream as commits e67eab39bee2
90317 and b010520ab3d2 (both "fix unreachable code").
90318
90319 Unfortunately, the second application removed something it shouldn't
90320 have and this wasn't detected by GIT. This is due to the patch not
90321 having sufficient lines of context to distinguish the two places of
90322 application.
90323
90324 The effect of this is relatively minor: inside the kernel, the keyring
90325 search routines may search multiple keyrings and then prioritise the
90326 errors if no keys or negative keys are found in any of them. With the
90327 extra deletion, the presence of a negative key in the thread keyring
90328 (causing ENOKEY) is incorrectly overridden by an error searching the
90329 process keyring.
90330
90331 So revert the second application of the patch.
90332
90333 Signed-off-by: David Howells <dhowells@redhat.com>
90334 Cc: Jiri Kosina <jkosina@suse.cz>
90335 Cc: Andrew Morton <akpm@linux-foundation.org>
90336 Cc: stable@vger.kernel.org
90337 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90338
90339 security/keys/process_keys.c | 2 ++
90340 1 files changed, 2 insertions(+), 0 deletions(-)
90341
90342commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
90343Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
90344Date: Thu Feb 21 16:42:43 2013 -0800
90345
90346 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
90347
90348 configfs: move the dereference below the NULL test
90349
90350 The dereference should be moved below the NULL test.
90351
90352 spatch with a semantic match is used to found this.
90353 (http://coccinelle.lip6.fr/)
90354
90355 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
90356 Cc: Joel Becker <jlbec@evilplan.org>
90357 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
90358 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90359
90360 fs/configfs/dir.c | 5 +++--
90361 1 files changed, 3 insertions(+), 2 deletions(-)
90362
90363commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
90364Author: Nicolas Pitre <nicolas.pitre@linaro.org>
90365Date: Sun Feb 24 20:06:09 2013 -0500
90366
90367 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
90368
90369 tty vt: fix character insertion overflow
90370
90371 Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
90372 command line edition") broke insert_char() in multiple ways. Then
90373 commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
90374 partially fixed it. However, the buffer being moved is still too large
90375 and overflowing beyond the end of the current line, corrupting existing
90376 characters on the next line.
90377
90378 Example test case:
90379
90380 echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
90381
90382 Expected result:
90383
90384 ab c
90385 de
90386
90387 Current result:
90388
90389 ab c
90390 e
90391
90392 Needless to say that this is very annoying when inserting words in the
90393 middle of paragraphs with certain text editors.
90394
90395 Signed-off-by: Nicolas Pitre <nico@linaro.org>
90396 Cc: Jean-François Moine <moinejf@free.fr>
90397 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
90398 Cc: <stable@vger.kernel.org>
90399 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90400
90401 drivers/tty/vt/vt.c | 2 +-
90402 1 files changed, 1 insertions(+), 1 deletions(-)
90403
90404commit 6cda35071669b4aabde081bd039e0ffea36f997a
90405Author: Robin Holt <holt@sgi.com>
90406Date: Fri Feb 22 16:35:34 2013 -0800
90407
90408 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
90409
90410 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
90411
90412 There is a race condition between mmu_notifier_unregister() and
90413 __mmu_notifier_release().
90414
90415 Assume two tasks, one calling mmu_notifier_unregister() as a result of a
90416 filp_close() ->flush() callout (task A), and the other calling
90417 mmu_notifier_release() from an mmput() (task B).
90418
90419 A B
90420 t1 srcu_read_lock()
90421 t2 if (!hlist_unhashed())
90422 t3 srcu_read_unlock()
90423 t4 srcu_read_lock()
90424 t5 hlist_del_init_rcu()
90425 t6 synchronize_srcu()
90426 t7 srcu_read_unlock()
90427 t8 hlist_del_rcu() <--- NULL pointer deref.
90428
90429 Additionally, the list traversal in __mmu_notifier_release() is not
90430 protected by the by the mmu_notifier_mm->hlist_lock which can result in
90431 callouts to the ->release() notifier from both mmu_notifier_unregister()
90432 and __mmu_notifier_release().
90433
90434 -stable suggestions:
90435
90436 The stable trees prior to 3.7.y need commits 21a92735f660 and
90437 70400303ce0c cherry-picked in that order prior to cherry-picking this
90438 commit. The 3.7.y tree already has those two commits.
90439
90440 Signed-off-by: Robin Holt <holt@sgi.com>
90441 Cc: Andrea Arcangeli <aarcange@redhat.com>
90442 Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
90443 Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
90444 Cc: Avi Kivity <avi@redhat.com>
90445 Cc: Hugh Dickins <hughd@google.com>
90446 Cc: Marcelo Tosatti <mtosatti@redhat.com>
90447 Cc: Sagi Grimberg <sagig@mellanox.co.il>
90448 Cc: Haggai Eran <haggaie@mellanox.com>
90449 Cc: <stable@vger.kernel.org>
90450 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
90451 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90452
90453 mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
90454 1 files changed, 42 insertions(+), 40 deletions(-)
90455
90456commit bf5167ed78ba6131c6874887f714bda50c2cab83
90457Author: Mike Galbraith <bitbucket@online.de>
90458Date: Mon Jan 28 12:19:25 2013 +0100
90459
90460 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
90461
90462 sched: Fix select_idle_sibling() bouncing cow syndrome
90463
90464 If the previous CPU is cache affine and idle, select it.
90465
90466 The current implementation simply traverses the sd_llc domain,
90467 taking the first idle CPU encountered, which walks buddy pairs
90468 hand in hand over the package, inflicting excruciating pain.
90469
90470 1 tbench pair (worst case) in a 10 core + SMT package:
90471
90472 pre 15.22 MB/sec 1 procs
90473 post 252.01 MB/sec 1 procs
90474
90475 Signed-off-by: Mike Galbraith <bitbucket@online.de>
90476 Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
90477 Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
90478 Signed-off-by: Ingo Molnar <mingo@kernel.org>
90479
90480 kernel/sched/fair.c | 21 +++++++--------------
90481 1 files changed, 7 insertions(+), 14 deletions(-)
90482
90483commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
90484Author: Eric W. Biederman <ebiederm@xmission.com>
90485Date: Fri Dec 28 18:58:39 2012 -0800
90486
90487 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
90488
90489 userns: Avoid recursion in put_user_ns
90490
90491 When freeing a deeply nested user namespace free_user_ns calls
90492 put_user_ns on it's parent which may in turn call free_user_ns again.
90493 When -fno-optimize-sibling-calls is passed to gcc one stack frame per
90494 user namespace is left on the stack, potentially overflowing the
90495 kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
90496 so we can't count on gcc to optimize this code.
90497
90498 Remove struct kref and use a plain atomic_t. Making the code more
90499 flexible and easier to comprehend. Make the loop in free_user_ns
90500 explict to guarantee that the stack does not overflow with
90501 CONFIG_FRAME_POINTER enabled.
90502
90503 I have tested this fix with a simple program that uses unshare to
90504 create a deeply nested user namespace structure and then calls exit.
90505 With 1000 nesteuser namespaces before this change running my test
90506 program causes the kernel to die a horrible death. With 10,000,000
90507 nested user namespaces after this change my test program runs to
90508 completion and causes no harm.
90509
90510 Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
90511 Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
90512 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
90513
90514 include/linux/user_namespace.h | 10 +++++-----
90515 kernel/user.c | 4 +---
90516 kernel/user_namespace.c | 17 +++++++++--------
90517 3 files changed, 15 insertions(+), 16 deletions(-)
90518
90519commit 81501c7106ccc186c94806f4db954626295b5ebe
90520Author: Brad Spengler <spender@grsecurity.net>
90521Date: Tue Feb 26 17:12:30 2013 -0500
90522
90523 Pass the same flags to kern_path_create as the original function
90524
90525 fs/namei.c | 4 ++--
90526 1 files changed, 2 insertions(+), 2 deletions(-)
90527
90528commit a677c8eee35afe48868f92c7d6745bfe809cd481
90529Author: Al Viro <viro@zeniv.linux.org.uk>
90530Date: Fri Feb 22 22:45:42 2013 -0500
90531
90532 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
90533
90534 get rid of unprotected dereferencing of mnt->mnt_ns
90535
90536 It's safe only under namespace_sem or vfsmount_lock; all places
90537 in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
90538 current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
90539 there).
90540
90541 Cc: stable@vger.kernel.org
90542 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
90543
90544 fs/namespace.c | 29 +++++++++++++++++------------
90545 1 files changed, 17 insertions(+), 12 deletions(-)
90546
90547commit 89298124d0c96dc34a60377e7a1308f8f532ff75
90548Author: Greg Thelen <gthelen@google.com>
90549Date: Fri Feb 22 16:36:01 2013 -0800
90550
90551 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
90552
90553 tmpfs: fix use-after-free of mempolicy object
90554
90555 The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
90556 option is not specified in the remount request. A new policy can be
90557 specified if mpol=M is given.
90558
90559 Before this patch remounting an mpol bound tmpfs without specifying
90560 mpol= mount option in the remount request would set the filesystem's
90561 mempolicy object to a freed mempolicy object.
90562
90563 To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
90564 # mkdir /tmp/x
90565
90566 # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
90567
90568 # grep /tmp/x /proc/mounts
90569 nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
90570
90571 # mount -o remount,size=200M nodev /tmp/x
90572
90573 # grep /tmp/x /proc/mounts
90574 nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
90575 # note ? garbage in mpol=... output above
90576
90577 # dd if=/dev/zero of=/tmp/x/f count=1
90578 # panic here
90579
90580 Panic:
90581 BUG: unable to handle kernel NULL pointer dereference at (null)
90582 IP: [< (null)>] (null)
90583 [...]
90584 Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
90585 Call Trace:
90586 mpol_shared_policy_init+0xa5/0x160
90587 shmem_get_inode+0x209/0x270
90588 shmem_mknod+0x3e/0xf0
90589 shmem_create+0x18/0x20
90590 vfs_create+0xb5/0x130
90591 do_last+0x9a1/0xea0
90592 path_openat+0xb3/0x4d0
90593 do_filp_open+0x42/0xa0
90594 do_sys_open+0xfe/0x1e0
90595 compat_sys_open+0x1b/0x20
90596 cstar_dispatch+0x7/0x1f
90597
90598 Non-debug kernels will not crash immediately because referencing the
90599 dangling mpol will not cause a fault. Instead the filesystem will
90600 reference a freed mempolicy object, which will cause unpredictable
90601 behavior.
90602
90603 The problem boils down to a dropped mpol reference below if
90604 shmem_parse_options() does not allocate a new mpol:
90605
90606 config = *sbinfo
90607 shmem_parse_options(data, &config, true)
90608 mpol_put(sbinfo->mpol)
90609 sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
90610
90611 This patch avoids the crash by not releasing the mempolicy if
90612 shmem_parse_options() doesn't create a new mpol.
90613
90614 How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
90615 not look back further.
90616
90617 Signed-off-by: Greg Thelen <gthelen@google.com>
90618 Acked-by: Hugh Dickins <hughd@google.com>
90619 Cc: <stable@vger.kernel.org>
90620 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
90621 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
90622
90623 mm/shmem.c | 10 ++++++++--
90624 1 files changed, 8 insertions(+), 2 deletions(-)
90625
90626commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
90627Author: Brad Spengler <spender@grsecurity.net>
90628Date: Sat Feb 23 11:08:05 2013 -0500
90629
90630 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
90631 with a family greater or equal then AF_MAX -- the array size of
90632 sock_diag_handlers[]. The current code does not test for this
90633 condition therefore is vulnerable to an out-of-bound access opening
90634 doors for a privilege escalation.
90635
90636 Signed-off-by: Mathias Krause <minipli@googlemail.com>
90637
90638 The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
90639 make the code less readable. Get rid of them and make the lock usage
90640 and access to sock_diag_handlers[] clear on the first sight.
90641
90642 Signed-off-by: Mathias Krause <minipli@googlemail.com>
90643
90644 net/core/sock_diag.c | 27 ++++++++++-----------------
90645 1 files changed, 10 insertions(+), 17 deletions(-)
90646
90647commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
90648Author: Brad Spengler <spender@grsecurity.net>
90649Date: Sat Feb 23 10:58:52 2013 -0500
90650
90651 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
90652
90653 arch/arm/include/asm/domain.h | 1 +
90654 1 files changed, 1 insertions(+), 0 deletions(-)
90655
90656commit 7b729586eb81f344fdedf0942fab0acc738a6725
90657Author: Brad Spengler <spender@grsecurity.net>
90658Date: Fri Feb 22 19:02:51 2013 -0500
90659
90660 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users.
90661
90662 kernel/fork.c | 17 +++++++++++++++++
90663 1 files changed, 17 insertions(+), 0 deletions(-)
90664
90665commit fadc560d0c486af88da83177735f5515e88acdcc
90666Author: Brad Spengler <spender@grsecurity.net>
90667Date: Thu Feb 21 23:06:48 2013 -0500
90668
90669 put is_hugetlbfs_mnt inside ifdefs
90670
90671 grsecurity/gracl.c | 2 ++
90672 1 files changed, 2 insertions(+), 0 deletions(-)
90673
90674commit 8252176922d405484f986eb2cc350b7cd3ae586e
90675Author: Brad Spengler <spender@grsecurity.net>
90676Date: Thu Feb 21 23:02:07 2013 -0500
90677
90678 remove unused label
90679
90680 kernel/module.c | 1 -
90681 1 files changed, 0 insertions(+), 1 deletions(-)
90682
90683commit dad4a980f0b625059e215d13da728aa7fd02a374
90684Author: Brad Spengler <spender@grsecurity.net>
90685Date: Thu Feb 21 23:00:52 2013 -0500
90686
90687 compile fix
90688
90689 fs/open.c | 2 +-
90690 1 files changed, 1 insertions(+), 1 deletions(-)
90691
90692commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
90693Author: Brad Spengler <spender@grsecurity.net>
90694Date: Thu Feb 21 22:57:49 2013 -0500
90695
90696 remove kmalloc_array_error for the same reasons as kcalloc_error
90697
90698 include/linux/slab.h | 9 ---------
90699 1 files changed, 0 insertions(+), 9 deletions(-)
90700
90701commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
90702Author: Brad Spengler <spender@grsecurity.net>
90703Date: Thu Feb 21 22:49:35 2013 -0500
90704
90705 Initial port of grsecurity for Linux 3.8
90706
90707 Documentation/kernel-parameters.txt | 4 +
90708 Makefile | 10 +-
90709 arch/alpha/include/asm/cache.h | 4 +-
90710 arch/alpha/kernel/osf_sys.c | 14 +-
90711 arch/arm/include/asm/cache.h | 2 +
90712 arch/arm/include/asm/thread_info.h | 9 +-
90713 arch/arm/kernel/process.c | 4 +-
90714 arch/arm/kernel/ptrace.c | 9 +
90715 arch/arm/kernel/traps.c | 7 +-
90716 arch/arm/mm/fault.c | 27 +-
90717 arch/arm/mm/mmap.c | 6 +-
90718 arch/avr32/include/asm/cache.h | 4 +-
90719 arch/blackfin/include/asm/cache.h | 3 +-
90720 arch/cris/include/arch-v10/arch/cache.h | 3 +-
90721 arch/cris/include/arch-v32/arch/cache.h | 3 +-
90722 arch/frv/include/asm/cache.h | 3 +-
90723 arch/frv/mm/elf-fdpic.c | 7 +-
90724 arch/hexagon/include/asm/cache.h | 6 +-
90725 arch/ia64/include/asm/cache.h | 3 +-
90726 arch/ia64/kernel/sys_ia64.c | 3 +-
90727 arch/ia64/mm/hugetlbpage.c | 3 +-
90728 arch/m32r/include/asm/cache.h | 4 +-
90729 arch/m68k/include/asm/cache.h | 4 +-
90730 arch/microblaze/include/asm/cache.h | 3 +-
90731 arch/mips/include/asm/cache.h | 3 +-
90732 arch/mips/include/asm/thread_info.h | 9 +-
90733 arch/mips/kernel/ptrace.c | 9 +
90734 arch/mips/kernel/scall32-o32.S | 2 +-
90735 arch/mips/kernel/scall64-64.S | 2 +-
90736 arch/mips/kernel/scall64-n32.S | 2 +-
90737 arch/mips/kernel/scall64-o32.S | 2 +-
90738 arch/mips/mm/mmap.c | 3 +-
90739 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
90740 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
90741 arch/openrisc/include/asm/cache.h | 4 +-
90742 arch/parisc/include/asm/cache.h | 5 +-
90743 arch/parisc/kernel/sys_parisc.c | 19 +-
90744 arch/powerpc/include/asm/cache.h | 3 +-
90745 arch/powerpc/include/asm/thread_info.h | 8 +-
90746 arch/powerpc/kernel/process.c | 10 +-
90747 arch/powerpc/kernel/ptrace.c | 14 +
90748 arch/powerpc/kernel/traps.c | 5 +
90749 arch/powerpc/mm/slice.c | 8 +-
90750 arch/s390/include/asm/cache.h | 4 +-
90751 arch/score/include/asm/cache.h | 4 +-
90752 arch/sh/include/asm/cache.h | 3 +-
90753 arch/sh/mm/mmap.c | 6 +-
90754 arch/sparc/include/asm/cache.h | 4 +-
90755 arch/sparc/include/asm/thread_info_64.h | 9 +-
90756 arch/sparc/kernel/process_32.c | 6 +-
90757 arch/sparc/kernel/process_64.c | 8 +-
90758 arch/sparc/kernel/ptrace_64.c | 14 +
90759 arch/sparc/kernel/sys_sparc_64.c | 6 +-
90760 arch/sparc/kernel/syscalls.S | 8 +-
90761 arch/sparc/kernel/traps_32.c | 8 +-
90762 arch/sparc/kernel/traps_64.c | 28 +-
90763 arch/sparc/kernel/unaligned_64.c | 2 +-
90764 arch/sparc/mm/fault_64.c | 2 +-
90765 arch/sparc/mm/hugetlbpage.c | 3 +-
90766 arch/tile/include/asm/cache.h | 3 +-
90767 arch/um/include/asm/cache.h | 3 +-
90768 arch/unicore32/include/asm/cache.h | 6 +-
90769 arch/x86/Kconfig | 5 +-
90770 arch/x86/Kconfig.debug | 2 +-
90771 arch/x86/ia32/ia32_aout.c | 2 +
90772 arch/x86/include/asm/thread_info.h | 8 +-
90773 arch/x86/kernel/dumpstack.c | 8 +
90774 arch/x86/kernel/entry_32.S | 2 +-
90775 arch/x86/kernel/entry_64.S | 2 +-
90776 arch/x86/kernel/ioport.c | 13 +
90777 arch/x86/kernel/ptrace.c | 14 +
90778 arch/x86/kernel/smpboot.c | 3 +
90779 arch/x86/kernel/sys_i386_32.c | 14 +-
90780 arch/x86/kernel/sys_x86_64.c | 3 +-
90781 arch/x86/kernel/verify_cpu.S | 1 +
90782 arch/x86/kernel/vm86_32.c | 16 +
90783 arch/x86/mm/fault.c | 12 +-
90784 arch/x86/mm/hugetlbpage.c | 3 +-
90785 arch/x86/mm/init.c | 66 +-
90786 arch/x86/net/bpf_jit_comp.c | 126 +-
90787 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
90788 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
90789 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
90790 crypto/ablkcipher.c | 12 +-
90791 crypto/aead.c | 9 +-
90792 crypto/ahash.c | 2 +-
90793 crypto/blkcipher.c | 6 +-
90794 crypto/crypto_user.c | 38 +-
90795 crypto/pcompress.c | 3 +-
90796 crypto/rng.c | 2 +-
90797 crypto/shash.c | 3 +-
90798 drivers/block/cciss.c | 2 +
90799 drivers/char/Kconfig | 4 +-
90800 drivers/char/genrtc.c | 1 +
90801 drivers/char/mem.c | 17 +
90802 drivers/char/random.c | 12 +
90803 drivers/gpu/drm/drm_info.c | 4 +
90804 drivers/hid/hid-wiimote-debug.c | 2 +-
90805 drivers/media/radio/radio-cadet.c | 2 +-
90806 drivers/message/fusion/mptbase.c | 5 +
90807 drivers/net/phy/mdio-bitbang.c | 1 +
90808 drivers/pci/proc.c | 9 +
90809 drivers/rtc/rtc-dev.c | 3 +
90810 drivers/tty/sysrq.c | 2 +-
90811 drivers/tty/vt/keyboard.c | 22 +-
90812 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
90813 drivers/xen/xenfs/xenstored.c | 5 +
90814 fs/attr.c | 1 +
90815 fs/autofs4/waitq.c | 9 +
90816 fs/binfmt_aout.c | 7 +
90817 fs/binfmt_elf.c | 6 +
90818 fs/btrfs/inode.c | 10 +-
90819 fs/btrfs/ioctl.c | 6 +-
90820 fs/compat.c | 18 +
90821 fs/coredump.c | 10 +-
90822 fs/debugfs/inode.c | 4 +
90823 fs/exec.c | 155 +-
90824 fs/ext2/balloc.c | 4 +-
90825 fs/ext3/balloc.c | 4 +-
90826 fs/ext4/balloc.c | 4 +-
90827 fs/fcntl.c | 5 +
90828 fs/file.c | 4 +
90829 fs/filesystems.c | 5 +
90830 fs/fs_struct.c | 26 +-
90831 fs/hugetlbfs/inode.c | 5 +-
90832 fs/namei.c | 269 ++-
90833 fs/namespace.c | 24 +
90834 fs/open.c | 38 +
90835 fs/pipe.c | 2 +-
90836 fs/proc/Kconfig | 10 +-
90837 fs/proc/array.c | 59 +-
90838 fs/proc/base.c | 168 +-
90839 fs/proc/cmdline.c | 4 +
90840 fs/proc/devices.c | 4 +
90841 fs/proc/fd.c | 17 +-
90842 fs/proc/inode.c | 17 +
90843 fs/proc/internal.h | 3 +
90844 fs/proc/kcore.c | 3 +
90845 fs/proc/proc_net.c | 12 +
90846 fs/proc/proc_sysctl.c | 43 +-
90847 fs/proc/root.c | 8 +
90848 fs/proc/task_mmu.c | 75 +-
90849 fs/readdir.c | 19 +
90850 fs/select.c | 2 +
90851 fs/seq_file.c | 12 +-
90852 fs/stat.c | 19 +-
90853 fs/sysfs/dir.c | 12 +
90854 fs/utimes.c | 7 +
90855 fs/xattr.c | 19 +-
90856 grsecurity/Kconfig | 1021 +++++
90857 grsecurity/Makefile | 38 +
90858 grsecurity/gracl.c | 4017 ++++++++++++++++++++
90859 grsecurity/gracl_alloc.c | 105 +
90860 grsecurity/gracl_cap.c | 110 +
90861 grsecurity/gracl_fs.c | 431 +++
90862 grsecurity/gracl_ip.c | 384 ++
90863 grsecurity/gracl_learn.c | 207 +
90864 grsecurity/gracl_res.c | 68 +
90865 grsecurity/gracl_segv.c | 299 ++
90866 grsecurity/gracl_shm.c | 40 +
90867 grsecurity/grsec_chdir.c | 19 +
90868 grsecurity/grsec_chroot.c | 357 ++
90869 grsecurity/grsec_disabled.c | 434 +++
90870 grsecurity/grsec_exec.c | 174 +
90871 grsecurity/grsec_fifo.c | 24 +
90872 grsecurity/grsec_fork.c | 23 +
90873 grsecurity/grsec_init.c | 283 ++
90874 grsecurity/grsec_link.c | 58 +
90875 grsecurity/grsec_log.c | 329 ++
90876 grsecurity/grsec_mem.c | 40 +
90877 grsecurity/grsec_mount.c | 62 +
90878 grsecurity/grsec_pax.c | 36 +
90879 grsecurity/grsec_ptrace.c | 30 +
90880 grsecurity/grsec_sig.c | 222 ++
90881 grsecurity/grsec_sock.c | 244 ++
90882 grsecurity/grsec_sysctl.c | 469 +++
90883 grsecurity/grsec_time.c | 16 +
90884 grsecurity/grsec_tpe.c | 73 +
90885 grsecurity/grsum.c | 61 +
90886 include/linux/capability.h | 5 +
90887 include/linux/cred.h | 3 +
90888 include/linux/fs.h | 10 +
90889 include/linux/fsnotify.h | 6 +
90890 include/linux/gracl.h | 319 ++
90891 include/linux/gralloc.h | 9 +
90892 include/linux/grdefs.h | 140 +
90893 include/linux/grinternal.h | 215 ++
90894 include/linux/grmsg.h | 111 +
90895 include/linux/grsecurity.h | 257 ++
90896 include/linux/grsock.h | 19 +
90897 include/linux/kallsyms.h | 14 +-
90898 include/linux/kmod.h | 2 +
90899 include/linux/netfilter/xt_gradm.h | 9 +
90900 include/linux/printk.h | 3 +-
90901 include/linux/proc_fs.h | 12 +
90902 include/linux/sched.h | 66 +-
90903 include/linux/security.h | 1 +
90904 include/linux/seq_file.h | 3 +
90905 include/linux/shm.h | 4 +
90906 include/linux/sysctl.h | 2 +
90907 include/linux/thread_info.h | 2 +
90908 include/linux/vermagic.h | 9 +-
90909 include/trace/events/fs.h | 53 +
90910 include/uapi/linux/personality.h | 1 +
90911 init/Kconfig | 5 +-
90912 init/main.c | 14 +
90913 ipc/mqueue.c | 1 +
90914 ipc/shm.c | 28 +
90915 kernel/capability.c | 39 +-
90916 kernel/cgroup.c | 2 +-
90917 kernel/compat.c | 1 +
90918 kernel/configs.c | 11 +
90919 kernel/cred.c | 109 +-
90920 kernel/exit.c | 10 +-
90921 kernel/fork.c | 24 +-
90922 kernel/futex.c | 1 +
90923 kernel/kallsyms.c | 9 +
90924 kernel/kcmp.c | 4 +
90925 kernel/kmod.c | 71 +-
90926 kernel/kprobes.c | 4 +-
90927 kernel/ksysfs.c | 2 +
90928 kernel/lockdep_proc.c | 10 +-
90929 kernel/module.c | 80 +-
90930 kernel/panic.c | 4 +-
90931 kernel/pid.c | 19 +-
90932 kernel/posix-timers.c | 8 +
90933 kernel/printk.c | 5 +
90934 kernel/ptrace.c | 20 +-
90935 kernel/resource.c | 10 +
90936 kernel/sched/core.c | 6 +-
90937 kernel/signal.c | 37 +-
90938 kernel/sys.c | 38 +-
90939 kernel/sysctl.c | 39 +-
90940 kernel/taskstats.c | 6 +
90941 kernel/time.c | 5 +
90942 kernel/time/timekeeping.c | 3 +
90943 kernel/time/timer_list.c | 12 +
90944 kernel/time/timer_stats.c | 10 +-
90945 lib/Kconfig.debug | 5 +-
90946 lib/is_single_threaded.c | 3 +
90947 lib/vsprintf.c | 35 +-
90948 localversion-grsec | 1 +
90949 mm/Kconfig | 4 +-
90950 mm/filemap.c | 1 +
90951 mm/kmemleak.c | 4 +-
90952 mm/mempolicy.c | 12 +-
90953 mm/migrate.c | 3 +-
90954 mm/mlock.c | 3 +
90955 mm/mmap.c | 62 +-
90956 mm/mprotect.c | 8 +
90957 mm/page_alloc.c | 6 +
90958 mm/process_vm_access.c | 6 +
90959 mm/shmem.c | 2 +-
90960 mm/slab.c | 2 +-
90961 mm/slub.c | 14 +-
90962 mm/vmalloc.c | 4 +
90963 mm/vmstat.c | 18 +-
90964 net/core/dev.c | 9 +
90965 net/core/sock_diag.c | 7 +
90966 net/ipv4/inet_hashtables.c | 5 +
90967 net/ipv4/ip_sockglue.c | 3 +-
90968 net/ipv4/tcp_input.c | 4 +-
90969 net/ipv4/tcp_ipv4.c | 24 +-
90970 net/ipv4/tcp_minisocks.c | 9 +-
90971 net/ipv4/tcp_timer.c | 11 +
90972 net/ipv4/udp.c | 24 +
90973 net/ipv6/tcp_ipv6.c | 23 +-
90974 net/ipv6/udp.c | 7 +
90975 net/netfilter/Kconfig | 10 +
90976 net/netfilter/Makefile | 1 +
90977 net/netfilter/nf_conntrack_core.c | 8 +
90978 net/netfilter/xt_gradm.c | 51 +
90979 net/netrom/af_netrom.c | 2 +-
90980 net/phonet/af_phonet.c | 4 +-
90981 net/sctp/proc.c | 3 +-
90982 net/socket.c | 62 +-
90983 net/sysctl_net.c | 2 +-
90984 net/unix/af_unix.c | 19 +
90985 security/Kconfig | 320 ++-
90986 security/apparmor/lsm.c | 2 +-
90987 security/commoncap.c | 29 +
90988 security/min_addr.c | 2 +
90989 security/security.c | 2 -
90990 security/selinux/hooks.c | 2 -
90991 security/yama/Kconfig | 2 +-
90992 tools/gcc/Makefile | 2 +-
90993 286 files changed, 15083 insertions(+), 2067 deletions(-)
90994
90995commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
90996Author: Brad Spengler <spender@grsecurity.net>
90997Date: Wed Feb 20 21:00:42 2013 -0500
90998
90999 Initial import of pax-linux-3.8-test3.patch
91000
91001 Documentation/dontdiff | 43 +-
91002 Documentation/kernel-parameters.txt | 7 +
91003 Makefile | 97 +-
91004 arch/alpha/include/asm/atomic.h | 10 +
91005 arch/alpha/include/asm/elf.h | 7 +
91006 arch/alpha/include/asm/pgalloc.h | 6 +
91007 arch/alpha/include/asm/pgtable.h | 11 +
91008 arch/alpha/kernel/module.c | 2 +-
91009 arch/alpha/kernel/osf_sys.c | 10 +-
91010 arch/alpha/mm/fault.c | 141 +-
91011 arch/arm/Kconfig | 2 +-
91012 arch/arm/include/asm/atomic.h | 421 +++-
91013 arch/arm/include/asm/cache.h | 3 +-
91014 arch/arm/include/asm/cacheflush.h | 2 +-
91015 arch/arm/include/asm/checksum.h | 14 +-
91016 arch/arm/include/asm/cmpxchg.h | 2 +
91017 arch/arm/include/asm/delay.h | 8 +-
91018 arch/arm/include/asm/domain.h | 32 +-
91019 arch/arm/include/asm/elf.h | 13 +-
91020 arch/arm/include/asm/fncpy.h | 2 +
91021 arch/arm/include/asm/futex.h | 10 +
91022 arch/arm/include/asm/kmap_types.h | 2 +-
91023 arch/arm/include/asm/mach/dma.h | 2 +-
91024 arch/arm/include/asm/mach/map.h | 7 +-
91025 arch/arm/include/asm/outercache.h | 2 +-
91026 arch/arm/include/asm/page.h | 2 +-
91027 arch/arm/include/asm/pgalloc.h | 22 +-
91028 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
91029 arch/arm/include/asm/pgtable-2level.h | 1 +
91030 arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
91031 arch/arm/include/asm/pgtable-3level.h | 2 +
91032 arch/arm/include/asm/pgtable.h | 56 +-
91033 arch/arm/include/asm/proc-fns.h | 2 +-
91034 arch/arm/include/asm/processor.h | 5 +-
91035 arch/arm/include/asm/smp.h | 2 +-
91036 arch/arm/include/asm/thread_info.h | 6 +-
91037 arch/arm/include/asm/uaccess.h | 92 +-
91038 arch/arm/include/uapi/asm/ptrace.h | 2 +-
91039 arch/arm/kernel/armksyms.c | 4 +-
91040 arch/arm/kernel/entry-armv.S | 107 +-
91041 arch/arm/kernel/entry-common.S | 41 +-
91042 arch/arm/kernel/entry-header.S | 60 +
91043 arch/arm/kernel/fiq.c | 2 +
91044 arch/arm/kernel/head.S | 6 +-
91045 arch/arm/kernel/hw_breakpoint.c | 2 +-
91046 arch/arm/kernel/module.c | 29 +-
91047 arch/arm/kernel/perf_event_cpu.c | 2 +-
91048 arch/arm/kernel/process.c | 10 +-
91049 arch/arm/kernel/setup.c | 22 +-
91050 arch/arm/kernel/smp.c | 2 +-
91051 arch/arm/kernel/traps.c | 8 +-
91052 arch/arm/kernel/vmlinux.lds.S | 20 +-
91053 arch/arm/lib/clear_user.S | 6 +-
91054 arch/arm/lib/copy_from_user.S | 6 +-
91055 arch/arm/lib/copy_page.S | 1 +
91056 arch/arm/lib/copy_to_user.S | 6 +-
91057 arch/arm/lib/csumpartialcopyuser.S | 4 +-
91058 arch/arm/lib/delay.c | 14 +-
91059 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
91060 arch/arm/mach-kirkwood/common.c | 19 +-
91061 arch/arm/mach-omap2/board-n8x0.c | 2 +-
91062 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
91063 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
91064 arch/arm/mach-ux500/include/mach/setup.h | 7 -
91065 arch/arm/mm/Kconfig | 3 +-
91066 arch/arm/mm/fault.c | 78 +
91067 arch/arm/mm/fault.h | 12 +
91068 arch/arm/mm/init.c | 41 +
91069 arch/arm/mm/ioremap.c | 4 +-
91070 arch/arm/mm/mmap.c | 36 +-
91071 arch/arm/mm/mmu.c | 186 +-
91072 arch/arm/mm/proc-v7-2level.S | 3 +
91073 arch/arm/plat-omap/sram.c | 2 +
91074 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
91075 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
91076 arch/arm64/kernel/debug-monitors.c | 2 +-
91077 arch/arm64/kernel/hw_breakpoint.c | 2 +-
91078 arch/avr32/include/asm/elf.h | 8 +-
91079 arch/avr32/include/asm/kmap_types.h | 4 +-
91080 arch/avr32/mm/fault.c | 27 +
91081 arch/frv/include/asm/atomic.h | 10 +
91082 arch/frv/include/asm/kmap_types.h | 2 +-
91083 arch/frv/mm/elf-fdpic.c | 7 +-
91084 arch/ia64/include/asm/atomic.h | 10 +
91085 arch/ia64/include/asm/elf.h | 7 +
91086 arch/ia64/include/asm/pgalloc.h | 12 +
91087 arch/ia64/include/asm/pgtable.h | 13 +-
91088 arch/ia64/include/asm/spinlock.h | 2 +-
91089 arch/ia64/include/asm/uaccess.h | 28 +-
91090 arch/ia64/kernel/err_inject.c | 2 +-
91091 arch/ia64/kernel/mca.c | 2 +-
91092 arch/ia64/kernel/module.c | 48 +-
91093 arch/ia64/kernel/palinfo.c | 2 +-
91094 arch/ia64/kernel/salinfo.c | 2 +-
91095 arch/ia64/kernel/sys_ia64.c | 13 +-
91096 arch/ia64/kernel/topology.c | 2 +-
91097 arch/ia64/kernel/vmlinux.lds.S | 2 +-
91098 arch/ia64/mm/fault.c | 32 +-
91099 arch/ia64/mm/hugetlbpage.c | 2 +-
91100 arch/ia64/mm/init.c | 13 +
91101 arch/m32r/lib/usercopy.c | 6 +
91102 arch/mips/include/asm/atomic.h | 14 +
91103 arch/mips/include/asm/elf.h | 11 +-
91104 arch/mips/include/asm/exec.h | 2 +-
91105 arch/mips/include/asm/page.h | 2 +-
91106 arch/mips/include/asm/pgalloc.h | 5 +
91107 arch/mips/kernel/binfmt_elfn32.c | 7 +
91108 arch/mips/kernel/binfmt_elfo32.c | 7 +
91109 arch/mips/kernel/process.c | 12 -
91110 arch/mips/mm/fault.c | 17 +
91111 arch/mips/mm/mmap.c | 51 +-
91112 arch/parisc/include/asm/atomic.h | 10 +
91113 arch/parisc/include/asm/elf.h | 7 +
91114 arch/parisc/include/asm/pgalloc.h | 6 +
91115 arch/parisc/include/asm/pgtable.h | 11 +
91116 arch/parisc/include/asm/uaccess.h | 4 +-
91117 arch/parisc/kernel/module.c | 50 +-
91118 arch/parisc/kernel/sys_parisc.c | 6 +-
91119 arch/parisc/kernel/traps.c | 4 +-
91120 arch/parisc/mm/fault.c | 140 +-
91121 arch/powerpc/include/asm/atomic.h | 10 +
91122 arch/powerpc/include/asm/elf.h | 19 +-
91123 arch/powerpc/include/asm/exec.h | 2 +-
91124 arch/powerpc/include/asm/kmap_types.h | 2 +-
91125 arch/powerpc/include/asm/mman.h | 2 +-
91126 arch/powerpc/include/asm/page.h | 8 +-
91127 arch/powerpc/include/asm/page_64.h | 7 +-
91128 arch/powerpc/include/asm/pgalloc-64.h | 7 +
91129 arch/powerpc/include/asm/pgtable.h | 1 +
91130 arch/powerpc/include/asm/pte-hash32.h | 1 +
91131 arch/powerpc/include/asm/reg.h | 1 +
91132 arch/powerpc/include/asm/uaccess.h | 142 +-
91133 arch/powerpc/kernel/exceptions-64e.S | 4 +-
91134 arch/powerpc/kernel/exceptions-64s.S | 2 +-
91135 arch/powerpc/kernel/module_32.c | 13 +-
91136 arch/powerpc/kernel/process.c | 55 -
91137 arch/powerpc/kernel/signal_32.c | 2 +-
91138 arch/powerpc/kernel/signal_64.c | 2 +-
91139 arch/powerpc/kernel/sysfs.c | 2 +-
91140 arch/powerpc/kernel/vdso.c | 5 +-
91141 arch/powerpc/lib/usercopy_64.c | 18 -
91142 arch/powerpc/mm/fault.c | 54 +-
91143 arch/powerpc/mm/mmap_64.c | 16 +
91144 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
91145 arch/powerpc/mm/numa.c | 2 +-
91146 arch/powerpc/mm/slice.c | 23 +-
91147 arch/powerpc/platforms/powermac/smp.c | 2 +-
91148 arch/s390/include/asm/atomic.h | 10 +
91149 arch/s390/include/asm/elf.h | 13 +-
91150 arch/s390/include/asm/exec.h | 2 +-
91151 arch/s390/include/asm/uaccess.h | 15 +-
91152 arch/s390/kernel/module.c | 22 +-
91153 arch/s390/kernel/process.c | 36 -
91154 arch/s390/mm/mmap.c | 24 +
91155 arch/score/include/asm/exec.h | 2 +-
91156 arch/score/kernel/process.c | 5 -
91157 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
91158 arch/sh/mm/mmap.c | 22 +-
91159 arch/sparc/include/asm/atomic_64.h | 106 +-
91160 arch/sparc/include/asm/cache.h | 2 +-
91161 arch/sparc/include/asm/elf_32.h | 7 +
91162 arch/sparc/include/asm/elf_64.h | 7 +
91163 arch/sparc/include/asm/pgalloc_32.h | 1 +
91164 arch/sparc/include/asm/pgalloc_64.h | 1 +
91165 arch/sparc/include/asm/pgtable_32.h | 15 +-
91166 arch/sparc/include/asm/pgtsrmmu.h | 5 +
91167 arch/sparc/include/asm/spinlock_64.h | 35 +-
91168 arch/sparc/include/asm/thread_info_32.h | 2 +
91169 arch/sparc/include/asm/thread_info_64.h | 2 +
91170 arch/sparc/include/asm/uaccess.h | 8 +
91171 arch/sparc/include/asm/uaccess_32.h | 27 +-
91172 arch/sparc/include/asm/uaccess_64.h | 19 +-
91173 arch/sparc/kernel/Makefile | 2 +-
91174 arch/sparc/kernel/sys_sparc_32.c | 2 +-
91175 arch/sparc/kernel/sys_sparc_64.c | 48 +-
91176 arch/sparc/kernel/sysfs.c | 2 +-
91177 arch/sparc/kernel/traps_64.c | 13 +-
91178 arch/sparc/lib/Makefile | 2 +-
91179 arch/sparc/lib/atomic_64.S | 136 +-
91180 arch/sparc/lib/ksyms.c | 6 +
91181 arch/sparc/mm/Makefile | 2 +-
91182 arch/sparc/mm/fault_32.c | 292 ++
91183 arch/sparc/mm/fault_64.c | 486 +++
91184 arch/sparc/mm/hugetlbpage.c | 21 +-
91185 arch/tile/include/asm/atomic_64.h | 10 +
91186 arch/tile/include/asm/uaccess.h | 4 +-
91187 arch/um/Makefile | 4 +
91188 arch/um/include/asm/kmap_types.h | 2 +-
91189 arch/um/include/asm/page.h | 3 +
91190 arch/um/include/asm/pgtable-3level.h | 1 +
91191 arch/um/kernel/process.c | 16 -
91192 arch/x86/Kconfig | 10 +-
91193 arch/x86/Kconfig.cpu | 6 +-
91194 arch/x86/Kconfig.debug | 6 +-
91195 arch/x86/Makefile | 10 +
91196 arch/x86/boot/Makefile | 3 +
91197 arch/x86/boot/bitops.h | 4 +-
91198 arch/x86/boot/boot.h | 4 +-
91199 arch/x86/boot/compressed/Makefile | 3 +
91200 arch/x86/boot/compressed/eboot.c | 2 -
91201 arch/x86/boot/compressed/head_32.S | 7 +-
91202 arch/x86/boot/compressed/head_64.S | 4 +-
91203 arch/x86/boot/compressed/misc.c | 4 +-
91204 arch/x86/boot/cpucheck.c | 28 +-
91205 arch/x86/boot/header.S | 6 +-
91206 arch/x86/boot/memory.c | 2 +-
91207 arch/x86/boot/video-vesa.c | 1 +
91208 arch/x86/boot/video.c | 2 +-
91209 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
91210 arch/x86/crypto/aesni-intel_asm.S | 31 +
91211 arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
91212 arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
91213 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
91214 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
91215 arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
91216 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
91217 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
91218 arch/x86/crypto/sha1_ssse3_asm.S | 3 +
91219 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
91220 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
91221 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
91222 arch/x86/ia32/ia32_signal.c | 14 +-
91223 arch/x86/ia32/ia32entry.S | 141 +-
91224 arch/x86/ia32/sys_ia32.c | 12 +-
91225 arch/x86/include/asm/alternative-asm.h | 39 +
91226 arch/x86/include/asm/alternative.h | 4 +-
91227 arch/x86/include/asm/apic.h | 2 +-
91228 arch/x86/include/asm/apm.h | 4 +-
91229 arch/x86/include/asm/atomic.h | 307 ++-
91230 arch/x86/include/asm/atomic64_32.h | 100 +
91231 arch/x86/include/asm/atomic64_64.h | 202 ++-
91232 arch/x86/include/asm/bitops.h | 2 +-
91233 arch/x86/include/asm/boot.h | 7 +-
91234 arch/x86/include/asm/cache.h | 5 +-
91235 arch/x86/include/asm/cacheflush.h | 2 +-
91236 arch/x86/include/asm/checksum_32.h | 12 +-
91237 arch/x86/include/asm/cmpxchg.h | 35 +
91238 arch/x86/include/asm/cpufeature.h | 4 +-
91239 arch/x86/include/asm/desc.h | 65 +-
91240 arch/x86/include/asm/desc_defs.h | 6 +
91241 arch/x86/include/asm/elf.h | 31 +-
91242 arch/x86/include/asm/emergency-restart.h | 2 +-
91243 arch/x86/include/asm/fpu-internal.h | 6 +-
91244 arch/x86/include/asm/futex.h | 16 +-
91245 arch/x86/include/asm/hw_irq.h | 4 +-
91246 arch/x86/include/asm/io.h | 13 +-
91247 arch/x86/include/asm/irqflags.h | 5 +
91248 arch/x86/include/asm/kprobes.h | 9 +-
91249 arch/x86/include/asm/local.h | 142 +-
91250 arch/x86/include/asm/mman.h | 15 +
91251 arch/x86/include/asm/mmu.h | 16 +-
91252 arch/x86/include/asm/mmu_context.h | 76 +-
91253 arch/x86/include/asm/module.h | 17 +-
91254 arch/x86/include/asm/page_64_types.h | 2 +-
91255 arch/x86/include/asm/paravirt.h | 44 +-
91256 arch/x86/include/asm/paravirt_types.h | 17 +-
91257 arch/x86/include/asm/pgalloc.h | 23 +
91258 arch/x86/include/asm/pgtable-2level.h | 2 +
91259 arch/x86/include/asm/pgtable-3level.h | 4 +
91260 arch/x86/include/asm/pgtable.h | 110 +-
91261 arch/x86/include/asm/pgtable_32.h | 14 +-
91262 arch/x86/include/asm/pgtable_32_types.h | 15 +-
91263 arch/x86/include/asm/pgtable_64.h | 19 +-
91264 arch/x86/include/asm/pgtable_64_types.h | 5 +
91265 arch/x86/include/asm/pgtable_types.h | 36 +-
91266 arch/x86/include/asm/processor.h | 39 +-
91267 arch/x86/include/asm/ptrace.h | 26 +-
91268 arch/x86/include/asm/realmode.h | 4 +-
91269 arch/x86/include/asm/reboot.h | 10 +-
91270 arch/x86/include/asm/rwsem.h | 60 +-
91271 arch/x86/include/asm/segment.h | 24 +-
91272 arch/x86/include/asm/smp.h | 14 +-
91273 arch/x86/include/asm/spinlock.h | 36 +-
91274 arch/x86/include/asm/stackprotector.h | 4 +-
91275 arch/x86/include/asm/stacktrace.h | 32 +-
91276 arch/x86/include/asm/switch_to.h | 4 +-
91277 arch/x86/include/asm/thread_info.h | 83 +-
91278 arch/x86/include/asm/uaccess.h | 96 +-
91279 arch/x86/include/asm/uaccess_32.h | 106 +-
91280 arch/x86/include/asm/uaccess_64.h | 232 +-
91281 arch/x86/include/asm/word-at-a-time.h | 2 +-
91282 arch/x86/include/asm/x86_init.h | 10 +-
91283 arch/x86/include/asm/xsave.h | 10 +-
91284 arch/x86/include/uapi/asm/e820.h | 2 +-
91285 arch/x86/kernel/Makefile | 2 +-
91286 arch/x86/kernel/acpi/sleep.c | 4 +
91287 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
91288 arch/x86/kernel/alternative.c | 65 +-
91289 arch/x86/kernel/apic/apic.c | 6 +-
91290 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
91291 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
91292 arch/x86/kernel/apic/es7000_32.c | 5 +-
91293 arch/x86/kernel/apic/io_apic.c | 8 +-
91294 arch/x86/kernel/apic/numaq_32.c | 3 +-
91295 arch/x86/kernel/apic/probe_32.c | 2 +-
91296 arch/x86/kernel/apic/summit_32.c | 2 +-
91297 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
91298 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
91299 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
91300 arch/x86/kernel/apm_32.c | 19 +-
91301 arch/x86/kernel/asm-offsets.c | 20 +
91302 arch/x86/kernel/asm-offsets_64.c | 1 +
91303 arch/x86/kernel/cpu/Makefile | 4 -
91304 arch/x86/kernel/cpu/amd.c | 2 +-
91305 arch/x86/kernel/cpu/common.c | 75 +-
91306 arch/x86/kernel/cpu/intel.c | 2 +-
91307 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
91308 arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
91309 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
91310 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
91311 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
91312 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
91313 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
91314 arch/x86/kernel/cpu/perf_event.c | 4 +-
91315 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
91316 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
91317 arch/x86/kernel/cpuid.c | 2 +-
91318 arch/x86/kernel/crash.c | 4 +-
91319 arch/x86/kernel/doublefault_32.c | 8 +-
91320 arch/x86/kernel/dumpstack.c | 30 +-
91321 arch/x86/kernel/dumpstack_32.c | 34 +-
91322 arch/x86/kernel/dumpstack_64.c | 63 +-
91323 arch/x86/kernel/early_printk.c | 1 +
91324 arch/x86/kernel/entry_32.S | 354 ++-
91325 arch/x86/kernel/entry_64.S | 512 +++-
91326 arch/x86/kernel/ftrace.c | 14 +-
91327 arch/x86/kernel/head32.c | 4 +-
91328 arch/x86/kernel/head_32.S | 237 ++-
91329 arch/x86/kernel/head_64.S | 158 +-
91330 arch/x86/kernel/i386_ksyms_32.c | 8 +
91331 arch/x86/kernel/i387.c | 2 +-
91332 arch/x86/kernel/i8259.c | 2 +-
91333 arch/x86/kernel/ioport.c | 2 +-
91334 arch/x86/kernel/irq.c | 10 +-
91335 arch/x86/kernel/irq_32.c | 69 +-
91336 arch/x86/kernel/irq_64.c | 2 +-
91337 arch/x86/kernel/kdebugfs.c | 2 +-
91338 arch/x86/kernel/kgdb.c | 25 +-
91339 arch/x86/kernel/kprobes-opt.c | 12 +-
91340 arch/x86/kernel/kprobes.c | 30 +-
91341 arch/x86/kernel/kvm.c | 2 +-
91342 arch/x86/kernel/ldt.c | 31 +-
91343 arch/x86/kernel/machine_kexec_32.c | 6 +-
91344 arch/x86/kernel/microcode_core.c | 2 +-
91345 arch/x86/kernel/microcode_intel.c | 4 +-
91346 arch/x86/kernel/module.c | 76 +-
91347 arch/x86/kernel/msr.c | 2 +-
91348 arch/x86/kernel/nmi.c | 11 +
91349 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
91350 arch/x86/kernel/paravirt.c | 43 +-
91351 arch/x86/kernel/pci-iommu_table.c | 2 +-
91352 arch/x86/kernel/process.c | 57 +-
91353 arch/x86/kernel/process_32.c | 29 +-
91354 arch/x86/kernel/process_64.c | 15 +-
91355 arch/x86/kernel/ptrace.c | 25 +-
91356 arch/x86/kernel/pvclock.c | 8 +-
91357 arch/x86/kernel/reboot.c | 44 +-
91358 arch/x86/kernel/relocate_kernel_64.S | 4 +-
91359 arch/x86/kernel/setup.c | 14 +-
91360 arch/x86/kernel/setup_percpu.c | 27 +-
91361 arch/x86/kernel/signal.c | 15 +-
91362 arch/x86/kernel/smp.c | 2 +-
91363 arch/x86/kernel/smpboot.c | 15 +-
91364 arch/x86/kernel/step.c | 10 +-
91365 arch/x86/kernel/sys_i386_32.c | 247 ++
91366 arch/x86/kernel/sys_x86_64.c | 19 +-
91367 arch/x86/kernel/tboot.c | 14 +-
91368 arch/x86/kernel/time.c | 10 +-
91369 arch/x86/kernel/tls.c | 7 +-
91370 arch/x86/kernel/traps.c | 64 +-
91371 arch/x86/kernel/uprobes.c | 2 +-
91372 arch/x86/kernel/vm86_32.c | 6 +-
91373 arch/x86/kernel/vmlinux.lds.S | 148 +-
91374 arch/x86/kernel/vsyscall_64.c | 12 +-
91375 arch/x86/kernel/x8664_ksyms_64.c | 2 -
91376 arch/x86/kernel/x86_init.c | 8 +-
91377 arch/x86/kernel/xsave.c | 2 +
91378 arch/x86/kvm/cpuid.c | 21 +-
91379 arch/x86/kvm/emulate.c | 4 +-
91380 arch/x86/kvm/lapic.c | 2 +-
91381 arch/x86/kvm/paging_tmpl.h | 2 +-
91382 arch/x86/kvm/svm.c | 8 +
91383 arch/x86/kvm/vmx.c | 47 +-
91384 arch/x86/kvm/x86.c | 10 +-
91385 arch/x86/lguest/boot.c | 3 +-
91386 arch/x86/lib/atomic64_386_32.S | 164 +
91387 arch/x86/lib/atomic64_cx8_32.S | 103 +-
91388 arch/x86/lib/checksum_32.S | 100 +-
91389 arch/x86/lib/clear_page_64.S | 5 +-
91390 arch/x86/lib/cmpxchg16b_emu.S | 2 +
91391 arch/x86/lib/copy_page_64.S | 24 +-
91392 arch/x86/lib/copy_user_64.S | 47 +-
91393 arch/x86/lib/copy_user_nocache_64.S | 20 +-
91394 arch/x86/lib/csum-copy_64.S | 2 +
91395 arch/x86/lib/csum-wrappers_64.c | 4 +-
91396 arch/x86/lib/getuser.S | 68 +-
91397 arch/x86/lib/insn.c | 6 +-
91398 arch/x86/lib/iomap_copy_64.S | 2 +
91399 arch/x86/lib/memcpy_64.S | 18 +-
91400 arch/x86/lib/memmove_64.S | 34 +-
91401 arch/x86/lib/memset_64.S | 7 +-
91402 arch/x86/lib/mmx_32.c | 243 +-
91403 arch/x86/lib/msr-reg.S | 18 +-
91404 arch/x86/lib/putuser.S | 90 +-
91405 arch/x86/lib/rwlock.S | 42 +
91406 arch/x86/lib/rwsem.S | 6 +-
91407 arch/x86/lib/thunk_64.S | 2 +
91408 arch/x86/lib/usercopy_32.c | 376 ++-
91409 arch/x86/lib/usercopy_64.c | 25 +-
91410 arch/x86/mm/extable.c | 25 +-
91411 arch/x86/mm/fault.c | 555 +++-
91412 arch/x86/mm/gup.c | 2 +-
91413 arch/x86/mm/highmem_32.c | 4 +
91414 arch/x86/mm/hugetlbpage.c | 30 +-
91415 arch/x86/mm/init.c | 92 +-
91416 arch/x86/mm/init_32.c | 122 +-
91417 arch/x86/mm/init_64.c | 48 +-
91418 arch/x86/mm/iomap_32.c | 4 +
91419 arch/x86/mm/ioremap.c | 12 +-
91420 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
91421 arch/x86/mm/mmap.c | 41 +-
91422 arch/x86/mm/mmio-mod.c | 10 +-
91423 arch/x86/mm/pageattr-test.c | 2 +-
91424 arch/x86/mm/pageattr.c | 33 +-
91425 arch/x86/mm/pat.c | 12 +-
91426 arch/x86/mm/pf_in.c | 10 +-
91427 arch/x86/mm/pgtable.c | 137 +-
91428 arch/x86/mm/pgtable_32.c | 3 +
91429 arch/x86/mm/setup_nx.c | 7 +
91430 arch/x86/mm/tlb.c | 4 +
91431 arch/x86/net/bpf_jit.S | 14 +
91432 arch/x86/net/bpf_jit_comp.c | 37 +-
91433 arch/x86/oprofile/backtrace.c | 8 +-
91434 arch/x86/pci/amd_bus.c | 2 +-
91435 arch/x86/pci/mrst.c | 4 +-
91436 arch/x86/pci/pcbios.c | 144 +-
91437 arch/x86/platform/efi/efi_32.c | 19 +
91438 arch/x86/platform/efi/efi_stub_32.S | 64 +-
91439 arch/x86/platform/efi/efi_stub_64.S | 8 +
91440 arch/x86/platform/mrst/mrst.c | 6 +-
91441 arch/x86/platform/olpc/olpc_dt.c | 2 +-
91442 arch/x86/power/cpu.c | 4 +-
91443 arch/x86/realmode/init.c | 8 +-
91444 arch/x86/realmode/rm/Makefile | 3 +
91445 arch/x86/realmode/rm/header.S | 4 +-
91446 arch/x86/realmode/rm/trampoline_32.S | 12 +-
91447 arch/x86/realmode/rm/trampoline_64.S | 2 +-
91448 arch/x86/tools/relocs.c | 95 +-
91449 arch/x86/vdso/Makefile | 2 +-
91450 arch/x86/vdso/vdso32-setup.c | 23 +-
91451 arch/x86/vdso/vma.c | 29 +-
91452 arch/x86/xen/enlighten.c | 47 +-
91453 arch/x86/xen/mmu.c | 9 +
91454 arch/x86/xen/smp.c | 18 +-
91455 arch/x86/xen/xen-asm_32.S | 12 +-
91456 arch/x86/xen/xen-head.S | 11 +
91457 arch/x86/xen/xen-ops.h | 2 -
91458 block/blk-iopoll.c | 4 +-
91459 block/blk-map.c | 2 +-
91460 block/blk-softirq.c | 4 +-
91461 block/bsg.c | 12 +-
91462 block/compat_ioctl.c | 2 +-
91463 block/partitions/efi.c | 8 +-
91464 block/scsi_ioctl.c | 27 +-
91465 crypto/cryptd.c | 4 +-
91466 drivers/acpi/apei/cper.c | 8 +-
91467 drivers/acpi/ec_sys.c | 12 +-
91468 drivers/acpi/processor_driver.c | 2 +-
91469 drivers/ata/libata-core.c | 8 +-
91470 drivers/ata/pata_arasan_cf.c | 4 +-
91471 drivers/atm/adummy.c | 2 +-
91472 drivers/atm/ambassador.c | 8 +-
91473 drivers/atm/atmtcp.c | 14 +-
91474 drivers/atm/eni.c | 10 +-
91475 drivers/atm/firestream.c | 8 +-
91476 drivers/atm/fore200e.c | 14 +-
91477 drivers/atm/he.c | 18 +-
91478 drivers/atm/horizon.c | 4 +-
91479 drivers/atm/idt77252.c | 36 +-
91480 drivers/atm/iphase.c | 34 +-
91481 drivers/atm/lanai.c | 12 +-
91482 drivers/atm/nicstar.c | 46 +-
91483 drivers/atm/solos-pci.c | 4 +-
91484 drivers/atm/suni.c | 4 +-
91485 drivers/atm/uPD98402.c | 16 +-
91486 drivers/atm/zatm.c | 6 +-
91487 drivers/base/devtmpfs.c | 2 +-
91488 drivers/base/power/wakeup.c | 8 +-
91489 drivers/block/cciss.c | 28 +-
91490 drivers/block/cciss.h | 2 +-
91491 drivers/block/cpqarray.c | 28 +-
91492 drivers/block/cpqarray.h | 2 +-
91493 drivers/block/drbd/drbd_int.h | 6 +-
91494 drivers/block/drbd/drbd_main.c | 8 +-
91495 drivers/block/drbd/drbd_receiver.c | 18 +-
91496 drivers/block/loop.c | 2 +-
91497 drivers/cdrom/cdrom.c | 9 +-
91498 drivers/cdrom/gdrom.c | 1 -
91499 drivers/char/agp/frontend.c | 2 +-
91500 drivers/char/hpet.c | 2 +-
91501 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
91502 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
91503 drivers/char/mem.c | 41 +-
91504 drivers/char/nvram.c | 2 +-
91505 drivers/char/pcmcia/synclink_cs.c | 18 +-
91506 drivers/char/random.c | 8 +-
91507 drivers/char/sonypi.c | 9 +-
91508 drivers/char/tpm/tpm.c | 2 +-
91509 drivers/char/tpm/tpm_acpi.c | 3 +-
91510 drivers/char/tpm/tpm_eventlog.c | 7 +-
91511 drivers/char/virtio_console.c | 4 +-
91512 drivers/clocksource/arm_generic.c | 2 +-
91513 drivers/cpufreq/cpufreq.c | 2 +-
91514 drivers/cpufreq/cpufreq_stats.c | 2 +-
91515 drivers/dma/sh/shdma.c | 2 +-
91516 drivers/edac/edac_pci_sysfs.c | 20 +-
91517 drivers/edac/mce_amd.h | 2 +-
91518 drivers/firewire/core-card.c | 2 +-
91519 drivers/firewire/core-cdev.c | 3 +-
91520 drivers/firewire/core-transaction.c | 1 +
91521 drivers/firewire/core.h | 1 +
91522 drivers/firmware/dmi_scan.c | 7 +-
91523 drivers/firmware/efivars.c | 2 +-
91524 drivers/gpio/gpio-vr41xx.c | 2 +-
91525 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
91526 drivers/gpu/drm/drm_drv.c | 4 +-
91527 drivers/gpu/drm/drm_fops.c | 18 +-
91528 drivers/gpu/drm/drm_global.c | 14 +-
91529 drivers/gpu/drm/drm_info.c | 14 +-
91530 drivers/gpu/drm/drm_ioc32.c | 4 +-
91531 drivers/gpu/drm/drm_ioctl.c | 2 +-
91532 drivers/gpu/drm/drm_lock.c | 4 +-
91533 drivers/gpu/drm/drm_stub.c | 2 +-
91534 drivers/gpu/drm/i810/i810_dma.c | 8 +-
91535 drivers/gpu/drm/i810/i810_drv.h | 4 +-
91536 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
91537 drivers/gpu/drm/i915/i915_dma.c | 2 +-
91538 drivers/gpu/drm/i915/i915_drv.h | 6 +-
91539 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
91540 drivers/gpu/drm/i915/i915_irq.c | 22 +-
91541 drivers/gpu/drm/i915/intel_display.c | 9 +-
91542 drivers/gpu/drm/mga/mga_drv.h | 4 +-
91543 drivers/gpu/drm/mga/mga_irq.c | 8 +-
91544 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
91545 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
91546 drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
91547 drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
91548 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
91549 drivers/gpu/drm/r128/r128_cce.c | 2 +-
91550 drivers/gpu/drm/r128/r128_drv.h | 4 +-
91551 drivers/gpu/drm/r128/r128_irq.c | 4 +-
91552 drivers/gpu/drm/r128/r128_state.c | 4 +-
91553 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
91554 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
91555 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
91556 drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
91557 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
91558 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
91559 drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
91560 drivers/gpu/drm/radeon/rs690.c | 4 +-
91561 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
91562 drivers/gpu/drm/via/via_drv.h | 4 +-
91563 drivers/gpu/drm/via/via_irq.c | 18 +-
91564 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
91565 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
91566 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
91567 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
91568 drivers/hid/hid-core.c | 4 +-
91569 drivers/hv/channel.c | 4 +-
91570 drivers/hv/hv.c | 2 +-
91571 drivers/hv/hyperv_vmbus.h | 2 +-
91572 drivers/hv/vmbus_drv.c | 4 +-
91573 drivers/hwmon/coretemp.c | 2 +-
91574 drivers/hwmon/sht15.c | 12 +-
91575 drivers/hwmon/via-cputemp.c | 2 +-
91576 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
91577 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
91578 drivers/ide/ide-cd.c | 2 +-
91579 drivers/infiniband/core/cm.c | 32 +-
91580 drivers/infiniband/core/fmr_pool.c | 20 +-
91581 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
91582 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
91583 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
91584 drivers/infiniband/hw/nes/nes.c | 4 +-
91585 drivers/infiniband/hw/nes/nes.h | 40 +-
91586 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
91587 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
91588 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
91589 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
91590 drivers/infiniband/hw/qib/qib.h | 1 +
91591 drivers/input/gameport/gameport.c | 4 +-
91592 drivers/input/input.c | 4 +-
91593 drivers/input/joystick/sidewinder.c | 1 +
91594 drivers/input/joystick/xpad.c | 4 +-
91595 drivers/input/mousedev.c | 2 +-
91596 drivers/input/serio/serio.c | 4 +-
91597 drivers/isdn/capi/capi.c | 10 +-
91598 drivers/isdn/gigaset/interface.c | 8 +-
91599 drivers/isdn/hardware/avm/b1.c | 4 +-
91600 drivers/isdn/i4l/isdn_tty.c | 22 +-
91601 drivers/isdn/icn/icn.c | 2 +-
91602 drivers/lguest/core.c | 10 +-
91603 drivers/lguest/x86/core.c | 12 +-
91604 drivers/lguest/x86/switcher_32.S | 27 +-
91605 drivers/md/bitmap.c | 2 +-
91606 drivers/md/dm-ioctl.c | 2 +-
91607 drivers/md/dm-raid1.c | 16 +-
91608 drivers/md/dm-stripe.c | 10 +-
91609 drivers/md/dm-table.c | 2 +-
91610 drivers/md/dm-thin-metadata.c | 4 +-
91611 drivers/md/dm.c | 16 +-
91612 drivers/md/md.c | 26 +-
91613 drivers/md/md.h | 6 +-
91614 drivers/md/persistent-data/dm-space-map.h | 1 +
91615 drivers/md/raid1.c | 4 +-
91616 drivers/md/raid10.c | 16 +-
91617 drivers/md/raid5.c | 10 +-
91618 drivers/media/dvb-core/dvbdev.c | 2 +-
91619 drivers/media/dvb-frontends/dib3000.h | 2 +-
91620 drivers/media/platform/omap/omap_vout.c | 11 +-
91621 drivers/media/platform/s5p-tv/mixer.h | 2 +-
91622 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
91623 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
91624 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
91625 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
91626 drivers/media/radio/radio-cadet.c | 2 +
91627 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
91628 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
91629 drivers/message/fusion/mptsas.c | 34 +-
91630 drivers/message/fusion/mptscsih.c | 19 +-
91631 drivers/message/i2o/i2o_proc.c | 51 +-
91632 drivers/message/i2o/iop.c | 8 +-
91633 drivers/mfd/janz-cmodio.c | 1 +
91634 drivers/misc/kgdbts.c | 4 +-
91635 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
91636 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
91637 drivers/misc/sgi-gru/gruhandles.c | 4 +-
91638 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
91639 drivers/misc/sgi-gru/grutables.h | 154 +-
91640 drivers/misc/sgi-xp/xp.h | 2 +-
91641 drivers/misc/sgi-xp/xpc.h | 3 +-
91642 drivers/misc/sgi-xp/xpc_main.c | 4 +-
91643 drivers/mmc/core/mmc_ops.c | 2 +-
91644 drivers/mmc/host/dw_mmc.h | 2 +-
91645 drivers/mmc/host/sdhci-s3c.c | 8 +-
91646 drivers/mtd/devices/doc2000.c | 2 +-
91647 drivers/mtd/nand/denali.c | 1 +
91648 drivers/mtd/nftlmount.c | 1 +
91649 drivers/net/ethernet/8390/ax88796.c | 4 +-
91650 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
91651 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
91652 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
91653 drivers/net/ethernet/broadcom/tg3.h | 1 +
91654 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
91655 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
91656 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
91657 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
91658 drivers/net/ethernet/faraday/ftmac100.c | 2 +
91659 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
91660 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
91661 drivers/net/ethernet/realtek/r8169.c | 8 +-
91662 drivers/net/ethernet/sfc/ptp.c | 2 +-
91663 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
91664 drivers/net/hyperv/hyperv_net.h | 2 +-
91665 drivers/net/hyperv/rndis_filter.c | 4 +-
91666 drivers/net/ieee802154/fakehard.c | 2 +-
91667 drivers/net/macvlan.c | 2 +-
91668 drivers/net/macvtap.c | 2 +-
91669 drivers/net/ppp/ppp_generic.c | 4 +-
91670 drivers/net/team/team.c | 2 +-
91671 drivers/net/tun.c | 5 +-
91672 drivers/net/usb/hso.c | 23 +-
91673 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
91674 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
91675 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
91676 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
91677 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
91678 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
91679 drivers/net/wireless/mac80211_hwsim.c | 32 +-
91680 drivers/net/wireless/rndis_wlan.c | 2 +-
91681 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
91682 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
91683 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
91684 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
91685 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
91686 drivers/oprofile/buffer_sync.c | 8 +-
91687 drivers/oprofile/event_buffer.c | 2 +-
91688 drivers/oprofile/oprof.c | 2 +-
91689 drivers/oprofile/oprofile_stats.c | 10 +-
91690 drivers/oprofile/oprofile_stats.h | 10 +-
91691 drivers/oprofile/oprofilefs.c | 2 +-
91692 drivers/oprofile/timer_int.c | 2 +-
91693 drivers/parport/procfs.c | 4 +-
91694 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
91695 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
91696 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
91697 drivers/pci/pcie/aspm.c | 6 +-
91698 drivers/pci/probe.c | 2 +-
91699 drivers/platform/x86/thinkpad_acpi.c | 70 +-
91700 drivers/pnp/pnpbios/bioscalls.c | 14 +-
91701 drivers/pnp/resource.c | 4 +-
91702 drivers/power/pda_power.c | 7 +-
91703 drivers/regulator/max8660.c | 6 +-
91704 drivers/regulator/max8973-regulator.c | 8 +-
91705 drivers/regulator/mc13892-regulator.c | 6 +-
91706 drivers/scsi/bfa/bfa.h | 2 +-
91707 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
91708 drivers/scsi/bfa/bfa_ioc.h | 4 +-
91709 drivers/scsi/hosts.c | 4 +-
91710 drivers/scsi/hpsa.c | 30 +-
91711 drivers/scsi/hpsa.h | 2 +-
91712 drivers/scsi/libfc/fc_exch.c | 50 +-
91713 drivers/scsi/libsas/sas_ata.c | 2 +-
91714 drivers/scsi/lpfc/lpfc.h | 8 +-
91715 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
91716 drivers/scsi/lpfc/lpfc_init.c | 6 +-
91717 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
91718 drivers/scsi/pmcraid.c | 20 +-
91719 drivers/scsi/pmcraid.h | 8 +-
91720 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
91721 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
91722 drivers/scsi/qla2xxx/qla_os.c | 6 +-
91723 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
91724 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
91725 drivers/scsi/scsi.c | 2 +-
91726 drivers/scsi/scsi_lib.c | 6 +-
91727 drivers/scsi/scsi_sysfs.c | 2 +-
91728 drivers/scsi/scsi_tgt_lib.c | 2 +-
91729 drivers/scsi/scsi_transport_fc.c | 8 +-
91730 drivers/scsi/scsi_transport_iscsi.c | 6 +-
91731 drivers/scsi/scsi_transport_srp.c | 6 +-
91732 drivers/scsi/sd.c | 2 +-
91733 drivers/scsi/sg.c | 2 +-
91734 drivers/spi/spi.c | 2 +-
91735 drivers/staging/octeon/ethernet-rx.c | 12 +-
91736 drivers/staging/octeon/ethernet.c | 8 +-
91737 drivers/staging/ramster/tmem.c | 54 +-
91738 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
91739 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
91740 drivers/staging/usbip/vhci.h | 2 +-
91741 drivers/staging/usbip/vhci_hcd.c | 6 +-
91742 drivers/staging/usbip/vhci_rx.c | 2 +-
91743 drivers/staging/vt6655/hostap.c | 7 +-
91744 drivers/staging/vt6656/hostap.c | 7 +-
91745 drivers/staging/zcache/tmem.c | 4 +-
91746 drivers/staging/zcache/tmem.h | 2 +
91747 drivers/target/target_core_device.c | 2 +-
91748 drivers/target/target_core_transport.c | 2 +-
91749 drivers/tty/cyclades.c | 6 +-
91750 drivers/tty/hvc/hvc_console.c | 14 +-
91751 drivers/tty/hvc/hvcs.c | 21 +-
91752 drivers/tty/ipwireless/tty.c | 27 +-
91753 drivers/tty/moxa.c | 2 +-
91754 drivers/tty/n_gsm.c | 4 +-
91755 drivers/tty/n_tty.c | 3 +-
91756 drivers/tty/pty.c | 4 +-
91757 drivers/tty/rocket.c | 6 +-
91758 drivers/tty/serial/kgdboc.c | 32 +-
91759 drivers/tty/serial/samsung.c | 9 +-
91760 drivers/tty/serial/serial_core.c | 8 +-
91761 drivers/tty/synclink.c | 34 +-
91762 drivers/tty/synclink_gt.c | 28 +-
91763 drivers/tty/synclinkmp.c | 34 +-
91764 drivers/tty/tty_io.c | 2 +-
91765 drivers/tty/tty_ldisc.c | 10 +-
91766 drivers/tty/tty_port.c | 22 +-
91767 drivers/uio/uio.c | 21 +-
91768 drivers/usb/atm/cxacru.c | 2 +-
91769 drivers/usb/atm/usbatm.c | 24 +-
91770 drivers/usb/core/devices.c | 6 +-
91771 drivers/usb/core/hcd.c | 4 +-
91772 drivers/usb/core/sysfs.c | 2 +-
91773 drivers/usb/core/usb.c | 2 +-
91774 drivers/usb/early/ehci-dbgp.c | 16 +-
91775 drivers/usb/gadget/u_serial.c | 22 +-
91776 drivers/usb/serial/console.c | 6 +-
91777 drivers/usb/wusbcore/wa-hc.h | 4 +-
91778 drivers/usb/wusbcore/wa-xfer.c | 2 +-
91779 drivers/video/aty/aty128fb.c | 2 +-
91780 drivers/video/fbcmap.c | 3 +-
91781 drivers/video/fbmem.c | 6 +-
91782 drivers/video/i810/i810_accel.c | 1 +
91783 drivers/video/udlfb.c | 32 +-
91784 drivers/video/uvesafb.c | 39 +-
91785 drivers/video/vesafb.c | 51 +-
91786 drivers/video/via/via_clock.h | 2 +-
91787 fs/9p/vfs_inode.c | 2 +-
91788 fs/Kconfig.binfmt | 2 +-
91789 fs/aio.c | 11 +-
91790 fs/autofs4/waitq.c | 2 +-
91791 fs/befs/linuxvfs.c | 2 +-
91792 fs/binfmt_aout.c | 23 +-
91793 fs/binfmt_elf.c | 604 ++++-
91794 fs/binfmt_flat.c | 6 +
91795 fs/bio.c | 6 +-
91796 fs/block_dev.c | 2 +-
91797 fs/btrfs/ctree.c | 9 +-
91798 fs/btrfs/relocation.c | 2 +-
91799 fs/btrfs/super.c | 2 +-
91800 fs/cachefiles/bind.c | 6 +-
91801 fs/cachefiles/daemon.c | 8 +-
91802 fs/cachefiles/internal.h | 12 +-
91803 fs/cachefiles/namei.c | 2 +-
91804 fs/cachefiles/proc.c | 12 +-
91805 fs/cachefiles/rdwr.c | 2 +-
91806 fs/ceph/dir.c | 2 +-
91807 fs/cifs/cifs_debug.c | 12 +-
91808 fs/cifs/cifsfs.c | 8 +-
91809 fs/cifs/cifsglob.h | 54 +-
91810 fs/cifs/link.c | 2 +-
91811 fs/cifs/misc.c | 4 +-
91812 fs/cifs/smb1ops.c | 80 +-
91813 fs/cifs/smb2ops.c | 84 +-
91814 fs/cifs/smb2pdu.c | 3 +-
91815 fs/coda/cache.c | 10 +-
91816 fs/compat.c | 6 +-
91817 fs/compat_binfmt_elf.c | 2 +
91818 fs/compat_ioctl.c | 8 +-
91819 fs/configfs/dir.c | 10 +-
91820 fs/coredump.c | 24 +-
91821 fs/dcache.c | 2 +-
91822 fs/ecryptfs/inode.c | 4 +-
91823 fs/ecryptfs/miscdev.c | 2 +-
91824 fs/ecryptfs/read_write.c | 4 +-
91825 fs/exec.c | 356 ++-
91826 fs/ext4/ext4.h | 20 +-
91827 fs/ext4/mballoc.c | 44 +-
91828 fs/fhandle.c | 3 +-
91829 fs/fifo.c | 22 +-
91830 fs/fs_struct.c | 8 +-
91831 fs/fscache/cookie.c | 36 +-
91832 fs/fscache/internal.h | 196 +-
91833 fs/fscache/object.c | 28 +-
91834 fs/fscache/operation.c | 30 +-
91835 fs/fscache/page.c | 110 +-
91836 fs/fscache/stats.c | 344 +-
91837 fs/fuse/cuse.c | 10 +-
91838 fs/fuse/dev.c | 2 +-
91839 fs/fuse/dir.c | 2 +-
91840 fs/gfs2/inode.c | 2 +-
91841 fs/hugetlbfs/inode.c | 13 +-
91842 fs/inode.c | 4 +-
91843 fs/jffs2/erase.c | 3 +-
91844 fs/jffs2/wbuf.c | 3 +-
91845 fs/jfs/super.c | 2 +-
91846 fs/libfs.c | 10 +-
91847 fs/lockd/clntproc.c | 4 +-
91848 fs/locks.c | 8 +-
91849 fs/namei.c | 15 +-
91850 fs/namespace.c | 2 +-
91851 fs/nfs/inode.c | 6 +-
91852 fs/nfsd/vfs.c | 6 +-
91853 fs/notify/fanotify/fanotify_user.c | 4 +-
91854 fs/notify/notification.c | 4 +-
91855 fs/ntfs/dir.c | 2 +-
91856 fs/ntfs/file.c | 4 +-
91857 fs/ocfs2/localalloc.c | 2 +-
91858 fs/ocfs2/ocfs2.h | 10 +-
91859 fs/ocfs2/suballoc.c | 12 +-
91860 fs/ocfs2/super.c | 20 +-
91861 fs/pipe.c | 33 +-
91862 fs/proc/array.c | 20 +
91863 fs/proc/kcore.c | 32 +-
91864 fs/proc/meminfo.c | 2 +-
91865 fs/proc/nommu.c | 2 +-
91866 fs/proc/self.c | 2 +-
91867 fs/proc/task_mmu.c | 39 +-
91868 fs/proc/task_nommu.c | 4 +-
91869 fs/quota/netlink.c | 4 +-
91870 fs/readdir.c | 2 +-
91871 fs/reiserfs/do_balan.c | 2 +-
91872 fs/reiserfs/procfs.c | 2 +-
91873 fs/reiserfs/reiserfs.h | 4 +-
91874 fs/seq_file.c | 2 +-
91875 fs/splice.c | 36 +-
91876 fs/sysfs/file.c | 10 +-
91877 fs/sysfs/symlink.c | 2 +-
91878 fs/udf/misc.c | 2 +-
91879 fs/xattr_acl.c | 4 +-
91880 fs/xfs/xfs_bmap.c | 2 +-
91881 fs/xfs/xfs_dir2_sf.c | 10 +-
91882 fs/xfs/xfs_ioctl.c | 2 +-
91883 fs/xfs/xfs_iops.c | 2 +-
91884 include/asm-generic/4level-fixup.h | 2 +
91885 include/asm-generic/atomic-long.h | 210 ++
91886 include/asm-generic/atomic.h | 2 +-
91887 include/asm-generic/atomic64.h | 12 +
91888 include/asm-generic/cache.h | 4 +-
91889 include/asm-generic/emergency-restart.h | 2 +-
91890 include/asm-generic/kmap_types.h | 4 +-
91891 include/asm-generic/local.h | 13 +
91892 include/asm-generic/pgtable-nopmd.h | 18 +-
91893 include/asm-generic/pgtable-nopud.h | 15 +-
91894 include/asm-generic/pgtable.h | 8 +
91895 include/asm-generic/vmlinux.lds.h | 10 +-
91896 include/crypto/algapi.h | 2 +-
91897 include/drm/drmP.h | 5 +-
91898 include/drm/drm_crtc_helper.h | 2 +-
91899 include/drm/ttm/ttm_memory.h | 2 +-
91900 include/linux/atmdev.h | 2 +-
91901 include/linux/binfmts.h | 1 +
91902 include/linux/blkdev.h | 2 +-
91903 include/linux/blktrace_api.h | 2 +-
91904 include/linux/cache.h | 4 +
91905 include/linux/cdrom.h | 1 -
91906 include/linux/cleancache.h | 2 +-
91907 include/linux/compiler-gcc4.h | 20 +
91908 include/linux/compiler.h | 72 +-
91909 include/linux/cpu.h | 2 +-
91910 include/linux/crypto.h | 6 +-
91911 include/linux/decompress/mm.h | 2 +-
91912 include/linux/dma-mapping.h | 2 +-
91913 include/linux/dmaengine.h | 4 +-
91914 include/linux/efi.h | 1 +
91915 include/linux/elf.h | 2 +
91916 include/linux/filter.h | 4 +
91917 include/linux/frontswap.h | 2 +-
91918 include/linux/fs.h | 3 +-
91919 include/linux/fs_struct.h | 2 +-
91920 include/linux/fscache-cache.h | 4 +-
91921 include/linux/fsnotify.h | 2 +-
91922 include/linux/ftrace_event.h | 2 +-
91923 include/linux/genhd.h | 2 +-
91924 include/linux/gfp.h | 12 +-
91925 include/linux/highmem.h | 12 +
91926 include/linux/i2c.h | 1 +
91927 include/linux/i2o.h | 2 +-
91928 include/linux/if_pppox.h | 2 +-
91929 include/linux/init.h | 33 +-
91930 include/linux/init_task.h | 7 +
91931 include/linux/interrupt.h | 8 +-
91932 include/linux/kgdb.h | 6 +-
91933 include/linux/kobject.h | 2 +-
91934 include/linux/kref.h | 2 +-
91935 include/linux/kvm_host.h | 4 +-
91936 include/linux/libata.h | 2 +-
91937 include/linux/list.h | 3 +
91938 include/linux/mm.h | 91 +-
91939 include/linux/mm_types.h | 22 +-
91940 include/linux/mmiotrace.h | 4 +-
91941 include/linux/mmzone.h | 2 +-
91942 include/linux/mod_devicetable.h | 4 +-
91943 include/linux/module.h | 55 +-
91944 include/linux/moduleloader.h | 18 +-
91945 include/linux/moduleparam.h | 4 +-
91946 include/linux/namei.h | 6 +-
91947 include/linux/netdevice.h | 3 +-
91948 include/linux/netfilter/ipset/ip_set.h | 2 +-
91949 include/linux/netfilter/nfnetlink.h | 2 +-
91950 include/linux/notifier.h | 3 +-
91951 include/linux/oprofile.h | 4 +-
91952 include/linux/perf_event.h | 10 +-
91953 include/linux/pipe_fs_i.h | 6 +-
91954 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
91955 include/linux/pm_runtime.h | 2 +-
91956 include/linux/poison.h | 4 +-
91957 include/linux/power/smartreflex.h | 2 +-
91958 include/linux/random.h | 5 +
91959 include/linux/reboot.h | 14 +-
91960 include/linux/regset.h | 3 +-
91961 include/linux/relay.h | 2 +-
91962 include/linux/rio.h | 2 +-
91963 include/linux/rmap.h | 4 +-
91964 include/linux/sched.h | 64 +-
91965 include/linux/seq_file.h | 1 +
91966 include/linux/skbuff.h | 12 +-
91967 include/linux/slab.h | 36 +-
91968 include/linux/slab_def.h | 33 +-
91969 include/linux/slob_def.h | 4 +-
91970 include/linux/slub_def.h | 10 +-
91971 include/linux/sonet.h | 2 +-
91972 include/linux/sunrpc/clnt.h | 8 +-
91973 include/linux/sunrpc/svc_rdma.h | 18 +-
91974 include/linux/sysrq.h | 2 +-
91975 include/linux/thread_info.h | 7 +
91976 include/linux/tty.h | 4 +-
91977 include/linux/tty_driver.h | 2 +-
91978 include/linux/tty_ldisc.h | 2 +-
91979 include/linux/types.h | 16 +
91980 include/linux/uaccess.h | 6 +-
91981 include/linux/unaligned/access_ok.h | 12 +-
91982 include/linux/usb.h | 2 +-
91983 include/linux/usb/renesas_usbhs.h | 2 +-
91984 include/linux/vermagic.h | 21 +-
91985 include/linux/vmalloc.h | 11 +-
91986 include/linux/vmstat.h | 20 +-
91987 include/media/v4l2-dev.h | 2 +-
91988 include/media/v4l2-ioctl.h | 1 -
91989 include/net/caif/cfctrl.h | 6 +-
91990 include/net/flow.h | 2 +-
91991 include/net/gro_cells.h | 6 +-
91992 include/net/inet_connection_sock.h | 2 +-
91993 include/net/inetpeer.h | 8 +-
91994 include/net/ip_fib.h | 2 +-
91995 include/net/ip_vs.h | 4 +-
91996 include/net/irda/ircomm_tty.h | 1 +
91997 include/net/iucv/af_iucv.h | 2 +-
91998 include/net/neighbour.h | 2 +-
91999 include/net/net_namespace.h | 6 +-
92000 include/net/netdma.h | 2 +-
92001 include/net/netlink.h | 2 +-
92002 include/net/netns/ipv4.h | 2 +-
92003 include/net/protocol.h | 4 +-
92004 include/net/sctp/sctp.h | 6 +-
92005 include/net/sctp/structs.h | 4 +-
92006 include/net/sock.h | 6 +-
92007 include/net/tcp.h | 8 +-
92008 include/net/xfrm.h | 4 +-
92009 include/rdma/iw_cm.h | 2 +-
92010 include/scsi/libfc.h | 3 +-
92011 include/scsi/scsi_device.h | 6 +-
92012 include/scsi/scsi_transport_fc.h | 3 +-
92013 include/sound/soc.h | 4 +-
92014 include/target/target_core_base.h | 2 +-
92015 include/trace/events/irq.h | 4 +-
92016 include/uapi/linux/a.out.h | 8 +
92017 include/uapi/linux/byteorder/little_endian.h | 24 +-
92018 include/uapi/linux/elf.h | 28 +
92019 include/uapi/linux/screen_info.h | 3 +-
92020 include/uapi/linux/sysctl.h | 6 +-
92021 include/uapi/linux/xattr.h | 4 +
92022 include/video/udlfb.h | 8 +-
92023 include/video/uvesafb.h | 1 +
92024 init/Kconfig | 2 +-
92025 init/Makefile | 3 +
92026 init/do_mounts.c | 14 +-
92027 init/do_mounts.h | 8 +-
92028 init/do_mounts_initrd.c | 22 +-
92029 init/do_mounts_md.c | 6 +-
92030 init/init_task.c | 4 +
92031 init/initramfs.c | 40 +-
92032 init/main.c | 78 +-
92033 ipc/msg.c | 11 +-
92034 ipc/sem.c | 11 +-
92035 ipc/shm.c | 17 +-
92036 kernel/acct.c | 2 +-
92037 kernel/audit.c | 8 +-
92038 kernel/auditsc.c | 4 +-
92039 kernel/capability.c | 3 +
92040 kernel/compat.c | 40 +-
92041 kernel/debug/debug_core.c | 16 +-
92042 kernel/debug/kdb/kdb_main.c | 4 +-
92043 kernel/events/core.c | 28 +-
92044 kernel/exit.c | 4 +-
92045 kernel/fork.c | 167 +-
92046 kernel/futex.c | 9 +
92047 kernel/gcov/base.c | 7 +-
92048 kernel/hrtimer.c | 4 +-
92049 kernel/jump_label.c | 5 +
92050 kernel/kallsyms.c | 39 +-
92051 kernel/kexec.c | 3 +-
92052 kernel/kmod.c | 2 +-
92053 kernel/kprobes.c | 8 +-
92054 kernel/lockdep.c | 7 +-
92055 kernel/module.c | 333 ++-
92056 kernel/mutex-debug.c | 12 +-
92057 kernel/mutex-debug.h | 4 +-
92058 kernel/mutex.c | 7 +-
92059 kernel/notifier.c | 17 +-
92060 kernel/panic.c | 3 +-
92061 kernel/pid.c | 2 +-
92062 kernel/posix-cpu-timers.c | 4 +-
92063 kernel/posix-timers.c | 20 +-
92064 kernel/power/process.c | 12 +-
92065 kernel/profile.c | 14 +-
92066 kernel/ptrace.c | 6 +-
92067 kernel/rcutiny.c | 4 +-
92068 kernel/rcutiny_plugin.h | 2 +-
92069 kernel/rcutorture.c | 56 +-
92070 kernel/rcutree.c | 72 +-
92071 kernel/rcutree.h | 24 +-
92072 kernel/rcutree_plugin.h | 18 +-
92073 kernel/rcutree_trace.c | 22 +-
92074 kernel/rtmutex-tester.c | 24 +-
92075 kernel/sched/auto_group.c | 4 +-
92076 kernel/sched/core.c | 2 +-
92077 kernel/sched/fair.c | 4 +-
92078 kernel/signal.c | 12 +-
92079 kernel/smp.c | 2 +-
92080 kernel/softirq.c | 16 +-
92081 kernel/srcu.c | 6 +-
92082 kernel/stop_machine.c | 2 +-
92083 kernel/sys.c | 12 +-
92084 kernel/sysctl.c | 37 +-
92085 kernel/sysctl_binary.c | 14 +-
92086 kernel/time/alarmtimer.c | 2 +-
92087 kernel/time/tick-broadcast.c | 2 +-
92088 kernel/time/timer_stats.c | 10 +-
92089 kernel/timer.c | 4 +-
92090 kernel/trace/blktrace.c | 6 +-
92091 kernel/trace/ftrace.c | 20 +-
92092 kernel/trace/ring_buffer.c | 76 +-
92093 kernel/trace/trace.c | 6 +-
92094 kernel/trace/trace_events.c | 25 +-
92095 kernel/trace/trace_mmiotrace.c | 8 +-
92096 kernel/trace/trace_output.c | 12 +-
92097 kernel/trace/trace_stack.c | 2 +-
92098 lib/Makefile | 2 +-
92099 lib/bitmap.c | 8 +-
92100 lib/bug.c | 2 +
92101 lib/debugobjects.c | 2 +-
92102 lib/devres.c | 4 +-
92103 lib/dma-debug.c | 4 +-
92104 lib/inflate.c | 2 +-
92105 lib/ioremap.c | 4 +-
92106 lib/list_debug.c | 89 +-
92107 lib/radix-tree.c | 2 +-
92108 lib/strncpy_from_user.c | 2 +-
92109 lib/strnlen_user.c | 2 +-
92110 lib/vsprintf.c | 12 +-
92111 mm/Kconfig | 6 +-
92112 mm/filemap.c | 2 +-
92113 mm/fremap.c | 5 +
92114 mm/highmem.c | 7 +-
92115 mm/hugetlb.c | 54 +
92116 mm/internal.h | 1 +
92117 mm/maccess.c | 4 +-
92118 mm/madvise.c | 41 +
92119 mm/memory-failure.c | 18 +-
92120 mm/memory.c | 404 ++-
92121 mm/mempolicy.c | 26 +
92122 mm/mlock.c | 16 +-
92123 mm/mmap.c | 573 +++-
92124 mm/mprotect.c | 138 +-
92125 mm/mremap.c | 44 +-
92126 mm/nommu.c | 11 +-
92127 mm/page-writeback.c | 2 +-
92128 mm/page_alloc.c | 14 +-
92129 mm/percpu.c | 2 +-
92130 mm/process_vm_access.c | 14 +-
92131 mm/rmap.c | 38 +-
92132 mm/shmem.c | 19 +-
92133 mm/slab.c | 104 +-
92134 mm/slab.h | 5 +-
92135 mm/slab_common.c | 9 +-
92136 mm/slob.c | 200 +-
92137 mm/slub.c | 98 +-
92138 mm/sparse-vmemmap.c | 4 +-
92139 mm/sparse.c | 2 +-
92140 mm/swap.c | 3 +
92141 mm/swapfile.c | 12 +-
92142 mm/util.c | 6 +
92143 mm/vmalloc.c | 82 +-
92144 mm/vmstat.c | 12 +-
92145 net/8021q/vlan.c | 5 +-
92146 net/9p/trans_fd.c | 2 +-
92147 net/atm/atm_misc.c | 8 +-
92148 net/atm/lec.h | 2 +-
92149 net/atm/proc.c | 6 +-
92150 net/atm/resources.c | 4 +-
92151 net/batman-adv/bat_iv_ogm.c | 8 +-
92152 net/batman-adv/hard-interface.c | 4 +-
92153 net/batman-adv/soft-interface.c | 4 +-
92154 net/batman-adv/types.h | 6 +-
92155 net/batman-adv/unicast.c | 2 +-
92156 net/bluetooth/hci_sock.c | 2 +-
92157 net/bluetooth/l2cap_core.c | 6 +-
92158 net/bluetooth/l2cap_sock.c | 12 +-
92159 net/bluetooth/rfcomm/sock.c | 4 +-
92160 net/bluetooth/rfcomm/tty.c | 10 +-
92161 net/bridge/netfilter/ebtables.c | 6 +-
92162 net/caif/cfctrl.c | 11 +-
92163 net/can/af_can.c | 2 +-
92164 net/can/gw.c | 6 +-
92165 net/compat.c | 34 +-
92166 net/core/datagram.c | 2 +-
92167 net/core/dev.c | 16 +-
92168 net/core/flow.c | 8 +-
92169 net/core/iovec.c | 4 +-
92170 net/core/rtnetlink.c | 2 +-
92171 net/core/scm.c | 8 +-
92172 net/core/sock.c | 24 +-
92173 net/decnet/sysctl_net_decnet.c | 4 +-
92174 net/ipv4/ah4.c | 2 +-
92175 net/ipv4/esp4.c | 2 +-
92176 net/ipv4/fib_frontend.c | 6 +-
92177 net/ipv4/fib_semantics.c | 2 +-
92178 net/ipv4/inetpeer.c | 4 +-
92179 net/ipv4/ip_fragment.c | 2 +-
92180 net/ipv4/ip_sockglue.c | 2 +-
92181 net/ipv4/ipcomp.c | 2 +-
92182 net/ipv4/ipconfig.c | 6 +-
92183 net/ipv4/netfilter/arp_tables.c | 12 +-
92184 net/ipv4/netfilter/ip_tables.c | 12 +-
92185 net/ipv4/ping.c | 2 +-
92186 net/ipv4/raw.c | 14 +-
92187 net/ipv4/route.c | 2 +-
92188 net/ipv4/tcp_input.c | 2 +-
92189 net/ipv4/tcp_probe.c | 2 +-
92190 net/ipv4/udp.c | 10 +-
92191 net/ipv6/addrconf.c | 2 +-
92192 net/ipv6/ip6_gre.c | 2 +-
92193 net/ipv6/ipv6_sockglue.c | 2 +-
92194 net/ipv6/netfilter/ip6_tables.c | 12 +-
92195 net/ipv6/raw.c | 19 +-
92196 net/ipv6/udp.c | 8 +-
92197 net/irda/ircomm/ircomm_tty.c | 18 +-
92198 net/iucv/af_iucv.c | 4 +-
92199 net/iucv/iucv.c | 2 +-
92200 net/key/af_key.c | 4 +-
92201 net/mac80211/cfg.c | 4 +-
92202 net/mac80211/ieee80211_i.h | 3 +-
92203 net/mac80211/iface.c | 14 +-
92204 net/mac80211/main.c | 2 +-
92205 net/mac80211/pm.c | 6 +-
92206 net/mac80211/rate.c | 2 +-
92207 net/mac80211/rc80211_pid_debugfs.c | 2 +-
92208 net/mac80211/util.c | 2 +-
92209 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
92210 net/netfilter/ipvs/ip_vs_core.c | 4 +-
92211 net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
92212 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
92213 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
92214 net/netfilter/nfnetlink_log.c | 4 +-
92215 net/netfilter/xt_statistic.c | 8 +-
92216 net/netlink/af_netlink.c | 4 +-
92217 net/packet/af_packet.c | 12 +-
92218 net/phonet/pep.c | 6 +-
92219 net/phonet/socket.c | 2 +-
92220 net/rds/cong.c | 6 +-
92221 net/rds/ib.h | 2 +-
92222 net/rds/ib_cm.c | 2 +-
92223 net/rds/ib_recv.c | 4 +-
92224 net/rds/iw.h | 2 +-
92225 net/rds/iw_cm.c | 2 +-
92226 net/rds/iw_recv.c | 4 +-
92227 net/rds/tcp.c | 2 +-
92228 net/rds/tcp_send.c | 2 +-
92229 net/rxrpc/af_rxrpc.c | 2 +-
92230 net/rxrpc/ar-ack.c | 14 +-
92231 net/rxrpc/ar-call.c | 2 +-
92232 net/rxrpc/ar-connection.c | 2 +-
92233 net/rxrpc/ar-connevent.c | 2 +-
92234 net/rxrpc/ar-input.c | 4 +-
92235 net/rxrpc/ar-internal.h | 8 +-
92236 net/rxrpc/ar-local.c | 2 +-
92237 net/rxrpc/ar-output.c | 4 +-
92238 net/rxrpc/ar-peer.c | 2 +-
92239 net/rxrpc/ar-proc.c | 4 +-
92240 net/rxrpc/ar-transport.c | 2 +-
92241 net/rxrpc/rxkad.c | 4 +-
92242 net/sctp/ipv6.c | 2 +-
92243 net/sctp/protocol.c | 8 +-
92244 net/sctp/socket.c | 2 +
92245 net/socket.c | 34 +-
92246 net/sunrpc/sched.c | 4 +-
92247 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
92248 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
92249 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
92250 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
92251 net/tipc/link.c | 6 +-
92252 net/tipc/msg.c | 2 +-
92253 net/tipc/subscr.c | 2 +-
92254 net/wireless/wext-core.c | 19 +-
92255 net/xfrm/xfrm_policy.c | 16 +-
92256 net/xfrm/xfrm_state.c | 4 +-
92257 scripts/Makefile.build | 2 +-
92258 scripts/Makefile.clean | 3 +-
92259 scripts/Makefile.host | 28 +-
92260 scripts/basic/fixdep.c | 12 +-
92261 scripts/gcc-plugin.sh | 17 +
92262 scripts/link-vmlinux.sh | 2 +-
92263 scripts/mod/file2alias.c | 14 +-
92264 scripts/mod/modpost.c | 25 +-
92265 scripts/mod/modpost.h | 6 +-
92266 scripts/mod/sumversion.c | 2 +-
92267 scripts/pnmtologo.c | 6 +-
92268 security/Kconfig | 654 ++++-
92269 security/integrity/ima/ima.h | 4 +-
92270 security/integrity/ima/ima_api.c | 2 +-
92271 security/integrity/ima/ima_fs.c | 4 +-
92272 security/integrity/ima/ima_queue.c | 2 +-
92273 security/keys/compat.c | 2 +-
92274 security/keys/keyctl.c | 8 +-
92275 security/keys/keyring.c | 6 +-
92276 security/security.c | 9 +-
92277 security/selinux/hooks.c | 2 +-
92278 security/selinux/include/xfrm.h | 2 +-
92279 security/smack/smack_lsm.c | 2 +-
92280 security/tomoyo/tomoyo.c | 2 +-
92281 sound/aoa/codecs/onyx.c | 7 +-
92282 sound/aoa/codecs/onyx.h | 1 +
92283 sound/core/oss/pcm_oss.c | 18 +-
92284 sound/core/pcm_compat.c | 2 +-
92285 sound/core/pcm_native.c | 4 +-
92286 sound/core/seq/seq_device.c | 8 +-
92287 sound/drivers/mts64.c | 14 +-
92288 sound/drivers/opl4/opl4_lib.c | 2 +-
92289 sound/drivers/portman2x4.c | 3 +-
92290 sound/firewire/amdtp.c | 4 +-
92291 sound/firewire/amdtp.h | 2 +-
92292 sound/firewire/isight.c | 10 +-
92293 sound/firewire/scs1x.c | 8 +-
92294 sound/oss/sb_audio.c | 2 +-
92295 sound/oss/swarm_cs4297a.c | 6 +-
92296 sound/pci/ymfpci/ymfpci.h | 2 +-
92297 sound/pci/ymfpci/ymfpci_main.c | 12 +-
92298 tools/gcc/.gitignore | 1 +
92299 tools/gcc/Makefile | 43 +
92300 tools/gcc/checker_plugin.c | 171 +
92301 tools/gcc/colorize_plugin.c | 151 +
92302 tools/gcc/constify_plugin.c | 359 +++
92303 tools/gcc/generate_size_overflow_hash.sh | 94 +
92304 tools/gcc/kallocstat_plugin.c | 170 +
92305 tools/gcc/kernexec_plugin.c | 465 +++
92306 tools/gcc/latent_entropy_plugin.c | 321 ++
92307 tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
92308 tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
92309 tools/gcc/stackleak_plugin.c | 327 ++
92310 tools/perf/util/include/asm/alternative-asm.h | 3 +
92311 virt/kvm/kvm_main.c | 32 +-
92312 1311 files changed, 26668 insertions(+), 6394 deletions(-)
92313commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
92314Merge: 0949bd4 fc53d63
92315Author: Brad Spengler <spender@grsecurity.net>
92316Date: Thu Mar 22 19:03:44 2012 -0400
92317
92318 Merge branch 'pax-test' into grsec-test
92319
92320commit fc53d6338964741b368070ec5c935bc579b8c2a6
92321Author: Brad Spengler <spender@grsecurity.net>
92322Date: Thu Mar 22 19:02:45 2012 -0400
92323
92324 Update to pax-linux-3.2.12-test33.patch
92325
92326commit 0949bd46a6455b308f66ad7c993bfee62412db35
92327Author: Brad Spengler <spender@grsecurity.net>
92328Date: Thu Mar 22 16:56:09 2012 -0400
92329
92330 Use current_umask() instead of current->fs->umask
92331
92332commit 22f6432d0fe733619cfcb523782ed7d80c46d645
92333Author: Brad Spengler <spender@grsecurity.net>
92334Date: Wed Mar 21 19:42:42 2012 -0400
92335
92336 compile fix
92337
92338commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
92339Author: Brad Spengler <spender@grsecurity.net>
92340Date: Wed Mar 21 19:34:56 2012 -0400
92341
92342 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
92343 uses of domains with particular hash collisions
92344
92345commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
92346Author: Brad Spengler <spender@grsecurity.net>
92347Date: Tue Mar 20 20:25:49 2012 -0400
92348
92349 zero kernel_role
92350
92351commit b00953b43c69238d181d21121ef1577c988d5f6b
92352Author: Brad Spengler <spender@grsecurity.net>
92353Date: Tue Mar 20 19:29:34 2012 -0400
92354
92355 zero real_root after releasing it
92356
92357commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
92358Merge: b724f59 273f98e
92359Author: Brad Spengler <spender@grsecurity.net>
92360Date: Tue Mar 20 19:11:26 2012 -0400
92361
92362 Merge branch 'pax-test' into grsec-test
92363
92364commit 273f98e58cdac555d3b5dce5c1ca168349f95878
92365Author: Brad Spengler <spender@grsecurity.net>
92366Date: Tue Mar 20 19:10:52 2012 -0400
92367
92368 Temporary workaround for (most) size_overflow plugin false-positives
92369 Increase randomization for brk-managed heap to 21 bits
92370 Update to pax-linux-3.2.12-test32.patch
92371
92372commit b724f59125304460c2af8bd4b02921993afbb5d3
92373Author: Brad Spengler <spender@grsecurity.net>
92374Date: Tue Mar 20 18:58:53 2012 -0400
92375
92376 compile fix
92377
92378commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
92379Author: Brad Spengler <spender@grsecurity.net>
92380Date: Tue Mar 20 18:52:23 2012 -0400
92381
92382 Require default and kernel role
92383
92384commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
92385Author: Brad Spengler <spender@grsecurity.net>
92386Date: Tue Mar 20 18:47:28 2012 -0400
92387
92388 Allow policies without special roles
92389 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
92390
92391commit 402ec3d24d66d38403dc543c84851f5e72d39e22
92392Merge: 8e012dc f14661a
92393Author: Brad Spengler <spender@grsecurity.net>
92394Date: Mon Mar 19 18:06:59 2012 -0400
92395
92396 Merge branch 'pax-test' into grsec-test
92397
92398 Conflicts:
92399 fs/namei.c
92400
92401commit f14661aaf202155c97f66626cea0269017bb7775
92402Merge: eae671f 058b017
92403Author: Brad Spengler <spender@grsecurity.net>
92404Date: Mon Mar 19 18:05:44 2012 -0400
92405
92406 Merge branch 'linux-3.2.y' into pax-test
92407
92408commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
92409Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
92410Date: Fri Mar 16 17:08:39 2012 -0700
92411
92412 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
92413
92414 According to the report from Slicky Devil, nilfs caused kernel oops at
92415 nilfs_load_super_block function during mount after he shrank the
92416 partition without resizing the filesystem:
92417
92418 BUG: unable to handle kernel NULL pointer dereference at 00000048
92419 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
92420 *pde = 00000000
92421 Oops: 0000 [#1] PREEMPT SMP
92422 ...
92423 Call Trace:
92424 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
92425 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
92426 [<c0226636>] mount_fs+0x36/0x180
92427 [<c023d961>] vfs_kern_mount+0x51/0xa0
92428 [<c023ddae>] do_kern_mount+0x3e/0xe0
92429 [<c023f189>] do_mount+0x169/0x700
92430 [<c023fa9b>] sys_mount+0x6b/0xa0
92431 [<c04abd1f>] sysenter_do_call+0x12/0x28
92432 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
92433 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
92434 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
92435 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
92436 CR2: 0000000000000048
92437
92438 This turned out due to a defect in an error path which runs if the
92439 calculated location of the secondary super block was invalid.
92440
92441 This patch fixes it and eliminates the reported oops.
92442
92443 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
92444 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
92445 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
92446 Cc: <stable@vger.kernel.org> [2.6.30+]
92447 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
92448 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92449
92450commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
92451Author: Haogang Chen <haogangchen@gmail.com>
92452Date: Fri Mar 16 17:08:38 2012 -0700
92453
92454 nilfs2: clamp ns_r_segments_percentage to [1, 99]
92455
92456 ns_r_segments_percentage is read from the disk. Bogus or malicious
92457 value could cause integer overflow and malfunction due to meaningless
92458 disk usage calculation. This patch reports error when mounting such
92459 bogus volumes.
92460
92461 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
92462 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
92463 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
92464 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92465
92466commit e1a90645643f9b0194a5984ec8febd06360d5c8b
92467Author: Eric Dumazet <eric.dumazet@gmail.com>
92468Date: Sat Mar 10 09:20:21 2012 +0000
92469
92470 tcp: fix syncookie regression
92471
92472 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
92473 added a serious regression on synflood handling.
92474
92475 Simon Kirby discovered a successful connection was delayed by 20 seconds
92476 before being responsive.
92477
92478 In my tests, I discovered that xmit frames were lost, and needed ~4
92479 retransmits and a socket dst rebuild before being really sent.
92480
92481 In case of syncookie initiated connection, we use a different path to
92482 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
92483
92484 As ip_queue_xmit() now depends on inet flow being setup, fix this by
92485 copying the temp flowi4 we use in cookie_v4_check().
92486
92487 Reported-by: Simon Kirby <sim@netnation.com>
92488 Bisected-by: Simon Kirby <sim@netnation.com>
92489 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
92490 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
92491 Signed-off-by: David S. Miller <davem@davemloft.net>
92492
92493commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
92494Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
92495Date: Mon Mar 12 02:59:41 2012 +0000
92496
92497 tun: don't hold network namespace by tun sockets
92498
92499 v3: added previously removed sock_put() to the tun_release() callback, because
92500 sk_release_kernel() doesn't drop the socket reference.
92501
92502 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
92503 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
92504 call.
92505
92506 TUN was designed to destroy it's socket on network namesapce shutdown. But this
92507 will never happen for persistent device, because it's socket holds network
92508 namespace.
92509 This patch removes of holding network namespace by TUN socket and replaces it
92510 by creating socket in init_net and then changing it's net it to desired one. On
92511 shutdown socket is moved back to init_net prior to final put.
92512
92513 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
92514 Signed-off-by: David S. Miller <davem@davemloft.net>
92515
92516commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
92517Author: Tyler Hicks <tyhicks@canonical.com>
92518Date: Mon Dec 12 10:02:30 2011 -0600
92519
92520 vfs: Correctly set the dir i_mutex lockdep class
92521
92522 9a7aa12f3911853a introduced additional logic around setting the i_mutex
92523 lockdep class for directory inodes. The idea was that some filesystems
92524 may want their own special lockdep class for different directory
92525 inodes and calling unlock_new_inode() should not clobber one of
92526 those special classes.
92527
92528 I believe that the added conditional, around the *negated* return value
92529 of lockdep_match_class(), caused directory inodes to be placed in the
92530 wrong lockdep class.
92531
92532 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
92533 all inodes. If the filesystem did not change the class during inode
92534 initialization, then the conditional mentioned above was false and the
92535 directory inode was incorrectly left in the non-directory lockdep class.
92536 If the filesystem did set a special lockdep class, then the conditional
92537 mentioned above was true and that class was clobbered with
92538 i_mutex_dir_key.
92539
92540 This patch removes the negation from the conditional so that the i_mutex
92541 lockdep class is properly set for directory inodes. Special classes are
92542 preserved and directory inodes with unmodified classes are set with
92543 i_mutex_dir_key.
92544
92545 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
92546 Reviewed-by: Jan Kara <jack@suse.cz>
92547 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92548
92549commit 603590b0d2eca61ce26499eac9c563bc567a18c9
92550Author: Jan Kara <jack@suse.cz>
92551Date: Mon Feb 20 17:54:00 2012 +0100
92552
92553 udf: Fix deadlock in udf_release_file()
92554
92555 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
92556 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
92557 i_mutex is not needed in udf_release_file() anymore since protection by
92558 i_data_sem is enough to protect from races with write and truncate.
92559
92560 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
92561 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
92562 Signed-off-by: Jan Kara <jack@suse.cz>
92563 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92564
92565commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
92566Author: Miklos Szeredi <mszeredi@suse.cz>
92567Date: Tue Mar 6 13:56:33 2012 +0100
92568
92569 vfs: fix double put after complete_walk()
92570
92571 complete_walk() already puts nd->path, no need to do it again at cleanup time.
92572
92573 This would result in Oopses if triggered, apparently the codepath is not too
92574 well exercised.
92575
92576 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
92577 CC: stable@vger.kernel.org
92578 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92579
92580commit 13885ba2b18400f3ef6540497d30f1af896605e5
92581Author: Miklos Szeredi <mszeredi@suse.cz>
92582Date: Tue Mar 6 13:56:34 2012 +0100
92583
92584 vfs: fix return value from do_last()
92585
92586 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
92587 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
92588 which is complete nonsense.
92589
92590 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
92591 CC: stable@vger.kernel.org
92592 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92593
92594 Conflicts:
92595
92596 fs/namei.c
92597
92598commit f5ab7572c99ffb58953eb1070622307e904c3b7f
92599Author: Al Viro <viro@zeniv.linux.org.uk>
92600Date: Sat Mar 10 17:07:28 2012 -0500
92601
92602 restore smp_mb() in unlock_new_inode()
92603
92604 wait_on_inode() doesn't have ->i_lock
92605
92606 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92607
92608commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
92609Author: David S. Miller <davem@davemloft.net>
92610Date: Tue Mar 13 18:19:51 2012 -0700
92611
92612 sparc32: Add -Av8 to assembler command line.
92613
92614 Newer version of binutils are more strict about specifying the
92615 correct options to enable certain classes of instructions.
92616
92617 The sparc32 build is done for v7 in order to support sun4c systems
92618 which lack hardware integer multiply and divide instructions.
92619
92620 So we have to pass -Av8 when building the assembler routines that
92621 use these instructions and get patched into the kernel when we find
92622 out that we have a v8 capable cpu.
92623
92624 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
92625 Signed-off-by: David S. Miller <davem@davemloft.net>
92626
92627commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
92628Author: Thomas Gleixner <tglx@linutronix.de>
92629Date: Fri Mar 9 20:55:10 2012 +0100
92630
92631 x86: Derandom delay_tsc for 64 bit
92632
92633 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
92634 delay_tsc() into a random delay generator for 64 bit. The reason is
92635 that it merged the mostly identical versions of delay_32.c and
92636 delay_64.c. Though the subtle difference of the result was:
92637
92638 static void delay_tsc(unsigned long loops)
92639 {
92640 - unsigned bclock, now;
92641 + unsigned long bclock, now;
92642
92643 Now the function uses rdtscl() which returns the lower 32bit of the
92644 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
92645 bit this fails when the lower 32bit are close to wrap around when
92646 bclock is read, because the following check
92647
92648 if ((now - bclock) >= loops)
92649 break;
92650
92651 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
92652 because the unsigned long (now - bclock) of these values results in
92653 0xffffffff00000001 which is definitely larger than the loops
92654 value. That explains Tvortkos observation:
92655
92656 "Because I am seeing udelay(500) (_occasionally_) being short, and
92657 that by delaying for some duration between 0us (yep) and 491us."
92658
92659 Make those variables explicitely u32 again, so this works for both 32
92660 and 64 bit.
92661
92662 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
92663 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
92664 Cc: stable@vger.kernel.org # >= 2.6.27
92665 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92666
92667commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
92668Author: Al Viro <viro@ZenIV.linux.org.uk>
92669Date: Thu Mar 8 17:51:19 2012 +0000
92670
92671 aio: fix the "too late munmap()" race
92672
92673 Current code has put_ioctx() called asynchronously from aio_fput_routine();
92674 that's done *after* we have killed the request that used to pin ioctx,
92675 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
92676 from progressing. As the result, we can end up with async call of
92677 put_ioctx() being the last one and possibly happening during exit_mmap()
92678 or elf_core_dump(), neither of which expects stray munmap() being done
92679 to them...
92680
92681 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
92682 with that, but that's all we care about - neither io_destroy() nor
92683 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
92684 does really_put_req(), so the ioctx teardown won't be done until then
92685 and we don't care about the contents of ioctx past that point.
92686
92687 Since actual freeing of these suckers is RCU-delayed, we don't need to
92688 bump ioctx refcount when request goes into list for async removal.
92689 All we need is rcu_read_lock held just over the ->ctx_lock-protected
92690 area in aio_fput_routine().
92691
92692 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92693 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
92694 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
92695 Cc: stable@vger.kernel.org
92696 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92697
92698commit 002124c055afbf09b52226af65621999e8316448
92699Author: Al Viro <viro@ZenIV.linux.org.uk>
92700Date: Wed Mar 7 05:16:35 2012 +0000
92701
92702 aio: fix io_setup/io_destroy race
92703
92704 Have ioctx_alloc() return an extra reference, so that caller would drop it
92705 on success and not bother with re-grabbing it on failure exit. The current
92706 code is obviously broken - io_destroy() from another thread that managed
92707 to guess the address io_setup() would've returned would free ioctx right
92708 under us; gets especially interesting if aio_context_t * we pass to
92709 io_setup() points to PROT_READ mapping, so put_user() fails and we end
92710 up doing io_destroy() on kioctx another thread has just got freed...
92711
92712 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92713 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
92714 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
92715 Cc: stable@vger.kernel.org
92716 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92717
92718commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
92719Author: Dan Carpenter <dan.carpenter@oracle.com>
92720Date: Thu Mar 15 15:17:12 2012 -0700
92721
92722 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
92723
92724 strict_strtoul() writes a long but ->gamma_mode only has space to store an
92725 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
92726 well. I've changed it to use kstrtouint() instead.
92727
92728 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
92729 Acked-by: Inki Dae <inki.dae@samsung.com>
92730 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
92731 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
92732 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92733
92734commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
92735Merge: e4b05b6 eae671f
92736Author: Brad Spengler <spender@grsecurity.net>
92737Date: Fri Mar 16 21:04:27 2012 -0400
92738
92739 Merge branch 'pax-test' into grsec-test
92740
92741 Conflicts:
92742 security/Kconfig
92743
92744commit eae671fafe93f04685c04a089cc13efebc05d600
92745Author: Brad Spengler <spender@grsecurity.net>
92746Date: Fri Mar 16 20:58:01 2012 -0400
92747
92748 Update to pax-linux-3.2.11-test31.patch
92749 Introduction of the size_overflow plugin from Emese Revfy
92750 Many thanks to Emese for her hard work :)
92751
92752commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
92753Merge: e55aa68 258c015
92754Author: Brad Spengler <spender@grsecurity.net>
92755Date: Thu Mar 15 20:59:19 2012 -0400
92756
92757 Merge branch 'pax-test' into grsec-test
92758
92759commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
92760Author: Brad Spengler <spender@grsecurity.net>
92761Date: Thu Mar 15 20:59:05 2012 -0400
92762
92763 fix ARM compilation
92764
92765commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
92766Merge: 8f95ea9 55b7573
92767Author: Brad Spengler <spender@grsecurity.net>
92768Date: Wed Mar 14 19:33:41 2012 -0400
92769
92770 Merge branch 'pax-test' into grsec-test
92771
92772commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
92773Author: Brad Spengler <spender@grsecurity.net>
92774Date: Wed Mar 14 19:33:15 2012 -0400
92775
92776 Update to pax-linux-3.2.10-test28.patch
92777
92778commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
92779Merge: c8786a2 886ac5e
92780Author: Brad Spengler <spender@grsecurity.net>
92781Date: Tue Mar 13 17:38:13 2012 -0400
92782
92783 Merge branch 'pax-test' into grsec-test
92784
92785 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
92786
92787commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
92788Author: Brad Spengler <spender@grsecurity.net>
92789Date: Tue Mar 13 17:37:44 2012 -0400
92790
92791 Update to pax-linux-3.2.10-test26.patch
92792
92793commit c8786a2abed5e5327f68efa520c04db99bb6a63a
92794Merge: 219c982 c061fcf
92795Author: Brad Spengler <spender@grsecurity.net>
92796Date: Tue Mar 13 17:25:06 2012 -0400
92797
92798 Merge branch 'pax-test' into grsec-test
92799
92800commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
92801Merge: 89373d2 3f4b3b2
92802Author: Brad Spengler <spender@grsecurity.net>
92803Date: Tue Mar 13 17:25:02 2012 -0400
92804
92805 Merge branch 'linux-3.2.y' into pax-test
92806
92807commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
92808Merge: 54e19a3 89373d2
92809Author: Brad Spengler <spender@grsecurity.net>
92810Date: Mon Mar 12 17:23:57 2012 -0400
92811
92812 Merge branch 'pax-test' into grsec-test
92813
92814commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
92815Merge: a778588 7459f11
92816Author: Brad Spengler <spender@grsecurity.net>
92817Date: Mon Mar 12 17:23:49 2012 -0400
92818
92819 Merge branch 'linux-3.2.y' into pax-test
92820
92821commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
92822Merge: c4650f1 a778588
92823Author: Brad Spengler <spender@grsecurity.net>
92824Date: Mon Mar 12 16:51:25 2012 -0400
92825
92826 Merge branch 'pax-test' into grsec-test
92827
92828commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
92829Author: Brad Spengler <spender@grsecurity.net>
92830Date: Mon Mar 12 16:51:12 2012 -0400
92831
92832 Update to pax-linux-3.2.9-test24.patch
92833
92834commit c4650f14b13f84735fe3de06a1f3ff5776473eff
92835Merge: fb2abee 1015790
92836Author: Brad Spengler <spender@grsecurity.net>
92837Date: Sun Mar 11 21:08:28 2012 -0400
92838
92839 Merge branch 'pax-test' into grsec-test
92840
92841 Conflicts:
92842 security/Kconfig
92843
92844commit 101579028a736c224e590c7e12a7357018c424e1
92845Author: Brad Spengler <spender@grsecurity.net>
92846Date: Sun Mar 11 21:07:27 2012 -0400
92847
92848 Update to pax-linux-3.2.9-test22.patch
92849
92850commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
92851Author: Brad Spengler <spender@grsecurity.net>
92852Date: Sun Mar 11 11:02:17 2012 -0400
92853
92854 Allow 4096 CPUs
92855
92856commit 96bae28cbe6a41d48e3b56e5904814096e956000
92857Author: Brad Spengler <spender@grsecurity.net>
92858Date: Sun Mar 11 10:25:58 2012 -0400
92859
92860 Use a per-cpu 48-bit counter instead of a global atomic64
92861 Initialize each counter to have the cpu number in the lower 16 bits
92862 instead of incrementing the counter each time by 1, perform the increments
92863 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
92864 any state
92865 idea from PaX Team
92866
92867commit b975688101da6e966aebb1bc6b8c5c5983974f9c
92868Author: Brad Spengler <spender@grsecurity.net>
92869Date: Sat Mar 10 20:33:12 2012 -0500
92870
92871 Special vnsec edition! :)
92872 Further reduce argv/env allowance for suid/sgid apps to 512KB
92873 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
92874 Clear 3GB personality on suid/sgid binaries
92875 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
92876 with the main purpose of throwing off program stack -> arg/env alignment
92877 Update documentation
92878
92879commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
92880Author: Brad Spengler <spender@grsecurity.net>
92881Date: Sat Mar 10 19:54:47 2012 -0500
92882
92883 Resolve skbuff.h warnings that turn into errors during compilation in
92884 the grsecurity directory with -Werror
92885
92886commit 2023210ad43a944033fcacc660ce410888f562ee
92887Merge: ece4383 5f66adf
92888Author: Brad Spengler <spender@grsecurity.net>
92889Date: Fri Mar 9 19:48:01 2012 -0500
92890
92891 Merge branch 'pax-test' into grsec-test
92892
92893commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
92894Author: Brad Spengler <spender@grsecurity.net>
92895Date: Fri Mar 9 19:47:06 2012 -0500
92896
92897 Add colorize plugin
92898
92899commit ece4383e5e91c92d138c4df84225a70b552f4d69
92900Merge: a366d0e ab4a5a1
92901Author: Brad Spengler <spender@grsecurity.net>
92902Date: Fri Mar 9 17:56:46 2012 -0500
92903
92904 Merge branch 'pax-test' into grsec-test
92905
92906commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
92907Author: Brad Spengler <spender@grsecurity.net>
92908Date: Fri Mar 9 17:56:26 2012 -0500
92909
92910 Update to pax-linux-3.2.9-test21.patch
92911
92912commit a366d0ed963ce93fce10121c1100989d5f064e75
92913Author: Mikulas Patocka <mpatocka@redhat.com>
92914Date: Sun Mar 4 19:52:03 2012 -0500
92915
92916 mm: fix find_vma_prev
92917
92918 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
92919 management on PA-RISC.
92920
92921 After application of the patch, programs that allocate big arrays on the
92922 stack crash with segfault, for example, this will crash if compiled
92923 without optimization:
92924
92925 int main()
92926 {
92927 char array[200000];
92928 array[199999] = 0;
92929 return 0;
92930 }
92931
92932 The reason is that PA-RISC has up-growing stack and the stack is usually
92933 the last memory area. In the above example, a page fault happens above
92934 the stack.
92935
92936 Previously, if we passed too high address to find_vma_prev, it returned
92937 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
92938 change, it stores NULL in *pprev. Consequently, the stack area is not
92939 found and it is not expanded, as it used to be before the change.
92940
92941 This patch restores the old behavior and makes it return the last VMA in
92942 *pprev if the requested address is higher than address of any other VMA.
92943
92944 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
92945 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
92946 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92947
92948commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
92949Author: Hugh Dickins <hughd@google.com>
92950Date: Tue Mar 6 12:28:52 2012 -0800
92951
92952 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
92953
92954 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
92955 from shared anonymous: hoist the file case's -EINVAL up for both.
92956
92957 Signed-off-by: Hugh Dickins <hughd@google.com>
92958 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92959
92960commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
92961Author: Al Viro <viro@ZenIV.linux.org.uk>
92962Date: Mon Mar 5 06:38:42 2012 +0000
92963
92964 aout: move setup_arg_pages() prior to reading/mapping the binary
92965
92966 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92967 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92968
92969commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
92970Author: Jan Beulich <JBeulich@suse.com>
92971Date: Mon Mar 5 16:49:24 2012 +0000
92972
92973 vsprintf: make %pV handling compatible with kasprintf()
92974
92975 kasprintf() (and potentially other functions that I didn't run across so
92976 far) want to evaluate argument lists twice. Caring to do so for the
92977 primary list is obviously their job, but they can't reasonably be
92978 expected to check the format string for instances of %pV, which however
92979 need special handling too: On architectures like x86-64 (as opposed to
92980 e.g. ix86), using the same argument list twice doesn't produce the
92981 expected results, as an internally managed cursor gets updated during
92982 the first run.
92983
92984 Fix the problem by always acting on a copy of the original list when
92985 handling %pV.
92986
92987 Signed-off-by: Jan Beulich <jbeulich@suse.com>
92988 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92989
92990commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
92991Author: Al Viro <viro@ZenIV.linux.org.uk>
92992Date: Mon Mar 5 06:39:47 2012 +0000
92993
92994 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
92995
92996 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
92997 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
92998
92999commit a831bd53764695ea680cc1fa3c98759a610ed2ac
93000Author: Christian König <deathsimple@vodafone.de>
93001Date: Tue Feb 28 23:19:20 2012 +0100
93002
93003 drm/radeon: fix uninitialized variable
93004
93005 Without this fix the driver randomly treats
93006 textures as arrays and I'm really wondering
93007 why gcc isn't complaining about it.
93008
93009 Signed-off-by: Christian König <deathsimple@vodafone.de>
93010 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
93011 Signed-off-by: Dave Airlie <airlied@redhat.com>
93012
93013commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
93014Author: H. Peter Anvin <hpa@zytor.com>
93015Date: Fri Mar 2 10:43:48 2012 -0800
93016
93017 regset: Prevent null pointer reference on readonly regsets
93018
93019 The regset common infrastructure assumed that regsets would always
93020 have .get and .set methods, but not necessarily .active methods.
93021 Unfortunately people have since written regsets without .set methods.
93022
93023 Rather than putting in stub functions everywhere, handle regsets with
93024 null .get or .set methods explicitly.
93025
93026 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
93027 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
93028 Acked-by: Roland McGrath <roland@hack.frob.com>
93029 Cc: <stable@vger.kernel.org>
93030 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
93031
93032commit 072ddd99401c79b53c6bf6bff9deb93022124c79
93033Author: Brad Spengler <spender@grsecurity.net>
93034Date: Mon Mar 5 18:12:57 2012 -0500
93035
93036 Fix compiler errors reported on forums
93037
93038commit 1606774b48af24e6f99d99c624c0e447d4b66474
93039Merge: 3127bd5 4ca2ffd
93040Author: Brad Spengler <spender@grsecurity.net>
93041Date: Mon Mar 5 17:31:35 2012 -0500
93042
93043 Merge branch 'pax-test' into grsec-test
93044
93045commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
93046Author: Brad Spengler <spender@grsecurity.net>
93047Date: Mon Mar 5 17:31:21 2012 -0500
93048
93049 Update to pax-linux-3.2.9-test20.patch
93050
93051commit 3127bd581a292966b1057c7433219dac188c3720
93052Author: Brad Spengler <spender@grsecurity.net>
93053Date: Fri Mar 2 21:30:37 2012 -0500
93054
93055 Fix memory leak on logged exec_id check failure in /proc/pid/statm
93056 Thanks to Djalal Harouni for the report
93057
93058commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
93059Merge: 0a56be8 9aa8288
93060Author: Brad Spengler <spender@grsecurity.net>
93061Date: Fri Mar 2 18:38:22 2012 -0500
93062
93063 Merge branch 'pax-test' into grsec-test
93064
93065commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
93066Author: Brad Spengler <spender@grsecurity.net>
93067Date: Fri Mar 2 18:37:43 2012 -0500
93068
93069 Update to pax-linux-3.2.9-test19.patch
93070
93071commit 0a56be884bbd7ce733cac0b879c45383494d73b0
93072Merge: 9e66745 3f5c52a
93073Author: Brad Spengler <spender@grsecurity.net>
93074Date: Thu Mar 1 20:18:01 2012 -0500
93075
93076 Merge branch 'pax-test' into grsec-test
93077
93078commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
93079Author: Brad Spengler <spender@grsecurity.net>
93080Date: Thu Mar 1 20:16:56 2012 -0500
93081
93082 Update to pax-linux-3.2.9-test18.patch
93083
93084commit ae53ec231d12719a36bf871f8c5841020ed692ee
93085Merge: b255baf 44fb317
93086Author: Brad Spengler <spender@grsecurity.net>
93087Date: Thu Mar 1 20:15:31 2012 -0500
93088
93089 Merge branch 'linux-3.2.y' into pax-test
93090
93091commit 9e667456c03eadea2f305be761abe4de9a5877a3
93092Merge: 5e4e200 b255baf
93093Author: Brad Spengler <spender@grsecurity.net>
93094Date: Mon Feb 27 20:53:59 2012 -0500
93095
93096 Merge branch 'pax-test' into grsec-test
93097
93098commit b255baf50365d39b406f43aab2c64745607baaa2
93099Merge: 340ce90 1de504e
93100Author: Brad Spengler <spender@grsecurity.net>
93101Date: Mon Feb 27 20:53:29 2012 -0500
93102
93103 Merge branch 'linux-3.2.y' into pax-test
93104 Update to pax-linux-3.2.8-test17.patch
93105
93106 Conflicts:
93107 arch/x86/include/asm/i387.h
93108 arch/x86/kernel/process_32.c
93109 arch/x86/kernel/traps.c
93110
93111commit 5e4e200ac530452884b625cb75de240e1e98c731
93112Merge: 44306d7 340ce90
93113Author: Brad Spengler <spender@grsecurity.net>
93114Date: Mon Feb 27 18:02:13 2012 -0500
93115
93116 Merge branch 'pax-test' into grsec-test
93117
93118commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
93119Author: Brad Spengler <spender@grsecurity.net>
93120Date: Mon Feb 27 18:01:48 2012 -0500
93121
93122 Update to pax-linux-3.2.7-test17.patch
93123
93124commit 44306d7b3097f77e73040dd25f4f6750751bae7a
93125Merge: 29d0b07 521c411
93126Author: Brad Spengler <spender@grsecurity.net>
93127Date: Sun Feb 26 19:04:15 2012 -0500
93128
93129 Merge branch 'pax-test' into grsec-test
93130
93131 Conflicts:
93132 Makefile
93133
93134commit 521c411bb4ca66ce01146fde8bac9dd22414076d
93135Author: Brad Spengler <spender@grsecurity.net>
93136Date: Sun Feb 26 19:03:33 2012 -0500
93137
93138 Update to pax-linux-3.2.7-test16.patch
93139
93140commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
93141Author: Brad Spengler <spender@grsecurity.net>
93142Date: Sun Feb 26 17:12:44 2012 -0500
93143
93144 fix typo
93145
93146commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
93147Merge: f45b3be caa8f83
93148Author: Brad Spengler <spender@grsecurity.net>
93149Date: Sat Feb 25 20:59:27 2012 -0500
93150
93151 Merge branch 'pax-test' into grsec-test
93152
93153commit caa8f83456c4d0b204beefffaa1d1993f2348d08
93154Author: Brad Spengler <spender@grsecurity.net>
93155Date: Sat Feb 25 20:59:12 2012 -0500
93156
93157 Update to pax-linux-3.2.7-test15.patch
93158
93159commit f45b3be34a345502a302e736af9a65742ddef7cb
93160Merge: 62f35fd 9f1309b
93161Author: Brad Spengler <spender@grsecurity.net>
93162Date: Sat Feb 25 11:40:15 2012 -0500
93163
93164 Merge branch 'pax-test' into grsec-test
93165
93166commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
93167Author: Brad Spengler <spender@grsecurity.net>
93168Date: Sat Feb 25 11:39:57 2012 -0500
93169
93170 Update to pax-linux-3.2.7-test14.patch
93171
93172commit 62f35fdbecc58f2988fe13638d907b87a15776bb
93173Author: Brad Spengler <spender@grsecurity.net>
93174Date: Sat Feb 25 09:08:55 2012 -0500
93175
93176 We could log on attempted exploits of writing /proc/self/mem, but the current
93177 log function declares the access a read, so just swap the ordering for now
93178
93179commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
93180Author: Brad Spengler <spender@grsecurity.net>
93181Date: Sat Feb 25 08:46:14 2012 -0500
93182
93183 Log /proc/pid/mem attempts
93184
93185commit 674471e581893a94d475acac3e3c4496209b3ac9
93186Author: Brad Spengler <spender@grsecurity.net>
93187Date: Sat Feb 25 08:15:00 2012 -0500
93188
93189 Make use of f_version for protecting /proc file structs (fine since we're not a directory
93190 or seq_file)
93191
93192commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
93193Author: Brad Spengler <spender@grsecurity.net>
93194Date: Fri Feb 24 20:02:19 2012 -0500
93195
93196 Fix ia64 compilation
93197
93198commit 50dfea412fd395e0183c2ade368efa525d38b267
93199Merge: 12db845 4c6f99b
93200Author: Brad Spengler <spender@grsecurity.net>
93201Date: Fri Feb 24 19:00:53 2012 -0500
93202
93203 Merge branch 'pax-test' into grsec-test
93204
93205commit 4c6f99bf338e03966356b147d0360cb3b522a44f
93206Author: Brad Spengler <spender@grsecurity.net>
93207Date: Fri Feb 24 19:00:36 2012 -0500
93208
93209 (6:57:09 PM) pipacs: but you can be proactive
93210 (Fix other-arch atomic64/REFCOUNT compilation failures)
93211
93212commit 12db8453f6bb0a756f369c9151668ba1249bc478
93213Author: Brad Spengler <spender@grsecurity.net>
93214Date: Thu Feb 23 21:10:12 2012 -0500
93215
93216 Remove unnecessary copies, as suggested by solar
93217
93218commit cc02cab84368467ea03cb35f861a8a7092d91ab4
93219Author: Brad Spengler <spender@grsecurity.net>
93220Date: Thu Feb 23 20:59:35 2012 -0500
93221
93222 Make global_exec_counter static, as suggested by solar
93223
93224commit e642091a475ebb3a30e81f85e7751233d0c2af43
93225Author: Brad Spengler <spender@grsecurity.net>
93226Date: Thu Feb 23 19:00:26 2012 -0500
93227
93228 sync with stable tree
93229
93230commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
93231Author: Brad Spengler <spender@grsecurity.net>
93232Date: Thu Feb 23 18:48:47 2012 -0500
93233
93234 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
93235 Remove handling of old kludge in chmod/fchmod
93236
93237commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
93238Author: Brad Spengler <spender@grsecurity.net>
93239Date: Thu Feb 23 18:18:49 2012 -0500
93240
93241 Apply umask checks to chmod/fchmod as well, as requested by sponsor
93242 Union the enforced umask with the existing one to produce minimal privilege
93243 Change umask type to u16
93244
93245commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
93246Author: Brad Spengler <spender@grsecurity.net>
93247Date: Wed Feb 22 18:16:11 2012 -0500
93248
93249 Add per-role umask enforcement to RBAC, requested by a sponsor
93250
93251commit ad5ac943fe58199f1cc475912a39edb157acb77b
93252Merge: dda0bb5 41722e3
93253Author: Brad Spengler <spender@grsecurity.net>
93254Date: Mon Feb 20 20:04:42 2012 -0500
93255
93256 Merge branch 'pax-test' into grsec-test
93257
93258commit 41722e342e116d95f3d3556d66c97c888d752d39
93259Author: Brad Spengler <spender@grsecurity.net>
93260Date: Mon Feb 20 20:04:00 2012 -0500
93261
93262 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
93263 KERNEXEC plugin
93264
93265commit dda0bb57137846a476a866c60db2681aaf6052c0
93266Merge: 4fd554e d70927a
93267Author: Brad Spengler <spender@grsecurity.net>
93268Date: Mon Feb 20 20:01:41 2012 -0500
93269
93270 Merge branch 'pax-test' into grsec-test
93271
93272commit d70927afec977d489a54c106a3c3ddc32e953050
93273Merge: 1daebf1 9d0231c
93274Author: Brad Spengler <spender@grsecurity.net>
93275Date: Mon Feb 20 20:01:33 2012 -0500
93276
93277 Merge branch 'linux-3.2.y' into pax-test
93278
93279commit 4fd554e3a097b22c5049fcdc423897477deff5ef
93280Author: Brad Spengler <spender@grsecurity.net>
93281Date: Mon Feb 20 09:17:57 2012 -0500
93282
93283 Fix wrong logic on capability checks for switching roles, broke policies
93284 Thanks to Richard Kojedzinszky for reporting
93285
93286commit 12f97d52ac603f24344f8d71569c412a307e9422
93287Author: Brad Spengler <spender@grsecurity.net>
93288Date: Thu Feb 16 21:20:10 2012 -0500
93289
93290 sparc64 compile fix
93291
93292commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
93293Author: Brad Spengler <spender@grsecurity.net>
93294Date: Thu Feb 16 18:38:32 2012 -0500
93295
93296 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
93297
93298commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
93299Author: Brad Spengler <spender@grsecurity.net>
93300Date: Thu Feb 16 18:18:01 2012 -0500
93301
93302 optimize the check a bit
93303
93304commit 03159050f64989be44ae03be769cbed62a7cd2e5
93305Author: Brad Spengler <spender@grsecurity.net>
93306Date: Thu Feb 16 18:00:45 2012 -0500
93307
93308 smile VUPEN :D
93309 (limit argv+env to 1MB for suid/sgid binaries)
93310
93311commit dd759d8800d225a397e4de49fe729c7d601298d2
93312Author: Brad Spengler <spender@grsecurity.net>
93313Date: Thu Feb 16 17:49:33 2012 -0500
93314
93315 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
93316
93317commit 4de635bda8ebfb85312e3bf851bdbff93de400da
93318Author: Brad Spengler <spender@grsecurity.net>
93319Date: Thu Feb 16 17:45:06 2012 -0500
93320
93321 Change the long long type for exec_id to the proper u64
93322
93323commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
93324Author: Dan Carpenter <dan.carpenter@oracle.com>
93325Date: Thu Feb 9 00:46:47 2012 +0000
93326
93327 isdn: type bug in isdn_net_header()
93328
93329 We use len to store the return value from eth_header(). eth_header()
93330 can return -ETH_HLEN (-14). We want to pass this back instead of
93331 truncating it to 65522 and returning that.
93332
93333 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
93334 Acked-by: Neil Horman <nhorman@tuxdriver.com>
93335 Signed-off-by: David S. Miller <davem@davemloft.net>
93336
93337commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
93338Author: Heiko Carstens <heiko.carstens@de.ibm.com>
93339Date: Sat Feb 4 10:47:10 2012 +0100
93340
93341 exec: fix use-after-free bug in setup_new_exec()
93342
93343 Setting the task name is done within setup_new_exec() by accessing
93344 bprm->filename. However this happens after flush_old_exec().
93345 This may result in a use after free bug, flush_old_exec() may
93346 "complete" vfork_done, which will wake up the parent which in turn
93347 may free the passed in filename.
93348 To fix this add a new tcomm field in struct linux_binprm which
93349 contains the now early generated task name until it is used.
93350
93351 Fixes this bug on s390:
93352
93353 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
93354 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
93355 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
93356 Call Trace:
93357 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
93358 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
93359 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
93360 [<0000000000282b6c>] do_execve_common+0x410/0x514
93361 [<0000000000282cb6>] do_execve+0x46/0x58
93362 [<00000000005bce58>] kernel_execve+0x28/0x70
93363 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
93364 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
93365 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
93366 Last Breaking-Event-Address:
93367 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
93368
93369 Kernel panic - not syncing: Fatal exception: panic_on_oops
93370
93371 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
93372 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
93373 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
93374
93375commit d758ee9f5230893dabb5aab737b3109684bde196
93376Author: Dan Carpenter <dan.carpenter@oracle.com>
93377Date: Fri Feb 10 09:03:58 2012 +0100
93378
93379 relay: prevent integer overflow in relay_open()
93380
93381 "subbuf_size" and "n_subbufs" come from the user and they need to be
93382 capped to prevent an integer overflow.
93383
93384 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
93385 Cc: stable@kernel.org
93386 Signed-off-by: Jens Axboe <axboe@kernel.dk>
93387
93388commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
93389Merge: b1baadf 1daebf1
93390Author: Brad Spengler <spender@grsecurity.net>
93391Date: Mon Feb 13 17:47:04 2012 -0500
93392
93393 Merge branch 'pax-test' into grsec-test
93394
93395 Conflicts:
93396 fs/proc/base.c
93397
93398commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
93399Merge: 1413df2 c2db2e2
93400Author: Brad Spengler <spender@grsecurity.net>
93401Date: Mon Feb 13 17:45:54 2012 -0500
93402
93403 Merge branch 'linux-3.2.y' into pax-test
93404
93405commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
93406Author: Brad Spengler <spender@grsecurity.net>
93407Date: Sun Feb 12 16:44:05 2012 -0500
93408
93409 add missing declaration
93410
93411commit 3981059c35e8463002517935c28f3d74b8e3703c
93412Author: Brad Spengler <spender@grsecurity.net>
93413Date: Sun Feb 12 16:36:04 2012 -0500
93414
93415 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
93416 in addition to existing checks (this handles the setresuid ruid = euid case)
93417
93418commit 0beab03263c773f463412c350ad9064b44b6ede0
93419Author: Brad Spengler <spender@grsecurity.net>
93420Date: Sun Feb 12 16:13:40 2012 -0500
93421
93422 Revert setreuid changes when RBAC is enabled, breaks freeradius
93423 I'll fix the learning issue Lavish reported a different way through
93424 gradm modifications
93425
93426 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
93427
93428commit 0c61cb1cfbbfec7d07647268c922d51434d22621
93429Author: Brad Spengler <spender@grsecurity.net>
93430Date: Sat Feb 11 14:22:46 2012 -0500
93431
93432 copy exec_id on fork
93433
93434commit 000c08e0890630086b2ed04084050ed856a7ec31
93435Author: Brad Spengler <spender@grsecurity.net>
93436Date: Fri Feb 10 20:00:36 2012 -0500
93437
93438 compile fix
93439
93440commit 54b8c8f54484e5ee18040657827158bc4b63bccc
93441Author: Brad Spengler <spender@grsecurity.net>
93442Date: Fri Feb 10 19:19:52 2012 -0500
93443
93444 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
93445 denies reading of sensitive /proc/pid entries where the file descriptor
93446 was opened in a different task than the one performing the read
93447
93448commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
93449Author: Brad Spengler <spender@grsecurity.net>
93450Date: Fri Feb 10 17:43:24 2012 -0500
93451
93452 Remove duplicate signal check
93453
93454commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
93455Merge: 4eba97e 1413df2
93456Author: Brad Spengler <spender@grsecurity.net>
93457Date: Wed Feb 8 19:24:34 2012 -0500
93458
93459 Merge branch 'pax-test' into grsec-test
93460
93461commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
93462Author: Brad Spengler <spender@grsecurity.net>
93463Date: Wed Feb 8 19:24:08 2012 -0500
93464
93465 Merge changes from pax-linux-3.2.4-test11.patch
93466
93467commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
93468Merge: 0e058dd 8dd90a2
93469Author: Brad Spengler <spender@grsecurity.net>
93470Date: Mon Feb 6 17:50:12 2012 -0500
93471
93472 Merge branch 'pax-test' into grsec-test
93473
93474commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
93475Author: Brad Spengler <spender@grsecurity.net>
93476Date: Mon Feb 6 17:49:07 2012 -0500
93477
93478 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
93479
93480commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
93481Merge: 7e4169c 6133971
93482Author: Brad Spengler <spender@grsecurity.net>
93483Date: Mon Feb 6 17:48:57 2012 -0500
93484
93485 Merge branch 'linux-3.2.y' into pax-test
93486
93487commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
93488Author: Brad Spengler <spender@grsecurity.net>
93489Date: Sun Feb 5 19:24:45 2012 -0500
93490
93491 We now allow configurations with no PaX markings, giving the system no way to override the defaults
93492
93493commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
93494Author: Brad Spengler <spender@grsecurity.net>
93495Date: Sun Feb 5 10:01:23 2012 -0500
93496
93497 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
93498
93499commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
93500Author: Brad Spengler <spender@grsecurity.net>
93501Date: Sat Feb 4 21:01:16 2012 -0500
93502
93503 Improve security of ptrace-based monitoring/sandboxing
93504 See:
93505 http://article.gmane.org/gmane.linux.kernel.lsm/15156
93506
93507commit ca4ca5a1027b41f9528794e52a53ce9c47926101
93508Author: Brad Spengler <spender@grsecurity.net>
93509Date: Fri Feb 3 20:42:55 2012 -0500
93510
93511 fix typo
93512
93513commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
93514Author: Brad Spengler <spender@grsecurity.net>
93515Date: Fri Feb 3 20:25:38 2012 -0500
93516
93517 Reported by lavish on IRC:
93518 If a suid/sgid binary did not learn any setuid/setgid call during learning,
93519 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
93520 any restrictions on uid/gid changes. uid and gid can however be changed
93521 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
93522 euid/egid.
93523
93524 My fix:
93525 POSIX doesn't specify whether unprivileged users can perform the above
93526 setresuid/setresgid as an unprivileged user, though Linux has historically
93527 permitted them. Modify this behavior when RBAC is enabled to require
93528 CAP_SETUID/CAP_SETGID for these operations.
93529
93530 Thanks to Lavish for the report!
93531
93532 Conflicts:
93533
93534 kernel/sys.c
93535
93536commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
93537Merge: ba586eb 7e4169c
93538Author: Brad Spengler <spender@grsecurity.net>
93539Date: Fri Feb 3 20:10:21 2012 -0500
93540
93541 Merge branch 'pax-test' into grsec-test
93542
93543commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
93544Author: Brad Spengler <spender@grsecurity.net>
93545Date: Fri Feb 3 20:10:05 2012 -0500
93546
93547 Merge changes from pax-linux-3.2.4-test9.patch
93548
93549commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
93550Author: Christopher Yeoh <cyeoh@au1.ibm.com>
93551Date: Thu Feb 2 11:34:09 2012 +1030
93552
93553 Fix race in process_vm_rw_core
93554
93555 This fixes the race in process_vm_core found by Oleg (see
93556
93557 http://article.gmane.org/gmane.linux.kernel/1235667/
93558
93559 for details).
93560
93561 This has been updated since I last sent it as the creation of the new
93562 mm_access() function did almost exactly the same thing as parts of the
93563 previous version of this patch did.
93564
93565 In order to use mm_access() even when /proc isn't enabled, we move it to
93566 kernel/fork.c where other related process mm access functions already
93567 are.
93568
93569 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
93570 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
93571
93572 Conflicts:
93573
93574 fs/proc/base.c
93575 mm/process_vm_access.c
93576
93577commit b9194d60fb9fe579f5c34817ed822abde18939a0
93578Author: Oleg Nesterov <oleg@redhat.com>
93579Date: Tue Jan 31 17:15:11 2012 +0100
93580
93581 proc: make sure mem_open() doesn't pin the target's memory
93582
93583 Once /proc/pid/mem is opened, the memory can't be released until
93584 mem_release() even if its owner exits.
93585
93586 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
93587 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
93588 before access_remote_vm(), this verifies that this mm is still alive.
93589
93590 I am not sure what should mem_rw() return if atomic_inc_not_zero()
93591 fails. With this patch it returns zero to match the "mm == NULL" case,
93592 may be it should return -EINVAL like it did before e268337d.
93593
93594 Perhaps it makes sense to add the additional fatal_signal_pending()
93595 check into the main loop, to ensure we do not hold this memory if
93596 the target task was oom-killed.
93597
93598 Cc: stable@kernel.org
93599 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
93600 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
93601
93602commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
93603Author: Oleg Nesterov <oleg@redhat.com>
93604Date: Tue Jan 31 17:14:38 2012 +0100
93605
93606 proc: mem_release() should check mm != NULL
93607
93608 mem_release() can hit mm == NULL, add the necessary check.
93609
93610 Cc: stable@kernel.org
93611 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
93612 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
93613
93614commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
93615Author: Oleg Nesterov <oleg@redhat.com>
93616Date: Tue Jan 31 17:14:54 2012 +0100
93617
93618 note: redisabled mem_write
93619
93620 proc: unify mem_read() and mem_write()
93621
93622 No functional changes, cleanup and preparation.
93623
93624 mem_read() and mem_write() are very similar. Move this code into the
93625 new common helper, mem_rw(), which takes the additional "int write"
93626 argument.
93627
93628 Cc: stable@kernel.org
93629 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
93630 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
93631
93632 Conflicts:
93633
93634 fs/proc/base.c
93635
93636commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
93637Merge: 3903f01 01fee18
93638Author: Brad Spengler <spender@grsecurity.net>
93639Date: Fri Feb 3 19:50:40 2012 -0500
93640
93641 Merge branch 'pax-test' into grsec-test
93642
93643commit 01fee1851aef26b898ccba5312cabf1f919b74cb
93644Author: Brad Spengler <spender@grsecurity.net>
93645Date: Fri Feb 3 19:49:46 2012 -0500
93646
93647 Merge changes from pax-linux-3.2.4-test8.patch
93648
93649commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
93650Merge: 201c0db 141936c
93651Author: Brad Spengler <spender@grsecurity.net>
93652Date: Fri Feb 3 19:49:01 2012 -0500
93653
93654 Merge branch 'linux-3.2.y' into pax-test
93655
93656commit 3903f0172ecadf7a575ba3535402a1506133640a
93657Author: Brad Spengler <spender@grsecurity.net>
93658Date: Mon Jan 30 23:26:44 2012 -0500
93659
93660 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
93661
93662 We'll whitelist required directories for compatibility instead of requiring
93663 that people disable the feature entirely if they use SELinux, fuse, etc
93664
93665 Conflicts:
93666
93667 fs/sysfs/mount.c
93668
93669commit e3618feaa7e63807f1b88c199882075b3ec9bd05
93670Author: Brad Spengler <spender@grsecurity.net>
93671Date: Sun Jan 29 01:12:19 2012 -0500
93672
93673 perform RBAC check if TPE is on but match fails, matches previous behavior
93674
93675commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
93676Author: Brad Spengler <spender@grsecurity.net>
93677Date: Sat Jan 28 13:17:06 2012 -0500
93678
93679 log more information about the reason for a TPE denial for novice users, requested by a sponsor
93680
93681commit efefd67008cbad8a8591e2484410966a300a39a5
93682Author: Brad Spengler <spender@grsecurity.net>
93683Date: Fri Jan 27 19:58:53 2012 -0500
93684
93685 merge upstream sha512 changes
93686
93687commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
93688Author: Brad Spengler <spender@grsecurity.net>
93689Date: Fri Jan 27 19:49:07 2012 -0500
93690
93691 drop lock on error in xfs_readlink
93692
93693 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
93694
93695commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
93696Author: Li Wang <liwang@nudt.edu.cn>
93697Date: Thu Jan 19 09:44:36 2012 +0800
93698
93699 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
93700
93701 ecryptfs_write() can enter an infinite loop when truncating a file to a
93702 size larger than 4G. This only happens on architectures where size_t is
93703 represented by 32 bits.
93704
93705 This was caused by a size_t overflow due to it incorrectly being used to
93706 store the result of a calculation which uses potentially large values of
93707 type loff_t.
93708
93709 [tyhicks@canonical.com: rewrite subject and commit message]
93710 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
93711 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
93712 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
93713 Cc: <stable@vger.kernel.org>
93714 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
93715
93716commit a7607747d0f74f357d78bb796d70635dd05f46e8
93717Author: Tyler Hicks <tyhicks@canonical.com>
93718Date: Thu Jan 19 20:33:44 2012 -0600
93719
93720 eCryptfs: Check inode changes in setattr
93721
93722 Most filesystems call inode_change_ok() very early in ->setattr(), but
93723 eCryptfs didn't call it at all. It allowed the lower filesystem to make
93724 the call in its ->setattr() function. Then, eCryptfs would copy the
93725 appropriate inode attributes from the lower inode to the eCryptfs inode.
93726
93727 This patch changes that and actually calls inode_change_ok() on the
93728 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
93729 would happen earlier in ecryptfs_setattr(), but there are some possible
93730 inode initialization steps that must happen first.
93731
93732 Since the call was already being made on the lower inode, the change in
93733 functionality should be minimal, except for the case of a file extending
93734 truncate call. In that case, inode_newsize_ok() was never being
93735 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
93736 maximum file size errors early on, eCryptfs would encrypt zeroed pages
93737 and write them to the lower filesystem until the lower filesystem's
93738 write path caught the error in generic_write_checks(). This patch
93739 introduces a new function, called ecryptfs_inode_newsize_ok(), which
93740 checks if the new lower file size is within the appropriate limits when
93741 the truncate operation will be growing the lower file.
93742
93743 In summary this change prevents eCryptfs truncate operations (and the
93744 resulting page encryptions), which would exceed the lower filesystem
93745 limits or FSIZE rlimits, from ever starting.
93746
93747 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
93748 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
93749 Cc: <stable@vger.kernel.org>
93750
93751commit 0d96f190a39505254ace4e9330219aaeda9b64e3
93752Author: Tyler Hicks <tyhicks@canonical.com>
93753Date: Wed Jan 18 18:30:04 2012 -0600
93754
93755 eCryptfs: Make truncate path killable
93756
93757 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
93758 page, zeroes out the appropriate portions, and then encrypts the page
93759 before writing it to the lower filesystem. It was unkillable and due to
93760 the lack of sparse file support could result in tying up a large portion
93761 of system resources, while encrypting pages of zeros, with no way for
93762 the truncate operation to be stopped from userspace.
93763
93764 This patch adds the ability for ecryptfs_write() to detect a pending
93765 fatal signal and return as gracefully as possible. The intent is to
93766 leave the lower file in a useable state, while still allowing a user to
93767 break out of the encryption loop. If a pending fatal signal is detected,
93768 the eCryptfs inode size is updated to reflect the modified inode size
93769 and then -EINTR is returned.
93770
93771 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
93772 Cc: <stable@vger.kernel.org>
93773
93774commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
93775Author: Tyler Hicks <tyhicks@canonical.com>
93776Date: Tue Jan 24 10:02:22 2012 -0600
93777
93778 eCryptfs: Fix oops when printing debug info in extent crypto functions
93779
93780 If pages passed to the eCryptfs extent-based crypto functions are not
93781 mapped and the module parameter ecryptfs_verbosity=1 was specified at
93782 loading time, a NULL pointer dereference will occur.
93783
93784 Note that this wouldn't happen on a production system, as you wouldn't
93785 pass ecryptfs_verbosity=1 on a production system. It leaks private
93786 information to the system logs and is for debugging only.
93787
93788 The debugging info printed in these messages is no longer very useful
93789 and rather than doing a kmap() in these debugging paths, it will be
93790 better to simply remove the debugging paths completely.
93791
93792 https://launchpad.net/bugs/913651
93793
93794 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
93795 Reported-by: Daniel DeFreez
93796 Cc: <stable@vger.kernel.org>
93797
93798commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
93799Author: Tyler Hicks <tyhicks@canonical.com>
93800Date: Thu Jan 12 11:30:44 2012 +0100
93801
93802 eCryptfs: Sanitize write counts of /dev/ecryptfs
93803
93804 A malicious count value specified when writing to /dev/ecryptfs may
93805 result in a a very large kernel memory allocation.
93806
93807 This patch peeks at the specified packet payload size, adds that to the
93808 size of the packet headers and compares the result with the write count
93809 value. The resulting maximum memory allocation size is approximately 532
93810 bytes.
93811
93812 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
93813 Reported-by: Sasha Levin <levinsasha928@gmail.com>
93814 Cc: <stable@vger.kernel.org>
93815
93816commit 96dcb7282d323813181a1791f51c0ab7696b675b
93817Merge: 6c09fa5 201c0db
93818Author: Brad Spengler <spender@grsecurity.net>
93819Date: Fri Jan 27 19:44:15 2012 -0500
93820
93821 Merge branch 'pax-test' into grsec-test
93822
93823commit 201c0dbf177527367676028151e36d340923f033
93824Author: Brad Spengler <spender@grsecurity.net>
93825Date: Fri Jan 27 19:43:24 2012 -0500
93826
93827 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
93828 on loading modules with empty sections
93829
93830commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
93831Author: Brad Spengler <spender@grsecurity.net>
93832Date: Fri Jan 27 19:42:13 2012 -0500
93833
93834 compile fix
93835
93836commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
93837Author: Brad Spengler <spender@grsecurity.net>
93838Date: Fri Jan 27 19:39:28 2012 -0500
93839
93840 use LSM flags instead of duplicating checks
93841
93842commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
93843Merge: 44b9f11 558718b
93844Author: Brad Spengler <spender@grsecurity.net>
93845Date: Fri Jan 27 18:56:23 2012 -0500
93846
93847 Merge branch 'pax-test' into grsec-test
93848
93849commit 558718b2217beff69edf60f34a6f9893d910e9ac
93850Author: Brad Spengler <spender@grsecurity.net>
93851Date: Fri Jan 27 18:56:04 2012 -0500
93852
93853 Merge changes from pax-linux-3.2.2-test6.patch
93854
93855commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
93856Author: Brad Spengler <spender@grsecurity.net>
93857Date: Fri Jan 27 18:53:55 2012 -0500
93858
93859 don't increase the size of task_struct when unnecessary
93860 change ptrace_readexec log message
93861
93862commit a9c9626e054adb885883aa64f85506852894dd33
93863Author: Brad Spengler <spender@grsecurity.net>
93864Date: Fri Jan 27 18:16:28 2012 -0500
93865
93866 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
93867 the protection applies to all unreadable binaries.
93868
93869commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
93870Merge: 7b3f3af 05a1349
93871Author: Brad Spengler <spender@grsecurity.net>
93872Date: Wed Jan 25 20:52:09 2012 -0500
93873
93874 Merge branch 'pax-test' into grsec-test
93875
93876 Conflicts:
93877 block/scsi_ioctl.c
93878 drivers/scsi/sd.c
93879 fs/proc/base.c
93880
93881commit 05a134966efb9cb9346ad3422888969ffc79ac1d
93882Author: Brad Spengler <spender@grsecurity.net>
93883Date: Wed Jan 25 20:47:36 2012 -0500
93884
93885 Resync with pax-linux-3.2.2-test5.patch
93886
93887commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
93888Merge: c6d443d 3499d64
93889Author: Brad Spengler <spender@grsecurity.net>
93890Date: Wed Jan 25 20:45:16 2012 -0500
93891
93892 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
93893
93894 Conflicts:
93895 ipc/shm.c
93896
93897commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
93898Author: Brad Spengler <spender@grsecurity.net>
93899Date: Tue Jan 24 19:42:01 2012 -0500
93900
93901 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
93902 (may be changed if it breaks some userland), the other has its own
93903 config option
93904
93905 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
93906 the syscall or /proc/sys.
93907
93908 Second feature requires read access to a suid/sgid binary in order
93909 to ptrace it, preventing infoleaking of binaries in situations where
93910 the admin has specified 4711 or 2711 perms. Feature has been
93911 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
93912 a sysctl entry of ptrace_readexec
93913
93914commit 11a7bb25c411c9dccfdca5718639b4becdffd388
93915Author: Brad Spengler <spender@grsecurity.net>
93916Date: Sun Jan 22 14:37:10 2012 -0500
93917
93918 Compilation fixes
93919
93920commit cd400e21c7c352baba47d6f375297a7847afb33a
93921Author: Brad Spengler <spender@grsecurity.net>
93922Date: Sun Jan 22 14:20:27 2012 -0500
93923
93924 Initial port of grsecurity 2.2.2 for Linux 3.2.1
93925 Note that the new syscalls added to this kernel for remote process read/write
93926 are subject to ptrace hardening/other relevant RBAC features
93927 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
93928 as well
93929 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
93930 you should be using a version of gcc with plugin support
93931
93932commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
93933Author: Brad Spengler <spender@grsecurity.net>
93934Date: Sun Jan 22 11:47:31 2012 -0500
93935
93936 Import pax-linux-3.2.1-test5.patch
93937commit bfd7db842f835f9837cd43644459b3a95b0b488d
93938Author: Brad Spengler <spender@grsecurity.net>
93939Date: Sun Jan 22 11:02:02 2012 -0500
93940
93941 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
93942 instead of returning -EACCES
93943 thanks to Wraith from irc for the report
93944
93945commit 873ac13576506cd48ddb527c2540f274e249da50
93946Merge: 34083dd 8a44fcc
93947Author: Brad Spengler <spender@grsecurity.net>
93948Date: Fri Jan 20 18:04:02 2012 -0500
93949
93950 Merge branch 'pax-test' into grsec-test
93951
93952commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
93953Author: Brad Spengler <spender@grsecurity.net>
93954Date: Fri Jan 20 18:02:15 2012 -0500
93955
93956 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
93957 Denies executable shared memory when MPROTECT is active
93958 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
93959
93960commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
93961Author: Brad Spengler <spender@grsecurity.net>
93962Date: Thu Jan 19 20:23:14 2012 -0500
93963
93964 Introduce new GRKERNSEC_SETXID implementation
93965 We're not able to change the credentials of other threads in the process until at most
93966 one syscall after the first thread does it, since we mark the threads as needing rescheduling
93967 and such work occurs on syscall exit.
93968 This does however ensure that we're only modifying the current task's credentials
93969 which upholds RCU expectations
93970
93971 Many thanks to corsac for testing
93972
93973commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
93974Author: Brad Spengler <spender@grsecurity.net>
93975Date: Thu Jan 19 17:42:48 2012 -0500
93976
93977 Simplify backport
93978
93979commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
93980Author: Brad Spengler <spender@grsecurity.net>
93981Date: Thu Jan 19 17:08:16 2012 -0500
93982
93983 Commit the latest silent fix for a local privilege escalation from Linus
93984 Also disable writing to /proc/pid/mem
93985 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
93986
93987commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
93988Merge: 0394a3f 7e6299b
93989Author: Brad Spengler <spender@grsecurity.net>
93990Date: Wed Jan 18 20:22:09 2012 -0500
93991
93992 Merge branch 'pax-test' into grsec-test
93993
93994commit 7e6299b4733c082dde930375dd207b63237751ec
93995Merge: 83555fb 9bb1282
93996Author: Brad Spengler <spender@grsecurity.net>
93997Date: Wed Jan 18 20:21:37 2012 -0500
93998
93999 Merge branch 'linux-3.1.y' into pax-test
94000
94001commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
94002Author: Jesper Juhl <jj@chaosbits.net>
94003Date: Sun Jan 8 22:44:29 2012 +0100
94004
94005 audit: always follow va_copy() with va_end()
94006
94007 A call to va_copy() should always be followed by a call to va_end() in
94008 the same function. In kernel/autit.c::audit_log_vformat() this is not
94009 always done. This patch makes sure va_end() is always called.
94010
94011 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
94012 Cc: Al Viro <viro@zeniv.linux.org.uk>
94013 Cc: Eric Paris <eparis@redhat.com>
94014 Cc: Andrew Morton <akpm@linux-foundation.org>
94015 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94016
94017commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
94018Author: Andi Kleen <ak@linux.intel.com>
94019Date: Thu Jan 12 17:20:30 2012 -0800
94020
94021 panic: don't print redundant backtraces on oops
94022
94023 When an oops causes a panic and panic prints another backtrace it's pretty
94024 common to have the original oops data be scrolled away on a 80x50 screen.
94025
94026 The second backtrace is quite redundant and not needed anyways.
94027
94028 So don't print the panic backtrace when oops_in_progress is true.
94029
94030 [akpm@linux-foundation.org: add comment]
94031 Signed-off-by: Andi Kleen <ak@linux.intel.com>
94032 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
94033 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
94034 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94035
94036commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
94037Author: Miklos Szeredi <mszeredi@suse.cz>
94038Date: Thu Jan 12 17:59:46 2012 +0100
94039
94040 fsnotify: don't BUG in fsnotify_destroy_mark()
94041
94042 Removing the parent of a watched file results in "kernel BUG at
94043 fs/notify/mark.c:139".
94044
94045 To reproduce
94046
94047 add "-w /tmp/audit/dir/watched_file" to audit.rules
94048 rm -rf /tmp/audit/dir
94049
94050 This is caused by fsnotify_destroy_mark() being called without an
94051 extra reference taken by the caller.
94052
94053 Reported by Francesco Cosoleto here:
94054
94055 https://bugzilla.novell.com/show_bug.cgi?id=689860
94056
94057 Fix by removing the BUG_ON and adding a comment about not accessing mark after
94058 the iput.
94059
94060 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
94061 CC: stable@vger.kernel.org
94062 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94063
94064commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
94065Author: Paolo Bonzini <pbonzini@redhat.com>
94066Date: Thu Jan 12 16:01:28 2012 +0100
94067
94068 block: fail SCSI passthrough ioctls on partition devices
94069
94070 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
94071 will pass the command to the underlying block device. This is
94072 well-known, but it is also a large security problem when (via Unix
94073 permissions, ACLs, SELinux or a combination thereof) a program or user
94074 needs to be granted access only to part of the disk.
94075
94076 This patch lets partitions forward a small set of harmless ioctls;
94077 others are logged with printk so that we can see which ioctls are
94078 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
94079 Of course it was being sent to a (partition on a) hard disk, so it would
94080 have failed with ENOTTY and the patch isn't changing anything in
94081 practice. Still, I'm treating it specially to avoid spamming the logs.
94082
94083 In principle, this restriction should include programs running with
94084 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
94085 /dev/sdb, it still should not be able to read/write outside the
94086 boundaries of /dev/sda2 independent of the capabilities. However, for
94087 now programs with CAP_SYS_RAWIO will still be allowed to send the
94088 ioctls. Their actions will still be logged.
94089
94090 This patch does not affect the non-libata IDE driver. That driver
94091 however already tests for bd != bd->bd_contains before issuing some
94092 ioctl; it could be restricted further to forbid these ioctls even for
94093 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
94094
94095 Cc: linux-scsi@vger.kernel.org
94096 Cc: Jens Axboe <axboe@kernel.dk>
94097 Cc: James Bottomley <JBottomley@parallels.com>
94098 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
94099 [ Make it also print the command name when warning - Linus ]
94100 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94101
94102commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
94103Author: Paolo Bonzini <pbonzini@redhat.com>
94104Date: Thu Jan 12 16:01:27 2012 +0100
94105
94106 block: add and use scsi_blk_cmd_ioctl
94107
94108 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
94109
94110 The function will then be enhanced to detect partition block devices
94111 and, in that case, subject the ioctls to whitelisting.
94112
94113 Cc: linux-scsi@vger.kernel.org
94114 Cc: Jens Axboe <axboe@kernel.dk>
94115 Cc: James Bottomley <JBottomley@parallels.com>
94116 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
94117 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94118
94119commit 97a79814903fc350e1d13704ea31528a42705401
94120Author: Kees Cook <keescook@chromium.org>
94121Date: Sat Jan 7 10:41:04 2012 -0800
94122
94123 audit: treat s_id as an untrusted string
94124
94125 The use of s_id should go through the untrusted string path, just to be
94126 extra careful.
94127
94128 Signed-off-by: Kees Cook <keescook@chromium.org>
94129 Acked-by: Mimi Zohar <zohar@us.ibm.com>
94130 Signed-off-by: Eric Paris <eparis@redhat.com>
94131
94132commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
94133Author: Xi Wang <xi.wang@gmail.com>
94134Date: Tue Dec 20 18:39:41 2011 -0500
94135
94136 audit: fix signedness bug in audit_log_execve_info()
94137
94138 In the loop, a size_t "len" is used to hold the return value of
94139 audit_log_single_execve_arg(), which returns -1 on error. In that
94140 case the error handling (len <= 0) will be bypassed since "len" is
94141 unsigned, and the loop continues with (p += len) being wrapped.
94142 Change the type of "len" to signed int to fix the error handling.
94143
94144 size_t len;
94145 ...
94146 for (...) {
94147 len = audit_log_single_execve_arg(...);
94148 if (len <= 0)
94149 break;
94150 p += len;
94151 }
94152
94153 Signed-off-by: Xi Wang <xi.wang@gmail.com>
94154 Signed-off-by: Eric Paris <eparis@redhat.com>
94155
94156commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
94157Author: Dan Carpenter <dan.carpenter@oracle.com>
94158Date: Tue Jan 17 03:28:51 2012 -0300
94159
94160 [media] ds3000: using logical && instead of bitwise &
94161
94162 The intent here was to test if the FE_HAS_LOCK was set. The current
94163 test is equivalent to "if (status) { ..."
94164
94165 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
94166 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
94167
94168commit 36522330dc59d2fc70c042f3f081d75c32b6259a
94169Author: Brad Spengler <spender@grsecurity.net>
94170Date: Mon Jan 16 13:10:38 2012 -0500
94171
94172 Ignore the 0 signal for protected task RBAC checks
94173
94174commit d513acd55f7a683f6e146a4f570cdb63300479ab
94175Author: Brad Spengler <spender@grsecurity.net>
94176Date: Mon Jan 16 11:56:13 2012 -0500
94177
94178 whitespace cleanup
94179
94180commit ced261c4b82818c700aff8487f647f6f3e5b5122
94181Merge: d48751f 83555fb
94182Author: Brad Spengler <spender@grsecurity.net>
94183Date: Fri Jan 13 20:12:54 2012 -0500
94184
94185 Merge branch 'pax-test' into grsec-test
94186
94187commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
94188Merge: fcd8129 93dad39
94189Author: Brad Spengler <spender@grsecurity.net>
94190Date: Fri Jan 13 20:12:43 2012 -0500
94191
94192 Merge branch 'linux-3.1.y' into pax-test
94193
94194commit d48751f3919ae855fda0ff6c149db82442329253
94195Author: Brad Spengler <spender@grsecurity.net>
94196Date: Wed Jan 11 19:05:47 2012 -0500
94197
94198 Call our own set_user when forcing change to new id
94199
94200commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
94201Merge: e6578ff fcd8129
94202Author: Brad Spengler <spender@grsecurity.net>
94203Date: Tue Jan 10 16:00:10 2012 -0500
94204
94205 Merge branch 'pax-test' into grsec-test
94206
94207commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
94208Author: Brad Spengler <spender@grsecurity.net>
94209Date: Tue Jan 10 15:58:43 2012 -0500
94210
94211 Merge changes from pax-linux-3.1.8-test23.patch
94212
94213commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
94214Merge: 8859ec3 a120549
94215Author: Brad Spengler <spender@grsecurity.net>
94216Date: Fri Jan 6 21:45:56 2012 -0500
94217
94218 Merge branch 'pax-test' into grsec-test
94219
94220commit a12054967a77090de1caa07c41e694a77db4e237
94221Author: Brad Spengler <spender@grsecurity.net>
94222Date: Fri Jan 6 21:45:30 2012 -0500
94223
94224 Merge changes from pax-linux-3.1.8-test22.patch
94225
94226commit 8859ec32f9815c274df65448f9f2960176c380d3
94227Merge: a5016b4 ddd4114
94228Author: Brad Spengler <spender@grsecurity.net>
94229Date: Fri Jan 6 21:26:08 2012 -0500
94230
94231 Merge branch 'pax-test' into grsec-test
94232
94233 Conflicts:
94234 fs/binfmt_elf.c
94235 security/Kconfig
94236
94237commit ddd41147e158a79704983a409b7433eba797cf66
94238Author: Brad Spengler <spender@grsecurity.net>
94239Date: Fri Jan 6 21:12:42 2012 -0500
94240
94241 Resync with PaX patch (whitespace difference)
94242
94243commit 29e569df8205c5f0e043fe4803aa984406c8b118
94244Author: Brad Spengler <spender@grsecurity.net>
94245Date: Fri Jan 6 21:09:47 2012 -0500
94246
94247 Merge changes from pax-linux-3.1.8-test21.patch
94248
94249commit a5016b4f9c09c337b17e063a7f369af1e86d944d
94250Merge: 0124c92 04231d5
94251Author: Brad Spengler <spender@grsecurity.net>
94252Date: Fri Jan 6 18:52:20 2012 -0500
94253
94254 Merge branch 'pax-test' into grsec-test
94255
94256commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
94257Merge: 7bdddeb a919904
94258Author: Brad Spengler <spender@grsecurity.net>
94259Date: Fri Jan 6 18:51:50 2012 -0500
94260
94261 Merge branch 'linux-3.1.y' into pax-test
94262
94263 Conflicts:
94264 include/net/flow.h
94265
94266commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
94267Author: Brad Spengler <spender@grsecurity.net>
94268Date: Fri Jan 6 18:33:05 2012 -0500
94269
94270 Make GRKERNSEC_SETXID option compatible with credential debugging
94271
94272commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
94273Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
94274Date: Wed Dec 28 15:57:11 2011 -0800
94275
94276 mm/mempolicy.c: refix mbind_range() vma issue
94277
94278 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
94279 slightly incorrect fix.
94280
94281 Why? Think following case.
94282
94283 1. map 4 pages of a file at offset 0
94284
94285 [0123]
94286
94287 2. map 2 pages just after the first mapping of the same file but with
94288 page offset 2
94289
94290 [0123][23]
94291
94292 3. mbind() 2 pages from the first mapping at offset 2.
94293 mbind_range() should treat new vma is,
94294
94295 [0123][23]
94296 |23|
94297 mbind vma
94298
94299 but it does
94300
94301 [0123][23]
94302 |01|
94303 mbind vma
94304
94305 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
94306
94307 This patch fixes it.
94308
94309 [testcase]
94310 test result - before the patch
94311
94312 case4: 126: test failed. expect '2,4', actual '2,2,2'
94313 case5: passed
94314 case6: passed
94315 case7: passed
94316 case8: passed
94317 case_n: 246: test failed. expect '4,2', actual '1,4'
94318
94319 ------------[ cut here ]------------
94320 kernel BUG at mm/filemap.c:135!
94321 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
94322
94323 (snip long bug on messages)
94324
94325 test result - after the patch
94326
94327 case4: passed
94328 case5: passed
94329 case6: passed
94330 case7: passed
94331 case8: passed
94332 case_n: passed
94333
94334 source: mbind_vma_test.c
94335 ============================================================
94336 #include <numaif.h>
94337 #include <numa.h>
94338 #include <sys/mman.h>
94339 #include <stdio.h>
94340 #include <unistd.h>
94341 #include <stdlib.h>
94342 #include <string.h>
94343
94344 static unsigned long pagesize;
94345 void* mmap_addr;
94346 struct bitmask *nmask;
94347 char buf[1024];
94348 FILE *file;
94349 char retbuf[10240] = "";
94350 int mapped_fd;
94351
94352 char *rubysrc = "ruby -e '\
94353 pid = %d; \
94354 vstart = 0x%llx; \
94355 vend = 0x%llx; \
94356 s = `pmap -q #{pid}`; \
94357 rary = []; \
94358 s.each_line {|line|; \
94359 ary=line.split(\" \"); \
94360 addr = ary[0].to_i(16); \
94361 if(vstart <= addr && addr < vend) then \
94362 rary.push(ary[1].to_i()/4); \
94363 end; \
94364 }; \
94365 print rary.join(\",\"); \
94366 '";
94367
94368 void init(void)
94369 {
94370 void* addr;
94371 char buf[128];
94372
94373 nmask = numa_allocate_nodemask();
94374 numa_bitmask_setbit(nmask, 0);
94375
94376 pagesize = getpagesize();
94377
94378 sprintf(buf, "%s", "mbind_vma_XXXXXX");
94379 mapped_fd = mkstemp(buf);
94380 if (mapped_fd == -1)
94381 perror("mkstemp "), exit(1);
94382 unlink(buf);
94383
94384 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
94385 perror("lseek "), exit(1);
94386 if (write(mapped_fd, "\0", 1) < 0)
94387 perror("write "), exit(1);
94388
94389 addr = mmap(NULL, pagesize*8, PROT_NONE,
94390 MAP_SHARED, mapped_fd, 0);
94391 if (addr == MAP_FAILED)
94392 perror("mmap "), exit(1);
94393
94394 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
94395 perror("mprotect "), exit(1);
94396
94397 mmap_addr = addr + pagesize;
94398
94399 /* make page populate */
94400 memset(mmap_addr, 0, pagesize*6);
94401 }
94402
94403 void fin(void)
94404 {
94405 void* addr = mmap_addr - pagesize;
94406 munmap(addr, pagesize*8);
94407
94408 memset(buf, 0, sizeof(buf));
94409 memset(retbuf, 0, sizeof(retbuf));
94410 }
94411
94412 void mem_bind(int index, int len)
94413 {
94414 int err;
94415
94416 err = mbind(mmap_addr+pagesize*index, pagesize*len,
94417 MPOL_BIND, nmask->maskp, nmask->size, 0);
94418 if (err)
94419 perror("mbind "), exit(err);
94420 }
94421
94422 void mem_interleave(int index, int len)
94423 {
94424 int err;
94425
94426 err = mbind(mmap_addr+pagesize*index, pagesize*len,
94427 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
94428 if (err)
94429 perror("mbind "), exit(err);
94430 }
94431
94432 void mem_unbind(int index, int len)
94433 {
94434 int err;
94435
94436 err = mbind(mmap_addr+pagesize*index, pagesize*len,
94437 MPOL_DEFAULT, NULL, 0, 0);
94438 if (err)
94439 perror("mbind "), exit(err);
94440 }
94441
94442 void Assert(char *expected, char *value, char *name, int line)
94443 {
94444 if (strcmp(expected, value) == 0) {
94445 fprintf(stderr, "%s: passed\n", name);
94446 return;
94447 }
94448 else {
94449 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
94450 name, line,
94451 expected, value);
94452 // exit(1);
94453 }
94454 }
94455
94456 /*
94457 AAAA
94458 PPPPPPNNNNNN
94459 might become
94460 PPNNNNNNNNNN
94461 case 4 below
94462 */
94463 void case4(void)
94464 {
94465 init();
94466 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
94467
94468 mem_bind(0, 4);
94469 mem_unbind(2, 2);
94470
94471 file = popen(buf, "r");
94472 fread(retbuf, sizeof(retbuf), 1, file);
94473 Assert("2,4", retbuf, "case4", __LINE__);
94474
94475 fin();
94476 }
94477
94478 /*
94479 AAAA
94480 PPPPPPNNNNNN
94481 might become
94482 PPPPPPPPPPNN
94483 case 5 below
94484 */
94485 void case5(void)
94486 {
94487 init();
94488 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
94489
94490 mem_bind(0, 2);
94491 mem_bind(2, 2);
94492
94493 file = popen(buf, "r");
94494 fread(retbuf, sizeof(retbuf), 1, file);
94495 Assert("4,2", retbuf, "case5", __LINE__);
94496
94497 fin();
94498 }
94499
94500 /*
94501 AAAA
94502 PPPPNNNNXXXX
94503 might become
94504 PPPPPPPPPPPP 6
94505 */
94506 void case6(void)
94507 {
94508 init();
94509 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
94510
94511 mem_bind(0, 2);
94512 mem_bind(4, 2);
94513 mem_bind(2, 2);
94514
94515 file = popen(buf, "r");
94516 fread(retbuf, sizeof(retbuf), 1, file);
94517 Assert("6", retbuf, "case6", __LINE__);
94518
94519 fin();
94520 }
94521
94522 /*
94523 AAAA
94524 PPPPNNNNXXXX
94525 might become
94526 PPPPPPPPXXXX 7
94527 */
94528 void case7(void)
94529 {
94530 init();
94531 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
94532
94533 mem_bind(0, 2);
94534 mem_interleave(4, 2);
94535 mem_bind(2, 2);
94536
94537 file = popen(buf, "r");
94538 fread(retbuf, sizeof(retbuf), 1, file);
94539 Assert("4,2", retbuf, "case7", __LINE__);
94540
94541 fin();
94542 }
94543
94544 /*
94545 AAAA
94546 PPPPNNNNXXXX
94547 might become
94548 PPPPNNNNNNNN 8
94549 */
94550 void case8(void)
94551 {
94552 init();
94553 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
94554
94555 mem_bind(0, 2);
94556 mem_interleave(4, 2);
94557 mem_interleave(2, 2);
94558
94559 file = popen(buf, "r");
94560 fread(retbuf, sizeof(retbuf), 1, file);
94561 Assert("2,4", retbuf, "case8", __LINE__);
94562
94563 fin();
94564 }
94565
94566 void case_n(void)
94567 {
94568 init();
94569 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
94570
94571 /* make redundunt mappings [0][1234][34][7] */
94572 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
94573 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
94574
94575 /* Expect to do nothing. */
94576 mem_unbind(2, 2);
94577
94578 file = popen(buf, "r");
94579 fread(retbuf, sizeof(retbuf), 1, file);
94580 Assert("4,2", retbuf, "case_n", __LINE__);
94581
94582 fin();
94583 }
94584
94585 int main(int argc, char** argv)
94586 {
94587 case4();
94588 case5();
94589 case6();
94590 case7();
94591 case8();
94592 case_n();
94593
94594 return 0;
94595 }
94596 =============================================================
94597
94598 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
94599 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
94600 Cc: Minchan Kim <minchan.kim@gmail.com>
94601 Cc: Caspar Zhang <caspar@casparzhang.com>
94602 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
94603 Cc: Christoph Lameter <cl@linux.com>
94604 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
94605 Cc: Mel Gorman <mel@csn.ul.ie>
94606 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
94607 Cc: <stable@vger.kernel.org> [3.1.x]
94608 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
94609 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94610
94611commit f3a1082005781777086df235049f8c0b7efe524e
94612Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
94613Date: Tue Dec 27 22:32:41 2011 -0500
94614
94615 packet: fix possible dev refcnt leak when bind fail
94616
94617 If bind is fail when bind is called after set PACKET_FANOUT
94618 sock option, the dev refcnt will leak.
94619
94620 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
94621 Signed-off-by: David S. Miller <davem@davemloft.net>
94622
94623commit 915f8b08dac68839dc7204ee81cf9852fda16d24
94624Author: Haogang Chen <haogangchen@gmail.com>
94625Date: Mon Dec 19 17:11:56 2011 -0800
94626
94627 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
94628
94629 There is a potential integer overflow in nilfs_ioctl_clean_segments().
94630 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
94631 call to vmalloc() will allocate a buffer smaller than expected, which
94632 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
94633 lfs_clean_segments().
94634
94635 The following check does not prevent the overflow because nsegs is also
94636 controlled by the userspace and could be very large.
94637
94638 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
94639 goto out_free;
94640
94641 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
94642 returns -EINVAL when overflow.
94643
94644 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
94645 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
94646 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
94647 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94648
94649commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
94650Author: Kautuk Consul <consul.kautuk@gmail.com>
94651Date: Mon Dec 19 17:12:04 2011 -0800
94652
94653 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
94654
94655 Static storage is not required for the struct vmap_area in
94656 __get_vm_area_node.
94657
94658 Removing "static" to store this variable on the stack instead.
94659
94660 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
94661 Acked-by: David Rientjes <rientjes@google.com>
94662 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
94663 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94664
94665commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
94666Author: Michel Lespinasse <walken@google.com>
94667Date: Mon Dec 19 17:12:06 2011 -0800
94668
94669 binary_sysctl(): fix memory leak
94670
94671 binary_sysctl() calls sysctl_getname() which allocates from names_cache
94672 slab usin __getname()
94673
94674 The matching function to free the name is __putname(), and not putname()
94675 which should be used only to match getname() allocations.
94676
94677 This is because when auditing is enabled, putname() calls audit_putname
94678 *instead* (not in addition) to __putname(). Then, if a syscall is in
94679 progress, audit_putname does not release the name - instead, it expects
94680 the name to get released when the syscall completes, but that will happen
94681 only if audit_getname() was called previously, i.e. if the name was
94682 allocated with getname() rather than the naked __getname(). So,
94683 __getname() followed by putname() ends up leaking memory.
94684
94685 Signed-off-by: Michel Lespinasse <walken@google.com>
94686 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
94687 Cc: Christoph Hellwig <hch@infradead.org>
94688 Cc: Eric Paris <eparis@redhat.com>
94689 Cc: <stable@vger.kernel.org>
94690 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
94691 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
94692
94693commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
94694Author: Sean Hefty <sean.hefty@intel.com>
94695Date: Tue Dec 6 21:17:11 2011 +0000
94696
94697 RDMA/cma: Verify private data length
94698
94699 private_data_len is defined as a u8. If the user specifies a large
94700 private_data size (> 220 bytes), we will calculate a total length that
94701 exceeds 255, resulting in private_data_len wrapping back to 0. This
94702 can lead to overwriting random kernel memory. Avoid this by verifying
94703 that the resulting size fits into a u8.
94704
94705 Reported-by: B. Thery <benjamin.thery@bull.net>
94706 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
94707 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
94708 Signed-off-by: Roland Dreier <roland@purestorage.com>
94709
94710commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
94711Author: Xi Wang <xi.wang@gmail.com>
94712Date: Sun Dec 11 23:40:56 2011 -0800
94713
94714 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
94715
94716 The error check (intr_status < 0) didn't work because intr_status is
94717 a u8. Change its type to signed int.
94718
94719 Signed-off-by: Xi Wang <xi.wang@gmail.com>
94720 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
94721
94722commit e27f34e383d7863b2528a63b81b23db09781f6b6
94723Author: Xi Wang <xi.wang@gmail.com>
94724Date: Fri Dec 16 12:44:15 2011 +0000
94725
94726 sctp: fix incorrect overflow check on autoclose
94727
94728 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
94729 limiting the autoclose value. If userspace passes in -1 on 32-bit
94730 platform, the overflow check didn't work and autoclose would be set
94731 to 0xffffffff.
94732
94733 This patch defines a max_autoclose (in seconds) for limiting the value
94734 and exposes it through sysctl, with the following intentions.
94735
94736 1) Avoid overflowing autoclose * HZ.
94737
94738 2) Keep the default autoclose bound consistent across 32- and 64-bit
94739 platforms (INT_MAX / HZ in this patch).
94740
94741 3) Keep the autoclose value consistent between setsockopt() and
94742 getsockopt() calls.
94743
94744 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
94745 Signed-off-by: Xi Wang <xi.wang@gmail.com>
94746 Signed-off-by: David S. Miller <davem@davemloft.net>
94747
94748commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
94749Author: Xi Wang <xi.wang@gmail.com>
94750Date: Wed Dec 21 05:18:33 2011 -0500
94751
94752 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
94753
94754 Commit e133e737 didn't correctly fix the integer overflow issue.
94755
94756 - unsigned int required_size;
94757 + u64 required_size;
94758 ...
94759 required_size = mode_cmd->pitch * mode_cmd->height;
94760 - if (unlikely(required_size > dev_priv->vram_size)) {
94761 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
94762
94763 Note that both pitch and height are u32. Their product is still u32 and
94764 would overflow before being assigned to required_size. A correct way is
94765 to convert pitch and height to u64 before the multiplication.
94766
94767 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
94768
94769 This patch calls the existing vmw_kms_validate_mode_vram() for
94770 validation.
94771
94772 Signed-off-by: Xi Wang <xi.wang@gmail.com>
94773 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
94774 Signed-off-by: Dave Airlie <airlied@redhat.com>
94775
94776 Conflicts:
94777
94778 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
94779
94780commit eb8f0bd01fb994c9abc77dc84729794cd841753d
94781Author: Xi Wang <xi.wang@gmail.com>
94782Date: Thu Dec 22 13:35:22 2011 +0000
94783
94784 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
94785
94786 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
94787 cause a kernel oops due to insufficient bounds checking.
94788
94789 if (count > 1<<30) {
94790 /* Enforce a limit to prevent overflow */
94791 return -EINVAL;
94792 }
94793 count = roundup_pow_of_two(count);
94794 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
94795
94796 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
94797
94798 ... + (count * sizeof(struct rps_dev_flow))
94799
94800 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
94801 32 bits.
94802
94803 This patch replaces the magic number (1 << 30) with a symbolic bound.
94804
94805 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
94806 Signed-off-by: Xi Wang <xi.wang@gmail.com>
94807 Signed-off-by: David S. Miller <davem@davemloft.net>
94808
94809commit 648188958672024b616c42c1f6c98c8cfc85619d
94810Author: Xi Wang <xi.wang@gmail.com>
94811Date: Fri Dec 30 10:40:17 2011 -0500
94812
94813 netfilter: ctnetlink: fix timeout calculation
94814
94815 The sanity check (timeout < 0) never works; the dividend is unsigned
94816 and so is the division, which should have been a signed division.
94817
94818 long timeout = (ct->timeout.expires - jiffies) / HZ;
94819 if (timeout < 0)
94820 timeout = 0;
94821
94822 This patch converts the time values to signed for the division.
94823
94824 Signed-off-by: Xi Wang <xi.wang@gmail.com>
94825 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
94826
94827commit ab03a0973cee73f88655ff4981812ad316a6cd59
94828Merge: 76f82df 7bdddeb
94829Author: Brad Spengler <spender@grsecurity.net>
94830Date: Tue Jan 3 17:42:50 2012 -0500
94831
94832 Merge branch 'pax-test' into grsec-test
94833
94834commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
94835Merge: 3e59cb5 55cc81a
94836Author: Brad Spengler <spender@grsecurity.net>
94837Date: Tue Jan 3 17:42:36 2012 -0500
94838
94839 Merge branch 'linux-3.1.y' into pax-test
94840
94841commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
94842Author: Brad Spengler <spender@grsecurity.net>
94843Date: Thu Dec 22 20:15:02 2011 -0500
94844
94845 Only further restrict futex targeting another process -- our modified
94846 permission check also happened to allow a case where a process retaining
94847 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
94848 being non-zero (reported on forums by ben_w)
94849
94850commit 6b235a4450a5fea41663ec35fa0608988b6078c6
94851Merge: 97c16f0 3e59cb5
94852Author: Brad Spengler <spender@grsecurity.net>
94853Date: Thu Dec 22 19:11:06 2011 -0500
94854
94855 Merge branch 'pax-test' into grsec-test
94856
94857 Conflicts:
94858 fs/hfs/btree.c
94859
94860commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
94861Merge: 285eb4e c26f60b
94862Author: Brad Spengler <spender@grsecurity.net>
94863Date: Thu Dec 22 19:09:57 2011 -0500
94864
94865 Merge branch 'linux-3.1.y' into pax-test
94866
94867 Conflicts:
94868 arch/x86/kernel/process.c
94869
94870commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
94871Author: Brad Spengler <spender@grsecurity.net>
94872Date: Mon Dec 19 21:54:01 2011 -0500
94873
94874 Add new option: "Enforce consistent multithreaded privileges"
94875
94876commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
94877Author: Brad Spengler <spender@grsecurity.net>
94878Date: Wed Dec 7 19:58:31 2011 -0500
94879
94880 Remove harmless duplicate code -- exec_file would be null already so the
94881 second check would never pass.
94882
94883commit 4e3304e94aa72737810bc50169519af157dce4ce
94884Author: Brad Spengler <spender@grsecurity.net>
94885Date: Wed Dec 7 19:50:39 2011 -0500
94886
94887 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
94888 depended on for attaching to a thread. Entries exist in /proc for
94889 threads, but are not visible in a readdir.
94890
94891commit 1bd899335f23815cfe8deac44c6b346398f3b95e
94892Author: Brad Spengler <spender@grsecurity.net>
94893Date: Sun Dec 4 18:03:28 2011 -0500
94894
94895 Put the already-walked path if in RCU-walk mode
94896
94897commit ec7ae36b7159f10649709779443a988662965d66
94898Author: Brad Spengler <spender@grsecurity.net>
94899Date: Sun Dec 4 17:35:21 2011 -0500
94900
94901 Fix memory leak introduced by recent (unpublished) commit
94902 75ab998b94a29d464518d6d501bdde3fbfcbfa14
94903
94904commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
94905Author: Brad Spengler <spender@grsecurity.net>
94906Date: Sun Dec 4 13:56:10 2011 -0500
94907
94908 Explicitly check size copied to userland in override_release to silence gcc
94909
94910commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
94911Author: Brad Spengler <spender@grsecurity.net>
94912Date: Sun Dec 4 13:54:02 2011 -0500
94913
94914 Initialize variable to silence erroneous gcc warning
94915
94916commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
94917Author: Brad Spengler <spender@grsecurity.net>
94918Date: Sun Dec 4 13:47:47 2011 -0500
94919
94920 Future-proof other potential RCU-aware locations where we can log.
94921
94922commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
94923Author: Brad Spengler <spender@grsecurity.net>
94924Date: Sun Dec 4 13:02:54 2011 -0500
94925
94926 Fix freeze reported by 'vs' on the forums. Bug occurred due to
94927 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
94928 in generic_permission() was in the task's effective set but disallowed by
94929 RBAC, would block when acquiring locks resulting in the freeze.
94930
94931 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
94932 as being required when CAP_DAC_OVERRIDE is present (consistent with
94933 older patches).
94934
94935commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
94936Author: Xi Wang <xi.wang@gmail.com>
94937Date: Tue Nov 29 09:26:30 2011 +0000
94938
94939 sctp: better integer overflow check in sctp_auth_create_key()
94940
94941 The check from commit 30c2235c is incomplete and cannot prevent
94942 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
94943 left-hand side of the check (INT_MAX - key_len), which is unsigned,
94944 becomes 0xffffffff (UINT_MAX) and bypasses the check.
94945
94946 However this shouldn't be a security issue. The function is called
94947 from the following two code paths:
94948
94949 1) setsockopt()
94950
94951 2) sctp_auth_asoc_set_secret()
94952
94953 In case (1), sca_keylength is never going to exceed 65535 since it's
94954 bounded by a u16 from the user API. As such, the key length will
94955 never overflow.
94956
94957 In case (2), sca_keylength is computed based on the user key (1 short)
94958 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
94959 will not overflow.
94960
94961 In other words, this overflow check is not really necessary. Just
94962 make it more correct.
94963
94964 Signed-off-by: Xi Wang <xi.wang@gmail.com>
94965 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
94966 Signed-off-by: David S. Miller <davem@davemloft.net>
94967
94968commit e565e28c3635a1d50f80541fbf6b606d742fec76
94969Author: Josh Boyer <jwboyer@redhat.com>
94970Date: Fri Aug 19 14:50:26 2011 -0400
94971
94972 fs/minix: Verify bitmap block counts before mounting
94973
94974 Newer versions of MINIX can create filesystems that allocate an extra
94975 bitmap block. Mounting of this succeeds, but doing a statfs call will
94976 result in an oops in count_free because of a negative number being used
94977 for the bh index.
94978
94979 Avoid this by verifying the number of allocated blocks at mount time,
94980 erroring out if there are not enough and make statfs ignore the extras
94981 if there are too many.
94982
94983 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
94984
94985 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
94986 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
94987
94988commit 6e134e398ec1a3f428261680e83df4319e64bed9
94989Author: Julia Lawall <julia@diku.dk>
94990Date: Tue Nov 15 14:53:11 2011 -0800
94991
94992 drivers/gpu/vga/vgaarb.c: add missing kfree
94993
94994 kbuf is a buffer that is local to this function, so all of the error paths
94995 leaving the function should release it.
94996
94997 Signed-off-by: Julia Lawall <julia@diku.dk>
94998 Cc: Jesper Juhl <jj@chaosbits.net>
94999 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
95000 Signed-off-by: Dave Airlie <airlied@redhat.com>
95001
95002commit 2b9057b321e36860e8d63985b5c4e496f254b717
95003Author: Brad Spengler <spender@grsecurity.net>
95004Date: Sat Dec 3 21:33:28 2011 -0500
95005
95006 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
95007
95008commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
95009Author: Brad Spengler <spender@grsecurity.net>
95010Date: Sat Dec 3 21:29:37 2011 -0500
95011
95012 Import pax-linux-3.1.4-test18.patch
95013
95014commit 285eb4ea45d853ae00426b3315a61c1368080dad
95015Author: Brad Spengler <spender@grsecurity.net>
95016Date: Sat Dec 10 18:33:46 2011 -0500
95017
95018 Import changes from pax-linux-3.1.5-test20.patch
95019
95020commit a6bda918fc90ec1d5c387e978d147ad2044153f1
95021Author: Brad Spengler <spender@grsecurity.net>
95022Date: Thu Dec 8 20:55:54 2011 -0500
95023
95024 Import changes from pax-linux-3.1.4-test19.patch
95025
95026commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
95027Author: Brad Spengler <spender@grsecurity.net>
95028Date: Sat Dec 3 21:29:37 2011 -0500
95029
95030 Import pax-linux-3.1.4-test18.patch
95031commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
95032Merge: c3ccfb2 777e08c
95033Author: Brad Spengler <spender@grsecurity.net>
95034Date: Sun Sep 8 19:49:04 2013 -0400
95035
95036 Merge branch 'pax-test' into grsec-test
95037
95038commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
95039Author: Brad Spengler <spender@grsecurity.net>
95040Date: Sun Sep 8 19:47:32 2013 -0400
95041
95042 Update to pax-linux-3.10.11-test26.patch:
95043 - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
95044 - fixed an uninitialized read in splice, reported by hunger
95045
95046 fs/splice.c | 1 +
95047 include/linux/syscalls.h | 14 +-
95048 tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++----------------
95049 3 files changed, 247 insertions(+), 194 deletions(-)
95050
95051commit 5c3161364270c842d901789faac731f79a9f9cd6
95052Merge: cf9c476 85cdabb
95053Author: Brad Spengler <spender@grsecurity.net>
95054Date: Sun Sep 8 19:24:25 2013 -0400
95055
95056 Merge branch 'linux-3.10.y' into pax-test
95057
95058commit c3ccfb29794a03413095422100ce90d40ef7df0f
95059Author: Jakob Bornecrantz <jakob@vmware.com>
95060Date: Thu Aug 29 02:32:53 2013 +0200
95061
95062 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
95063
95064 drm/vmwgfx: Split GMR2_REMAP commands if they are to large
95065
95066 This fixes the piglit test texturing/max-texture-size
95067 causing the VM to die due to a too large SVGA command.
95068
95069 Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
95070 Reviewed-by: Biran Paul <brianp@vmware.com>
95071 Reviewed-by: Zack Rusin <zackr@vmware.com>
95072 Cc: stable@vger.kernel.org
95073 Signed-off-by: Dave Airlie <airlied@gmail.com>
95074
95075 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
95076 1 files changed, 39 insertions(+), 19 deletions(-)
95077
95078commit d260badf708d6aa16c44f56f54727532dcae826e
95079Author: Daniel Borkmann <dborkman@redhat.com>
95080Date: Tue Sep 3 19:29:12 2013 +0200
95081
95082 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
95083
95084 net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
95085
95086 In tcp_v6_do_rcv() code, when processing pkt options, we soley work
95087 on our skb clone opt_skb that we've created earlier before entering
95088 tcp_rcv_established() on our way. However, only in condition ...
95089
95090 if (np->rxopt.bits.rxtclass)
95091 np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
95092
95093 ... we work on skb itself. As we extract every other information out
95094 of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
95095 already be released by tcp_rcv_established() earlier on. When we try
95096 to access it in ipv6_hdr(), we will dereference freed skb.
95097
95098 [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
95099 IP_PKTOPTIONS") ]
95100
95101 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
95102 Cc: Eric Dumazet <eric.dumazet@gmail.com>
95103 Acked-by: Eric Dumazet <edumazet@google.com>
95104 Acked-by: Jiri Benc <jbenc@redhat.com>
95105 Signed-off-by: David S. Miller <davem@davemloft.net>
95106
95107 net/ipv6/tcp_ipv6.c | 2 +-
95108 1 files changed, 1 insertions(+), 1 deletions(-)
95109
95110commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
95111Author: Dan Carpenter <dan.carpenter@oracle.com>
95112Date: Thu Aug 29 11:47:00 2013 +0300
95113
95114 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
95115
95116 mISDN: return -EINVAL on error in dsp_control_req()
95117
95118 If skb->len is too short then we should return an error. Otherwise we
95119 read beyond the end of skb->data for several bytes.
95120
95121 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
95122 Signed-off-by: David S. Miller <davem@davemloft.net>
95123
95124 drivers/isdn/mISDN/dsp_core.c | 4 +++-
95125 1 files changed, 3 insertions(+), 1 deletions(-)
95126
95127commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
95128Author: Brad Spengler <spender@grsecurity.net>
95129Date: Thu Sep 5 19:36:23 2013 -0400
95130
95131 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
95132
95133 grsecurity/Kconfig | 3 ++-
95134 1 files changed, 2 insertions(+), 1 deletions(-)
95135
95136commit da68dbcd96c617923a0aedb177d36b2701f9c858
95137Author: Brad Spengler <spender@grsecurity.net>
95138Date: Thu Sep 5 19:17:02 2013 -0400
95139
95140 Allow the deny_new_usb sysctl to be toggled off by a user with
95141 CAP_SYS_ADMIN. This allows for more inventive uses of the feature
95142 that would be impossible otherwise (like toggling it while the screen is
95143 locked, etc)
95144
95145 grsecurity/grsec_sysctl.c | 4 +---
95146 1 files changed, 1 insertions(+), 3 deletions(-)
95147
95148commit ce0e893adc830ee110f97071cc17e661fb35ae3d
95149Author: Brad Spengler <spender@grsecurity.net>
95150Date: Thu Sep 5 18:41:49 2013 -0400
95151
95152 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
95153 GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
95154 users who know they want the functionality but don't want to bother
95155 with modifying init scripts
95156
95157 Also eliminate reset_security_ops() as a ROP target when
95158 SECURITY_SELINUX_DISABLE is disabled as it's the only user
95159
95160 grsecurity/Kconfig | 17 ++++++++++++++++-
95161 grsecurity/grsec_init.c | 3 +++
95162 grsecurity/grsec_sysctl.c | 2 +-
95163 security/security.c | 4 ++++
95164 4 files changed, 24 insertions(+), 2 deletions(-)
95165
95166commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
95167Merge: 7ee3899 cf9c476
95168Author: Brad Spengler <spender@grsecurity.net>
95169Date: Sun Sep 1 13:56:57 2013 -0400
95170
95171 Merge branch 'pax-test' into grsec-test
95172
95173commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
95174Author: Brad Spengler <spender@grsecurity.net>
95175Date: Sun Sep 1 13:56:16 2013 -0400
95176
95177 Update to pax-linux-3.10.10-test25.patch:
95178 - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
95179 - got inet_getid and ipv6_select_ident rid of the cmpxchg loop
95180
95181 block/blk-cgroup.c | 4 ++--
95182 drivers/video/hyperv_fb.c | 4 ++--
95183 fs/namespace.c | 4 ++--
95184 include/net/inetpeer.h | 13 +++++--------
95185 kernel/trace/trace_clock.c | 4 ++--
95186 net/ipv6/output_core.c | 15 ++++++---------
95187 net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
95188 7 files changed, 21 insertions(+), 27 deletions(-)
95189
95190commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
95191Merge: fd0338c 2bdeae7
95192Author: Brad Spengler <spender@grsecurity.net>
95193Date: Sat Aug 31 22:07:38 2013 -0400
95194
95195 Merge branch 'pax-test' into grsec-test
95196
95197commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
95198Author: Brad Spengler <spender@grsecurity.net>
95199Date: Sat Aug 31 22:06:55 2013 -0400
95200
95201 Update to pax-linux-3.10.10-test24.patch:
95202 - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
95203 - fixed a bunch more after a quick audit of atomic_inc_return users
95204
95205 drivers/acpi/apei/ghes.c | 4 ++--
95206 drivers/ata/libata-core.c | 4 ++--
95207 drivers/ata/libata-scsi.c | 2 +-
95208 drivers/ata/libata.h | 2 +-
95209 drivers/block/drbd/drbd_nl.c | 4 ++--
95210 drivers/crypto/hifn_795x.c | 4 ++--
95211 drivers/edac/edac_device.c | 4 ++--
95212 drivers/edac/edac_pci.c | 4 ++--
95213 drivers/firewire/core-card.c | 4 ++--
95214 drivers/hv/hv_balloon.c | 18 +++++++++---------
95215 drivers/infiniband/hw/mlx4/mad.c | 2 +-
95216 drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
95217 drivers/input/misc/ims-pcu.c | 4 ++--
95218 drivers/input/serio/serio_raw.c | 4 ++--
95219 drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
95220 drivers/media/radio/radio-maxiradio.c | 2 +-
95221 drivers/media/radio/radio-shark.c | 2 +-
95222 drivers/media/radio/radio-shark2.c | 2 +-
95223 drivers/media/radio/radio-si476x.c | 2 +-
95224 drivers/media/rc/rc-main.c | 4 ++--
95225 drivers/media/v4l2-core/v4l2-device.c | 4 ++--
95226 drivers/net/usb/sierra_net.c | 4 ++--
95227 drivers/pci/hotplug/pciehp_hpc.c | 4 +---
95228 drivers/regulator/core.c | 4 ++--
95229 drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------
95230 drivers/staging/android/timed_output.c | 6 +++---
95231 drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
95232 drivers/staging/media/solo6x10/solo6x10.h | 2 +-
95233 drivers/target/sbp/sbp_target.c | 4 ++--
95234 drivers/tty/hvc/hvsi.c | 12 ++++++------
95235 drivers/tty/hvc/hvsi_lib.c | 6 +++---
95236 drivers/tty/serial/ioc4_serial.c | 6 +++---
95237 drivers/tty/serial/msm_serial.c | 4 ++--
95238 drivers/usb/misc/appledisplay.c | 4 ++--
95239 fs/afs/inode.c | 4 ++--
95240 fs/btrfs/delayed-inode.c | 6 +++---
95241 fs/btrfs/delayed-inode.h | 4 ++--
95242 fs/fscache/cookie.c | 4 ++--
95243 include/media/v4l2-device.h | 2 +-
95244 net/ceph/messenger.c | 4 ++--
95245 net/core/netpoll.c | 4 ++--
95246 net/xfrm/xfrm_state.c | 4 ++--
95247 security/selinux/avc.c | 6 +++---
95248 43 files changed, 93 insertions(+), 95 deletions(-)
95249
95250commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
95251Merge: 1bdf7ec 85099d2
95252Author: Brad Spengler <spender@grsecurity.net>
95253Date: Sat Aug 31 21:07:29 2013 -0400
95254
95255 Merge branch 'pax-test' into grsec-test
95256
95257commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
95258Author: Brad Spengler <spender@grsecurity.net>
95259Date: Sat Aug 31 21:06:55 2013 -0400
95260
95261 Update to pax-linux-3.10.10-test23.patch:
95262 - added the necessary atomic_unchecked_t conversion for mips
95263 - audited and fixed arm and sparc for proper atomic_unchecked_t usage
95264
95265 arch/arm/kvm/arm.c | 8 ++++----
95266 arch/arm/mm/context.c | 10 +++++-----
95267 arch/mips/kernel/irq.c | 6 +++---
95268 arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------
95269 arch/mips/sgi-ip27/ip27-nmi.c | 6 +++---
95270 arch/sparc/kernel/smp_64.c | 12 ++++++------
95271 arch/sparc/kernel/traps_64.c | 14 +++++++-------
95272 arch/sparc/mm/init_64.c | 10 +++++-----
95273 8 files changed, 45 insertions(+), 45 deletions(-)
95274
95275commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
95276Merge: 995a168 38ee86c
95277Author: Brad Spengler <spender@grsecurity.net>
95278Date: Fri Aug 30 19:23:36 2013 -0400
95279
95280 Merge branch 'pax-test' into grsec-test
95281
95282commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
95283Author: Brad Spengler <spender@grsecurity.net>
95284Date: Fri Aug 30 19:23:11 2013 -0400
95285
95286 Update to pax-linux-3.10.10-test22.patch:
95287 - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
95288 - fixed a few more format strings
95289
95290 arch/mips/include/asm/atomic.h | 20 ++++++++++++++++----
95291 drivers/md/bcache/super.c | 2 +-
95292 drivers/net/wireless/iwlwifi/dvm/main.c | 3 +--
95293 drivers/pci/hotplug/pciehp_hpc.c | 2 +-
95294 drivers/platform/x86/wmi.c | 2 +-
95295 drivers/scsi/sd.c | 2 +-
95296 drivers/vfio/vfio.c | 4 ++--
95297 fs/ntfs/super.c | 6 +++---
95298 include/linux/workqueue.h | 6 +++---
95299 net/mac80211/main.c | 2 +-
95300 sound/pci/hda/hda_codec.c | 8 ++------
95301 11 files changed, 32 insertions(+), 25 deletions(-)
95302
95303commit 995a16841e2097c3a9dfc652e856469679c4a0ba
95304Author: Brad Spengler <spender@grsecurity.net>
95305Date: Fri Aug 30 17:11:11 2013 -0400
95306
95307 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
95308
95309 grsecurity/grsec_sysctl.c | 7 ++++---
95310 1 files changed, 4 insertions(+), 3 deletions(-)
95311
95312commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
95313Merge: be2497c 1052971
95314Author: Brad Spengler <spender@grsecurity.net>
95315Date: Thu Aug 29 20:44:29 2013 -0400
95316
95317 Merge branch 'pax-test' into grsec-test
95318
95319 Conflicts:
95320 include/linux/sched.h
95321
95322commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
95323Merge: e902dad 8bf3379
95324Author: Brad Spengler <spender@grsecurity.net>
95325Date: Thu Aug 29 20:39:50 2013 -0400
95326
95327 Update to pax-linux-3.10.10-test21.patch
95328
95329 Merge branch 'linux-3.10.y' into pax-test
95330
95331 Conflicts:
95332 arch/x86/kernel/sys_x86_64.c
95333 arch/x86/mm/mmap.c
95334 include/linux/sched.h
95335
95336commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
95337Merge: 081c22b e902dad
95338Author: Brad Spengler <spender@grsecurity.net>
95339Date: Wed Aug 28 20:52:44 2013 -0400
95340
95341 Merge branch 'pax-test' into grsec-test
95342
95343commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
95344Author: Brad Spengler <spender@grsecurity.net>
95345Date: Wed Aug 28 20:51:21 2013 -0400
95346
95347 Update to pax-linux-3.10.9-test21.patch:
95348 - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
95349 - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
95350 - fixed a REFCOUNT false positive in UHID
95351 - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
95352 Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
95353 (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
95354 - icmpv6_filter: no memory corruption, probably just some logical error in the caller
95355 - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
95356 - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
95357 - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
95358 - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
95359 - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
95360
95361 arch/arm/mm/fault.c | 2 +-
95362 arch/mips/kernel/traps.c | 2 --
95363 drivers/hid/uhid.c | 6 +++---
95364 drivers/isdn/gigaset/usb-gigaset.c | 2 +-
95365 drivers/isdn/i4l/isdn_common.c | 2 ++
95366 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
95367 drivers/usb/dwc3/gadget.c | 2 --
95368 net/ieee802154/6lowpan.c | 2 +-
95369 net/ipv6/raw.c | 2 +-
95370 net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
95371 10 files changed, 14 insertions(+), 16 deletions(-)
95372
95373commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
95374Author: Brad Spengler <spender@grsecurity.net>
95375Date: Wed Aug 28 20:42:39 2013 -0400
95376
95377 add export of gr_handle_new_usb()
95378
95379 grsecurity/grsec_usb.c | 2 ++
95380 1 files changed, 2 insertions(+), 0 deletions(-)
95381
95382commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
95383Author: Brad Spengler <spender@grsecurity.net>
95384Date: Wed Aug 28 19:24:47 2013 -0400
95385
95386 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
95387 Kees' recent findings are motivation enough to publish it
95388
95389 drivers/usb/core/hub.c | 5 +++++
95390 grsecurity/Kconfig | 20 ++++++++++++++++++++
95391 grsecurity/Makefile | 3 ++-
95392 grsecurity/grsec_init.c | 1 +
95393 grsecurity/grsec_sysctl.c | 11 +++++++++++
95394 grsecurity/grsec_usb.c | 13 +++++++++++++
95395 include/linux/grinternal.h | 1 +
95396 include/linux/grsecurity.h | 2 ++
95397 8 files changed, 55 insertions(+), 1 deletions(-)
95398
95399commit 8044382257ec75a03f3d784ce048ef14e94b90ca
95400Author: Kees Cook <keescook@chromium.org>
95401Date: Wed Aug 14 09:35:07 2013 -0700
95402
95403 HID: zeroplus: validate output report details
95404
95405 The zeroplus HID driver was not checking the size of allocated values
95406 in fields it used. A HID device could send a malicious output report
95407 that would cause the driver to write beyond the output report allocation
95408 during initialization, causing a heap overflow:
95409
95410 [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
95411 ...
95412 [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
95413
95414 CVE-2013-2889
95415
95416 Signed-off-by: Kees Cook <keescook@chromium.org>
95417 Cc: stable@kernel.org
95418
95419 drivers/hid/hid-zpff.c | 14 ++------------
95420 1 files changed, 2 insertions(+), 12 deletions(-)
95421
95422commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
95423Author: Kees Cook <keescook@chromium.org>
95424Date: Wed Aug 14 14:36:15 2013 -0700
95425
95426 HID: provide a helper for validating hid reports
95427
95428 Many drivers need to validate the characteristics of their HID report
95429 during initialization to avoid misusing the reports. This adds a common
95430 helper to perform validation of the report, its field count, and the
95431 value count within the fields.
95432
95433 Signed-off-by: Kees Cook <keescook@chromium.org>
95434 Cc: stable@kernel.org
95435
95436 drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
95437 include/linux/hid.h | 4 +++
95438 2 files changed, 54 insertions(+), 0 deletions(-)
95439
95440commit 270ba9096ddecdc3cf6c4d76e6892184820116be
95441Author: Kees Cook <keescook@chromium.org>
95442Date: Wed Aug 14 09:14:34 2013 -0700
95443
95444 HID: steelseries: validate output report details
95445
95446 A HID device could send a malicious output report that would cause the
95447 steelseries HID driver to write beyond the output report allocation
95448 during initialization, causing a heap overflow:
95449
95450 [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
95451 ...
95452 [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
95453
95454 CVE-2013-2891
95455
95456 Signed-off-by: Kees Cook <keescook@chromium.org>
95457 Cc: stable@kernel.org
95458
95459 drivers/hid/hid-steelseries.c | 5 +++++
95460 1 files changed, 5 insertions(+), 0 deletions(-)
95461
95462commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
95463Author: Kees Cook <keescook@chromium.org>
95464Date: Wed Aug 14 08:49:21 2013 -0700
95465
95466 HID: pantherlord: validate output report details
95467
95468 A HID device could send a malicious output report that would cause the
95469 pantherlord HID driver to write beyond the output report allocation
95470 during initialization, causing a heap overflow:
95471
95472 [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
95473 ...
95474 [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
95475
95476 CVE-2013-2892
95477
95478 Signed-off-by: Kees Cook <keescook@chromium.org>
95479 Cc: stable@kernel.org
95480
95481 drivers/hid/hid-pl.c | 10 ++++++++--
95482 1 files changed, 8 insertions(+), 2 deletions(-)
95483
95484commit 60115e8108e508060815bce5ef9504233c81898c
95485Author: Kees Cook <keescook@chromium.org>
95486Date: Tue Aug 13 16:49:01 2013 -0700
95487
95488 HID: LG: validate HID output report details
95489
95490 A HID device could send a malicious output report that would cause the
95491 lg, lg3, and lg4 HID drivers to write beyond the output report allocation
95492 during an event, causing a heap overflow:
95493
95494 [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
95495 ...
95496 [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
95497
95498 Additionally, while lg2 did correctly validate the report details, it was
95499 cleaned up and shortened.
95500
95501 CVE-2013-2893
95502
95503 Signed-off-by: Kees Cook <keescook@chromium.org>
95504 Cc: stable@kernel.org
95505
95506 drivers/hid/hid-lg2ff.c | 19 +++----------------
95507 drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
95508 drivers/hid/hid-lg4ff.c | 20 +-------------------
95509 drivers/hid/hid-lgff.c | 17 ++---------------
95510 4 files changed, 12 insertions(+), 73 deletions(-)
95511
95512commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
95513Author: Kees Cook <keescook@chromium.org>
95514Date: Thu Aug 15 23:21:23 2013 -0700
95515
95516 HID: lenovo-tpkbd: validate output report details
95517
95518 A HID device could send a malicious output report that would cause the
95519 lenovo-tpkbd HID driver to write just beyond the output report allocation
95520 during initialization, causing a heap overflow:
95521
95522 [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
95523 ...
95524 [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
95525
95526 CVE-2013-2894
95527
95528 Signed-off-by: Kees Cook <keescook@chromium.org>
95529 Cc: stable@kernel.org
95530
95531 drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
95532 1 files changed, 5 insertions(+), 0 deletions(-)
95533
95534commit 38627769bb2b9a550e251b2caf1babda7566fb4a
95535Author: Kees Cook <keescook@chromium.org>
95536Date: Thu Aug 15 23:45:03 2013 -0700
95537
95538 HID: logitech-dj: validate output report details
95539
95540 A HID device could send a malicious output report that would cause the
95541 logitech-dj HID driver to leak kernel memory contents to the device, or
95542 trigger a NULL dereference during initialization:
95543
95544 [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
95545 ...
95546 [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
95547 [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
95548
95549 CVE-2013-2895
95550
95551 Signed-off-by: Kees Cook <keescook@chromium.org>
95552 Cc: stable@kernel.org
95553
95554 drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
95555 1 files changed, 10 insertions(+), 2 deletions(-)
95556
95557commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
95558Author: Kees Cook <keescook@chromium.org>
95559Date: Fri Aug 16 00:18:15 2013 -0700
95560
95561 HID: ntrig: validate feature report details
95562
95563 A HID device could send a malicious feature report that would cause the
95564 ntrig HID driver to trigger a NULL dereference during initialization:
95565
95566 [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
95567 ...
95568 [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
95569 [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
95570
95571 CVE-2013-2896
95572
95573 Signed-off-by: Kees Cook <keescook@chromium.org>
95574 Cc: stable@kernel.org
95575
95576 drivers/hid/hid-ntrig.c | 3 ++-
95577 1 files changed, 2 insertions(+), 1 deletions(-)
95578
95579commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
95580Author: Kees Cook <keescook@chromium.org>
95581Date: Fri Aug 16 00:11:32 2013 -0700
95582
95583 HID: multitouch: validate feature report details
95584
95585 When working on report indexes, always validate that they are in bounds.
95586 Without this, a HID device could report a malicious feature report that
95587 could trick the driver into a heap overflow:
95588
95589 [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
95590 ...
95591 [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
95592
95593 CVE-2013-2897
95594
95595 Signed-off-by: Kees Cook <keescook@chromium.org>
95596 Cc: stable@kernel.org
95597
95598 drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
95599 1 files changed, 20 insertions(+), 5 deletions(-)
95600
95601commit 813f51e0881e4ea6d221da828b1cced02ad9694d
95602Author: Kees Cook <keescook@chromium.org>
95603Date: Fri Aug 16 08:12:45 2013 -0700
95604
95605 HID: sensor-hub: validate feature report details
95606
95607 A HID device could send a malicious feature report that would cause the
95608 sensor-hub HID driver to read past the end of heap allocation, leaking
95609 kernel memory contents to the caller.
95610
95611 CVE-2013-2898
95612
95613 Signed-off-by: Kees Cook <keescook@chromium.org>
95614 Cc: stable@kernel.org
95615
95616 drivers/hid/hid-sensor-hub.c | 3 ++-
95617 1 files changed, 2 insertions(+), 1 deletions(-)
95618
95619commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
95620Author: Kees Cook <keescook@chromium.org>
95621Date: Fri Aug 16 08:05:10 2013 -0700
95622
95623 HID: picolcd_core: validate output report details
95624
95625 A HID device could send a malicious output report that would cause the
95626 picolcd HID driver to trigger a NULL dereference during attr file writing.
95627
95628 CVE-2013-2899
95629
95630 Signed-off-by: Kees Cook <keescook@chromium.org>
95631 Cc: stable@kernel.org
95632
95633 drivers/hid/hid-picolcd_core.c | 2 +-
95634 1 files changed, 1 insertions(+), 1 deletions(-)
95635
95636commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
95637Author: Kees Cook <keescook@chromium.org>
95638Date: Fri Aug 16 08:09:54 2013 -0700
95639
95640 HID: check for NULL field when setting values
95641
95642 Defensively check that the field to be worked on is not NULL.
95643
95644 Signed-off-by: Kees Cook <keescook@chromium.org>
95645 Cc: stable@kernel.org
95646
95647 drivers/hid/hid-core.c | 7 ++++++-
95648 1 files changed, 6 insertions(+), 1 deletions(-)
95649
95650commit 96a55ce1b2f3af376c400a02059174e79ce4399c
95651Author: Brad Spengler <spender@grsecurity.net>
95652Date: Wed Aug 28 18:09:18 2013 -0400
95653
95654 http://marc.info/?l=linux-input&m=137772180514608&q=raw
95655
95656 From: Kees Cook <keescook@chromium.org>
95657
95658 The "Report ID" field of a HID report is used to build indexes of
95659 reports. The kernel's index of these is limited to 256 entries, so any
95660 malicious device that sets a Report ID greater than 255 will trigger
95661 memory corruption on the host:
95662
95663 [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
95664 [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
95665
95666 CVE-2013-2888
95667
95668 Signed-off-by: Kees Cook <keescook@chromium.org>
95669 Cc: stable@kernel.org
95670 ---
95671 drivers/hid/hid-core.c | 10 +++++++---
95672 include/linux/hid.h | 4 +++-
95673 2 files changed, 10 insertions(+), 4 deletions(-)
95674
95675 drivers/hid/hid-core.c | 10 +++++++---
95676 include/linux/hid.h | 4 +++-
95677 2 files changed, 10 insertions(+), 4 deletions(-)
95678
95679commit eb1106eef5f17bfda833ca3cf89e315919173257
95680Author: Dan Carpenter <dan.carpenter@oracle.com>
95681Date: Fri Aug 9 12:52:31 2013 +0300
95682
95683 Upstream commit: 909bd5926d474e275599094acad986af79671ac9
95684
95685 Hostap: copying wrong data prism2_ioctl_giwaplist()
95686
95687 We want the data stored in "addr" and "qual", but the extra ampersands
95688 mean we are copying stack data instead.
95689
95690 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
95691 Cc: stable@vger.kernel.org
95692 Signed-off-by: John W. Linville <linville@tuxdriver.com>
95693
95694 drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
95695 1 files changed, 2 insertions(+), 2 deletions(-)
95696
95697commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
95698Author: Brad Spengler <spender@grsecurity.net>
95699Date: Wed Aug 28 17:01:21 2013 -0400
95700
95701 fix typo in ipv6 backport
95702
95703 net/ipv6/addrconf.c | 2 +-
95704 1 files changed, 1 insertions(+), 1 deletions(-)
95705
95706commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
95707Author: Andy Lutomirski <luto@amacapital.net>
95708Date: Thu Aug 22 11:39:15 2013 -0700
95709
95710 Upstream commit: d661684cf6820331feae71146c35da83d794467e
95711
95712 net: Check the correct namespace when spoofing pid over SCM_RIGHTS
95713
95714 This is a security bug.
95715
95716 The follow-up will fix nsproxy to discourage this type of issue from
95717 happening again.
95718
95719 Cc: stable@vger.kernel.org
95720 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
95721 Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
95722 Signed-off-by: David S. Miller <davem@davemloft.net>
95723
95724 net/core/scm.c | 2 +-
95725 1 files changed, 1 insertions(+), 1 deletions(-)
95726
95727commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
95728Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
95729Date: Fri Aug 16 13:02:27 2013 +0200
95730
95731 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
95732
95733 ipv6: remove max_addresses check from ipv6_create_tempaddr
95734
95735 Because of the max_addresses check attackers were able to disable privacy
95736 extensions on an interface by creating enough autoconfigured addresses:
95737
95738 <http://seclists.org/oss-sec/2012/q4/292>
95739
95740 But the check is not actually needed: max_addresses protects the
95741 kernel to install too many ipv6 addresses on an interface and guards
95742 addrconf_prefix_rcv to install further addresses as soon as this limit
95743 is reached. We only generate temporary addresses in direct response of
95744 a new address showing up. As soon as we filled up the maximum number of
95745 addresses of an interface, we stop installing more addresses and thus
95746 also stop generating more temp addresses.
95747
95748 Even if the attacker tries to generate a lot of temporary addresses
95749 by announcing a prefix and removing it again (lifetime == 0) we won't
95750 install more temp addresses, because the temporary addresses do count
95751 to the maximum number of addresses, thus we would stop installing new
95752 autoconfigured addresses when the limit is reached.
95753
95754 This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
95755 possible).
95756
95757 Thanks to Ding Tianhong to bring this topic up again.
95758
95759 Cc: Ding Tianhong <dingtianhong@huawei.com>
95760 Cc: George Kargiotakis <kargig@void.gr>
95761 Cc: P J P <ppandit@redhat.com>
95762 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
95763 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
95764 Acked-by: Ding Tianhong <dingtianhong@huawei.com>
95765 Signed-off-by: David S. Miller <davem@davemloft.net>
95766
95767 Conflicts:
95768
95769 net/ipv6/addrconf.c
95770
95771 net/ipv6/addrconf.c | 10 ++++------
95772 1 files changed, 4 insertions(+), 6 deletions(-)
95773
95774commit 8333e0981469a226a47d0142ff31090a48db95a4
95775Author: David Vrabel <david.vrabel@citrix.com>
95776Date: Thu Aug 15 13:21:06 2013 +0100
95777
95778 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
95779
95780 xen/events: initialize local per-cpu mask for all possible events
95781
95782 The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
95783 resulting in only the first 64 (or 32 in 32-bit guests) ports having
95784 their bindings being initialized to VCPU 0.
95785
95786 In most cases this does not cause a problem as request_irq() will set
95787 the irq affinity which will set the correct local per-cpu mask.
95788 However, if the request_irq() is called on a VCPU other than 0, there
95789 is a window between the unmasking of the event and the affinity being
95790 set were an event may be lost because it is not locally unmasked on
95791 any VCPU. If request_irq() is called on VCPU 0 then local irqs are
95792 disabled during the window and the race does not occur.
95793
95794 Fix this by initializing all NR_EVENT_CHANNEL bits in the local
95795 per-cpu masks.
95796
95797 Signed-off-by: David Vrabel <david.vrabel@citrix.com>
95798 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
95799 CC: stable@vger.kernel.org
95800
95801 drivers/xen/events.c | 2 +-
95802 1 files changed, 1 insertions(+), 1 deletions(-)
95803
95804commit 2a9a83768433937a2b7a97001ba1627156c0efed
95805Author: Roland Dreier <roland@purestorage.com>
95806Date: Mon Aug 5 17:55:01 2013 -0700
95807
95808 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
95809
95810 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
95811
95812 There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
95813 leads to one process writing data into the address space of some other
95814 random unrelated process if the ioctl is interrupted by a signal.
95815 What happens is the following:
95816
95817 - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
95818 underlying SCSI command will transfer data from the SCSI device to
95819 the buffer provided in the ioctl)
95820
95821 - Before the command finishes, a signal is sent to the process waiting
95822 in the ioctl. This will end up waking up the sg_ioctl() code:
95823
95824 result = wait_event_interruptible(sfp->read_wait,
95825 (srp_done(sfp, srp) || sdp->detached));
95826
95827 but neither srp_done() nor sdp->detached is true, so we end up just
95828 setting srp->orphan and returning to userspace:
95829
95830 srp->orphan = 1;
95831 write_unlock_irq(&sfp->rq_list_lock);
95832 return result; /* -ERESTARTSYS because signal hit process */
95833
95834 At this point the original process is done with the ioctl and
95835 blithely goes ahead handling the signal, reissuing the ioctl, etc.
95836
95837 - Eventually, the SCSI command issued by the first ioctl finishes and
95838 ends up in sg_rq_end_io(). At the end of that function, we run through:
95839
95840 write_lock_irqsave(&sfp->rq_list_lock, iflags);
95841 if (unlikely(srp->orphan)) {
95842 if (sfp->keep_orphan)
95843 srp->sg_io_owned = 0;
95844 else
95845 done = 0;
95846 }
95847 srp->done = done;
95848 write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
95849
95850 if (likely(done)) {
95851 /* Now wake up any sg_read() that is waiting for this
95852 * packet.
95853 */
95854 wake_up_interruptible(&sfp->read_wait);
95855 kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
95856 kref_put(&sfp->f_ref, sg_remove_sfp);
95857 } else {
95858 INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
95859 schedule_work(&srp->ew.work);
95860 }
95861
95862 Since srp->orphan *is* set, we set done to 0 (assuming the
95863 userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
95864 ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
95865 to run in a workqueue.
95866
95867 - In workqueue context we go through sg_rq_end_io_usercontext() ->
95868 sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
95869 bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
95870
95871 The key point here is that we are doing copy_to_user() on a
95872 workqueue -- that is, we're on a kernel thread with current->mm
95873 equal to whatever random previous user process was scheduled before
95874 this kernel thread. So we end up copying whatever data the SCSI
95875 command returned to the virtual address of the buffer passed into
95876 the original ioctl, but it's quite likely we do this copying into a
95877 different address space!
95878
95879 As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
95880 add a check for current->mm (which is NULL if we're on a kernel thread
95881 without a real userspace address space) in bio_uncopy_user(), and skip
95882 the copy if we're on a kernel thread.
95883
95884 There's no reason that I can think of for any caller of bio_uncopy_user()
95885 to want to do copying on a kernel thread with a random active userspace
95886 address space.
95887
95888 Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
95889 original pointer to this bug in the sg code.
95890
95891 Signed-off-by: Roland Dreier <roland@purestorage.com>
95892 Tested-by: David Milburn <dmilburn@redhat.com>
95893 Cc: Jens Axboe <axboe@kernel.dk>
95894 Cc: <stable@vger.kernel.org>
95895 Signed-off-by: James Bottomley <JBottomley@Parallels.com>
95896
95897 fs/bio.c | 20 +++++++++++++++-----
95898 1 files changed, 15 insertions(+), 5 deletions(-)
95899
95900commit e6fe57dee152671afd618d6bc8cbf23155be6c34
95901Merge: cdc8f7d f2095a4
95902Author: Brad Spengler <spender@grsecurity.net>
95903Date: Tue Aug 27 18:13:35 2013 -0400
95904
95905 Merge branch 'pax-test' into grsec-test
95906
95907 Conflicts:
95908 arch/arm/mm/fault.c
95909 security/Kconfig
95910
95911commit f2095a4787f7d332e5919f0bd00f8de6021ad612
95912Author: Brad Spengler <spender@grsecurity.net>
95913Date: Tue Aug 27 18:08:23 2013 -0400
95914
95915 Update to pax-linux-3.10.9-test20.patch:
95916 - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
95917 - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
95918 - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
95919 - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
95920 - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
95921 - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
95922 - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)
95923
95924 arch/arm/mm/fault.c | 11 +-
95925 arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++--
95926 arch/mips/kernel/traps.c | 14 +-
95927 arch/x86/include/asm/tlbflush.h | 4 +
95928 arch/x86/include/asm/uaccess_64.h | 2 +-
95929 fs/ntfs/file.c | 2 +-
95930 kernel/events/internal.h | 4 +-
95931 kernel/events/uprobes.c | 2 +-
95932 kernel/futex.c | 2 +-
95933 mm/filemap.c | 8 +-
95934 security/Kconfig | 2 +-
95935 tools/gcc/kernexec_plugin.c | 18 +-
95936 tools/gcc/latent_entropy_plugin.c | 26 +-
95937 tools/gcc/size_overflow_plugin.c | 3 +-
95938 14 files changed, 750 insertions(+), 70 deletions(-)
95939
95940commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
95941Merge: 5a9ae57 745975e
95942Author: Brad Spengler <spender@grsecurity.net>
95943Date: Mon Aug 26 20:27:33 2013 -0400
95944
95945 Merge branch 'pax-test' into grsec-test
95946
95947commit 745975e3b3b74b64e00e85778f9a22714d1274f2
95948Author: Brad Spengler <spender@grsecurity.net>
95949Date: Mon Aug 26 20:26:33 2013 -0400
95950
95951 Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
95952 as reported by fabled on the forums:
95953 http://forums.grsecurity.net/viewtopic.php?f=1&t=3720
95954
95955 arch/arm/include/asm/pgtable.h | 4 +---
95956 1 files changed, 1 insertions(+), 3 deletions(-)
95957
95958commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
95959Merge: 486ec00 f68df21
95960Author: Brad Spengler <spender@grsecurity.net>
95961Date: Tue Aug 20 20:15:20 2013 -0400
95962
95963 Merge branch 'pax-test' into grsec-test
95964
95965commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
95966Author: Brad Spengler <spender@grsecurity.net>
95967Date: Tue Aug 20 20:14:50 2013 -0400
95968
95969 Update to pax-linux-3.10.9-test18.patch:
95970 - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
95971 - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
95972 - forward port to 3.10.9
95973
95974 arch/x86/kernel/entry_64.S | 18 +++++++++---------
95975 arch/x86/kernel/i386_ksyms_32.c | 4 ++++
95976 arch/x86/kernel/x8664_ksyms_64.c | 4 ++++
95977 3 files changed, 17 insertions(+), 9 deletions(-)
95978
95979commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
95980Merge: f47a293 d8fed0e
95981Author: Brad Spengler <spender@grsecurity.net>
95982Date: Tue Aug 20 20:12:47 2013 -0400
95983
95984 Merge branch 'pax-test' into grsec-test
95985
95986commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
95987Merge: f6ace8e 0a4b6d4
95988Author: Brad Spengler <spender@grsecurity.net>
95989Date: Tue Aug 20 20:12:33 2013 -0400
95990
95991 Merge branch 'linux-3.10.y' into pax-test
95992
95993commit f47a293a1440da2a3e2c239d43d636e37ca74f10
95994Merge: f1e8ec7 f6ace8e
95995Author: Brad Spengler <spender@grsecurity.net>
95996Date: Tue Aug 20 18:20:05 2013 -0400
95997
95998 Merge branch 'pax-test' into grsec-test
95999
96000 Conflicts:
96001 arch/arm/kernel/perf_event.c
96002 include/linux/sched.h
96003
96004commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
96005Merge: b4fa847 6f54059
96006Author: Brad Spengler <spender@grsecurity.net>
96007Date: Tue Aug 20 18:18:02 2013 -0400
96008
96009 Update to pax-linux-3.10.8-test18.patch
96010
96011 Merge branch 'linux-3.10.y' into pax-test
96012
96013 Conflicts:
96014 arch/x86/kernel/sys_x86_64.c
96015 arch/x86/mm/mmap.c
96016 include/linux/sched.h
96017
96018commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
96019Merge: 6f88011 b4fa847
96020Author: Brad Spengler <spender@grsecurity.net>
96021Date: Tue Aug 20 18:05:12 2013 -0400
96022
96023 Merge branch 'pax-test' into grsec-test
96024
96025commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
96026Author: Brad Spengler <spender@grsecurity.net>
96027Date: Tue Aug 20 18:04:14 2013 -0400
96028
96029 Update to pax-linux-3.10.7-test18.patch:
96030 - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
96031 - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
96032 - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause
96033
96034 arch/arm/kernel/process.c | 2 +-
96035 arch/x86/include/asm/processor.h | 25 ++-----------------------
96036 arch/x86/kernel/cpu/common.c | 4 ++++
96037 arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
96038 drivers/staging/zcache/tmem.c | 4 ++--
96039 drivers/staging/zcache/tmem.h | 6 ++----
96040 6 files changed, 47 insertions(+), 30 deletions(-)
96041
96042commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
96043Author: Brad Spengler <spender@grsecurity.net>
96044Date: Mon Aug 19 22:10:04 2013 -0400
96045
96046 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
96047 as reported by pipacs
96048
96049 arch/x86/kernel/smpboot.c | 3 ---
96050 1 files changed, 0 insertions(+), 3 deletions(-)
96051
96052commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
96053Merge: 6eba999 5de93c8
96054Author: Brad Spengler <spender@grsecurity.net>
96055Date: Sun Aug 18 22:03:19 2013 -0400
96056
96057 Merge branch 'pax-test' into grsec-test
96058
96059commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
96060Author: Brad Spengler <spender@grsecurity.net>
96061Date: Sun Aug 18 22:02:47 2013 -0400
96062
96063 Update to pax-linux-3.10.7-test15.patch:
96064 - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
96065 - fixed some new REFCOUNT false positives, caught by inspection
96066
96067 arch/x86/kernel/cpu/common.c | 5 +++--
96068 arch/x86/kernel/entry_64.S | 11 +++++++----
96069 fs/ceph/super.c | 4 ++--
96070 mm/backing-dev.c | 4 ++--
96071 4 files changed, 14 insertions(+), 10 deletions(-)
96072
96073commit 94c119587c76723c1072237b98fff9886ccb7689
96074Author: Brad Spengler <spender@grsecurity.net>
96075Date: Sun Aug 18 20:49:39 2013 -0400
96076
96077 fix pipacs' DEMORGAN typo
96078
96079 arch/x86/include/asm/tlbflush.h | 2 +-
96080 1 files changed, 1 insertions(+), 1 deletions(-)
96081
96082commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
96083Merge: df347f6 64a293e
96084Author: Brad Spengler <spender@grsecurity.net>
96085Date: Sun Aug 18 18:13:04 2013 -0400
96086
96087 Merge branch 'pax-test' into grsec-test
96088
96089commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
96090Author: Brad Spengler <spender@grsecurity.net>
96091Date: Sun Aug 18 18:12:37 2013 -0400
96092
96093 Update to pax-linux-3.10.7-test14.patch:
96094 - fixed compile error introduced by the previous PCID change
96095 - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
96096
96097 arch/x86/include/asm/tlbflush.h | 2 +-
96098 kernel/posix-timers.c | 2 +-
96099 2 files changed, 2 insertions(+), 2 deletions(-)
96100
96101commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
96102Merge: d8efbc5 e11b314
96103Author: Brad Spengler <spender@grsecurity.net>
96104Date: Sun Aug 18 08:15:00 2013 -0400
96105
96106 Merge branch 'pax-test' into grsec-test
96107
96108commit e11b314734c5b7317f5468be75305ad812e78c2b
96109Author: Brad Spengler <spender@grsecurity.net>
96110Date: Sun Aug 18 08:14:26 2013 -0400
96111
96112 Update to pax-linux-3.10.7-test13.patch:
96113 - always enable the use of PCID and INVPCID when available in the CPU
96114 - kvm guest kernels can use these features even if the host kernel lacks UDEREF
96115
96116 arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++----------------
96117 arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++----------
96118 2 files changed, 70 insertions(+), 47 deletions(-)
96119
96120commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
96121Author: Brad Spengler <spender@grsecurity.net>
96122Date: Sat Aug 17 12:00:20 2013 -0400
96123
96124 make kallsyms_lookup_size_offset available to approved source files
96125
96126 include/linux/kallsyms.h | 3 +++
96127 1 files changed, 3 insertions(+), 0 deletions(-)
96128
96129commit 6c8feffa95ce2db280160015027b52bb41a344c8
96130Merge: dbf6930 0bb1c2b
96131Author: Brad Spengler <spender@grsecurity.net>
96132Date: Sat Aug 17 11:57:50 2013 -0400
96133
96134 Merge branch 'pax-test' into grsec-test
96135
96136commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
96137Author: Brad Spengler <spender@grsecurity.net>
96138Date: Sat Aug 17 11:56:43 2013 -0400
96139
96140 Update to pax-linux-3.10.7-test12.patch:
96141 - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
96142 - fixed some arm compile problems
96143
96144 arch/x86/include/asm/tlbflush.h | 2 +-
96145 drivers/clocksource/bcm_kona_timer.c | 2 +-
96146 kernel/signal.c | 4 ++++
96147 3 files changed, 6 insertions(+), 2 deletions(-)
96148
96149commit dbf69305ad4f8a037aae95af90f9201f556dcb48
96150Author: Brad Spengler <spender@grsecurity.net>
96151Date: Sat Aug 17 11:18:09 2013 -0400
96152
96153 allow use of kallsyms_lookup_name to approved source files
96154
96155 include/linux/kallsyms.h | 1 +
96156 1 files changed, 1 insertions(+), 0 deletions(-)
96157
96158commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
96159Merge: 68bd16f f562e3e
96160Author: Brad Spengler <spender@grsecurity.net>
96161Date: Sat Aug 17 10:35:02 2013 -0400
96162
96163 Merge branch 'pax-test' into grsec-test
96164
96165commit f562e3ef7737ea8d80431a722479b36a12504ace
96166Author: Brad Spengler <spender@grsecurity.net>
96167Date: Sat Aug 17 10:34:51 2013 -0400
96168
96169 add uderef_64.c
96170
96171 arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++
96172 1 files changed, 37 insertions(+), 0 deletions(-)
96173
96174commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
96175Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
96176Date: Mon Aug 12 16:30:09 2013 +0000
96177
96178 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
96179
96180 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
96181
96182 Fix the iproute2 command `bridge vlan show`, after switching from
96183 rtgenmsg to ifinfomsg.
96184
96185 Let's start with a little history:
96186
96187 Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in
96188 the 3.9 merge window.
96189 In the kernel commit 6cbdceeb, he added attribute support to
96190 bridge GETLINK requests sent with rtgenmsg.
96191
96192 Mar 6th: Vlad got this iproute2 reference implementation of the bridge
96193 vlan netlink interface accepted (iproute2 9eff0e5c)
96194
96195 Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
96196 http://patchwork.ozlabs.org/patch/239602/
96197 http://marc.info/?t=136680900700007
96198
96199 Apr 28th: Linus released 3.9
96200
96201 Apr 30th: Stephen released iproute2 3.9.0
96202
96203 The `bridge vlan show` command haven't been working since the switch to
96204 ifinfomsg, or in a released version of iproute2. Since the kernel side
96205 only supports rtgenmsg, which iproute2 switched away from just prior to
96206 the iproute2 3.9.0 release.
96207
96208 I haven't been able to find any documentation, about neither rtgenmsg
96209 nor ifinfomsg, and in which situation to use which, but kernel commit
96210 88c5b5ce seams to suggest that ifinfomsg should be used.
96211
96212 Fixing this in kernel will break compatibility, but I doubt that anybody
96213 have been using it due to this bug in the user space reference
96214 implementation, at least not without noticing this bug. That said the
96215 functionality is still fully functional in 3.9, when reversing iproute2
96216 commit 63338dca.
96217
96218 This could also be fixed in iproute2, but thats an ugly patch that would
96219 reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
96220 like rtgenmsg usage is discouraged. I'm assuming that the only reason
96221 that Vlad implemented the kernel side to use rtgenmsg, was because
96222 iproute2 was using it at the time.
96223
96224 Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
96225 Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
96226 Signed-off-by: David S. Miller <davem@davemloft.net>
96227
96228 net/core/rtnetlink.c | 2 +-
96229 1 files changed, 1 insertions(+), 1 deletions(-)
96230
96231commit 8c7bc5bafddddff55ed4687203a977e96f72540a
96232Author: Johannes Berg <johannes.berg@intel.com>
96233Date: Tue Aug 13 09:04:05 2013 +0200
96234
96235 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
96236
96237 genetlink: fix family dump race
96238
96239 When dumping generic netlink families, only the first dump call
96240 is locked with genl_lock(), which protects the list of families,
96241 and thus subsequent calls can access the data without locking,
96242 racing against family addition/removal. This can cause a crash.
96243 Fix it - the locking needs to be conditional because the first
96244 time around it's already locked.
96245
96246 A similar bug was reported to me on an old kernel (3.4.47) but
96247 the exact scenario that happened there is no longer possible,
96248 on those kernels the first round wasn't locked either. Looking
96249 at the current code I found the race described above, which had
96250 also existed on the old kernel.
96251
96252 Cc: stable@vger.kernel.org
96253 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
96254 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
96255 Signed-off-by: David S. Miller <davem@davemloft.net>
96256
96257 net/netlink/genetlink.c | 7 +++++++
96258 1 files changed, 7 insertions(+), 0 deletions(-)
96259
96260commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
96261Author: Daniel Borkmann <dborkman@redhat.com>
96262Date: Fri Aug 9 16:25:21 2013 +0200
96263
96264 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
96265
96266 net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
96267
96268 Probably this one is quite unlikely to be triggered, but it's more safe
96269 to do the call_rcu() at the end after we have dropped the reference on
96270 the asoc and freed sctp packet chunks. The reason why is because in
96271 sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
96272 we're unlucky enough we could run into corrupted pointers. Probably
96273 that's more of theoretical nature, but it's safer to have this simple fix.
96274
96275 Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
96276 for deferred call_rcu's"). I also did the 8c98653f regression test and
96277 it's fine that way.
96278
96279 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
96280 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
96281 Signed-off-by: David S. Miller <davem@davemloft.net>
96282
96283 net/sctp/transport.c | 4 ++--
96284 1 files changed, 2 insertions(+), 2 deletions(-)
96285
96286commit 3925eab5483946fd746575a46f97bee9d566bb77
96287Author: Stephane Grosjean <s.grosjean@peak-system.com>
96288Date: Fri Aug 9 11:44:06 2013 +0200
96289
96290 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
96291
96292 can: pcan_usb: fix wrong memcpy() bytes length
96293
96294 Fix possibly wrong memcpy() bytes length since some CAN records received from
96295 PCAN-USB could define a DLC field in range [9..15].
96296 In that case, the real DLC value MUST be used to move forward the record pointer
96297 but, only 8 bytes max. MUST be copied into the data field of the struct
96298 can_frame object of the skb given to the network core.
96299
96300 Cc: linux-stable <stable@vger.kernel.org>
96301 Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
96302 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
96303 Signed-off-by: David S. Miller <davem@davemloft.net>
96304
96305 drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
96306 1 files changed, 1 insertions(+), 1 deletions(-)
96307
96308commit c1ac6642baae4a400d1f87115024d1bb1ef53598
96309Author: Linus Lüssing <linus.luessing@web.de>
96310Date: Tue Aug 6 20:21:15 2013 +0200
96311
96312 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
96313
96314 batman-adv: fix potential kernel paging errors for unicast transmissions
96315
96316 There are several functions which might reallocate skb data. Currently
96317 some places keep reusing their old ethhdr pointer regardless of whether
96318 they became invalid after such a reallocation or not. This potentially
96319 leads to kernel paging errors.
96320
96321 This patch fixes these by refetching the ethdr pointer after the
96322 potential reallocations.
96323
96324 Signed-off-by: Linus Lüssing <linus.luessing@web.de>
96325 Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
96326 Signed-off-by: Antonio Quartulli <ordex@autistici.org>
96327
96328 net/batman-adv/bridge_loop_avoidance.c | 2 ++
96329 net/batman-adv/gateway_client.c | 13 ++++++++++++-
96330 net/batman-adv/gateway_client.h | 3 +--
96331 net/batman-adv/soft-interface.c | 9 ++++++++-
96332 net/batman-adv/unicast.c | 13 ++++++++++---
96333 5 files changed, 33 insertions(+), 7 deletions(-)
96334
96335commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
96336Author: Yuchung Cheng <ycheng@google.com>
96337Date: Fri Aug 9 17:21:27 2013 -0700
96338
96339 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
96340
96341 netfilter: nf_conntrack: fix tcp_in_window for Fast Open
96342
96343 Currently the conntrack checks if the ending sequence of a packet
96344 falls within the observed receive window. However it does so even
96345 if it has not observe any packet from the remote yet and uses an
96346 uninitialized receive window (td_maxwin).
96347
96348 If a connection uses Fast Open to send a SYN-data packet which is
96349 dropped afterward in the network. The subsequent SYNs retransmits
96350 will all fail this check and be discarded, leading to a connection
96351 timeout. This is because the SYN retransmit does not contain data
96352 payload so
96353
96354 end == initial sequence number (isn) + 1
96355 sender->td_end == isn + syn_data_len
96356 receiver->td_maxwin == 0
96357
96358 The fix is to only apply this check after td_maxwin is initialized.
96359
96360 Reported-by: Michael Chan <mcfchan@stanford.edu>
96361 Signed-off-by: Yuchung Cheng <ycheng@google.com>
96362 Acked-by: Eric Dumazet <edumazet@google.com>
96363 Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
96364 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
96365
96366 net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
96367 1 files changed, 8 insertions(+), 4 deletions(-)
96368
96369commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
96370Author: Dan Carpenter <dan.carpenter@oracle.com>
96371Date: Thu Aug 1 12:36:57 2013 +0300
96372
96373 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
96374
96375 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
96376
96377 These structs have a "_pad" member. Also the "phw" structs have an 8
96378 byte "hw_addr[]" array but sometimes only the first 6 bytes are
96379 initialized.
96380
96381 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
96382 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
96383
96384 net/netfilter/nfnetlink_log.c | 6 +++++-
96385 net/netfilter/nfnetlink_queue_core.c | 5 ++++-
96386 2 files changed, 9 insertions(+), 2 deletions(-)
96387
96388commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
96389Author: Pablo Neira Ayuso <pablo@netfilter.org>
96390Date: Thu Jul 25 10:46:46 2013 +0200
96391
96392 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
96393
96394 netfilter: xt_TCPOPTSTRIP: fix possible off by one access
96395
96396 Fix a possible off by one access since optlen()
96397 touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
96398
96399 This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
96400 that stores the TCP header length, to save some cycles.
96401
96402 Reported-by: Julian Anastasov <ja@ssi.bg>
96403 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
96404
96405 net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++----
96406 1 files changed, 6 insertions(+), 4 deletions(-)
96407
96408commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
96409Author: Pablo Neira Ayuso <pablo@netfilter.org>
96410Date: Thu Jul 25 10:37:49 2013 +0200
96411
96412 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
96413
96414 netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
96415
96416 Make sure the packet has enough room for the TCP header and
96417 that it is not malformed.
96418
96419 While at it, store tcph->doff*4 in a variable, as it is used
96420 several times.
96421
96422 This patch also fixes a possible off by one in case of malformed
96423 TCP options.
96424
96425 Reported-by: Julian Anastasov <ja@ssi.bg>
96426 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
96427
96428 net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
96429 1 files changed, 16 insertions(+), 12 deletions(-)
96430
96431commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
96432Author: Dave Jones <davej@redhat.com>
96433Date: Fri Aug 9 11:16:34 2013 -0700
96434
96435 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
96436
96437 8139cp: Fix skb leak in rx_status_loop failure path.
96438
96439 Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
96440 ("8139cp: Add dma_mapping_error checking")
96441
96442 Signed-off-by: Dave Jones <davej@redhat.com>
96443 Signed-off-by: David S. Miller <davem@davemloft.net>
96444
96445 drivers/net/ethernet/realtek/8139cp.c | 1 +
96446 1 files changed, 1 insertions(+), 0 deletions(-)
96447
96448commit 227b279491a0bbcc70ca3654f34903282c378600
96449Author: Timo Teräs <timo.teras@iki.fi>
96450Date: Tue Aug 6 13:45:43 2013 +0300
96451
96452 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
96453
96454 ip_gre: fix ipgre_header to return correct offset
96455
96456 Fix ipgre_header() (header_ops->create) to return the correct
96457 amount of bytes pushed. Most callers of dev_hard_header() seem
96458 to care only if it was success, but af_packet.c uses it as
96459 offset to the skb to copy from userspace only once. In practice
96460 this fixes packet socket sendto()/sendmsg() to gre tunnels.
96461
96462 Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
96463 ("GRE: Refactor GRE tunneling code.")
96464
96465 Cc: Pravin B Shelar <pshelar@nicira.com>
96466 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
96467 Acked-by: Eric Dumazet <edumazet@google.com>
96468 Signed-off-by: David S. Miller <davem@davemloft.net>
96469
96470 net/ipv4/ip_gre.c | 2 +-
96471 1 files changed, 1 insertions(+), 1 deletions(-)
96472
96473commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
96474Author: Eric Dumazet <edumazet@google.com>
96475Date: Mon Aug 5 11:18:49 2013 -0700
96476
96477 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
96478
96479 fib_trie: remove potential out of bound access
96480
96481 AddressSanitizer [1] dynamic checker pointed a potential
96482 out of bound access in leaf_walk_rcu()
96483
96484 We could allocate one more slot in tnode_new() to leave the prefetch()
96485 in-place but it looks not worth the pain.
96486
96487 Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
96488
96489 [1] :
96490 https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
96491
96492 Reported-by: Andrey Konovalov <andreyknvl@google.com>
96493 Signed-off-by: Eric Dumazet <edumazet@google.com>
96494 Cc: Dmitry Vyukov <dvyukov@google.com>
96495 Signed-off-by: David S. Miller <davem@davemloft.net>
96496
96497 net/ipv4/fib_trie.c | 5 +----
96498 1 files changed, 1 insertions(+), 4 deletions(-)
96499
96500commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
96501Author: Daniel Borkmann <dborkman@redhat.com>
96502Date: Mon Aug 5 12:49:35 2013 +0200
96503
96504 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
96505
96506 net: esp{4,6}: fix potential MTU calculation overflows
96507
96508 Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
96509 size calculation") introduced a possible interger overflow in
96510 esp{4,6}_get_mtu() handlers in case of x->props.mode equals
96511 XFRM_MODE_TUNNEL. Thus, the following expression will overflow
96512
96513 unsigned int net_adj;
96514 ...
96515 <case ipv{4,6} XFRM_MODE_TUNNEL>
96516 net_adj = 0;
96517 ...
96518 return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
96519 net_adj) & ~(align - 1)) + (net_adj - 2);
96520
96521 where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
96522 context. Fix it by simply removing brackets as those operations here
96523 do not need to have special precedence.
96524
96525 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
96526 Cc: Benjamin Poirier <bpoirier@suse.de>
96527 Cc: Steffen Klassert <steffen.klassert@secunet.com>
96528 Acked-by: Benjamin Poirier <bpoirier@suse.de>
96529 Signed-off-by: David S. Miller <davem@davemloft.net>
96530
96531 net/ipv4/esp4.c | 2 +-
96532 net/ipv6/esp6.c | 2 +-
96533 2 files changed, 2 insertions(+), 2 deletions(-)
96534
96535commit f02bce292d1c2fe610be509c96593e70b3de387b
96536Author: Julia Lawall <Julia.Lawall@lip6.fr>
96537Date: Mon Aug 5 16:47:38 2013 +0200
96538
96539 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
96540
96541 net/vmw_vsock/af_vsock.c: drop unneeded semicolon
96542
96543 Drop the semicolon at the end of the list_for_each_entry loop header.
96544
96545 Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
96546 Signed-off-by: David S. Miller <davem@davemloft.net>
96547
96548 net/vmw_vsock/af_vsock.c | 2 +-
96549 1 files changed, 1 insertions(+), 1 deletions(-)
96550
96551commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
96552Author: Tiger Yang <tiger.yang@oracle.com>
96553Date: Tue Aug 13 16:00:58 2013 -0700
96554
96555 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
96556
96557 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
96558
96559 Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
96560 the struct file pointer, it finally result in a null pointer dereference
96561 in ocfs2_duplicate_clusters_by_page.
96562
96563 This patch replace file pointer with inode pointer in
96564 cow_duplicate_clusters to fix this issue.
96565
96566 [jeff.liu@oracle.com: rebased patch against linux-next tree]
96567 Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
96568 Signed-off-by: Jie Liu <jeff.liu@oracle.com>
96569 Cc: Joel Becker <jlbec@evilplan.org>
96570 Cc: Mark Fasheh <mfasheh@suse.com>
96571 Acked-by: Tao Ma <tm@tao.ma>
96572 Tested-by: David Weber <wb@munzinger.de>
96573 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
96574 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
96575
96576 fs/ocfs2/aops.c | 2 +-
96577 fs/ocfs2/file.c | 6 ++--
96578 fs/ocfs2/move_extents.c | 2 +-
96579 fs/ocfs2/refcounttree.c | 53 +++++++---------------------------------------
96580 fs/ocfs2/refcounttree.h | 6 ++--
96581 5 files changed, 16 insertions(+), 53 deletions(-)
96582
96583commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
96584Author: Dan Carpenter <dan.carpenter@oracle.com>
96585Date: Thu Aug 15 15:52:57 2013 +0300
96586
96587 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
96588
96589 tun: signedness bug in tun_get_user()
96590
96591 The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
96592 not totally correct. Because "len" and "sizeof()" are size_t type, that
96593 means they are never less than zero.
96594
96595 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
96596 Acked-by: Michael S. Tsirkin <mst@redhat.com>
96597 Acked-by: Neil Horman <nhorman@tuxdriver.com>
96598 Signed-off-by: David S. Miller <davem@davemloft.net>
96599
96600 drivers/net/tun.c | 6 ++++--
96601 1 files changed, 4 insertions(+), 2 deletions(-)
96602
96603commit 26ad267ddda451919357965a0cf271ca24d1bcf2
96604Author: Weiping Pan <wpan@redhat.com>
96605Date: Tue Aug 13 21:46:56 2013 +0800
96606
96607 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
96608
96609 tun: compare with 0 instead of total_len
96610
96611 Since we set "len = total_len" in the beginning of tun_get_user(),
96612 so we should compare the new len with 0, instead of total_len,
96613 or the if statement always returns false.
96614
96615 Signed-off-by: Weiping Pan <wpan@redhat.com>
96616 Signed-off-by: David S. Miller <davem@davemloft.net>
96617
96618 drivers/net/tun.c | 4 ++--
96619 1 files changed, 2 insertions(+), 2 deletions(-)
96620
96621commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
96622Author: Guenter Roeck <linux@roeck-us.net>
96623Date: Fri Aug 16 20:50:55 2013 -0700
96624
96625 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
96626
96627 s390: Fix broken build
96628
96629 Fix this build error:
96630
96631 In file included from fs/exec.c:61:0:
96632 arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
96633 arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
96634 arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
96635 arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
96636
96637 Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
96638 invalidation corner cases").
96639
96640 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
96641 Cc: stable@vger.kernel.org
96642 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
96643 [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ]
96644 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
96645
96646 arch/s390/include/asm/tlb.h | 2 +-
96647 1 files changed, 1 insertions(+), 1 deletions(-)
96648
96649commit 4e57312c2de2a25ddb181d129dafbc0251062c33
96650Author: Linus Torvalds <torvalds@linux-foundation.org>
96651Date: Thu Aug 15 11:42:25 2013 -0700
96652
96653 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
96654
96655 Fix TLB gather virtual address range invalidation corner cases
96656
96657 Ben Tebulin reported:
96658
96659 "Since v3.7.2 on two independent machines a very specific Git
96660 repository fails in 9/10 cases on git-fsck due to an SHA1/memory
96661 failures. This only occurs on a very specific repository and can be
96662 reproduced stably on two independent laptops. Git mailing list ran
96663 out of ideas and for me this looks like some very exotic kernel issue"
96664
96665 and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
96666 limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
96667
96668 That commit itself is not actually buggy, but what it does is to make it
96669 much more likely to hit the partial TLB invalidation case, since it
96670 introduces a new case in tlb_next_batch() that previously only ever
96671 happened when running out of memory.
96672
96673 The real bug is that the TLB gather virtual memory range setup is subtly
96674 buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
96675 enable tlb flush range in generic mmu_gather"), and the range handling
96676 was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
96677 range flushed when __tlb_remove_page() runs out of slots"), but that fix
96678 was not complete.
96679
96680 The problem with the TLB gather virtual address range is that it isn't
96681 set up by the initial tlb_gather_mmu() initialization (which didn't get
96682 the TLB range information), but it is set up ad-hoc later by the
96683 functions that actually flush the TLB. And so any such case that forgot
96684 to update the TLB range entries would potentially miss TLB invalidates.
96685
96686 Rather than try to figure out exactly which particular ad-hoc range
96687 setup was missing (I personally suspect it's the hugetlb case in
96688 zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
96689 did), this patch just gets rid of the problem at the source: make the
96690 TLB range information available to tlb_gather_mmu(), and initialize it
96691 when initializing all the other tlb gather fields.
96692
96693 This makes the patch larger, but conceptually much simpler. And the end
96694 result is much more understandable; even if you want to play games with
96695 partial ranges when invalidating the TLB contents in chunks, now the
96696 range information is always there, and anybody who doesn't want to
96697 bother with it won't introduce subtle bugs.
96698
96699 Ben verified that this fixes his problem.
96700
96701 Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
96702 Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
96703 Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
96704 Reviewed-by: Michal Hocko <mhocko@suse.cz>
96705 Acked-by: Peter Zijlstra <peterz@infradead.org>
96706 Cc: stable@vger.kernel.org
96707 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
96708
96709 arch/arm/include/asm/tlb.h | 7 +++++--
96710 arch/arm64/include/asm/tlb.h | 7 +++++--
96711 arch/ia64/include/asm/tlb.h | 9 ++++++---
96712 arch/s390/include/asm/tlb.h | 8 ++++++--
96713 arch/sh/include/asm/tlb.h | 6 ++++--
96714 arch/um/include/asm/tlb.h | 6 ++++--
96715 fs/exec.c | 4 ++--
96716 include/asm-generic/tlb.h | 2 +-
96717 mm/hugetlb.c | 2 +-
96718 mm/memory.c | 36 +++++++++++++++++++++---------------
96719 mm/mmap.c | 4 ++--
96720 11 files changed, 57 insertions(+), 34 deletions(-)
96721
96722commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
96723Merge: 5568c80 ffceabf
96724Author: Brad Spengler <spender@grsecurity.net>
96725Date: Sat Aug 17 09:11:41 2013 -0400
96726
96727 Merge branch 'pax-test' into grsec-test
96728
96729commit ffceabfcc65c60109ba5fca694d78d4dc7047809
96730Author: Brad Spengler <spender@grsecurity.net>
96731Date: Sat Aug 17 09:10:44 2013 -0400
96732
96733 Update to pax-linux-3.10.7-test11.patch:
96734 - simplified some arm code
96735 - disabled preemption when calling show_regs, reported by Corey Minyard
96736 - added PCID based support for UDEREF on amd64 (blog will have more details)
96737 - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
96738 - nopcid turns it off
96739 - by default a strong form of UDEREF is used under PCID
96740 - pax_weakuderef switches to the older, less secure UDEREF
96741 - fixed several bugs that would also have manifested under SMAP
96742 - INVPCID is used when available (Haswell)
96743 - added a few more return insn instrumentation in new amd64 crypto code
96744
96745 Documentation/kernel-parameters.txt | 7 +
96746 arch/arm/include/asm/uaccess.h | 3 +
96747 arch/x86/crypto/blowfish-avx2-asm_64.S | 6 +
96748 arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++
96749 arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++
96750 arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
96751 arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
96752 arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++
96753 arch/x86/crypto/sha256-avx-asm.S | 2 +
96754 arch/x86/crypto/sha256-avx2-asm.S | 2 +
96755 arch/x86/crypto/sha256-ssse3-asm.S | 2 +
96756 arch/x86/crypto/sha512-avx-asm.S | 2 +
96757 arch/x86/crypto/sha512-avx2-asm.S | 2 +
96758 arch/x86/crypto/sha512-ssse3-asm.S | 2 +
96759 arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++
96760 arch/x86/ia32/ia32_signal.c | 2 +-
96761 arch/x86/ia32/ia32entry.S | 24 ++++-
96762 arch/x86/include/asm/cpufeature.h | 3 +-
96763 arch/x86/include/asm/fpu-internal.h | 2 +
96764 arch/x86/include/asm/futex.h | 4 +
96765 arch/x86/include/asm/mmu_context.h | 80 +++++++++++---
96766 arch/x86/include/asm/pgtable.h | 10 +-
96767 arch/x86/include/asm/processor.h | 15 +++-
96768 arch/x86/include/asm/segment.h | 5 +-
96769 arch/x86/include/asm/smap.h | 64 +++++++++++-
96770 arch/x86/include/asm/tlbflush.h | 63 +++++++++--
96771 arch/x86/include/asm/uaccess.h | 18 +++-
96772 arch/x86/include/asm/xsave.h | 4 +
96773 arch/x86/kernel/cpu/common.c | 38 +++++++
96774 arch/x86/kernel/entry_32.S | 2 +-
96775 arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++---
96776 arch/x86/kernel/head_32.S | 2 +-
96777 arch/x86/kernel/head_64.S | 8 +-
96778 arch/x86/kernel/process_64.c | 5 +
96779 arch/x86/kernel/setup.c | 8 +-
96780 arch/x86/kernel/signal.c | 4 +-
96781 arch/x86/kernel/smpboot.c | 15 ++-
96782 arch/x86/lib/copy_user_64.S | 50 +--------
96783 arch/x86/lib/copy_user_nocache_64.S | 2 +
96784 arch/x86/lib/csum-wrappers_64.c | 11 ++-
96785 arch/x86/lib/memcpy_64.S | 4 +-
96786 arch/x86/lib/memmove_64.S | 2 +-
96787 arch/x86/lib/memset_64.S | 4 +-
96788 arch/x86/lib/usercopy_64.c | 5 +-
96789 arch/x86/mm/Makefile | 4 +
96790 arch/x86/mm/fault.c | 29 ++++--
96791 arch/x86/mm/init.c | 7 +-
96792 arch/x86/mm/init_64.c | 9 ++-
96793 arch/x86/mm/pageattr.c | 2 +-
96794 arch/x86/mm/pgtable.c | 3 +
96795 arch/x86/platform/efi/efi_32.c | 2 +-
96796 arch/x86/platform/efi/efi_64.c | 2 +-
96797 arch/x86/realmode/rm/trampoline_64.S | 1 +
96798 fs/exec.c | 2 +
96799 include/asm-generic/uaccess.h | 8 ++
96800 include/linux/compat.h | 1 +
96801 include/linux/preempt.h | 19 +++
96802 include/linux/signal.h | 1 +
96803 include/linux/smp.h | 2 +
96804 init/main.c | 14 ++-
96805 kernel/signal.c | 16 +++
96806 security/Kconfig | 5 +
96807 tools/lib/lk/Makefile | 2 +-
96808 tools/perf/Makefile | 2 +-
96809 64 files changed, 673 insertions(+), 136 deletions(-)
96810
96811commit 5568c8059e78d6d002815409df4e90c83b3b08a8
96812Author: Brad Spengler <spender@grsecurity.net>
96813Date: Sat Aug 17 08:58:34 2013 -0400
96814
96815 Fix two harmless compiler warnings
96816
96817 arch/arm/kernel/process.c | 4 ++--
96818 fs/exec.c | 2 +-
96819 2 files changed, 3 insertions(+), 3 deletions(-)
96820
96821commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
96822Author: Brad Spengler <spender@grsecurity.net>
96823Date: Fri Aug 16 22:55:24 2013 -0400
96824
96825 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b
96826
96827 arch/arm/kernel/perf_event.c | 5 ++++-
96828 1 files changed, 4 insertions(+), 1 deletions(-)
96829
96830commit 3637bc893b57a227b01852fe34685ab237285b10
96831Author: Stephen Boyd <sboyd@codeaurora.org>
96832Date: Wed Aug 7 16:18:08 2013 -0700
96833
96834 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
96835
96836 perf/arm: Fix armpmu_map_hw_event()
96837
96838 Fix constraint check in armpmu_map_hw_event().
96839
96840 Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
96841 Cc: <stable@kernel.org>
96842 Signed-off-by: Ingo Molnar <mingo@kernel.org>
96843 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
96844
96845 arch/arm/kernel/perf_event.c | 7 ++++++-
96846 1 files changed, 6 insertions(+), 1 deletions(-)
96847
96848commit 11802e1f961a088c39af58d1c1b14d861eedfb35
96849Author: Brad Spengler <spender@grsecurity.net>
96850Date: Fri Aug 16 22:53:30 2013 -0400
96851
96852 More ARM backports
96853
96854 arch/arm/kernel/entry-armv.S | 3 ++-
96855 arch/arm/kernel/fiq.c | 8 ++------
96856 2 files changed, 4 insertions(+), 7 deletions(-)
96857
96858commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
96859Author: Brad Spengler <spender@grsecurity.net>
96860Date: Fri Aug 16 22:46:01 2013 -0400
96861
96862 Fix HIDESYM compatibility with kprobes, as reported by feandil at:
96863 http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
96864
96865 include/linux/kallsyms.h | 2 +-
96866 kernel/kprobes.c | 3 +++
96867 2 files changed, 4 insertions(+), 1 deletions(-)
96868
96869commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
96870Author: yonghua zheng <younghua.zheng@gmail.com>
96871Date: Tue Aug 13 16:01:03 2013 -0700
96872
96873 fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
96874
96875 Recently we met quite a lot of random kernel panic issues after enabling
96876 CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
96877 to do with following bug in pagemap:
96878
96879 In struct pagemapread:
96880
96881 struct pagemapread {
96882 int pos, len;
96883 pagemap_entry_t *buffer;
96884 bool v2;
96885 };
96886
96887 pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
96888 buffer, it is a mistake to compare pos and len in add_page_map() for
96889 checking buffer is full or not, and this can lead to buffer overflow and
96890 random kernel panic issue.
96891
96892 Correct len to be total number of PM_ENTRY_BYTES in buffer.
96893
96894 [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
96895 Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
96896 Cc: <stable@vger.kernel.org>
96897 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
96898 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
96899
96900 Conflicts:
96901
96902 fs/proc/task_mmu.c
96903
96904 fs/proc/task_mmu.c | 8 ++++----
96905 1 files changed, 4 insertions(+), 4 deletions(-)
96906
96907commit 0a3dac834746de241c10d4978bf61b4f146ba89d
96908Merge: dc19474 e12de30
96909Author: Brad Spengler <spender@grsecurity.net>
96910Date: Fri Aug 16 17:39:01 2013 -0400
96911
96912 Merge branch 'pax-test' into grsec-test
96913
96914commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
96915Author: Brad Spengler <spender@grsecurity.net>
96916Date: Fri Aug 16 17:34:47 2013 -0400
96917
96918 Update to pax-linux-3.10.7-test9.patch:
96919 - Emese fixed a size overflow false positive reported by Sven Vermeulen
96920 - fixed some arm compile problems reported by spender
96921 - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
96922 eventually we'll have full REFCOUNT support on mips
96923
96924 arch/arm/kernel/process.c | 5 ++-
96925 arch/arm/mm/Kconfig | 2 +-
96926 arch/arm/mm/fault.c | 3 ++
96927 arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++
96928 mm/internal.h | 2 +-
96929 5 files changed, 65 insertions(+), 4 deletions(-)
96930
96931commit dc19474d0ea6ea3c939544ae5f906067b1784a10
96932Merge: 51b78c0 82266f9
96933Author: Brad Spengler <spender@grsecurity.net>
96934Date: Thu Aug 15 21:47:37 2013 -0400
96935
96936 Merge branch 'pax-test' into grsec-test
96937
96938commit 82266f90a3f87ab5017329fb539aebf94c42253a
96939Author: Brad Spengler <spender@grsecurity.net>
96940Date: Thu Aug 15 21:14:47 2013 -0400
96941
96942 Update to pax-linux-3.10.7-test9.patch
96943
96944 arch/arm/kernel/process.c | 6 ++----
96945 1 files changed, 2 insertions(+), 4 deletions(-)
96946
96947commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
96948Merge: e32d904 cb77ead
96949Author: Brad Spengler <spender@grsecurity.net>
96950Date: Thu Aug 15 20:53:45 2013 -0400
96951
96952 Merge branch 'pax-test' into grsec-test
96953
96954 Conflicts:
96955 security/Kconfig
96956
96957commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
96958Merge: 13675b8 519be45
96959Author: Brad Spengler <spender@grsecurity.net>
96960Date: Thu Aug 15 20:50:47 2013 -0400
96961
96962 Update to pax-linux-3.10.7-test8.patch
96963
96964 Merge branch 'linux-3.10.y' into pax-test
96965
96966commit e32d904b87292288e74e2637b900fd1115687b8e
96967Author: Brad Spengler <spender@grsecurity.net>
96968Date: Sat Aug 10 09:41:40 2013 -0400
96969
96970 propagate the threadstack offset through to the topdown/bottomup allocators
96971 on sparc64 hugepages
96972
96973 arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
96974 1 files changed, 8 insertions(+), 4 deletions(-)
96975
96976commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
96977Author: Oleg Nesterov <oleg@redhat.com>
96978Date: Thu Aug 8 18:55:32 2013 +0200
96979
96980 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
96981
96982 another local DoS found in reaction to the one I reported,
96983 we don't allow unpriv user ns use so this doesn't matter much to us
96984
96985 userns: limit the maximum depth of user_namespace->parent chain
96986
96987 Ensure that user_namespace->parent chain can't grow too much.
96988 Currently we use the hardroded 32 as limit.
96989
96990 Reported-by: Andy Lutomirski <luto@amacapital.net>
96991 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
96992 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
96993
96994 include/linux/user_namespace.h | 1 +
96995 kernel/user_namespace.c | 4 ++++
96996 2 files changed, 5 insertions(+), 0 deletions(-)
96997
96998commit 223ac007ef18bf3a5095ba0a56675c1f16200149
96999Merge: 1c92de4 13675b8
97000Author: Brad Spengler <spender@grsecurity.net>
97001Date: Thu Aug 8 20:45:24 2013 -0400
97002
97003 Merge branch 'pax-test' into grsec-test
97004
97005 Conflicts:
97006 security/Kconfig
97007
97008commit 13675b848cf02bffd26924b2b84d927095bc253d
97009Author: Brad Spengler <spender@grsecurity.net>
97010Date: Thu Aug 8 20:43:52 2013 -0400
97011
97012 Update to pax-linux-3.10.5-test8.patch:
97013 - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
97014 - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
97015 - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>
97016
97017 arch/arm/include/asm/pgtable-2level.h | 4 +++-
97018 arch/arm/mm/proc-v7-2level.S | 3 ---
97019 arch/mips/mm/fault.c | 8 ++++++++
97020 arch/x86/include/asm/processor.h | 3 ++-
97021 include/linux/math64.h | 2 +-
97022 security/Kconfig | 2 --
97023 6 files changed, 14 insertions(+), 8 deletions(-)
97024
97025commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
97026Merge: e65aa3d 1660f49
97027Author: Brad Spengler <spender@grsecurity.net>
97028Date: Mon Aug 5 18:50:45 2013 -0400
97029
97030 Merge branch 'pax-test' into grsec-test
97031
97032commit 1660f496848b8400d263f7920989dae15e72185a
97033Merge: 7f91ba1 dc51cd2
97034Author: Brad Spengler <spender@grsecurity.net>
97035Date: Mon Aug 5 18:50:12 2013 -0400
97036
97037 Update to pax-linux-3.10.5-test7.patch
97038
97039 Merge branch 'linux-3.10.y' into pax-test
97040
97041 Conflicts:
97042 arch/x86/kernel/head_64.S
97043 mm/mempolicy.c
97044
97045commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
97046Author: Brad Spengler <spender@grsecurity.net>
97047Date: Mon Aug 5 17:58:42 2013 -0400
97048
97049 Disable RANDKSTACK for a VirtualBox host as mentioned on the
97050 gentoo-hardened bugzilla:
97051 https://bugs.gentoo.org/show_bug.cgi?id=382793
97052
97053 security/Kconfig | 2 +-
97054 1 files changed, 1 insertions(+), 1 deletions(-)
97055
97056commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
97057Author: Dan Carpenter <dan.carpenter@oracle.com>
97058Date: Tue Jul 30 13:23:39 2013 +0300
97059
97060 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
97061
97062 net_sched: info leak in atm_tc_dump_class()
97063
97064 The "pvc" struct has a hole after pvc.sap_family which is not cleared.
97065
97066 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
97067 Reviewed-by: Jiri Pirko <jiri@resnulli.us>
97068 Signed-off-by: David S. Miller <davem@davemloft.net>
97069
97070 net/sched/sch_atm.c | 1 +
97071 1 files changed, 1 insertions(+), 0 deletions(-)
97072
97073commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
97074Author: Daniel Borkmann <dborkman@redhat.com>
97075Date: Fri Aug 2 11:32:43 2013 +0200
97076
97077 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
97078
97079 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
97080
97081 Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
97082 resource that was allocated via inet_alloc_ifa() unfreed when returning
97083 the function with -EINVAL. Thus, free it first via inet_free_ifa().
97084
97085 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
97086 Reviewed-by: Jiri Pirko <jiri@resnulli.us>
97087 Signed-off-by: David S. Miller <davem@davemloft.net>
97088
97089 net/ipv4/devinet.c | 4 +++-
97090 1 files changed, 3 insertions(+), 1 deletions(-)
97091
97092commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
97093Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
97094Date: Fri Aug 2 23:15:56 2013 -0400
97095
97096 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
97097
97098 qlcnic: Free up memory in error path.
97099
97100 Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
97101 Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
97102 Signed-off-by: David S. Miller <davem@davemloft.net>
97103
97104 drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++---
97105 1 files changed, 3 insertions(+), 3 deletions(-)
97106
97107commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
97108Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
97109Date: Fri Aug 2 23:15:54 2013 -0400
97110
97111 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
97112
97113 qlcnic: Fix MAC address filter issue on 82xx adapter
97114
97115 Driver was passing the address of a pointer instead of
97116 the pointer itself.
97117
97118 Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
97119 Signed-off-by: David S. Miller <davem@davemloft.net>
97120
97121 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
97122 1 files changed, 1 insertions(+), 1 deletions(-)
97123
97124commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
97125Author: Brad Spengler <spender@grsecurity.net>
97126Date: Mon Aug 5 17:26:40 2013 -0400
97127
97128 Move user namespace capability check to shared create_user_ns code so we
97129 cover unshare() as well.
97130
97131 Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
97132 user namespaces!
97133
97134 kernel/fork.c | 17 -----------------
97135 kernel/user_namespace.c | 24 ++++++++++++++++++++++--
97136 2 files changed, 22 insertions(+), 19 deletions(-)
97137
97138commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
97139Author: Brad Spengler <spender@grsecurity.net>
97140Date: Mon Aug 5 16:05:41 2013 -0400
97141
97142 silence a warning on older gcc
97143
97144 grsecurity/gracl.c | 2 +-
97145 1 files changed, 1 insertions(+), 1 deletions(-)
97146
97147commit b8966a5d577e9220fbc63306eee978f819f24e2e
97148Author: Brad Spengler <spender@grsecurity.net>
97149Date: Sat Aug 3 08:31:08 2013 -0400
97150
97151 we only care about mmaps of the beginning of an ELF, filter out
97152 all others as suggested by pipacs
97153
97154 mm/mmap.c | 2 +-
97155 1 files changed, 1 insertions(+), 1 deletions(-)
97156
97157commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
97158Author: Brad Spengler <spender@grsecurity.net>
97159Date: Fri Aug 2 23:54:51 2013 -0400
97160
97161 add include
97162
97163 grsecurity/grsec_log.c | 1 +
97164 1 files changed, 1 insertions(+), 0 deletions(-)
97165
97166commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
97167Author: Brad Spengler <spender@grsecurity.net>
97168Date: Fri Aug 2 23:49:13 2013 -0400
97169
97170 fix compilation
97171
97172 include/linux/grinternal.h | 3 ++-
97173 1 files changed, 2 insertions(+), 1 deletions(-)
97174
97175commit 1704c23fdc55b68f512dc9927940e72237f3f43e
97176Author: Brad Spengler <spender@grsecurity.net>
97177Date: Fri Aug 2 23:34:35 2013 -0400
97178
97179 Improve PaX reporting (tells when anon mapping is stack or heap)
97180 Remove textrel logging option, combine into rwx logging option
97181 Enhance RWX logging option to display when PT_GNU_STACK-enabled library
97182 is loaded under an MPROTECTed binary
97183 Enhance RWX mprotect logging to display stack/heap instead of just
97184 anon mapping
97185
97186 fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
97187 fs/exec.c | 4 ++++
97188 grsecurity/Kconfig | 21 +++++----------------
97189 grsecurity/grsec_init.c | 4 ----
97190 grsecurity/grsec_log.c | 14 ++++++++++++++
97191 grsecurity/grsec_pax.c | 19 ++++++++++++++-----
97192 grsecurity/grsec_sysctl.c | 9 ---------
97193 include/linux/binfmts.h | 1 +
97194 include/linux/grinternal.h | 2 +-
97195 include/linux/grmsg.h | 3 ++-
97196 include/linux/grsecurity.h | 3 ++-
97197 mm/mmap.c | 7 +++++++
97198 mm/mprotect.c | 2 +-
97199 13 files changed, 88 insertions(+), 38 deletions(-)
97200
97201commit faf81c100c8565524e21c9af780a0ad2ce3fd925
97202Author: Brad Spengler <spender@grsecurity.net>
97203Date: Thu Aug 1 18:52:02 2013 -0400
97204
97205 add missing #define
97206
97207 grsecurity/gracl.c | 1 +
97208 1 files changed, 1 insertions(+), 0 deletions(-)
97209
97210commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
97211Author: Brad Spengler <spender@grsecurity.net>
97212Date: Thu Aug 1 18:43:53 2013 -0400
97213
97214 fix compilation for !COMPAT as reported on the forums
97215
97216 grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
97217 1 files changed, 97 insertions(+), 98 deletions(-)
97218
97219commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
97220Merge: 65019c9 7f91ba1
97221Author: Brad Spengler <spender@grsecurity.net>
97222Date: Wed Jul 31 17:47:31 2013 -0400
97223
97224 Merge branch 'pax-test' into grsec-test
97225
97226commit 65019c9bd05f860437071cbf00e2027fd2d68615
97227Author: Brad Spengler <spender@grsecurity.net>
97228Date: Wed Jul 31 17:47:20 2013 -0400
97229
97230 Revert "revert recent PaX change that causes boot failures with 32bit userland"
97231
97232 This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
97233
97234 arch/x86/include/asm/processor.h | 4 ++--
97235 arch/x86/kernel/cpu/common.c | 2 +-
97236 arch/x86/kernel/process_64.c | 2 +-
97237 arch/x86/kernel/smpboot.c | 2 +-
97238 arch/x86/xen/smp.c | 2 +-
97239 5 files changed, 6 insertions(+), 6 deletions(-)
97240
97241commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
97242Author: Brad Spengler <spender@grsecurity.net>
97243Date: Wed Jul 31 17:46:00 2013 -0400
97244
97245 Update to pax-linux-3.10.4-test7.patch:
97246 - added a few more missing format strings
97247 - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
97248 - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
97249 - fixed a UDEREF/i386 regression, __get_user_8 would always fail
97250
97251 arch/x86/include/asm/processor.h | 4 +-
97252 arch/x86/kernel/cpu/common.c | 2 +-
97253 arch/x86/kernel/dumpstack.c | 2 +-
97254 arch/x86/kernel/process_64.c | 2 +-
97255 arch/x86/kernel/reboot_fixups_32.c | 2 +-
97256 arch/x86/kernel/smpboot.c | 2 +-
97257 arch/x86/lib/getuser.S | 4 +-
97258 arch/x86/xen/smp.c | 2 +-
97259 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++--
97260 drivers/video/backlight/backlight.c | 2 +-
97261 drivers/video/backlight/lcd.c | 2 +-
97262 fs/binfmt_elf.c | 51 +++++++++++++++++++++++++---
97263 fs/exec.c | 50 +++++++++++++--------------
97264 include/linux/sched.h | 2 +
97265 14 files changed, 88 insertions(+), 47 deletions(-)
97266
97267commit 043130da54cb7cc8dc44e0ce889d426e889a0532
97268Author: Brad Spengler <spender@grsecurity.net>
97269Date: Wed Jul 31 16:26:58 2013 -0400
97270
97271 compile fix for !COMPAT as mentioned on forums
97272
97273 grsecurity/gracl.c | 2 ++
97274 1 files changed, 2 insertions(+), 0 deletions(-)
97275
97276commit ed0a195abd4e41c2449a020a53a19c74dc866d78
97277Author: Brad Spengler <spender@grsecurity.net>
97278Date: Tue Jul 30 22:33:14 2013 -0400
97279
97280 perform compat conversion of rlimit infinity
97281
97282 grsecurity/gracl_compat.c | 10 ++++++++--
97283 1 files changed, 8 insertions(+), 2 deletions(-)
97284
97285commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
97286Author: Brad Spengler <spender@grsecurity.net>
97287Date: Tue Jul 30 22:21:40 2013 -0400
97288
97289 remove debugging
97290
97291 grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
97292 1 files changed, 11 insertions(+), 33 deletions(-)
97293
97294commit e75b3f504692b97960a7530ad0855d91441d79c0
97295Author: Brad Spengler <spender@grsecurity.net>
97296Date: Tue Jul 30 22:20:32 2013 -0400
97297
97298 eliminate compat_dev_t
97299
97300 include/linux/gracl_compat.h | 4 ++--
97301 1 files changed, 2 insertions(+), 2 deletions(-)
97302
97303commit e5abbaf95313066a724e1a843d4fc902a9a6450e
97304Author: Brad Spengler <spender@grsecurity.net>
97305Date: Tue Jul 30 22:13:22 2013 -0400
97306
97307 fix compat rlimit size
97308
97309 grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
97310 include/linux/gracl_compat.h | 4 +-
97311 2 files changed, 49 insertions(+), 23 deletions(-)
97312
97313commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
97314Author: Brad Spengler <spender@grsecurity.net>
97315Date: Tue Jul 30 21:20:18 2013 -0400
97316
97317 compile fix
97318
97319 grsecurity/gracl.c | 4 ++--
97320 1 files changed, 2 insertions(+), 2 deletions(-)
97321
97322commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
97323Author: Brad Spengler <spender@grsecurity.net>
97324Date: Tue Jul 30 21:14:29 2013 -0400
97325
97326 copy correct pointer size in new compat code
97327
97328 grsecurity/gracl.c | 8 ++++----
97329 grsecurity/gracl_compat.c | 4 ++--
97330 2 files changed, 6 insertions(+), 6 deletions(-)
97331
97332commit 23278a1ee1c7738dd1e7005241394d32b82196e4
97333Author: Brad Spengler <spender@grsecurity.net>
97334Date: Tue Jul 30 19:48:58 2013 -0400
97335
97336 revert recent PaX change that causes boot failures with 32bit userland
97337
97338 arch/x86/include/asm/processor.h | 4 ++--
97339 arch/x86/kernel/cpu/common.c | 2 +-
97340 arch/x86/kernel/process_64.c | 2 +-
97341 arch/x86/kernel/smpboot.c | 2 +-
97342 arch/x86/xen/smp.c | 2 +-
97343 5 files changed, 6 insertions(+), 6 deletions(-)
97344
97345commit ec27f71a813656fea8ab37faecb2b485fe99d08e
97346Merge: 3a11bcf 05f0a61
97347Author: Brad Spengler <spender@grsecurity.net>
97348Date: Tue Jul 30 19:42:21 2013 -0400
97349
97350 Merge branch 'pax-test' into grsec-test
97351
97352commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
97353Author: Brad Spengler <spender@grsecurity.net>
97354Date: Tue Jul 30 19:41:44 2013 -0400
97355
97356 Update to pax-linux-3.10.4-test6.patch:
97357 - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender
97358
97359 include/linux/syscalls.h | 8 ++++++--
97360 1 files changed, 6 insertions(+), 2 deletions(-)
97361
97362commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
97363Author: Brad Spengler <spender@grsecurity.net>
97364Date: Tue Jul 30 19:15:50 2013 -0400
97365
97366 compile fix
97367
97368 grsecurity/gracl_compat.c | 6 ++++++
97369 1 files changed, 6 insertions(+), 0 deletions(-)
97370
97371commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
97372Author: Brad Spengler <spender@grsecurity.net>
97373Date: Tue Jul 30 19:12:46 2013 -0400
97374
97375 remove BUILD_BUG_ONs
97376
97377 grsecurity/gracl_compat.c | 20 --------------------
97378 1 files changed, 0 insertions(+), 20 deletions(-)
97379
97380commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
97381Author: Brad Spengler <spender@grsecurity.net>
97382Date: Tue Jul 30 00:18:36 2013 -0400
97383
97384 compile fixes
97385
97386 grsecurity/gracl_compat.c | 8 ++++----
97387 include/linux/gracl_compat.h | 2 +-
97388 2 files changed, 5 insertions(+), 5 deletions(-)
97389
97390commit 8b744005f8bae565e24c1fd88af77e6e619b9434
97391Author: Brad Spengler <spender@grsecurity.net>
97392Date: Tue Jul 30 00:16:42 2013 -0400
97393
97394 compile fixes
97395
97396 grsecurity/gracl.c | 4 ++--
97397 grsecurity/gracl_compat.c | 2 +-
97398 2 files changed, 3 insertions(+), 3 deletions(-)
97399
97400commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
97401Author: Brad Spengler <spender@grsecurity.net>
97402Date: Tue Jul 30 00:13:51 2013 -0400
97403
97404 compile fixes
97405
97406 grsecurity/gracl.c | 8 ++++----
97407 1 files changed, 4 insertions(+), 4 deletions(-)
97408
97409commit b93b829afcc98b6108b18d99ff63c53642d0b951
97410Author: Brad Spengler <spender@grsecurity.net>
97411Date: Tue Jul 30 00:11:03 2013 -0400
97412
97413 compile fixes
97414
97415 grsecurity/gracl_compat.c | 3 +++
97416 1 files changed, 3 insertions(+), 0 deletions(-)
97417
97418commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
97419Author: Brad Spengler <spender@grsecurity.net>
97420Date: Tue Jul 30 00:08:21 2013 -0400
97421
97422 more compile fixes
97423
97424 grsecurity/gracl.c | 28 ++++++++++++++--------------
97425 1 files changed, 14 insertions(+), 14 deletions(-)
97426
97427commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
97428Author: Brad Spengler <spender@grsecurity.net>
97429Date: Mon Jul 29 23:59:50 2013 -0400
97430
97431 more compile fixes
97432
97433 grsecurity/gracl.c | 10 +++++++++-
97434 1 files changed, 9 insertions(+), 1 deletions(-)
97435
97436commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
97437Author: Brad Spengler <spender@grsecurity.net>
97438Date: Mon Jul 29 23:56:47 2013 -0400
97439
97440 additional compile fixes
97441
97442 grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
97443 1 files changed, 49 insertions(+), 10 deletions(-)
97444
97445commit ac695a081d1124fb28bec46814535d34c5e40611
97446Author: Brad Spengler <spender@grsecurity.net>
97447Date: Mon Jul 29 23:47:15 2013 -0400
97448
97449 fix typo
97450
97451 grsecurity/gracl.c | 2 +-
97452 1 files changed, 1 insertions(+), 1 deletions(-)
97453
97454commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
97455Author: Brad Spengler <spender@grsecurity.net>
97456Date: Mon Jul 29 23:46:59 2013 -0400
97457
97458 compile fixes
97459
97460 grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
97461 1 files changed, 39 insertions(+), 14 deletions(-)
97462
97463commit 82631f451cc7432b6c5578cf8d24155473feb25c
97464Author: Brad Spengler <spender@grsecurity.net>
97465Date: Mon Jul 29 23:22:44 2013 -0400
97466
97467 Initial commit of compat RBAC loading
97468 Permits 32bit gradm to load policy for a 64bit kernel
97469
97470 Also removed code duplication for copying strings into the kernel
97471
97472 Work performed as part of sponsorship
97473
97474 grsecurity/Makefile | 4 +
97475 grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
97476 grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
97477 include/linux/gracl_compat.h | 156 +++++++++++++++++++++
97478 4 files changed, 603 insertions(+), 142 deletions(-)
97479
97480commit 84c4a433dfb096e4a1162ee5e68025122c70b421
97481Merge: c9d3ed3 9fe5897
97482Author: Brad Spengler <spender@grsecurity.net>
97483Date: Mon Jul 29 17:08:56 2013 -0400
97484
97485 Merge branch 'pax-test' into grsec-test
97486
97487commit 9fe58978938e357642885866ca48090a7753d403
97488Merge: 8f693ad 6f7bb6b
97489Author: Brad Spengler <spender@grsecurity.net>
97490Date: Mon Jul 29 17:08:43 2013 -0400
97491
97492 Merge branch 'linux-3.10.y' into pax-test
97493
97494commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
97495Merge: d5e5bfd 8f693ad
97496Author: Brad Spengler <spender@grsecurity.net>
97497Date: Sun Jul 28 10:03:08 2013 -0400
97498
97499 Merge branch 'pax-test' into grsec-test
97500
97501commit 8f693ade9b3e448f92706d34148b00a087637f70
97502Author: Brad Spengler <spender@grsecurity.net>
97503Date: Sun Jul 28 10:02:16 2013 -0400
97504
97505 Update to pax-linux-3.10.3-test5.patch:
97506 - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
97507 - fixed handling of faulting userland accesses for UDEREF/arm, from spender
97508 - updated the size overflow hash table, from Emese
97509
97510 arch/arm/kernel/entry-armv.S | 3 +-
97511 arch/x86/include/asm/processor.h | 4 +-
97512 arch/x86/kernel/cpu/common.c | 2 +-
97513 arch/x86/kernel/process_64.c | 2 +-
97514 arch/x86/kernel/smpboot.c | 2 +-
97515 arch/x86/xen/smp.c | 2 +-
97516 tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++----
97517 7 files changed, 513 insertions(+), 55 deletions(-)
97518
97519commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
97520Merge: 19e077b 8a8a0d0
97521Author: Brad Spengler <spender@grsecurity.net>
97522Date: Thu Jul 25 21:05:18 2013 -0400
97523
97524 Merge branch 'pax-test' into grsec-test
97525
97526commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
97527Author: Brad Spengler <spender@grsecurity.net>
97528Date: Thu Jul 25 21:04:09 2013 -0400
97529
97530 Update to pax-linux-3.10.3-test4.patch:
97531 - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
97532 this is finer grained sanitization than the existing per-page based approach (which
97533 is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
97534 line option can be used to enable/disable it on boot (it's enabled by default when
97535 CONFIG_PAX_MEMORY_SANITIZE is enabled).
97536
97537 Documentation/kernel-parameters.txt | 4 ++++
97538 fs/buffer.c | 2 +-
97539 fs/dcache.c | 3 ++-
97540 include/linux/slab.h | 7 +++++++
97541 include/linux/slab_def.h | 4 ++++
97542 kernel/fork.c | 2 +-
97543 mm/rmap.c | 6 ++++--
97544 mm/slab.c | 27 +++++++++++++++++++++++++++
97545 mm/slab.h | 12 +++++++++++-
97546 mm/slab_common.c | 14 ++++++++++++++
97547 mm/slob.c | 5 +++++
97548 mm/slub.c | 11 +++++++++++
97549 net/core/skbuff.c | 6 ++++--
97550 security/Kconfig | 23 +++++++++++++++++------
97551 14 files changed, 112 insertions(+), 14 deletions(-)
97552
97553commit 19e077bfff54ca211d0142c07cb6dd88069a390c
97554Merge: 960ec51 c8f7f51
97555Author: Brad Spengler <spender@grsecurity.net>
97556Date: Thu Jul 25 19:53:34 2013 -0400
97557
97558 Merge branch 'pax-test' into grsec-test
97559
97560commit c8f7f51591207b82530214300e86277028919286
97561Merge: d5142e3 81a4648
97562Author: Brad Spengler <spender@grsecurity.net>
97563Date: Thu Jul 25 19:52:29 2013 -0400
97564
97565 Update to pax-linux-3.10.3-test3.patch:
97566 - fixed some compile issues reported by Michael Tremer and spender
97567 - fixed an i386 regression with the lower address space gap on i386, reported by cnu
97568
97569 Merge branch 'linux-3.10.y' into pax-test
97570
97571 Conflicts:
97572 kernel/time/tick-broadcast.c
97573
97574commit 960ec51ab2142544fbae563d4fd5744775408965
97575Author: Al Viro <viro@zeniv.linux.org.uk>
97576Date: Sat Jul 20 03:13:55 2013 +0400
97577
97578 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
97579
97580 livelock avoidance in sget()
97581
97582 Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
97583 to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
97584 ->s_active is 1. Along comes two more processes, trying to mount the same
97585 thing; sget() in each is picking that superblock, bumping ->s_count and
97586 trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
97587 finally gets to deactivate_locked_super() on failure; ->s_active is 2,
97588 superblock is still ->fs_supers because shutdown will *not* happen until
97589 ->s_active hits 0. ->s_umount is dropped and now we have two processes
97590 chasing each other:
97591 s_active = 2, A acquired ->s_umount, B blocked
97592 A sees that the damn thing is stillborn, does deactivate_locked_super()
97593 s_active = 1, A drops ->s_umount, B gets it
97594 A restarts the search and finds the same superblock. And bumps it ->s_active.
97595 s_active = 2, B holds ->s_umount, A blocked on trying to get it
97596 ... and we are in the earlier situation with A and B switched places.
97597
97598 The root cause, of course, is that ->s_active should not grow until we'd
97599 got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
97600 shut the damn thing down. Fortunately, it's easy to do - the key point
97601 is that grab_super() is called only for superblocks currently on ->fs_supers,
97602 so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
97603 bump ->s_active; we must never increment ->s_count for superblocks past
97604 ->kill_sb(), but grab_super() is never called for those.
97605
97606 The bug is pretty old; we would've caught it by now, if not for accidental
97607 exclusion between sget() for block filesystems; the things like cgroup or
97608 e.g. mtd-based filesystems don't have anything of that sort, so they get
97609 bitten. The right way to deal with that is obviously to fix sget()...
97610
97611 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
97612
97613 fs/super.c | 25 ++++++++++---------------
97614 1 files changed, 10 insertions(+), 15 deletions(-)
97615
97616commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
97617Merge: ab95b58 d5142e3
97618Author: Brad Spengler <spender@grsecurity.net>
97619Date: Sun Jul 21 22:47:46 2013 -0400
97620
97621 Merge branch 'pax-test' into grsec-test
97622
97623commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
97624Merge: f36ae8c 0f4a56e
97625Author: Brad Spengler <spender@grsecurity.net>
97626Date: Sun Jul 21 22:47:34 2013 -0400
97627
97628 Merge branch 'linux-3.10.y' into pax-test
97629
97630commit ab95b5842899d61ff5c30f4582e72029b3155be8
97631Author: Brad Spengler <spender@grsecurity.net>
97632Date: Sun Jul 21 22:28:40 2013 -0400
97633
97634 compile fix with constification reported by Michael Tremer
97635
97636 drivers/gpu/host1x/drm/dc.c | 2 +-
97637 1 files changed, 1 insertions(+), 1 deletions(-)
97638
97639commit 817cd2d1e7a55720326599dd8f542578eef30927
97640Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
97641Date: Fri Jul 12 23:46:33 2013 +0200
97642
97643 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
97644
97645 ipv6: only static routes qualify for equal cost multipathing
97646
97647 Static routes in this case are non-expiring routes which did not get
97648 configured by autoconf or by icmpv6 redirects.
97649
97650 To make sure we actually get an ecmp route while searching for the first
97651 one in this fib6_node's leafs, also make sure it matches the ecmp route
97652 assumptions.
97653
97654 v2:
97655 a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
97656 already ensures that this route, even if added again without
97657 RTF_EXPIRES (in case of a RA announcement with infinite timeout),
97658 does not cause the rt6i_nsiblings logic to go wrong if a later RA
97659 updates the expiration time later.
97660
97661 v3:
97662 a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
97663 because an pmtu event could update the RTF_EXPIRES flag and we would
97664 not count this route, if another route joins this set. We now filter
97665 only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
97666 don't get changed after rt6_info construction.
97667
97668 Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
97669 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
97670 Signed-off-by: David S. Miller <davem@davemloft.net>
97671
97672 net/ipv6/ip6_fib.c | 15 +++++++++++----
97673 1 files changed, 11 insertions(+), 4 deletions(-)
97674
97675commit 77db8196d51b043e2e2d124094da101b0f01bccb
97676Author: Dan Carpenter <dan.carpenter@oracle.com>
97677Date: Fri Jul 12 09:39:03 2013 +0300
97678
97679 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
97680
97681 svcrdma: underflow issue in decode_write_list()
97682
97683 My static checker marks everything from ntohl() as untrusted and it
97684 complains we could have an underflow problem doing:
97685
97686 return (u32 *)&ary->wc_array[nchunks];
97687
97688 Also on 32 bit systems the upper bound check could overflow.
97689
97690 Cc: stable@vger.kernel.org
97691 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
97692 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
97693
97694 net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
97695 1 files changed, 14 insertions(+), 6 deletions(-)
97696
97697commit 926473317fd7953137ef97835edd36dabc584b01
97698Author: Brad Spengler <spender@grsecurity.net>
97699Date: Wed Jul 17 21:29:02 2013 -0400
97700
97701 add missing asm/pgtable.h include, reported by Michael Tremer
97702
97703 drivers/clk/socfpga/clk.c | 1 +
97704 1 files changed, 1 insertions(+), 0 deletions(-)
97705
97706commit c592ae0001b31932ef1491784dfa374058797c66
97707Author: Brad Spengler <spender@grsecurity.net>
97708Date: Tue Jul 16 20:40:24 2013 -0400
97709
97710 allow viewing of ecryptfs version under SYSFS_RESTRICT
97711
97712 fs/sysfs/dir.c | 2 +-
97713 1 files changed, 1 insertions(+), 1 deletions(-)
97714
97715commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
97716Merge: 9c96441 f36ae8c
97717Author: Brad Spengler <spender@grsecurity.net>
97718Date: Sun Jul 14 19:23:13 2013 -0400
97719
97720 Merge branch 'pax-test' into grsec-test
97721
97722commit f36ae8c741ae32b1caff10825be12c327792c925
97723Author: Brad Spengler <spender@grsecurity.net>
97724Date: Sun Jul 14 19:22:15 2013 -0400
97725
97726 Update to pax-linux-3.10-test2.patch:
97727 - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
97728 - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
97729 - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
97730 - spender fixed an madvise regression, reported by Peter Keel
97731 - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
97732 - fixed a headers_install regression, reported by Mathias Krause
97733 - fixed a SLOB compile regression, reported by Mathias Krause
97734
97735 arch/arm/include/asm/uaccess.h | 4 ++--
97736 arch/arm/mm/mmu.c | 15 +++++++++++++--
97737 drivers/clk/socfpga/clk.c | 6 ++++--
97738 mm/madvise.c | 4 ++--
97739 mm/slab.c | 4 ++--
97740 mm/slob.c | 4 ++--
97741 scripts/headers_install.sh | 2 +-
97742 7 files changed, 26 insertions(+), 13 deletions(-)
97743
97744commit 9c9644156a49637050741d9165df79174e59b0ef
97745Author: Brad Spengler <spender@grsecurity.net>
97746Date: Sun Jul 14 19:19:54 2013 -0400
97747
97748 Fix sparc64 compilation, reported by Blake Self
97749
97750 arch/sparc/kernel/sys_sparc_64.c | 4 ++--
97751 1 files changed, 2 insertions(+), 2 deletions(-)
97752
97753commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
97754Author: Brad Spengler <spender@grsecurity.net>
97755Date: Sun Jul 14 11:49:17 2013 -0400
97756
97757 Update PaX fix, just return the error
97758
97759 mm/madvise.c | 15 +++++++--------
97760 1 files changed, 7 insertions(+), 8 deletions(-)
97761
97762commit a10e377d0eddd37e8a3665b135e546ab03d9d171
97763Author: Brad Spengler <spender@grsecurity.net>
97764Date: Sun Jul 14 11:36:00 2013 -0400
97765
97766 Fix madvise oops reported by Peter Keel
97767
97768 mm/madvise.c | 11 ++++++-----
97769 1 files changed, 6 insertions(+), 5 deletions(-)
97770
97771commit 08c5adca34d408772255b313f90d82c250c1d967
97772Author: Brad Spengler <spender@grsecurity.net>
97773Date: Sun Jul 14 11:26:34 2013 -0400
97774
97775 don't make high vector mapping non-present on old ARM architectures, no
97776 point in emulating some vector entries when the processor doesn't even support XN
97777
97778 arch/arm/mm/mmu.c | 7 +++++--
97779 1 files changed, 5 insertions(+), 2 deletions(-)
97780
97781commit 2b40781d4197a89a003616af584884e36361c5b2
97782Author: Brad Spengler <spender@grsecurity.net>
97783Date: Sun Jul 14 09:51:58 2013 -0400
97784
97785 Temporary compile fix for code incorrectly modifying const data
97786 Wrap a cast version of the code with open/close
97787
97788 Thanks to Michael Tremer for the report
97789
97790 drivers/clk/socfpga/clk.c | 6 ++++--
97791 1 files changed, 4 insertions(+), 2 deletions(-)
97792
97793commit a8258c1b4098c396cd4ea719e20858182feac1c1
97794Author: Brad Spengler <spender@grsecurity.net>
97795Date: Sun Jul 14 09:41:16 2013 -0400
97796
97797 Fix missing right parens in pipacs' "improvement" of my ARM code ;)
97798 Thanks to Michael Tremer for reporting
97799
97800 arch/arm/include/asm/uaccess.h | 4 ++--
97801 1 files changed, 2 insertions(+), 2 deletions(-)
97802
97803commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
97804Merge: 86f446e 2577f8e
97805Author: Brad Spengler <spender@grsecurity.net>
97806Date: Sat Jul 13 20:46:58 2013 -0400
97807
97808 Merge branch 'pax-test' into grsec-test
97809
97810 Conflicts:
97811 mm/memcontrol.c
97812
97813commit 2577f8e4ec41efb347706a59c6838de20f0c90da
97814Merge: 75a36f0 cb5d8be
97815Author: Brad Spengler <spender@grsecurity.net>
97816Date: Sat Jul 13 20:43:42 2013 -0400
97817
97818 Merge branch 'linux-3.10.y' into pax-test
97819
97820 Conflicts:
97821 crypto/algapi.c
97822 drivers/block/nbd.c
97823
97824commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
97825Author: Brad Spengler <spender@grsecurity.net>
97826Date: Fri Jul 12 23:02:11 2013 -0400
97827
97828 we always want the vector page to be noaccess for userland
97829 therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
97830 which turns into supervisor rwx, userland rx, we instead omit that entirely,
97831 leaving it as supervisor rwx only
97832
97833 Fixes booting on ARMv5 and earlier, which need to write directly
97834 to the high vector mapping via set_tls when context switching
97835
97836 Thanks to Michael Tremer for the bugreport
97837
97838 arch/arm/mm/mmu.c | 12 ++++++++++--
97839 1 files changed, 10 insertions(+), 2 deletions(-)
97840
97841commit 90cd0827eef656ec884f19c977873fefe2f2e47d
97842Author: Cong Wang <amwang@redhat.com>
97843Date: Sat Jun 29 12:02:59 2013 +0800
97844
97845 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
97846
97847 gre: fix a regression in ioctl
97848
97849 When testing GRE tunnel, I got:
97850
97851 # ip tunnel show
97852 get tunnel gre0 failed: Invalid argument
97853 get tunnel gre1 failed: Invalid argument
97854
97855 This is a regression introduced by commit c54419321455631079c7d
97856 ("GRE: Refactor GRE tunneling code.") because previously we
97857 only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
97858 after that commit, the check is moved for all commands.
97859
97860 So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
97861
97862 After this patch I got:
97863
97864 # ip tunnel show
97865 gre0: gre/ip remote any local any ttl inherit nopmtudisc
97866 gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit
97867
97868 Cc: Pravin B Shelar <pshelar@nicira.com>
97869 Cc: "David S. Miller" <davem@davemloft.net>
97870 Signed-off-by: Cong Wang <amwang@redhat.com>
97871 Signed-off-by: David S. Miller <davem@davemloft.net>
97872
97873 net/ipv4/ip_gre.c | 9 +++++----
97874 1 files changed, 5 insertions(+), 4 deletions(-)
97875
97876commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
97877Author: Cong Wang <amwang@redhat.com>
97878Date: Sat Jun 29 13:00:57 2013 +0800
97879
97880 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
97881
97882 vti: remove duplicated code to fix a memory leak
97883
97884 vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
97885 and in vti_tunnel_init(), this lead to a memory leak of
97886 dev->tstats.
97887
97888 Just remove the duplicated operations in vti_fb_tunnel_init().
97889
97890 (candidate for -stable)
97891
97892 Cc: Stephen Hemminger <stephen@networkplumber.org>
97893 Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
97894 Cc: "David S. Miller" <davem@davemloft.net>
97895 Signed-off-by: Cong Wang <amwang@redhat.com>
97896 Acked-by: Stephen Hemminger <stephen@networkplumber.org>
97897 Signed-off-by: David S. Miller <davem@davemloft.net>
97898
97899 net/ipv4/ip_vti.c | 7 -------
97900 1 files changed, 0 insertions(+), 7 deletions(-)
97901
97902commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
97903Author: Michal Schmidt <mschmidt@redhat.com>
97904Date: Mon Jul 1 17:23:05 2013 +0200
97905
97906 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
97907
97908 bnx2x: remove zeroing of dump data buffer
97909
97910 There is no need to initialize the dump data with zeros.
97911 data is allocated with vzalloc, so it's already zero-filled.
97912
97913 More importantly, the memset is harmful, because dump->len (the length
97914 requested by userspace) can be bigger than the allocated buffer (whose
97915 size is determined by asking the driver's .get_dump_flag method).
97916
97917 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
97918 Signed-off-by: David S. Miller <davem@davemloft.net>
97919
97920 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 --
97921 1 files changed, 0 insertions(+), 2 deletions(-)
97922
97923commit c771072b72c261f9bddd6734dca6979c1b96e7df
97924Author: Michal Schmidt <mschmidt@redhat.com>
97925Date: Mon Jul 1 17:23:06 2013 +0200
97926
97927 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
97928
97929 bnx2x: fix dump flag handling
97930
97931 bnx2x interprets the dump flag as an index of a register preset.
97932 It is important to validate the index to avoid out of bounds
97933 memory accesses.
97934
97935 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
97936 Signed-off-by: David S. Miller <davem@davemloft.net>
97937
97938 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++
97939 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++
97940 2 files changed, 5 insertions(+), 0 deletions(-)
97941
97942commit aed315c8fad9b2044143b46b239574b1b72135ce
97943Author: Michal Schmidt <mschmidt@redhat.com>
97944Date: Mon Jul 1 17:23:30 2013 +0200
97945
97946 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
97947
97948 ethtool: make .get_dump_data() harder to misuse by drivers
97949
97950 As the patch "bnx2x: remove zeroing of dump data buffer" showed,
97951 it is too easy implement .get_dump_data incorrectly in a driver.
97952
97953 Let's make sure drivers cannot get confused by userspace requesting
97954 a too big dump.
97955
97956 Also WARN if the driver sets dump->len to something weird and make
97957 sure the length reported to userspace is the actual length of data
97958 copied to userspace.
97959
97960 Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
97961 Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
97962 Signed-off-by: David S. Miller <davem@davemloft.net>
97963
97964 net/core/ethtool.c | 21 ++++++++++++++++++++-
97965 1 files changed, 20 insertions(+), 1 deletions(-)
97966
97967commit 5c57991e66216e386dcc875d34c33f0edd038569
97968Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
97969Date: Tue Jul 2 09:02:07 2013 +0800
97970
97971 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
97972
97973 l2tp: add missing .owner to struct pppox_proto
97974
97975 Add missing .owner of struct pppox_proto. This prevents the
97976 module from being removed from underneath its users.
97977
97978 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
97979 Signed-off-by: David S. Miller <davem@davemloft.net>
97980
97981 net/l2tp/l2tp_ppp.c | 3 ++-
97982 1 files changed, 2 insertions(+), 1 deletions(-)
97983
97984commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
97985Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
97986Date: Sun Jun 30 14:37:11 2013 +1000
97987
97988 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
97989
97990 cxgb3: Missing rtnl lock in error recovery
97991
97992 When exercising error injection on IBM pseries machine, I hit the
97993 following warning:
97994
97995 [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
97996 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
97997 [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
97998 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
97999 [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
98000 [ 254.895474] Call Trace:
98001 [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
98002 [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
98003 [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
98004 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
98005 [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
98006 [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
98007 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
98008 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
98009 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
98010 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
98011 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
98012
98013 It appears that t3_resume_ports() is called with the rtnl_lock held from
98014 the fatal error task but not from the PCI error callbacks. This fixes it.
98015
98016 Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
98017 Signed-off-by: David S. Miller <davem@davemloft.net>
98018
98019 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
98020 1 files changed, 2 insertions(+), 0 deletions(-)
98021
98022commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
98023Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
98024Date: Mon Jul 1 20:21:30 2013 +0200
98025
98026 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
98027
98028 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
98029
98030 We accidentally call down to ip6_push_pending_frames when uncorking
98031 pending AF_INET data on a ipv6 socket. This results in the following
98032 splat (from Dave Jones):
98033
98034 skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
98035 ------------[ cut here ]------------
98036 kernel BUG at net/core/skbuff.c:126!
98037 invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
98038 Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
98039 +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
98040 CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
98041 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
98042 RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
98043 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
98044 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
98045 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
98046 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
98047 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
98048 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
98049 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
98050 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
98051 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
98052 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
98053 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
98054 Stack:
98055 ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
98056 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
98057 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
98058 Call Trace:
98059 [<ffffffff8159a9aa>] skb_push+0x3a/0x40
98060 [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
98061 [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
98062 [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
98063 [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
98064 [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
98065 [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
98066 [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
98067 [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
98068 [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
98069 [<ffffffff816f5d54>] tracesys+0xdd/0xe2
98070 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
98071 RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
98072 RSP <ffff8801e6431de8>
98073
98074 This patch adds a check if the pending data is of address family AF_INET
98075 and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
98076 if that is the case.
98077
98078 This bug was found by Dave Jones with trinity.
98079
98080 (Also move the initialization of fl6 below the AF_INET check, even if
98081 not strictly necessary.)
98082
98083 Cc: Dave Jones <davej@redhat.com>
98084 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
98085 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
98086 Signed-off-by: David S. Miller <davem@davemloft.net>
98087
98088 include/net/udp.h | 1 +
98089 net/ipv4/udp.c | 3 ++-
98090 net/ipv6/udp.c | 7 ++++++-
98091 3 files changed, 9 insertions(+), 2 deletions(-)
98092
98093commit cd83094a85d9bbd5a67332156407d53cf8835432
98094Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
98095Date: Tue Jul 2 08:04:05 2013 +0200
98096
98097 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
98098
98099 ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
98100
98101 If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
98102 of this when appending the second frame on a corked socket. This results
98103 in the following splat:
98104
98105 [37598.993962] ------------[ cut here ]------------
98106 [37598.994008] kernel BUG at net/core/skbuff.c:2064!
98107 [37598.994008] invalid opcode: 0000 [#1] SMP
98108 [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
98109 +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
98110 +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
98111 [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
98112 +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
98113 [37598.994008] CPU 0
98114 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
98115 [37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
98116 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
98117 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
98118 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
98119 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
98120 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
98121 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
98122 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
98123 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
98124 [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
98125 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
98126 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
98127 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
98128 [37598.994008] Stack:
98129 [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
98130 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
98131 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
98132 [37598.994008] Call Trace:
98133 [37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
98134 [37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
98135 [37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
98136 [37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
98137 [37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
98138 [37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
98139 [37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
98140 [37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
98141 [37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
98142 [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
98143 [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
98144 [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
98145 [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
98146 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
98147 [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
98148 [37598.994008] RSP <ffff88003670da18>
98149 [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
98150
98151 While there, also check if path mtu discovery is activated for this
98152 socket. The logic was adapted from ip6_append_data when first writing
98153 on the corked socket.
98154
98155 This bug was introduced with commit
98156 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
98157 fragment").
98158
98159 v2:
98160 a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
98161 b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
98162 feng, thanks!).
98163 c) Change mtu to unsigned int, else we get a warning about
98164 non-matching types because of the min()-macro type-check.
98165
98166 Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
98167 Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
98168 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
98169 Signed-off-by: David S. Miller <davem@davemloft.net>
98170
98171 net/ipv6/ip6_output.c | 16 ++++++++++------
98172 1 files changed, 10 insertions(+), 6 deletions(-)
98173
98174commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
98175Author: Michael S. Tsirkin <mst@redhat.com>
98176Date: Sun Jul 7 14:26:53 2013 +0300
98177
98178 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
98179
98180 vhost-net: fix use-after-free in vhost_net_flush
98181
98182 vhost_net_ubuf_put_and_wait has a confusing name:
98183 it will actually also free it's argument.
98184 Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
98185 "vhost-net: flush outstanding DMAs on memory change"
98186 vhost_net_flush tries to use the argument after passing it
98187 to vhost_net_ubuf_put_and_wait, this results
98188 in use after free.
98189 To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
98190 add an new API for callers that want to free ubufs.
98191
98192 Acked-by: Asias He <asias@redhat.com>
98193 Acked-by: Jason Wang <jasowang@redhat.com>
98194 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
98195 Signed-off-by: David S. Miller <davem@davemloft.net>
98196
98197 drivers/vhost/net.c | 9 +++++++--
98198 1 files changed, 7 insertions(+), 2 deletions(-)
98199
98200commit 088806db74ac2f08c106202bc5498585a9ee529f
98201Author: Michal Hocko <mhocko@suse.cz>
98202Date: Mon Jul 8 16:00:29 2013 -0700
98203
98204 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
98205
98206 memcg, kmem: fix reference count handling on the error path
98207
98208 mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
98209 This is not correct because only memcg_propagate_kmem takes an
98210 additional reference while mem_cgroup_sockets_init is allowed to fail as
98211 well (although no current implementation fails) but it doesn't take any
98212 reference. This all suggests that it should be memcg_propagate_kmem
98213 that should clean up after itself so this patch moves mem_cgroup_put
98214 over there.
98215
98216 Unfortunately this is not that easy (as pointed out by Li Zefan) because
98217 memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
98218 marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
98219 memcg_propagate_kmem fails so the additional reference is dropped in
98220 that case in kmem_cgroup_destroy which means that the reference would be
98221 dropped two times.
98222
98223 The easiest way then would be to simply remove mem_cgrroup_put from
98224 mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
98225 thing.
98226
98227 Signed-off-by: Michal Hocko <mhocko@suse.cz>
98228 Signed-off-by: Li Zefan <lizefan@huawei.com>
98229 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
98230 Cc: Hugh Dickins <hughd@google.com>
98231 Cc: Tejun Heo <tj@kernel.org>
98232 Cc: Glauber Costa <glommer@openvz.org>
98233 Cc: Johannes Weiner <hannes@cmpxchg.org>
98234 Cc: <stable@vger.kernel.org> [3.8]
98235 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
98236 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
98237
98238 mm/memcontrol.c | 8 --------
98239 1 files changed, 0 insertions(+), 8 deletions(-)
98240
98241commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
98242Author: Michal Hocko <mhocko@suse.cz>
98243Date: Mon Jul 8 16:00:27 2013 -0700
98244
98245 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
98246
98247 Revert "memcg: avoid dangling reference count in creation failure"
98248
98249 This reverts commit e4715f01be697a.
98250
98251 mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
98252 an additional reference from all parents so the additional
98253 mem_cgrroup_put(parent) potentially causes use-after-free.
98254
98255 Signed-off-by: Michal Hocko <mhocko@suse.cz>
98256 Signed-off-by: Li Zefan <lizefan@huawei.com>
98257 Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
98258 Cc: Hugh Dickins <hughd@google.com>
98259 Cc: Tejun Heo <tj@kernel.org>
98260 Cc: Glauber Costa <glommer@openvz.org>
98261 Cc: Johannes Weiner <hannes@cmpxchg.org>
98262 Cc: <stable@vger.kernel.org> [3.9+]
98263 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
98264 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
98265
98266 mm/memcontrol.c | 2 --
98267 1 files changed, 0 insertions(+), 2 deletions(-)
98268
98269commit 3267ec559f48327a1836eccecd53215afc5810d0
98270Author: Tyler Hicks <tyhicks@canonical.com>
98271Date: Thu Jun 20 13:13:59 2013 -0700
98272
98273 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
98274
98275 libceph: Fix NULL pointer dereference in auth client code
98276
98277 A malicious monitor can craft an auth reply message that could cause a
98278 NULL function pointer dereference in the client's kernel.
98279
98280 To prevent this, the auth_none protocol handler needs an empty
98281 ceph_auth_client_ops->build_request() function.
98282
98283 CVE-2013-1059
98284
98285 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
98286 Reported-by: Chanam Park <chanam.park@hkpco.kr>
98287 Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
98288 Reviewed-by: Sage Weil <sage@inktank.com>
98289 Cc: stable@vger.kernel.org
98290
98291 net/ceph/auth_none.c | 6 ++++++
98292 1 files changed, 6 insertions(+), 0 deletions(-)
98293
98294commit cdfeb4049e7cb38702215b2c356ce0407974ac79
98295Author: Eric Paris <eparis@redhat.com>
98296Date: Wed Jul 3 15:08:29 2013 -0700
98297
98298 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
98299
98300 fork: reorder permissions when violating number of processes limits
98301
98302 When a task is attempting to violate the RLIMIT_NPROC limit we have a
98303 check to see if the task is sufficiently priviledged. The check first
98304 looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
98305
98306 A result is that tasks which are allowed by the uid=0 check are first
98307 checked against the security subsystem. This results in the security
98308 subsystem auditting a denial for sys_admin and sys_resource and then the
98309 task passing the uid=0 check.
98310
98311 This patch rearranges the code to first check uid=0, since if we pass that
98312 we shouldn't hit the security system at all. We then check sys_resource,
98313 since it is the smallest capability which will solve the problem. Lastly
98314 we check the fallback everything cap_sysadmin. We don't want to give this
98315 capability many places since it is so powerful.
98316
98317 This will eliminate many of the false positive/needless denial messages we
98318 get when a root task tries to violate the nproc limit. (note that
98319 kthreads count against root, so on a sufficiently large machine we can
98320 actually get past the default limits before any userspace tasks are
98321 launched.)
98322
98323 Signed-off-by: Eric Paris <eparis@redhat.com>
98324 Cc: Al Viro <viro@zeniv.linux.org.uk>
98325 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
98326 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
98327
98328 kernel/fork.c | 4 ++--
98329 1 files changed, 2 insertions(+), 2 deletions(-)
98330
98331commit 08c87e049c8a50707908785d950fd48c334f4c09
98332Author: Chen Gang <gang.chen@asianux.com>
98333Date: Sat Jun 22 13:26:09 2013 +0800
98334
98335 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
98336
98337 arch: sparc: kernel: check the memory length before use strcpy().
98338
98339 For the related next strcpy(), the destination length is less than 512,
98340 but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
98341 more than 512.
98342
98343 One work flow may:
98344 openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT)
98345 getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
98346 opromsetopt() -> devide the buffer into 'var' and 'value'
98347 of_set_property() -> pass
98348 prom_setprop() -> pass
98349 ldom_set_var()
98350
98351 And do not mind the additional 4 alignment buffer increasing, since
98352 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
98353
98354 Signed-off-by: Chen Gang <gang.chen@asianux.com>
98355 Signed-off-by: David S. Miller <davem@davemloft.net>
98356
98357 arch/sparc/kernel/ds.c | 10 ++++++++++
98358 1 files changed, 10 insertions(+), 0 deletions(-)
98359
98360commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
98361Author: Brad Spengler <spender@grsecurity.net>
98362Date: Fri Jul 12 20:38:45 2013 -0400
98363
98364 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
98365
98366 Unlike slub, slab can initally create two of the kmalloc_caches
98367 which will be used later for generic kmallocs of their particular
98368 aligned size (since the later loop in the unified allocator code
98369 skips any already-existing kmalloc_caches)
98370
98371 mm/slab.c | 4 ++--
98372 1 files changed, 2 insertions(+), 2 deletions(-)
98373
98374commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
98375Author: Brad Spengler <spender@grsecurity.net>
98376Date: Tue Jul 9 22:04:59 2013 -0400
98377
98378 compile fixes
98379
98380 fs/exec.c | 2 +-
98381 mm/mmap.c | 4 ++--
98382 2 files changed, 3 insertions(+), 3 deletions(-)
98383
98384commit e2d027c7e0f106be683c0c72482b8285daefcbe6
98385Author: Brad Spengler <spender@grsecurity.net>
98386Date: Tue Jul 9 20:58:40 2013 -0400
98387
98388 commit successful merges
98389
98390 Documentation/kernel-parameters.txt | 4 +
98391 Makefile | 8 +-
98392 arch/alpha/include/asm/cache.h | 4 +-
98393 arch/alpha/kernel/osf_sys.c | 12 +-
98394 arch/arm/include/asm/thread_info.h | 3 +-
98395 arch/arm/kernel/ptrace.c | 9 +
98396 arch/arm/kernel/traps.c | 7 +-
98397 arch/arm/mm/fault.c | 29 +-
98398 arch/arm/mm/mmap.c | 8 +-
98399 arch/avr32/include/asm/cache.h | 4 +-
98400 arch/blackfin/include/asm/cache.h | 3 +-
98401 arch/cris/include/arch-v10/arch/cache.h | 3 +-
98402 arch/cris/include/arch-v32/arch/cache.h | 3 +-
98403 arch/frv/include/asm/cache.h | 3 +-
98404 arch/frv/mm/elf-fdpic.c | 4 +-
98405 arch/hexagon/include/asm/cache.h | 6 +-
98406 arch/ia64/include/asm/cache.h | 3 +-
98407 arch/ia64/kernel/sys_ia64.c | 2 +
98408 arch/ia64/mm/hugetlbpage.c | 2 +
98409 arch/m32r/include/asm/cache.h | 4 +-
98410 arch/m68k/include/asm/cache.h | 4 +-
98411 arch/metag/mm/hugetlbpage.c | 1 +
98412 arch/microblaze/include/asm/cache.h | 3 +-
98413 arch/mips/include/asm/cache.h | 3 +-
98414 arch/mips/include/asm/thread_info.h | 9 +-
98415 arch/mips/kernel/ptrace.c | 9 +
98416 arch/mips/kernel/scall32-o32.S | 2 +-
98417 arch/mips/kernel/scall64-64.S | 2 +-
98418 arch/mips/kernel/scall64-n32.S | 2 +-
98419 arch/mips/kernel/scall64-o32.S | 2 +-
98420 arch/mips/mm/mmap.c | 4 +-
98421 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
98422 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
98423 arch/openrisc/include/asm/cache.h | 4 +-
98424 arch/parisc/include/asm/cache.h | 5 +-
98425 arch/parisc/kernel/sys_parisc.c | 17 +-
98426 arch/powerpc/include/asm/cache.h | 3 +-
98427 arch/powerpc/kernel/process.c | 10 +-
98428 arch/powerpc/kernel/ptrace.c | 14 +
98429 arch/powerpc/kernel/traps.c | 5 +
98430 arch/s390/include/asm/cache.h | 4 +-
98431 arch/score/include/asm/cache.h | 4 +-
98432 arch/sh/include/asm/cache.h | 3 +-
98433 arch/sh/mm/mmap.c | 6 +-
98434 arch/sparc/include/asm/cache.h | 4 +-
98435 arch/sparc/include/asm/thread_info_64.h | 9 +-
98436 arch/sparc/kernel/process_32.c | 6 +-
98437 arch/sparc/kernel/process_64.c | 4 +-
98438 arch/sparc/kernel/ptrace_64.c | 14 +
98439 arch/sparc/kernel/sys_sparc_64.c | 8 +-
98440 arch/sparc/kernel/syscalls.S | 8 +-
98441 arch/sparc/kernel/traps_32.c | 8 +-
98442 arch/sparc/kernel/traps_64.c | 28 +-
98443 arch/sparc/kernel/unaligned_64.c | 2 +-
98444 arch/sparc/mm/fault_64.c | 2 +-
98445 arch/sparc/mm/hugetlbpage.c | 3 +-
98446 arch/tile/include/asm/cache.h | 3 +-
98447 arch/tile/mm/hugetlbpage.c | 2 +
98448 arch/um/defconfig | 1 -
98449 arch/um/include/asm/cache.h | 3 +-
98450 arch/unicore32/include/asm/cache.h | 6 +-
98451 arch/x86/Kconfig | 5 +-
98452 arch/x86/ia32/ia32_aout.c | 2 +
98453 arch/x86/include/asm/thread_info.h | 8 +-
98454 arch/x86/kernel/dumpstack.c | 8 +
98455 arch/x86/kernel/entry_32.S | 2 +-
98456 arch/x86/kernel/entry_64.S | 2 +-
98457 arch/x86/kernel/ioport.c | 13 +
98458 arch/x86/kernel/ptrace.c | 14 +
98459 arch/x86/kernel/signal.c | 9 +-
98460 arch/x86/kernel/smpboot.c | 3 +
98461 arch/x86/kernel/sys_i386_32.c | 9 +-
98462 arch/x86/kernel/sys_x86_64.c | 8 +-
98463 arch/x86/kernel/verify_cpu.S | 1 +
98464 arch/x86/kernel/vm86_32.c | 1 +
98465 arch/x86/mm/fault.c | 12 +-
98466 arch/x86/mm/hugetlbpage.c | 15 +-
98467 arch/x86/mm/init.c | 66 +-
98468 arch/x86/net/bpf_jit_comp.c | 129 +-
98469 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
98470 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
98471 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
98472 drivers/block/cciss.c | 2 +
98473 drivers/block/cpqarray.c | 1 +
98474 drivers/cdrom/cdrom.c | 4 +-
98475 drivers/char/Kconfig | 4 +-
98476 drivers/char/genrtc.c | 1 +
98477 drivers/char/mem.c | 17 +
98478 drivers/char/mwave/tp3780i.c | 1 +
98479 drivers/char/random.c | 12 +
98480 drivers/gpu/drm/drm_info.c | 4 +
98481 drivers/hid/hid-wiimote-debug.c | 2 +-
98482 drivers/media/radio/radio-cadet.c | 2 +-
98483 drivers/message/fusion/mptbase.c | 9 +
98484 drivers/net/bonding/bond_main.c | 2 +-
98485 drivers/net/phy/mdio-bitbang.c | 1 +
98486 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
98487 drivers/pci/proc.c | 9 +
98488 drivers/rtc/rtc-dev.c | 3 +
98489 drivers/tty/sysrq.c | 2 +-
98490 drivers/tty/vt/keyboard.c | 22 +-
98491 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------
98492 drivers/xen/xenfs/xenstored.c | 5 +
98493 fs/attr.c | 1 +
98494 fs/autofs4/waitq.c | 9 +
98495 fs/binfmt_aout.c | 7 +
98496 fs/binfmt_elf.c | 8 +-
98497 fs/btrfs/ioctl.c | 6 +-
98498 fs/compat.c | 20 +-
98499 fs/coredump.c | 9 +-
98500 fs/debugfs/inode.c | 4 +
98501 fs/exec.c | 184 ++-
98502 fs/ext2/balloc.c | 4 +-
98503 fs/ext3/balloc.c | 4 +-
98504 fs/ext4/resize.c | 17 +-
98505 fs/fcntl.c | 5 +
98506 fs/file.c | 4 +
98507 fs/filesystems.c | 4 +
98508 fs/fs_struct.c | 13 +-
98509 fs/hugetlbfs/inode.c | 5 +-
98510 fs/namei.c | 234 ++-
98511 fs/namespace.c | 16 +
98512 fs/notify/fanotify/fanotify_user.c | 1 +
98513 fs/open.c | 38 +
98514 fs/proc/Kconfig | 10 +-
98515 fs/proc/array.c | 59 +-
98516 fs/proc/base.c | 168 ++-
98517 fs/proc/cmdline.c | 4 +
98518 fs/proc/devices.c | 4 +
98519 fs/proc/fd.c | 17 +-
98520 fs/proc/inode.c | 4 +
98521 fs/proc/kcore.c | 3 +
98522 fs/proc/proc_net.c | 12 +
98523 fs/proc/proc_sysctl.c | 43 +-
98524 fs/proc/root.c | 8 +
98525 fs/proc/task_mmu.c | 75 +-
98526 fs/readdir.c | 19 +
98527 fs/select.c | 2 +
98528 fs/seq_file.c | 12 +-
98529 fs/stat.c | 19 +-
98530 fs/sysfs/dir.c | 12 +
98531 fs/utimes.c | 7 +
98532 fs/xattr.c | 19 +-
98533 include/linux/capability.h | 5 +
98534 include/linux/cred.h | 3 +
98535 include/linux/fs.h | 10 +
98536 include/linux/fsnotify.h | 6 +
98537 include/linux/kallsyms.h | 14 +-
98538 include/linux/kmod.h | 2 +
98539 include/linux/mm.h | 1 +
98540 include/linux/perf_event.h | 13 +-
98541 include/linux/printk.h | 3 +-
98542 include/linux/sched.h | 24 +-
98543 include/linux/security.h | 1 +
98544 include/linux/seq_file.h | 3 +
98545 include/linux/shm.h | 4 +
98546 include/linux/skbuff.h | 3 +
98547 include/linux/slab.h | 9 -
98548 include/linux/sysctl.h | 2 +
98549 include/linux/thread_info.h | 2 +
98550 include/linux/uidgid.h | 5 +
98551 include/linux/vermagic.h | 9 +-
98552 include/uapi/linux/personality.h | 1 +
98553 init/Kconfig | 3 +-
98554 init/main.c | 14 +
98555 ipc/mqueue.c | 1 +
98556 ipc/shm.c | 28 +
98557 kernel/capability.c | 39 +-
98558 kernel/cgroup.c | 2 +-
98559 kernel/compat.c | 1 +
98560 kernel/configs.c | 11 +
98561 kernel/cred.c | 110 +-
98562 kernel/events/core.c | 14 +-
98563 kernel/exit.c | 10 +-
98564 kernel/fork.c | 41 +-
98565 kernel/futex.c | 1 +
98566 kernel/kallsyms.c | 9 +
98567 kernel/kcmp.c | 4 +
98568 kernel/kmod.c | 64 +-
98569 kernel/kprobes.c | 4 +-
98570 kernel/ksysfs.c | 2 +
98571 kernel/lockdep_proc.c | 10 +-
98572 kernel/module.c | 81 +-
98573 kernel/panic.c | 2 +-
98574 kernel/pid.c | 19 +-
98575 kernel/posix-timers.c | 7 +
98576 kernel/printk.c | 5 +
98577 kernel/ptrace.c | 20 +-
98578 kernel/resource.c | 10 +
98579 kernel/sched/core.c | 6 +-
98580 kernel/signal.c | 37 +-
98581 kernel/sys.c | 45 +-
98582 kernel/sysctl.c | 70 +-
98583 kernel/taskstats.c | 6 +
98584 kernel/time.c | 5 +
98585 kernel/time/timekeeping.c | 1 +
98586 kernel/time/timer_list.c | 12 +
98587 kernel/time/timer_stats.c | 10 +-
98588 lib/Kconfig.debug | 5 +-
98589 lib/is_single_threaded.c | 3 +
98590 mm/Kconfig | 4 +-
98591 mm/filemap.c | 1 +
98592 mm/kmemleak.c | 4 +-
98593 mm/mempolicy.c | 12 +-
98594 mm/migrate.c | 3 +-
98595 mm/mlock.c | 3 +
98596 mm/mmap.c | 63 +-
98597 mm/mprotect.c | 8 +
98598 mm/process_vm_access.c | 6 +
98599 mm/slab.c | 2 +-
98600 mm/slub.c | 14 +-
98601 mm/vmalloc.c | 4 +
98602 mm/vmstat.c | 18 +-
98603 net/core/dev_ioctl.c | 4 +
98604 net/core/sock_diag.c | 7 +
98605 net/ipv4/inet_hashtables.c | 5 +
98606 net/ipv4/ip_sockglue.c | 3 +-
98607 net/ipv4/tcp_input.c | 4 +-
98608 net/ipv4/tcp_ipv4.c | 24 +-
98609 net/ipv4/tcp_minisocks.c | 9 +-
98610 net/ipv4/tcp_timer.c | 11 +
98611 net/ipv4/udp.c | 24 +
98612 net/ipv6/tcp_ipv6.c | 23 +-
98613 net/ipv6/udp.c | 4 +
98614 net/netfilter/Kconfig | 10 +
98615 net/netfilter/Makefile | 1 +
98616 net/netfilter/nf_conntrack_core.c | 8 +
98617 net/netrom/af_netrom.c | 1 -
98618 net/phonet/af_phonet.c | 2 +-
98619 net/sctp/proc.c | 3 +-
98620 net/socket.c | 66 +-
98621 net/sysctl_net.c | 2 +-
98622 net/unix/af_unix.c | 31 +-
98623 security/Kconfig | 343 +++-
98624 security/apparmor/Kconfig | 9 +
98625 security/apparmor/apparmorfs.c | 231 ++
98626 security/commoncap.c | 29 +
98627 security/min_addr.c | 2 +
98628 security/security.c | 2 -
98629 security/selinux/hooks.c | 2 -
98630 security/tomoyo/mount.c | 4 +
98631 security/yama/Kconfig | 2 +-
98632 242 files changed, 4385 insertions(+), 2042 deletions(-)
98633
98634commit 043a378c0f72ed92cc30182c48abce39867ac93f
98635Author: Brad Spengler <spender@grsecurity.net>
98636Date: Tue Jul 9 20:57:40 2013 -0400
98637
98638 Commit merge of new files and rejected patches
98639
98640 arch/arm/include/asm/thread_info.h | 6 +-
98641 arch/arm/kernel/process.c | 4 +-
98642 arch/powerpc/include/asm/thread_info.h | 7 +-
98643 arch/powerpc/mm/slice.c | 2 +-
98644 arch/sparc/kernel/process_64.c | 4 +-
98645 arch/x86/kernel/vm86_32.c | 15 +
98646 fs/coredump.c | 1 +
98647 fs/ext4/balloc.c | 4 +-
98648 fs/namei.c | 7 +
98649 fs/namespace.c | 8 +
98650 fs/pipe.c | 2 +-
98651 fs/proc/inode.c | 13 +
98652 fs/proc/internal.h | 3 +
98653 grsecurity/Kconfig | 1054 +++++++++
98654 grsecurity/Makefile | 38 +
98655 grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
98656 grsecurity/gracl_alloc.c | 105 +
98657 grsecurity/gracl_cap.c | 110 +
98658 grsecurity/gracl_fs.c | 431 ++++
98659 grsecurity/gracl_ip.c | 387 +++
98660 grsecurity/gracl_learn.c | 207 ++
98661 grsecurity/gracl_res.c | 68 +
98662 grsecurity/gracl_segv.c | 305 +++
98663 grsecurity/gracl_shm.c | 40 +
98664 grsecurity/grsec_chdir.c | 19 +
98665 grsecurity/grsec_chroot.c | 370 +++
98666 grsecurity/grsec_disabled.c | 434 ++++
98667 grsecurity/grsec_exec.c | 187 ++
98668 grsecurity/grsec_fifo.c | 24 +
98669 grsecurity/grsec_fork.c | 23 +
98670 grsecurity/grsec_init.c | 283 +++
98671 grsecurity/grsec_link.c | 58 +
98672 grsecurity/grsec_log.c | 326 +++
98673 grsecurity/grsec_mem.c | 40 +
98674 grsecurity/grsec_mount.c | 62 +
98675 grsecurity/grsec_pax.c | 36 +
98676 grsecurity/grsec_ptrace.c | 30 +
98677 grsecurity/grsec_sig.c | 246 ++
98678 grsecurity/grsec_sock.c | 244 ++
98679 grsecurity/grsec_sysctl.c | 469 ++++
98680 grsecurity/grsec_time.c | 16 +
98681 grsecurity/grsec_tpe.c | 73 +
98682 grsecurity/grsum.c | 61 +
98683 include/linux/gracl.h | 319 +++
98684 include/linux/gralloc.h | 9 +
98685 include/linux/grdefs.h | 140 ++
98686 include/linux/grinternal.h | 227 ++
98687 include/linux/grmsg.h | 112 +
98688 include/linux/grsecurity.h | 241 ++
98689 include/linux/grsock.h | 19 +
98690 include/linux/netfilter/xt_gradm.h | 9 +
98691 include/linux/proc_fs.h | 13 +
98692 include/linux/sched.h | 48 +-
98693 include/trace/events/fs.h | 53 +
98694 kernel/kmod.c | 7 +-
98695 kernel/panic.c | 2 +-
98696 kernel/posix-timers.c | 1 +
98697 kernel/time/timekeeping.c | 2 +
98698 lib/Kconfig.debug | 2 +-
98699 lib/vsprintf.c | 31 +
98700 localversion-grsec | 1 +
98701 mm/mmap.c | 13 +-
98702 mm/shmem.c | 2 +-
98703 net/core/net-procfs.c | 5 +
98704 net/ipv6/udp.c | 3 +
98705 net/netfilter/xt_gradm.c | 51 +
98706 66 files changed, 11184 insertions(+), 21 deletions(-)
98707
98708commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
98709Author: Brad Spengler <spender@grsecurity.net>
98710Date: Tue Jul 9 17:35:47 2013 -0400
98711
98712 Initial import of pax-linux-3.10-test1.patch
98713
98714 Documentation/dontdiff | 46 +-
98715 Documentation/kernel-parameters.txt | 12 +
98716 Makefile | 100 +-
98717 arch/alpha/include/asm/atomic.h | 10 +
98718 arch/alpha/include/asm/elf.h | 7 +
98719 arch/alpha/include/asm/pgalloc.h | 6 +
98720 arch/alpha/include/asm/pgtable.h | 11 +
98721 arch/alpha/kernel/module.c | 2 +-
98722 arch/alpha/kernel/osf_sys.c | 8 +-
98723 arch/alpha/mm/fault.c | 141 +-
98724 arch/arm/Kconfig | 2 +-
98725 arch/arm/include/asm/atomic.h | 444 ++-
98726 arch/arm/include/asm/cache.h | 5 +-
98727 arch/arm/include/asm/cacheflush.h | 2 +-
98728 arch/arm/include/asm/checksum.h | 14 +-
98729 arch/arm/include/asm/cmpxchg.h | 2 +
98730 arch/arm/include/asm/domain.h | 33 +-
98731 arch/arm/include/asm/elf.h | 13 +-
98732 arch/arm/include/asm/fncpy.h | 2 +
98733 arch/arm/include/asm/futex.h | 10 +
98734 arch/arm/include/asm/kmap_types.h | 2 +-
98735 arch/arm/include/asm/mach/dma.h | 2 +-
98736 arch/arm/include/asm/mach/map.h | 7 +-
98737 arch/arm/include/asm/outercache.h | 2 +-
98738 arch/arm/include/asm/page.h | 2 +-
98739 arch/arm/include/asm/pgalloc.h | 22 +-
98740 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
98741 arch/arm/include/asm/pgtable-2level.h | 1 +
98742 arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
98743 arch/arm/include/asm/pgtable-3level.h | 2 +
98744 arch/arm/include/asm/pgtable.h | 56 +-
98745 arch/arm/include/asm/proc-fns.h | 2 +-
98746 arch/arm/include/asm/processor.h | 5 +-
98747 arch/arm/include/asm/psci.h | 2 +-
98748 arch/arm/include/asm/smp.h | 2 +-
98749 arch/arm/include/asm/thread_info.h | 6 +-
98750 arch/arm/include/asm/uaccess.h | 92 +-
98751 arch/arm/include/uapi/asm/ptrace.h | 2 +-
98752 arch/arm/kernel/armksyms.c | 8 +-
98753 arch/arm/kernel/entry-armv.S | 107 +-
98754 arch/arm/kernel/entry-common.S | 41 +-
98755 arch/arm/kernel/entry-header.S | 60 +
98756 arch/arm/kernel/fiq.c | 2 +
98757 arch/arm/kernel/head.S | 6 +-
98758 arch/arm/kernel/hw_breakpoint.c | 2 +-
98759 arch/arm/kernel/module.c | 29 +-
98760 arch/arm/kernel/patch.c | 2 +
98761 arch/arm/kernel/perf_event_cpu.c | 2 +-
98762 arch/arm/kernel/process.c | 14 +-
98763 arch/arm/kernel/psci.c | 2 +-
98764 arch/arm/kernel/setup.c | 22 +-
98765 arch/arm/kernel/signal.c | 24 +-
98766 arch/arm/kernel/smp.c | 2 +-
98767 arch/arm/kernel/traps.c | 15 +-
98768 arch/arm/kernel/vmlinux.lds.S | 22 +-
98769 arch/arm/lib/clear_user.S | 6 +-
98770 arch/arm/lib/copy_from_user.S | 6 +-
98771 arch/arm/lib/copy_page.S | 1 +
98772 arch/arm/lib/copy_to_user.S | 6 +-
98773 arch/arm/lib/csumpartialcopyuser.S | 4 +-
98774 arch/arm/lib/delay.c | 2 +-
98775 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
98776 arch/arm/mach-kirkwood/common.c | 19 +-
98777 arch/arm/mach-omap2/board-n8x0.c | 2 +-
98778 arch/arm/mach-omap2/gpmc.c | 22 +-
98779 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
98780 arch/arm/mach-omap2/omap_device.c | 4 +-
98781 arch/arm/mach-omap2/omap_device.h | 4 +-
98782 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
98783 arch/arm/mach-omap2/wd_timer.c | 6 +-
98784 arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
98785 arch/arm/mach-ux500/setup.h | 7 -
98786 arch/arm/mm/Kconfig | 3 +-
98787 arch/arm/mm/alignment.c | 8 +
98788 arch/arm/mm/fault.c | 91 +
98789 arch/arm/mm/fault.h | 12 +
98790 arch/arm/mm/init.c | 41 +
98791 arch/arm/mm/ioremap.c | 4 +-
98792 arch/arm/mm/mmap.c | 30 +-
98793 arch/arm/mm/mmu.c | 187 +-
98794 arch/arm/mm/proc-v7-2level.S | 3 +
98795 arch/arm/plat-omap/sram.c | 2 +
98796 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
98797 arch/arm64/kernel/debug-monitors.c | 2 +-
98798 arch/arm64/kernel/hw_breakpoint.c | 2 +-
98799 arch/avr32/include/asm/elf.h | 8 +-
98800 arch/avr32/include/asm/kmap_types.h | 4 +-
98801 arch/avr32/mm/fault.c | 27 +
98802 arch/frv/include/asm/atomic.h | 10 +
98803 arch/frv/include/asm/kmap_types.h | 2 +-
98804 arch/frv/mm/elf-fdpic.c | 3 +-
98805 arch/ia64/include/asm/atomic.h | 10 +
98806 arch/ia64/include/asm/elf.h | 7 +
98807 arch/ia64/include/asm/pgalloc.h | 12 +
98808 arch/ia64/include/asm/pgtable.h | 13 +-
98809 arch/ia64/include/asm/spinlock.h | 2 +-
98810 arch/ia64/include/asm/uaccess.h | 26 +-
98811 arch/ia64/kernel/err_inject.c | 2 +-
98812 arch/ia64/kernel/mca.c | 2 +-
98813 arch/ia64/kernel/module.c | 48 +-
98814 arch/ia64/kernel/palinfo.c | 2 +-
98815 arch/ia64/kernel/salinfo.c | 2 +-
98816 arch/ia64/kernel/sys_ia64.c | 7 +
98817 arch/ia64/kernel/topology.c | 2 +-
98818 arch/ia64/kernel/vmlinux.lds.S | 2 +-
98819 arch/ia64/mm/fault.c | 32 +-
98820 arch/ia64/mm/init.c | 13 +
98821 arch/m32r/lib/usercopy.c | 6 +
98822 arch/mips/include/asm/atomic.h | 14 +
98823 arch/mips/include/asm/elf.h | 11 +-
98824 arch/mips/include/asm/exec.h | 2 +-
98825 arch/mips/include/asm/page.h | 2 +-
98826 arch/mips/include/asm/pgalloc.h | 5 +
98827 arch/mips/kernel/binfmt_elfn32.c | 7 +
98828 arch/mips/kernel/binfmt_elfo32.c | 7 +
98829 arch/mips/kernel/process.c | 12 -
98830 arch/mips/mm/fault.c | 17 +
98831 arch/mips/mm/mmap.c | 51 +-
98832 arch/parisc/include/asm/atomic.h | 10 +
98833 arch/parisc/include/asm/elf.h | 7 +
98834 arch/parisc/include/asm/pgalloc.h | 6 +
98835 arch/parisc/include/asm/pgtable.h | 11 +
98836 arch/parisc/include/asm/uaccess.h | 4 +-
98837 arch/parisc/kernel/module.c | 50 +-
98838 arch/parisc/kernel/sys_parisc.c | 9 +-
98839 arch/parisc/kernel/traps.c | 4 +-
98840 arch/parisc/mm/fault.c | 140 +-
98841 arch/powerpc/include/asm/atomic.h | 10 +
98842 arch/powerpc/include/asm/elf.h | 19 +-
98843 arch/powerpc/include/asm/exec.h | 2 +-
98844 arch/powerpc/include/asm/kmap_types.h | 2 +-
98845 arch/powerpc/include/asm/mman.h | 2 +-
98846 arch/powerpc/include/asm/page.h | 8 +-
98847 arch/powerpc/include/asm/page_64.h | 7 +-
98848 arch/powerpc/include/asm/pgalloc-64.h | 7 +
98849 arch/powerpc/include/asm/pgtable.h | 1 +
98850 arch/powerpc/include/asm/pte-hash32.h | 1 +
98851 arch/powerpc/include/asm/reg.h | 1 +
98852 arch/powerpc/include/asm/smp.h | 2 +-
98853 arch/powerpc/include/asm/uaccess.h | 140 +-
98854 arch/powerpc/kernel/exceptions-64e.S | 4 +-
98855 arch/powerpc/kernel/exceptions-64s.S | 2 +-
98856 arch/powerpc/kernel/module_32.c | 13 +-
98857 arch/powerpc/kernel/process.c | 55 -
98858 arch/powerpc/kernel/signal_32.c | 2 +-
98859 arch/powerpc/kernel/signal_64.c | 2 +-
98860 arch/powerpc/kernel/sysfs.c | 2 +-
98861 arch/powerpc/kernel/vdso.c | 5 +-
98862 arch/powerpc/lib/usercopy_64.c | 18 -
98863 arch/powerpc/mm/fault.c | 54 +-
98864 arch/powerpc/mm/mmap_64.c | 16 +
98865 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
98866 arch/powerpc/mm/numa.c | 2 +-
98867 arch/powerpc/mm/slice.c | 13 +-
98868 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
98869 arch/powerpc/platforms/powermac/smp.c | 2 +-
98870 arch/s390/include/asm/atomic.h | 10 +
98871 arch/s390/include/asm/elf.h | 13 +-
98872 arch/s390/include/asm/exec.h | 2 +-
98873 arch/s390/include/asm/uaccess.h | 15 +-
98874 arch/s390/kernel/module.c | 22 +-
98875 arch/s390/kernel/process.c | 36 -
98876 arch/s390/mm/mmap.c | 24 +
98877 arch/score/include/asm/exec.h | 2 +-
98878 arch/score/kernel/process.c | 5 -
98879 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
98880 arch/sh/mm/mmap.c | 22 +-
98881 arch/sparc/include/asm/atomic_64.h | 106 +-
98882 arch/sparc/include/asm/cache.h | 2 +-
98883 arch/sparc/include/asm/elf_32.h | 7 +
98884 arch/sparc/include/asm/elf_64.h | 7 +
98885 arch/sparc/include/asm/pgalloc_32.h | 1 +
98886 arch/sparc/include/asm/pgalloc_64.h | 1 +
98887 arch/sparc/include/asm/pgtable_32.h | 15 +-
98888 arch/sparc/include/asm/pgtsrmmu.h | 5 +
98889 arch/sparc/include/asm/spinlock_64.h | 35 +-
98890 arch/sparc/include/asm/thread_info_32.h | 2 +
98891 arch/sparc/include/asm/thread_info_64.h | 2 +
98892 arch/sparc/include/asm/uaccess.h | 1 +
98893 arch/sparc/include/asm/uaccess_32.h | 27 +-
98894 arch/sparc/include/asm/uaccess_64.h | 19 +-
98895 arch/sparc/kernel/Makefile | 2 +-
98896 arch/sparc/kernel/prom_common.c | 2 +-
98897 arch/sparc/kernel/sys_sparc_32.c | 2 +-
98898 arch/sparc/kernel/sys_sparc_64.c | 48 +-
98899 arch/sparc/kernel/sysfs.c | 2 +-
98900 arch/sparc/kernel/traps_64.c | 13 +-
98901 arch/sparc/lib/Makefile | 2 +-
98902 arch/sparc/lib/atomic_64.S | 136 +-
98903 arch/sparc/lib/ksyms.c | 6 +
98904 arch/sparc/mm/Makefile | 2 +-
98905 arch/sparc/mm/fault_32.c | 292 +
98906 arch/sparc/mm/fault_64.c | 486 ++
98907 arch/sparc/mm/hugetlbpage.c | 21 +-
98908 arch/tile/include/asm/atomic_64.h | 10 +
98909 arch/tile/include/asm/uaccess.h | 4 +-
98910 arch/um/Makefile | 4 +
98911 arch/um/include/asm/kmap_types.h | 2 +-
98912 arch/um/include/asm/page.h | 3 +
98913 arch/um/include/asm/pgtable-3level.h | 1 +
98914 arch/um/kernel/process.c | 16 -
98915 arch/x86/Kconfig | 10 +-
98916 arch/x86/Kconfig.cpu | 6 +-
98917 arch/x86/Kconfig.debug | 4 +-
98918 arch/x86/Makefile | 10 +
98919 arch/x86/boot/Makefile | 3 +
98920 arch/x86/boot/bitops.h | 4 +-
98921 arch/x86/boot/boot.h | 4 +-
98922 arch/x86/boot/compressed/Makefile | 3 +
98923 arch/x86/boot/compressed/eboot.c | 2 -
98924 arch/x86/boot/compressed/efi_stub_32.S | 16 +-
98925 arch/x86/boot/compressed/head_32.S | 7 +-
98926 arch/x86/boot/compressed/head_64.S | 8 +-
98927 arch/x86/boot/compressed/misc.c | 4 +-
98928 arch/x86/boot/cpucheck.c | 28 +-
98929 arch/x86/boot/header.S | 6 +-
98930 arch/x86/boot/memory.c | 2 +-
98931 arch/x86/boot/video-vesa.c | 1 +
98932 arch/x86/boot/video.c | 2 +-
98933 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
98934 arch/x86/crypto/aesni-intel_asm.S | 22 +
98935 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
98936 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
98937 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
98938 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
98939 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
98940 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
98941 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
98942 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
98943 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
98944 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
98945 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
98946 arch/x86/ia32/ia32_signal.c | 14 +-
98947 arch/x86/ia32/ia32entry.S | 141 +-
98948 arch/x86/ia32/sys_ia32.c | 4 +-
98949 arch/x86/include/asm/alternative-asm.h | 39 +
98950 arch/x86/include/asm/alternative.h | 4 +-
98951 arch/x86/include/asm/apic.h | 2 +-
98952 arch/x86/include/asm/apm.h | 4 +-
98953 arch/x86/include/asm/atomic.h | 307 +-
98954 arch/x86/include/asm/atomic64_32.h | 100 +
98955 arch/x86/include/asm/atomic64_64.h | 202 +-
98956 arch/x86/include/asm/bitops.h | 4 +-
98957 arch/x86/include/asm/boot.h | 7 +-
98958 arch/x86/include/asm/cache.h | 5 +-
98959 arch/x86/include/asm/cacheflush.h | 2 +-
98960 arch/x86/include/asm/checksum_32.h | 12 +-
98961 arch/x86/include/asm/cmpxchg.h | 35 +
98962 arch/x86/include/asm/compat.h | 2 +-
98963 arch/x86/include/asm/cpufeature.h | 4 +-
98964 arch/x86/include/asm/desc.h | 67 +-
98965 arch/x86/include/asm/desc_defs.h | 6 +
98966 arch/x86/include/asm/div64.h | 2 +-
98967 arch/x86/include/asm/elf.h | 31 +-
98968 arch/x86/include/asm/emergency-restart.h | 2 +-
98969 arch/x86/include/asm/fpu-internal.h | 6 +-
98970 arch/x86/include/asm/futex.h | 16 +-
98971 arch/x86/include/asm/hw_irq.h | 4 +-
98972 arch/x86/include/asm/i8259.h | 2 +-
98973 arch/x86/include/asm/io.h | 21 +-
98974 arch/x86/include/asm/irqflags.h | 5 +
98975 arch/x86/include/asm/kprobes.h | 9 +-
98976 arch/x86/include/asm/local.h | 142 +-
98977 arch/x86/include/asm/mman.h | 15 +
98978 arch/x86/include/asm/mmu.h | 16 +-
98979 arch/x86/include/asm/mmu_context.h | 76 +-
98980 arch/x86/include/asm/module.h | 17 +-
98981 arch/x86/include/asm/nmi.h | 6 +-
98982 arch/x86/include/asm/page.h | 1 +
98983 arch/x86/include/asm/page_64.h | 4 +-
98984 arch/x86/include/asm/paravirt.h | 46 +-
98985 arch/x86/include/asm/paravirt_types.h | 17 +-
98986 arch/x86/include/asm/pgalloc.h | 23 +
98987 arch/x86/include/asm/pgtable-2level.h | 2 +
98988 arch/x86/include/asm/pgtable-3level.h | 4 +
98989 arch/x86/include/asm/pgtable.h | 122 +-
98990 arch/x86/include/asm/pgtable_32.h | 14 +-
98991 arch/x86/include/asm/pgtable_32_types.h | 15 +-
98992 arch/x86/include/asm/pgtable_64.h | 19 +-
98993 arch/x86/include/asm/pgtable_64_types.h | 5 +
98994 arch/x86/include/asm/pgtable_types.h | 36 +-
98995 arch/x86/include/asm/processor.h | 39 +-
98996 arch/x86/include/asm/ptrace.h | 26 +-
98997 arch/x86/include/asm/realmode.h | 4 +-
98998 arch/x86/include/asm/reboot.h | 10 +-
98999 arch/x86/include/asm/rwsem.h | 60 +-
99000 arch/x86/include/asm/segment.h | 24 +-
99001 arch/x86/include/asm/smp.h | 14 +-
99002 arch/x86/include/asm/spinlock.h | 36 +-
99003 arch/x86/include/asm/stackprotector.h | 4 +-
99004 arch/x86/include/asm/stacktrace.h | 32 +-
99005 arch/x86/include/asm/switch_to.h | 4 +-
99006 arch/x86/include/asm/thread_info.h | 83 +-
99007 arch/x86/include/asm/uaccess.h | 96 +-
99008 arch/x86/include/asm/uaccess_32.h | 106 +-
99009 arch/x86/include/asm/uaccess_64.h | 232 +-
99010 arch/x86/include/asm/word-at-a-time.h | 2 +-
99011 arch/x86/include/asm/x86_init.h | 10 +-
99012 arch/x86/include/asm/xsave.h | 10 +-
99013 arch/x86/include/uapi/asm/e820.h | 2 +-
99014 arch/x86/kernel/Makefile | 2 +-
99015 arch/x86/kernel/acpi/boot.c | 4 +-
99016 arch/x86/kernel/acpi/sleep.c | 4 +
99017 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
99018 arch/x86/kernel/alternative.c | 65 +-
99019 arch/x86/kernel/apic/apic.c | 4 +-
99020 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
99021 arch/x86/kernel/apic/apic_noop.c | 2 +-
99022 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
99023 arch/x86/kernel/apic/es7000_32.c | 5 +-
99024 arch/x86/kernel/apic/io_apic.c | 8 +-
99025 arch/x86/kernel/apic/numaq_32.c | 3 +-
99026 arch/x86/kernel/apic/probe_32.c | 2 +-
99027 arch/x86/kernel/apic/summit_32.c | 2 +-
99028 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
99029 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
99030 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
99031 arch/x86/kernel/apm_32.c | 19 +-
99032 arch/x86/kernel/asm-offsets.c | 20 +
99033 arch/x86/kernel/asm-offsets_64.c | 1 +
99034 arch/x86/kernel/cpu/Makefile | 4 -
99035 arch/x86/kernel/cpu/amd.c | 2 +-
99036 arch/x86/kernel/cpu/common.c | 75 +-
99037 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
99038 arch/x86/kernel/cpu/mcheck/mce.c | 33 +-
99039 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
99040 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
99041 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
99042 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
99043 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
99044 arch/x86/kernel/cpu/perf_event.c | 8 +-
99045 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
99046 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
99047 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
99048 arch/x86/kernel/cpuid.c | 2 +-
99049 arch/x86/kernel/crash.c | 4 +-
99050 arch/x86/kernel/crash_dump_64.c | 2 +-
99051 arch/x86/kernel/doublefault_32.c | 8 +-
99052 arch/x86/kernel/dumpstack.c | 28 +-
99053 arch/x86/kernel/dumpstack_32.c | 34 +-
99054 arch/x86/kernel/dumpstack_64.c | 61 +-
99055 arch/x86/kernel/e820.c | 4 +-
99056 arch/x86/kernel/early_printk.c | 1 +
99057 arch/x86/kernel/entry_32.S | 354 +-
99058 arch/x86/kernel/entry_64.S | 548 ++-
99059 arch/x86/kernel/ftrace.c | 14 +-
99060 arch/x86/kernel/head64.c | 13 +-
99061 arch/x86/kernel/head_32.S | 237 +-
99062 arch/x86/kernel/head_64.S | 143 +-
99063 arch/x86/kernel/i386_ksyms_32.c | 8 +
99064 arch/x86/kernel/i387.c | 2 +-
99065 arch/x86/kernel/i8259.c | 10 +-
99066 arch/x86/kernel/io_delay.c | 2 +-
99067 arch/x86/kernel/ioport.c | 2 +-
99068 arch/x86/kernel/irq.c | 8 +-
99069 arch/x86/kernel/irq_32.c | 69 +-
99070 arch/x86/kernel/irq_64.c | 2 +-
99071 arch/x86/kernel/kdebugfs.c | 2 +-
99072 arch/x86/kernel/kgdb.c | 25 +-
99073 arch/x86/kernel/kprobes/core.c | 30 +-
99074 arch/x86/kernel/kprobes/opt.c | 16 +-
99075 arch/x86/kernel/kvm.c | 2 +-
99076 arch/x86/kernel/ldt.c | 31 +-
99077 arch/x86/kernel/machine_kexec_32.c | 6 +-
99078 arch/x86/kernel/microcode_core.c | 2 +-
99079 arch/x86/kernel/microcode_intel.c | 4 +-
99080 arch/x86/kernel/module.c | 76 +-
99081 arch/x86/kernel/msr.c | 2 +-
99082 arch/x86/kernel/nmi.c | 19 +-
99083 arch/x86/kernel/nmi_selftest.c | 4 +-
99084 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
99085 arch/x86/kernel/paravirt.c | 43 +-
99086 arch/x86/kernel/pci-calgary_64.c | 2 +-
99087 arch/x86/kernel/pci-iommu_table.c | 2 +-
99088 arch/x86/kernel/pci-swiotlb.c | 2 +-
99089 arch/x86/kernel/process.c | 55 +-
99090 arch/x86/kernel/process_32.c | 29 +-
99091 arch/x86/kernel/process_64.c | 15 +-
99092 arch/x86/kernel/ptrace.c | 25 +-
99093 arch/x86/kernel/pvclock.c | 8 +-
99094 arch/x86/kernel/reboot.c | 44 +-
99095 arch/x86/kernel/relocate_kernel_64.S | 2 +
99096 arch/x86/kernel/setup.c | 21 +-
99097 arch/x86/kernel/setup_percpu.c | 29 +-
99098 arch/x86/kernel/signal.c | 15 +-
99099 arch/x86/kernel/smp.c | 2 +-
99100 arch/x86/kernel/smpboot.c | 15 +-
99101 arch/x86/kernel/step.c | 10 +-
99102 arch/x86/kernel/sys_i386_32.c | 184 +
99103 arch/x86/kernel/sys_x86_64.c | 22 +-
99104 arch/x86/kernel/tboot.c | 14 +-
99105 arch/x86/kernel/time.c | 10 +-
99106 arch/x86/kernel/tls.c | 7 +-
99107 arch/x86/kernel/traps.c | 64 +-
99108 arch/x86/kernel/uprobes.c | 4 +-
99109 arch/x86/kernel/vm86_32.c | 6 +-
99110 arch/x86/kernel/vmlinux.lds.S | 148 +-
99111 arch/x86/kernel/vsyscall_64.c | 12 +-
99112 arch/x86/kernel/x8664_ksyms_64.c | 2 -
99113 arch/x86/kernel/x86_init.c | 8 +-
99114 arch/x86/kernel/xsave.c | 2 +
99115 arch/x86/kvm/cpuid.c | 21 +-
99116 arch/x86/kvm/emulate.c | 4 +-
99117 arch/x86/kvm/lapic.c | 2 +-
99118 arch/x86/kvm/paging_tmpl.h | 2 +-
99119 arch/x86/kvm/svm.c | 8 +
99120 arch/x86/kvm/vmx.c | 61 +-
99121 arch/x86/kvm/x86.c | 8 +-
99122 arch/x86/lguest/boot.c | 3 +-
99123 arch/x86/lib/atomic64_386_32.S | 164 +
99124 arch/x86/lib/atomic64_cx8_32.S | 103 +-
99125 arch/x86/lib/checksum_32.S | 100 +-
99126 arch/x86/lib/clear_page_64.S | 5 +-
99127 arch/x86/lib/cmpxchg16b_emu.S | 2 +
99128 arch/x86/lib/copy_page_64.S | 24 +-
99129 arch/x86/lib/copy_user_64.S | 47 +-
99130 arch/x86/lib/copy_user_nocache_64.S | 20 +-
99131 arch/x86/lib/csum-copy_64.S | 2 +
99132 arch/x86/lib/csum-wrappers_64.c | 4 +-
99133 arch/x86/lib/getuser.S | 70 +-
99134 arch/x86/lib/insn.c | 6 +-
99135 arch/x86/lib/iomap_copy_64.S | 2 +
99136 arch/x86/lib/memcpy_64.S | 18 +-
99137 arch/x86/lib/memmove_64.S | 34 +-
99138 arch/x86/lib/memset_64.S | 7 +-
99139 arch/x86/lib/mmx_32.c | 243 +-
99140 arch/x86/lib/msr-reg.S | 18 +-
99141 arch/x86/lib/putuser.S | 90 +-
99142 arch/x86/lib/rwlock.S | 42 +
99143 arch/x86/lib/rwsem.S | 6 +-
99144 arch/x86/lib/thunk_64.S | 2 +
99145 arch/x86/lib/usercopy_32.c | 363 +-
99146 arch/x86/lib/usercopy_64.c | 13 +-
99147 arch/x86/mm/extable.c | 25 +-
99148 arch/x86/mm/fault.c | 556 ++-
99149 arch/x86/mm/gup.c | 2 +-
99150 arch/x86/mm/highmem_32.c | 4 +
99151 arch/x86/mm/hugetlbpage.c | 30 +-
99152 arch/x86/mm/init.c | 98 +-
99153 arch/x86/mm/init_32.c | 113 +-
99154 arch/x86/mm/init_64.c | 38 +-
99155 arch/x86/mm/iomap_32.c | 4 +
99156 arch/x86/mm/ioremap.c | 15 +-
99157 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
99158 arch/x86/mm/mmap.c | 41 +-
99159 arch/x86/mm/mmio-mod.c | 10 +-
99160 arch/x86/mm/numa.c | 2 +-
99161 arch/x86/mm/pageattr-test.c | 2 +-
99162 arch/x86/mm/pageattr.c | 33 +-
99163 arch/x86/mm/pat.c | 12 +-
99164 arch/x86/mm/pat_rbtree.c | 2 +-
99165 arch/x86/mm/pf_in.c | 10 +-
99166 arch/x86/mm/pgtable.c | 137 +-
99167 arch/x86/mm/pgtable_32.c | 3 +
99168 arch/x86/mm/physaddr.c | 4 +-
99169 arch/x86/mm/setup_nx.c | 7 +
99170 arch/x86/mm/tlb.c | 4 +
99171 arch/x86/net/bpf_jit.S | 14 +
99172 arch/x86/net/bpf_jit_comp.c | 37 +-
99173 arch/x86/oprofile/backtrace.c | 8 +-
99174 arch/x86/oprofile/nmi_int.c | 8 +-
99175 arch/x86/oprofile/op_model_amd.c | 8 +-
99176 arch/x86/oprofile/op_model_ppro.c | 7 +-
99177 arch/x86/oprofile/op_x86_model.h | 2 +-
99178 arch/x86/pci/amd_bus.c | 2 +-
99179 arch/x86/pci/irq.c | 8 +-
99180 arch/x86/pci/mrst.c | 4 +-
99181 arch/x86/pci/pcbios.c | 144 +-
99182 arch/x86/platform/efi/efi_32.c | 24 +
99183 arch/x86/platform/efi/efi_64.c | 10 +
99184 arch/x86/platform/efi/efi_stub_32.S | 64 +-
99185 arch/x86/platform/efi/efi_stub_64.S | 8 +
99186 arch/x86/platform/mrst/mrst.c | 6 +-
99187 arch/x86/platform/olpc/olpc_dt.c | 2 +-
99188 arch/x86/power/cpu.c | 11 +-
99189 arch/x86/realmode/init.c | 10 +-
99190 arch/x86/realmode/rm/Makefile | 3 +
99191 arch/x86/realmode/rm/header.S | 4 +-
99192 arch/x86/realmode/rm/trampoline_32.S | 12 +-
99193 arch/x86/realmode/rm/trampoline_64.S | 2 +-
99194 arch/x86/tools/Makefile | 2 +-
99195 arch/x86/tools/relocs.c | 94 +-
99196 arch/x86/um/tls_32.c | 2 +-
99197 arch/x86/vdso/Makefile | 2 +-
99198 arch/x86/vdso/vdso32-setup.c | 23 +-
99199 arch/x86/vdso/vma.c | 29 +-
99200 arch/x86/xen/enlighten.c | 47 +-
99201 arch/x86/xen/mmu.c | 9 +
99202 arch/x86/xen/smp.c | 18 +-
99203 arch/x86/xen/xen-asm_32.S | 12 +-
99204 arch/x86/xen/xen-head.S | 11 +
99205 arch/x86/xen/xen-ops.h | 2 -
99206 block/blk-iopoll.c | 4 +-
99207 block/blk-map.c | 2 +-
99208 block/blk-softirq.c | 4 +-
99209 block/bsg.c | 12 +-
99210 block/compat_ioctl.c | 2 +-
99211 block/genhd.c | 11 +-
99212 block/partitions/efi.c | 8 +-
99213 block/scsi_ioctl.c | 27 +-
99214 crypto/algapi.c | 2 +-
99215 crypto/cryptd.c | 4 +-
99216 crypto/pcrypt.c | 6 +-
99217 drivers/acpi/apei/apei-internal.h | 2 +-
99218 drivers/acpi/apei/cper.c | 8 +-
99219 drivers/acpi/bgrt.c | 6 +-
99220 drivers/acpi/blacklist.c | 4 +-
99221 drivers/acpi/ec_sys.c | 12 +-
99222 drivers/acpi/processor_idle.c | 2 +-
99223 drivers/acpi/sysfs.c | 4 +-
99224 drivers/ata/libahci.c | 2 +-
99225 drivers/ata/libata-core.c | 8 +-
99226 drivers/ata/pata_arasan_cf.c | 4 +-
99227 drivers/atm/adummy.c | 2 +-
99228 drivers/atm/ambassador.c | 8 +-
99229 drivers/atm/atmtcp.c | 14 +-
99230 drivers/atm/eni.c | 10 +-
99231 drivers/atm/firestream.c | 8 +-
99232 drivers/atm/fore200e.c | 14 +-
99233 drivers/atm/he.c | 18 +-
99234 drivers/atm/horizon.c | 4 +-
99235 drivers/atm/idt77252.c | 36 +-
99236 drivers/atm/iphase.c | 34 +-
99237 drivers/atm/lanai.c | 12 +-
99238 drivers/atm/nicstar.c | 46 +-
99239 drivers/atm/solos-pci.c | 4 +-
99240 drivers/atm/suni.c | 4 +-
99241 drivers/atm/uPD98402.c | 16 +-
99242 drivers/atm/zatm.c | 6 +-
99243 drivers/base/attribute_container.c | 2 +-
99244 drivers/base/bus.c | 4 +-
99245 drivers/base/devtmpfs.c | 8 +-
99246 drivers/base/node.c | 2 +-
99247 drivers/base/power/domain.c | 4 +-
99248 drivers/base/power/sysfs.c | 2 +-
99249 drivers/base/power/wakeup.c | 8 +-
99250 drivers/base/syscore.c | 4 +-
99251 drivers/block/cciss.c | 28 +-
99252 drivers/block/cciss.h | 2 +-
99253 drivers/block/cpqarray.c | 28 +-
99254 drivers/block/cpqarray.h | 2 +-
99255 drivers/block/drbd/drbd_int.h | 6 +-
99256 drivers/block/drbd/drbd_main.c | 8 +-
99257 drivers/block/drbd/drbd_receiver.c | 22 +-
99258 drivers/block/loop.c | 2 +-
99259 drivers/block/nbd.c | 2 +-
99260 drivers/block/pktcdvd.c | 2 +-
99261 drivers/cdrom/cdrom.c | 11 +-
99262 drivers/cdrom/gdrom.c | 1 -
99263 drivers/char/agp/compat_ioctl.c | 2 +-
99264 drivers/char/agp/frontend.c | 4 +-
99265 drivers/char/hpet.c | 2 +-
99266 drivers/char/hw_random/intel-rng.c | 2 +-
99267 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
99268 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
99269 drivers/char/mem.c | 45 +-
99270 drivers/char/nvram.c | 2 +-
99271 drivers/char/pcmcia/synclink_cs.c | 18 +-
99272 drivers/char/random.c | 10 +-
99273 drivers/char/sonypi.c | 9 +-
99274 drivers/char/tpm/tpm_acpi.c | 3 +-
99275 drivers/char/tpm/tpm_eventlog.c | 7 +-
99276 drivers/char/virtio_console.c | 4 +-
99277 drivers/clk/clk-composite.c | 2 +-
99278 drivers/clocksource/arm_arch_timer.c | 2 +-
99279 drivers/clocksource/metag_generic.c | 2 +-
99280 drivers/cpufreq/acpi-cpufreq.c | 20 +-
99281 drivers/cpufreq/cpufreq.c | 9 +-
99282 drivers/cpufreq/cpufreq_governor.c | 6 +-
99283 drivers/cpufreq/cpufreq_governor.h | 2 +-
99284 drivers/cpufreq/cpufreq_ondemand.c | 8 +-
99285 drivers/cpufreq/cpufreq_stats.c | 2 +-
99286 drivers/cpufreq/p4-clockmod.c | 12 +-
99287 drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
99288 drivers/cpufreq/speedstep-centrino.c | 7 +-
99289 drivers/cpuidle/cpuidle.c | 2 +-
99290 drivers/cpuidle/governor.c | 4 +-
99291 drivers/cpuidle/sysfs.c | 2 +-
99292 drivers/devfreq/devfreq.c | 6 +-
99293 drivers/dma/sh/shdma.c | 2 +-
99294 drivers/edac/edac_mc_sysfs.c | 12 +-
99295 drivers/edac/edac_pci_sysfs.c | 22 +-
99296 drivers/edac/mce_amd.h | 2 +-
99297 drivers/firewire/core-card.c | 2 +-
99298 drivers/firewire/core-device.c | 2 +-
99299 drivers/firewire/core-transaction.c | 1 +
99300 drivers/firewire/core.h | 1 +
99301 drivers/firmware/dmi-id.c | 2 +-
99302 drivers/firmware/dmi_scan.c | 7 +-
99303 drivers/firmware/efi/efi.c | 12 +-
99304 drivers/firmware/efi/efivars.c | 2 +-
99305 drivers/firmware/google/memconsole.c | 4 +-
99306 drivers/gpio/gpio-ich.c | 2 +-
99307 drivers/gpio/gpio-vr41xx.c | 2 +-
99308 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
99309 drivers/gpu/drm/drm_drv.c | 6 +-
99310 drivers/gpu/drm/drm_fops.c | 18 +-
99311 drivers/gpu/drm/drm_global.c | 14 +-
99312 drivers/gpu/drm/drm_info.c | 14 +-
99313 drivers/gpu/drm/drm_ioc32.c | 13 +-
99314 drivers/gpu/drm/drm_ioctl.c | 2 +-
99315 drivers/gpu/drm/drm_lock.c | 4 +-
99316 drivers/gpu/drm/drm_stub.c | 2 +-
99317 drivers/gpu/drm/drm_sysfs.c | 2 +-
99318 drivers/gpu/drm/i810/i810_dma.c | 8 +-
99319 drivers/gpu/drm/i810/i810_drv.h | 4 +-
99320 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
99321 drivers/gpu/drm/i915/i915_dma.c | 2 +-
99322 drivers/gpu/drm/i915/i915_drv.h | 4 +-
99323 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
99324 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
99325 drivers/gpu/drm/i915/i915_irq.c | 22 +-
99326 drivers/gpu/drm/i915/intel_display.c | 26 +-
99327 drivers/gpu/drm/mga/mga_drv.h | 4 +-
99328 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
99329 drivers/gpu/drm/mga/mga_irq.c | 8 +-
99330 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
99331 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
99332 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
99333 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
99334 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
99335 drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
99336 drivers/gpu/drm/r128/r128_cce.c | 2 +-
99337 drivers/gpu/drm/r128/r128_drv.h | 4 +-
99338 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
99339 drivers/gpu/drm/r128/r128_irq.c | 4 +-
99340 drivers/gpu/drm/r128/r128_state.c | 4 +-
99341 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
99342 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
99343 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
99344 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
99345 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
99346 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
99347 drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
99348 drivers/gpu/drm/radeon/rs690.c | 4 +-
99349 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
99350 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
99351 drivers/gpu/drm/udl/udl_fb.c | 1 -
99352 drivers/gpu/drm/via/via_drv.h | 4 +-
99353 drivers/gpu/drm/via/via_irq.c | 18 +-
99354 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
99355 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
99356 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
99357 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
99358 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
99359 drivers/hid/hid-core.c | 4 +-
99360 drivers/hv/channel.c | 4 +-
99361 drivers/hv/hv.c | 2 +-
99362 drivers/hv/hyperv_vmbus.h | 2 +-
99363 drivers/hv/vmbus_drv.c | 4 +-
99364 drivers/hwmon/acpi_power_meter.c | 4 +-
99365 drivers/hwmon/applesmc.c | 2 +-
99366 drivers/hwmon/asus_atk0110.c | 10 +-
99367 drivers/hwmon/coretemp.c | 2 +-
99368 drivers/hwmon/ibmaem.c | 2 +-
99369 drivers/hwmon/iio_hwmon.c | 2 +-
99370 drivers/hwmon/pmbus/pmbus_core.c | 10 +-
99371 drivers/hwmon/sht15.c | 12 +-
99372 drivers/hwmon/via-cputemp.c | 2 +-
99373 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
99374 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
99375 drivers/i2c/i2c-dev.c | 2 +-
99376 drivers/ide/ide-cd.c | 2 +-
99377 drivers/iio/industrialio-core.c | 2 +-
99378 drivers/infiniband/core/cm.c | 32 +-
99379 drivers/infiniband/core/fmr_pool.c | 20 +-
99380 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
99381 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
99382 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
99383 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
99384 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
99385 drivers/infiniband/hw/nes/nes.c | 4 +-
99386 drivers/infiniband/hw/nes/nes.h | 40 +-
99387 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
99388 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
99389 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
99390 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
99391 drivers/infiniband/hw/qib/qib.h | 1 +
99392 drivers/input/gameport/gameport.c | 4 +-
99393 drivers/input/input.c | 4 +-
99394 drivers/input/joystick/sidewinder.c | 1 +
99395 drivers/input/joystick/xpad.c | 4 +-
99396 drivers/input/mouse/psmouse.h | 2 +-
99397 drivers/input/mousedev.c | 2 +-
99398 drivers/input/serio/serio.c | 4 +-
99399 drivers/iommu/iommu.c | 2 +-
99400 drivers/iommu/irq_remapping.c | 12 +-
99401 drivers/irqchip/irq-gic.c | 4 +-
99402 drivers/isdn/capi/capi.c | 10 +-
99403 drivers/isdn/gigaset/interface.c | 8 +-
99404 drivers/isdn/hardware/avm/b1.c | 4 +-
99405 drivers/isdn/i4l/isdn_tty.c | 22 +-
99406 drivers/isdn/icn/icn.c | 2 +-
99407 drivers/leds/leds-clevo-mail.c | 2 +-
99408 drivers/leds/leds-ss4200.c | 2 +-
99409 drivers/lguest/core.c | 10 +-
99410 drivers/lguest/page_tables.c | 2 +-
99411 drivers/lguest/x86/core.c | 12 +-
99412 drivers/lguest/x86/switcher_32.S | 27 +-
99413 drivers/md/bcache/closure.h | 2 +-
99414 drivers/md/bitmap.c | 2 +-
99415 drivers/md/dm-ioctl.c | 2 +-
99416 drivers/md/dm-raid1.c | 16 +-
99417 drivers/md/dm-stripe.c | 10 +-
99418 drivers/md/dm-table.c | 2 +-
99419 drivers/md/dm-thin-metadata.c | 4 +-
99420 drivers/md/dm.c | 16 +-
99421 drivers/md/md.c | 26 +-
99422 drivers/md/md.h | 6 +-
99423 drivers/md/persistent-data/dm-space-map.h | 1 +
99424 drivers/md/raid1.c | 4 +-
99425 drivers/md/raid10.c | 16 +-
99426 drivers/md/raid5.c | 10 +-
99427 drivers/media/dvb-core/dvbdev.c | 2 +-
99428 drivers/media/dvb-frontends/dib3000.h | 2 +-
99429 drivers/media/pci/cx88/cx88-video.c | 6 +-
99430 drivers/media/platform/omap/omap_vout.c | 11 +-
99431 drivers/media/platform/s5p-tv/mixer.h | 2 +-
99432 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
99433 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
99434 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
99435 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
99436 drivers/media/radio/radio-cadet.c | 2 +
99437 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
99438 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
99439 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
99440 drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
99441 drivers/message/fusion/mptsas.c | 34 +-
99442 drivers/message/fusion/mptscsih.c | 19 +-
99443 drivers/message/i2o/i2o_proc.c | 51 +-
99444 drivers/message/i2o/iop.c | 8 +-
99445 drivers/mfd/janz-cmodio.c | 1 +
99446 drivers/mfd/twl4030-irq.c | 9 +-
99447 drivers/mfd/twl6030-irq.c | 10 +-
99448 drivers/misc/c2port/core.c | 4 +-
99449 drivers/misc/kgdbts.c | 4 +-
99450 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
99451 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
99452 drivers/misc/sgi-gru/gruhandles.c | 4 +-
99453 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
99454 drivers/misc/sgi-gru/grutables.h | 154 +-
99455 drivers/misc/sgi-xp/xp.h | 2 +-
99456 drivers/misc/sgi-xp/xpc.h | 3 +-
99457 drivers/misc/sgi-xp/xpc_main.c | 4 +-
99458 drivers/mmc/core/mmc_ops.c | 2 +-
99459 drivers/mmc/host/dw_mmc.h | 2 +-
99460 drivers/mmc/host/sdhci-s3c.c | 8 +-
99461 drivers/mtd/nand/denali.c | 1 +
99462 drivers/mtd/nftlmount.c | 1 +
99463 drivers/mtd/sm_ftl.c | 2 +-
99464 drivers/net/bonding/bond_main.c | 2 +-
99465 drivers/net/ethernet/8390/ax88796.c | 4 +-
99466 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
99467 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
99468 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
99469 drivers/net/ethernet/broadcom/tg3.h | 1 +
99470 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
99471 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
99472 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
99473 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
99474 drivers/net/ethernet/faraday/ftmac100.c | 2 +
99475 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
99476 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
99477 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
99478 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
99479 drivers/net/ethernet/realtek/r8169.c | 8 +-
99480 drivers/net/ethernet/sfc/ptp.c | 2 +-
99481 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
99482 drivers/net/hyperv/hyperv_net.h | 2 +-
99483 drivers/net/hyperv/rndis_filter.c | 4 +-
99484 drivers/net/ieee802154/fakehard.c | 2 +-
99485 drivers/net/macvlan.c | 18 +-
99486 drivers/net/macvtap.c | 2 +-
99487 drivers/net/ppp/ppp_generic.c | 4 +-
99488 drivers/net/slip/slhc.c | 2 +-
99489 drivers/net/team/team.c | 2 +-
99490 drivers/net/tun.c | 5 +-
99491 drivers/net/usb/hso.c | 23 +-
99492 drivers/net/vxlan.c | 2 +-
99493 drivers/net/wireless/at76c50x-usb.c | 2 +-
99494 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
99495 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
99496 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
99497 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
99498 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
99499 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
99500 drivers/net/wireless/mac80211_hwsim.c | 32 +-
99501 drivers/net/wireless/rndis_wlan.c | 2 +-
99502 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
99503 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
99504 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
99505 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
99506 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
99507 drivers/oprofile/buffer_sync.c | 8 +-
99508 drivers/oprofile/event_buffer.c | 2 +-
99509 drivers/oprofile/oprof.c | 2 +-
99510 drivers/oprofile/oprofile_files.c | 2 +-
99511 drivers/oprofile/oprofile_stats.c | 10 +-
99512 drivers/oprofile/oprofile_stats.h | 10 +-
99513 drivers/oprofile/oprofilefs.c | 2 +-
99514 drivers/oprofile/timer_int.c | 2 +-
99515 drivers/parport/procfs.c | 4 +-
99516 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
99517 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
99518 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
99519 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
99520 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
99521 drivers/pci/hotplug/pciehp_core.c | 2 +-
99522 drivers/pci/pci-sysfs.c | 6 +-
99523 drivers/pci/pci.h | 2 +-
99524 drivers/pci/pcie/aspm.c | 6 +-
99525 drivers/pci/probe.c | 2 +-
99526 drivers/platform/x86/chromeos_laptop.c | 2 +-
99527 drivers/platform/x86/msi-laptop.c | 14 +-
99528 drivers/platform/x86/sony-laptop.c | 2 +-
99529 drivers/platform/x86/thinkpad_acpi.c | 70 +-
99530 drivers/pnp/pnpbios/bioscalls.c | 14 +-
99531 drivers/pnp/resource.c | 4 +-
99532 drivers/power/pda_power.c | 7 +-
99533 drivers/power/power_supply.h | 4 +-
99534 drivers/power/power_supply_core.c | 7 +-
99535 drivers/power/power_supply_sysfs.c | 6 +-
99536 drivers/regulator/max8660.c | 6 +-
99537 drivers/regulator/max8973-regulator.c | 8 +-
99538 drivers/regulator/mc13892-regulator.c | 6 +-
99539 drivers/rtc/rtc-cmos.c | 4 +-
99540 drivers/rtc/rtc-ds1307.c | 2 +-
99541 drivers/rtc/rtc-m48t59.c | 4 +-
99542 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
99543 drivers/scsi/bfa/bfa_ioc.h | 4 +-
99544 drivers/scsi/hosts.c | 4 +-
99545 drivers/scsi/hpsa.c | 30 +-
99546 drivers/scsi/hpsa.h | 2 +-
99547 drivers/scsi/libfc/fc_exch.c | 50 +-
99548 drivers/scsi/libsas/sas_ata.c | 2 +-
99549 drivers/scsi/lpfc/lpfc.h | 8 +-
99550 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
99551 drivers/scsi/lpfc/lpfc_init.c | 6 +-
99552 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
99553 drivers/scsi/pmcraid.c | 20 +-
99554 drivers/scsi/pmcraid.h | 8 +-
99555 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
99556 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
99557 drivers/scsi/qla2xxx/qla_os.c | 6 +-
99558 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
99559 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
99560 drivers/scsi/scsi.c | 2 +-
99561 drivers/scsi/scsi_lib.c | 6 +-
99562 drivers/scsi/scsi_sysfs.c | 2 +-
99563 drivers/scsi/scsi_tgt_lib.c | 2 +-
99564 drivers/scsi/scsi_transport_fc.c | 8 +-
99565 drivers/scsi/scsi_transport_iscsi.c | 6 +-
99566 drivers/scsi/scsi_transport_srp.c | 6 +-
99567 drivers/scsi/sd.c | 2 +-
99568 drivers/scsi/sg.c | 2 +-
99569 drivers/spi/spi.c | 2 +-
99570 drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
99571 drivers/staging/octeon/ethernet-rx.c | 12 +-
99572 drivers/staging/octeon/ethernet.c | 8 +-
99573 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
99574 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
99575 drivers/staging/usbip/vhci.h | 2 +-
99576 drivers/staging/usbip/vhci_hcd.c | 6 +-
99577 drivers/staging/usbip/vhci_rx.c | 2 +-
99578 drivers/staging/vt6655/hostap.c | 7 +-
99579 drivers/staging/vt6656/hostap.c | 7 +-
99580 drivers/staging/zcache/tmem.c | 4 +-
99581 drivers/staging/zcache/tmem.h | 2 +
99582 drivers/target/target_core_device.c | 2 +-
99583 drivers/target/target_core_transport.c | 2 +-
99584 drivers/tty/cyclades.c | 6 +-
99585 drivers/tty/hvc/hvc_console.c | 14 +-
99586 drivers/tty/hvc/hvcs.c | 21 +-
99587 drivers/tty/ipwireless/tty.c | 27 +-
99588 drivers/tty/moxa.c | 2 +-
99589 drivers/tty/n_gsm.c | 4 +-
99590 drivers/tty/n_tty.c | 3 +-
99591 drivers/tty/pty.c | 4 +-
99592 drivers/tty/rocket.c | 6 +-
99593 drivers/tty/serial/kgdboc.c | 32 +-
99594 drivers/tty/serial/samsung.c | 9 +-
99595 drivers/tty/serial/serial_core.c | 8 +-
99596 drivers/tty/synclink.c | 34 +-
99597 drivers/tty/synclink_gt.c | 28 +-
99598 drivers/tty/synclinkmp.c | 34 +-
99599 drivers/tty/tty_io.c | 2 +-
99600 drivers/tty/tty_ldisc.c | 10 +-
99601 drivers/tty/tty_port.c | 22 +-
99602 drivers/uio/uio.c | 21 +-
99603 drivers/usb/atm/cxacru.c | 2 +-
99604 drivers/usb/atm/usbatm.c | 24 +-
99605 drivers/usb/core/devices.c | 6 +-
99606 drivers/usb/core/hcd.c | 4 +-
99607 drivers/usb/core/message.c | 2 +-
99608 drivers/usb/core/sysfs.c | 2 +-
99609 drivers/usb/core/usb.c | 2 +-
99610 drivers/usb/early/ehci-dbgp.c | 16 +-
99611 drivers/usb/gadget/u_serial.c | 22 +-
99612 drivers/usb/serial/console.c | 6 +-
99613 drivers/usb/storage/usb.h | 2 +-
99614 drivers/usb/wusbcore/wa-hc.h | 4 +-
99615 drivers/usb/wusbcore/wa-xfer.c | 2 +-
99616 drivers/vhost/vringh.c | 2 +-
99617 drivers/video/aty/aty128fb.c | 2 +-
99618 drivers/video/aty/atyfb_base.c | 8 +-
99619 drivers/video/aty/mach64_cursor.c | 5 +-
99620 drivers/video/backlight/kb3886_bl.c | 2 +-
99621 drivers/video/fb_defio.c | 6 +-
99622 drivers/video/fbcmap.c | 3 +-
99623 drivers/video/fbmem.c | 6 +-
99624 drivers/video/i810/i810_accel.c | 1 +
99625 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
99626 drivers/video/nvidia/nvidia.c | 27 +-
99627 drivers/video/output.c | 2 +-
99628 drivers/video/s1d13xxxfb.c | 6 +-
99629 drivers/video/smscufx.c | 4 +-
99630 drivers/video/udlfb.c | 36 +-
99631 drivers/video/uvesafb.c | 53 +-
99632 drivers/video/vesafb.c | 58 +-
99633 drivers/video/via/via_clock.h | 2 +-
99634 fs/9p/vfs_addr.c | 2 +-
99635 fs/9p/vfs_inode.c | 2 +-
99636 fs/Kconfig.binfmt | 2 +-
99637 fs/aio.c | 12 +-
99638 fs/autofs4/waitq.c | 2 +-
99639 fs/befs/endian.h | 4 +-
99640 fs/befs/linuxvfs.c | 2 +-
99641 fs/binfmt_aout.c | 23 +-
99642 fs/binfmt_elf.c | 607 ++-
99643 fs/binfmt_flat.c | 6 +
99644 fs/bio.c | 6 +-
99645 fs/block_dev.c | 2 +-
99646 fs/btrfs/ctree.c | 9 +-
99647 fs/btrfs/super.c | 2 +-
99648 fs/cachefiles/bind.c | 6 +-
99649 fs/cachefiles/daemon.c | 8 +-
99650 fs/cachefiles/internal.h | 12 +-
99651 fs/cachefiles/namei.c | 2 +-
99652 fs/cachefiles/proc.c | 12 +-
99653 fs/cachefiles/rdwr.c | 2 +-
99654 fs/ceph/dir.c | 2 +-
99655 fs/cifs/cifs_debug.c | 12 +-
99656 fs/cifs/cifsfs.c | 8 +-
99657 fs/cifs/cifsglob.h | 54 +-
99658 fs/cifs/link.c | 2 +-
99659 fs/cifs/misc.c | 4 +-
99660 fs/cifs/smb1ops.c | 80 +-
99661 fs/cifs/smb2ops.c | 84 +-
99662 fs/cifs/smb2pdu.c | 3 +-
99663 fs/coda/cache.c | 10 +-
99664 fs/compat.c | 6 +-
99665 fs/compat_binfmt_elf.c | 2 +
99666 fs/compat_ioctl.c | 12 +-
99667 fs/configfs/dir.c | 10 +-
99668 fs/coredump.c | 24 +-
99669 fs/dcache.c | 2 +-
99670 fs/ecryptfs/inode.c | 4 +-
99671 fs/ecryptfs/miscdev.c | 2 +-
99672 fs/exec.c | 362 ++-
99673 fs/ext4/ext4.h | 20 +-
99674 fs/ext4/mballoc.c | 44 +-
99675 fs/ext4/mmp.c | 2 +-
99676 fs/ext4/super.c | 4 +-
99677 fs/fhandle.c | 3 +-
99678 fs/fs_struct.c | 8 +-
99679 fs/fscache/cookie.c | 36 +-
99680 fs/fscache/internal.h | 196 +-
99681 fs/fscache/object.c | 28 +-
99682 fs/fscache/operation.c | 30 +-
99683 fs/fscache/page.c | 110 +-
99684 fs/fscache/stats.c | 344 +-
99685 fs/fuse/cuse.c | 10 +-
99686 fs/fuse/dev.c | 4 +-
99687 fs/fuse/dir.c | 2 +-
99688 fs/gfs2/inode.c | 2 +-
99689 fs/hugetlbfs/inode.c | 13 +-
99690 fs/inode.c | 4 +-
99691 fs/jffs2/erase.c | 3 +-
99692 fs/jffs2/wbuf.c | 3 +-
99693 fs/jfs/super.c | 2 +-
99694 fs/libfs.c | 10 +-
99695 fs/lockd/clntproc.c | 4 +-
99696 fs/lockd/svc.c | 2 +-
99697 fs/locks.c | 8 +-
99698 fs/namei.c | 15 +-
99699 fs/namespace.c | 10 +-
99700 fs/nfs/callback.c | 4 +-
99701 fs/nfs/callback_xdr.c | 2 +-
99702 fs/nfs/inode.c | 6 +-
99703 fs/nfs/nfs4state.c | 2 +-
99704 fs/nfsd/nfs4proc.c | 2 +-
99705 fs/nfsd/nfs4xdr.c | 6 +-
99706 fs/nfsd/nfscache.c | 9 +-
99707 fs/nfsd/vfs.c | 6 +-
99708 fs/nls/nls_base.c | 18 +-
99709 fs/nls/nls_euc-jp.c | 6 +-
99710 fs/nls/nls_koi8-ru.c | 6 +-
99711 fs/notify/fanotify/fanotify_user.c | 4 +-
99712 fs/notify/notification.c | 4 +-
99713 fs/ntfs/dir.c | 2 +-
99714 fs/ntfs/file.c | 4 +-
99715 fs/ocfs2/localalloc.c | 2 +-
99716 fs/ocfs2/ocfs2.h | 10 +-
99717 fs/ocfs2/suballoc.c | 12 +-
99718 fs/ocfs2/super.c | 20 +-
99719 fs/pipe.c | 61 +-
99720 fs/proc/array.c | 20 +
99721 fs/proc/base.c | 4 +-
99722 fs/proc/kcore.c | 32 +-
99723 fs/proc/meminfo.c | 2 +-
99724 fs/proc/nommu.c | 2 +-
99725 fs/proc/proc_sysctl.c | 18 +-
99726 fs/proc/self.c | 2 +-
99727 fs/proc/task_mmu.c | 39 +-
99728 fs/proc/task_nommu.c | 4 +-
99729 fs/proc/vmcore.c | 12 +-
99730 fs/qnx6/qnx6.h | 4 +-
99731 fs/quota/netlink.c | 4 +-
99732 fs/read_write.c | 2 +-
99733 fs/readdir.c | 2 +-
99734 fs/reiserfs/do_balan.c | 2 +-
99735 fs/reiserfs/procfs.c | 2 +-
99736 fs/reiserfs/reiserfs.h | 4 +-
99737 fs/seq_file.c | 2 +-
99738 fs/splice.c | 40 +-
99739 fs/sysfs/bin.c | 6 +-
99740 fs/sysfs/dir.c | 2 +-
99741 fs/sysfs/file.c | 10 +-
99742 fs/sysfs/symlink.c | 2 +-
99743 fs/sysv/sysv.h | 2 +-
99744 fs/ubifs/io.c | 2 +-
99745 fs/udf/misc.c | 2 +-
99746 fs/ufs/swab.h | 4 +-
99747 fs/xattr.c | 21 +
99748 fs/xattr_acl.c | 4 +-
99749 fs/xfs/xfs_bmap.c | 2 +-
99750 fs/xfs/xfs_dir2_sf.c | 10 +-
99751 fs/xfs/xfs_ioctl.c | 2 +-
99752 fs/xfs/xfs_iops.c | 2 +-
99753 include/asm-generic/4level-fixup.h | 2 +
99754 include/asm-generic/atomic-long.h | 210 +
99755 include/asm-generic/atomic.h | 2 +-
99756 include/asm-generic/atomic64.h | 12 +
99757 include/asm-generic/cache.h | 4 +-
99758 include/asm-generic/emergency-restart.h | 2 +-
99759 include/asm-generic/kmap_types.h | 4 +-
99760 include/asm-generic/local.h | 13 +
99761 include/asm-generic/pgtable-nopmd.h | 18 +-
99762 include/asm-generic/pgtable-nopud.h | 15 +-
99763 include/asm-generic/pgtable.h | 8 +
99764 include/asm-generic/vmlinux.lds.h | 10 +-
99765 include/crypto/algapi.h | 2 +-
99766 include/drm/drmP.h | 17 +-
99767 include/drm/drm_crtc_helper.h | 2 +-
99768 include/drm/ttm/ttm_memory.h | 2 +-
99769 include/keys/asymmetric-subtype.h | 2 +-
99770 include/linux/atmdev.h | 4 +-
99771 include/linux/binfmts.h | 3 +-
99772 include/linux/blkdev.h | 2 +-
99773 include/linux/blktrace_api.h | 2 +-
99774 include/linux/cache.h | 4 +
99775 include/linux/cdrom.h | 1 -
99776 include/linux/cleancache.h | 2 +-
99777 include/linux/clk-provider.h | 1 +
99778 include/linux/compat.h | 4 +-
99779 include/linux/compiler-gcc4.h | 20 +
99780 include/linux/compiler.h | 65 +-
99781 include/linux/completion.h | 6 +-
99782 include/linux/configfs.h | 2 +-
99783 include/linux/cpu.h | 2 +-
99784 include/linux/cpufreq.h | 3 +-
99785 include/linux/cpuidle.h | 5 +-
99786 include/linux/cpumask.h | 12 +-
99787 include/linux/crypto.h | 6 +-
99788 include/linux/ctype.h | 2 +-
99789 include/linux/decompress/mm.h | 2 +-
99790 include/linux/devfreq.h | 2 +-
99791 include/linux/device.h | 7 +-
99792 include/linux/dma-mapping.h | 2 +-
99793 include/linux/dmaengine.h | 4 +-
99794 include/linux/efi.h | 1 +
99795 include/linux/elf.h | 2 +
99796 include/linux/err.h | 4 +-
99797 include/linux/extcon.h | 2 +-
99798 include/linux/fb.h | 2 +-
99799 include/linux/filter.h | 4 +
99800 include/linux/frontswap.h | 2 +-
99801 include/linux/fs.h | 3 +-
99802 include/linux/fs_struct.h | 2 +-
99803 include/linux/fscache-cache.h | 4 +-
99804 include/linux/fscache.h | 2 +-
99805 include/linux/fsnotify.h | 2 +-
99806 include/linux/genhd.h | 2 +-
99807 include/linux/genl_magic_func.h | 2 +-
99808 include/linux/gfp.h | 12 +-
99809 include/linux/highmem.h | 12 +
99810 include/linux/hwmon-sysfs.h | 5 +-
99811 include/linux/i2c.h | 1 +
99812 include/linux/i2o.h | 2 +-
99813 include/linux/if_pppox.h | 2 +-
99814 include/linux/init.h | 33 +-
99815 include/linux/init_task.h | 7 +
99816 include/linux/interrupt.h | 8 +-
99817 include/linux/iommu.h | 2 +-
99818 include/linux/ioport.h | 2 +-
99819 include/linux/irq.h | 3 +-
99820 include/linux/irqchip/arm-gic.h | 4 +-
99821 include/linux/key-type.h | 2 +-
99822 include/linux/kgdb.h | 6 +-
99823 include/linux/kobject.h | 3 +-
99824 include/linux/kobject_ns.h | 2 +-
99825 include/linux/kref.h | 2 +-
99826 include/linux/kvm_host.h | 4 +-
99827 include/linux/libata.h | 2 +-
99828 include/linux/list.h | 15 +
99829 include/linux/math64.h | 6 +-
99830 include/linux/mm.h | 116 +-
99831 include/linux/mm_types.h | 20 +
99832 include/linux/mmiotrace.h | 4 +-
99833 include/linux/mmzone.h | 2 +-
99834 include/linux/mod_devicetable.h | 6 +-
99835 include/linux/module.h | 60 +-
99836 include/linux/moduleloader.h | 16 +
99837 include/linux/moduleparam.h | 4 +-
99838 include/linux/namei.h | 6 +-
99839 include/linux/net.h | 2 +-
99840 include/linux/netdevice.h | 3 +-
99841 include/linux/netfilter.h | 2 +-
99842 include/linux/netfilter/ipset/ip_set.h | 2 +-
99843 include/linux/netfilter/nfnetlink.h | 2 +-
99844 include/linux/nls.h | 2 +-
99845 include/linux/notifier.h | 3 +-
99846 include/linux/oprofile.h | 4 +-
99847 include/linux/pci_hotplug.h | 3 +-
99848 include/linux/perf_event.h | 12 +-
99849 include/linux/pipe_fs_i.h | 8 +-
99850 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
99851 include/linux/platform_data/usb-ohci-exynos.h | 2 +-
99852 include/linux/pm_domain.h | 2 +-
99853 include/linux/pm_runtime.h | 2 +-
99854 include/linux/pnp.h | 2 +-
99855 include/linux/poison.h | 4 +-
99856 include/linux/power/smartreflex.h | 2 +-
99857 include/linux/ppp-comp.h | 2 +-
99858 include/linux/proc_ns.h | 2 +-
99859 include/linux/random.h | 5 +
99860 include/linux/rculist.h | 16 +
99861 include/linux/reboot.h | 14 +-
99862 include/linux/regset.h | 3 +-
99863 include/linux/relay.h | 2 +-
99864 include/linux/rio.h | 2 +-
99865 include/linux/rmap.h | 4 +-
99866 include/linux/sched.h | 65 +-
99867 include/linux/sched/sysctl.h | 1 +
99868 include/linux/seq_file.h | 1 +
99869 include/linux/skbuff.h | 12 +-
99870 include/linux/slab.h | 42 +-
99871 include/linux/slab_def.h | 28 +-
99872 include/linux/slob_def.h | 4 +-
99873 include/linux/slub_def.h | 8 +-
99874 include/linux/sock_diag.h | 2 +-
99875 include/linux/sonet.h | 2 +-
99876 include/linux/sunrpc/addr.h | 8 +-
99877 include/linux/sunrpc/clnt.h | 2 +-
99878 include/linux/sunrpc/svc.h | 2 +-
99879 include/linux/sunrpc/svc_rdma.h | 18 +-
99880 include/linux/sunrpc/svcauth.h | 2 +-
99881 include/linux/swiotlb.h | 3 +-
99882 include/linux/syscalls.h | 10 +-
99883 include/linux/syscore_ops.h | 2 +-
99884 include/linux/sysctl.h | 6 +-
99885 include/linux/sysfs.h | 10 +-
99886 include/linux/sysrq.h | 3 +-
99887 include/linux/thread_info.h | 7 +
99888 include/linux/tty.h | 4 +-
99889 include/linux/tty_driver.h | 2 +-
99890 include/linux/tty_ldisc.h | 2 +-
99891 include/linux/types.h | 16 +
99892 include/linux/uaccess.h | 6 +-
99893 include/linux/unaligned/access_ok.h | 24 +-
99894 include/linux/usb.h | 4 +-
99895 include/linux/usb/renesas_usbhs.h | 2 +-
99896 include/linux/vermagic.h | 21 +-
99897 include/linux/vmalloc.h | 11 +-
99898 include/linux/vmstat.h | 20 +-
99899 include/linux/xattr.h | 5 +-
99900 include/linux/zlib.h | 3 +-
99901 include/media/v4l2-dev.h | 2 +-
99902 include/net/9p/transport.h | 2 +-
99903 include/net/bluetooth/l2cap.h | 2 +-
99904 include/net/caif/cfctrl.h | 6 +-
99905 include/net/flow.h | 2 +-
99906 include/net/genetlink.h | 2 +-
99907 include/net/gro_cells.h | 2 +-
99908 include/net/inet_connection_sock.h | 2 +-
99909 include/net/inetpeer.h | 8 +-
99910 include/net/ip.h | 2 +-
99911 include/net/ip_fib.h | 2 +-
99912 include/net/ip_vs.h | 8 +-
99913 include/net/irda/ircomm_tty.h | 1 +
99914 include/net/iucv/af_iucv.h | 2 +-
99915 include/net/llc_c_ac.h | 2 +-
99916 include/net/llc_c_ev.h | 4 +-
99917 include/net/llc_c_st.h | 2 +-
99918 include/net/llc_s_ac.h | 2 +-
99919 include/net/llc_s_st.h | 2 +-
99920 include/net/mac80211.h | 2 +-
99921 include/net/neighbour.h | 2 +-
99922 include/net/net_namespace.h | 12 +-
99923 include/net/netdma.h | 2 +-
99924 include/net/netlink.h | 2 +-
99925 include/net/netns/conntrack.h | 6 +-
99926 include/net/netns/ipv4.h | 2 +-
99927 include/net/netns/ipv6.h | 2 +-
99928 include/net/protocol.h | 4 +-
99929 include/net/rtnetlink.h | 2 +-
99930 include/net/sctp/sctp.h | 6 +-
99931 include/net/sctp/sm.h | 4 +-
99932 include/net/sctp/structs.h | 2 +-
99933 include/net/sock.h | 6 +-
99934 include/net/tcp.h | 8 +-
99935 include/net/xfrm.h | 8 +-
99936 include/rdma/iw_cm.h | 2 +-
99937 include/scsi/libfc.h | 3 +-
99938 include/scsi/scsi_device.h | 6 +-
99939 include/scsi/scsi_transport_fc.h | 3 +-
99940 include/sound/compress_driver.h | 2 +-
99941 include/sound/soc.h | 4 +-
99942 include/target/target_core_base.h | 2 +-
99943 include/trace/events/irq.h | 4 +-
99944 include/uapi/linux/a.out.h | 8 +
99945 include/uapi/linux/byteorder/little_endian.h | 28 +-
99946 include/uapi/linux/elf.h | 28 +
99947 include/uapi/linux/screen_info.h | 3 +-
99948 include/uapi/linux/swab.h | 6 +-
99949 include/uapi/linux/sysctl.h | 6 +-
99950 include/uapi/linux/xattr.h | 4 +
99951 include/video/udlfb.h | 8 +-
99952 include/video/uvesafb.h | 1 +
99953 init/Kconfig | 2 +-
99954 init/Makefile | 3 +
99955 init/do_mounts.c | 14 +-
99956 init/do_mounts.h | 8 +-
99957 init/do_mounts_initrd.c | 30 +-
99958 init/do_mounts_md.c | 6 +-
99959 init/init_task.c | 4 +
99960 init/initramfs.c | 42 +-
99961 init/main.c | 83 +-
99962 ipc/ipc_sysctl.c | 10 +-
99963 ipc/mq_sysctl.c | 2 +-
99964 ipc/msg.c | 11 +-
99965 ipc/sem.c | 11 +-
99966 ipc/shm.c | 17 +-
99967 kernel/acct.c | 2 +-
99968 kernel/audit.c | 8 +-
99969 kernel/auditfilter.c | 2 +-
99970 kernel/auditsc.c | 4 +-
99971 kernel/capability.c | 3 +
99972 kernel/compat.c | 38 +-
99973 kernel/debug/debug_core.c | 16 +-
99974 kernel/debug/kdb/kdb_main.c | 4 +-
99975 kernel/events/core.c | 30 +-
99976 kernel/events/internal.h | 10 +-
99977 kernel/exit.c | 4 +-
99978 kernel/fork.c | 167 +-
99979 kernel/futex.c | 9 +
99980 kernel/futex_compat.c | 2 +-
99981 kernel/gcov/base.c | 7 +-
99982 kernel/hrtimer.c | 4 +-
99983 kernel/irq_work.c | 7 +-
99984 kernel/jump_label.c | 5 +
99985 kernel/kallsyms.c | 39 +-
99986 kernel/kexec.c | 3 +-
99987 kernel/kmod.c | 4 +-
99988 kernel/kprobes.c | 8 +-
99989 kernel/ksysfs.c | 2 +-
99990 kernel/lockdep.c | 7 +-
99991 kernel/module.c | 337 +-
99992 kernel/mutex-debug.c | 12 +-
99993 kernel/mutex-debug.h | 4 +-
99994 kernel/mutex.c | 11 +-
99995 kernel/notifier.c | 17 +-
99996 kernel/panic.c | 3 +-
99997 kernel/pid.c | 2 +-
99998 kernel/pid_namespace.c | 2 +-
99999 kernel/posix-cpu-timers.c | 4 +-
100000 kernel/posix-timers.c | 22 +-
100001 kernel/power/process.c | 12 +-
100002 kernel/profile.c | 14 +-
100003 kernel/ptrace.c | 8 +-
100004 kernel/rcupdate.c | 4 +-
100005 kernel/rcutiny.c | 4 +-
100006 kernel/rcutiny_plugin.h | 2 +-
100007 kernel/rcutorture.c | 56 +-
100008 kernel/rcutree.c | 76 +-
100009 kernel/rcutree.h | 24 +-
100010 kernel/rcutree_plugin.h | 20 +-
100011 kernel/rcutree_trace.c | 22 +-
100012 kernel/rtmutex-tester.c | 24 +-
100013 kernel/sched/auto_group.c | 4 +-
100014 kernel/sched/core.c | 51 +-
100015 kernel/sched/fair.c | 4 +-
100016 kernel/sched/sched.h | 2 +-
100017 kernel/signal.c | 12 +-
100018 kernel/smp.c | 2 +-
100019 kernel/smpboot.c | 4 +-
100020 kernel/softirq.c | 18 +-
100021 kernel/srcu.c | 4 +-
100022 kernel/sys.c | 10 +-
100023 kernel/sysctl.c | 39 +-
100024 kernel/time.c | 2 +-
100025 kernel/time/alarmtimer.c | 2 +-
100026 kernel/time/tick-broadcast.c | 2 +-
100027 kernel/time/timer_stats.c | 10 +-
100028 kernel/timer.c | 6 +-
100029 kernel/trace/blktrace.c | 6 +-
100030 kernel/trace/ftrace.c | 18 +-
100031 kernel/trace/ring_buffer.c | 76 +-
100032 kernel/trace/trace.c | 2 +-
100033 kernel/trace/trace.h | 2 +-
100034 kernel/trace/trace_events.c | 25 +-
100035 kernel/trace/trace_mmiotrace.c | 8 +-
100036 kernel/trace/trace_output.c | 12 +-
100037 kernel/trace/trace_stack.c | 2 +-
100038 kernel/user_namespace.c | 2 +-
100039 kernel/utsname_sysctl.c | 2 +-
100040 kernel/watchdog.c | 2 +-
100041 kernel/workqueue.c | 2 +-
100042 lib/Kconfig.debug | 8 +-
100043 lib/Makefile | 2 +-
100044 lib/bitmap.c | 8 +-
100045 lib/bug.c | 2 +
100046 lib/debugobjects.c | 2 +-
100047 lib/devres.c | 4 +-
100048 lib/div64.c | 4 +-
100049 lib/dma-debug.c | 4 +-
100050 lib/inflate.c | 2 +-
100051 lib/ioremap.c | 4 +-
100052 lib/kobject.c | 6 +-
100053 lib/list_debug.c | 126 +-
100054 lib/radix-tree.c | 2 +-
100055 lib/strncpy_from_user.c | 2 +-
100056 lib/strnlen_user.c | 2 +-
100057 lib/swiotlb.c | 2 +-
100058 lib/usercopy.c | 6 +
100059 lib/vsprintf.c | 12 +-
100060 mm/Kconfig | 6 +-
100061 mm/backing-dev.c | 4 +-
100062 mm/filemap.c | 2 +-
100063 mm/fremap.c | 5 +
100064 mm/highmem.c | 7 +-
100065 mm/hugetlb.c | 70 +-
100066 mm/internal.h | 1 +
100067 mm/maccess.c | 4 +-
100068 mm/madvise.c | 41 +
100069 mm/memory-failure.c | 26 +-
100070 mm/memory.c | 424 ++-
100071 mm/mempolicy.c | 26 +
100072 mm/mlock.c | 15 +-
100073 mm/mmap.c | 606 ++-
100074 mm/mprotect.c | 139 +-
100075 mm/mremap.c | 44 +-
100076 mm/nommu.c | 21 +-
100077 mm/page-writeback.c | 4 +-
100078 mm/page_alloc.c | 41 +-
100079 mm/page_io.c | 2 +-
100080 mm/percpu.c | 2 +-
100081 mm/process_vm_access.c | 14 +-
100082 mm/rmap.c | 38 +-
100083 mm/shmem.c | 19 +-
100084 mm/slab.c | 79 +-
100085 mm/slab.h | 5 +-
100086 mm/slab_common.c | 46 +-
100087 mm/slob.c | 201 +-
100088 mm/slub.c | 79 +-
100089 mm/sparse-vmemmap.c | 4 +-
100090 mm/sparse.c | 2 +-
100091 mm/swap.c | 3 +
100092 mm/swapfile.c | 12 +-
100093 mm/util.c | 6 +
100094 mm/vmalloc.c | 77 +-
100095 mm/vmstat.c | 12 +-
100096 net/8021q/vlan.c | 5 +-
100097 net/9p/mod.c | 4 +-
100098 net/9p/trans_fd.c | 2 +-
100099 net/atm/atm_misc.c | 8 +-
100100 net/atm/lec.h | 2 +-
100101 net/atm/proc.c | 6 +-
100102 net/atm/resources.c | 4 +-
100103 net/ax25/sysctl_net_ax25.c | 2 +-
100104 net/batman-adv/bat_iv_ogm.c | 8 +-
100105 net/batman-adv/hard-interface.c | 4 +-
100106 net/batman-adv/soft-interface.c | 4 +-
100107 net/batman-adv/types.h | 6 +-
100108 net/batman-adv/unicast.c | 2 +-
100109 net/bluetooth/hci_core.c | 8 +-
100110 net/bluetooth/hci_sock.c | 2 +-
100111 net/bluetooth/l2cap_core.c | 6 +-
100112 net/bluetooth/l2cap_sock.c | 12 +-
100113 net/bluetooth/rfcomm/sock.c | 4 +-
100114 net/bluetooth/rfcomm/tty.c | 10 +-
100115 net/bridge/netfilter/ebtables.c | 6 +-
100116 net/caif/cfctrl.c | 11 +-
100117 net/can/af_can.c | 2 +-
100118 net/can/gw.c | 6 +-
100119 net/compat.c | 34 +-
100120 net/core/datagram.c | 2 +-
100121 net/core/dev.c | 16 +-
100122 net/core/flow.c | 8 +-
100123 net/core/iovec.c | 4 +-
100124 net/core/neighbour.c | 2 +-
100125 net/core/net-sysfs.c | 2 +-
100126 net/core/net_namespace.c | 8 +-
100127 net/core/rtnetlink.c | 13 +-
100128 net/core/scm.c | 8 +-
100129 net/core/sock.c | 24 +-
100130 net/core/sock_diag.c | 9 +-
100131 net/core/sysctl_net_core.c | 18 +-
100132 net/decnet/af_decnet.c | 1 +
100133 net/decnet/sysctl_net_decnet.c | 4 +-
100134 net/ipv4/af_inet.c | 8 +-
100135 net/ipv4/ah4.c | 2 +-
100136 net/ipv4/devinet.c | 18 +-
100137 net/ipv4/esp4.c | 2 +-
100138 net/ipv4/fib_frontend.c | 6 +-
100139 net/ipv4/fib_semantics.c | 2 +-
100140 net/ipv4/inet_connection_sock.c | 2 +-
100141 net/ipv4/inetpeer.c | 4 +-
100142 net/ipv4/ip_fragment.c | 15 +-
100143 net/ipv4/ip_gre.c | 6 +-
100144 net/ipv4/ip_sockglue.c | 2 +-
100145 net/ipv4/ip_vti.c | 4 +-
100146 net/ipv4/ipcomp.c | 2 +-
100147 net/ipv4/ipconfig.c | 6 +-
100148 net/ipv4/ipip.c | 4 +-
100149 net/ipv4/netfilter/arp_tables.c | 12 +-
100150 net/ipv4/netfilter/ip_tables.c | 12 +-
100151 net/ipv4/ping.c | 2 +-
100152 net/ipv4/raw.c | 14 +-
100153 net/ipv4/route.c | 18 +-
100154 net/ipv4/sysctl_net_ipv4.c | 45 +-
100155 net/ipv4/tcp_input.c | 2 +-
100156 net/ipv4/tcp_probe.c | 2 +-
100157 net/ipv4/udp.c | 10 +-
100158 net/ipv4/xfrm4_policy.c | 14 +-
100159 net/ipv6/addrconf.c | 12 +-
100160 net/ipv6/icmp.c | 2 +-
100161 net/ipv6/ip6_gre.c | 8 +-
100162 net/ipv6/ip6_tunnel.c | 4 +-
100163 net/ipv6/ipv6_sockglue.c | 2 +-
100164 net/ipv6/netfilter/ip6_tables.c | 12 +-
100165 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
100166 net/ipv6/raw.c | 19 +-
100167 net/ipv6/reassembly.c | 13 +-
100168 net/ipv6/route.c | 2 +-
100169 net/ipv6/sit.c | 4 +-
100170 net/ipv6/sysctl_net_ipv6.c | 2 +-
100171 net/ipv6/udp.c | 8 +-
100172 net/ipv6/xfrm6_policy.c | 13 +-
100173 net/irda/ircomm/ircomm_tty.c | 18 +-
100174 net/iucv/af_iucv.c | 4 +-
100175 net/iucv/iucv.c | 2 +-
100176 net/key/af_key.c | 4 +-
100177 net/mac80211/cfg.c | 8 +-
100178 net/mac80211/ieee80211_i.h | 3 +-
100179 net/mac80211/iface.c | 16 +-
100180 net/mac80211/main.c | 2 +-
100181 net/mac80211/pm.c | 6 +-
100182 net/mac80211/rate.c | 2 +-
100183 net/mac80211/rc80211_pid_debugfs.c | 2 +-
100184 net/mac80211/util.c | 4 +-
100185 net/netfilter/ipset/ip_set_core.c | 2 +-
100186 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
100187 net/netfilter/ipvs/ip_vs_core.c | 4 +-
100188 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
100189 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
100190 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
100191 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
100192 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
100193 net/netfilter/nf_conntrack_acct.c | 2 +-
100194 net/netfilter/nf_conntrack_ecache.c | 2 +-
100195 net/netfilter/nf_conntrack_helper.c | 2 +-
100196 net/netfilter/nf_conntrack_proto.c | 2 +-
100197 net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
100198 net/netfilter/nf_conntrack_standalone.c | 2 +-
100199 net/netfilter/nf_conntrack_timestamp.c | 2 +-
100200 net/netfilter/nf_log.c | 10 +-
100201 net/netfilter/nf_sockopt.c | 4 +-
100202 net/netfilter/nfnetlink_log.c | 4 +-
100203 net/netfilter/xt_statistic.c | 8 +-
100204 net/netlink/af_netlink.c | 4 +-
100205 net/netlink/genetlink.c | 16 +-
100206 net/packet/af_packet.c | 12 +-
100207 net/phonet/pep.c | 6 +-
100208 net/phonet/socket.c | 2 +-
100209 net/phonet/sysctl.c | 2 +-
100210 net/rds/cong.c | 6 +-
100211 net/rds/ib.h | 2 +-
100212 net/rds/ib_cm.c | 2 +-
100213 net/rds/ib_recv.c | 4 +-
100214 net/rds/iw.h | 2 +-
100215 net/rds/iw_cm.c | 2 +-
100216 net/rds/iw_recv.c | 4 +-
100217 net/rds/rds.h | 2 +-
100218 net/rds/tcp.c | 2 +-
100219 net/rds/tcp_send.c | 2 +-
100220 net/rxrpc/af_rxrpc.c | 2 +-
100221 net/rxrpc/ar-ack.c | 14 +-
100222 net/rxrpc/ar-call.c | 2 +-
100223 net/rxrpc/ar-connection.c | 2 +-
100224 net/rxrpc/ar-connevent.c | 2 +-
100225 net/rxrpc/ar-input.c | 4 +-
100226 net/rxrpc/ar-internal.h | 8 +-
100227 net/rxrpc/ar-local.c | 2 +-
100228 net/rxrpc/ar-output.c | 4 +-
100229 net/rxrpc/ar-peer.c | 2 +-
100230 net/rxrpc/ar-proc.c | 4 +-
100231 net/rxrpc/ar-transport.c | 2 +-
100232 net/rxrpc/rxkad.c | 4 +-
100233 net/sctp/ipv6.c | 6 +-
100234 net/sctp/protocol.c | 10 +-
100235 net/sctp/sm_sideeffect.c | 2 +-
100236 net/sctp/socket.c | 21 +-
100237 net/sctp/sysctl.c | 4 +-
100238 net/socket.c | 18 +-
100239 net/sunrpc/clnt.c | 4 +-
100240 net/sunrpc/sched.c | 4 +-
100241 net/sunrpc/svc.c | 6 +-
100242 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
100243 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
100244 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
100245 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
100246 net/tipc/link.c | 6 +-
100247 net/tipc/msg.c | 2 +-
100248 net/tipc/subscr.c | 2 +-
100249 net/unix/sysctl_net_unix.c | 2 +-
100250 net/wireless/wext-core.c | 19 +-
100251 net/xfrm/xfrm_policy.c | 27 +-
100252 net/xfrm/xfrm_state.c | 29 +-
100253 net/xfrm/xfrm_sysctl.c | 2 +-
100254 scripts/Makefile.build | 2 +-
100255 scripts/Makefile.clean | 3 +-
100256 scripts/Makefile.host | 28 +-
100257 scripts/basic/fixdep.c | 12 +-
100258 scripts/gcc-plugin.sh | 17 +
100259 scripts/headers_install.sh | 1 +
100260 scripts/link-vmlinux.sh | 2 +-
100261 scripts/mod/file2alias.c | 14 +-
100262 scripts/mod/modpost.c | 25 +-
100263 scripts/mod/modpost.h | 6 +-
100264 scripts/mod/sumversion.c | 2 +-
100265 scripts/package/builddeb | 1 +
100266 scripts/pnmtologo.c | 6 +-
100267 scripts/sortextable.h | 6 +-
100268 security/Kconfig | 676 +++-
100269 security/apparmor/lsm.c | 2 +-
100270 security/integrity/ima/ima.h | 4 +-
100271 security/integrity/ima/ima_api.c | 2 +-
100272 security/integrity/ima/ima_fs.c | 4 +-
100273 security/integrity/ima/ima_queue.c | 2 +-
100274 security/keys/compat.c | 2 +-
100275 security/keys/internal.h | 2 +-
100276 security/keys/key.c | 18 +-
100277 security/keys/keyctl.c | 8 +-
100278 security/keys/keyring.c | 6 +-
100279 security/security.c | 9 +-
100280 security/selinux/hooks.c | 2 +-
100281 security/selinux/include/xfrm.h | 2 +-
100282 security/smack/smack_lsm.c | 2 +-
100283 security/tomoyo/tomoyo.c | 2 +-
100284 security/yama/yama_lsm.c | 22 +-
100285 sound/aoa/codecs/onyx.c | 7 +-
100286 sound/aoa/codecs/onyx.h | 1 +
100287 sound/core/oss/pcm_oss.c | 18 +-
100288 sound/core/pcm_compat.c | 2 +-
100289 sound/core/pcm_native.c | 4 +-
100290 sound/core/seq/seq_device.c | 8 +-
100291 sound/core/sound.c | 2 +-
100292 sound/drivers/mts64.c | 14 +-
100293 sound/drivers/opl4/opl4_lib.c | 2 +-
100294 sound/drivers/portman2x4.c | 3 +-
100295 sound/firewire/amdtp.c | 4 +-
100296 sound/firewire/amdtp.h | 2 +-
100297 sound/firewire/isight.c | 10 +-
100298 sound/firewire/scs1x.c | 8 +-
100299 sound/oss/sb_audio.c | 2 +-
100300 sound/oss/swarm_cs4297a.c | 6 +-
100301 sound/pci/ymfpci/ymfpci.h | 2 +-
100302 sound/pci/ymfpci/ymfpci_main.c | 12 +-
100303 sound/soc/fsl/fsl_ssi.c | 2 +-
100304 sound/sound_core.c | 2 +-
100305 tools/gcc/.gitignore | 1 +
100306 tools/gcc/Makefile | 45 +
100307 tools/gcc/checker_plugin.c | 172 +
100308 tools/gcc/colorize_plugin.c | 151 +
100309 tools/gcc/constify_plugin.c | 560 ++
100310 tools/gcc/generate_size_overflow_hash.sh | 94 +
100311 tools/gcc/kallocstat_plugin.c | 170 +
100312 tools/gcc/kernexec_plugin.c | 465 ++
100313 tools/gcc/latent_entropy_plugin.c | 327 ++
100314 tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++
100315 tools/gcc/size_overflow_plugin.c | 2114 +++++++
100316 tools/gcc/stackleak_plugin.c | 327 ++
100317 tools/gcc/structleak_plugin.c | 277 +
100318 tools/perf/util/include/asm/alternative-asm.h | 3 +
100319 tools/perf/util/include/linux/compiler.h | 8 +
100320 virt/kvm/kvm_main.c | 32 +-
100321 1607 files changed, 30734 insertions(+), 7318 deletions(-)
100322commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
100323Merge: 0949bd4 fc53d63
100324Author: Brad Spengler <spender@grsecurity.net>
100325Date: Thu Mar 22 19:03:44 2012 -0400
100326
100327 Merge branch 'pax-test' into grsec-test
100328
100329commit fc53d6338964741b368070ec5c935bc579b8c2a6
100330Author: Brad Spengler <spender@grsecurity.net>
100331Date: Thu Mar 22 19:02:45 2012 -0400
100332
100333 Update to pax-linux-3.2.12-test33.patch
100334
100335commit 0949bd46a6455b308f66ad7c993bfee62412db35
100336Author: Brad Spengler <spender@grsecurity.net>
100337Date: Thu Mar 22 16:56:09 2012 -0400
100338
100339 Use current_umask() instead of current->fs->umask
100340
100341commit 22f6432d0fe733619cfcb523782ed7d80c46d645
100342Author: Brad Spengler <spender@grsecurity.net>
100343Date: Wed Mar 21 19:42:42 2012 -0400
100344
100345 compile fix
100346
100347commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
100348Author: Brad Spengler <spender@grsecurity.net>
100349Date: Wed Mar 21 19:34:56 2012 -0400
100350
100351 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
100352 uses of domains with particular hash collisions
100353
100354commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
100355Author: Brad Spengler <spender@grsecurity.net>
100356Date: Tue Mar 20 20:25:49 2012 -0400
100357
100358 zero kernel_role
100359
100360commit b00953b43c69238d181d21121ef1577c988d5f6b
100361Author: Brad Spengler <spender@grsecurity.net>
100362Date: Tue Mar 20 19:29:34 2012 -0400
100363
100364 zero real_root after releasing it
100365
100366commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
100367Merge: b724f59 273f98e
100368Author: Brad Spengler <spender@grsecurity.net>
100369Date: Tue Mar 20 19:11:26 2012 -0400
100370
100371 Merge branch 'pax-test' into grsec-test
100372
100373commit 273f98e58cdac555d3b5dce5c1ca168349f95878
100374Author: Brad Spengler <spender@grsecurity.net>
100375Date: Tue Mar 20 19:10:52 2012 -0400
100376
100377 Temporary workaround for (most) size_overflow plugin false-positives
100378 Increase randomization for brk-managed heap to 21 bits
100379 Update to pax-linux-3.2.12-test32.patch
100380
100381commit b724f59125304460c2af8bd4b02921993afbb5d3
100382Author: Brad Spengler <spender@grsecurity.net>
100383Date: Tue Mar 20 18:58:53 2012 -0400
100384
100385 compile fix
100386
100387commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
100388Author: Brad Spengler <spender@grsecurity.net>
100389Date: Tue Mar 20 18:52:23 2012 -0400
100390
100391 Require default and kernel role
100392
100393commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
100394Author: Brad Spengler <spender@grsecurity.net>
100395Date: Tue Mar 20 18:47:28 2012 -0400
100396
100397 Allow policies without special roles
100398 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
100399
100400commit 402ec3d24d66d38403dc543c84851f5e72d39e22
100401Merge: 8e012dc f14661a
100402Author: Brad Spengler <spender@grsecurity.net>
100403Date: Mon Mar 19 18:06:59 2012 -0400
100404
100405 Merge branch 'pax-test' into grsec-test
100406
100407 Conflicts:
100408 fs/namei.c
100409
100410commit f14661aaf202155c97f66626cea0269017bb7775
100411Merge: eae671f 058b017
100412Author: Brad Spengler <spender@grsecurity.net>
100413Date: Mon Mar 19 18:05:44 2012 -0400
100414
100415 Merge branch 'linux-3.2.y' into pax-test
100416
100417commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
100418Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
100419Date: Fri Mar 16 17:08:39 2012 -0700
100420
100421 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
100422
100423 According to the report from Slicky Devil, nilfs caused kernel oops at
100424 nilfs_load_super_block function during mount after he shrank the
100425 partition without resizing the filesystem:
100426
100427 BUG: unable to handle kernel NULL pointer dereference at 00000048
100428 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
100429 *pde = 00000000
100430 Oops: 0000 [#1] PREEMPT SMP
100431 ...
100432 Call Trace:
100433 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
100434 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
100435 [<c0226636>] mount_fs+0x36/0x180
100436 [<c023d961>] vfs_kern_mount+0x51/0xa0
100437 [<c023ddae>] do_kern_mount+0x3e/0xe0
100438 [<c023f189>] do_mount+0x169/0x700
100439 [<c023fa9b>] sys_mount+0x6b/0xa0
100440 [<c04abd1f>] sysenter_do_call+0x12/0x28
100441 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
100442 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
100443 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
100444 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
100445 CR2: 0000000000000048
100446
100447 This turned out due to a defect in an error path which runs if the
100448 calculated location of the secondary super block was invalid.
100449
100450 This patch fixes it and eliminates the reported oops.
100451
100452 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
100453 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
100454 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
100455 Cc: <stable@vger.kernel.org> [2.6.30+]
100456 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
100457 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100458
100459commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
100460Author: Haogang Chen <haogangchen@gmail.com>
100461Date: Fri Mar 16 17:08:38 2012 -0700
100462
100463 nilfs2: clamp ns_r_segments_percentage to [1, 99]
100464
100465 ns_r_segments_percentage is read from the disk. Bogus or malicious
100466 value could cause integer overflow and malfunction due to meaningless
100467 disk usage calculation. This patch reports error when mounting such
100468 bogus volumes.
100469
100470 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
100471 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
100472 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
100473 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100474
100475commit e1a90645643f9b0194a5984ec8febd06360d5c8b
100476Author: Eric Dumazet <eric.dumazet@gmail.com>
100477Date: Sat Mar 10 09:20:21 2012 +0000
100478
100479 tcp: fix syncookie regression
100480
100481 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
100482 added a serious regression on synflood handling.
100483
100484 Simon Kirby discovered a successful connection was delayed by 20 seconds
100485 before being responsive.
100486
100487 In my tests, I discovered that xmit frames were lost, and needed ~4
100488 retransmits and a socket dst rebuild before being really sent.
100489
100490 In case of syncookie initiated connection, we use a different path to
100491 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
100492
100493 As ip_queue_xmit() now depends on inet flow being setup, fix this by
100494 copying the temp flowi4 we use in cookie_v4_check().
100495
100496 Reported-by: Simon Kirby <sim@netnation.com>
100497 Bisected-by: Simon Kirby <sim@netnation.com>
100498 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
100499 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
100500 Signed-off-by: David S. Miller <davem@davemloft.net>
100501
100502commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
100503Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
100504Date: Mon Mar 12 02:59:41 2012 +0000
100505
100506 tun: don't hold network namespace by tun sockets
100507
100508 v3: added previously removed sock_put() to the tun_release() callback, because
100509 sk_release_kernel() doesn't drop the socket reference.
100510
100511 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
100512 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
100513 call.
100514
100515 TUN was designed to destroy it's socket on network namesapce shutdown. But this
100516 will never happen for persistent device, because it's socket holds network
100517 namespace.
100518 This patch removes of holding network namespace by TUN socket and replaces it
100519 by creating socket in init_net and then changing it's net it to desired one. On
100520 shutdown socket is moved back to init_net prior to final put.
100521
100522 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
100523 Signed-off-by: David S. Miller <davem@davemloft.net>
100524
100525commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
100526Author: Tyler Hicks <tyhicks@canonical.com>
100527Date: Mon Dec 12 10:02:30 2011 -0600
100528
100529 vfs: Correctly set the dir i_mutex lockdep class
100530
100531 9a7aa12f3911853a introduced additional logic around setting the i_mutex
100532 lockdep class for directory inodes. The idea was that some filesystems
100533 may want their own special lockdep class for different directory
100534 inodes and calling unlock_new_inode() should not clobber one of
100535 those special classes.
100536
100537 I believe that the added conditional, around the *negated* return value
100538 of lockdep_match_class(), caused directory inodes to be placed in the
100539 wrong lockdep class.
100540
100541 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
100542 all inodes. If the filesystem did not change the class during inode
100543 initialization, then the conditional mentioned above was false and the
100544 directory inode was incorrectly left in the non-directory lockdep class.
100545 If the filesystem did set a special lockdep class, then the conditional
100546 mentioned above was true and that class was clobbered with
100547 i_mutex_dir_key.
100548
100549 This patch removes the negation from the conditional so that the i_mutex
100550 lockdep class is properly set for directory inodes. Special classes are
100551 preserved and directory inodes with unmodified classes are set with
100552 i_mutex_dir_key.
100553
100554 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
100555 Reviewed-by: Jan Kara <jack@suse.cz>
100556 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
100557
100558commit 603590b0d2eca61ce26499eac9c563bc567a18c9
100559Author: Jan Kara <jack@suse.cz>
100560Date: Mon Feb 20 17:54:00 2012 +0100
100561
100562 udf: Fix deadlock in udf_release_file()
100563
100564 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
100565 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
100566 i_mutex is not needed in udf_release_file() anymore since protection by
100567 i_data_sem is enough to protect from races with write and truncate.
100568
100569 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
100570 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
100571 Signed-off-by: Jan Kara <jack@suse.cz>
100572 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
100573
100574commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
100575Author: Miklos Szeredi <mszeredi@suse.cz>
100576Date: Tue Mar 6 13:56:33 2012 +0100
100577
100578 vfs: fix double put after complete_walk()
100579
100580 complete_walk() already puts nd->path, no need to do it again at cleanup time.
100581
100582 This would result in Oopses if triggered, apparently the codepath is not too
100583 well exercised.
100584
100585 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
100586 CC: stable@vger.kernel.org
100587 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
100588
100589commit 13885ba2b18400f3ef6540497d30f1af896605e5
100590Author: Miklos Szeredi <mszeredi@suse.cz>
100591Date: Tue Mar 6 13:56:34 2012 +0100
100592
100593 vfs: fix return value from do_last()
100594
100595 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
100596 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
100597 which is complete nonsense.
100598
100599 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
100600 CC: stable@vger.kernel.org
100601 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
100602
100603 Conflicts:
100604
100605 fs/namei.c
100606
100607commit f5ab7572c99ffb58953eb1070622307e904c3b7f
100608Author: Al Viro <viro@zeniv.linux.org.uk>
100609Date: Sat Mar 10 17:07:28 2012 -0500
100610
100611 restore smp_mb() in unlock_new_inode()
100612
100613 wait_on_inode() doesn't have ->i_lock
100614
100615 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
100616
100617commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
100618Author: David S. Miller <davem@davemloft.net>
100619Date: Tue Mar 13 18:19:51 2012 -0700
100620
100621 sparc32: Add -Av8 to assembler command line.
100622
100623 Newer version of binutils are more strict about specifying the
100624 correct options to enable certain classes of instructions.
100625
100626 The sparc32 build is done for v7 in order to support sun4c systems
100627 which lack hardware integer multiply and divide instructions.
100628
100629 So we have to pass -Av8 when building the assembler routines that
100630 use these instructions and get patched into the kernel when we find
100631 out that we have a v8 capable cpu.
100632
100633 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
100634 Signed-off-by: David S. Miller <davem@davemloft.net>
100635
100636commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
100637Author: Thomas Gleixner <tglx@linutronix.de>
100638Date: Fri Mar 9 20:55:10 2012 +0100
100639
100640 x86: Derandom delay_tsc for 64 bit
100641
100642 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
100643 delay_tsc() into a random delay generator for 64 bit. The reason is
100644 that it merged the mostly identical versions of delay_32.c and
100645 delay_64.c. Though the subtle difference of the result was:
100646
100647 static void delay_tsc(unsigned long loops)
100648 {
100649 - unsigned bclock, now;
100650 + unsigned long bclock, now;
100651
100652 Now the function uses rdtscl() which returns the lower 32bit of the
100653 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
100654 bit this fails when the lower 32bit are close to wrap around when
100655 bclock is read, because the following check
100656
100657 if ((now - bclock) >= loops)
100658 break;
100659
100660 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
100661 because the unsigned long (now - bclock) of these values results in
100662 0xffffffff00000001 which is definitely larger than the loops
100663 value. That explains Tvortkos observation:
100664
100665 "Because I am seeing udelay(500) (_occasionally_) being short, and
100666 that by delaying for some duration between 0us (yep) and 491us."
100667
100668 Make those variables explicitely u32 again, so this works for both 32
100669 and 64 bit.
100670
100671 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
100672 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
100673 Cc: stable@vger.kernel.org # >= 2.6.27
100674 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100675
100676commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
100677Author: Al Viro <viro@ZenIV.linux.org.uk>
100678Date: Thu Mar 8 17:51:19 2012 +0000
100679
100680 aio: fix the "too late munmap()" race
100681
100682 Current code has put_ioctx() called asynchronously from aio_fput_routine();
100683 that's done *after* we have killed the request that used to pin ioctx,
100684 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
100685 from progressing. As the result, we can end up with async call of
100686 put_ioctx() being the last one and possibly happening during exit_mmap()
100687 or elf_core_dump(), neither of which expects stray munmap() being done
100688 to them...
100689
100690 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
100691 with that, but that's all we care about - neither io_destroy() nor
100692 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
100693 does really_put_req(), so the ioctx teardown won't be done until then
100694 and we don't care about the contents of ioctx past that point.
100695
100696 Since actual freeing of these suckers is RCU-delayed, we don't need to
100697 bump ioctx refcount when request goes into list for async removal.
100698 All we need is rcu_read_lock held just over the ->ctx_lock-protected
100699 area in aio_fput_routine().
100700
100701 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
100702 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
100703 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
100704 Cc: stable@vger.kernel.org
100705 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100706
100707commit 002124c055afbf09b52226af65621999e8316448
100708Author: Al Viro <viro@ZenIV.linux.org.uk>
100709Date: Wed Mar 7 05:16:35 2012 +0000
100710
100711 aio: fix io_setup/io_destroy race
100712
100713 Have ioctx_alloc() return an extra reference, so that caller would drop it
100714 on success and not bother with re-grabbing it on failure exit. The current
100715 code is obviously broken - io_destroy() from another thread that managed
100716 to guess the address io_setup() would've returned would free ioctx right
100717 under us; gets especially interesting if aio_context_t * we pass to
100718 io_setup() points to PROT_READ mapping, so put_user() fails and we end
100719 up doing io_destroy() on kioctx another thread has just got freed...
100720
100721 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
100722 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
100723 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
100724 Cc: stable@vger.kernel.org
100725 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100726
100727commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
100728Author: Dan Carpenter <dan.carpenter@oracle.com>
100729Date: Thu Mar 15 15:17:12 2012 -0700
100730
100731 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
100732
100733 strict_strtoul() writes a long but ->gamma_mode only has space to store an
100734 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
100735 well. I've changed it to use kstrtouint() instead.
100736
100737 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
100738 Acked-by: Inki Dae <inki.dae@samsung.com>
100739 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
100740 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
100741 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100742
100743commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
100744Merge: e4b05b6 eae671f
100745Author: Brad Spengler <spender@grsecurity.net>
100746Date: Fri Mar 16 21:04:27 2012 -0400
100747
100748 Merge branch 'pax-test' into grsec-test
100749
100750 Conflicts:
100751 security/Kconfig
100752
100753commit eae671fafe93f04685c04a089cc13efebc05d600
100754Author: Brad Spengler <spender@grsecurity.net>
100755Date: Fri Mar 16 20:58:01 2012 -0400
100756
100757 Update to pax-linux-3.2.11-test31.patch
100758 Introduction of the size_overflow plugin from Emese Revfy
100759 Many thanks to Emese for her hard work :)
100760
100761commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
100762Merge: e55aa68 258c015
100763Author: Brad Spengler <spender@grsecurity.net>
100764Date: Thu Mar 15 20:59:19 2012 -0400
100765
100766 Merge branch 'pax-test' into grsec-test
100767
100768commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
100769Author: Brad Spengler <spender@grsecurity.net>
100770Date: Thu Mar 15 20:59:05 2012 -0400
100771
100772 fix ARM compilation
100773
100774commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
100775Merge: 8f95ea9 55b7573
100776Author: Brad Spengler <spender@grsecurity.net>
100777Date: Wed Mar 14 19:33:41 2012 -0400
100778
100779 Merge branch 'pax-test' into grsec-test
100780
100781commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
100782Author: Brad Spengler <spender@grsecurity.net>
100783Date: Wed Mar 14 19:33:15 2012 -0400
100784
100785 Update to pax-linux-3.2.10-test28.patch
100786
100787commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
100788Merge: c8786a2 886ac5e
100789Author: Brad Spengler <spender@grsecurity.net>
100790Date: Tue Mar 13 17:38:13 2012 -0400
100791
100792 Merge branch 'pax-test' into grsec-test
100793
100794 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
100795
100796commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
100797Author: Brad Spengler <spender@grsecurity.net>
100798Date: Tue Mar 13 17:37:44 2012 -0400
100799
100800 Update to pax-linux-3.2.10-test26.patch
100801
100802commit c8786a2abed5e5327f68efa520c04db99bb6a63a
100803Merge: 219c982 c061fcf
100804Author: Brad Spengler <spender@grsecurity.net>
100805Date: Tue Mar 13 17:25:06 2012 -0400
100806
100807 Merge branch 'pax-test' into grsec-test
100808
100809commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
100810Merge: 89373d2 3f4b3b2
100811Author: Brad Spengler <spender@grsecurity.net>
100812Date: Tue Mar 13 17:25:02 2012 -0400
100813
100814 Merge branch 'linux-3.2.y' into pax-test
100815
100816commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
100817Merge: 54e19a3 89373d2
100818Author: Brad Spengler <spender@grsecurity.net>
100819Date: Mon Mar 12 17:23:57 2012 -0400
100820
100821 Merge branch 'pax-test' into grsec-test
100822
100823commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
100824Merge: a778588 7459f11
100825Author: Brad Spengler <spender@grsecurity.net>
100826Date: Mon Mar 12 17:23:49 2012 -0400
100827
100828 Merge branch 'linux-3.2.y' into pax-test
100829
100830commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
100831Merge: c4650f1 a778588
100832Author: Brad Spengler <spender@grsecurity.net>
100833Date: Mon Mar 12 16:51:25 2012 -0400
100834
100835 Merge branch 'pax-test' into grsec-test
100836
100837commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
100838Author: Brad Spengler <spender@grsecurity.net>
100839Date: Mon Mar 12 16:51:12 2012 -0400
100840
100841 Update to pax-linux-3.2.9-test24.patch
100842
100843commit c4650f14b13f84735fe3de06a1f3ff5776473eff
100844Merge: fb2abee 1015790
100845Author: Brad Spengler <spender@grsecurity.net>
100846Date: Sun Mar 11 21:08:28 2012 -0400
100847
100848 Merge branch 'pax-test' into grsec-test
100849
100850 Conflicts:
100851 security/Kconfig
100852
100853commit 101579028a736c224e590c7e12a7357018c424e1
100854Author: Brad Spengler <spender@grsecurity.net>
100855Date: Sun Mar 11 21:07:27 2012 -0400
100856
100857 Update to pax-linux-3.2.9-test22.patch
100858
100859commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
100860Author: Brad Spengler <spender@grsecurity.net>
100861Date: Sun Mar 11 11:02:17 2012 -0400
100862
100863 Allow 4096 CPUs
100864
100865commit 96bae28cbe6a41d48e3b56e5904814096e956000
100866Author: Brad Spengler <spender@grsecurity.net>
100867Date: Sun Mar 11 10:25:58 2012 -0400
100868
100869 Use a per-cpu 48-bit counter instead of a global atomic64
100870 Initialize each counter to have the cpu number in the lower 16 bits
100871 instead of incrementing the counter each time by 1, perform the increments
100872 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
100873 any state
100874 idea from PaX Team
100875
100876commit b975688101da6e966aebb1bc6b8c5c5983974f9c
100877Author: Brad Spengler <spender@grsecurity.net>
100878Date: Sat Mar 10 20:33:12 2012 -0500
100879
100880 Special vnsec edition! :)
100881 Further reduce argv/env allowance for suid/sgid apps to 512KB
100882 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
100883 Clear 3GB personality on suid/sgid binaries
100884 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
100885 with the main purpose of throwing off program stack -> arg/env alignment
100886 Update documentation
100887
100888commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
100889Author: Brad Spengler <spender@grsecurity.net>
100890Date: Sat Mar 10 19:54:47 2012 -0500
100891
100892 Resolve skbuff.h warnings that turn into errors during compilation in
100893 the grsecurity directory with -Werror
100894
100895commit 2023210ad43a944033fcacc660ce410888f562ee
100896Merge: ece4383 5f66adf
100897Author: Brad Spengler <spender@grsecurity.net>
100898Date: Fri Mar 9 19:48:01 2012 -0500
100899
100900 Merge branch 'pax-test' into grsec-test
100901
100902commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
100903Author: Brad Spengler <spender@grsecurity.net>
100904Date: Fri Mar 9 19:47:06 2012 -0500
100905
100906 Add colorize plugin
100907
100908commit ece4383e5e91c92d138c4df84225a70b552f4d69
100909Merge: a366d0e ab4a5a1
100910Author: Brad Spengler <spender@grsecurity.net>
100911Date: Fri Mar 9 17:56:46 2012 -0500
100912
100913 Merge branch 'pax-test' into grsec-test
100914
100915commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
100916Author: Brad Spengler <spender@grsecurity.net>
100917Date: Fri Mar 9 17:56:26 2012 -0500
100918
100919 Update to pax-linux-3.2.9-test21.patch
100920
100921commit a366d0ed963ce93fce10121c1100989d5f064e75
100922Author: Mikulas Patocka <mpatocka@redhat.com>
100923Date: Sun Mar 4 19:52:03 2012 -0500
100924
100925 mm: fix find_vma_prev
100926
100927 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
100928 management on PA-RISC.
100929
100930 After application of the patch, programs that allocate big arrays on the
100931 stack crash with segfault, for example, this will crash if compiled
100932 without optimization:
100933
100934 int main()
100935 {
100936 char array[200000];
100937 array[199999] = 0;
100938 return 0;
100939 }
100940
100941 The reason is that PA-RISC has up-growing stack and the stack is usually
100942 the last memory area. In the above example, a page fault happens above
100943 the stack.
100944
100945 Previously, if we passed too high address to find_vma_prev, it returned
100946 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
100947 change, it stores NULL in *pprev. Consequently, the stack area is not
100948 found and it is not expanded, as it used to be before the change.
100949
100950 This patch restores the old behavior and makes it return the last VMA in
100951 *pprev if the requested address is higher than address of any other VMA.
100952
100953 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
100954 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
100955 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100956
100957commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
100958Author: Hugh Dickins <hughd@google.com>
100959Date: Tue Mar 6 12:28:52 2012 -0800
100960
100961 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
100962
100963 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
100964 from shared anonymous: hoist the file case's -EINVAL up for both.
100965
100966 Signed-off-by: Hugh Dickins <hughd@google.com>
100967 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100968
100969commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
100970Author: Al Viro <viro@ZenIV.linux.org.uk>
100971Date: Mon Mar 5 06:38:42 2012 +0000
100972
100973 aout: move setup_arg_pages() prior to reading/mapping the binary
100974
100975 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
100976 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100977
100978commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
100979Author: Jan Beulich <JBeulich@suse.com>
100980Date: Mon Mar 5 16:49:24 2012 +0000
100981
100982 vsprintf: make %pV handling compatible with kasprintf()
100983
100984 kasprintf() (and potentially other functions that I didn't run across so
100985 far) want to evaluate argument lists twice. Caring to do so for the
100986 primary list is obviously their job, but they can't reasonably be
100987 expected to check the format string for instances of %pV, which however
100988 need special handling too: On architectures like x86-64 (as opposed to
100989 e.g. ix86), using the same argument list twice doesn't produce the
100990 expected results, as an internally managed cursor gets updated during
100991 the first run.
100992
100993 Fix the problem by always acting on a copy of the original list when
100994 handling %pV.
100995
100996 Signed-off-by: Jan Beulich <jbeulich@suse.com>
100997 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
100998
100999commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
101000Author: Al Viro <viro@ZenIV.linux.org.uk>
101001Date: Mon Mar 5 06:39:47 2012 +0000
101002
101003 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
101004
101005 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
101006 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
101007
101008commit a831bd53764695ea680cc1fa3c98759a610ed2ac
101009Author: Christian König <deathsimple@vodafone.de>
101010Date: Tue Feb 28 23:19:20 2012 +0100
101011
101012 drm/radeon: fix uninitialized variable
101013
101014 Without this fix the driver randomly treats
101015 textures as arrays and I'm really wondering
101016 why gcc isn't complaining about it.
101017
101018 Signed-off-by: Christian König <deathsimple@vodafone.de>
101019 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
101020 Signed-off-by: Dave Airlie <airlied@redhat.com>
101021
101022commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
101023Author: H. Peter Anvin <hpa@zytor.com>
101024Date: Fri Mar 2 10:43:48 2012 -0800
101025
101026 regset: Prevent null pointer reference on readonly regsets
101027
101028 The regset common infrastructure assumed that regsets would always
101029 have .get and .set methods, but not necessarily .active methods.
101030 Unfortunately people have since written regsets without .set methods.
101031
101032 Rather than putting in stub functions everywhere, handle regsets with
101033 null .get or .set methods explicitly.
101034
101035 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
101036 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
101037 Acked-by: Roland McGrath <roland@hack.frob.com>
101038 Cc: <stable@vger.kernel.org>
101039 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
101040
101041commit 072ddd99401c79b53c6bf6bff9deb93022124c79
101042Author: Brad Spengler <spender@grsecurity.net>
101043Date: Mon Mar 5 18:12:57 2012 -0500
101044
101045 Fix compiler errors reported on forums
101046
101047commit 1606774b48af24e6f99d99c624c0e447d4b66474
101048Merge: 3127bd5 4ca2ffd
101049Author: Brad Spengler <spender@grsecurity.net>
101050Date: Mon Mar 5 17:31:35 2012 -0500
101051
101052 Merge branch 'pax-test' into grsec-test
101053
101054commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
101055Author: Brad Spengler <spender@grsecurity.net>
101056Date: Mon Mar 5 17:31:21 2012 -0500
101057
101058 Update to pax-linux-3.2.9-test20.patch
101059
101060commit 3127bd581a292966b1057c7433219dac188c3720
101061Author: Brad Spengler <spender@grsecurity.net>
101062Date: Fri Mar 2 21:30:37 2012 -0500
101063
101064 Fix memory leak on logged exec_id check failure in /proc/pid/statm
101065 Thanks to Djalal Harouni for the report
101066
101067commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
101068Merge: 0a56be8 9aa8288
101069Author: Brad Spengler <spender@grsecurity.net>
101070Date: Fri Mar 2 18:38:22 2012 -0500
101071
101072 Merge branch 'pax-test' into grsec-test
101073
101074commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
101075Author: Brad Spengler <spender@grsecurity.net>
101076Date: Fri Mar 2 18:37:43 2012 -0500
101077
101078 Update to pax-linux-3.2.9-test19.patch
101079
101080commit 0a56be884bbd7ce733cac0b879c45383494d73b0
101081Merge: 9e66745 3f5c52a
101082Author: Brad Spengler <spender@grsecurity.net>
101083Date: Thu Mar 1 20:18:01 2012 -0500
101084
101085 Merge branch 'pax-test' into grsec-test
101086
101087commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
101088Author: Brad Spengler <spender@grsecurity.net>
101089Date: Thu Mar 1 20:16:56 2012 -0500
101090
101091 Update to pax-linux-3.2.9-test18.patch
101092
101093commit ae53ec231d12719a36bf871f8c5841020ed692ee
101094Merge: b255baf 44fb317
101095Author: Brad Spengler <spender@grsecurity.net>
101096Date: Thu Mar 1 20:15:31 2012 -0500
101097
101098 Merge branch 'linux-3.2.y' into pax-test
101099
101100commit 9e667456c03eadea2f305be761abe4de9a5877a3
101101Merge: 5e4e200 b255baf
101102Author: Brad Spengler <spender@grsecurity.net>
101103Date: Mon Feb 27 20:53:59 2012 -0500
101104
101105 Merge branch 'pax-test' into grsec-test
101106
101107commit b255baf50365d39b406f43aab2c64745607baaa2
101108Merge: 340ce90 1de504e
101109Author: Brad Spengler <spender@grsecurity.net>
101110Date: Mon Feb 27 20:53:29 2012 -0500
101111
101112 Merge branch 'linux-3.2.y' into pax-test
101113 Update to pax-linux-3.2.8-test17.patch
101114
101115 Conflicts:
101116 arch/x86/include/asm/i387.h
101117 arch/x86/kernel/process_32.c
101118 arch/x86/kernel/traps.c
101119
101120commit 5e4e200ac530452884b625cb75de240e1e98c731
101121Merge: 44306d7 340ce90
101122Author: Brad Spengler <spender@grsecurity.net>
101123Date: Mon Feb 27 18:02:13 2012 -0500
101124
101125 Merge branch 'pax-test' into grsec-test
101126
101127commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
101128Author: Brad Spengler <spender@grsecurity.net>
101129Date: Mon Feb 27 18:01:48 2012 -0500
101130
101131 Update to pax-linux-3.2.7-test17.patch
101132
101133commit 44306d7b3097f77e73040dd25f4f6750751bae7a
101134Merge: 29d0b07 521c411
101135Author: Brad Spengler <spender@grsecurity.net>
101136Date: Sun Feb 26 19:04:15 2012 -0500
101137
101138 Merge branch 'pax-test' into grsec-test
101139
101140 Conflicts:
101141 Makefile
101142
101143commit 521c411bb4ca66ce01146fde8bac9dd22414076d
101144Author: Brad Spengler <spender@grsecurity.net>
101145Date: Sun Feb 26 19:03:33 2012 -0500
101146
101147 Update to pax-linux-3.2.7-test16.patch
101148
101149commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
101150Author: Brad Spengler <spender@grsecurity.net>
101151Date: Sun Feb 26 17:12:44 2012 -0500
101152
101153 fix typo
101154
101155commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
101156Merge: f45b3be caa8f83
101157Author: Brad Spengler <spender@grsecurity.net>
101158Date: Sat Feb 25 20:59:27 2012 -0500
101159
101160 Merge branch 'pax-test' into grsec-test
101161
101162commit caa8f83456c4d0b204beefffaa1d1993f2348d08
101163Author: Brad Spengler <spender@grsecurity.net>
101164Date: Sat Feb 25 20:59:12 2012 -0500
101165
101166 Update to pax-linux-3.2.7-test15.patch
101167
101168commit f45b3be34a345502a302e736af9a65742ddef7cb
101169Merge: 62f35fd 9f1309b
101170Author: Brad Spengler <spender@grsecurity.net>
101171Date: Sat Feb 25 11:40:15 2012 -0500
101172
101173 Merge branch 'pax-test' into grsec-test
101174
101175commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
101176Author: Brad Spengler <spender@grsecurity.net>
101177Date: Sat Feb 25 11:39:57 2012 -0500
101178
101179 Update to pax-linux-3.2.7-test14.patch
101180
101181commit 62f35fdbecc58f2988fe13638d907b87a15776bb
101182Author: Brad Spengler <spender@grsecurity.net>
101183Date: Sat Feb 25 09:08:55 2012 -0500
101184
101185 We could log on attempted exploits of writing /proc/self/mem, but the current
101186 log function declares the access a read, so just swap the ordering for now
101187
101188commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
101189Author: Brad Spengler <spender@grsecurity.net>
101190Date: Sat Feb 25 08:46:14 2012 -0500
101191
101192 Log /proc/pid/mem attempts
101193
101194commit 674471e581893a94d475acac3e3c4496209b3ac9
101195Author: Brad Spengler <spender@grsecurity.net>
101196Date: Sat Feb 25 08:15:00 2012 -0500
101197
101198 Make use of f_version for protecting /proc file structs (fine since we're not a directory
101199 or seq_file)
101200
101201commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
101202Author: Brad Spengler <spender@grsecurity.net>
101203Date: Fri Feb 24 20:02:19 2012 -0500
101204
101205 Fix ia64 compilation
101206
101207commit 50dfea412fd395e0183c2ade368efa525d38b267
101208Merge: 12db845 4c6f99b
101209Author: Brad Spengler <spender@grsecurity.net>
101210Date: Fri Feb 24 19:00:53 2012 -0500
101211
101212 Merge branch 'pax-test' into grsec-test
101213
101214commit 4c6f99bf338e03966356b147d0360cb3b522a44f
101215Author: Brad Spengler <spender@grsecurity.net>
101216Date: Fri Feb 24 19:00:36 2012 -0500
101217
101218 (6:57:09 PM) pipacs: but you can be proactive
101219 (Fix other-arch atomic64/REFCOUNT compilation failures)
101220
101221commit 12db8453f6bb0a756f369c9151668ba1249bc478
101222Author: Brad Spengler <spender@grsecurity.net>
101223Date: Thu Feb 23 21:10:12 2012 -0500
101224
101225 Remove unnecessary copies, as suggested by solar
101226
101227commit cc02cab84368467ea03cb35f861a8a7092d91ab4
101228Author: Brad Spengler <spender@grsecurity.net>
101229Date: Thu Feb 23 20:59:35 2012 -0500
101230
101231 Make global_exec_counter static, as suggested by solar
101232
101233commit e642091a475ebb3a30e81f85e7751233d0c2af43
101234Author: Brad Spengler <spender@grsecurity.net>
101235Date: Thu Feb 23 19:00:26 2012 -0500
101236
101237 sync with stable tree
101238
101239commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
101240Author: Brad Spengler <spender@grsecurity.net>
101241Date: Thu Feb 23 18:48:47 2012 -0500
101242
101243 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
101244 Remove handling of old kludge in chmod/fchmod
101245
101246commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
101247Author: Brad Spengler <spender@grsecurity.net>
101248Date: Thu Feb 23 18:18:49 2012 -0500
101249
101250 Apply umask checks to chmod/fchmod as well, as requested by sponsor
101251 Union the enforced umask with the existing one to produce minimal privilege
101252 Change umask type to u16
101253
101254commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
101255Author: Brad Spengler <spender@grsecurity.net>
101256Date: Wed Feb 22 18:16:11 2012 -0500
101257
101258 Add per-role umask enforcement to RBAC, requested by a sponsor
101259
101260commit ad5ac943fe58199f1cc475912a39edb157acb77b
101261Merge: dda0bb5 41722e3
101262Author: Brad Spengler <spender@grsecurity.net>
101263Date: Mon Feb 20 20:04:42 2012 -0500
101264
101265 Merge branch 'pax-test' into grsec-test
101266
101267commit 41722e342e116d95f3d3556d66c97c888d752d39
101268Author: Brad Spengler <spender@grsecurity.net>
101269Date: Mon Feb 20 20:04:00 2012 -0500
101270
101271 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
101272 KERNEXEC plugin
101273
101274commit dda0bb57137846a476a866c60db2681aaf6052c0
101275Merge: 4fd554e d70927a
101276Author: Brad Spengler <spender@grsecurity.net>
101277Date: Mon Feb 20 20:01:41 2012 -0500
101278
101279 Merge branch 'pax-test' into grsec-test
101280
101281commit d70927afec977d489a54c106a3c3ddc32e953050
101282Merge: 1daebf1 9d0231c
101283Author: Brad Spengler <spender@grsecurity.net>
101284Date: Mon Feb 20 20:01:33 2012 -0500
101285
101286 Merge branch 'linux-3.2.y' into pax-test
101287
101288commit 4fd554e3a097b22c5049fcdc423897477deff5ef
101289Author: Brad Spengler <spender@grsecurity.net>
101290Date: Mon Feb 20 09:17:57 2012 -0500
101291
101292 Fix wrong logic on capability checks for switching roles, broke policies
101293 Thanks to Richard Kojedzinszky for reporting
101294
101295commit 12f97d52ac603f24344f8d71569c412a307e9422
101296Author: Brad Spengler <spender@grsecurity.net>
101297Date: Thu Feb 16 21:20:10 2012 -0500
101298
101299 sparc64 compile fix
101300
101301commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
101302Author: Brad Spengler <spender@grsecurity.net>
101303Date: Thu Feb 16 18:38:32 2012 -0500
101304
101305 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
101306
101307commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
101308Author: Brad Spengler <spender@grsecurity.net>
101309Date: Thu Feb 16 18:18:01 2012 -0500
101310
101311 optimize the check a bit
101312
101313commit 03159050f64989be44ae03be769cbed62a7cd2e5
101314Author: Brad Spengler <spender@grsecurity.net>
101315Date: Thu Feb 16 18:00:45 2012 -0500
101316
101317 smile VUPEN :D
101318 (limit argv+env to 1MB for suid/sgid binaries)
101319
101320commit dd759d8800d225a397e4de49fe729c7d601298d2
101321Author: Brad Spengler <spender@grsecurity.net>
101322Date: Thu Feb 16 17:49:33 2012 -0500
101323
101324 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
101325
101326commit 4de635bda8ebfb85312e3bf851bdbff93de400da
101327Author: Brad Spengler <spender@grsecurity.net>
101328Date: Thu Feb 16 17:45:06 2012 -0500
101329
101330 Change the long long type for exec_id to the proper u64
101331
101332commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
101333Author: Dan Carpenter <dan.carpenter@oracle.com>
101334Date: Thu Feb 9 00:46:47 2012 +0000
101335
101336 isdn: type bug in isdn_net_header()
101337
101338 We use len to store the return value from eth_header(). eth_header()
101339 can return -ETH_HLEN (-14). We want to pass this back instead of
101340 truncating it to 65522 and returning that.
101341
101342 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
101343 Acked-by: Neil Horman <nhorman@tuxdriver.com>
101344 Signed-off-by: David S. Miller <davem@davemloft.net>
101345
101346commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
101347Author: Heiko Carstens <heiko.carstens@de.ibm.com>
101348Date: Sat Feb 4 10:47:10 2012 +0100
101349
101350 exec: fix use-after-free bug in setup_new_exec()
101351
101352 Setting the task name is done within setup_new_exec() by accessing
101353 bprm->filename. However this happens after flush_old_exec().
101354 This may result in a use after free bug, flush_old_exec() may
101355 "complete" vfork_done, which will wake up the parent which in turn
101356 may free the passed in filename.
101357 To fix this add a new tcomm field in struct linux_binprm which
101358 contains the now early generated task name until it is used.
101359
101360 Fixes this bug on s390:
101361
101362 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
101363 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
101364 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
101365 Call Trace:
101366 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
101367 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
101368 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
101369 [<0000000000282b6c>] do_execve_common+0x410/0x514
101370 [<0000000000282cb6>] do_execve+0x46/0x58
101371 [<00000000005bce58>] kernel_execve+0x28/0x70
101372 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
101373 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
101374 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
101375 Last Breaking-Event-Address:
101376 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
101377
101378 Kernel panic - not syncing: Fatal exception: panic_on_oops
101379
101380 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
101381 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
101382 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
101383
101384commit d758ee9f5230893dabb5aab737b3109684bde196
101385Author: Dan Carpenter <dan.carpenter@oracle.com>
101386Date: Fri Feb 10 09:03:58 2012 +0100
101387
101388 relay: prevent integer overflow in relay_open()
101389
101390 "subbuf_size" and "n_subbufs" come from the user and they need to be
101391 capped to prevent an integer overflow.
101392
101393 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
101394 Cc: stable@kernel.org
101395 Signed-off-by: Jens Axboe <axboe@kernel.dk>
101396
101397commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
101398Merge: b1baadf 1daebf1
101399Author: Brad Spengler <spender@grsecurity.net>
101400Date: Mon Feb 13 17:47:04 2012 -0500
101401
101402 Merge branch 'pax-test' into grsec-test
101403
101404 Conflicts:
101405 fs/proc/base.c
101406
101407commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
101408Merge: 1413df2 c2db2e2
101409Author: Brad Spengler <spender@grsecurity.net>
101410Date: Mon Feb 13 17:45:54 2012 -0500
101411
101412 Merge branch 'linux-3.2.y' into pax-test
101413
101414commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
101415Author: Brad Spengler <spender@grsecurity.net>
101416Date: Sun Feb 12 16:44:05 2012 -0500
101417
101418 add missing declaration
101419
101420commit 3981059c35e8463002517935c28f3d74b8e3703c
101421Author: Brad Spengler <spender@grsecurity.net>
101422Date: Sun Feb 12 16:36:04 2012 -0500
101423
101424 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
101425 in addition to existing checks (this handles the setresuid ruid = euid case)
101426
101427commit 0beab03263c773f463412c350ad9064b44b6ede0
101428Author: Brad Spengler <spender@grsecurity.net>
101429Date: Sun Feb 12 16:13:40 2012 -0500
101430
101431 Revert setreuid changes when RBAC is enabled, breaks freeradius
101432 I'll fix the learning issue Lavish reported a different way through
101433 gradm modifications
101434
101435 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
101436
101437commit 0c61cb1cfbbfec7d07647268c922d51434d22621
101438Author: Brad Spengler <spender@grsecurity.net>
101439Date: Sat Feb 11 14:22:46 2012 -0500
101440
101441 copy exec_id on fork
101442
101443commit 000c08e0890630086b2ed04084050ed856a7ec31
101444Author: Brad Spengler <spender@grsecurity.net>
101445Date: Fri Feb 10 20:00:36 2012 -0500
101446
101447 compile fix
101448
101449commit 54b8c8f54484e5ee18040657827158bc4b63bccc
101450Author: Brad Spengler <spender@grsecurity.net>
101451Date: Fri Feb 10 19:19:52 2012 -0500
101452
101453 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
101454 denies reading of sensitive /proc/pid entries where the file descriptor
101455 was opened in a different task than the one performing the read
101456
101457commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
101458Author: Brad Spengler <spender@grsecurity.net>
101459Date: Fri Feb 10 17:43:24 2012 -0500
101460
101461 Remove duplicate signal check
101462
101463commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
101464Merge: 4eba97e 1413df2
101465Author: Brad Spengler <spender@grsecurity.net>
101466Date: Wed Feb 8 19:24:34 2012 -0500
101467
101468 Merge branch 'pax-test' into grsec-test
101469
101470commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
101471Author: Brad Spengler <spender@grsecurity.net>
101472Date: Wed Feb 8 19:24:08 2012 -0500
101473
101474 Merge changes from pax-linux-3.2.4-test11.patch
101475
101476commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
101477Merge: 0e058dd 8dd90a2
101478Author: Brad Spengler <spender@grsecurity.net>
101479Date: Mon Feb 6 17:50:12 2012 -0500
101480
101481 Merge branch 'pax-test' into grsec-test
101482
101483commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
101484Author: Brad Spengler <spender@grsecurity.net>
101485Date: Mon Feb 6 17:49:07 2012 -0500
101486
101487 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
101488
101489commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
101490Merge: 7e4169c 6133971
101491Author: Brad Spengler <spender@grsecurity.net>
101492Date: Mon Feb 6 17:48:57 2012 -0500
101493
101494 Merge branch 'linux-3.2.y' into pax-test
101495
101496commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
101497Author: Brad Spengler <spender@grsecurity.net>
101498Date: Sun Feb 5 19:24:45 2012 -0500
101499
101500 We now allow configurations with no PaX markings, giving the system no way to override the defaults
101501
101502commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
101503Author: Brad Spengler <spender@grsecurity.net>
101504Date: Sun Feb 5 10:01:23 2012 -0500
101505
101506 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
101507
101508commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
101509Author: Brad Spengler <spender@grsecurity.net>
101510Date: Sat Feb 4 21:01:16 2012 -0500
101511
101512 Improve security of ptrace-based monitoring/sandboxing
101513 See:
101514 http://article.gmane.org/gmane.linux.kernel.lsm/15156
101515
101516commit ca4ca5a1027b41f9528794e52a53ce9c47926101
101517Author: Brad Spengler <spender@grsecurity.net>
101518Date: Fri Feb 3 20:42:55 2012 -0500
101519
101520 fix typo
101521
101522commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
101523Author: Brad Spengler <spender@grsecurity.net>
101524Date: Fri Feb 3 20:25:38 2012 -0500
101525
101526 Reported by lavish on IRC:
101527 If a suid/sgid binary did not learn any setuid/setgid call during learning,
101528 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
101529 any restrictions on uid/gid changes. uid and gid can however be changed
101530 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
101531 euid/egid.
101532
101533 My fix:
101534 POSIX doesn't specify whether unprivileged users can perform the above
101535 setresuid/setresgid as an unprivileged user, though Linux has historically
101536 permitted them. Modify this behavior when RBAC is enabled to require
101537 CAP_SETUID/CAP_SETGID for these operations.
101538
101539 Thanks to Lavish for the report!
101540
101541 Conflicts:
101542
101543 kernel/sys.c
101544
101545commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
101546Merge: ba586eb 7e4169c
101547Author: Brad Spengler <spender@grsecurity.net>
101548Date: Fri Feb 3 20:10:21 2012 -0500
101549
101550 Merge branch 'pax-test' into grsec-test
101551
101552commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
101553Author: Brad Spengler <spender@grsecurity.net>
101554Date: Fri Feb 3 20:10:05 2012 -0500
101555
101556 Merge changes from pax-linux-3.2.4-test9.patch
101557
101558commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
101559Author: Christopher Yeoh <cyeoh@au1.ibm.com>
101560Date: Thu Feb 2 11:34:09 2012 +1030
101561
101562 Fix race in process_vm_rw_core
101563
101564 This fixes the race in process_vm_core found by Oleg (see
101565
101566 http://article.gmane.org/gmane.linux.kernel/1235667/
101567
101568 for details).
101569
101570 This has been updated since I last sent it as the creation of the new
101571 mm_access() function did almost exactly the same thing as parts of the
101572 previous version of this patch did.
101573
101574 In order to use mm_access() even when /proc isn't enabled, we move it to
101575 kernel/fork.c where other related process mm access functions already
101576 are.
101577
101578 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
101579 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
101580
101581 Conflicts:
101582
101583 fs/proc/base.c
101584 mm/process_vm_access.c
101585
101586commit b9194d60fb9fe579f5c34817ed822abde18939a0
101587Author: Oleg Nesterov <oleg@redhat.com>
101588Date: Tue Jan 31 17:15:11 2012 +0100
101589
101590 proc: make sure mem_open() doesn't pin the target's memory
101591
101592 Once /proc/pid/mem is opened, the memory can't be released until
101593 mem_release() even if its owner exits.
101594
101595 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
101596 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
101597 before access_remote_vm(), this verifies that this mm is still alive.
101598
101599 I am not sure what should mem_rw() return if atomic_inc_not_zero()
101600 fails. With this patch it returns zero to match the "mm == NULL" case,
101601 may be it should return -EINVAL like it did before e268337d.
101602
101603 Perhaps it makes sense to add the additional fatal_signal_pending()
101604 check into the main loop, to ensure we do not hold this memory if
101605 the target task was oom-killed.
101606
101607 Cc: stable@kernel.org
101608 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
101609 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
101610
101611commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
101612Author: Oleg Nesterov <oleg@redhat.com>
101613Date: Tue Jan 31 17:14:38 2012 +0100
101614
101615 proc: mem_release() should check mm != NULL
101616
101617 mem_release() can hit mm == NULL, add the necessary check.
101618
101619 Cc: stable@kernel.org
101620 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
101621 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
101622
101623commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
101624Author: Oleg Nesterov <oleg@redhat.com>
101625Date: Tue Jan 31 17:14:54 2012 +0100
101626
101627 note: redisabled mem_write
101628
101629 proc: unify mem_read() and mem_write()
101630
101631 No functional changes, cleanup and preparation.
101632
101633 mem_read() and mem_write() are very similar. Move this code into the
101634 new common helper, mem_rw(), which takes the additional "int write"
101635 argument.
101636
101637 Cc: stable@kernel.org
101638 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
101639 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
101640
101641 Conflicts:
101642
101643 fs/proc/base.c
101644
101645commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
101646Merge: 3903f01 01fee18
101647Author: Brad Spengler <spender@grsecurity.net>
101648Date: Fri Feb 3 19:50:40 2012 -0500
101649
101650 Merge branch 'pax-test' into grsec-test
101651
101652commit 01fee1851aef26b898ccba5312cabf1f919b74cb
101653Author: Brad Spengler <spender@grsecurity.net>
101654Date: Fri Feb 3 19:49:46 2012 -0500
101655
101656 Merge changes from pax-linux-3.2.4-test8.patch
101657
101658commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
101659Merge: 201c0db 141936c
101660Author: Brad Spengler <spender@grsecurity.net>
101661Date: Fri Feb 3 19:49:01 2012 -0500
101662
101663 Merge branch 'linux-3.2.y' into pax-test
101664
101665commit 3903f0172ecadf7a575ba3535402a1506133640a
101666Author: Brad Spengler <spender@grsecurity.net>
101667Date: Mon Jan 30 23:26:44 2012 -0500
101668
101669 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
101670
101671 We'll whitelist required directories for compatibility instead of requiring
101672 that people disable the feature entirely if they use SELinux, fuse, etc
101673
101674 Conflicts:
101675
101676 fs/sysfs/mount.c
101677
101678commit e3618feaa7e63807f1b88c199882075b3ec9bd05
101679Author: Brad Spengler <spender@grsecurity.net>
101680Date: Sun Jan 29 01:12:19 2012 -0500
101681
101682 perform RBAC check if TPE is on but match fails, matches previous behavior
101683
101684commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
101685Author: Brad Spengler <spender@grsecurity.net>
101686Date: Sat Jan 28 13:17:06 2012 -0500
101687
101688 log more information about the reason for a TPE denial for novice users, requested by a sponsor
101689
101690commit efefd67008cbad8a8591e2484410966a300a39a5
101691Author: Brad Spengler <spender@grsecurity.net>
101692Date: Fri Jan 27 19:58:53 2012 -0500
101693
101694 merge upstream sha512 changes
101695
101696commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
101697Author: Brad Spengler <spender@grsecurity.net>
101698Date: Fri Jan 27 19:49:07 2012 -0500
101699
101700 drop lock on error in xfs_readlink
101701
101702 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
101703
101704commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
101705Author: Li Wang <liwang@nudt.edu.cn>
101706Date: Thu Jan 19 09:44:36 2012 +0800
101707
101708 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
101709
101710 ecryptfs_write() can enter an infinite loop when truncating a file to a
101711 size larger than 4G. This only happens on architectures where size_t is
101712 represented by 32 bits.
101713
101714 This was caused by a size_t overflow due to it incorrectly being used to
101715 store the result of a calculation which uses potentially large values of
101716 type loff_t.
101717
101718 [tyhicks@canonical.com: rewrite subject and commit message]
101719 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
101720 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
101721 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
101722 Cc: <stable@vger.kernel.org>
101723 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
101724
101725commit a7607747d0f74f357d78bb796d70635dd05f46e8
101726Author: Tyler Hicks <tyhicks@canonical.com>
101727Date: Thu Jan 19 20:33:44 2012 -0600
101728
101729 eCryptfs: Check inode changes in setattr
101730
101731 Most filesystems call inode_change_ok() very early in ->setattr(), but
101732 eCryptfs didn't call it at all. It allowed the lower filesystem to make
101733 the call in its ->setattr() function. Then, eCryptfs would copy the
101734 appropriate inode attributes from the lower inode to the eCryptfs inode.
101735
101736 This patch changes that and actually calls inode_change_ok() on the
101737 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
101738 would happen earlier in ecryptfs_setattr(), but there are some possible
101739 inode initialization steps that must happen first.
101740
101741 Since the call was already being made on the lower inode, the change in
101742 functionality should be minimal, except for the case of a file extending
101743 truncate call. In that case, inode_newsize_ok() was never being
101744 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
101745 maximum file size errors early on, eCryptfs would encrypt zeroed pages
101746 and write them to the lower filesystem until the lower filesystem's
101747 write path caught the error in generic_write_checks(). This patch
101748 introduces a new function, called ecryptfs_inode_newsize_ok(), which
101749 checks if the new lower file size is within the appropriate limits when
101750 the truncate operation will be growing the lower file.
101751
101752 In summary this change prevents eCryptfs truncate operations (and the
101753 resulting page encryptions), which would exceed the lower filesystem
101754 limits or FSIZE rlimits, from ever starting.
101755
101756 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
101757 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
101758 Cc: <stable@vger.kernel.org>
101759
101760commit 0d96f190a39505254ace4e9330219aaeda9b64e3
101761Author: Tyler Hicks <tyhicks@canonical.com>
101762Date: Wed Jan 18 18:30:04 2012 -0600
101763
101764 eCryptfs: Make truncate path killable
101765
101766 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
101767 page, zeroes out the appropriate portions, and then encrypts the page
101768 before writing it to the lower filesystem. It was unkillable and due to
101769 the lack of sparse file support could result in tying up a large portion
101770 of system resources, while encrypting pages of zeros, with no way for
101771 the truncate operation to be stopped from userspace.
101772
101773 This patch adds the ability for ecryptfs_write() to detect a pending
101774 fatal signal and return as gracefully as possible. The intent is to
101775 leave the lower file in a useable state, while still allowing a user to
101776 break out of the encryption loop. If a pending fatal signal is detected,
101777 the eCryptfs inode size is updated to reflect the modified inode size
101778 and then -EINTR is returned.
101779
101780 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
101781 Cc: <stable@vger.kernel.org>
101782
101783commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
101784Author: Tyler Hicks <tyhicks@canonical.com>
101785Date: Tue Jan 24 10:02:22 2012 -0600
101786
101787 eCryptfs: Fix oops when printing debug info in extent crypto functions
101788
101789 If pages passed to the eCryptfs extent-based crypto functions are not
101790 mapped and the module parameter ecryptfs_verbosity=1 was specified at
101791 loading time, a NULL pointer dereference will occur.
101792
101793 Note that this wouldn't happen on a production system, as you wouldn't
101794 pass ecryptfs_verbosity=1 on a production system. It leaks private
101795 information to the system logs and is for debugging only.
101796
101797 The debugging info printed in these messages is no longer very useful
101798 and rather than doing a kmap() in these debugging paths, it will be
101799 better to simply remove the debugging paths completely.
101800
101801 https://launchpad.net/bugs/913651
101802
101803 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
101804 Reported-by: Daniel DeFreez
101805 Cc: <stable@vger.kernel.org>
101806
101807commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
101808Author: Tyler Hicks <tyhicks@canonical.com>
101809Date: Thu Jan 12 11:30:44 2012 +0100
101810
101811 eCryptfs: Sanitize write counts of /dev/ecryptfs
101812
101813 A malicious count value specified when writing to /dev/ecryptfs may
101814 result in a a very large kernel memory allocation.
101815
101816 This patch peeks at the specified packet payload size, adds that to the
101817 size of the packet headers and compares the result with the write count
101818 value. The resulting maximum memory allocation size is approximately 532
101819 bytes.
101820
101821 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
101822 Reported-by: Sasha Levin <levinsasha928@gmail.com>
101823 Cc: <stable@vger.kernel.org>
101824
101825commit 96dcb7282d323813181a1791f51c0ab7696b675b
101826Merge: 6c09fa5 201c0db
101827Author: Brad Spengler <spender@grsecurity.net>
101828Date: Fri Jan 27 19:44:15 2012 -0500
101829
101830 Merge branch 'pax-test' into grsec-test
101831
101832commit 201c0dbf177527367676028151e36d340923f033
101833Author: Brad Spengler <spender@grsecurity.net>
101834Date: Fri Jan 27 19:43:24 2012 -0500
101835
101836 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
101837 on loading modules with empty sections
101838
101839commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
101840Author: Brad Spengler <spender@grsecurity.net>
101841Date: Fri Jan 27 19:42:13 2012 -0500
101842
101843 compile fix
101844
101845commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
101846Author: Brad Spengler <spender@grsecurity.net>
101847Date: Fri Jan 27 19:39:28 2012 -0500
101848
101849 use LSM flags instead of duplicating checks
101850
101851commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
101852Merge: 44b9f11 558718b
101853Author: Brad Spengler <spender@grsecurity.net>
101854Date: Fri Jan 27 18:56:23 2012 -0500
101855
101856 Merge branch 'pax-test' into grsec-test
101857
101858commit 558718b2217beff69edf60f34a6f9893d910e9ac
101859Author: Brad Spengler <spender@grsecurity.net>
101860Date: Fri Jan 27 18:56:04 2012 -0500
101861
101862 Merge changes from pax-linux-3.2.2-test6.patch
101863
101864commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
101865Author: Brad Spengler <spender@grsecurity.net>
101866Date: Fri Jan 27 18:53:55 2012 -0500
101867
101868 don't increase the size of task_struct when unnecessary
101869 change ptrace_readexec log message
101870
101871commit a9c9626e054adb885883aa64f85506852894dd33
101872Author: Brad Spengler <spender@grsecurity.net>
101873Date: Fri Jan 27 18:16:28 2012 -0500
101874
101875 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
101876 the protection applies to all unreadable binaries.
101877
101878commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
101879Merge: 7b3f3af 05a1349
101880Author: Brad Spengler <spender@grsecurity.net>
101881Date: Wed Jan 25 20:52:09 2012 -0500
101882
101883 Merge branch 'pax-test' into grsec-test
101884
101885 Conflicts:
101886 block/scsi_ioctl.c
101887 drivers/scsi/sd.c
101888 fs/proc/base.c
101889
101890commit 05a134966efb9cb9346ad3422888969ffc79ac1d
101891Author: Brad Spengler <spender@grsecurity.net>
101892Date: Wed Jan 25 20:47:36 2012 -0500
101893
101894 Resync with pax-linux-3.2.2-test5.patch
101895
101896commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
101897Merge: c6d443d 3499d64
101898Author: Brad Spengler <spender@grsecurity.net>
101899Date: Wed Jan 25 20:45:16 2012 -0500
101900
101901 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
101902
101903 Conflicts:
101904 ipc/shm.c
101905
101906commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
101907Author: Brad Spengler <spender@grsecurity.net>
101908Date: Tue Jan 24 19:42:01 2012 -0500
101909
101910 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
101911 (may be changed if it breaks some userland), the other has its own
101912 config option
101913
101914 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
101915 the syscall or /proc/sys.
101916
101917 Second feature requires read access to a suid/sgid binary in order
101918 to ptrace it, preventing infoleaking of binaries in situations where
101919 the admin has specified 4711 or 2711 perms. Feature has been
101920 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
101921 a sysctl entry of ptrace_readexec
101922
101923commit 11a7bb25c411c9dccfdca5718639b4becdffd388
101924Author: Brad Spengler <spender@grsecurity.net>
101925Date: Sun Jan 22 14:37:10 2012 -0500
101926
101927 Compilation fixes
101928
101929commit cd400e21c7c352baba47d6f375297a7847afb33a
101930Author: Brad Spengler <spender@grsecurity.net>
101931Date: Sun Jan 22 14:20:27 2012 -0500
101932
101933 Initial port of grsecurity 2.2.2 for Linux 3.2.1
101934 Note that the new syscalls added to this kernel for remote process read/write
101935 are subject to ptrace hardening/other relevant RBAC features
101936 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
101937 as well
101938 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
101939 you should be using a version of gcc with plugin support
101940
101941commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
101942Author: Brad Spengler <spender@grsecurity.net>
101943Date: Sun Jan 22 11:47:31 2012 -0500
101944
101945 Import pax-linux-3.2.1-test5.patch
101946commit bfd7db842f835f9837cd43644459b3a95b0b488d
101947Author: Brad Spengler <spender@grsecurity.net>
101948Date: Sun Jan 22 11:02:02 2012 -0500
101949
101950 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
101951 instead of returning -EACCES
101952 thanks to Wraith from irc for the report
101953
101954commit 873ac13576506cd48ddb527c2540f274e249da50
101955Merge: 34083dd 8a44fcc
101956Author: Brad Spengler <spender@grsecurity.net>
101957Date: Fri Jan 20 18:04:02 2012 -0500
101958
101959 Merge branch 'pax-test' into grsec-test
101960
101961commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
101962Author: Brad Spengler <spender@grsecurity.net>
101963Date: Fri Jan 20 18:02:15 2012 -0500
101964
101965 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
101966 Denies executable shared memory when MPROTECT is active
101967 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
101968
101969commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
101970Author: Brad Spengler <spender@grsecurity.net>
101971Date: Thu Jan 19 20:23:14 2012 -0500
101972
101973 Introduce new GRKERNSEC_SETXID implementation
101974 We're not able to change the credentials of other threads in the process until at most
101975 one syscall after the first thread does it, since we mark the threads as needing rescheduling
101976 and such work occurs on syscall exit.
101977 This does however ensure that we're only modifying the current task's credentials
101978 which upholds RCU expectations
101979
101980 Many thanks to corsac for testing
101981
101982commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
101983Author: Brad Spengler <spender@grsecurity.net>
101984Date: Thu Jan 19 17:42:48 2012 -0500
101985
101986 Simplify backport
101987
101988commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
101989Author: Brad Spengler <spender@grsecurity.net>
101990Date: Thu Jan 19 17:08:16 2012 -0500
101991
101992 Commit the latest silent fix for a local privilege escalation from Linus
101993 Also disable writing to /proc/pid/mem
101994 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
101995
101996commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
101997Merge: 0394a3f 7e6299b
101998Author: Brad Spengler <spender@grsecurity.net>
101999Date: Wed Jan 18 20:22:09 2012 -0500
102000
102001 Merge branch 'pax-test' into grsec-test
102002
102003commit 7e6299b4733c082dde930375dd207b63237751ec
102004Merge: 83555fb 9bb1282
102005Author: Brad Spengler <spender@grsecurity.net>
102006Date: Wed Jan 18 20:21:37 2012 -0500
102007
102008 Merge branch 'linux-3.1.y' into pax-test
102009
102010commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
102011Author: Jesper Juhl <jj@chaosbits.net>
102012Date: Sun Jan 8 22:44:29 2012 +0100
102013
102014 audit: always follow va_copy() with va_end()
102015
102016 A call to va_copy() should always be followed by a call to va_end() in
102017 the same function. In kernel/autit.c::audit_log_vformat() this is not
102018 always done. This patch makes sure va_end() is always called.
102019
102020 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
102021 Cc: Al Viro <viro@zeniv.linux.org.uk>
102022 Cc: Eric Paris <eparis@redhat.com>
102023 Cc: Andrew Morton <akpm@linux-foundation.org>
102024 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102025
102026commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
102027Author: Andi Kleen <ak@linux.intel.com>
102028Date: Thu Jan 12 17:20:30 2012 -0800
102029
102030 panic: don't print redundant backtraces on oops
102031
102032 When an oops causes a panic and panic prints another backtrace it's pretty
102033 common to have the original oops data be scrolled away on a 80x50 screen.
102034
102035 The second backtrace is quite redundant and not needed anyways.
102036
102037 So don't print the panic backtrace when oops_in_progress is true.
102038
102039 [akpm@linux-foundation.org: add comment]
102040 Signed-off-by: Andi Kleen <ak@linux.intel.com>
102041 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
102042 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
102043 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102044
102045commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
102046Author: Miklos Szeredi <mszeredi@suse.cz>
102047Date: Thu Jan 12 17:59:46 2012 +0100
102048
102049 fsnotify: don't BUG in fsnotify_destroy_mark()
102050
102051 Removing the parent of a watched file results in "kernel BUG at
102052 fs/notify/mark.c:139".
102053
102054 To reproduce
102055
102056 add "-w /tmp/audit/dir/watched_file" to audit.rules
102057 rm -rf /tmp/audit/dir
102058
102059 This is caused by fsnotify_destroy_mark() being called without an
102060 extra reference taken by the caller.
102061
102062 Reported by Francesco Cosoleto here:
102063
102064 https://bugzilla.novell.com/show_bug.cgi?id=689860
102065
102066 Fix by removing the BUG_ON and adding a comment about not accessing mark after
102067 the iput.
102068
102069 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
102070 CC: stable@vger.kernel.org
102071 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102072
102073commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
102074Author: Paolo Bonzini <pbonzini@redhat.com>
102075Date: Thu Jan 12 16:01:28 2012 +0100
102076
102077 block: fail SCSI passthrough ioctls on partition devices
102078
102079 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
102080 will pass the command to the underlying block device. This is
102081 well-known, but it is also a large security problem when (via Unix
102082 permissions, ACLs, SELinux or a combination thereof) a program or user
102083 needs to be granted access only to part of the disk.
102084
102085 This patch lets partitions forward a small set of harmless ioctls;
102086 others are logged with printk so that we can see which ioctls are
102087 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
102088 Of course it was being sent to a (partition on a) hard disk, so it would
102089 have failed with ENOTTY and the patch isn't changing anything in
102090 practice. Still, I'm treating it specially to avoid spamming the logs.
102091
102092 In principle, this restriction should include programs running with
102093 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
102094 /dev/sdb, it still should not be able to read/write outside the
102095 boundaries of /dev/sda2 independent of the capabilities. However, for
102096 now programs with CAP_SYS_RAWIO will still be allowed to send the
102097 ioctls. Their actions will still be logged.
102098
102099 This patch does not affect the non-libata IDE driver. That driver
102100 however already tests for bd != bd->bd_contains before issuing some
102101 ioctl; it could be restricted further to forbid these ioctls even for
102102 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
102103
102104 Cc: linux-scsi@vger.kernel.org
102105 Cc: Jens Axboe <axboe@kernel.dk>
102106 Cc: James Bottomley <JBottomley@parallels.com>
102107 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
102108 [ Make it also print the command name when warning - Linus ]
102109 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102110
102111commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
102112Author: Paolo Bonzini <pbonzini@redhat.com>
102113Date: Thu Jan 12 16:01:27 2012 +0100
102114
102115 block: add and use scsi_blk_cmd_ioctl
102116
102117 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
102118
102119 The function will then be enhanced to detect partition block devices
102120 and, in that case, subject the ioctls to whitelisting.
102121
102122 Cc: linux-scsi@vger.kernel.org
102123 Cc: Jens Axboe <axboe@kernel.dk>
102124 Cc: James Bottomley <JBottomley@parallels.com>
102125 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
102126 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102127
102128commit 97a79814903fc350e1d13704ea31528a42705401
102129Author: Kees Cook <keescook@chromium.org>
102130Date: Sat Jan 7 10:41:04 2012 -0800
102131
102132 audit: treat s_id as an untrusted string
102133
102134 The use of s_id should go through the untrusted string path, just to be
102135 extra careful.
102136
102137 Signed-off-by: Kees Cook <keescook@chromium.org>
102138 Acked-by: Mimi Zohar <zohar@us.ibm.com>
102139 Signed-off-by: Eric Paris <eparis@redhat.com>
102140
102141commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
102142Author: Xi Wang <xi.wang@gmail.com>
102143Date: Tue Dec 20 18:39:41 2011 -0500
102144
102145 audit: fix signedness bug in audit_log_execve_info()
102146
102147 In the loop, a size_t "len" is used to hold the return value of
102148 audit_log_single_execve_arg(), which returns -1 on error. In that
102149 case the error handling (len <= 0) will be bypassed since "len" is
102150 unsigned, and the loop continues with (p += len) being wrapped.
102151 Change the type of "len" to signed int to fix the error handling.
102152
102153 size_t len;
102154 ...
102155 for (...) {
102156 len = audit_log_single_execve_arg(...);
102157 if (len <= 0)
102158 break;
102159 p += len;
102160 }
102161
102162 Signed-off-by: Xi Wang <xi.wang@gmail.com>
102163 Signed-off-by: Eric Paris <eparis@redhat.com>
102164
102165commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
102166Author: Dan Carpenter <dan.carpenter@oracle.com>
102167Date: Tue Jan 17 03:28:51 2012 -0300
102168
102169 [media] ds3000: using logical && instead of bitwise &
102170
102171 The intent here was to test if the FE_HAS_LOCK was set. The current
102172 test is equivalent to "if (status) { ..."
102173
102174 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
102175 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
102176
102177commit 36522330dc59d2fc70c042f3f081d75c32b6259a
102178Author: Brad Spengler <spender@grsecurity.net>
102179Date: Mon Jan 16 13:10:38 2012 -0500
102180
102181 Ignore the 0 signal for protected task RBAC checks
102182
102183commit d513acd55f7a683f6e146a4f570cdb63300479ab
102184Author: Brad Spengler <spender@grsecurity.net>
102185Date: Mon Jan 16 11:56:13 2012 -0500
102186
102187 whitespace cleanup
102188
102189commit ced261c4b82818c700aff8487f647f6f3e5b5122
102190Merge: d48751f 83555fb
102191Author: Brad Spengler <spender@grsecurity.net>
102192Date: Fri Jan 13 20:12:54 2012 -0500
102193
102194 Merge branch 'pax-test' into grsec-test
102195
102196commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
102197Merge: fcd8129 93dad39
102198Author: Brad Spengler <spender@grsecurity.net>
102199Date: Fri Jan 13 20:12:43 2012 -0500
102200
102201 Merge branch 'linux-3.1.y' into pax-test
102202
102203commit d48751f3919ae855fda0ff6c149db82442329253
102204Author: Brad Spengler <spender@grsecurity.net>
102205Date: Wed Jan 11 19:05:47 2012 -0500
102206
102207 Call our own set_user when forcing change to new id
102208
102209commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
102210Merge: e6578ff fcd8129
102211Author: Brad Spengler <spender@grsecurity.net>
102212Date: Tue Jan 10 16:00:10 2012 -0500
102213
102214 Merge branch 'pax-test' into grsec-test
102215
102216commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
102217Author: Brad Spengler <spender@grsecurity.net>
102218Date: Tue Jan 10 15:58:43 2012 -0500
102219
102220 Merge changes from pax-linux-3.1.8-test23.patch
102221
102222commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
102223Merge: 8859ec3 a120549
102224Author: Brad Spengler <spender@grsecurity.net>
102225Date: Fri Jan 6 21:45:56 2012 -0500
102226
102227 Merge branch 'pax-test' into grsec-test
102228
102229commit a12054967a77090de1caa07c41e694a77db4e237
102230Author: Brad Spengler <spender@grsecurity.net>
102231Date: Fri Jan 6 21:45:30 2012 -0500
102232
102233 Merge changes from pax-linux-3.1.8-test22.patch
102234
102235commit 8859ec32f9815c274df65448f9f2960176c380d3
102236Merge: a5016b4 ddd4114
102237Author: Brad Spengler <spender@grsecurity.net>
102238Date: Fri Jan 6 21:26:08 2012 -0500
102239
102240 Merge branch 'pax-test' into grsec-test
102241
102242 Conflicts:
102243 fs/binfmt_elf.c
102244 security/Kconfig
102245
102246commit ddd41147e158a79704983a409b7433eba797cf66
102247Author: Brad Spengler <spender@grsecurity.net>
102248Date: Fri Jan 6 21:12:42 2012 -0500
102249
102250 Resync with PaX patch (whitespace difference)
102251
102252commit 29e569df8205c5f0e043fe4803aa984406c8b118
102253Author: Brad Spengler <spender@grsecurity.net>
102254Date: Fri Jan 6 21:09:47 2012 -0500
102255
102256 Merge changes from pax-linux-3.1.8-test21.patch
102257
102258commit a5016b4f9c09c337b17e063a7f369af1e86d944d
102259Merge: 0124c92 04231d5
102260Author: Brad Spengler <spender@grsecurity.net>
102261Date: Fri Jan 6 18:52:20 2012 -0500
102262
102263 Merge branch 'pax-test' into grsec-test
102264
102265commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
102266Merge: 7bdddeb a919904
102267Author: Brad Spengler <spender@grsecurity.net>
102268Date: Fri Jan 6 18:51:50 2012 -0500
102269
102270 Merge branch 'linux-3.1.y' into pax-test
102271
102272 Conflicts:
102273 include/net/flow.h
102274
102275commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
102276Author: Brad Spengler <spender@grsecurity.net>
102277Date: Fri Jan 6 18:33:05 2012 -0500
102278
102279 Make GRKERNSEC_SETXID option compatible with credential debugging
102280
102281commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
102282Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
102283Date: Wed Dec 28 15:57:11 2011 -0800
102284
102285 mm/mempolicy.c: refix mbind_range() vma issue
102286
102287 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
102288 slightly incorrect fix.
102289
102290 Why? Think following case.
102291
102292 1. map 4 pages of a file at offset 0
102293
102294 [0123]
102295
102296 2. map 2 pages just after the first mapping of the same file but with
102297 page offset 2
102298
102299 [0123][23]
102300
102301 3. mbind() 2 pages from the first mapping at offset 2.
102302 mbind_range() should treat new vma is,
102303
102304 [0123][23]
102305 |23|
102306 mbind vma
102307
102308 but it does
102309
102310 [0123][23]
102311 |01|
102312 mbind vma
102313
102314 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
102315
102316 This patch fixes it.
102317
102318 [testcase]
102319 test result - before the patch
102320
102321 case4: 126: test failed. expect '2,4', actual '2,2,2'
102322 case5: passed
102323 case6: passed
102324 case7: passed
102325 case8: passed
102326 case_n: 246: test failed. expect '4,2', actual '1,4'
102327
102328 ------------[ cut here ]------------
102329 kernel BUG at mm/filemap.c:135!
102330 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
102331
102332 (snip long bug on messages)
102333
102334 test result - after the patch
102335
102336 case4: passed
102337 case5: passed
102338 case6: passed
102339 case7: passed
102340 case8: passed
102341 case_n: passed
102342
102343 source: mbind_vma_test.c
102344 ============================================================
102345 #include <numaif.h>
102346 #include <numa.h>
102347 #include <sys/mman.h>
102348 #include <stdio.h>
102349 #include <unistd.h>
102350 #include <stdlib.h>
102351 #include <string.h>
102352
102353 static unsigned long pagesize;
102354 void* mmap_addr;
102355 struct bitmask *nmask;
102356 char buf[1024];
102357 FILE *file;
102358 char retbuf[10240] = "";
102359 int mapped_fd;
102360
102361 char *rubysrc = "ruby -e '\
102362 pid = %d; \
102363 vstart = 0x%llx; \
102364 vend = 0x%llx; \
102365 s = `pmap -q #{pid}`; \
102366 rary = []; \
102367 s.each_line {|line|; \
102368 ary=line.split(\" \"); \
102369 addr = ary[0].to_i(16); \
102370 if(vstart <= addr && addr < vend) then \
102371 rary.push(ary[1].to_i()/4); \
102372 end; \
102373 }; \
102374 print rary.join(\",\"); \
102375 '";
102376
102377 void init(void)
102378 {
102379 void* addr;
102380 char buf[128];
102381
102382 nmask = numa_allocate_nodemask();
102383 numa_bitmask_setbit(nmask, 0);
102384
102385 pagesize = getpagesize();
102386
102387 sprintf(buf, "%s", "mbind_vma_XXXXXX");
102388 mapped_fd = mkstemp(buf);
102389 if (mapped_fd == -1)
102390 perror("mkstemp "), exit(1);
102391 unlink(buf);
102392
102393 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
102394 perror("lseek "), exit(1);
102395 if (write(mapped_fd, "\0", 1) < 0)
102396 perror("write "), exit(1);
102397
102398 addr = mmap(NULL, pagesize*8, PROT_NONE,
102399 MAP_SHARED, mapped_fd, 0);
102400 if (addr == MAP_FAILED)
102401 perror("mmap "), exit(1);
102402
102403 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
102404 perror("mprotect "), exit(1);
102405
102406 mmap_addr = addr + pagesize;
102407
102408 /* make page populate */
102409 memset(mmap_addr, 0, pagesize*6);
102410 }
102411
102412 void fin(void)
102413 {
102414 void* addr = mmap_addr - pagesize;
102415 munmap(addr, pagesize*8);
102416
102417 memset(buf, 0, sizeof(buf));
102418 memset(retbuf, 0, sizeof(retbuf));
102419 }
102420
102421 void mem_bind(int index, int len)
102422 {
102423 int err;
102424
102425 err = mbind(mmap_addr+pagesize*index, pagesize*len,
102426 MPOL_BIND, nmask->maskp, nmask->size, 0);
102427 if (err)
102428 perror("mbind "), exit(err);
102429 }
102430
102431 void mem_interleave(int index, int len)
102432 {
102433 int err;
102434
102435 err = mbind(mmap_addr+pagesize*index, pagesize*len,
102436 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
102437 if (err)
102438 perror("mbind "), exit(err);
102439 }
102440
102441 void mem_unbind(int index, int len)
102442 {
102443 int err;
102444
102445 err = mbind(mmap_addr+pagesize*index, pagesize*len,
102446 MPOL_DEFAULT, NULL, 0, 0);
102447 if (err)
102448 perror("mbind "), exit(err);
102449 }
102450
102451 void Assert(char *expected, char *value, char *name, int line)
102452 {
102453 if (strcmp(expected, value) == 0) {
102454 fprintf(stderr, "%s: passed\n", name);
102455 return;
102456 }
102457 else {
102458 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
102459 name, line,
102460 expected, value);
102461 // exit(1);
102462 }
102463 }
102464
102465 /*
102466 AAAA
102467 PPPPPPNNNNNN
102468 might become
102469 PPNNNNNNNNNN
102470 case 4 below
102471 */
102472 void case4(void)
102473 {
102474 init();
102475 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
102476
102477 mem_bind(0, 4);
102478 mem_unbind(2, 2);
102479
102480 file = popen(buf, "r");
102481 fread(retbuf, sizeof(retbuf), 1, file);
102482 Assert("2,4", retbuf, "case4", __LINE__);
102483
102484 fin();
102485 }
102486
102487 /*
102488 AAAA
102489 PPPPPPNNNNNN
102490 might become
102491 PPPPPPPPPPNN
102492 case 5 below
102493 */
102494 void case5(void)
102495 {
102496 init();
102497 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
102498
102499 mem_bind(0, 2);
102500 mem_bind(2, 2);
102501
102502 file = popen(buf, "r");
102503 fread(retbuf, sizeof(retbuf), 1, file);
102504 Assert("4,2", retbuf, "case5", __LINE__);
102505
102506 fin();
102507 }
102508
102509 /*
102510 AAAA
102511 PPPPNNNNXXXX
102512 might become
102513 PPPPPPPPPPPP 6
102514 */
102515 void case6(void)
102516 {
102517 init();
102518 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
102519
102520 mem_bind(0, 2);
102521 mem_bind(4, 2);
102522 mem_bind(2, 2);
102523
102524 file = popen(buf, "r");
102525 fread(retbuf, sizeof(retbuf), 1, file);
102526 Assert("6", retbuf, "case6", __LINE__);
102527
102528 fin();
102529 }
102530
102531 /*
102532 AAAA
102533 PPPPNNNNXXXX
102534 might become
102535 PPPPPPPPXXXX 7
102536 */
102537 void case7(void)
102538 {
102539 init();
102540 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
102541
102542 mem_bind(0, 2);
102543 mem_interleave(4, 2);
102544 mem_bind(2, 2);
102545
102546 file = popen(buf, "r");
102547 fread(retbuf, sizeof(retbuf), 1, file);
102548 Assert("4,2", retbuf, "case7", __LINE__);
102549
102550 fin();
102551 }
102552
102553 /*
102554 AAAA
102555 PPPPNNNNXXXX
102556 might become
102557 PPPPNNNNNNNN 8
102558 */
102559 void case8(void)
102560 {
102561 init();
102562 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
102563
102564 mem_bind(0, 2);
102565 mem_interleave(4, 2);
102566 mem_interleave(2, 2);
102567
102568 file = popen(buf, "r");
102569 fread(retbuf, sizeof(retbuf), 1, file);
102570 Assert("2,4", retbuf, "case8", __LINE__);
102571
102572 fin();
102573 }
102574
102575 void case_n(void)
102576 {
102577 init();
102578 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
102579
102580 /* make redundunt mappings [0][1234][34][7] */
102581 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
102582 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
102583
102584 /* Expect to do nothing. */
102585 mem_unbind(2, 2);
102586
102587 file = popen(buf, "r");
102588 fread(retbuf, sizeof(retbuf), 1, file);
102589 Assert("4,2", retbuf, "case_n", __LINE__);
102590
102591 fin();
102592 }
102593
102594 int main(int argc, char** argv)
102595 {
102596 case4();
102597 case5();
102598 case6();
102599 case7();
102600 case8();
102601 case_n();
102602
102603 return 0;
102604 }
102605 =============================================================
102606
102607 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
102608 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
102609 Cc: Minchan Kim <minchan.kim@gmail.com>
102610 Cc: Caspar Zhang <caspar@casparzhang.com>
102611 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
102612 Cc: Christoph Lameter <cl@linux.com>
102613 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
102614 Cc: Mel Gorman <mel@csn.ul.ie>
102615 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
102616 Cc: <stable@vger.kernel.org> [3.1.x]
102617 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
102618 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102619
102620commit f3a1082005781777086df235049f8c0b7efe524e
102621Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
102622Date: Tue Dec 27 22:32:41 2011 -0500
102623
102624 packet: fix possible dev refcnt leak when bind fail
102625
102626 If bind is fail when bind is called after set PACKET_FANOUT
102627 sock option, the dev refcnt will leak.
102628
102629 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
102630 Signed-off-by: David S. Miller <davem@davemloft.net>
102631
102632commit 915f8b08dac68839dc7204ee81cf9852fda16d24
102633Author: Haogang Chen <haogangchen@gmail.com>
102634Date: Mon Dec 19 17:11:56 2011 -0800
102635
102636 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
102637
102638 There is a potential integer overflow in nilfs_ioctl_clean_segments().
102639 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
102640 call to vmalloc() will allocate a buffer smaller than expected, which
102641 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
102642 lfs_clean_segments().
102643
102644 The following check does not prevent the overflow because nsegs is also
102645 controlled by the userspace and could be very large.
102646
102647 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
102648 goto out_free;
102649
102650 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
102651 returns -EINVAL when overflow.
102652
102653 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
102654 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
102655 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
102656 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102657
102658commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
102659Author: Kautuk Consul <consul.kautuk@gmail.com>
102660Date: Mon Dec 19 17:12:04 2011 -0800
102661
102662 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
102663
102664 Static storage is not required for the struct vmap_area in
102665 __get_vm_area_node.
102666
102667 Removing "static" to store this variable on the stack instead.
102668
102669 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
102670 Acked-by: David Rientjes <rientjes@google.com>
102671 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
102672 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102673
102674commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
102675Author: Michel Lespinasse <walken@google.com>
102676Date: Mon Dec 19 17:12:06 2011 -0800
102677
102678 binary_sysctl(): fix memory leak
102679
102680 binary_sysctl() calls sysctl_getname() which allocates from names_cache
102681 slab usin __getname()
102682
102683 The matching function to free the name is __putname(), and not putname()
102684 which should be used only to match getname() allocations.
102685
102686 This is because when auditing is enabled, putname() calls audit_putname
102687 *instead* (not in addition) to __putname(). Then, if a syscall is in
102688 progress, audit_putname does not release the name - instead, it expects
102689 the name to get released when the syscall completes, but that will happen
102690 only if audit_getname() was called previously, i.e. if the name was
102691 allocated with getname() rather than the naked __getname(). So,
102692 __getname() followed by putname() ends up leaking memory.
102693
102694 Signed-off-by: Michel Lespinasse <walken@google.com>
102695 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
102696 Cc: Christoph Hellwig <hch@infradead.org>
102697 Cc: Eric Paris <eparis@redhat.com>
102698 Cc: <stable@vger.kernel.org>
102699 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
102700 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
102701
102702commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
102703Author: Sean Hefty <sean.hefty@intel.com>
102704Date: Tue Dec 6 21:17:11 2011 +0000
102705
102706 RDMA/cma: Verify private data length
102707
102708 private_data_len is defined as a u8. If the user specifies a large
102709 private_data size (> 220 bytes), we will calculate a total length that
102710 exceeds 255, resulting in private_data_len wrapping back to 0. This
102711 can lead to overwriting random kernel memory. Avoid this by verifying
102712 that the resulting size fits into a u8.
102713
102714 Reported-by: B. Thery <benjamin.thery@bull.net>
102715 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
102716 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
102717 Signed-off-by: Roland Dreier <roland@purestorage.com>
102718
102719commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
102720Author: Xi Wang <xi.wang@gmail.com>
102721Date: Sun Dec 11 23:40:56 2011 -0800
102722
102723 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
102724
102725 The error check (intr_status < 0) didn't work because intr_status is
102726 a u8. Change its type to signed int.
102727
102728 Signed-off-by: Xi Wang <xi.wang@gmail.com>
102729 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
102730
102731commit e27f34e383d7863b2528a63b81b23db09781f6b6
102732Author: Xi Wang <xi.wang@gmail.com>
102733Date: Fri Dec 16 12:44:15 2011 +0000
102734
102735 sctp: fix incorrect overflow check on autoclose
102736
102737 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
102738 limiting the autoclose value. If userspace passes in -1 on 32-bit
102739 platform, the overflow check didn't work and autoclose would be set
102740 to 0xffffffff.
102741
102742 This patch defines a max_autoclose (in seconds) for limiting the value
102743 and exposes it through sysctl, with the following intentions.
102744
102745 1) Avoid overflowing autoclose * HZ.
102746
102747 2) Keep the default autoclose bound consistent across 32- and 64-bit
102748 platforms (INT_MAX / HZ in this patch).
102749
102750 3) Keep the autoclose value consistent between setsockopt() and
102751 getsockopt() calls.
102752
102753 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
102754 Signed-off-by: Xi Wang <xi.wang@gmail.com>
102755 Signed-off-by: David S. Miller <davem@davemloft.net>
102756
102757commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
102758Author: Xi Wang <xi.wang@gmail.com>
102759Date: Wed Dec 21 05:18:33 2011 -0500
102760
102761 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
102762
102763 Commit e133e737 didn't correctly fix the integer overflow issue.
102764
102765 - unsigned int required_size;
102766 + u64 required_size;
102767 ...
102768 required_size = mode_cmd->pitch * mode_cmd->height;
102769 - if (unlikely(required_size > dev_priv->vram_size)) {
102770 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
102771
102772 Note that both pitch and height are u32. Their product is still u32 and
102773 would overflow before being assigned to required_size. A correct way is
102774 to convert pitch and height to u64 before the multiplication.
102775
102776 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
102777
102778 This patch calls the existing vmw_kms_validate_mode_vram() for
102779 validation.
102780
102781 Signed-off-by: Xi Wang <xi.wang@gmail.com>
102782 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
102783 Signed-off-by: Dave Airlie <airlied@redhat.com>
102784
102785 Conflicts:
102786
102787 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
102788
102789commit eb8f0bd01fb994c9abc77dc84729794cd841753d
102790Author: Xi Wang <xi.wang@gmail.com>
102791Date: Thu Dec 22 13:35:22 2011 +0000
102792
102793 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
102794
102795 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
102796 cause a kernel oops due to insufficient bounds checking.
102797
102798 if (count > 1<<30) {
102799 /* Enforce a limit to prevent overflow */
102800 return -EINVAL;
102801 }
102802 count = roundup_pow_of_two(count);
102803 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
102804
102805 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
102806
102807 ... + (count * sizeof(struct rps_dev_flow))
102808
102809 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
102810 32 bits.
102811
102812 This patch replaces the magic number (1 << 30) with a symbolic bound.
102813
102814 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
102815 Signed-off-by: Xi Wang <xi.wang@gmail.com>
102816 Signed-off-by: David S. Miller <davem@davemloft.net>
102817
102818commit 648188958672024b616c42c1f6c98c8cfc85619d
102819Author: Xi Wang <xi.wang@gmail.com>
102820Date: Fri Dec 30 10:40:17 2011 -0500
102821
102822 netfilter: ctnetlink: fix timeout calculation
102823
102824 The sanity check (timeout < 0) never works; the dividend is unsigned
102825 and so is the division, which should have been a signed division.
102826
102827 long timeout = (ct->timeout.expires - jiffies) / HZ;
102828 if (timeout < 0)
102829 timeout = 0;
102830
102831 This patch converts the time values to signed for the division.
102832
102833 Signed-off-by: Xi Wang <xi.wang@gmail.com>
102834 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
102835
102836commit ab03a0973cee73f88655ff4981812ad316a6cd59
102837Merge: 76f82df 7bdddeb
102838Author: Brad Spengler <spender@grsecurity.net>
102839Date: Tue Jan 3 17:42:50 2012 -0500
102840
102841 Merge branch 'pax-test' into grsec-test
102842
102843commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
102844Merge: 3e59cb5 55cc81a
102845Author: Brad Spengler <spender@grsecurity.net>
102846Date: Tue Jan 3 17:42:36 2012 -0500
102847
102848 Merge branch 'linux-3.1.y' into pax-test
102849
102850commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
102851Author: Brad Spengler <spender@grsecurity.net>
102852Date: Thu Dec 22 20:15:02 2011 -0500
102853
102854 Only further restrict futex targeting another process -- our modified
102855 permission check also happened to allow a case where a process retaining
102856 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
102857 being non-zero (reported on forums by ben_w)
102858
102859commit 6b235a4450a5fea41663ec35fa0608988b6078c6
102860Merge: 97c16f0 3e59cb5
102861Author: Brad Spengler <spender@grsecurity.net>
102862Date: Thu Dec 22 19:11:06 2011 -0500
102863
102864 Merge branch 'pax-test' into grsec-test
102865
102866 Conflicts:
102867 fs/hfs/btree.c
102868
102869commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
102870Merge: 285eb4e c26f60b
102871Author: Brad Spengler <spender@grsecurity.net>
102872Date: Thu Dec 22 19:09:57 2011 -0500
102873
102874 Merge branch 'linux-3.1.y' into pax-test
102875
102876 Conflicts:
102877 arch/x86/kernel/process.c
102878
102879commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
102880Author: Brad Spengler <spender@grsecurity.net>
102881Date: Mon Dec 19 21:54:01 2011 -0500
102882
102883 Add new option: "Enforce consistent multithreaded privileges"
102884
102885commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
102886Author: Brad Spengler <spender@grsecurity.net>
102887Date: Wed Dec 7 19:58:31 2011 -0500
102888
102889 Remove harmless duplicate code -- exec_file would be null already so the
102890 second check would never pass.
102891
102892commit 4e3304e94aa72737810bc50169519af157dce4ce
102893Author: Brad Spengler <spender@grsecurity.net>
102894Date: Wed Dec 7 19:50:39 2011 -0500
102895
102896 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
102897 depended on for attaching to a thread. Entries exist in /proc for
102898 threads, but are not visible in a readdir.
102899
102900commit 1bd899335f23815cfe8deac44c6b346398f3b95e
102901Author: Brad Spengler <spender@grsecurity.net>
102902Date: Sun Dec 4 18:03:28 2011 -0500
102903
102904 Put the already-walked path if in RCU-walk mode
102905
102906commit ec7ae36b7159f10649709779443a988662965d66
102907Author: Brad Spengler <spender@grsecurity.net>
102908Date: Sun Dec 4 17:35:21 2011 -0500
102909
102910 Fix memory leak introduced by recent (unpublished) commit
102911 75ab998b94a29d464518d6d501bdde3fbfcbfa14
102912
102913commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
102914Author: Brad Spengler <spender@grsecurity.net>
102915Date: Sun Dec 4 13:56:10 2011 -0500
102916
102917 Explicitly check size copied to userland in override_release to silence gcc
102918
102919commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
102920Author: Brad Spengler <spender@grsecurity.net>
102921Date: Sun Dec 4 13:54:02 2011 -0500
102922
102923 Initialize variable to silence erroneous gcc warning
102924
102925commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
102926Author: Brad Spengler <spender@grsecurity.net>
102927Date: Sun Dec 4 13:47:47 2011 -0500
102928
102929 Future-proof other potential RCU-aware locations where we can log.
102930
102931commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
102932Author: Brad Spengler <spender@grsecurity.net>
102933Date: Sun Dec 4 13:02:54 2011 -0500
102934
102935 Fix freeze reported by 'vs' on the forums. Bug occurred due to
102936 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
102937 in generic_permission() was in the task's effective set but disallowed by
102938 RBAC, would block when acquiring locks resulting in the freeze.
102939
102940 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
102941 as being required when CAP_DAC_OVERRIDE is present (consistent with
102942 older patches).
102943
102944commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
102945Author: Xi Wang <xi.wang@gmail.com>
102946Date: Tue Nov 29 09:26:30 2011 +0000
102947
102948 sctp: better integer overflow check in sctp_auth_create_key()
102949
102950 The check from commit 30c2235c is incomplete and cannot prevent
102951 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
102952 left-hand side of the check (INT_MAX - key_len), which is unsigned,
102953 becomes 0xffffffff (UINT_MAX) and bypasses the check.
102954
102955 However this shouldn't be a security issue. The function is called
102956 from the following two code paths:
102957
102958 1) setsockopt()
102959
102960 2) sctp_auth_asoc_set_secret()
102961
102962 In case (1), sca_keylength is never going to exceed 65535 since it's
102963 bounded by a u16 from the user API. As such, the key length will
102964 never overflow.
102965
102966 In case (2), sca_keylength is computed based on the user key (1 short)
102967 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
102968 will not overflow.
102969
102970 In other words, this overflow check is not really necessary. Just
102971 make it more correct.
102972
102973 Signed-off-by: Xi Wang <xi.wang@gmail.com>
102974 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
102975 Signed-off-by: David S. Miller <davem@davemloft.net>
102976
102977commit e565e28c3635a1d50f80541fbf6b606d742fec76
102978Author: Josh Boyer <jwboyer@redhat.com>
102979Date: Fri Aug 19 14:50:26 2011 -0400
102980
102981 fs/minix: Verify bitmap block counts before mounting
102982
102983 Newer versions of MINIX can create filesystems that allocate an extra
102984 bitmap block. Mounting of this succeeds, but doing a statfs call will
102985 result in an oops in count_free because of a negative number being used
102986 for the bh index.
102987
102988 Avoid this by verifying the number of allocated blocks at mount time,
102989 erroring out if there are not enough and make statfs ignore the extras
102990 if there are too many.
102991
102992 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
102993
102994 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
102995 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
102996
102997commit 6e134e398ec1a3f428261680e83df4319e64bed9
102998Author: Julia Lawall <julia@diku.dk>
102999Date: Tue Nov 15 14:53:11 2011 -0800
103000
103001 drivers/gpu/vga/vgaarb.c: add missing kfree
103002
103003 kbuf is a buffer that is local to this function, so all of the error paths
103004 leaving the function should release it.
103005
103006 Signed-off-by: Julia Lawall <julia@diku.dk>
103007 Cc: Jesper Juhl <jj@chaosbits.net>
103008 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
103009 Signed-off-by: Dave Airlie <airlied@redhat.com>
103010
103011commit 2b9057b321e36860e8d63985b5c4e496f254b717
103012Author: Brad Spengler <spender@grsecurity.net>
103013Date: Sat Dec 3 21:33:28 2011 -0500
103014
103015 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
103016
103017commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
103018Author: Brad Spengler <spender@grsecurity.net>
103019Date: Sat Dec 3 21:29:37 2011 -0500
103020
103021 Import pax-linux-3.1.4-test18.patch
103022
103023commit 285eb4ea45d853ae00426b3315a61c1368080dad
103024Author: Brad Spengler <spender@grsecurity.net>
103025Date: Sat Dec 10 18:33:46 2011 -0500
103026
103027 Import changes from pax-linux-3.1.5-test20.patch
103028
103029commit a6bda918fc90ec1d5c387e978d147ad2044153f1
103030Author: Brad Spengler <spender@grsecurity.net>
103031Date: Thu Dec 8 20:55:54 2011 -0500
103032
103033 Import changes from pax-linux-3.1.4-test19.patch
103034
103035commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
103036Author: Brad Spengler <spender@grsecurity.net>
103037Date: Sat Dec 3 21:29:37 2011 -0500
103038
103039 Import pax-linux-3.1.4-test18.patch
103040commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
103041Author: Brad Spengler <spender@grsecurity.net>
103042Date: Thu Jul 4 23:05:14 2013 -0400
103043
103044 always enforce a non-zero gap for RAND_THREADSTACK
103045
103046 mm/mmap.c | 2 +-
103047 1 files changed, 1 insertions(+), 1 deletions(-)
103048
103049commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
103050Author: Brad Spengler <spender@grsecurity.net>
103051Date: Thu Jul 4 16:09:28 2013 -0400
103052
103053 fix up file comparisons
103054
103055 grsecurity/gracl_segv.c | 2 +-
103056 grsecurity/grsec_sig.c | 4 ++--
103057 include/linux/grinternal.h | 12 ++++++++++++
103058 3 files changed, 15 insertions(+), 3 deletions(-)
103059
103060commit a1fff2c95162314626dd96bec71d951a8c1c4708
103061Author: Brad Spengler <spender@grsecurity.net>
103062Date: Thu Jul 4 15:33:18 2013 -0400
103063
103064 fix suid binary matching
103065
103066 grsecurity/grsec_sig.c | 2 +-
103067 1 files changed, 1 insertions(+), 1 deletions(-)
103068
103069commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
103070Merge: 37b97a9 47beb61
103071Author: Brad Spengler <spender@grsecurity.net>
103072Date: Thu Jul 4 15:02:31 2013 -0400
103073
103074 Merge branch 'pax-test' into grsec-test
103075
103076commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
103077Author: Brad Spengler <spender@grsecurity.net>
103078Date: Thu Jul 4 15:01:37 2013 -0400
103079
103080 Update to pax-linux-3.9.9-test13.patch:
103081 - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
103082 - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)
103083
103084 arch/arm/include/asm/uaccess.h | 20 ++++++++++----------
103085 arch/arm/kernel/armksyms.c | 2 +-
103086 arch/arm/kernel/entry-armv.S | 4 ++--
103087 arch/arm/mm/Kconfig | 2 +-
103088 arch/x86/ia32/ia32entry.S | 4 ++--
103089 arch/x86/include/asm/page.h | 1 +
103090 arch/x86/kernel/entry_32.S | 4 ++--
103091 arch/x86/kernel/entry_64.S | 8 ++++----
103092 arch/x86/kernel/head64.c | 12 ++++++------
103093 arch/x86/kernel/head_64.S | 16 ++++++++++++----
103094 arch/x86/mm/init.c | 8 ++++++++
103095 arch/x86/mm/init_32.c | 6 ------
103096 arch/x86/mm/init_64.c | 6 ------
103097 arch/x86/platform/efi/efi_32.c | 5 +++++
103098 arch/x86/platform/efi/efi_64.c | 10 ++++++++++
103099 15 files changed, 64 insertions(+), 44 deletions(-)
103100
103101commit 89085d2d0643813a62f23d1199a335dc1e129bc0
103102Merge: 963af7f 0adf2e7
103103Author: Brad Spengler <spender@grsecurity.net>
103104Date: Thu Jul 4 14:55:44 2013 -0400
103105
103106 Merge branch 'linux-3.9.y' into pax-test
103107
103108commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
103109Author: Brad Spengler <spender@grsecurity.net>
103110Date: Thu Jul 4 13:46:02 2013 -0400
103111
103112 fix typo
103113
103114 grsecurity/gracl.c | 2 +-
103115 1 files changed, 1 insertions(+), 1 deletions(-)
103116
103117commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
103118Author: Brad Spengler <spender@grsecurity.net>
103119Date: Thu Jul 4 13:29:51 2013 -0400
103120
103121 update log arguments
103122
103123 grsecurity/grsec_sig.c | 3 ++-
103124 1 files changed, 2 insertions(+), 1 deletions(-)
103125
103126commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
103127Author: Brad Spengler <spender@grsecurity.net>
103128Date: Thu Jul 4 13:20:23 2013 -0400
103129
103130 Update logging of suid exec ban
103131
103132 Conflicts:
103133
103134 grsecurity/grsec_sig.c
103135
103136 grsecurity/grsec_sig.c | 3 +--
103137 include/linux/grmsg.h | 1 +
103138 2 files changed, 2 insertions(+), 2 deletions(-)
103139
103140commit ef808866c070aa1901bd2224521baaf5d145a3a7
103141Author: Brad Spengler <spender@grsecurity.net>
103142Date: Thu Jul 4 12:58:33 2013 -0400
103143
103144 Additional improvements to the user banning code:
103145
103146 Separate the kernel-bruteforcing case from the suid bruteforcing case
103147 In the suid bruteforcing case, only kill existing copies of the bruteforced
103148 binary. Instead of preventing all future execs by this user, prevent them
103149 from executing any suid/sgid binaries for the next 15 minutes.
103150
103151 Kernel case is mostly unchanged from before, except the task trying to change
103152 real uid to the banned user will be terminated instead of failing the setuid
103153 call.
103154
103155 Configuration help has been updated to reflect the new changes.
103156
103157 fs/exec.c | 13 +++++---
103158 grsecurity/Kconfig | 5 ++-
103159 grsecurity/gracl.c | 6 ++--
103160 grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
103161 include/linux/grsecurity.h | 1 -
103162 include/linux/sched.h | 9 +++--
103163 6 files changed, 65 insertions(+), 45 deletions(-)
103164
103165commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
103166Author: Brad Spengler <spender@grsecurity.net>
103167Date: Wed Jul 3 16:14:09 2013 -0400
103168
103169 fix renamed export of csum_partial_copy_from_user, as reported by fabled
103170 on the forums
103171
103172 arch/arm/kernel/armksyms.c | 2 +-
103173 1 files changed, 1 insertions(+), 1 deletions(-)
103174
103175commit 318235973c2a548c3d25562645d6b69f66e85934
103176Author: Brad Spengler <spender@grsecurity.net>
103177Date: Wed Jul 3 16:09:16 2013 -0400
103178
103179 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
103180 reported on the forums by fabled
103181
103182 arch/arm/mm/Kconfig | 2 +-
103183 1 files changed, 1 insertions(+), 1 deletions(-)
103184
103185commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
103186Author: Brad Spengler <spender@grsecurity.net>
103187Date: Wed Jul 3 15:53:12 2013 -0400
103188
103189 Revise the user ban code to kill the process issuing a banned
103190 set*id instead of returning an error. For the sake of keeping
103191 unified user banning between the suid and kernel bruteforce case,
103192 we will apply this killing to the suid bruteforce case, despite
103193 a check just at exec time (that already existed) being sufficient.
103194
103195 Returning an error could enable exploitation of the "failure to check
103196 setuid return value" case which was recently effectively closed
103197 upstream, albeit in a rare situation with a suitable binary and
103198 two colluding users.
103199
103200 Many thanks to stealth for reviewing the user ban code.
103201
103202 grsecurity/gracl.c | 4 ++--
103203 grsecurity/grsec_sig.c | 16 +++++++++++++---
103204 2 files changed, 15 insertions(+), 5 deletions(-)
103205
103206commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
103207Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
103208Date: Fri Jun 28 14:15:15 2013 +0300
103209
103210 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
103211
103212 UBIFS: fix a horrid bug
103213
103214 Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
103215 mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
103216 in the middle of 'ubifs_readdir()'.
103217
103218 This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
103219 it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
103220 but this may corrupt memory and lead to all kinds of problems like crashes an
103221 security holes.
103222
103223 This patch fixes the problem by using the 'file->f_version' field, which
103224 '->llseek()' always unconditionally sets to zero. We set it to 1 in
103225 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
103226 seek and it is time to clear the state saved in 'file->private_data'.
103227
103228 I tested this patch by writing a user-space program which runds readdir and
103229 seek in parallell. I could easily crash the kernel without these patches, but
103230 could not crash it with these patches.
103231
103232 Cc: stable@vger.kernel.org
103233 Reported-by: Al Viro <viro@zeniv.linux.org.uk>
103234 Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
103235 Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
103236 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
103237
103238 fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
103239 1 files changed, 27 insertions(+), 3 deletions(-)
103240
103241commit c22280b85088978bd8b45bd23096879459b48008
103242Author: Stephane Eranian <eranian@google.com>
103243Date: Thu Jun 20 11:36:28 2013 +0200
103244
103245 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
103246
103247 perf: Disable monitoring on setuid processes for regular users
103248
103249 There was a a bug in setup_new_exec(), whereby
103250 the test to disabled perf monitoring was not
103251 correct because the new credentials for the
103252 process were not yet committed and therefore
103253 the get_dumpable() test was never firing.
103254
103255 The patch fixes the problem by moving the
103256 perf_event test until after the credentials
103257 are committed.
103258
103259 Signed-off-by: Stephane Eranian <eranian@google.com>
103260 Tested-by: Jiri Olsa <jolsa@redhat.com>
103261 Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
103262 Cc: <stable@kernel.org>
103263 Signed-off-by: Ingo Molnar <mingo@kernel.org>
103264
103265 fs/exec.c | 16 +++++++++-------
103266 1 files changed, 9 insertions(+), 7 deletions(-)
103267
103268commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
103269Author: Brad Spengler <spender@grsecurity.net>
103270Date: Sat Jun 29 13:10:02 2013 -0400
103271
103272 on context switch, make sure we switch DACR when domain support and
103273 KERNEXEC is disabled but UDEREF is enabled
103274
103275 arch/arm/kernel/entry-armv.S | 4 ++--
103276 1 files changed, 2 insertions(+), 2 deletions(-)
103277
103278commit 08d017fa51370921694ce087b28c96fec92993d4
103279Author: Michael S. Tsirkin <mst@redhat.com>
103280Date: Sun Jun 23 17:26:58 2013 +0300
103281
103282 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
103283
103284 macvtap: fix recovery from gup errors
103285
103286 get user pages might fail partially in macvtap zero copy
103287 mode. To recover we need to put all pages that we got,
103288 but code used a wrong index resulting in double-free
103289 errors.
103290
103291 Reported-by: Brad Hubbard <bhubbard@redhat.com>
103292 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
103293 Acked-by: Jason Wang <jasowang@redhat.com>
103294 Signed-off-by: David S. Miller <davem@davemloft.net>
103295
103296 drivers/net/macvtap.c | 6 ++++--
103297 1 files changed, 4 insertions(+), 2 deletions(-)
103298
103299commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
103300Author: Michael S. Tsirkin <mst@redhat.com>
103301Date: Sun Jun 23 17:19:03 2013 +0300
103302
103303 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
103304
103305 tun: fix recovery from gup errors
103306
103307 get user pages might fail partially in tun zero copy
103308 mode. To recover we need to put all pages that we got,
103309 but code used a wrong index resulting in double-free
103310 errors.
103311
103312 Reported-by: Brad Hubbard <bhubbard@redhat.com>
103313 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
103314 Acked-by: Jason Wang <jasowang@redhat.com>
103315 Acked-by: Neil Horman <nhorman@tuxdriver.com>
103316 Signed-off-by: David S. Miller <davem@davemloft.net>
103317
103318 drivers/net/tun.c | 6 ++++--
103319 1 files changed, 4 insertions(+), 2 deletions(-)
103320
103321commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
103322Author: Balazs Peter Odor <balazs@obiserver.hu>
103323Date: Sat Jun 22 19:24:43 2013 +0200
103324
103325 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
103326
103327 netfilter: nf_nat_sip: fix mangling
103328
103329 In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
103330 there were some missing brackets around the logging information, thus
103331 always returning drop.
103332
103333 Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
103334
103335 Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
103336 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
103337
103338 net/netfilter/nf_nat_sip.c | 3 ++-
103339 1 files changed, 2 insertions(+), 1 deletions(-)
103340
103341commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
103342Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
103343Date: Sun Jun 2 16:30:40 2013 -0400
103344
103345 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
103346
103347 Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
103348
103349 If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
103350 controller, memory corruption happens due to a memcpy() call with
103351 negative length.
103352
103353 Fix this crash on either incoming or outgoing connections with a MTU
103354 smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
103355
103356 [ 46.885433] BUG: unable to handle kernel paging request at f56ad000
103357 [ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
103358 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
103359 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
103360 [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
103361 [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
103362 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
103363 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
103364 [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
103365 [ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
103366 [ 46.888037] EIP is at memcpy+0x1d/0x40
103367 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
103368 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
103369 [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
103370 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
103371 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
103372 [ 46.888037] DR6: ffff0ff0 DR7: 00000400
103373 [ 46.888037] Stack:
103374 [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
103375 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
103376 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
103377 [ 46.888037] Call Trace:
103378 [ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
103379 [ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
103380 [ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
103381 [ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
103382 [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
103383 [ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
103384 [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
103385 [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
103386 [ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
103387 [ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
103388 [ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
103389 [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
103390 [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
103391 [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
103392 [ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
103393 [ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
103394 [ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
103395 [ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
103396 [ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
103397 [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
103398 [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
103399 [ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
103400 [ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
103401 [ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
103402 [ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
103403 [ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
103404 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
103405 [ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
103406 [ 46.888037] CR2: 00000000f56ad000
103407 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
103408
103409 Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
103410 Cc: stable@vger.kernel.org
103411 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
103412 Signed-off-by: John W. Linville <linville@tuxdriver.com>
103413
103414 net/bluetooth/l2cap_core.c | 3 +++
103415 1 files changed, 3 insertions(+), 0 deletions(-)
103416
103417commit b0471b6c1160858fc646d8e94628fd1299f61692
103418Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
103419Date: Fri Jun 21 19:55:11 2013 +0530
103420
103421 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
103422
103423 Bluetooth: Fix invalid length check in l2cap_information_rsp()
103424
103425 The length check is invalid since the length varies with type of
103426 info response.
103427
103428 This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
103429
103430 Because of this, l2cap info rsp is not handled and command reject is sent.
103431
103432 > ACL data: handle 11 flags 0x02 dlen 16
103433 L2CAP(s): Info rsp: type 2 result 0
103434 Extended feature mask 0x00b8
103435 Enhanced Retransmission mode
103436 Streaming mode
103437 FCS Option
103438 Fixed Channels
103439 < ACL data: handle 11 flags 0x00 dlen 10
103440 L2CAP(s): Command rej: reason 0
103441 Command not understood
103442
103443 Cc: stable@vger.kernel.org
103444 Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
103445 Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
103446 Acked-by: Johan Hedberg <johan.hedberg@intel.com>
103447 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
103448
103449 net/bluetooth/l2cap_core.c | 2 +-
103450 1 files changed, 1 insertions(+), 1 deletions(-)
103451
103452commit 4184af98c360d825e638b268b1a9847232e8d299
103453Author: Eric Dumazet <edumazet@google.com>
103454Date: Wed Jun 26 04:15:07 2013 -0700
103455
103456 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
103457
103458 ipv6: ip6_sk_dst_check() must not assume ipv6 dst
103459
103460 It's possible to use AF_INET6 sockets and to connect to an IPv4
103461 destination. After this, socket dst cache is a pointer to a rtable,
103462 not rt6_info.
103463
103464 ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
103465 various corruptions/crashes can happen.
103466
103467 Dave Jones can reproduce immediate crash with
103468 trinity -q -l off -n -c sendmsg -c connect
103469
103470 With help from Hannes Frederic Sowa
103471
103472 Reported-by: Dave Jones <davej@redhat.com>
103473 Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
103474 Signed-off-by: Eric Dumazet <edumazet@google.com>
103475 Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
103476 Signed-off-by: David S. Miller <davem@davemloft.net>
103477
103478 net/ipv6/ip6_output.c | 8 +++++++-
103479 1 files changed, 7 insertions(+), 1 deletions(-)
103480
103481commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
103482Author: Zefan Li <lizefan@huawei.com>
103483Date: Wed Jun 26 15:29:54 2013 +0800
103484
103485 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
103486
103487 dlci: acquire rtnl_lock before calling __dev_get_by_name()
103488
103489 Otherwise the net device returned can be freed at anytime.
103490
103491 Signed-off-by: Li Zefan <lizefan@huawei.com>
103492 Cc: stable@vger.kernel.org
103493 Signed-off-by: David S. Miller <davem@davemloft.net>
103494
103495 drivers/net/wan/dlci.c | 14 +++++++++-----
103496 1 files changed, 9 insertions(+), 5 deletions(-)
103497
103498commit 1fe6f23c9acd14d832d056909ff326bde418e645
103499Author: Zefan Li <lizefan@huawei.com>
103500Date: Wed Jun 26 15:31:58 2013 +0800
103501
103502 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
103503
103504 dlci: validate the net device in dlci_del()
103505
103506 We triggered an oops while running trinity with 3.4 kernel:
103507
103508 BUG: unable to handle kernel paging request at 0000000100000d07
103509 IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
103510 PGD 640c0d067 PUD 0
103511 Oops: 0000 [#1] PREEMPT SMP
103512 CPU 3
103513 ...
103514 Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
103515 RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
103516 ...
103517 Call Trace:
103518 [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
103519 [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
103520 [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
103521 [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
103522 [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
103523 ...
103524
103525 It's because the net device is not a dlci device.
103526
103527 Reported-by: Li Jinyue <lijinyue@huawei.com>
103528 Signed-off-by: Li Zefan <lizefan@huawei.com>
103529 Cc: stable@vger.kernel.org
103530 Signed-off-by: David S. Miller <davem@davemloft.net>
103531
103532 drivers/net/wan/dlci.c | 12 ++++++++++++
103533 1 files changed, 12 insertions(+), 0 deletions(-)
103534
103535commit 4d4464407611527ef6b6b5475cfcab6121b3da66
103536Merge: 59571a9 963af7f
103537Author: Brad Spengler <spender@grsecurity.net>
103538Date: Thu Jun 27 18:54:52 2013 -0400
103539
103540 Merge branch 'pax-test' into grsec-test
103541
103542commit 963af7f7f591759b731ce6325ceb583a72fcf423
103543Merge: c51e25a 55db48a
103544Author: Brad Spengler <spender@grsecurity.net>
103545Date: Thu Jun 27 18:54:42 2013 -0400
103546
103547 Merge branch 'linux-3.9.y' into pax-test
103548
103549commit 59571a9db7485f530a1e865a13cacc4c991ec41f
103550Author: Brad Spengler <spender@grsecurity.net>
103551Date: Wed Jun 26 18:39:08 2013 -0400
103552
103553 From: Mathias Krause <minipli@googlemail.com>
103554 To: Steffen Klassert <steffen.klassert@secunet.com>,
103555 "David S. Miller" <davem@davemloft.net>
103556 Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
103557 Herbert Xu <herbert@gondor.apana.org.au>
103558 Subject: [PATCH] af_key: fix info leaks in notify messages
103559
103560 key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
103561 the sadb_msg_reserved member of the broadcasted message and thereby
103562 leak 2 bytes of heap memory to listeners. Fix that.
103563
103564 Signed-off-by: Mathias Krause <minipli@googlemail.com>
103565 Cc: Steffen Klassert <steffen.klassert@secunet.com>
103566 Cc: "David S. Miller" <davem@davemloft.net>
103567 Cc: Herbert Xu <herbert@gondor.apana.org.au>
103568
103569 net/key/af_key.c | 2 ++
103570 1 files changed, 2 insertions(+), 0 deletions(-)
103571
103572commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
103573Author: Brad Spengler <spender@grsecurity.net>
103574Date: Wed Jun 26 18:33:06 2013 -0400
103575
103576 update rand_threadstack code to continue the search for a gap if the first
103577 choice doesn't have enough space, instead of returning ENOMEM
103578
103579 mm/mmap.c | 17 ++++++++++-------
103580 1 files changed, 10 insertions(+), 7 deletions(-)
103581
103582commit 87020d4a4d83038d65ff1fd519938840f6888b9e
103583Merge: 2682346 c51e25a
103584Author: Brad Spengler <spender@grsecurity.net>
103585Date: Wed Jun 26 18:25:32 2013 -0400
103586
103587 Merge branch 'pax-test' into grsec-test
103588
103589commit c51e25a23f30a1198076bd085f19b2073caf164d
103590Author: Brad Spengler <spender@grsecurity.net>
103591Date: Wed Jun 26 18:24:54 2013 -0400
103592
103593 Update to pax-linux-3.9.7-test12.patch:
103594 - fixed a regression on PARAVIRT/amd64 kernels
103595 - simplified the recent vm_unmapped_area_info based change
103596
103597 arch/x86/kernel/entry_64.S | 8 ++++----
103598 mm/mmap.c | 22 ++++++++++++----------
103599 2 files changed, 16 insertions(+), 14 deletions(-)
103600
103601commit 26823469a08e59cb67bea18d448d9e8c65f82e08
103602Author: Brad Spengler <spender@grsecurity.net>
103603Date: Tue Jun 25 21:26:51 2013 -0400
103604
103605 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
103606 vm_unmapped_area code is complete
103607
103608 arch/x86/kernel/sys_i386_32.c | 5 +++++
103609 grsecurity/Kconfig | 2 +-
103610 mm/mmap.c | 11 ++++++++++-
103611 3 files changed, 16 insertions(+), 2 deletions(-)
103612
103613commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
103614Merge: e58fe8c c4e0704
103615Author: Brad Spengler <spender@grsecurity.net>
103616Date: Tue Jun 25 19:08:52 2013 -0400
103617
103618 Merge branch 'pax-test' into grsec-test
103619
103620 Conflicts:
103621 arch/x86/kernel/sys_i386_32.c
103622
103623commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
103624Author: Brad Spengler <spender@grsecurity.net>
103625Date: Tue Jun 25 19:05:39 2013 -0400
103626
103627 Update to pax-linux-3.9.7-test11.patch:
103628 - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
103629 - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
103630 - fixed the recent nested nmi related fixes some more
103631 - fixed a regression in kernel memory initialization on relocatable i386 kernels
103632 - empty_zero_page can be read-only on amd64 as well
103633
103634 arch/arm/mm/mmap.c | 6 --
103635 arch/x86/kernel/entry_64.S | 8 +--
103636 arch/x86/kernel/head_64.S | 1 -
103637 arch/x86/kernel/setup.c | 2 +-
103638 arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++----------------------------
103639 drivers/lguest/core.c | 2 +-
103640 include/linux/mm.h | 6 +-
103641 include/linux/vmalloc.h | 2 +-
103642 mm/mmap.c | 30 +++++++-
103643 9 files changed, 83 insertions(+), 134 deletions(-)
103644
103645commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
103646Author: Brad Spengler <spender@grsecurity.net>
103647Date: Sun Jun 23 14:37:14 2013 -0400
103648
103649 second compile fix, reported by forsaken on forums
103650
103651 include/linux/vmalloc.h | 2 +-
103652 1 files changed, 1 insertions(+), 1 deletions(-)
103653
103654commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
103655Author: Brad Spengler <spender@grsecurity.net>
103656Date: Sun Jun 23 14:36:35 2013 -0400
103657
103658 compile fix, reported by KDE on forums
103659
103660 kernel/printk.c | 7 -------
103661 1 files changed, 0 insertions(+), 7 deletions(-)
103662
103663commit 1fc9a5e2e267205d28302e1e86ca0da434561111
103664Author: Ben Hutchings <ben@decadent.org.uk>
103665Date: Sun Jun 16 21:27:12 2013 +0100
103666
103667 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
103668
103669 x86/efi: Fix dummy variable buffer allocation
103670
103671 1. Check for allocation failure
103672 2. Clear the buffer contents, as they may actually be written to flash
103673 3. Don't leak the buffer
103674
103675 Compile-tested only.
103676
103677 [ Tested successfully on my buggy ASUS machine - Matt ]
103678
103679 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
103680 Cc: stable@vger.kernel.org
103681 Signed-off-by: Matt Fleming <matt.fleming@intel.com>
103682
103683 arch/x86/platform/efi/efi.c | 7 ++++++-
103684 1 files changed, 6 insertions(+), 1 deletions(-)
103685
103686commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
103687Author: Dave Kleikamp <dave.kleikamp@oracle.com>
103688Date: Tue Jun 18 09:05:36 2013 -0500
103689
103690 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
103691
103692 sparc: tsb must be flushed before tlb
103693
103694 This fixes a race where a cpu may re-load a tlb from a stale tsb right
103695 after it has been flushed by a remote function call.
103696
103697 I still see some instability when stressing the system with parallel
103698 kernel builds while creating memory pressure by writing to
103699 /proc/sys/vm/nr_hugepages, but this patch improves the stability
103700 significantly.
103701
103702 Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
103703 Acked-by: Bob Picco <bob.picco@oracle.com>
103704 Signed-off-by: David S. Miller <davem@davemloft.net>
103705
103706 arch/sparc/mm/tlb.c | 2 +-
103707 1 files changed, 1 insertions(+), 1 deletions(-)
103708
103709commit d93b62f6485db9aadda34322a6867868db07f56f
103710Merge: 4ef62f5 71d83e9
103711Author: Brad Spengler <spender@grsecurity.net>
103712Date: Fri Jun 21 16:52:55 2013 -0400
103713
103714 Merge branch 'pax-test' into grsec-test
103715
103716 Conflicts:
103717 security/Kconfig
103718
103719commit 71d83e97c936563913bcfb5a25c45b2021a331eb
103720Author: Brad Spengler <spender@grsecurity.net>
103721Date: Fri Jun 21 16:48:42 2013 -0400
103722
103723 Update to pax-linux-3.9.7-test10.patch:
103724 - fixed a few format string problems uncovered by -Wformat-nonliteral
103725 - another attempt at fixing the nested nmi/cr0.wp problem
103726 - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
103727 - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
103728 - fixed a locking issue with track_exec_limit reported by spender
103729 - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)
103730
103731 Documentation/dontdiff | 1 +
103732 arch/x86/boot/compressed/efi_stub_32.S | 16 ++-----
103733 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
103734 arch/x86/kernel/e820.c | 4 +-
103735 arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------
103736 arch/x86/kernel/vmlinux.lds.S | 2 +-
103737 block/genhd.c | 11 +++--
103738 crypto/algapi.c | 2 +-
103739 crypto/pcrypt.c | 6 +-
103740 drivers/base/attribute_container.c | 2 +-
103741 drivers/base/power/sysfs.c | 2 +-
103742 drivers/block/nbd.c | 2 +-
103743 drivers/cdrom/cdrom.c | 2 +-
103744 drivers/char/hw_random/intel-rng.c | 2 +-
103745 drivers/char/mem.c | 2 +-
103746 drivers/devfreq/devfreq.c | 2 +-
103747 drivers/gpu/drm/drm_encoder_slave.c | 6 +--
103748 drivers/gpu/drm/drm_sysfs.c | 2 +-
103749 drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
103750 drivers/iommu/irq_remapping.c | 2 +-
103751 drivers/video/output.c | 2 +-
103752 fs/ext4/mmp.c | 2 +-
103753 fs/ext4/super.c | 2 +-
103754 fs/lockd/svc.c | 2 +-
103755 fs/nfs/callback.c | 4 +-
103756 fs/nfs/nfs4state.c | 2 +-
103757 fs/nfsd/nfscache.c | 3 +-
103758 init/initramfs.c | 2 +-
103759 kernel/rcutree.c | 2 +-
103760 lib/kobject.c | 2 +-
103761 mm/backing-dev.c | 4 +-
103762 mm/mmap.c | 4 +-
103763 mm/slub.c | 2 +-
103764 mm/vmalloc.c | 15 +++----
103765 net/bluetooth/hci_core.c | 8 ++--
103766 net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
103767 net/sunrpc/svc.c | 2 +-
103768 security/Kconfig | 15 +++---
103769 sound/core/sound.c | 2 +-
103770 sound/sound_core.c | 2 +-
103771 40 files changed, 116 insertions(+), 111 deletions(-)
103772
103773commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
103774Merge: 39efd8f 256eff7
103775Author: Brad Spengler <spender@grsecurity.net>
103776Date: Fri Jun 21 16:45:15 2013 -0400
103777
103778 Merge branch 'pax-test' into grsec-test
103779
103780 Conflicts:
103781 kernel/printk.c
103782
103783commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
103784Merge: e6e3059 485f25f
103785Author: Brad Spengler <spender@grsecurity.net>
103786Date: Thu Jun 20 22:14:24 2013 -0400
103787
103788 Merge branch 'linux-3.9.y' into pax-test
103789
103790commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
103791Author: Brad Spengler <spender@grsecurity.net>
103792Date: Tue Jun 18 17:20:18 2013 -0400
103793
103794 add apparmor compat patch
103795
103796 security/apparmor/Kconfig | 9 ++
103797 security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
103798 2 files changed, 240 insertions(+), 0 deletions(-)
103799
103800commit 49bee3c5341687504669bf62becf4a419a226ba0
103801Author: Brad Spengler <spender@grsecurity.net>
103802Date: Mon Jun 17 18:48:04 2013 -0400
103803
103804 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
103805
103806 This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.
103807
103808 kernel/sys.c | 29 +++--------------------------
103809 1 files changed, 3 insertions(+), 26 deletions(-)
103810
103811commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
103812Author: Al Viro <viro@ZenIV.linux.org.uk>
103813Date: Sun Jun 16 18:06:06 2013 +0100
103814
103815 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
103816
103817 lseek(fd, n, SEEK_END) does *not* go to eof - n
103818
103819 When you copy some code, you are supposed to read it. If nothing else,
103820 there's a chance to spot and fix an obvious bug instead of sharing it...
103821
103822 X-Song: "I Got It From Agnes", by Tom Lehrer
103823 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
103824 [ Tom Lehrer? You're dating yourself, Al ]
103825 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
103826
103827 drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
103828 drivers/scsi/bfa/bfad_debugfs.c | 2 +-
103829 drivers/scsi/fnic/fnic_debugfs.c | 2 +-
103830 drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
103831 4 files changed, 4 insertions(+), 4 deletions(-)
103832
103833commit 5a450f1c46f0c84379518aee878993d3f4a331b6
103834Author: Theodore Ts'o <tytso@mit.edu>
103835Date: Thu Jun 6 11:14:31 2013 -0400
103836
103837 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
103838
103839 ext4: verify group number in verify_group_input() before using it
103840
103841 Check the group number for sanity earilier, before calling routines
103842 such as ext4_bg_has_super() or ext4_group_overhead_blocks().
103843
103844 Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
103845 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
103846
103847 fs/ext4/resize.c | 17 +++++++++++------
103848 1 files changed, 11 insertions(+), 6 deletions(-)
103849
103850commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
103851Author: Neil Horman <nhorman@tuxdriver.com>
103852Date: Wed Jun 12 14:26:44 2013 -0400
103853
103854 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
103855
103856 sctp: fully initialize sctp_outq in sctp_outq_init
103857
103858 In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
103859 (refactor sctp_outq_teardown to insure proper re-initalization)
103860 we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
103861 outq structure. Steve West recently asked me why I removed the q->error = 0
103862 initalization from sctp_outq_teardown. I did so because I was operating under
103863 the impression that sctp_outq_init would properly initalize that value for us,
103864 but it doesn't. sctp_outq_init operates under the assumption that the outq
103865 struct is all 0's (as it is when called from sctp_association_init), but using
103866 it in __sctp_outq_teardown violates that assumption. We should do a memset in
103867 sctp_outq_init to ensure that the entire structure is in a known state there
103868 instead.
103869
103870 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
103871 Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
103872 CC: Vlad Yasevich <vyasevich@gmail.com>
103873 CC: netdev@vger.kernel.org
103874 CC: davem@davemloft.net
103875 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
103876 Signed-off-by: David S. Miller <davem@davemloft.net>
103877
103878 Conflicts:
103879
103880 net/sctp/outqueue.c
103881
103882 net/sctp/outqueue.c | 8 ++------
103883 1 files changed, 2 insertions(+), 6 deletions(-)
103884
103885commit e13515ad7a9c7634599a105b2527752e527a905d
103886Author: Saurabh Mohan <saurabh@vyatta.com>
103887Date: Mon Jun 10 17:45:10 2013 -0700
103888
103889 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
103890
103891 net/ipv4: ip_vti clear skb cb before tunneling.
103892
103893 If users apply shaper to vti tunnel then it will cause a kernel crash. The
103894 problem seems to be due to the vti_tunnel_xmit function not clearing
103895 skb->opt field before passing the packet to xfrm tunneling code.
103896
103897 Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
103898 Acked-by: Stephen Hemminger <stephen@networkplumber.org>
103899 Signed-off-by: David S. Miller <davem@davemloft.net>
103900
103901 net/ipv4/ip_vti.c | 3 +--
103902 1 files changed, 1 insertions(+), 2 deletions(-)
103903
103904commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
103905Author: Guillaume Nault <g.nault@alphalink.fr>
103906Date: Wed Jun 12 16:07:36 2013 +0200
103907
103908 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
103909
103910 l2tp: Fix sendmsg() return value
103911
103912 PPPoL2TP sockets should comply with the standard send*() return values
103913 (i.e. return number of bytes sent instead of 0 upon success).
103914
103915 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
103916 Signed-off-by: David S. Miller <davem@davemloft.net>
103917
103918 net/l2tp/l2tp_ppp.c | 2 +-
103919 1 files changed, 1 insertions(+), 1 deletions(-)
103920
103921commit af361b412e816e894fb42ddff7a0545b7def64c0
103922Author: Guillaume Nault <g.nault@alphalink.fr>
103923Date: Wed Jun 12 16:07:23 2013 +0200
103924
103925 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
103926
103927 l2tp: Fix PPP header erasure and memory leak
103928
103929 Copy user data after PPP framing header. This prevents erasure of the
103930 added PPP header and avoids leaking two bytes of uninitialised memory
103931 at the end of skb's data buffer.
103932
103933 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
103934 Signed-off-by: David S. Miller <davem@davemloft.net>
103935
103936 net/l2tp/l2tp_ppp.c | 4 ++--
103937 1 files changed, 2 insertions(+), 2 deletions(-)
103938
103939commit 1f43aca088c35dda35abf76e08544e534c71fed4
103940Author: Daniel Borkmann <dborkman@redhat.com>
103941Date: Wed Jun 12 16:02:27 2013 +0200
103942
103943 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
103944
103945 packet: packet_getname_spkt: make sure string is always 0-terminated
103946
103947 uaddr->sa_data is exactly of size 14, which is hard-coded here and
103948 passed as a size argument to strncpy(). A device name can be of size
103949 IFNAMSIZ (== 16), meaning we might leave the destination string
103950 unterminated. Thus, use strlcpy() and also sizeof() while we're
103951 at it. We need to memset the data area beforehand, since strlcpy
103952 does not padd the remaining buffer with zeroes for user space, so
103953 that we do not possibly leak anything.
103954
103955 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
103956 Signed-off-by: David S. Miller <davem@davemloft.net>
103957
103958 net/packet/af_packet.c | 5 ++---
103959 1 files changed, 2 insertions(+), 3 deletions(-)
103960
103961commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
103962Author: Andy Lutomirski <luto@amacapital.net>
103963Date: Wed Jun 5 19:38:26 2013 +0000
103964
103965 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
103966
103967 net: Unbreak compat_sys_{send,recv}msg
103968
103969 I broke them in this commit:
103970
103971 commit 1be374a0518a288147c6a7398792583200a67261
103972 Author: Andy Lutomirski <luto@amacapital.net>
103973 Date: Wed May 22 14:07:44 2013 -0700
103974
103975 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
103976
103977 This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
103978 MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It
103979 also reverts some unnecessary checks in sys_socketcall.
103980
103981 Apparently I was suffering from underscore blindness the first time around.
103982
103983 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
103984 Tested-by: Eric Dumazet <edumazet@google.com>
103985 Signed-off-by: David S. Miller <davem@davemloft.net>
103986
103987 include/linux/socket.h | 3 ++
103988 net/compat.c | 13 +++++++-
103989 net/socket.c | 72 ++++++++++++++++++++++--------------------------
103990 3 files changed, 47 insertions(+), 41 deletions(-)
103991
103992commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
103993Author: Andy Lutomirski <luto@amacapital.net>
103994Date: Wed May 22 14:07:44 2013 -0700
103995
103996 Upstream commit: 1be374a0518a288147c6a7398792583200a67261
103997
103998 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
103999
104000 To: linux-kernel@vger.kernel.org
104001 Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
104002 Miller" <davem@davemloft.net>
104003 Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
104004
104005 MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
104006 it's a hack that steals a bit to indicate to other networking code
104007 that a compat entry was used. So don't allow it from a non-compat
104008 syscall.
104009
104010 This prevents an oops when running this code:
104011
104012 int main()
104013 {
104014 int s;
104015 struct sockaddr_in addr;
104016 struct msghdr *hdr;
104017
104018 char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
104019 PROT_READ | PROT_WRITE,
104020 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
104021 if (highpage == MAP_FAILED)
104022 err(1, "mmap");
104023
104024 s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
104025 if (s == -1)
104026 err(1, "socket");
104027
104028 addr.sin_family = AF_INET;
104029 addr.sin_port = htons(1);
104030 addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
104031 if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
104032 err(1, "connect");
104033
104034 void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
104035 printf("Evil address is %p\n", evil);
104036
104037 if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
104038 err(1, "sendmmsg");
104039
104040 return 0;
104041 }
104042
104043 Cc: David S. Miller <davem@davemloft.net>
104044 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
104045 Signed-off-by: David S. Miller <davem@davemloft.net>
104046
104047 net/socket.c | 33 +++++++++++++++++++++++++++++++--
104048 1 files changed, 31 insertions(+), 2 deletions(-)
104049
104050commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
104051Author: Kees Cook <keescook@chromium.org>
104052Date: Fri May 10 14:48:21 2013 -0700
104053
104054 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
104055
104056 b43: stop format string leaking into error msgs
104057
104058 The module parameter "fwpostfix" is userspace controllable, unfiltered,
104059 and is used to define the firmware filename. b43_do_request_fw() populates
104060 ctx->errors[] on error, containing the firmware filename. b43err()
104061 parses its arguments as a format string. For systems with b43 hardware,
104062 this could lead to a uid-0 to ring-0 escalation.
104063
104064 CVE-2013-2852
104065
104066 Signed-off-by: Kees Cook <keescook@chromium.org>
104067 Cc: stable@vger.kernel.org
104068 Signed-off-by: John W. Linville <linville@tuxdriver.com>
104069
104070 drivers/net/wireless/b43/main.c | 2 +-
104071 1 files changed, 1 insertions(+), 1 deletions(-)
104072
104073commit dfb67a67049ace7b94ad7e2febfac69816d50d85
104074Author: Mark A. Greer <mgreer@animalcreek.com>
104075Date: Wed May 29 12:25:34 2013 -0700
104076
104077 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
104078
104079 mwifiex: debugfs: Fix out of bounds array access
104080
104081 When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
104082 the following panic occurs:
104083
104084 $ cat /sys/kernel/debug/mwifiex/p2p0/info
104085 Unable to handle kernel paging request at virtual address 74706164
104086 pgd = de530000
104087 [74706164] *pgd=00000000
104088 Internal error: Oops: 5 [#1] SMP ARM
104089 Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
104090 CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
104091 task: de16b6c0 ti: de048000 task.ti: de048000
104092 PC is at strnlen+0xc/0x4c
104093 LR is at string+0x3c/0xf8
104094 pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013
104095 sp : de049e10 ip : c06efba0 fp : de6d2092
104096 r10: bf01a260 r9 : ffffffff r8 : 74706164
104097 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000
104098 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164
104099 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
104100 Control: 10c5387d Table: 9e530019 DAC: 00000015
104101 Process cat (pid: 1635, stack limit = 0xde048240)
104102 Stack: (0xde049e10 to 0xde04a000)
104103 9e00: de6d2092 00000002 bf01a25e de6d209c
104104 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
104105 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
104106 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
104107 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
104108 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
104109 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
104110 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
104111 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
104112 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
104113 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
104114 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
104115 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
104116 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
104117 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
104118 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
104119 [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
104120 [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
104121 [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
104122 [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
104123 [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
104124 [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
104125 [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
104126 Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
104127 ---[ end trace ca98273dc605a04f ]---
104128
104129 The panic is caused by the mwifiex_info_read() routine assuming that
104130 there can only be four modes (0-3) which is an invalid assumption.
104131 For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
104132 code accesses data beyond the bounds of the bss_modes[] array which
104133 causes the panic. Fix this by updating bss_modes[] to support the
104134 current list of modes and adding a check to prevent the out-of-bounds
104135 access from occuring in the future when more modes are added.
104136
104137 Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
104138 Acked-by: Bing Zhao <bzhao@marvell.com>
104139 Signed-off-by: John W. Linville <linville@tuxdriver.com>
104140
104141 drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
104142 1 files changed, 17 insertions(+), 5 deletions(-)
104143
104144commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
104145Author: Johan Hedberg <johan.hedberg@intel.com>
104146Date: Tue May 28 13:46:30 2013 +0300
104147
104148 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
104149
104150 Bluetooth: Fix missing length checks for L2CAP signalling PDUs
104151
104152 There has been code in place to check that the L2CAP length header
104153 matches the amount of data received, but many PDU handlers have not been
104154 checking that the data received actually matches that expected by the
104155 specific PDU. This patch adds passing the length header to the specific
104156 handler functions and ensures that those functions fail cleanly in the
104157 case of an incorrect amount of data.
104158
104159 Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
104160 Cc: stable@vger.kernel.org
104161 Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
104162 Signed-off-by: John W. Linville <linville@tuxdriver.com>
104163
104164 net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++-----------
104165 1 files changed, 52 insertions(+), 18 deletions(-)
104166
104167commit 628be2427afb241b5a1aa24bc5907d05287e1f25
104168Author: Dan Carpenter <dan.carpenter@oracle.com>
104169Date: Mon Jun 3 12:00:49 2013 +0300
104170
104171 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
104172
104173 ipvs: info leak in __ip_vs_get_dest_entries()
104174
104175 The entry struct has a 2 byte hole after ->port and another 4 byte
104176 hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your
104177 namespace to hit this information leak.
104178
104179 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
104180 Acked-by: Julian Anastasov <ja@ssi.bg>
104181 Signed-off-by: Simon Horman <horms@verge.net.au>
104182 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
104183
104184 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
104185 1 files changed, 1 insertions(+), 0 deletions(-)
104186
104187commit 066d9226bc6c569d5f420c978b758e0bddd23444
104188Author: Robin Holt <holt@sgi.com>
104189Date: Wed Jun 12 14:04:37 2013 -0700
104190
104191 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
104192
104193 reboot: rigrate shutdown/reboot to boot cpu
104194
104195 We recently noticed that reboot of a 1024 cpu machine takes approx 16
104196 minutes of just stopping the cpus. The slowdown was tracked to commit
104197 f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
104198 kernel_restart()").
104199
104200 The current implementation does all the work of hot removing the cpus
104201 before halting the system. We are switching to just migrating to the
104202 boot cpu and then continuing with shutdown/reboot.
104203
104204 This also has the effect of not breaking x86's command line parameter
104205 for specifying the reboot cpu. Note, this code was shamelessly copied
104206 from arch/x86/kernel/reboot.c with bits removed pertaining to the
104207 reboot_cpu command line parameter.
104208
104209 Signed-off-by: Robin Holt <holt@sgi.com>
104210 Tested-by: Shawn Guo <shawn.guo@linaro.org>
104211 Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
104212 Cc: H. Peter Anvin <hpa@zytor.com>
104213 Cc: Thomas Gleixner <tglx@linutronix.de>
104214 Cc: Ingo Molnar <mingo@elte.hu>
104215 Cc: Russ Anderson <rja@sgi.com>
104216 Cc: Robin Holt <holt@sgi.com>
104217 Cc: Russell King <linux@arm.linux.org.uk>
104218 Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
104219 Cc: <stable@vger.kernel.org>
104220 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
104221 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
104222
104223 kernel/sys.c | 29 ++++++++++++++++++++++++++---
104224 1 files changed, 26 insertions(+), 3 deletions(-)
104225
104226commit 94e2a91600b07d39825e7059195f35eb611a39a2
104227Merge: 20cc761 e6e3059
104228Author: Brad Spengler <spender@grsecurity.net>
104229Date: Thu Jun 13 16:23:46 2013 -0400
104230
104231 Merge branch 'pax-test' into grsec-test
104232
104233commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
104234Merge: c6aadb1 4b73feb
104235Author: Brad Spengler <spender@grsecurity.net>
104236Date: Thu Jun 13 16:23:39 2013 -0400
104237
104238 Merge branch 'linux-3.9.y' into pax-test
104239
104240commit 20cc7613e38cde07adc73179a91d6c15292e8d43
104241Author: Daniel Borkmann <dborkman@redhat.com>
104242Date: Thu Jun 6 15:53:47 2013 +0200
104243
104244 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
104245
104246 net: sctp: fix NULL pointer dereference in socket destruction
104247
104248 While stress testing sctp sockets, I hit the following panic:
104249
104250 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
104251 IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
104252 PGD 7cead067 PUD 7ce76067 PMD 0
104253 Oops: 0000 [#1] SMP
104254 Modules linked in: sctp(F) libcrc32c(F) [...]
104255 CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
104256 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
104257 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
104258 RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
104259 RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
104260 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
104261 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
104262 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
104263 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
104264 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
104265 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
104266 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
104267 CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
104268 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
104269 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
104270 Stack:
104271 ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
104272 ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
104273 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
104274 Call Trace:
104275 [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
104276 [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
104277 [<ffffffff814df36e>] inet_create+0x2ae/0x350
104278 [<ffffffff81455a6f>] __sock_create+0x11f/0x240
104279 [<ffffffff81455bf0>] sock_create+0x30/0x40
104280 [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
104281 [<ffffffff815403be>] ? do_page_fault+0xe/0x10
104282 [<ffffffff8153cb32>] ? page_fault+0x22/0x30
104283 [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
104284 Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
104285 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
104286 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
104287 RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
104288 RSP <ffff88007b569e08>
104289 CR2: 0000000000000020
104290 ---[ end trace e0d71ec1108c1dd9 ]---
104291
104292 I did not hit this with the lksctp-tools functional tests, but with a
104293 small, multi-threaded test program, that heavily allocates, binds,
104294 listens and waits in accept on sctp sockets, and then randomly kills
104295 some of them (no need for an actual client in this case to hit this).
104296 Then, again, allocating, binding, etc, and then killing child processes.
104297
104298 This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
104299 is set. The cause for that is actually very simple: in sctp_endpoint_init()
104300 we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
104301 our crypto transforms through crypto_alloc_hash(). In our scenario,
104302 it then can happen that crypto_alloc_hash() fails with -EINTR from
104303 crypto_larval_wait(), thus we bail out and release the socket via
104304 sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
104305 dereference as soon as we try to access members in the endpoint during
104306 sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
104307 if we have that case, we do not need to do any cleanup work and just
104308 leave the destruction handler.
104309
104310 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
104311 Acked-by: Neil Horman <nhorman@tuxdriver.com>
104312 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
104313 Signed-off-by: David S. Miller <davem@davemloft.net>
104314
104315 net/sctp/socket.c | 6 ++++++
104316 1 files changed, 6 insertions(+), 0 deletions(-)
104317
104318commit 386ba837978cc8a1111440bdcd8600f2df4634a4
104319Author: Brad Spengler <spender@grsecurity.net>
104320Date: Wed Jun 12 20:37:48 2013 -0400
104321
104322 fix deadlock when booting i386 kernel without NX
104323
104324 mm/mmap.c | 4 +++-
104325 1 files changed, 3 insertions(+), 1 deletions(-)
104326
104327commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
104328Author: Brad Spengler <spender@grsecurity.net>
104329Date: Tue Jun 11 22:18:07 2013 -0400
104330
104331 fix elif / elif defined() typo in recent change
104332
104333 kernel/events/core.c | 2 +-
104334 1 files changed, 1 insertions(+), 1 deletions(-)
104335
104336commit bc43377e1e757cd37a06be0187884a42af718aab
104337Merge: 3cdea63 c6aadb1
104338Author: Brad Spengler <spender@grsecurity.net>
104339Date: Tue Jun 11 18:50:39 2013 -0400
104340
104341 Merge branch 'pax-test' into grsec-test
104342
104343commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
104344Author: Brad Spengler <spender@grsecurity.net>
104345Date: Tue Jun 11 18:49:36 2013 -0400
104346
104347 Update to pax-linux-3.9.4-test9.patch:
104348 - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
104349 - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort
104350
104351 arch/x86/kernel/setup.c | 2 +-
104352 mm/mlock.c | 1 -
104353 2 files changed, 1 insertions(+), 2 deletions(-)
104354
104355commit 3cdea63e90607d8d55820b101854091623feedb8
104356Author: Brad Spengler <spender@grsecurity.net>
104357Date: Mon Jun 10 21:21:44 2013 -0400
104358
104359 Fix fanotify infoleak reported by Dan Carpenter at:
104360 https://lkml.org/lkml/2013/6/3/128
104361
104362 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets
104363
104364 fs/notify/fanotify/fanotify_user.c | 1 +
104365 1 files changed, 1 insertions(+), 0 deletions(-)
104366
104367commit 373a2b5df78f82b9d3db72bd6577e29a71591323
104368Author: Brad Spengler <spender@grsecurity.net>
104369Date: Mon Jun 10 21:16:46 2013 -0400
104370
104371 Backport infoleak fix by Dan Carpenter in cpqarray:
104372 https://lkml.org/lkml/2013/6/3/131
104373
104374 drivers/block/cpqarray.c | 1 +
104375 1 files changed, 1 insertions(+), 0 deletions(-)
104376
104377commit 251e84b9b05e063981b20be154c9389862f94759
104378Author: Brad Spengler <spender@grsecurity.net>
104379Date: Mon Jun 10 21:04:17 2013 -0400
104380
104381 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2
104382
104383 drivers/cdrom/cdrom.c | 4 ++--
104384 1 files changed, 2 insertions(+), 2 deletions(-)
104385
104386commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
104387Author: Brad Spengler <spender@grsecurity.net>
104388Date: Mon Jun 10 18:34:32 2013 -0400
104389
104390 change const to __read_only
104391
104392 kernel/sysctl.c | 18 +++++++++---------
104393 1 files changed, 9 insertions(+), 9 deletions(-)
104394
104395commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
104396Author: Brad Spengler <spender@grsecurity.net>
104397Date: Mon Jun 10 17:34:13 2013 -0400
104398
104399 compile fix, make const values const
104400
104401 kernel/sysctl.c | 18 +++++++++---------
104402 1 files changed, 9 insertions(+), 9 deletions(-)
104403
104404commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
104405Author: Brad Spengler <spender@grsecurity.net>
104406Date: Mon Jun 10 17:37:13 2013 -0400
104407
104408 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a
104409
104410 drivers/char/mwave/tp3780i.c | 1 +
104411 1 files changed, 1 insertions(+), 0 deletions(-)
104412
104413commit 1c590aa70c95ebd76ba9672aa23d800b81780615
104414Author: Brad Spengler <spender@grsecurity.net>
104415Date: Sun Jun 9 19:50:35 2013 -0400
104416
104417 allow -1 perf_event_paranoid
104418
104419 kernel/sysctl.c | 2 +-
104420 1 files changed, 1 insertions(+), 1 deletions(-)
104421
104422commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
104423Merge: 4e85539 117c3fa
104424Author: Brad Spengler <spender@grsecurity.net>
104425Date: Sun Jun 9 17:30:12 2013 -0400
104426
104427 Merge branch 'pax-test' into grsec-test
104428
104429commit 117c3fa8d26c3806103123560f807d99071b60b6
104430Merge: ed9b427 5dd2e98
104431Author: Brad Spengler <spender@grsecurity.net>
104432Date: Sun Jun 9 17:30:00 2013 -0400
104433
104434 Merge branch 'linux-3.9.y' into pax-test
104435
104436commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
104437Author: Eric Dumazet <edumazet@google.com>
104438Date: Mon May 13 21:25:52 2013 +0000
104439
104440 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
104441
104442 tcp: fix tcp_md5_hash_skb_data()
104443
104444 TCP md5 communications fail [1] for some devices, because sg/crypto code
104445 assume page offsets are below PAGE_SIZE.
104446
104447 This was discovered using mlx4 driver [2], but I suspect loopback
104448 might trigger the same bug now we use order-3 pages in tcp_sendmsg()
104449
104450 [1] Failure is giving following messages.
104451
104452 huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
104453 exited with 00000101?
104454
104455 [2] mlx4 driver uses order-2 pages to allocate RX frags
104456
104457 Reported-by: Matt Schnall <mischnal@google.com>
104458 Signed-off-by: Eric Dumazet <edumazet@google.com>
104459 Cc: Bernhard Beck <bbeck@google.com>
104460 Signed-off-by: David S. Miller <davem@davemloft.net>
104461
104462 net/ipv4/tcp.c | 7 +++++--
104463 1 files changed, 5 insertions(+), 2 deletions(-)
104464
104465commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
104466Author: Eric Dumazet <edumazet@google.com>
104467Date: Fri May 17 04:53:13 2013 +0000
104468
104469 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
104470
104471 ipv6: fix possible crashes in ip6_cork_release()
104472
104473 commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
104474 added some code duplication and bad error recovery, leading to potential
104475 crash in ip6_cork_release() as kfree() could be called with garbage.
104476
104477 use kzalloc() to make sure this wont happen.
104478
104479 Signed-off-by: Eric Dumazet <edumazet@google.com>
104480 Signed-off-by: David S. Miller <davem@davemloft.net>
104481 Cc: Herbert Xu <herbert@gondor.apana.org.au>
104482 Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
104483 Cc: Neal Cardwell <ncardwell@google.com>
104484
104485 net/ipv6/ip6_output.c | 2 +-
104486 1 files changed, 1 insertions(+), 1 deletions(-)
104487
104488commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
104489Author: Chen Gang <gang.chen@asianux.com>
104490Date: Thu May 16 23:13:04 2013 +0000
104491
104492 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
104493
104494 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
104495
104496 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
104497 strncpy() will always left the last byte of 'discovery->data.info'
104498 uninitialized.
104499
104500 When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
104501 the last byte of 'discovery->data.info' uninitialized, the next
104502 strlen() will cause issue.
104503
104504 Also 'discovery->data' is 'struct irda_device_info' which defined in
104505 "include/uapi/...", it may copy to user mode, so need whole initialized.
104506
104507 All together, need use kzalloc() instead of kmalloc() to initialize all
104508 members firstly.
104509
104510 Signed-off-by: Chen Gang <gang.chen@asianux.com>
104511 Signed-off-by: David S. Miller <davem@davemloft.net>
104512
104513 net/irda/irlap_frame.c | 2 +-
104514 1 files changed, 1 insertions(+), 1 deletions(-)
104515
104516commit c01c9af268cb066f240aec53454b8b74d8d01688
104517Author: Dan Carpenter <dan.carpenter@oracle.com>
104518Date: Sun May 19 08:36:36 2013 +0000
104519
104520 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
104521
104522 isdn/kcapi: fix a small underflow
104523
104524 In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
104525 from skb->data. The current code can underflow to one space before the
104526 start of the array.
104527
104528 The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
104529 it to match the others.
104530
104531 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
104532 Signed-off-by: David S. Miller <davem@davemloft.net>
104533
104534 drivers/isdn/capi/kcapi.c | 6 +++---
104535 1 files changed, 3 insertions(+), 3 deletions(-)
104536
104537commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
104538Author: Timo Teräs <timo.teras@iki.fi>
104539Date: Wed May 22 01:40:47 2013 +0000
104540
104541 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
104542
104543 xfrm: properly handle invalid states as an error
104544
104545 The error exit path needs err explicitly set. Otherwise it
104546 returns success and the only caller, xfrm_output_resume(),
104547 would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
104548 NULL.
104549
104550 Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
104551 check and add a statistic).
104552
104553 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
104554 Cc: Li RongQing <roy.qing.li@gmail.com>
104555 Cc: Steffen Klassert <steffen.klassert@secunet.com>
104556 Signed-off-by: David S. Miller <davem@davemloft.net>
104557
104558 net/xfrm/xfrm_output.c | 1 +
104559 1 files changed, 1 insertions(+), 0 deletions(-)
104560
104561commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
104562Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
104563Date: Fri May 31 15:07:52 2013 -0400
104564
104565 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
104566
104567 reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
104568
104569 After sleeping for filldir(), we check to see if the file system has
104570 changed and research. The next_pos pointer is updated but its value
104571 isn't pushed into the key used for the search itself. As a result,
104572 the search returns the same item that the last cycle of the loop did
104573 and filldir() is called multiple times with the same data.
104574
104575 The end result is that the buffer can contain the same name multiple
104576 times. This can be returned to userspace or used internally in the
104577 xattr code where it can manifest with the following warning:
104578
104579 jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
104580
104581 reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
104582 the xattr names and ends up trying to unlink the same name twice. The
104583 second attempt fails with -ENOENT and the error is returned. At some
104584 point I'll need to add support into reiserfsck to remove the orphaned
104585 directories left behind when this occurs.
104586
104587 The fix is to push the value into the key before researching.
104588
104589 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
104590 Signed-off-by: Jan Kara <jack@suse.cz>
104591
104592 fs/reiserfs/dir.c | 2 ++
104593 1 files changed, 2 insertions(+), 0 deletions(-)
104594
104595commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
104596Author: Jeff Mahoney <jeffm@suse.com>
104597Date: Fri May 31 15:51:17 2013 -0400
104598
104599 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
104600
104601 reiserfs: fix deadlock with nfs racing on create/lookup
104602
104603 Reiserfs is currently able to be deadlocked by having two NFS clients
104604 where one has removed and recreated a file and another is accessing the
104605 file with an open file handle.
104606
104607 If one client deletes and recreates a file with timing such that the
104608 recreated file obtains the same [dirid, objectid] pair as the original
104609 file while another client accesses the file via file handle, the create
104610 and lookup can race and deadlock if the lookup manages to create the
104611 in-memory inode first.
104612
104613 The create thread, in insert_inode_locked4, will hold the write lock
104614 while waiting on the other inode to be unlocked. The lookup thread,
104615 anywhere in the iget path, will release and reacquire the write lock while
104616 it schedules. If it needs to reacquire the lock while the create thread
104617 has it, it will never be able to make forward progress because it needs
104618 to reacquire the lock before ultimately unlocking the inode.
104619
104620 This patch drops the write lock across the insert_inode_locked4 call so
104621 that the ordering of inode_wait -> write lock is retained. Since this
104622 would have been the case before the BKL push-down, this is safe.
104623
104624 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
104625 Signed-off-by: Jan Kara <jack@suse.cz>
104626
104627 fs/reiserfs/inode.c | 9 +++++++--
104628 1 files changed, 7 insertions(+), 2 deletions(-)
104629
104630commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
104631Author: Jeff Mahoney <jeffm@suse.com>
104632Date: Fri May 31 15:54:17 2013 -0400
104633
104634 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
104635
104636 reiserfs: fix problems with chowning setuid file w/ xattrs
104637
104638 reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
104639 and uses it to iterate over all the attrs associated with a file to change
104640 ownership of xattrs (and transfer quota associated with the xattr files).
104641
104642 When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
104643 are passed to all the xattrs as well. This means that the xattr directory
104644 will have S_IFREG added to its mode bits.
104645
104646 This has been prevented in practice by a missing IS_PRIVATE check
104647 in reiserfs_acl_chmod, which caused a double-lock to occur while holding
104648 the write lock. Since the file system was completely locked up, the
104649 writeout of the corrupted mode never happened.
104650
104651 This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
104652 calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
104653
104654 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
104655 Signed-off-by: Jan Kara <jack@suse.cz>
104656
104657 fs/reiserfs/xattr.c | 14 +++++++++++++-
104658 fs/reiserfs/xattr_acl.c | 3 +++
104659 2 files changed, 16 insertions(+), 1 deletions(-)
104660
104661commit c18cef940310c06bdf86d64d8cb227e56e165300
104662Author: Dave Chinner <dchinner@redhat.com>
104663Date: Mon May 27 16:38:25 2013 +1000
104664
104665 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
104666
104667 xfs: kill suid/sgid through the truncate path.
104668
104669 XFS has failed to kill suid/sgid bits correctly when truncating
104670 files of non-zero size since commit c4ed4243 ("xfs: split
104671 xfs_setattr") introduced in the 3.1 kernel. Fix it.
104672
104673 Fix it.
104674
104675 cc: stable kernel <stable@vger.kernel.org>
104676 Signed-off-by: Dave Chinner <dchinner@redhat.com>
104677 Reviewed-by: Brian Foster <bfoster@redhat.com>
104678 Signed-off-by: Ben Myers <bpm@sgi.com>
104679
104680 (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)
104681
104682 fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
104683 1 files changed, 32 insertions(+), 15 deletions(-)
104684
104685commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
104686Author: Trond Myklebust <Trond.Myklebust@netapp.com>
104687Date: Wed May 29 15:36:40 2013 -0400
104688
104689 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
104690
104691 NFSv4: Fix a thinko in nfs4_try_open_cached
104692
104693 We need to pass the full open mode flags to nfs_may_open() when doing
104694 a delegated open.
104695
104696 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
104697 Cc: stable@vger.kernel.org
104698
104699 fs/nfs/nfs4proc.c | 2 +-
104700 1 files changed, 1 insertions(+), 1 deletions(-)
104701
104702commit c47de62893a9f269be0a272c2840aac1e2a35c68
104703Author: Chen Gang <gang.chen@asianux.com>
104704Date: Thu May 30 01:18:43 2013 +0000
104705
104706 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
104707
104708 parisc: kernel: using strlcpy() instead of strcpy()
104709
104710 'boot_args' is an input args, and 'boot_command_line' has a fix length.
104711 So use strlcpy() instead of strcpy() to avoid memory overflow.
104712
104713 Signed-off-by: Chen Gang <gang.chen@asianux.com>
104714 Acked-by: Kyle McMartin <kyle@mcmartin.ca>
104715 Signed-off-by: Helge Deller <deller@gmx.de>
104716
104717 arch/parisc/kernel/setup.c | 3 ++-
104718 1 files changed, 2 insertions(+), 1 deletions(-)
104719
104720commit ce869e6f799f95fcac340420ba3612503df80dbf
104721Author: Chen Gang <gang.chen@asianux.com>
104722Date: Mon May 27 04:57:09 2013 +0000
104723
104724 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
104725
104726 parisc: memory overflow, 'name' length is too short for using
104727
104728 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
104729 * "%u:" + "%u" + '\0') may be 21.
104730
104731 Since 'name' length is 20, it may be memory overflow.
104732
104733 And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
104734 max length of 'name' must be less than 28.
104735
104736 So simplify thinking, we can use 28 instead of 20 directly, and do not
104737 think of whether 'patchc.bc[i]' can '> 100'.
104738
104739 Signed-off-by: Chen Gang <gang.chen@asianux.com>
104740 Signed-off-by: Helge Deller <deller@gmx.de>
104741
104742 arch/parisc/kernel/drivers.c | 2 +-
104743 1 files changed, 1 insertions(+), 1 deletions(-)
104744
104745commit 5dc65cd34d442783118a17c518e2daedb90a31d0
104746Author: Brad Spengler <spender@grsecurity.net>
104747Date: Tue Jun 4 17:52:23 2013 -0400
104748
104749 add PERF_HARDEN recommendation
104750
104751 grsecurity/Kconfig | 3 +++
104752 1 files changed, 3 insertions(+), 0 deletions(-)
104753
104754commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
104755Author: Brad Spengler <spender@grsecurity.net>
104756Date: Tue Jun 4 17:22:44 2013 -0400
104757
104758 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN
104759
104760 grsecurity/Kconfig | 19 +++++++++++++++++++
104761 include/linux/perf_event.h | 5 +++++
104762 kernel/events/core.c | 10 +++++++++-
104763 kernel/sysctl.c | 9 ++++++++-
104764 4 files changed, 41 insertions(+), 2 deletions(-)
104765
104766commit 84619a3501fd38285a72d9e963f58d1827beedd6
104767Author: Brad Spengler <spender@grsecurity.net>
104768Date: Sat Jun 1 14:23:31 2013 -0400
104769
104770 remove user-triggerable BUG_ON in do_munlockall()
104771
104772 mm/mlock.c | 1 -
104773 1 files changed, 0 insertions(+), 1 deletions(-)
104774
104775commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
104776Author: Brad Spengler <spender@grsecurity.net>
104777Date: Sat Jun 1 13:44:05 2013 -0400
104778
104779 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
104780
104781 From: Kees Cook <keescook@chromium.org>
104782 Date: Thu, 23 May 2013 17:32:17 +0000
104783 Subject: iscsi-target: fix heap buffer overflow on error
104784
104785 If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
104786 error response packet, generated by iscsi_add_notunderstood_response(),
104787 would still attempt to copy the entire key into the packet, overflowing
104788 the structure on the heap.
104789
104790 Remote preauthentication kernel memory corruption was possible if a
104791 target was configured and listening on the network.
104792
104793 CVE-2013-2850
104794
104795 Embargo-screwup-by: Kees Cook <keescook@chromium.org>
104796 Cc: stable@vger.kernel.org
104797 Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
104798
104799 drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
104800 drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
104801 2 files changed, 6 insertions(+), 6 deletions(-)
104802
104803commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
104804Author: Brad Spengler <spender@grsecurity.net>
104805Date: Sat Jun 1 13:43:26 2013 -0400
104806
104807 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
104808 Applying upstream fix instead
104809
104810 This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.
104811
104812 drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
104813 1 files changed, 3 insertions(+), 2 deletions(-)
104814
104815commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
104816Author: Dan Carpenter <dan.carpenter@oracle.com>
104817Date: Sun May 19 21:52:20 2013 +0300
104818
104819 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
104820
104821 USB: cxacru: potential underflow in cxacru_cm_get_array()
104822
104823 commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
104824
104825 The value of "offd" comes off the instance->rcv_buf[] and we used it as
104826 the offset into an array. The problem is that we check the upper bound
104827 but not for negative values.
104828
104829 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
104830 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
104831 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
104832
104833 drivers/usb/atm/cxacru.c | 3 ++-
104834 1 files changed, 2 insertions(+), 1 deletions(-)
104835
104836commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
104837Author: Brad Spengler <spender@grsecurity.net>
104838Date: Sat Jun 1 11:30:17 2013 -0400
104839
104840 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters
104841
104842 drivers/target/iscsi/iscsi_target_parameters.c | 5 ++---
104843 1 files changed, 2 insertions(+), 3 deletions(-)
104844
104845commit 8578566969d91678a3d7d5251b4eafc6d7775314
104846Author: Brad Spengler <spender@grsecurity.net>
104847Date: Thu May 30 17:44:15 2013 -0400
104848
104849 Apply compatibility fix to previous RLIMIT_NPROC change
104850 don't enforce the rlimit check at exec time if the user is root
104851 Prevents problems with sudo if root is listed as part of a group
104852 in limits.conf with process limits enforced
104853
104854 kernel/sys.c | 2 +-
104855 1 files changed, 1 insertions(+), 1 deletions(-)
104856
104857commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
104858Merge: 643b294 ed9b427
104859Author: Brad Spengler <spender@grsecurity.net>
104860Date: Wed May 29 19:19:28 2013 -0400
104861
104862 Merge branch 'pax-test' into grsec-test
104863
104864commit ed9b4276488528d0c3803df1dc0df804238241e0
104865Author: Brad Spengler <spender@grsecurity.net>
104866Date: Wed May 29 19:18:45 2013 -0400
104867
104868 Updated to pax-linux-3.9.4-test8.patch:
104869 - fixed some fallout detected by the checker plugin
104870
104871 arch/x86/kernel/crash_dump_64.c | 2 +-
104872 drivers/base/devtmpfs.c | 6 +++---
104873 drivers/char/agp/compat_ioctl.c | 2 +-
104874 drivers/char/agp/frontend.c | 2 +-
104875 drivers/char/mem.c | 2 +-
104876 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++--
104877 drivers/i2c/i2c-dev.c | 2 +-
104878 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++---
104879 drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++--------
104880 fs/9p/vfs_addr.c | 2 +-
104881 fs/binfmt_elf.c | 4 ++--
104882 fs/compat_ioctl.c | 4 ++--
104883 fs/exec.c | 2 +-
104884 fs/namespace.c | 8 ++++----
104885 fs/proc/vmcore.c | 12 ++++++++----
104886 fs/read_write.c | 2 +-
104887 include/linux/syscalls.h | 8 ++++----
104888 init/do_mounts_initrd.c | 8 ++++----
104889 init/main.c | 4 ++--
104890 kernel/events/core.c | 2 +-
104891 kernel/events/internal.h | 10 +++++-----
104892 mm/page_io.c | 2 +-
104893 security/keys/internal.h | 2 +-
104894 tools/gcc/checker_plugin.c | 1 +
104895 24 files changed, 63 insertions(+), 54 deletions(-)
104896
104897commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
104898Author: Brad Spengler <spender@grsecurity.net>
104899Date: Wed May 29 18:51:31 2013 -0400
104900
104901 eliminate gcc warning
104902
104903 fs/exec.c | 4 ++--
104904 1 files changed, 2 insertions(+), 2 deletions(-)
104905
104906commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
104907Author: Brad Spengler <spender@grsecurity.net>
104908Date: Wed May 29 18:30:20 2013 -0400
104909
104910 use BUILD_BUG() instead of BUILD_BUG_ON(1)
104911
104912 arch/x86/net/bpf_jit_comp.c | 4 ++--
104913 1 files changed, 2 insertions(+), 2 deletions(-)
104914
104915commit 5343410354267368e5809f3ad8d9a264f141be18
104916Author: Brad Spengler <spender@grsecurity.net>
104917Date: Wed May 29 17:57:41 2013 -0400
104918
104919 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
104920 for unknown opcodes
104921
104922 arch/x86/net/bpf_jit_comp.c | 11 +++++++----
104923 1 files changed, 7 insertions(+), 4 deletions(-)
104924
104925commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
104926Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
104927Date: Fri May 24 15:55:11 2013 -0700
104928
104929 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
104930
104931 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
104932
104933 Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
104934 multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
104935 fix freed page still mapped in secondary MMU").
104936
104937 Since hlist_for_each_entry_rcu() is changed now, we can not revert that
104938 patch directly, so this patch reverts the commit and simply fix the bug
104939 spotted by that patch
104940
104941 This bug spotted by commit 751efd8610d3 is:
104942
104943 There is a race condition between mmu_notifier_unregister() and
104944 __mmu_notifier_release().
104945
104946 Assume two tasks, one calling mmu_notifier_unregister() as a result
104947 of a filp_close() ->flush() callout (task A), and the other calling
104948 mmu_notifier_release() from an mmput() (task B).
104949
104950 A B
104951 t1 srcu_read_lock()
104952 t2 if (!hlist_unhashed())
104953 t3 srcu_read_unlock()
104954 t4 srcu_read_lock()
104955 t5 hlist_del_init_rcu()
104956 t6 synchronize_srcu()
104957 t7 srcu_read_unlock()
104958 t8 hlist_del_rcu() <--- NULL pointer deref.
104959
104960 This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
104961
104962 The another issue spotted in the commit is "multiple ->release()
104963 callouts", we needn't care it too much because it is really rare (e.g,
104964 can not happen on kvm since mmu-notify is unregistered after
104965 exit_mmap()) and the later call of multiple ->release should be fast
104966 since all the pages have already been released by the first call.
104967 Anyway, this issue should be fixed in a separate patch.
104968
104969 -stable suggestions: Any version that has commit 751efd8610d3 need to be
104970 backported. I find the oldest version has this commit is 3.0-stable.
104971
104972 [akpm@linux-foundation.org: tweak comments]
104973 Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
104974 Tested-by: Robin Holt <holt@sgi.com>
104975 Cc: <stable@vger.kernel.org>
104976 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
104977 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
104978
104979 mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------
104980 1 files changed, 39 insertions(+), 40 deletions(-)
104981
104982commit 163a5539b36247865d39b2bcfa8efc03a62124a6
104983Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
104984Date: Fri May 24 15:55:21 2013 -0700
104985
104986 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
104987
104988 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
104989
104990 We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
104991 set_pmd_at is used to set pmd with huge pte entries and architectures
104992 like ppc64, clear few flags from the pte when saving a new entry.
104993 Without this change we observe bad pte errors like below on ppc64 with
104994 THP enabled.
104995
104996 BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
104997
104998 Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
104999 Cc: Hugh Dickins <hughd@google.com>
105000 Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
105001 Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
105002 Cc: <stable@vger.kernel.org>
105003 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
105004 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
105005
105006 mm/huge_memory.c | 7 ++++++-
105007 1 files changed, 6 insertions(+), 1 deletions(-)
105008
105009commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
105010Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
105011Date: Fri May 24 15:55:08 2013 -0700
105012
105013 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
105014
105015 fat: fix possible overflow for fat_clusters
105016
105017 Intermediate value of fat_clusters can be overflowed on 32bits arch.
105018
105019 Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
105020 Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
105021 Cc: <stable@vger.kernel.org>
105022 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
105023 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
105024
105025 fs/fat/inode.c | 15 ++++++++++++++-
105026 1 files changed, 14 insertions(+), 1 deletions(-)
105027
105028commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
105029Author: Jarod Wilson <jarod@redhat.com>
105030Date: Fri May 24 15:55:31 2013 -0700
105031
105032 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
105033
105034 drivers/char/random.c: fix priming of last_data
105035
105036 Commit ec8f02da9ea5 ("random: prime last_data value per fips
105037 requirements") added priming of last_data per fips requirements.
105038
105039 Unfortuantely, it did so in a way that can lead to multiple threads all
105040 incrementing nbytes, but only one actually doing anything with the extra
105041 data, which leads to some fun random corruption and panics.
105042
105043 The fix is to simply do everything needed to prime last_data in a single
105044 shot, so there's no window for multiple cpus to increment nbytes -- in
105045 fact, we won't even increment or decrement nbytes anymore, we'll just
105046 extract the needed EXTRACT_SIZE one time per pool and then carry on with
105047 the normal routine.
105048
105049 All these changes have been tested across multiple hosts and
105050 architectures where panics were previously encoutered. The code changes
105051 are are strictly limited to areas only touched when when booted in fips
105052 mode.
105053
105054 This change should also go into 3.8-stable, to make the myriads of fips
105055 users on 3.8.x happy.
105056
105057 Signed-off-by: Jarod Wilson <jarod@redhat.com>
105058 Tested-by: Jan Stancek <jstancek@redhat.com>
105059 Tested-by: Jan Stodola <jstodola@redhat.com>
105060 Cc: Herbert Xu <herbert@gondor.apana.org.au>
105061 Acked-by: Neil Horman <nhorman@tuxdriver.com>
105062 Cc: "David S. Miller" <davem@davemloft.net>
105063 Cc: Matt Mackall <mpm@selenic.com>
105064 Cc: "Theodore Ts'o" <tytso@mit.edu>
105065 Cc: <stable@vger.kernel.org>
105066 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
105067 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
105068
105069 drivers/char/random.c | 30 +++++++++++++++---------------
105070 1 files changed, 15 insertions(+), 15 deletions(-)
105071
105072commit 2d74639040ba6ce47f57ec010714ec06529c4b42
105073Author: Jiri Kosina <jkosina@suse.cz>
105074Date: Fri May 24 15:55:33 2013 -0700
105075
105076 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
105077
105078 random: fix accounting race condition with lockless irq entropy_count update
105079
105080 Commit 902c098a3663 ("random: use lockless techniques in the interrupt
105081 path") turned IRQ path from being spinlock protected into lockless
105082 cmpxchg-retry update.
105083
105084 That commit removed r->lock serialization between crediting entropy bits
105085 from IRQ context and accounting when extracting entropy on userspace
105086 read path, but didn't turn the r->entropy_count reads/updates in
105087 account() to use cmpxchg as well.
105088
105089 It has been observed, that under certain circumstances this leads to
105090 read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
105091 corrupted and becomes negative, which in turn results in propagating 0
105092 all the way from account() to the actual read() call.
105093
105094 Convert the accounting code to be the proper lockless counterpart of
105095 what has been partially done by 902c098a3663.
105096
105097 Signed-off-by: Jiri Kosina <jkosina@suse.cz>
105098 Cc: Theodore Ts'o <tytso@mit.edu>
105099 Cc: Greg KH <greg@kroah.com>
105100 Cc: <stable@vger.kernel.org>
105101 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
105102 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
105103
105104 drivers/char/random.c | 26 +++++++++++++++++---------
105105 1 files changed, 17 insertions(+), 9 deletions(-)
105106
105107commit 65d05c7ea468c23c175105526dd4f163302a92cf
105108Merge: 1a98d0a 6ce3a135
105109Author: Brad Spengler <spender@grsecurity.net>
105110Date: Sat May 25 07:48:15 2013 -0400
105111
105112 Merge branch 'pax-test' into grsec-test
105113
105114 Conflicts:
105115 arch/x86/kernel/vm86_32.c
105116
105117commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
105118Merge: 79bdd65 0bfd8ff
105119Author: Brad Spengler <spender@grsecurity.net>
105120Date: Sat May 25 07:46:55 2013 -0400
105121
105122 Merge branch 'linux-3.9.y' into pax-test
105123
105124commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
105125Author: Brad Spengler <spender@grsecurity.net>
105126Date: Thu May 23 18:42:23 2013 -0400
105127
105128 use existing local variable
105129
105130 fs/exec.c | 2 +-
105131 1 files changed, 1 insertions(+), 1 deletions(-)
105132
105133commit b2b80ef8586061e32e986b31608717c25d1e7c54
105134Merge: cb45fbd 79bdd65
105135Author: Brad Spengler <spender@grsecurity.net>
105136Date: Thu May 23 17:58:53 2013 -0400
105137
105138 Merge branch 'pax-test' into grsec-test
105139
105140commit 79bdd65dac68267bc1b201c6b4a99966a373c305
105141Author: Brad Spengler <spender@grsecurity.net>
105142Date: Thu May 23 17:57:46 2013 -0400
105143
105144 Update to pax-linux-3.9.3-test7.patch:
105145 - fixed some size overflow related warnings (hash table, attributes)
105146 - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html
105147
105148 arch/x86/include/asm/page_64.h | 2 +-
105149 arch/x86/kernel/head64.c | 2 +-
105150 tools/gcc/constify_plugin.c | 48 ++-
105151 tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
105152 4 files changed, 651 insertions(+), 592 deletions(-)
105153
105154commit cb45fbda4967b1b544a754fbdc92d73283379522
105155Merge: 62588fa 57c11b8
105156Author: Brad Spengler <spender@grsecurity.net>
105157Date: Mon May 20 17:32:17 2013 -0400
105158
105159 Merge branch 'pax-test' into grsec-test
105160
105161commit 57c11b85acd841a088aa4df8e60be337880df8cd
105162Merge: 0598b37 4bb0869
105163Author: Brad Spengler <spender@grsecurity.net>
105164Date: Mon May 20 17:32:08 2013 -0400
105165
105166 Merge branch 'linux-3.9.y' into pax-test
105167
105168commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
105169Merge: e261c7b 0598b37
105170Author: Brad Spengler <spender@grsecurity.net>
105171Date: Fri May 17 22:57:36 2013 -0400
105172
105173 Merge branch 'pax-test' into grsec-test
105174
105175commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
105176Author: Brad Spengler <spender@grsecurity.net>
105177Date: Fri May 17 22:57:07 2013 -0400
105178
105179 Update to pax-linux-3.9.2-test6.patch:
105180 - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
105181 - fixed pfn extraction from pud/pgd entries, reported by ousado
105182
105183 arch/x86/include/asm/pgtable.h | 9 +++++++--
105184 tools/gcc/structleak_plugin.c | 3 ++-
105185 2 files changed, 9 insertions(+), 3 deletions(-)
105186
105187commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
105188Author: Brad Spengler <spender@grsecurity.net>
105189Date: Thu May 16 22:54:12 2013 -0400
105190
105191 add offset to topdown check, fixes compilation
105192
105193 arch/x86/kernel/sys_x86_64.c | 2 +-
105194 1 files changed, 1 insertions(+), 1 deletions(-)
105195
105196commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
105197Author: Brad Spengler <spender@grsecurity.net>
105198Date: Thu May 16 20:57:41 2013 -0400
105199
105200 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
105201 reported by lulzh3ad on irc
105202
105203 security/Kconfig | 1 +
105204 1 files changed, 1 insertions(+), 0 deletions(-)
105205
105206commit 0d4593e84707cdf6deb6b925c18c676a476b1613
105207Merge: 43cd0c0 39a877f
105208Author: Brad Spengler <spender@grsecurity.net>
105209Date: Thu May 16 20:39:11 2013 -0400
105210
105211 Merge branch 'pax-test' into grsec-test
105212
105213commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
105214Author: Brad Spengler <spender@grsecurity.net>
105215Date: Thu May 16 20:37:35 2013 -0400
105216
105217 Update to pax-linux-3.9.2-test105.patch:
105218 - fixed !EFI boot problem, reported by spender
105219 - fixed a few compile warnings
105220 - fixed some more compile errors due to constification
105221 - fixed some arm fallout, reported by Michael Tremer
105222
105223 arch/arm/include/asm/psci.h | 2 +-
105224 arch/arm/kernel/psci.c | 2 +-
105225 arch/x86/kernel/sys_x86_64.c | 3 +--
105226 arch/x86/realmode/init.c | 2 +-
105227 drivers/hwmon/pmbus/pmbus_core.c | 10 +++++-----
105228 drivers/irqchip/irq-gic.c | 2 +-
105229 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++-
105230 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++---
105231 drivers/platform/x86/chromeos_laptop.c | 2 +-
105232 fs/jfs/super.c | 4 ++--
105233 include/linux/irqchip/arm-gic.h | 2 ++
105234 include/sound/compress_driver.h | 2 +-
105235 net/mac80211/cfg.c | 4 ++--
105236 sound/soc/fsl/fsl_ssi.c | 2 +-
105237 14 files changed, 31 insertions(+), 22 deletions(-)
105238
105239commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
105240Author: Brad Spengler <spender@grsecurity.net>
105241Date: Thu May 16 20:35:22 2013 -0400
105242
105243 Fix usercopy false positive under gcc 4.1
105244
105245 arch/x86/kernel/signal.c | 9 +++++++--
105246 1 files changed, 7 insertions(+), 2 deletions(-)
105247
105248commit 56a166129d817f6634c8c230e6ec497669bdfaca
105249Author: Amerigo Wang <amwang@redhat.com>
105250Date: Thu May 9 21:56:37 2013 +0000
105251
105252 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
105253
105254 ipv6,gre: do not leak info to user-space
105255
105256 There is a hole in struct ip6_tnl_parm2, so we have to
105257 zero the struct on stack before copying it to user-space.
105258
105259 Cc: David S. Miller <davem@davemloft.net>
105260 Signed-off-by: Cong Wang <amwang@redhat.com>
105261 Signed-off-by: David S. Miller <davem@davemloft.net>
105262
105263 net/ipv6/ip6_gre.c | 2 ++
105264 1 files changed, 2 insertions(+), 0 deletions(-)
105265
105266commit d6f50dae2653ad912952da40417a8ccbd59c7699
105267Author: Brad Spengler <spender@grsecurity.net>
105268Date: Tue May 14 16:52:35 2013 -0400
105269
105270 disable unprivileged kernel profiling under HIDESYM, rename
105271 the variable to something more appropriate
105272
105273 include/linux/perf_event.h | 8 ++++----
105274 kernel/events/core.c | 6 +++++-
105275 kernel/sysctl.c | 4 ++--
105276 3 files changed, 11 insertions(+), 7 deletions(-)
105277
105278commit 01322c6951bed4eedefbd2178dbd99292b365d99
105279Author: Brad Spengler <spender@grsecurity.net>
105280Date: Mon May 13 17:19:57 2013 -0400
105281
105282 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
105283 existing stack-heap gap code for the new unified vm_unmapped_area
105284
105285 grsecurity/Kconfig | 2 +-
105286 1 files changed, 1 insertions(+), 1 deletions(-)
105287
105288commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
105289Author: Brad Spengler <spender@grsecurity.net>
105290Date: Mon May 13 15:40:32 2013 -0400
105291
105292 fix NX fault on early boot
105293
105294 arch/x86/realmode/init.c | 2 +-
105295 1 files changed, 1 insertions(+), 1 deletions(-)
105296
105297commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
105298Author: Brad Spengler <spender@grsecurity.net>
105299Date: Mon May 13 10:48:13 2013 -0400
105300
105301 compile fix, we weren't using %pa anyway and it's now being used
105302 by upstream for physical address printing
105303
105304 lib/vsprintf.c | 3 +--
105305 1 files changed, 1 insertions(+), 2 deletions(-)
105306
105307commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
105308Author: Brad Spengler <spender@grsecurity.net>
105309Date: Mon May 13 10:39:52 2013 -0400
105310
105311 compile fix
105312
105313 grsecurity/grsec_chroot.c | 2 +-
105314 1 files changed, 1 insertions(+), 1 deletions(-)
105315
105316commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
105317Author: Brad Spengler <spender@grsecurity.net>
105318Date: Mon May 13 10:35:36 2013 -0400
105319
105320 compile fixes
105321
105322 grsecurity/grsec_chroot.c | 2 +-
105323 include/linux/grinternal.h | 8 ++++----
105324 include/linux/grsecurity.h | 4 ++--
105325 3 files changed, 7 insertions(+), 7 deletions(-)
105326
105327commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
105328Author: Brad Spengler <spender@grsecurity.net>
105329Date: Mon May 13 10:27:18 2013 -0400
105330
105331 compile fix
105332
105333 fs/exec.c | 6 +++---
105334 1 files changed, 3 insertions(+), 3 deletions(-)
105335
105336commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
105337Author: Brad Spengler <spender@grsecurity.net>
105338Date: Mon May 13 10:23:17 2013 -0400
105339
105340 Initial port of grsecurity for 3.9.2
105341
105342 Documentation/kernel-parameters.txt | 4 +
105343 Makefile | 8 +-
105344 arch/alpha/include/asm/cache.h | 4 +-
105345 arch/alpha/kernel/osf_sys.c | 12 +-
105346 arch/arm/include/asm/thread_info.h | 9 +-
105347 arch/arm/kernel/process.c | 4 +-
105348 arch/arm/kernel/ptrace.c | 9 +
105349 arch/arm/kernel/traps.c | 7 +-
105350 arch/arm/mm/fault.c | 29 +-
105351 arch/arm/mm/mmap.c | 8 +-
105352 arch/avr32/include/asm/cache.h | 4 +-
105353 arch/blackfin/include/asm/cache.h | 3 +-
105354 arch/cris/include/arch-v10/arch/cache.h | 3 +-
105355 arch/cris/include/arch-v32/arch/cache.h | 3 +-
105356 arch/frv/include/asm/cache.h | 3 +-
105357 arch/frv/mm/elf-fdpic.c | 4 +-
105358 arch/hexagon/include/asm/cache.h | 6 +-
105359 arch/ia64/include/asm/cache.h | 3 +-
105360 arch/ia64/kernel/sys_ia64.c | 2 +
105361 arch/ia64/mm/hugetlbpage.c | 2 +
105362 arch/m32r/include/asm/cache.h | 4 +-
105363 arch/m68k/include/asm/cache.h | 4 +-
105364 arch/metag/mm/hugetlbpage.c | 1 +
105365 arch/microblaze/include/asm/cache.h | 3 +-
105366 arch/mips/include/asm/cache.h | 3 +-
105367 arch/mips/include/asm/thread_info.h | 9 +-
105368 arch/mips/kernel/ptrace.c | 9 +
105369 arch/mips/kernel/scall32-o32.S | 2 +-
105370 arch/mips/kernel/scall64-64.S | 2 +-
105371 arch/mips/kernel/scall64-n32.S | 2 +-
105372 arch/mips/kernel/scall64-o32.S | 2 +-
105373 arch/mips/mm/mmap.c | 4 +-
105374 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
105375 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
105376 arch/openrisc/include/asm/cache.h | 4 +-
105377 arch/parisc/include/asm/cache.h | 5 +-
105378 arch/parisc/kernel/sys_parisc.c | 17 +-
105379 arch/powerpc/include/asm/cache.h | 3 +-
105380 arch/powerpc/include/asm/thread_info.h | 8 +-
105381 arch/powerpc/kernel/process.c | 10 +-
105382 arch/powerpc/kernel/ptrace.c | 14 +
105383 arch/powerpc/kernel/traps.c | 5 +
105384 arch/powerpc/mm/slice.c | 8 +-
105385 arch/s390/include/asm/cache.h | 4 +-
105386 arch/score/include/asm/cache.h | 4 +-
105387 arch/sh/include/asm/cache.h | 3 +-
105388 arch/sh/mm/mmap.c | 6 +-
105389 arch/sparc/include/asm/cache.h | 4 +-
105390 arch/sparc/include/asm/thread_info_64.h | 9 +-
105391 arch/sparc/kernel/process_32.c | 6 +-
105392 arch/sparc/kernel/process_64.c | 8 +-
105393 arch/sparc/kernel/ptrace_64.c | 14 +
105394 arch/sparc/kernel/sys_sparc_64.c | 8 +-
105395 arch/sparc/kernel/syscalls.S | 8 +-
105396 arch/sparc/kernel/traps_32.c | 8 +-
105397 arch/sparc/kernel/traps_64.c | 28 +-
105398 arch/sparc/kernel/unaligned_64.c | 2 +-
105399 arch/sparc/mm/fault_64.c | 2 +-
105400 arch/sparc/mm/hugetlbpage.c | 3 +-
105401 arch/tile/include/asm/cache.h | 3 +-
105402 arch/tile/mm/hugetlbpage.c | 2 +
105403 arch/um/defconfig | 1 -
105404 arch/um/include/asm/cache.h | 3 +-
105405 arch/unicore32/include/asm/cache.h | 6 +-
105406 arch/x86/Kconfig | 5 +-
105407 arch/x86/Kconfig.debug | 2 +-
105408 arch/x86/ia32/ia32_aout.c | 2 +
105409 arch/x86/include/asm/thread_info.h | 8 +-
105410 arch/x86/kernel/dumpstack.c | 8 +
105411 arch/x86/kernel/entry_32.S | 2 +-
105412 arch/x86/kernel/entry_64.S | 2 +-
105413 arch/x86/kernel/ioport.c | 13 +
105414 arch/x86/kernel/ptrace.c | 14 +
105415 arch/x86/kernel/smpboot.c | 3 +
105416 arch/x86/kernel/sys_i386_32.c | 14 +-
105417 arch/x86/kernel/sys_x86_64.c | 6 +-
105418 arch/x86/kernel/verify_cpu.S | 1 +
105419 arch/x86/kernel/vm86_32.c | 16 +
105420 arch/x86/mm/fault.c | 12 +-
105421 arch/x86/mm/hugetlbpage.c | 15 +-
105422 arch/x86/mm/init.c | 66 +-
105423 arch/x86/net/bpf_jit_comp.c | 126 +-
105424 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
105425 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
105426 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
105427 drivers/block/cciss.c | 2 +
105428 drivers/char/Kconfig | 4 +-
105429 drivers/char/genrtc.c | 1 +
105430 drivers/char/mem.c | 17 +
105431 drivers/char/random.c | 12 +
105432 drivers/gpu/drm/drm_info.c | 4 +
105433 drivers/hid/hid-wiimote-debug.c | 2 +-
105434 drivers/media/radio/radio-cadet.c | 2 +-
105435 drivers/message/fusion/mptbase.c | 9 +
105436 drivers/net/bonding/bond_main.c | 2 +-
105437 drivers/net/phy/mdio-bitbang.c | 1 +
105438 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
105439 drivers/pci/proc.c | 9 +
105440 drivers/rtc/rtc-dev.c | 3 +
105441 drivers/tty/sysrq.c | 2 +-
105442 drivers/tty/vt/keyboard.c | 22 +-
105443 drivers/usb/storage/realtek_cr.c | 2 +-
105444 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
105445 drivers/xen/xenfs/xenstored.c | 5 +
105446 fs/attr.c | 1 +
105447 fs/autofs4/waitq.c | 9 +
105448 fs/binfmt_aout.c | 7 +
105449 fs/binfmt_elf.c | 8 +-
105450 fs/btrfs/ioctl.c | 6 +-
105451 fs/compat.c | 20 +-
105452 fs/coredump.c | 10 +-
105453 fs/debugfs/inode.c | 4 +
105454 fs/exec.c | 181 +-
105455 fs/ext2/balloc.c | 4 +-
105456 fs/ext3/balloc.c | 4 +-
105457 fs/ext4/balloc.c | 4 +-
105458 fs/fcntl.c | 5 +
105459 fs/file.c | 4 +
105460 fs/filesystems.c | 4 +
105461 fs/fs_struct.c | 13 +-
105462 fs/hugetlbfs/inode.c | 5 +-
105463 fs/namei.c | 241 ++-
105464 fs/namespace.c | 24 +
105465 fs/open.c | 38 +
105466 fs/pipe.c | 2 +-
105467 fs/proc/Kconfig | 10 +-
105468 fs/proc/array.c | 59 +-
105469 fs/proc/base.c | 168 +-
105470 fs/proc/cmdline.c | 4 +
105471 fs/proc/devices.c | 4 +
105472 fs/proc/fd.c | 17 +-
105473 fs/proc/inode.c | 17 +
105474 fs/proc/internal.h | 3 +
105475 fs/proc/kcore.c | 3 +
105476 fs/proc/proc_net.c | 12 +
105477 fs/proc/proc_sysctl.c | 43 +-
105478 fs/proc/root.c | 8 +
105479 fs/proc/task_mmu.c | 75 +-
105480 fs/readdir.c | 19 +
105481 fs/select.c | 2 +
105482 fs/seq_file.c | 12 +-
105483 fs/stat.c | 19 +-
105484 fs/sysfs/dir.c | 12 +
105485 fs/utimes.c | 7 +
105486 fs/xattr.c | 19 +-
105487 grsecurity/Kconfig | 1031 +++++
105488 grsecurity/Makefile | 38 +
105489 grsecurity/gracl.c | 4073 ++++++++++++++++++++
105490 grsecurity/gracl_alloc.c | 105 +
105491 grsecurity/gracl_cap.c | 110 +
105492 grsecurity/gracl_fs.c | 431 +++
105493 grsecurity/gracl_ip.c | 387 ++
105494 grsecurity/gracl_learn.c | 207 +
105495 grsecurity/gracl_res.c | 68 +
105496 grsecurity/gracl_segv.c | 305 ++
105497 grsecurity/gracl_shm.c | 40 +
105498 grsecurity/grsec_chdir.c | 19 +
105499 grsecurity/grsec_chroot.c | 370 ++
105500 grsecurity/grsec_disabled.c | 434 +++
105501 grsecurity/grsec_exec.c | 187 +
105502 grsecurity/grsec_fifo.c | 24 +
105503 grsecurity/grsec_fork.c | 23 +
105504 grsecurity/grsec_init.c | 283 ++
105505 grsecurity/grsec_link.c | 58 +
105506 grsecurity/grsec_log.c | 326 ++
105507 grsecurity/grsec_mem.c | 40 +
105508 grsecurity/grsec_mount.c | 62 +
105509 grsecurity/grsec_pax.c | 36 +
105510 grsecurity/grsec_ptrace.c | 30 +
105511 grsecurity/grsec_sig.c | 222 ++
105512 grsecurity/grsec_sock.c | 244 ++
105513 grsecurity/grsec_sysctl.c | 469 +++
105514 grsecurity/grsec_time.c | 16 +
105515 grsecurity/grsec_tpe.c | 73 +
105516 grsecurity/grsum.c | 61 +
105517 include/linux/capability.h | 5 +
105518 include/linux/cred.h | 3 +
105519 include/linux/fs.h | 10 +
105520 include/linux/fsnotify.h | 6 +
105521 include/linux/gracl.h | 319 ++
105522 include/linux/gralloc.h | 9 +
105523 include/linux/grdefs.h | 140 +
105524 include/linux/grinternal.h | 215 +
105525 include/linux/grmsg.h | 111 +
105526 include/linux/grsecurity.h | 242 ++
105527 include/linux/grsock.h | 19 +
105528 include/linux/kallsyms.h | 14 +-
105529 include/linux/kmod.h | 2 +
105530 include/linux/mm.h | 1 +
105531 include/linux/netfilter/xt_gradm.h | 9 +
105532 include/linux/printk.h | 3 +-
105533 include/linux/proc_fs.h | 12 +
105534 include/linux/sched.h | 68 +-
105535 include/linux/security.h | 1 +
105536 include/linux/seq_file.h | 3 +
105537 include/linux/shm.h | 4 +
105538 include/linux/skbuff.h | 3 +
105539 include/linux/slab.h | 9 -
105540 include/linux/sysctl.h | 2 +
105541 include/linux/thread_info.h | 2 +
105542 include/linux/uidgid.h | 5 +
105543 include/linux/vermagic.h | 9 +-
105544 include/net/secure_seq.h | 1 +
105545 include/trace/events/fs.h | 53 +
105546 include/uapi/linux/personality.h | 1 +
105547 init/Kconfig | 3 +-
105548 init/main.c | 14 +
105549 ipc/mqueue.c | 1 +
105550 ipc/shm.c | 28 +
105551 kernel/capability.c | 39 +-
105552 kernel/cgroup.c | 2 +-
105553 kernel/compat.c | 1 +
105554 kernel/configs.c | 11 +
105555 kernel/cred.c | 110 +-
105556 kernel/exit.c | 10 +-
105557 kernel/fork.c | 41 +-
105558 kernel/futex.c | 1 +
105559 kernel/kallsyms.c | 9 +
105560 kernel/kcmp.c | 4 +
105561 kernel/kmod.c | 71 +-
105562 kernel/kprobes.c | 4 +-
105563 kernel/ksysfs.c | 2 +
105564 kernel/lockdep_proc.c | 10 +-
105565 kernel/module.c | 81 +-
105566 kernel/panic.c | 4 +-
105567 kernel/pid.c | 19 +-
105568 kernel/posix-timers.c | 8 +
105569 kernel/printk.c | 13 +-
105570 kernel/ptrace.c | 20 +-
105571 kernel/resource.c | 10 +
105572 kernel/sched/core.c | 6 +-
105573 kernel/signal.c | 37 +-
105574 kernel/sys.c | 45 +-
105575 kernel/sysctl.c | 39 +-
105576 kernel/taskstats.c | 6 +
105577 kernel/time.c | 5 +
105578 kernel/time/timekeeping.c | 3 +
105579 kernel/time/timer_list.c | 12 +
105580 kernel/time/timer_stats.c | 10 +-
105581 lib/Kconfig.debug | 5 +-
105582 lib/is_single_threaded.c | 3 +
105583 lib/vsprintf.c | 35 +-
105584 localversion-grsec | 1 +
105585 mm/Kconfig | 4 +-
105586 mm/filemap.c | 1 +
105587 mm/kmemleak.c | 4 +-
105588 mm/mempolicy.c | 12 +-
105589 mm/migrate.c | 3 +-
105590 mm/mlock.c | 3 +
105591 mm/mmap.c | 64 +-
105592 mm/mprotect.c | 8 +
105593 mm/process_vm_access.c | 6 +
105594 mm/shmem.c | 2 +-
105595 mm/slab.c | 2 +-
105596 mm/slub.c | 14 +-
105597 mm/vmalloc.c | 4 +
105598 mm/vmstat.c | 18 +-
105599 net/8021q/vlan.c | 7 +
105600 net/core/dev_ioctl.c | 4 +
105601 net/core/net-procfs.c | 5 +
105602 net/core/secure_seq.c | 4 +-
105603 net/core/sock_diag.c | 7 +
105604 net/ipv4/af_inet.c | 5 +-
105605 net/ipv4/inet_hashtables.c | 5 +
105606 net/ipv4/ip_sockglue.c | 3 +-
105607 net/ipv4/tcp_input.c | 4 +-
105608 net/ipv4/tcp_ipv4.c | 24 +-
105609 net/ipv4/tcp_minisocks.c | 9 +-
105610 net/ipv4/tcp_timer.c | 11 +
105611 net/ipv4/udp.c | 24 +
105612 net/ipv6/tcp_ipv6.c | 23 +-
105613 net/ipv6/udp.c | 7 +
105614 net/netfilter/Kconfig | 10 +
105615 net/netfilter/Makefile | 1 +
105616 net/netfilter/nf_conntrack_core.c | 8 +
105617 net/netfilter/xt_gradm.c | 51 +
105618 net/netrom/af_netrom.c | 2 +-
105619 net/phonet/af_phonet.c | 2 +-
105620 net/sctp/probe.c | 2 +-
105621 net/sctp/proc.c | 3 +-
105622 net/socket.c | 66 +-
105623 net/sysctl_net.c | 2 +-
105624 net/tipc/link.c | 11 +-
105625 net/unix/af_unix.c | 31 +-
105626 security/Kconfig | 342 ++-
105627 security/commoncap.c | 29 +
105628 security/min_addr.c | 2 +
105629 security/security.c | 2 -
105630 security/selinux/hooks.c | 2 -
105631 security/tomoyo/mount.c | 4 +
105632 security/yama/Kconfig | 2 +-
105633 291 files changed, 15221 insertions(+), 2052 deletions(-)
105634
105635commit 88854c350c899bceca4a94598c42bed44d0dc91b
105636Author: Brad Spengler <spender@grsecurity.net>
105637Date: Mon May 13 07:37:47 2013 -0400
105638
105639 Initial import of pax-linux-3.9.2-test2.patch
105640
105641 Documentation/dontdiff | 45 +-
105642 Documentation/kernel-parameters.txt | 12 +
105643 Makefile | 100 +-
105644 arch/alpha/include/asm/atomic.h | 10 +
105645 arch/alpha/include/asm/elf.h | 7 +
105646 arch/alpha/include/asm/pgalloc.h | 6 +
105647 arch/alpha/include/asm/pgtable.h | 11 +
105648 arch/alpha/kernel/module.c | 2 +-
105649 arch/alpha/kernel/osf_sys.c | 8 +-
105650 arch/alpha/mm/fault.c | 141 +-
105651 arch/arm/Kconfig | 2 +-
105652 arch/arm/include/asm/atomic.h | 421 ++-
105653 arch/arm/include/asm/cache.h | 5 +-
105654 arch/arm/include/asm/cacheflush.h | 2 +-
105655 arch/arm/include/asm/checksum.h | 14 +-
105656 arch/arm/include/asm/cmpxchg.h | 2 +
105657 arch/arm/include/asm/domain.h | 33 +-
105658 arch/arm/include/asm/elf.h | 13 +-
105659 arch/arm/include/asm/fncpy.h | 2 +
105660 arch/arm/include/asm/futex.h | 10 +
105661 arch/arm/include/asm/kmap_types.h | 2 +-
105662 arch/arm/include/asm/mach/dma.h | 2 +-
105663 arch/arm/include/asm/mach/map.h | 7 +-
105664 arch/arm/include/asm/outercache.h | 2 +-
105665 arch/arm/include/asm/page.h | 2 +-
105666 arch/arm/include/asm/pgalloc.h | 22 +-
105667 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
105668 arch/arm/include/asm/pgtable-2level.h | 1 +
105669 arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
105670 arch/arm/include/asm/pgtable-3level.h | 2 +
105671 arch/arm/include/asm/pgtable.h | 56 +-
105672 arch/arm/include/asm/proc-fns.h | 2 +-
105673 arch/arm/include/asm/processor.h | 5 +-
105674 arch/arm/include/asm/smp.h | 2 +-
105675 arch/arm/include/asm/thread_info.h | 6 +-
105676 arch/arm/include/asm/uaccess.h | 92 +-
105677 arch/arm/include/uapi/asm/ptrace.h | 2 +-
105678 arch/arm/kernel/armksyms.c | 6 +-
105679 arch/arm/kernel/entry-armv.S | 107 +-
105680 arch/arm/kernel/entry-common.S | 41 +-
105681 arch/arm/kernel/entry-header.S | 60 +
105682 arch/arm/kernel/fiq.c | 2 +
105683 arch/arm/kernel/head.S | 6 +-
105684 arch/arm/kernel/hw_breakpoint.c | 2 +-
105685 arch/arm/kernel/module.c | 29 +-
105686 arch/arm/kernel/patch.c | 2 +
105687 arch/arm/kernel/perf_event_cpu.c | 2 +-
105688 arch/arm/kernel/process.c | 15 +-
105689 arch/arm/kernel/setup.c | 22 +-
105690 arch/arm/kernel/signal.c | 24 +-
105691 arch/arm/kernel/smp.c | 2 +-
105692 arch/arm/kernel/traps.c | 15 +-
105693 arch/arm/kernel/vmlinux.lds.S | 22 +-
105694 arch/arm/lib/clear_user.S | 6 +-
105695 arch/arm/lib/copy_from_user.S | 6 +-
105696 arch/arm/lib/copy_page.S | 1 +
105697 arch/arm/lib/copy_to_user.S | 6 +-
105698 arch/arm/lib/csumpartialcopyuser.S | 4 +-
105699 arch/arm/lib/delay.c | 2 +-
105700 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
105701 arch/arm/mach-kirkwood/common.c | 19 +-
105702 arch/arm/mach-omap2/board-n8x0.c | 2 +-
105703 arch/arm/mach-omap2/gpmc.c | 22 +-
105704 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
105705 arch/arm/mach-omap2/omap_device.c | 4 +-
105706 arch/arm/mach-omap2/omap_device.h | 4 +-
105707 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
105708 arch/arm/mach-omap2/wd_timer.c | 6 +-
105709 arch/arm/mach-ux500/include/mach/setup.h | 7 -
105710 arch/arm/mm/Kconfig | 3 +-
105711 arch/arm/mm/alignment.c | 8 +
105712 arch/arm/mm/fault.c | 91 +
105713 arch/arm/mm/fault.h | 12 +
105714 arch/arm/mm/init.c | 41 +
105715 arch/arm/mm/ioremap.c | 4 +-
105716 arch/arm/mm/mmap.c | 36 +-
105717 arch/arm/mm/mmu.c | 187 +-
105718 arch/arm/mm/proc-v7-2level.S | 3 +
105719 arch/arm/plat-omap/sram.c | 2 +
105720 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
105721 arch/arm64/kernel/debug-monitors.c | 2 +-
105722 arch/arm64/kernel/hw_breakpoint.c | 2 +-
105723 arch/avr32/include/asm/elf.h | 8 +-
105724 arch/avr32/include/asm/kmap_types.h | 4 +-
105725 arch/avr32/mm/fault.c | 27 +
105726 arch/frv/include/asm/atomic.h | 10 +
105727 arch/frv/include/asm/kmap_types.h | 2 +-
105728 arch/frv/mm/elf-fdpic.c | 3 +-
105729 arch/ia64/include/asm/atomic.h | 10 +
105730 arch/ia64/include/asm/elf.h | 7 +
105731 arch/ia64/include/asm/pgalloc.h | 12 +
105732 arch/ia64/include/asm/pgtable.h | 13 +-
105733 arch/ia64/include/asm/spinlock.h | 2 +-
105734 arch/ia64/include/asm/uaccess.h | 26 +-
105735 arch/ia64/kernel/err_inject.c | 2 +-
105736 arch/ia64/kernel/mca.c | 2 +-
105737 arch/ia64/kernel/module.c | 48 +-
105738 arch/ia64/kernel/palinfo.c | 2 +-
105739 arch/ia64/kernel/salinfo.c | 2 +-
105740 arch/ia64/kernel/sys_ia64.c | 7 +
105741 arch/ia64/kernel/topology.c | 2 +-
105742 arch/ia64/kernel/vmlinux.lds.S | 2 +-
105743 arch/ia64/mm/fault.c | 32 +-
105744 arch/ia64/mm/init.c | 13 +
105745 arch/m32r/lib/usercopy.c | 6 +
105746 arch/mips/include/asm/atomic.h | 14 +
105747 arch/mips/include/asm/elf.h | 11 +-
105748 arch/mips/include/asm/exec.h | 2 +-
105749 arch/mips/include/asm/page.h | 2 +-
105750 arch/mips/include/asm/pgalloc.h | 5 +
105751 arch/mips/kernel/binfmt_elfn32.c | 7 +
105752 arch/mips/kernel/binfmt_elfo32.c | 7 +
105753 arch/mips/kernel/process.c | 12 -
105754 arch/mips/mm/fault.c | 17 +
105755 arch/mips/mm/mmap.c | 51 +-
105756 arch/parisc/include/asm/atomic.h | 10 +
105757 arch/parisc/include/asm/elf.h | 7 +
105758 arch/parisc/include/asm/pgalloc.h | 6 +
105759 arch/parisc/include/asm/pgtable.h | 11 +
105760 arch/parisc/include/asm/uaccess.h | 4 +-
105761 arch/parisc/kernel/module.c | 50 +-
105762 arch/parisc/kernel/sys_parisc.c | 9 +-
105763 arch/parisc/kernel/traps.c | 4 +-
105764 arch/parisc/mm/fault.c | 140 +-
105765 arch/powerpc/include/asm/atomic.h | 10 +
105766 arch/powerpc/include/asm/elf.h | 19 +-
105767 arch/powerpc/include/asm/exec.h | 2 +-
105768 arch/powerpc/include/asm/kmap_types.h | 2 +-
105769 arch/powerpc/include/asm/mman.h | 2 +-
105770 arch/powerpc/include/asm/page.h | 8 +-
105771 arch/powerpc/include/asm/page_64.h | 7 +-
105772 arch/powerpc/include/asm/pgalloc-64.h | 7 +
105773 arch/powerpc/include/asm/pgtable.h | 1 +
105774 arch/powerpc/include/asm/pte-hash32.h | 1 +
105775 arch/powerpc/include/asm/reg.h | 1 +
105776 arch/powerpc/include/asm/smp.h | 2 +-
105777 arch/powerpc/include/asm/uaccess.h | 140 +-
105778 arch/powerpc/kernel/exceptions-64e.S | 4 +-
105779 arch/powerpc/kernel/exceptions-64s.S | 2 +-
105780 arch/powerpc/kernel/module_32.c | 13 +-
105781 arch/powerpc/kernel/process.c | 55 -
105782 arch/powerpc/kernel/signal_32.c | 2 +-
105783 arch/powerpc/kernel/signal_64.c | 2 +-
105784 arch/powerpc/kernel/sysfs.c | 2 +-
105785 arch/powerpc/kernel/vdso.c | 5 +-
105786 arch/powerpc/lib/usercopy_64.c | 18 -
105787 arch/powerpc/mm/fault.c | 54 +-
105788 arch/powerpc/mm/mmap_64.c | 16 +
105789 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
105790 arch/powerpc/mm/numa.c | 2 +-
105791 arch/powerpc/mm/slice.c | 23 +-
105792 arch/powerpc/platforms/cell/spufs/file.c | 4 +-
105793 arch/powerpc/platforms/powermac/smp.c | 2 +-
105794 arch/s390/include/asm/atomic.h | 10 +
105795 arch/s390/include/asm/elf.h | 13 +-
105796 arch/s390/include/asm/exec.h | 2 +-
105797 arch/s390/include/asm/uaccess.h | 15 +-
105798 arch/s390/kernel/module.c | 22 +-
105799 arch/s390/kernel/process.c | 36 -
105800 arch/s390/mm/mmap.c | 24 +
105801 arch/score/include/asm/exec.h | 2 +-
105802 arch/score/kernel/process.c | 5 -
105803 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
105804 arch/sh/mm/mmap.c | 22 +-
105805 arch/sparc/include/asm/atomic_64.h | 106 +-
105806 arch/sparc/include/asm/cache.h | 2 +-
105807 arch/sparc/include/asm/elf_32.h | 7 +
105808 arch/sparc/include/asm/elf_64.h | 7 +
105809 arch/sparc/include/asm/pgalloc_32.h | 1 +
105810 arch/sparc/include/asm/pgalloc_64.h | 1 +
105811 arch/sparc/include/asm/pgtable_32.h | 15 +-
105812 arch/sparc/include/asm/pgtsrmmu.h | 5 +
105813 arch/sparc/include/asm/spinlock_64.h | 35 +-
105814 arch/sparc/include/asm/thread_info_32.h | 2 +
105815 arch/sparc/include/asm/thread_info_64.h | 2 +
105816 arch/sparc/include/asm/uaccess.h | 1 +
105817 arch/sparc/include/asm/uaccess_32.h | 27 +-
105818 arch/sparc/include/asm/uaccess_64.h | 19 +-
105819 arch/sparc/kernel/Makefile | 2 +-
105820 arch/sparc/kernel/prom_common.c | 2 +-
105821 arch/sparc/kernel/sys_sparc_32.c | 2 +-
105822 arch/sparc/kernel/sys_sparc_64.c | 48 +-
105823 arch/sparc/kernel/sysfs.c | 2 +-
105824 arch/sparc/kernel/traps_64.c | 13 +-
105825 arch/sparc/kernel/us3_cpufreq.c | 69 +-
105826 arch/sparc/lib/Makefile | 2 +-
105827 arch/sparc/lib/atomic_64.S | 136 +-
105828 arch/sparc/lib/ksyms.c | 6 +
105829 arch/sparc/mm/Makefile | 2 +-
105830 arch/sparc/mm/fault_32.c | 292 ++
105831 arch/sparc/mm/fault_64.c | 486 ++
105832 arch/sparc/mm/hugetlbpage.c | 21 +-
105833 arch/tile/include/asm/atomic_64.h | 10 +
105834 arch/tile/include/asm/uaccess.h | 4 +-
105835 arch/um/Makefile | 4 +
105836 arch/um/include/asm/kmap_types.h | 2 +-
105837 arch/um/include/asm/page.h | 3 +
105838 arch/um/include/asm/pgtable-3level.h | 1 +
105839 arch/um/kernel/process.c | 16 -
105840 arch/x86/Kconfig | 10 +-
105841 arch/x86/Kconfig.cpu | 6 +-
105842 arch/x86/Kconfig.debug | 6 +-
105843 arch/x86/Makefile | 10 +
105844 arch/x86/boot/Makefile | 3 +
105845 arch/x86/boot/bitops.h | 4 +-
105846 arch/x86/boot/boot.h | 4 +-
105847 arch/x86/boot/compressed/Makefile | 3 +
105848 arch/x86/boot/compressed/eboot.c | 2 -
105849 arch/x86/boot/compressed/head_32.S | 7 +-
105850 arch/x86/boot/compressed/head_64.S | 8 +-
105851 arch/x86/boot/compressed/misc.c | 4 +-
105852 arch/x86/boot/cpucheck.c | 28 +-
105853 arch/x86/boot/header.S | 6 +-
105854 arch/x86/boot/memory.c | 2 +-
105855 arch/x86/boot/video-vesa.c | 1 +
105856 arch/x86/boot/video.c | 2 +-
105857 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
105858 arch/x86/crypto/aesni-intel_asm.S | 21 +
105859 arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
105860 arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
105861 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
105862 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 +
105863 arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
105864 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 +
105865 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
105866 arch/x86/crypto/sha1_ssse3_asm.S | 2 +
105867 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 +
105868 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
105869 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
105870 arch/x86/ia32/ia32_signal.c | 14 +-
105871 arch/x86/ia32/ia32entry.S | 141 +-
105872 arch/x86/ia32/sys_ia32.c | 6 +-
105873 arch/x86/include/asm/alternative-asm.h | 39 +
105874 arch/x86/include/asm/alternative.h | 4 +-
105875 arch/x86/include/asm/apic.h | 2 +-
105876 arch/x86/include/asm/apm.h | 4 +-
105877 arch/x86/include/asm/atomic.h | 307 ++-
105878 arch/x86/include/asm/atomic64_32.h | 100 +
105879 arch/x86/include/asm/atomic64_64.h | 202 +-
105880 arch/x86/include/asm/bitops.h | 4 +-
105881 arch/x86/include/asm/boot.h | 7 +-
105882 arch/x86/include/asm/cache.h | 5 +-
105883 arch/x86/include/asm/cacheflush.h | 2 +-
105884 arch/x86/include/asm/checksum_32.h | 12 +-
105885 arch/x86/include/asm/cmpxchg.h | 35 +
105886 arch/x86/include/asm/compat.h | 2 +-
105887 arch/x86/include/asm/cpufeature.h | 4 +-
105888 arch/x86/include/asm/desc.h | 67 +-
105889 arch/x86/include/asm/desc_defs.h | 6 +
105890 arch/x86/include/asm/div64.h | 2 +-
105891 arch/x86/include/asm/elf.h | 31 +-
105892 arch/x86/include/asm/emergency-restart.h | 2 +-
105893 arch/x86/include/asm/fpu-internal.h | 6 +-
105894 arch/x86/include/asm/futex.h | 16 +-
105895 arch/x86/include/asm/hw_irq.h | 4 +-
105896 arch/x86/include/asm/i8259.h | 2 +-
105897 arch/x86/include/asm/io.h | 21 +-
105898 arch/x86/include/asm/irqflags.h | 5 +
105899 arch/x86/include/asm/kprobes.h | 9 +-
105900 arch/x86/include/asm/local.h | 142 +-
105901 arch/x86/include/asm/mman.h | 15 +
105902 arch/x86/include/asm/mmu.h | 16 +-
105903 arch/x86/include/asm/mmu_context.h | 76 +-
105904 arch/x86/include/asm/module.h | 17 +-
105905 arch/x86/include/asm/nmi.h | 6 +-
105906 arch/x86/include/asm/page_64.h | 2 +-
105907 arch/x86/include/asm/paravirt.h | 46 +-
105908 arch/x86/include/asm/paravirt_types.h | 17 +-
105909 arch/x86/include/asm/pgalloc.h | 23 +
105910 arch/x86/include/asm/pgtable-2level.h | 2 +
105911 arch/x86/include/asm/pgtable-3level.h | 4 +
105912 arch/x86/include/asm/pgtable.h | 113 +-
105913 arch/x86/include/asm/pgtable_32.h | 14 +-
105914 arch/x86/include/asm/pgtable_32_types.h | 15 +-
105915 arch/x86/include/asm/pgtable_64.h | 19 +-
105916 arch/x86/include/asm/pgtable_64_types.h | 5 +
105917 arch/x86/include/asm/pgtable_types.h | 36 +-
105918 arch/x86/include/asm/processor.h | 39 +-
105919 arch/x86/include/asm/ptrace.h | 26 +-
105920 arch/x86/include/asm/realmode.h | 4 +-
105921 arch/x86/include/asm/reboot.h | 10 +-
105922 arch/x86/include/asm/rwsem.h | 60 +-
105923 arch/x86/include/asm/segment.h | 24 +-
105924 arch/x86/include/asm/smp.h | 14 +-
105925 arch/x86/include/asm/spinlock.h | 36 +-
105926 arch/x86/include/asm/stackprotector.h | 4 +-
105927 arch/x86/include/asm/stacktrace.h | 32 +-
105928 arch/x86/include/asm/switch_to.h | 4 +-
105929 arch/x86/include/asm/thread_info.h | 83 +-
105930 arch/x86/include/asm/uaccess.h | 96 +-
105931 arch/x86/include/asm/uaccess_32.h | 106 +-
105932 arch/x86/include/asm/uaccess_64.h | 232 +-
105933 arch/x86/include/asm/word-at-a-time.h | 2 +-
105934 arch/x86/include/asm/x86_init.h | 10 +-
105935 arch/x86/include/asm/xsave.h | 10 +-
105936 arch/x86/include/uapi/asm/e820.h | 2 +-
105937 arch/x86/kernel/Makefile | 2 +-
105938 arch/x86/kernel/acpi/boot.c | 4 +-
105939 arch/x86/kernel/acpi/sleep.c | 4 +
105940 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
105941 arch/x86/kernel/alternative.c | 65 +-
105942 arch/x86/kernel/apic/apic.c | 4 +-
105943 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
105944 arch/x86/kernel/apic/apic_noop.c | 2 +-
105945 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
105946 arch/x86/kernel/apic/es7000_32.c | 5 +-
105947 arch/x86/kernel/apic/io_apic.c | 8 +-
105948 arch/x86/kernel/apic/numaq_32.c | 3 +-
105949 arch/x86/kernel/apic/probe_32.c | 2 +-
105950 arch/x86/kernel/apic/summit_32.c | 2 +-
105951 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
105952 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
105953 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
105954 arch/x86/kernel/apm_32.c | 19 +-
105955 arch/x86/kernel/asm-offsets.c | 20 +
105956 arch/x86/kernel/asm-offsets_64.c | 1 +
105957 arch/x86/kernel/cpu/Makefile | 4 -
105958 arch/x86/kernel/cpu/amd.c | 2 +-
105959 arch/x86/kernel/cpu/common.c | 75 +-
105960 arch/x86/kernel/cpu/intel.c | 2 +-
105961 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
105962 arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
105963 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
105964 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
105965 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
105966 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
105967 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
105968 arch/x86/kernel/cpu/perf_event.c | 8 +-
105969 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
105970 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
105971 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
105972 arch/x86/kernel/cpuid.c | 2 +-
105973 arch/x86/kernel/crash.c | 4 +-
105974 arch/x86/kernel/doublefault_32.c | 8 +-
105975 arch/x86/kernel/dumpstack.c | 30 +-
105976 arch/x86/kernel/dumpstack_32.c | 34 +-
105977 arch/x86/kernel/dumpstack_64.c | 63 +-
105978 arch/x86/kernel/early_printk.c | 1 +
105979 arch/x86/kernel/entry_32.S | 354 ++-
105980 arch/x86/kernel/entry_64.S | 530 ++-
105981 arch/x86/kernel/ftrace.c | 14 +-
105982 arch/x86/kernel/head64.c | 1 -
105983 arch/x86/kernel/head_32.S | 237 +-
105984 arch/x86/kernel/head_64.S | 120 +-
105985 arch/x86/kernel/i386_ksyms_32.c | 8 +
105986 arch/x86/kernel/i387.c | 2 +-
105987 arch/x86/kernel/i8259.c | 10 +-
105988 arch/x86/kernel/io_delay.c | 2 +-
105989 arch/x86/kernel/ioport.c | 2 +-
105990 arch/x86/kernel/irq.c | 8 +-
105991 arch/x86/kernel/irq_32.c | 69 +-
105992 arch/x86/kernel/irq_64.c | 2 +-
105993 arch/x86/kernel/kdebugfs.c | 2 +-
105994 arch/x86/kernel/kgdb.c | 25 +-
105995 arch/x86/kernel/kprobes/core.c | 30 +-
105996 arch/x86/kernel/kprobes/opt.c | 16 +-
105997 arch/x86/kernel/kvm.c | 2 +-
105998 arch/x86/kernel/ldt.c | 31 +-
105999 arch/x86/kernel/machine_kexec_32.c | 6 +-
106000 arch/x86/kernel/microcode_core.c | 2 +-
106001 arch/x86/kernel/microcode_intel.c | 4 +-
106002 arch/x86/kernel/module.c | 76 +-
106003 arch/x86/kernel/msr.c | 2 +-
106004 arch/x86/kernel/nmi.c | 19 +-
106005 arch/x86/kernel/nmi_selftest.c | 4 +-
106006 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
106007 arch/x86/kernel/paravirt.c | 43 +-
106008 arch/x86/kernel/pci-calgary_64.c | 2 +-
106009 arch/x86/kernel/pci-iommu_table.c | 2 +-
106010 arch/x86/kernel/pci-swiotlb.c | 2 +-
106011 arch/x86/kernel/process.c | 57 +-
106012 arch/x86/kernel/process_32.c | 29 +-
106013 arch/x86/kernel/process_64.c | 15 +-
106014 arch/x86/kernel/ptrace.c | 25 +-
106015 arch/x86/kernel/pvclock.c | 8 +-
106016 arch/x86/kernel/reboot.c | 44 +-
106017 arch/x86/kernel/relocate_kernel_64.S | 4 +-
106018 arch/x86/kernel/setup.c | 19 +-
106019 arch/x86/kernel/setup_percpu.c | 29 +-
106020 arch/x86/kernel/signal.c | 15 +-
106021 arch/x86/kernel/smp.c | 2 +-
106022 arch/x86/kernel/smpboot.c | 15 +-
106023 arch/x86/kernel/step.c | 10 +-
106024 arch/x86/kernel/sys_i386_32.c | 248 +
106025 arch/x86/kernel/sys_x86_64.c | 19 +-
106026 arch/x86/kernel/tboot.c | 14 +-
106027 arch/x86/kernel/time.c | 10 +-
106028 arch/x86/kernel/tls.c | 7 +-
106029 arch/x86/kernel/traps.c | 64 +-
106030 arch/x86/kernel/uprobes.c | 2 +-
106031 arch/x86/kernel/vm86_32.c | 6 +-
106032 arch/x86/kernel/vmlinux.lds.S | 148 +-
106033 arch/x86/kernel/vsyscall_64.c | 12 +-
106034 arch/x86/kernel/x8664_ksyms_64.c | 2 -
106035 arch/x86/kernel/x86_init.c | 8 +-
106036 arch/x86/kernel/xsave.c | 2 +
106037 arch/x86/kvm/cpuid.c | 21 +-
106038 arch/x86/kvm/emulate.c | 4 +-
106039 arch/x86/kvm/lapic.c | 2 +-
106040 arch/x86/kvm/paging_tmpl.h | 2 +-
106041 arch/x86/kvm/svm.c | 8 +
106042 arch/x86/kvm/vmx.c | 57 +-
106043 arch/x86/kvm/x86.c | 10 +-
106044 arch/x86/lguest/boot.c | 3 +-
106045 arch/x86/lib/atomic64_386_32.S | 164 +
106046 arch/x86/lib/atomic64_cx8_32.S | 103 +-
106047 arch/x86/lib/checksum_32.S | 100 +-
106048 arch/x86/lib/clear_page_64.S | 5 +-
106049 arch/x86/lib/cmpxchg16b_emu.S | 2 +
106050 arch/x86/lib/copy_page_64.S | 24 +-
106051 arch/x86/lib/copy_user_64.S | 47 +-
106052 arch/x86/lib/copy_user_nocache_64.S | 20 +-
106053 arch/x86/lib/csum-copy_64.S | 2 +
106054 arch/x86/lib/csum-wrappers_64.c | 4 +-
106055 arch/x86/lib/getuser.S | 70 +-
106056 arch/x86/lib/insn.c | 6 +-
106057 arch/x86/lib/iomap_copy_64.S | 2 +
106058 arch/x86/lib/memcpy_64.S | 18 +-
106059 arch/x86/lib/memmove_64.S | 34 +-
106060 arch/x86/lib/memset_64.S | 7 +-
106061 arch/x86/lib/mmx_32.c | 243 +-
106062 arch/x86/lib/msr-reg.S | 18 +-
106063 arch/x86/lib/putuser.S | 90 +-
106064 arch/x86/lib/rwlock.S | 42 +
106065 arch/x86/lib/rwsem.S | 6 +-
106066 arch/x86/lib/thunk_64.S | 2 +
106067 arch/x86/lib/usercopy_32.c | 376 +-
106068 arch/x86/lib/usercopy_64.c | 25 +-
106069 arch/x86/mm/extable.c | 25 +-
106070 arch/x86/mm/fault.c | 556 ++-
106071 arch/x86/mm/gup.c | 2 +-
106072 arch/x86/mm/highmem_32.c | 4 +
106073 arch/x86/mm/hugetlbpage.c | 30 +-
106074 arch/x86/mm/init.c | 90 +-
106075 arch/x86/mm/init_32.c | 119 +-
106076 arch/x86/mm/init_64.c | 44 +-
106077 arch/x86/mm/iomap_32.c | 4 +
106078 arch/x86/mm/ioremap.c | 15 +-
106079 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
106080 arch/x86/mm/mmap.c | 41 +-
106081 arch/x86/mm/mmio-mod.c | 10 +-
106082 arch/x86/mm/numa.c | 2 +-
106083 arch/x86/mm/pageattr-test.c | 2 +-
106084 arch/x86/mm/pageattr.c | 33 +-
106085 arch/x86/mm/pat.c | 12 +-
106086 arch/x86/mm/pf_in.c | 10 +-
106087 arch/x86/mm/pgtable.c | 137 +-
106088 arch/x86/mm/pgtable_32.c | 3 +
106089 arch/x86/mm/physaddr.c | 4 +-
106090 arch/x86/mm/setup_nx.c | 7 +
106091 arch/x86/mm/tlb.c | 4 +
106092 arch/x86/net/bpf_jit.S | 14 +
106093 arch/x86/net/bpf_jit_comp.c | 37 +-
106094 arch/x86/oprofile/backtrace.c | 8 +-
106095 arch/x86/oprofile/nmi_int.c | 8 +-
106096 arch/x86/oprofile/op_model_amd.c | 8 +-
106097 arch/x86/oprofile/op_model_ppro.c | 7 +-
106098 arch/x86/oprofile/op_x86_model.h | 2 +-
106099 arch/x86/pci/amd_bus.c | 2 +-
106100 arch/x86/pci/irq.c | 8 +-
106101 arch/x86/pci/mrst.c | 4 +-
106102 arch/x86/pci/pcbios.c | 144 +-
106103 arch/x86/platform/efi/efi_32.c | 19 +
106104 arch/x86/platform/efi/efi_stub_32.S | 64 +-
106105 arch/x86/platform/efi/efi_stub_64.S | 8 +
106106 arch/x86/platform/mrst/mrst.c | 6 +-
106107 arch/x86/platform/olpc/olpc_dt.c | 2 +-
106108 arch/x86/power/cpu.c | 4 +-
106109 arch/x86/realmode/init.c | 8 +-
106110 arch/x86/realmode/rm/Makefile | 3 +
106111 arch/x86/realmode/rm/header.S | 4 +-
106112 arch/x86/realmode/rm/trampoline_32.S | 12 +-
106113 arch/x86/realmode/rm/trampoline_64.S | 2 +-
106114 arch/x86/tools/relocs.c | 95 +-
106115 arch/x86/vdso/Makefile | 2 +-
106116 arch/x86/vdso/vdso32-setup.c | 23 +-
106117 arch/x86/vdso/vma.c | 29 +-
106118 arch/x86/xen/enlighten.c | 47 +-
106119 arch/x86/xen/mmu.c | 9 +
106120 arch/x86/xen/smp.c | 18 +-
106121 arch/x86/xen/xen-asm_32.S | 12 +-
106122 arch/x86/xen/xen-head.S | 11 +
106123 arch/x86/xen/xen-ops.h | 2 -
106124 block/blk-iopoll.c | 4 +-
106125 block/blk-map.c | 2 +-
106126 block/blk-softirq.c | 4 +-
106127 block/bsg.c | 12 +-
106128 block/compat_ioctl.c | 2 +-
106129 block/partitions/efi.c | 8 +-
106130 block/scsi_ioctl.c | 27 +-
106131 crypto/cryptd.c | 4 +-
106132 drivers/acpi/apei/apei-internal.h | 2 +-
106133 drivers/acpi/apei/cper.c | 8 +-
106134 drivers/acpi/bgrt.c | 6 +-
106135 drivers/acpi/blacklist.c | 4 +-
106136 drivers/acpi/ec_sys.c | 12 +-
106137 drivers/acpi/processor_idle.c | 2 +-
106138 drivers/acpi/sysfs.c | 4 +-
106139 drivers/ata/libahci.c | 2 +-
106140 drivers/ata/libata-core.c | 8 +-
106141 drivers/ata/pata_arasan_cf.c | 4 +-
106142 drivers/atm/adummy.c | 2 +-
106143 drivers/atm/ambassador.c | 8 +-
106144 drivers/atm/atmtcp.c | 14 +-
106145 drivers/atm/eni.c | 10 +-
106146 drivers/atm/firestream.c | 8 +-
106147 drivers/atm/fore200e.c | 14 +-
106148 drivers/atm/he.c | 18 +-
106149 drivers/atm/horizon.c | 4 +-
106150 drivers/atm/idt77252.c | 36 +-
106151 drivers/atm/iphase.c | 34 +-
106152 drivers/atm/lanai.c | 12 +-
106153 drivers/atm/nicstar.c | 46 +-
106154 drivers/atm/solos-pci.c | 4 +-
106155 drivers/atm/suni.c | 4 +-
106156 drivers/atm/uPD98402.c | 16 +-
106157 drivers/atm/zatm.c | 6 +-
106158 drivers/base/bus.c | 4 +-
106159 drivers/base/devtmpfs.c | 2 +-
106160 drivers/base/node.c | 2 +-
106161 drivers/base/power/domain.c | 4 +-
106162 drivers/base/power/wakeup.c | 8 +-
106163 drivers/base/syscore.c | 4 +-
106164 drivers/block/cciss.c | 28 +-
106165 drivers/block/cciss.h | 2 +-
106166 drivers/block/cpqarray.c | 28 +-
106167 drivers/block/cpqarray.h | 2 +-
106168 drivers/block/drbd/drbd_int.h | 6 +-
106169 drivers/block/drbd/drbd_main.c | 8 +-
106170 drivers/block/drbd/drbd_receiver.c | 22 +-
106171 drivers/block/loop.c | 2 +-
106172 drivers/block/pktcdvd.c | 2 +-
106173 drivers/cdrom/cdrom.c | 9 +-
106174 drivers/cdrom/gdrom.c | 1 -
106175 drivers/char/agp/frontend.c | 2 +-
106176 drivers/char/hpet.c | 2 +-
106177 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
106178 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
106179 drivers/char/mem.c | 41 +-
106180 drivers/char/nvram.c | 2 +-
106181 drivers/char/pcmcia/synclink_cs.c | 18 +-
106182 drivers/char/random.c | 10 +-
106183 drivers/char/sonypi.c | 9 +-
106184 drivers/char/tpm/tpm_acpi.c | 3 +-
106185 drivers/char/tpm/tpm_eventlog.c | 7 +-
106186 drivers/char/virtio_console.c | 4 +-
106187 drivers/clocksource/arm_arch_timer.c | 2 +-
106188 drivers/clocksource/metag_generic.c | 2 +-
106189 drivers/cpufreq/acpi-cpufreq.c | 20 +-
106190 drivers/cpufreq/cpufreq.c | 9 +-
106191 drivers/cpufreq/cpufreq_governor.c | 4 +-
106192 drivers/cpufreq/cpufreq_governor.h | 2 +-
106193 drivers/cpufreq/cpufreq_stats.c | 2 +-
106194 drivers/cpufreq/p4-clockmod.c | 12 +-
106195 drivers/cpufreq/speedstep-centrino.c | 7 +-
106196 drivers/cpuidle/cpuidle.c | 2 +-
106197 drivers/cpuidle/governor.c | 4 +-
106198 drivers/cpuidle/sysfs.c | 2 +-
106199 drivers/devfreq/devfreq.c | 4 +-
106200 drivers/dma/sh/shdma.c | 2 +-
106201 drivers/edac/edac_mc_sysfs.c | 12 +-
106202 drivers/edac/edac_pci_sysfs.c | 22 +-
106203 drivers/edac/mce_amd.h | 2 +-
106204 drivers/firewire/core-card.c | 2 +-
106205 drivers/firewire/core-cdev.c | 3 +-
106206 drivers/firewire/core-device.c | 2 +-
106207 drivers/firewire/core-transaction.c | 1 +
106208 drivers/firewire/core.h | 1 +
106209 drivers/firmware/dmi-id.c | 2 +-
106210 drivers/firmware/dmi_scan.c | 7 +-
106211 drivers/firmware/efivars.c | 4 +-
106212 drivers/firmware/google/memconsole.c | 4 +-
106213 drivers/gpio/gpio-ich.c | 2 +-
106214 drivers/gpio/gpio-vr41xx.c | 2 +-
106215 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
106216 drivers/gpu/drm/drm_drv.c | 6 +-
106217 drivers/gpu/drm/drm_fops.c | 18 +-
106218 drivers/gpu/drm/drm_global.c | 14 +-
106219 drivers/gpu/drm/drm_info.c | 14 +-
106220 drivers/gpu/drm/drm_ioc32.c | 13 +-
106221 drivers/gpu/drm/drm_ioctl.c | 2 +-
106222 drivers/gpu/drm/drm_lock.c | 4 +-
106223 drivers/gpu/drm/drm_stub.c | 2 +-
106224 drivers/gpu/drm/i810/i810_dma.c | 8 +-
106225 drivers/gpu/drm/i810/i810_drv.h | 4 +-
106226 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
106227 drivers/gpu/drm/i915/i915_dma.c | 2 +-
106228 drivers/gpu/drm/i915/i915_drv.h | 4 +-
106229 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
106230 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
106231 drivers/gpu/drm/i915/i915_irq.c | 22 +-
106232 drivers/gpu/drm/i915/intel_display.c | 26 +-
106233 drivers/gpu/drm/mga/mga_drv.h | 4 +-
106234 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
106235 drivers/gpu/drm/mga/mga_irq.c | 8 +-
106236 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
106237 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
106238 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
106239 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
106240 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
106241 drivers/gpu/drm/r128/r128_cce.c | 2 +-
106242 drivers/gpu/drm/r128/r128_drv.h | 4 +-
106243 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
106244 drivers/gpu/drm/r128/r128_irq.c | 4 +-
106245 drivers/gpu/drm/r128/r128_state.c | 4 +-
106246 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
106247 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
106248 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
106249 drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
106250 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
106251 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
106252 drivers/gpu/drm/radeon/radeon_ttm.c | 37 +-
106253 drivers/gpu/drm/radeon/rs690.c | 4 +-
106254 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
106255 drivers/gpu/drm/udl/udl_fb.c | 1 -
106256 drivers/gpu/drm/via/via_drv.h | 4 +-
106257 drivers/gpu/drm/via/via_irq.c | 18 +-
106258 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
106259 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
106260 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
106261 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
106262 drivers/hid/hid-core.c | 4 +-
106263 drivers/hv/channel.c | 4 +-
106264 drivers/hv/hv.c | 2 +-
106265 drivers/hv/hyperv_vmbus.h | 2 +-
106266 drivers/hv/vmbus_drv.c | 4 +-
106267 drivers/hwmon/acpi_power_meter.c | 4 +-
106268 drivers/hwmon/applesmc.c | 2 +-
106269 drivers/hwmon/asus_atk0110.c | 10 +-
106270 drivers/hwmon/coretemp.c | 2 +-
106271 drivers/hwmon/ibmaem.c | 2 +-
106272 drivers/hwmon/sht15.c | 12 +-
106273 drivers/hwmon/via-cputemp.c | 2 +-
106274 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
106275 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
106276 drivers/ide/ide-cd.c | 2 +-
106277 drivers/iio/industrialio-core.c | 2 +-
106278 drivers/infiniband/core/cm.c | 32 +-
106279 drivers/infiniband/core/fmr_pool.c | 20 +-
106280 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
106281 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
106282 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
106283 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
106284 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
106285 drivers/infiniband/hw/nes/nes.c | 4 +-
106286 drivers/infiniband/hw/nes/nes.h | 40 +-
106287 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
106288 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
106289 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
106290 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
106291 drivers/infiniband/hw/qib/qib.h | 1 +
106292 drivers/input/gameport/gameport.c | 4 +-
106293 drivers/input/input.c | 4 +-
106294 drivers/input/joystick/sidewinder.c | 1 +
106295 drivers/input/joystick/xpad.c | 4 +-
106296 drivers/input/mouse/psmouse.h | 2 +-
106297 drivers/input/mousedev.c | 2 +-
106298 drivers/input/serio/serio.c | 4 +-
106299 drivers/iommu/iommu.c | 2 +-
106300 drivers/iommu/irq_remapping.c | 10 +-
106301 drivers/irqchip/irq-gic.c | 4 +-
106302 drivers/isdn/capi/capi.c | 10 +-
106303 drivers/isdn/gigaset/interface.c | 8 +-
106304 drivers/isdn/hardware/avm/b1.c | 4 +-
106305 drivers/isdn/i4l/isdn_tty.c | 22 +-
106306 drivers/isdn/icn/icn.c | 2 +-
106307 drivers/leds/leds-clevo-mail.c | 2 +-
106308 drivers/leds/leds-ss4200.c | 2 +-
106309 drivers/lguest/core.c | 10 +-
106310 drivers/lguest/page_tables.c | 2 +-
106311 drivers/lguest/x86/core.c | 12 +-
106312 drivers/lguest/x86/switcher_32.S | 27 +-
106313 drivers/md/bitmap.c | 2 +-
106314 drivers/md/dm-ioctl.c | 2 +-
106315 drivers/md/dm-raid1.c | 16 +-
106316 drivers/md/dm-stripe.c | 10 +-
106317 drivers/md/dm-table.c | 2 +-
106318 drivers/md/dm-thin-metadata.c | 4 +-
106319 drivers/md/dm.c | 16 +-
106320 drivers/md/md.c | 26 +-
106321 drivers/md/md.h | 6 +-
106322 drivers/md/persistent-data/dm-space-map.h | 1 +
106323 drivers/md/raid1.c | 4 +-
106324 drivers/md/raid10.c | 16 +-
106325 drivers/md/raid5.c | 10 +-
106326 drivers/media/dvb-core/dvbdev.c | 2 +-
106327 drivers/media/dvb-frontends/dib3000.h | 2 +-
106328 drivers/media/pci/cx88/cx88-video.c | 6 +-
106329 drivers/media/platform/omap/omap_vout.c | 11 +-
106330 drivers/media/platform/s5p-tv/mixer.h | 2 +-
106331 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
106332 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
106333 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
106334 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
106335 drivers/media/radio/radio-cadet.c | 2 +
106336 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
106337 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
106338 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
106339 drivers/message/fusion/mptsas.c | 34 +-
106340 drivers/message/fusion/mptscsih.c | 19 +-
106341 drivers/message/i2o/i2o_proc.c | 51 +-
106342 drivers/message/i2o/iop.c | 8 +-
106343 drivers/mfd/janz-cmodio.c | 1 +
106344 drivers/mfd/twl4030-irq.c | 9 +-
106345 drivers/mfd/twl6030-irq.c | 10 +-
106346 drivers/misc/c2port/core.c | 4 +-
106347 drivers/misc/kgdbts.c | 4 +-
106348 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
106349 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
106350 drivers/misc/sgi-gru/gruhandles.c | 4 +-
106351 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
106352 drivers/misc/sgi-gru/grutables.h | 154 +-
106353 drivers/misc/sgi-xp/xp.h | 2 +-
106354 drivers/misc/sgi-xp/xpc.h | 3 +-
106355 drivers/misc/sgi-xp/xpc_main.c | 4 +-
106356 drivers/mmc/core/mmc_ops.c | 2 +-
106357 drivers/mmc/host/dw_mmc.h | 2 +-
106358 drivers/mmc/host/sdhci-s3c.c | 8 +-
106359 drivers/mtd/devices/doc2000.c | 2 +-
106360 drivers/mtd/nand/denali.c | 1 +
106361 drivers/mtd/nftlmount.c | 1 +
106362 drivers/mtd/sm_ftl.c | 2 +-
106363 drivers/net/bonding/bond_main.c | 2 +-
106364 drivers/net/ethernet/8390/ax88796.c | 4 +-
106365 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
106366 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
106367 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
106368 drivers/net/ethernet/broadcom/tg3.h | 1 +
106369 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
106370 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
106371 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
106372 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
106373 drivers/net/ethernet/faraday/ftmac100.c | 2 +
106374 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
106375 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
106376 drivers/net/ethernet/realtek/r8169.c | 8 +-
106377 drivers/net/ethernet/sfc/ptp.c | 2 +-
106378 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
106379 drivers/net/hyperv/hyperv_net.h | 2 +-
106380 drivers/net/hyperv/rndis_filter.c | 4 +-
106381 drivers/net/ieee802154/fakehard.c | 2 +-
106382 drivers/net/macvlan.c | 18 +-
106383 drivers/net/macvtap.c | 2 +-
106384 drivers/net/ppp/ppp_generic.c | 4 +-
106385 drivers/net/slip/slhc.c | 2 +-
106386 drivers/net/team/team.c | 2 +-
106387 drivers/net/tun.c | 5 +-
106388 drivers/net/usb/hso.c | 23 +-
106389 drivers/net/vxlan.c | 2 +-
106390 drivers/net/wireless/at76c50x-usb.c | 2 +-
106391 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
106392 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
106393 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
106394 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
106395 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
106396 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
106397 drivers/net/wireless/mac80211_hwsim.c | 32 +-
106398 drivers/net/wireless/rndis_wlan.c | 2 +-
106399 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
106400 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
106401 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
106402 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
106403 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
106404 drivers/oprofile/buffer_sync.c | 8 +-
106405 drivers/oprofile/event_buffer.c | 2 +-
106406 drivers/oprofile/oprof.c | 2 +-
106407 drivers/oprofile/oprofile_files.c | 2 +-
106408 drivers/oprofile/oprofile_stats.c | 10 +-
106409 drivers/oprofile/oprofile_stats.h | 10 +-
106410 drivers/oprofile/oprofilefs.c | 2 +-
106411 drivers/oprofile/timer_int.c | 2 +-
106412 drivers/parport/procfs.c | 4 +-
106413 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
106414 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
106415 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
106416 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
106417 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
106418 drivers/pci/hotplug/pciehp_core.c | 2 +-
106419 drivers/pci/pci-sysfs.c | 6 +-
106420 drivers/pci/pci.h | 2 +-
106421 drivers/pci/pcie/aspm.c | 6 +-
106422 drivers/pci/probe.c | 2 +-
106423 drivers/platform/x86/msi-laptop.c | 14 +-
106424 drivers/platform/x86/sony-laptop.c | 2 +-
106425 drivers/platform/x86/thinkpad_acpi.c | 70 +-
106426 drivers/pnp/pnpbios/bioscalls.c | 14 +-
106427 drivers/pnp/resource.c | 4 +-
106428 drivers/power/pda_power.c | 7 +-
106429 drivers/power/power_supply.h | 4 +-
106430 drivers/power/power_supply_core.c | 7 +-
106431 drivers/power/power_supply_sysfs.c | 6 +-
106432 drivers/regulator/max8660.c | 6 +-
106433 drivers/regulator/max8973-regulator.c | 8 +-
106434 drivers/regulator/mc13892-regulator.c | 6 +-
106435 drivers/rtc/rtc-cmos.c | 4 +-
106436 drivers/rtc/rtc-ds1307.c | 2 +-
106437 drivers/rtc/rtc-m48t59.c | 4 +-
106438 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
106439 drivers/scsi/bfa/bfa_ioc.h | 4 +-
106440 drivers/scsi/hosts.c | 4 +-
106441 drivers/scsi/hpsa.c | 30 +-
106442 drivers/scsi/hpsa.h | 2 +-
106443 drivers/scsi/libfc/fc_exch.c | 50 +-
106444 drivers/scsi/libsas/sas_ata.c | 2 +-
106445 drivers/scsi/lpfc/lpfc.h | 8 +-
106446 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
106447 drivers/scsi/lpfc/lpfc_init.c | 6 +-
106448 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
106449 drivers/scsi/pmcraid.c | 20 +-
106450 drivers/scsi/pmcraid.h | 8 +-
106451 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
106452 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
106453 drivers/scsi/qla2xxx/qla_os.c | 6 +-
106454 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
106455 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
106456 drivers/scsi/scsi.c | 2 +-
106457 drivers/scsi/scsi_lib.c | 6 +-
106458 drivers/scsi/scsi_sysfs.c | 2 +-
106459 drivers/scsi/scsi_tgt_lib.c | 2 +-
106460 drivers/scsi/scsi_transport_fc.c | 8 +-
106461 drivers/scsi/scsi_transport_iscsi.c | 6 +-
106462 drivers/scsi/scsi_transport_srp.c | 6 +-
106463 drivers/scsi/sd.c | 2 +-
106464 drivers/scsi/sg.c | 2 +-
106465 drivers/spi/spi.c | 2 +-
106466 drivers/staging/iio/iio_hwmon.c | 2 +-
106467 drivers/staging/octeon/ethernet-rx.c | 12 +-
106468 drivers/staging/octeon/ethernet.c | 8 +-
106469 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
106470 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
106471 drivers/staging/usbip/vhci.h | 2 +-
106472 drivers/staging/usbip/vhci_hcd.c | 6 +-
106473 drivers/staging/usbip/vhci_rx.c | 2 +-
106474 drivers/staging/vt6655/hostap.c | 7 +-
106475 drivers/staging/vt6656/hostap.c | 7 +-
106476 drivers/staging/zcache/tmem.c | 4 +-
106477 drivers/staging/zcache/tmem.h | 2 +
106478 drivers/target/target_core_device.c | 2 +-
106479 drivers/target/target_core_transport.c | 2 +-
106480 drivers/tty/cyclades.c | 6 +-
106481 drivers/tty/hvc/hvc_console.c | 14 +-
106482 drivers/tty/hvc/hvcs.c | 21 +-
106483 drivers/tty/ipwireless/tty.c | 27 +-
106484 drivers/tty/moxa.c | 2 +-
106485 drivers/tty/n_gsm.c | 4 +-
106486 drivers/tty/n_tty.c | 3 +-
106487 drivers/tty/pty.c | 4 +-
106488 drivers/tty/rocket.c | 6 +-
106489 drivers/tty/serial/kgdboc.c | 32 +-
106490 drivers/tty/serial/samsung.c | 9 +-
106491 drivers/tty/serial/serial_core.c | 8 +-
106492 drivers/tty/synclink.c | 34 +-
106493 drivers/tty/synclink_gt.c | 28 +-
106494 drivers/tty/synclinkmp.c | 34 +-
106495 drivers/tty/tty_io.c | 2 +-
106496 drivers/tty/tty_ldisc.c | 10 +-
106497 drivers/tty/tty_port.c | 22 +-
106498 drivers/uio/uio.c | 21 +-
106499 drivers/usb/atm/cxacru.c | 2 +-
106500 drivers/usb/atm/usbatm.c | 24 +-
106501 drivers/usb/core/devices.c | 6 +-
106502 drivers/usb/core/hcd.c | 4 +-
106503 drivers/usb/core/message.c | 2 +-
106504 drivers/usb/core/sysfs.c | 2 +-
106505 drivers/usb/core/usb.c | 2 +-
106506 drivers/usb/early/ehci-dbgp.c | 16 +-
106507 drivers/usb/gadget/u_serial.c | 22 +-
106508 drivers/usb/serial/console.c | 6 +-
106509 drivers/usb/storage/usb.h | 2 +-
106510 drivers/usb/wusbcore/wa-hc.h | 4 +-
106511 drivers/usb/wusbcore/wa-xfer.c | 2 +-
106512 drivers/video/aty/aty128fb.c | 2 +-
106513 drivers/video/aty/atyfb_base.c | 8 +-
106514 drivers/video/aty/mach64_cursor.c | 5 +-
106515 drivers/video/backlight/kb3886_bl.c | 2 +-
106516 drivers/video/fb_defio.c | 6 +-
106517 drivers/video/fbcmap.c | 3 +-
106518 drivers/video/fbmem.c | 6 +-
106519 drivers/video/i810/i810_accel.c | 1 +
106520 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
106521 drivers/video/nvidia/nvidia.c | 27 +-
106522 drivers/video/s1d13xxxfb.c | 6 +-
106523 drivers/video/smscufx.c | 4 +-
106524 drivers/video/udlfb.c | 36 +-
106525 drivers/video/uvesafb.c | 53 +-
106526 drivers/video/vesafb.c | 58 +-
106527 drivers/video/via/via_clock.h | 2 +-
106528 fs/9p/vfs_inode.c | 2 +-
106529 fs/Kconfig.binfmt | 2 +-
106530 fs/aio.c | 11 +-
106531 fs/autofs4/waitq.c | 2 +-
106532 fs/befs/endian.h | 4 +-
106533 fs/befs/linuxvfs.c | 2 +-
106534 fs/binfmt_aout.c | 23 +-
106535 fs/binfmt_elf.c | 605 +++-
106536 fs/binfmt_flat.c | 6 +
106537 fs/bio.c | 6 +-
106538 fs/block_dev.c | 2 +-
106539 fs/btrfs/ctree.c | 9 +-
106540 fs/btrfs/super.c | 2 +-
106541 fs/cachefiles/bind.c | 6 +-
106542 fs/cachefiles/daemon.c | 8 +-
106543 fs/cachefiles/internal.h | 12 +-
106544 fs/cachefiles/namei.c | 2 +-
106545 fs/cachefiles/proc.c | 12 +-
106546 fs/cachefiles/rdwr.c | 2 +-
106547 fs/ceph/dir.c | 2 +-
106548 fs/cifs/cifs_debug.c | 12 +-
106549 fs/cifs/cifsfs.c | 8 +-
106550 fs/cifs/cifsglob.h | 54 +-
106551 fs/cifs/link.c | 2 +-
106552 fs/cifs/misc.c | 4 +-
106553 fs/cifs/smb1ops.c | 80 +-
106554 fs/cifs/smb2ops.c | 84 +-
106555 fs/cifs/smb2pdu.c | 3 +-
106556 fs/coda/cache.c | 10 +-
106557 fs/compat.c | 6 +-
106558 fs/compat_binfmt_elf.c | 2 +
106559 fs/compat_ioctl.c | 8 +-
106560 fs/configfs/dir.c | 10 +-
106561 fs/coredump.c | 24 +-
106562 fs/dcache.c | 2 +-
106563 fs/ecryptfs/inode.c | 4 +-
106564 fs/ecryptfs/miscdev.c | 2 +-
106565 fs/ecryptfs/read_write.c | 2 +-
106566 fs/exec.c | 362 ++-
106567 fs/ext4/ext4.h | 20 +-
106568 fs/ext4/mballoc.c | 44 +-
106569 fs/ext4/super.c | 2 +-
106570 fs/fhandle.c | 3 +-
106571 fs/fifo.c | 22 +-
106572 fs/fs_struct.c | 8 +-
106573 fs/fscache/cookie.c | 36 +-
106574 fs/fscache/internal.h | 196 +-
106575 fs/fscache/object.c | 28 +-
106576 fs/fscache/operation.c | 30 +-
106577 fs/fscache/page.c | 110 +-
106578 fs/fscache/stats.c | 344 +-
106579 fs/fuse/cuse.c | 10 +-
106580 fs/fuse/dev.c | 2 +-
106581 fs/fuse/dir.c | 2 +-
106582 fs/gfs2/inode.c | 2 +-
106583 fs/hugetlbfs/inode.c | 13 +-
106584 fs/inode.c | 4 +-
106585 fs/jffs2/erase.c | 3 +-
106586 fs/jffs2/wbuf.c | 3 +-
106587 fs/jfs/super.c | 6 +-
106588 fs/libfs.c | 10 +-
106589 fs/lockd/clntproc.c | 4 +-
106590 fs/locks.c | 8 +-
106591 fs/namei.c | 15 +-
106592 fs/namespace.c | 2 +-
106593 fs/nfs/callback_xdr.c | 2 +-
106594 fs/nfs/inode.c | 6 +-
106595 fs/nfsd/nfs4proc.c | 2 +-
106596 fs/nfsd/nfs4xdr.c | 6 +-
106597 fs/nfsd/nfscache.c | 8 +-
106598 fs/nfsd/vfs.c | 6 +-
106599 fs/nls/nls_base.c | 18 +-
106600 fs/nls/nls_euc-jp.c | 6 +-
106601 fs/nls/nls_koi8-ru.c | 6 +-
106602 fs/notify/fanotify/fanotify_user.c | 4 +-
106603 fs/notify/notification.c | 4 +-
106604 fs/ntfs/dir.c | 2 +-
106605 fs/ntfs/file.c | 4 +-
106606 fs/ocfs2/localalloc.c | 2 +-
106607 fs/ocfs2/ocfs2.h | 10 +-
106608 fs/ocfs2/suballoc.c | 12 +-
106609 fs/ocfs2/super.c | 20 +-
106610 fs/pipe.c | 33 +-
106611 fs/proc/array.c | 20 +
106612 fs/proc/base.c | 4 +-
106613 fs/proc/kcore.c | 32 +-
106614 fs/proc/meminfo.c | 2 +-
106615 fs/proc/nommu.c | 2 +-
106616 fs/proc/proc_sysctl.c | 18 +-
106617 fs/proc/self.c | 2 +-
106618 fs/proc/task_mmu.c | 39 +-
106619 fs/proc/task_nommu.c | 4 +-
106620 fs/qnx6/qnx6.h | 4 +-
106621 fs/quota/netlink.c | 4 +-
106622 fs/readdir.c | 2 +-
106623 fs/reiserfs/do_balan.c | 2 +-
106624 fs/reiserfs/procfs.c | 2 +-
106625 fs/reiserfs/reiserfs.h | 4 +-
106626 fs/seq_file.c | 2 +-
106627 fs/splice.c | 36 +-
106628 fs/sysfs/bin.c | 6 +-
106629 fs/sysfs/dir.c | 2 +-
106630 fs/sysfs/file.c | 10 +-
106631 fs/sysfs/symlink.c | 2 +-
106632 fs/sysv/sysv.h | 2 +-
106633 fs/ubifs/io.c | 2 +-
106634 fs/udf/misc.c | 2 +-
106635 fs/ufs/swab.h | 4 +-
106636 fs/xattr.c | 21 +
106637 fs/xattr_acl.c | 4 +-
106638 fs/xfs/xfs_bmap.c | 2 +-
106639 fs/xfs/xfs_dir2_sf.c | 10 +-
106640 fs/xfs/xfs_ioctl.c | 2 +-
106641 fs/xfs/xfs_iops.c | 2 +-
106642 include/asm-generic/4level-fixup.h | 2 +
106643 include/asm-generic/atomic-long.h | 210 +
106644 include/asm-generic/atomic.h | 2 +-
106645 include/asm-generic/atomic64.h | 12 +
106646 include/asm-generic/cache.h | 4 +-
106647 include/asm-generic/emergency-restart.h | 2 +-
106648 include/asm-generic/kmap_types.h | 4 +-
106649 include/asm-generic/local.h | 13 +
106650 include/asm-generic/pgtable-nopmd.h | 18 +-
106651 include/asm-generic/pgtable-nopud.h | 15 +-
106652 include/asm-generic/pgtable.h | 8 +
106653 include/asm-generic/vmlinux.lds.h | 10 +-
106654 include/crypto/algapi.h | 2 +-
106655 include/drm/drmP.h | 17 +-
106656 include/drm/drm_crtc_helper.h | 2 +-
106657 include/drm/ttm/ttm_memory.h | 2 +-
106658 include/keys/asymmetric-subtype.h | 2 +-
106659 include/linux/atmdev.h | 4 +-
106660 include/linux/binfmts.h | 3 +-
106661 include/linux/blkdev.h | 2 +-
106662 include/linux/blktrace_api.h | 2 +-
106663 include/linux/cache.h | 4 +
106664 include/linux/cdrom.h | 1 -
106665 include/linux/cleancache.h | 2 +-
106666 include/linux/compat.h | 6 +-
106667 include/linux/compiler-gcc4.h | 20 +
106668 include/linux/compiler.h | 65 +-
106669 include/linux/completion.h | 6 +-
106670 include/linux/configfs.h | 2 +-
106671 include/linux/cpu.h | 2 +-
106672 include/linux/cpufreq.h | 3 +-
106673 include/linux/cpuidle.h | 5 +-
106674 include/linux/cpumask.h | 12 +-
106675 include/linux/crypto.h | 6 +-
106676 include/linux/ctype.h | 2 +-
106677 include/linux/decompress/mm.h | 2 +-
106678 include/linux/devfreq.h | 2 +-
106679 include/linux/device.h | 7 +-
106680 include/linux/dma-mapping.h | 2 +-
106681 include/linux/dmaengine.h | 4 +-
106682 include/linux/efi.h | 1 +
106683 include/linux/elf.h | 2 +
106684 include/linux/err.h | 4 +-
106685 include/linux/extcon.h | 2 +-
106686 include/linux/fb.h | 2 +-
106687 include/linux/filter.h | 4 +
106688 include/linux/frontswap.h | 2 +-
106689 include/linux/fs.h | 3 +-
106690 include/linux/fs_struct.h | 2 +-
106691 include/linux/fscache-cache.h | 4 +-
106692 include/linux/fscache.h | 2 +-
106693 include/linux/fsnotify.h | 2 +-
106694 include/linux/ftrace_event.h | 2 +-
106695 include/linux/genhd.h | 2 +-
106696 include/linux/genl_magic_func.h | 2 +-
106697 include/linux/gfp.h | 12 +-
106698 include/linux/highmem.h | 12 +
106699 include/linux/hwmon-sysfs.h | 5 +-
106700 include/linux/i2c.h | 1 +
106701 include/linux/i2o.h | 2 +-
106702 include/linux/if_pppox.h | 2 +-
106703 include/linux/init.h | 33 +-
106704 include/linux/init_task.h | 7 +
106705 include/linux/interrupt.h | 8 +-
106706 include/linux/iommu.h | 2 +-
106707 include/linux/ioport.h | 2 +-
106708 include/linux/irq.h | 3 +-
106709 include/linux/irqchip/arm-gic.h | 2 +-
106710 include/linux/key-type.h | 2 +-
106711 include/linux/kgdb.h | 6 +-
106712 include/linux/kobject.h | 3 +-
106713 include/linux/kobject_ns.h | 2 +-
106714 include/linux/kref.h | 2 +-
106715 include/linux/kvm_host.h | 4 +-
106716 include/linux/libata.h | 2 +-
106717 include/linux/list.h | 15 +
106718 include/linux/math64.h | 6 +-
106719 include/linux/mm.h | 110 +-
106720 include/linux/mm_types.h | 20 +
106721 include/linux/mmiotrace.h | 4 +-
106722 include/linux/mmzone.h | 2 +-
106723 include/linux/mod_devicetable.h | 6 +-
106724 include/linux/module.h | 60 +-
106725 include/linux/moduleloader.h | 16 +
106726 include/linux/moduleparam.h | 4 +-
106727 include/linux/namei.h | 6 +-
106728 include/linux/net.h | 2 +-
106729 include/linux/netdevice.h | 3 +-
106730 include/linux/netfilter.h | 2 +-
106731 include/linux/netfilter/ipset/ip_set.h | 2 +-
106732 include/linux/netfilter/nfnetlink.h | 2 +-
106733 include/linux/nls.h | 2 +-
106734 include/linux/notifier.h | 3 +-
106735 include/linux/oprofile.h | 4 +-
106736 include/linux/pci_hotplug.h | 3 +-
106737 include/linux/perf_event.h | 12 +-
106738 include/linux/pipe_fs_i.h | 6 +-
106739 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
106740 include/linux/platform_data/usb-exynos.h | 2 +-
106741 include/linux/pm_domain.h | 2 +-
106742 include/linux/pm_runtime.h | 2 +-
106743 include/linux/pnp.h | 2 +-
106744 include/linux/poison.h | 4 +-
106745 include/linux/power/smartreflex.h | 2 +-
106746 include/linux/ppp-comp.h | 2 +-
106747 include/linux/proc_fs.h | 2 +-
106748 include/linux/random.h | 5 +
106749 include/linux/rculist.h | 16 +
106750 include/linux/reboot.h | 14 +-
106751 include/linux/regset.h | 3 +-
106752 include/linux/relay.h | 2 +-
106753 include/linux/rio.h | 2 +-
106754 include/linux/rmap.h | 4 +-
106755 include/linux/sched.h | 67 +-
106756 include/linux/sched/sysctl.h | 1 +
106757 include/linux/seq_file.h | 1 +
106758 include/linux/skbuff.h | 12 +-
106759 include/linux/slab.h | 36 +-
106760 include/linux/slab_def.h | 33 +-
106761 include/linux/slob_def.h | 4 +-
106762 include/linux/slub_def.h | 10 +-
106763 include/linux/sock_diag.h | 2 +-
106764 include/linux/sonet.h | 2 +-
106765 include/linux/sunrpc/addr.h | 8 +-
106766 include/linux/sunrpc/clnt.h | 2 +-
106767 include/linux/sunrpc/svc.h | 2 +-
106768 include/linux/sunrpc/svc_rdma.h | 18 +-
106769 include/linux/sunrpc/svcauth.h | 2 +-
106770 include/linux/swiotlb.h | 3 +-
106771 include/linux/syscalls.h | 2 +-
106772 include/linux/syscore_ops.h | 2 +-
106773 include/linux/sysctl.h | 6 +-
106774 include/linux/sysfs.h | 10 +-
106775 include/linux/sysrq.h | 3 +-
106776 include/linux/thread_info.h | 7 +
106777 include/linux/tty.h | 4 +-
106778 include/linux/tty_driver.h | 2 +-
106779 include/linux/tty_ldisc.h | 2 +-
106780 include/linux/types.h | 16 +
106781 include/linux/uaccess.h | 6 +-
106782 include/linux/unaligned/access_ok.h | 24 +-
106783 include/linux/usb.h | 4 +-
106784 include/linux/usb/renesas_usbhs.h | 2 +-
106785 include/linux/vermagic.h | 21 +-
106786 include/linux/vmalloc.h | 11 +-
106787 include/linux/vmstat.h | 20 +-
106788 include/linux/xattr.h | 5 +-
106789 include/linux/zlib.h | 3 +-
106790 include/media/v4l2-dev.h | 2 +-
106791 include/media/v4l2-ioctl.h | 1 -
106792 include/net/9p/transport.h | 2 +-
106793 include/net/bluetooth/l2cap.h | 2 +-
106794 include/net/caif/cfctrl.h | 6 +-
106795 include/net/flow.h | 2 +-
106796 include/net/genetlink.h | 2 +-
106797 include/net/gro_cells.h | 2 +-
106798 include/net/inet_connection_sock.h | 2 +-
106799 include/net/inetpeer.h | 8 +-
106800 include/net/ip.h | 2 +-
106801 include/net/ip_fib.h | 2 +-
106802 include/net/ip_vs.h | 8 +-
106803 include/net/irda/ircomm_tty.h | 1 +
106804 include/net/iucv/af_iucv.h | 2 +-
106805 include/net/llc_c_ac.h | 2 +-
106806 include/net/llc_c_ev.h | 4 +-
106807 include/net/llc_c_st.h | 2 +-
106808 include/net/llc_s_ac.h | 2 +-
106809 include/net/llc_s_st.h | 2 +-
106810 include/net/mac80211.h | 2 +-
106811 include/net/neighbour.h | 2 +-
106812 include/net/net_namespace.h | 12 +-
106813 include/net/netdma.h | 2 +-
106814 include/net/netlink.h | 2 +-
106815 include/net/netns/conntrack.h | 6 +-
106816 include/net/netns/ipv4.h | 2 +-
106817 include/net/protocol.h | 4 +-
106818 include/net/rtnetlink.h | 2 +-
106819 include/net/sctp/sctp.h | 6 +-
106820 include/net/sctp/sm.h | 4 +-
106821 include/net/sctp/structs.h | 2 +-
106822 include/net/sock.h | 6 +-
106823 include/net/tcp.h | 8 +-
106824 include/net/xfrm.h | 8 +-
106825 include/rdma/iw_cm.h | 2 +-
106826 include/scsi/libfc.h | 3 +-
106827 include/scsi/scsi_device.h | 6 +-
106828 include/scsi/scsi_transport_fc.h | 3 +-
106829 include/sound/soc.h | 4 +-
106830 include/target/target_core_base.h | 2 +-
106831 include/trace/events/irq.h | 4 +-
106832 include/uapi/linux/a.out.h | 8 +
106833 include/uapi/linux/byteorder/little_endian.h | 28 +-
106834 include/uapi/linux/elf.h | 28 +
106835 include/uapi/linux/screen_info.h | 3 +-
106836 include/uapi/linux/swab.h | 6 +-
106837 include/uapi/linux/sysctl.h | 6 +-
106838 include/uapi/linux/xattr.h | 4 +
106839 include/video/udlfb.h | 8 +-
106840 include/video/uvesafb.h | 1 +
106841 init/Kconfig | 2 +-
106842 init/Makefile | 3 +
106843 init/do_mounts.c | 14 +-
106844 init/do_mounts.h | 8 +-
106845 init/do_mounts_initrd.c | 22 +-
106846 init/do_mounts_md.c | 6 +-
106847 init/init_task.c | 4 +
106848 init/initramfs.c | 40 +-
106849 init/main.c | 77 +-
106850 ipc/ipc_sysctl.c | 10 +-
106851 ipc/mq_sysctl.c | 2 +-
106852 ipc/msg.c | 11 +-
106853 ipc/sem.c | 11 +-
106854 ipc/shm.c | 17 +-
106855 kernel/acct.c | 2 +-
106856 kernel/audit.c | 8 +-
106857 kernel/auditsc.c | 4 +-
106858 kernel/capability.c | 3 +
106859 kernel/compat.c | 40 +-
106860 kernel/debug/debug_core.c | 16 +-
106861 kernel/debug/kdb/kdb_main.c | 4 +-
106862 kernel/events/core.c | 28 +-
106863 kernel/exit.c | 4 +-
106864 kernel/fork.c | 167 +-
106865 kernel/futex.c | 9 +
106866 kernel/futex_compat.c | 2 +-
106867 kernel/gcov/base.c | 7 +-
106868 kernel/hrtimer.c | 4 +-
106869 kernel/irq_work.c | 7 +-
106870 kernel/jump_label.c | 5 +
106871 kernel/kallsyms.c | 39 +-
106872 kernel/kexec.c | 3 +-
106873 kernel/kmod.c | 4 +-
106874 kernel/kprobes.c | 8 +-
106875 kernel/ksysfs.c | 2 +-
106876 kernel/lockdep.c | 7 +-
106877 kernel/module.c | 337 +-
106878 kernel/mutex-debug.c | 12 +-
106879 kernel/mutex-debug.h | 4 +-
106880 kernel/mutex.c | 7 +-
106881 kernel/notifier.c | 17 +-
106882 kernel/panic.c | 3 +-
106883 kernel/pid.c | 2 +-
106884 kernel/pid_namespace.c | 2 +-
106885 kernel/posix-cpu-timers.c | 4 +-
106886 kernel/posix-timers.c | 20 +-
106887 kernel/power/process.c | 12 +-
106888 kernel/profile.c | 14 +-
106889 kernel/ptrace.c | 8 +-
106890 kernel/rcupdate.c | 4 +-
106891 kernel/rcutiny.c | 4 +-
106892 kernel/rcutiny_plugin.h | 2 +-
106893 kernel/rcutorture.c | 56 +-
106894 kernel/rcutree.c | 68 +-
106895 kernel/rcutree.h | 24 +-
106896 kernel/rcutree_plugin.h | 20 +-
106897 kernel/rcutree_trace.c | 22 +-
106898 kernel/rtmutex-tester.c | 24 +-
106899 kernel/sched/auto_group.c | 4 +-
106900 kernel/sched/core.c | 51 +-
106901 kernel/sched/fair.c | 4 +-
106902 kernel/signal.c | 12 +-
106903 kernel/smp.c | 2 +-
106904 kernel/smpboot.c | 4 +-
106905 kernel/softirq.c | 18 +-
106906 kernel/srcu.c | 4 +-
106907 kernel/sys.c | 10 +-
106908 kernel/sysctl.c | 39 +-
106909 kernel/time.c | 2 +-
106910 kernel/time/alarmtimer.c | 2 +-
106911 kernel/time/tick-broadcast.c | 2 +-
106912 kernel/time/timer_stats.c | 10 +-
106913 kernel/timer.c | 6 +-
106914 kernel/trace/blktrace.c | 6 +-
106915 kernel/trace/ftrace.c | 20 +-
106916 kernel/trace/ring_buffer.c | 76 +-
106917 kernel/trace/trace.c | 8 +-
106918 kernel/trace/trace.h | 2 +-
106919 kernel/trace/trace_events.c | 25 +-
106920 kernel/trace/trace_mmiotrace.c | 8 +-
106921 kernel/trace/trace_output.c | 12 +-
106922 kernel/trace/trace_stack.c | 2 +-
106923 kernel/user_namespace.c | 2 +-
106924 kernel/utsname_sysctl.c | 2 +-
106925 kernel/watchdog.c | 2 +-
106926 lib/Kconfig.debug | 6 +-
106927 lib/Makefile | 2 +-
106928 lib/bitmap.c | 8 +-
106929 lib/bug.c | 2 +
106930 lib/debugobjects.c | 2 +-
106931 lib/devres.c | 4 +-
106932 lib/div64.c | 4 +-
106933 lib/dma-debug.c | 4 +-
106934 lib/inflate.c | 2 +-
106935 lib/ioremap.c | 4 +-
106936 lib/kobject.c | 4 +-
106937 lib/list_debug.c | 126 +-
106938 lib/radix-tree.c | 2 +-
106939 lib/strncpy_from_user.c | 2 +-
106940 lib/strnlen_user.c | 2 +-
106941 lib/swiotlb.c | 2 +-
106942 lib/vsprintf.c | 12 +-
106943 mm/Kconfig | 6 +-
106944 mm/filemap.c | 2 +-
106945 mm/fremap.c | 5 +
106946 mm/highmem.c | 7 +-
106947 mm/hugetlb.c | 70 +-
106948 mm/internal.h | 1 +
106949 mm/maccess.c | 4 +-
106950 mm/madvise.c | 41 +
106951 mm/memory-failure.c | 26 +-
106952 mm/memory.c | 424 ++-
106953 mm/mempolicy.c | 26 +
106954 mm/mlock.c | 16 +-
106955 mm/mmap.c | 576 ++-
106956 mm/mprotect.c | 139 +-
106957 mm/mremap.c | 44 +-
106958 mm/nommu.c | 21 +-
106959 mm/page-writeback.c | 4 +-
106960 mm/page_alloc.c | 41 +-
106961 mm/percpu.c | 2 +-
106962 mm/process_vm_access.c | 14 +-
106963 mm/rmap.c | 38 +-
106964 mm/shmem.c | 19 +-
106965 mm/slab.c | 105 +-
106966 mm/slab.h | 5 +-
106967 mm/slab_common.c | 11 +-
106968 mm/slob.c | 201 +-
106969 mm/slub.c | 99 +-
106970 mm/sparse-vmemmap.c | 4 +-
106971 mm/sparse.c | 2 +-
106972 mm/swap.c | 3 +
106973 mm/swapfile.c | 12 +-
106974 mm/util.c | 6 +
106975 mm/vmalloc.c | 82 +-
106976 mm/vmstat.c | 12 +-
106977 net/8021q/vlan.c | 5 +-
106978 net/9p/mod.c | 4 +-
106979 net/9p/trans_fd.c | 2 +-
106980 net/atm/atm_misc.c | 8 +-
106981 net/atm/lec.h | 2 +-
106982 net/atm/proc.c | 6 +-
106983 net/atm/resources.c | 4 +-
106984 net/ax25/sysctl_net_ax25.c | 2 +-
106985 net/batman-adv/bat_iv_ogm.c | 8 +-
106986 net/batman-adv/hard-interface.c | 4 +-
106987 net/batman-adv/soft-interface.c | 4 +-
106988 net/batman-adv/types.h | 6 +-
106989 net/batman-adv/unicast.c | 2 +-
106990 net/bluetooth/hci_sock.c | 2 +-
106991 net/bluetooth/l2cap_core.c | 6 +-
106992 net/bluetooth/l2cap_sock.c | 12 +-
106993 net/bluetooth/rfcomm/sock.c | 4 +-
106994 net/bluetooth/rfcomm/tty.c | 10 +-
106995 net/bridge/netfilter/ebtables.c | 6 +-
106996 net/caif/cfctrl.c | 11 +-
106997 net/can/af_can.c | 2 +-
106998 net/can/gw.c | 6 +-
106999 net/compat.c | 34 +-
107000 net/core/datagram.c | 2 +-
107001 net/core/dev.c | 16 +-
107002 net/core/flow.c | 8 +-
107003 net/core/iovec.c | 4 +-
107004 net/core/neighbour.c | 2 +-
107005 net/core/net-sysfs.c | 2 +-
107006 net/core/net_namespace.c | 8 +-
107007 net/core/rtnetlink.c | 13 +-
107008 net/core/scm.c | 8 +-
107009 net/core/sock.c | 24 +-
107010 net/core/sock_diag.c | 9 +-
107011 net/core/sysctl_net_core.c | 18 +-
107012 net/decnet/af_decnet.c | 1 +
107013 net/decnet/sysctl_net_decnet.c | 4 +-
107014 net/ipv4/af_inet.c | 8 +-
107015 net/ipv4/ah4.c | 2 +-
107016 net/ipv4/devinet.c | 14 +-
107017 net/ipv4/esp4.c | 2 +-
107018 net/ipv4/fib_frontend.c | 6 +-
107019 net/ipv4/fib_semantics.c | 2 +-
107020 net/ipv4/inet_connection_sock.c | 2 +-
107021 net/ipv4/inetpeer.c | 4 +-
107022 net/ipv4/ip_fragment.c | 15 +-
107023 net/ipv4/ip_gre.c | 6 +-
107024 net/ipv4/ip_sockglue.c | 2 +-
107025 net/ipv4/ip_vti.c | 4 +-
107026 net/ipv4/ipcomp.c | 2 +-
107027 net/ipv4/ipconfig.c | 6 +-
107028 net/ipv4/ipip.c | 4 +-
107029 net/ipv4/netfilter/arp_tables.c | 12 +-
107030 net/ipv4/netfilter/ip_tables.c | 12 +-
107031 net/ipv4/ping.c | 2 +-
107032 net/ipv4/raw.c | 14 +-
107033 net/ipv4/route.c | 18 +-
107034 net/ipv4/sysctl_net_ipv4.c | 45 +-
107035 net/ipv4/tcp_input.c | 2 +-
107036 net/ipv4/tcp_probe.c | 2 +-
107037 net/ipv4/udp.c | 10 +-
107038 net/ipv4/xfrm4_policy.c | 14 +-
107039 net/ipv6/addrconf.c | 6 +-
107040 net/ipv6/icmp.c | 2 +-
107041 net/ipv6/ip6_gre.c | 8 +-
107042 net/ipv6/ip6_tunnel.c | 4 +-
107043 net/ipv6/ipv6_sockglue.c | 2 +-
107044 net/ipv6/netfilter/ip6_tables.c | 12 +-
107045 net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
107046 net/ipv6/raw.c | 19 +-
107047 net/ipv6/reassembly.c | 13 +-
107048 net/ipv6/route.c | 2 +-
107049 net/ipv6/sit.c | 4 +-
107050 net/ipv6/sysctl_net_ipv6.c | 2 +-
107051 net/ipv6/udp.c | 8 +-
107052 net/ipv6/xfrm6_policy.c | 13 +-
107053 net/irda/ircomm/ircomm_tty.c | 18 +-
107054 net/iucv/af_iucv.c | 4 +-
107055 net/iucv/iucv.c | 2 +-
107056 net/key/af_key.c | 4 +-
107057 net/mac80211/cfg.c | 8 +-
107058 net/mac80211/ieee80211_i.h | 3 +-
107059 net/mac80211/iface.c | 14 +-
107060 net/mac80211/main.c | 2 +-
107061 net/mac80211/pm.c | 6 +-
107062 net/mac80211/rate.c | 2 +-
107063 net/mac80211/rc80211_pid_debugfs.c | 2 +-
107064 net/mac80211/util.c | 2 +-
107065 net/netfilter/ipset/ip_set_core.c | 2 +-
107066 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
107067 net/netfilter/ipvs/ip_vs_core.c | 4 +-
107068 net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
107069 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
107070 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
107071 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
107072 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
107073 net/netfilter/nf_conntrack_acct.c | 2 +-
107074 net/netfilter/nf_conntrack_ecache.c | 2 +-
107075 net/netfilter/nf_conntrack_helper.c | 2 +-
107076 net/netfilter/nf_conntrack_proto.c | 2 +-
107077 net/netfilter/nf_conntrack_standalone.c | 2 +-
107078 net/netfilter/nf_conntrack_timestamp.c | 2 +-
107079 net/netfilter/nf_log.c | 10 +-
107080 net/netfilter/nf_sockopt.c | 4 +-
107081 net/netfilter/nfnetlink_log.c | 4 +-
107082 net/netfilter/xt_statistic.c | 8 +-
107083 net/netlink/af_netlink.c | 4 +-
107084 net/netlink/genetlink.c | 16 +-
107085 net/packet/af_packet.c | 12 +-
107086 net/phonet/pep.c | 6 +-
107087 net/phonet/socket.c | 2 +-
107088 net/phonet/sysctl.c | 2 +-
107089 net/rds/cong.c | 6 +-
107090 net/rds/ib.h | 2 +-
107091 net/rds/ib_cm.c | 2 +-
107092 net/rds/ib_recv.c | 4 +-
107093 net/rds/iw.h | 2 +-
107094 net/rds/iw_cm.c | 2 +-
107095 net/rds/iw_recv.c | 4 +-
107096 net/rds/rds.h | 2 +-
107097 net/rds/tcp.c | 2 +-
107098 net/rds/tcp_send.c | 2 +-
107099 net/rxrpc/af_rxrpc.c | 2 +-
107100 net/rxrpc/ar-ack.c | 14 +-
107101 net/rxrpc/ar-call.c | 2 +-
107102 net/rxrpc/ar-connection.c | 2 +-
107103 net/rxrpc/ar-connevent.c | 2 +-
107104 net/rxrpc/ar-input.c | 4 +-
107105 net/rxrpc/ar-internal.h | 8 +-
107106 net/rxrpc/ar-local.c | 2 +-
107107 net/rxrpc/ar-output.c | 4 +-
107108 net/rxrpc/ar-peer.c | 2 +-
107109 net/rxrpc/ar-proc.c | 4 +-
107110 net/rxrpc/ar-transport.c | 2 +-
107111 net/rxrpc/rxkad.c | 4 +-
107112 net/sctp/ipv6.c | 6 +-
107113 net/sctp/protocol.c | 10 +-
107114 net/sctp/sm_sideeffect.c | 2 +-
107115 net/sctp/socket.c | 21 +-
107116 net/sctp/sysctl.c | 4 +-
107117 net/socket.c | 18 +-
107118 net/sunrpc/clnt.c | 4 +-
107119 net/sunrpc/sched.c | 4 +-
107120 net/sunrpc/svc.c | 4 +-
107121 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
107122 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
107123 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
107124 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
107125 net/tipc/link.c | 6 +-
107126 net/tipc/msg.c | 2 +-
107127 net/tipc/subscr.c | 2 +-
107128 net/unix/sysctl_net_unix.c | 2 +-
107129 net/wireless/wext-core.c | 19 +-
107130 net/xfrm/xfrm_policy.c | 27 +-
107131 net/xfrm/xfrm_state.c | 29 +-
107132 net/xfrm/xfrm_sysctl.c | 2 +-
107133 scripts/Makefile.build | 2 +-
107134 scripts/Makefile.clean | 3 +-
107135 scripts/Makefile.host | 28 +-
107136 scripts/basic/fixdep.c | 12 +-
107137 scripts/gcc-plugin.sh | 17 +
107138 scripts/headers_install.pl | 1 +
107139 scripts/link-vmlinux.sh | 2 +-
107140 scripts/mod/file2alias.c | 14 +-
107141 scripts/mod/modpost.c | 25 +-
107142 scripts/mod/modpost.h | 6 +-
107143 scripts/mod/sumversion.c | 2 +-
107144 scripts/package/builddeb | 1 +
107145 scripts/pnmtologo.c | 6 +-
107146 scripts/sortextable.h | 6 +-
107147 security/Kconfig | 675 +++-
107148 security/apparmor/lsm.c | 2 +-
107149 security/integrity/ima/ima.h | 4 +-
107150 security/integrity/ima/ima_api.c | 2 +-
107151 security/integrity/ima/ima_fs.c | 4 +-
107152 security/integrity/ima/ima_queue.c | 2 +-
107153 security/keys/compat.c | 2 +-
107154 security/keys/key.c | 18 +-
107155 security/keys/keyctl.c | 8 +-
107156 security/keys/keyring.c | 6 +-
107157 security/security.c | 9 +-
107158 security/selinux/hooks.c | 2 +-
107159 security/selinux/include/xfrm.h | 2 +-
107160 security/smack/smack_lsm.c | 2 +-
107161 security/tomoyo/tomoyo.c | 2 +-
107162 security/yama/yama_lsm.c | 22 +-
107163 sound/aoa/codecs/onyx.c | 7 +-
107164 sound/aoa/codecs/onyx.h | 1 +
107165 sound/core/oss/pcm_oss.c | 18 +-
107166 sound/core/pcm_compat.c | 2 +-
107167 sound/core/pcm_native.c | 4 +-
107168 sound/core/seq/seq_device.c | 8 +-
107169 sound/drivers/mts64.c | 14 +-
107170 sound/drivers/opl4/opl4_lib.c | 2 +-
107171 sound/drivers/portman2x4.c | 3 +-
107172 sound/firewire/amdtp.c | 4 +-
107173 sound/firewire/amdtp.h | 2 +-
107174 sound/firewire/isight.c | 10 +-
107175 sound/firewire/scs1x.c | 8 +-
107176 sound/oss/sb_audio.c | 2 +-
107177 sound/oss/swarm_cs4297a.c | 6 +-
107178 sound/pci/ymfpci/ymfpci.h | 2 +-
107179 sound/pci/ymfpci/ymfpci_main.c | 12 +-
107180 tools/gcc/.gitignore | 1 +
107181 tools/gcc/Makefile | 45 +
107182 tools/gcc/checker_plugin.c | 171 +
107183 tools/gcc/colorize_plugin.c | 151 +
107184 tools/gcc/constify_plugin.c | 518 ++
107185 tools/gcc/generate_size_overflow_hash.sh | 94 +
107186 tools/gcc/kallocstat_plugin.c | 170 +
107187 tools/gcc/kernexec_plugin.c | 465 ++
107188 tools/gcc/latent_entropy_plugin.c | 327 ++
107189 tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++
107190 tools/gcc/size_overflow_plugin.c | 2114 ++++++++
107191 tools/gcc/stackleak_plugin.c | 327 ++
107192 tools/gcc/structleak_plugin.c | 276 +
107193 tools/perf/util/include/asm/alternative-asm.h | 3 +
107194 tools/perf/util/include/linux/compiler.h | 8 +
107195 virt/kvm/kvm_main.c | 32 +-
107196 1555 files changed, 30474 insertions(+), 7126 deletions(-)
107197commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
107198Merge: 0949bd4 fc53d63
107199Author: Brad Spengler <spender@grsecurity.net>
107200Date: Thu Mar 22 19:03:44 2012 -0400
107201
107202 Merge branch 'pax-test' into grsec-test
107203
107204commit fc53d6338964741b368070ec5c935bc579b8c2a6
107205Author: Brad Spengler <spender@grsecurity.net>
107206Date: Thu Mar 22 19:02:45 2012 -0400
107207
107208 Update to pax-linux-3.2.12-test33.patch
107209
107210commit 0949bd46a6455b308f66ad7c993bfee62412db35
107211Author: Brad Spengler <spender@grsecurity.net>
107212Date: Thu Mar 22 16:56:09 2012 -0400
107213
107214 Use current_umask() instead of current->fs->umask
107215
107216commit 22f6432d0fe733619cfcb523782ed7d80c46d645
107217Author: Brad Spengler <spender@grsecurity.net>
107218Date: Wed Mar 21 19:42:42 2012 -0400
107219
107220 compile fix
107221
107222commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
107223Author: Brad Spengler <spender@grsecurity.net>
107224Date: Wed Mar 21 19:34:56 2012 -0400
107225
107226 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
107227 uses of domains with particular hash collisions
107228
107229commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
107230Author: Brad Spengler <spender@grsecurity.net>
107231Date: Tue Mar 20 20:25:49 2012 -0400
107232
107233 zero kernel_role
107234
107235commit b00953b43c69238d181d21121ef1577c988d5f6b
107236Author: Brad Spengler <spender@grsecurity.net>
107237Date: Tue Mar 20 19:29:34 2012 -0400
107238
107239 zero real_root after releasing it
107240
107241commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
107242Merge: b724f59 273f98e
107243Author: Brad Spengler <spender@grsecurity.net>
107244Date: Tue Mar 20 19:11:26 2012 -0400
107245
107246 Merge branch 'pax-test' into grsec-test
107247
107248commit 273f98e58cdac555d3b5dce5c1ca168349f95878
107249Author: Brad Spengler <spender@grsecurity.net>
107250Date: Tue Mar 20 19:10:52 2012 -0400
107251
107252 Temporary workaround for (most) size_overflow plugin false-positives
107253 Increase randomization for brk-managed heap to 21 bits
107254 Update to pax-linux-3.2.12-test32.patch
107255
107256commit b724f59125304460c2af8bd4b02921993afbb5d3
107257Author: Brad Spengler <spender@grsecurity.net>
107258Date: Tue Mar 20 18:58:53 2012 -0400
107259
107260 compile fix
107261
107262commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
107263Author: Brad Spengler <spender@grsecurity.net>
107264Date: Tue Mar 20 18:52:23 2012 -0400
107265
107266 Require default and kernel role
107267
107268commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
107269Author: Brad Spengler <spender@grsecurity.net>
107270Date: Tue Mar 20 18:47:28 2012 -0400
107271
107272 Allow policies without special roles
107273 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
107274
107275commit 402ec3d24d66d38403dc543c84851f5e72d39e22
107276Merge: 8e012dc f14661a
107277Author: Brad Spengler <spender@grsecurity.net>
107278Date: Mon Mar 19 18:06:59 2012 -0400
107279
107280 Merge branch 'pax-test' into grsec-test
107281
107282 Conflicts:
107283 fs/namei.c
107284
107285commit f14661aaf202155c97f66626cea0269017bb7775
107286Merge: eae671f 058b017
107287Author: Brad Spengler <spender@grsecurity.net>
107288Date: Mon Mar 19 18:05:44 2012 -0400
107289
107290 Merge branch 'linux-3.2.y' into pax-test
107291
107292commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
107293Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
107294Date: Fri Mar 16 17:08:39 2012 -0700
107295
107296 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
107297
107298 According to the report from Slicky Devil, nilfs caused kernel oops at
107299 nilfs_load_super_block function during mount after he shrank the
107300 partition without resizing the filesystem:
107301
107302 BUG: unable to handle kernel NULL pointer dereference at 00000048
107303 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
107304 *pde = 00000000
107305 Oops: 0000 [#1] PREEMPT SMP
107306 ...
107307 Call Trace:
107308 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
107309 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
107310 [<c0226636>] mount_fs+0x36/0x180
107311 [<c023d961>] vfs_kern_mount+0x51/0xa0
107312 [<c023ddae>] do_kern_mount+0x3e/0xe0
107313 [<c023f189>] do_mount+0x169/0x700
107314 [<c023fa9b>] sys_mount+0x6b/0xa0
107315 [<c04abd1f>] sysenter_do_call+0x12/0x28
107316 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
107317 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
107318 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
107319 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
107320 CR2: 0000000000000048
107321
107322 This turned out due to a defect in an error path which runs if the
107323 calculated location of the secondary super block was invalid.
107324
107325 This patch fixes it and eliminates the reported oops.
107326
107327 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
107328 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
107329 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
107330 Cc: <stable@vger.kernel.org> [2.6.30+]
107331 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
107332 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107333
107334commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
107335Author: Haogang Chen <haogangchen@gmail.com>
107336Date: Fri Mar 16 17:08:38 2012 -0700
107337
107338 nilfs2: clamp ns_r_segments_percentage to [1, 99]
107339
107340 ns_r_segments_percentage is read from the disk. Bogus or malicious
107341 value could cause integer overflow and malfunction due to meaningless
107342 disk usage calculation. This patch reports error when mounting such
107343 bogus volumes.
107344
107345 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
107346 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
107347 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
107348 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107349
107350commit e1a90645643f9b0194a5984ec8febd06360d5c8b
107351Author: Eric Dumazet <eric.dumazet@gmail.com>
107352Date: Sat Mar 10 09:20:21 2012 +0000
107353
107354 tcp: fix syncookie regression
107355
107356 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
107357 added a serious regression on synflood handling.
107358
107359 Simon Kirby discovered a successful connection was delayed by 20 seconds
107360 before being responsive.
107361
107362 In my tests, I discovered that xmit frames were lost, and needed ~4
107363 retransmits and a socket dst rebuild before being really sent.
107364
107365 In case of syncookie initiated connection, we use a different path to
107366 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
107367
107368 As ip_queue_xmit() now depends on inet flow being setup, fix this by
107369 copying the temp flowi4 we use in cookie_v4_check().
107370
107371 Reported-by: Simon Kirby <sim@netnation.com>
107372 Bisected-by: Simon Kirby <sim@netnation.com>
107373 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
107374 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
107375 Signed-off-by: David S. Miller <davem@davemloft.net>
107376
107377commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
107378Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
107379Date: Mon Mar 12 02:59:41 2012 +0000
107380
107381 tun: don't hold network namespace by tun sockets
107382
107383 v3: added previously removed sock_put() to the tun_release() callback, because
107384 sk_release_kernel() doesn't drop the socket reference.
107385
107386 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
107387 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
107388 call.
107389
107390 TUN was designed to destroy it's socket on network namesapce shutdown. But this
107391 will never happen for persistent device, because it's socket holds network
107392 namespace.
107393 This patch removes of holding network namespace by TUN socket and replaces it
107394 by creating socket in init_net and then changing it's net it to desired one. On
107395 shutdown socket is moved back to init_net prior to final put.
107396
107397 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
107398 Signed-off-by: David S. Miller <davem@davemloft.net>
107399
107400commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
107401Author: Tyler Hicks <tyhicks@canonical.com>
107402Date: Mon Dec 12 10:02:30 2011 -0600
107403
107404 vfs: Correctly set the dir i_mutex lockdep class
107405
107406 9a7aa12f3911853a introduced additional logic around setting the i_mutex
107407 lockdep class for directory inodes. The idea was that some filesystems
107408 may want their own special lockdep class for different directory
107409 inodes and calling unlock_new_inode() should not clobber one of
107410 those special classes.
107411
107412 I believe that the added conditional, around the *negated* return value
107413 of lockdep_match_class(), caused directory inodes to be placed in the
107414 wrong lockdep class.
107415
107416 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
107417 all inodes. If the filesystem did not change the class during inode
107418 initialization, then the conditional mentioned above was false and the
107419 directory inode was incorrectly left in the non-directory lockdep class.
107420 If the filesystem did set a special lockdep class, then the conditional
107421 mentioned above was true and that class was clobbered with
107422 i_mutex_dir_key.
107423
107424 This patch removes the negation from the conditional so that the i_mutex
107425 lockdep class is properly set for directory inodes. Special classes are
107426 preserved and directory inodes with unmodified classes are set with
107427 i_mutex_dir_key.
107428
107429 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
107430 Reviewed-by: Jan Kara <jack@suse.cz>
107431 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107432
107433commit 603590b0d2eca61ce26499eac9c563bc567a18c9
107434Author: Jan Kara <jack@suse.cz>
107435Date: Mon Feb 20 17:54:00 2012 +0100
107436
107437 udf: Fix deadlock in udf_release_file()
107438
107439 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
107440 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
107441 i_mutex is not needed in udf_release_file() anymore since protection by
107442 i_data_sem is enough to protect from races with write and truncate.
107443
107444 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
107445 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
107446 Signed-off-by: Jan Kara <jack@suse.cz>
107447 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107448
107449commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
107450Author: Miklos Szeredi <mszeredi@suse.cz>
107451Date: Tue Mar 6 13:56:33 2012 +0100
107452
107453 vfs: fix double put after complete_walk()
107454
107455 complete_walk() already puts nd->path, no need to do it again at cleanup time.
107456
107457 This would result in Oopses if triggered, apparently the codepath is not too
107458 well exercised.
107459
107460 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
107461 CC: stable@vger.kernel.org
107462 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107463
107464commit 13885ba2b18400f3ef6540497d30f1af896605e5
107465Author: Miklos Szeredi <mszeredi@suse.cz>
107466Date: Tue Mar 6 13:56:34 2012 +0100
107467
107468 vfs: fix return value from do_last()
107469
107470 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
107471 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
107472 which is complete nonsense.
107473
107474 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
107475 CC: stable@vger.kernel.org
107476 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107477
107478 Conflicts:
107479
107480 fs/namei.c
107481
107482commit f5ab7572c99ffb58953eb1070622307e904c3b7f
107483Author: Al Viro <viro@zeniv.linux.org.uk>
107484Date: Sat Mar 10 17:07:28 2012 -0500
107485
107486 restore smp_mb() in unlock_new_inode()
107487
107488 wait_on_inode() doesn't have ->i_lock
107489
107490 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107491
107492commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
107493Author: David S. Miller <davem@davemloft.net>
107494Date: Tue Mar 13 18:19:51 2012 -0700
107495
107496 sparc32: Add -Av8 to assembler command line.
107497
107498 Newer version of binutils are more strict about specifying the
107499 correct options to enable certain classes of instructions.
107500
107501 The sparc32 build is done for v7 in order to support sun4c systems
107502 which lack hardware integer multiply and divide instructions.
107503
107504 So we have to pass -Av8 when building the assembler routines that
107505 use these instructions and get patched into the kernel when we find
107506 out that we have a v8 capable cpu.
107507
107508 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
107509 Signed-off-by: David S. Miller <davem@davemloft.net>
107510
107511commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
107512Author: Thomas Gleixner <tglx@linutronix.de>
107513Date: Fri Mar 9 20:55:10 2012 +0100
107514
107515 x86: Derandom delay_tsc for 64 bit
107516
107517 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
107518 delay_tsc() into a random delay generator for 64 bit. The reason is
107519 that it merged the mostly identical versions of delay_32.c and
107520 delay_64.c. Though the subtle difference of the result was:
107521
107522 static void delay_tsc(unsigned long loops)
107523 {
107524 - unsigned bclock, now;
107525 + unsigned long bclock, now;
107526
107527 Now the function uses rdtscl() which returns the lower 32bit of the
107528 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
107529 bit this fails when the lower 32bit are close to wrap around when
107530 bclock is read, because the following check
107531
107532 if ((now - bclock) >= loops)
107533 break;
107534
107535 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
107536 because the unsigned long (now - bclock) of these values results in
107537 0xffffffff00000001 which is definitely larger than the loops
107538 value. That explains Tvortkos observation:
107539
107540 "Because I am seeing udelay(500) (_occasionally_) being short, and
107541 that by delaying for some duration between 0us (yep) and 491us."
107542
107543 Make those variables explicitely u32 again, so this works for both 32
107544 and 64 bit.
107545
107546 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
107547 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
107548 Cc: stable@vger.kernel.org # >= 2.6.27
107549 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107550
107551commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
107552Author: Al Viro <viro@ZenIV.linux.org.uk>
107553Date: Thu Mar 8 17:51:19 2012 +0000
107554
107555 aio: fix the "too late munmap()" race
107556
107557 Current code has put_ioctx() called asynchronously from aio_fput_routine();
107558 that's done *after* we have killed the request that used to pin ioctx,
107559 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
107560 from progressing. As the result, we can end up with async call of
107561 put_ioctx() being the last one and possibly happening during exit_mmap()
107562 or elf_core_dump(), neither of which expects stray munmap() being done
107563 to them...
107564
107565 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
107566 with that, but that's all we care about - neither io_destroy() nor
107567 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
107568 does really_put_req(), so the ioctx teardown won't be done until then
107569 and we don't care about the contents of ioctx past that point.
107570
107571 Since actual freeing of these suckers is RCU-delayed, we don't need to
107572 bump ioctx refcount when request goes into list for async removal.
107573 All we need is rcu_read_lock held just over the ->ctx_lock-protected
107574 area in aio_fput_routine().
107575
107576 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107577 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
107578 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
107579 Cc: stable@vger.kernel.org
107580 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107581
107582commit 002124c055afbf09b52226af65621999e8316448
107583Author: Al Viro <viro@ZenIV.linux.org.uk>
107584Date: Wed Mar 7 05:16:35 2012 +0000
107585
107586 aio: fix io_setup/io_destroy race
107587
107588 Have ioctx_alloc() return an extra reference, so that caller would drop it
107589 on success and not bother with re-grabbing it on failure exit. The current
107590 code is obviously broken - io_destroy() from another thread that managed
107591 to guess the address io_setup() would've returned would free ioctx right
107592 under us; gets especially interesting if aio_context_t * we pass to
107593 io_setup() points to PROT_READ mapping, so put_user() fails and we end
107594 up doing io_destroy() on kioctx another thread has just got freed...
107595
107596 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107597 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
107598 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
107599 Cc: stable@vger.kernel.org
107600 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107601
107602commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
107603Author: Dan Carpenter <dan.carpenter@oracle.com>
107604Date: Thu Mar 15 15:17:12 2012 -0700
107605
107606 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
107607
107608 strict_strtoul() writes a long but ->gamma_mode only has space to store an
107609 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
107610 well. I've changed it to use kstrtouint() instead.
107611
107612 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
107613 Acked-by: Inki Dae <inki.dae@samsung.com>
107614 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
107615 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
107616 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107617
107618commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
107619Merge: e4b05b6 eae671f
107620Author: Brad Spengler <spender@grsecurity.net>
107621Date: Fri Mar 16 21:04:27 2012 -0400
107622
107623 Merge branch 'pax-test' into grsec-test
107624
107625 Conflicts:
107626 security/Kconfig
107627
107628commit eae671fafe93f04685c04a089cc13efebc05d600
107629Author: Brad Spengler <spender@grsecurity.net>
107630Date: Fri Mar 16 20:58:01 2012 -0400
107631
107632 Update to pax-linux-3.2.11-test31.patch
107633 Introduction of the size_overflow plugin from Emese Revfy
107634 Many thanks to Emese for her hard work :)
107635
107636commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
107637Merge: e55aa68 258c015
107638Author: Brad Spengler <spender@grsecurity.net>
107639Date: Thu Mar 15 20:59:19 2012 -0400
107640
107641 Merge branch 'pax-test' into grsec-test
107642
107643commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
107644Author: Brad Spengler <spender@grsecurity.net>
107645Date: Thu Mar 15 20:59:05 2012 -0400
107646
107647 fix ARM compilation
107648
107649commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
107650Merge: 8f95ea9 55b7573
107651Author: Brad Spengler <spender@grsecurity.net>
107652Date: Wed Mar 14 19:33:41 2012 -0400
107653
107654 Merge branch 'pax-test' into grsec-test
107655
107656commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
107657Author: Brad Spengler <spender@grsecurity.net>
107658Date: Wed Mar 14 19:33:15 2012 -0400
107659
107660 Update to pax-linux-3.2.10-test28.patch
107661
107662commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
107663Merge: c8786a2 886ac5e
107664Author: Brad Spengler <spender@grsecurity.net>
107665Date: Tue Mar 13 17:38:13 2012 -0400
107666
107667 Merge branch 'pax-test' into grsec-test
107668
107669 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
107670
107671commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
107672Author: Brad Spengler <spender@grsecurity.net>
107673Date: Tue Mar 13 17:37:44 2012 -0400
107674
107675 Update to pax-linux-3.2.10-test26.patch
107676
107677commit c8786a2abed5e5327f68efa520c04db99bb6a63a
107678Merge: 219c982 c061fcf
107679Author: Brad Spengler <spender@grsecurity.net>
107680Date: Tue Mar 13 17:25:06 2012 -0400
107681
107682 Merge branch 'pax-test' into grsec-test
107683
107684commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
107685Merge: 89373d2 3f4b3b2
107686Author: Brad Spengler <spender@grsecurity.net>
107687Date: Tue Mar 13 17:25:02 2012 -0400
107688
107689 Merge branch 'linux-3.2.y' into pax-test
107690
107691commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
107692Merge: 54e19a3 89373d2
107693Author: Brad Spengler <spender@grsecurity.net>
107694Date: Mon Mar 12 17:23:57 2012 -0400
107695
107696 Merge branch 'pax-test' into grsec-test
107697
107698commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
107699Merge: a778588 7459f11
107700Author: Brad Spengler <spender@grsecurity.net>
107701Date: Mon Mar 12 17:23:49 2012 -0400
107702
107703 Merge branch 'linux-3.2.y' into pax-test
107704
107705commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
107706Merge: c4650f1 a778588
107707Author: Brad Spengler <spender@grsecurity.net>
107708Date: Mon Mar 12 16:51:25 2012 -0400
107709
107710 Merge branch 'pax-test' into grsec-test
107711
107712commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
107713Author: Brad Spengler <spender@grsecurity.net>
107714Date: Mon Mar 12 16:51:12 2012 -0400
107715
107716 Update to pax-linux-3.2.9-test24.patch
107717
107718commit c4650f14b13f84735fe3de06a1f3ff5776473eff
107719Merge: fb2abee 1015790
107720Author: Brad Spengler <spender@grsecurity.net>
107721Date: Sun Mar 11 21:08:28 2012 -0400
107722
107723 Merge branch 'pax-test' into grsec-test
107724
107725 Conflicts:
107726 security/Kconfig
107727
107728commit 101579028a736c224e590c7e12a7357018c424e1
107729Author: Brad Spengler <spender@grsecurity.net>
107730Date: Sun Mar 11 21:07:27 2012 -0400
107731
107732 Update to pax-linux-3.2.9-test22.patch
107733
107734commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
107735Author: Brad Spengler <spender@grsecurity.net>
107736Date: Sun Mar 11 11:02:17 2012 -0400
107737
107738 Allow 4096 CPUs
107739
107740commit 96bae28cbe6a41d48e3b56e5904814096e956000
107741Author: Brad Spengler <spender@grsecurity.net>
107742Date: Sun Mar 11 10:25:58 2012 -0400
107743
107744 Use a per-cpu 48-bit counter instead of a global atomic64
107745 Initialize each counter to have the cpu number in the lower 16 bits
107746 instead of incrementing the counter each time by 1, perform the increments
107747 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
107748 any state
107749 idea from PaX Team
107750
107751commit b975688101da6e966aebb1bc6b8c5c5983974f9c
107752Author: Brad Spengler <spender@grsecurity.net>
107753Date: Sat Mar 10 20:33:12 2012 -0500
107754
107755 Special vnsec edition! :)
107756 Further reduce argv/env allowance for suid/sgid apps to 512KB
107757 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
107758 Clear 3GB personality on suid/sgid binaries
107759 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
107760 with the main purpose of throwing off program stack -> arg/env alignment
107761 Update documentation
107762
107763commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
107764Author: Brad Spengler <spender@grsecurity.net>
107765Date: Sat Mar 10 19:54:47 2012 -0500
107766
107767 Resolve skbuff.h warnings that turn into errors during compilation in
107768 the grsecurity directory with -Werror
107769
107770commit 2023210ad43a944033fcacc660ce410888f562ee
107771Merge: ece4383 5f66adf
107772Author: Brad Spengler <spender@grsecurity.net>
107773Date: Fri Mar 9 19:48:01 2012 -0500
107774
107775 Merge branch 'pax-test' into grsec-test
107776
107777commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
107778Author: Brad Spengler <spender@grsecurity.net>
107779Date: Fri Mar 9 19:47:06 2012 -0500
107780
107781 Add colorize plugin
107782
107783commit ece4383e5e91c92d138c4df84225a70b552f4d69
107784Merge: a366d0e ab4a5a1
107785Author: Brad Spengler <spender@grsecurity.net>
107786Date: Fri Mar 9 17:56:46 2012 -0500
107787
107788 Merge branch 'pax-test' into grsec-test
107789
107790commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
107791Author: Brad Spengler <spender@grsecurity.net>
107792Date: Fri Mar 9 17:56:26 2012 -0500
107793
107794 Update to pax-linux-3.2.9-test21.patch
107795
107796commit a366d0ed963ce93fce10121c1100989d5f064e75
107797Author: Mikulas Patocka <mpatocka@redhat.com>
107798Date: Sun Mar 4 19:52:03 2012 -0500
107799
107800 mm: fix find_vma_prev
107801
107802 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
107803 management on PA-RISC.
107804
107805 After application of the patch, programs that allocate big arrays on the
107806 stack crash with segfault, for example, this will crash if compiled
107807 without optimization:
107808
107809 int main()
107810 {
107811 char array[200000];
107812 array[199999] = 0;
107813 return 0;
107814 }
107815
107816 The reason is that PA-RISC has up-growing stack and the stack is usually
107817 the last memory area. In the above example, a page fault happens above
107818 the stack.
107819
107820 Previously, if we passed too high address to find_vma_prev, it returned
107821 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
107822 change, it stores NULL in *pprev. Consequently, the stack area is not
107823 found and it is not expanded, as it used to be before the change.
107824
107825 This patch restores the old behavior and makes it return the last VMA in
107826 *pprev if the requested address is higher than address of any other VMA.
107827
107828 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
107829 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
107830 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107831
107832commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
107833Author: Hugh Dickins <hughd@google.com>
107834Date: Tue Mar 6 12:28:52 2012 -0800
107835
107836 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
107837
107838 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
107839 from shared anonymous: hoist the file case's -EINVAL up for both.
107840
107841 Signed-off-by: Hugh Dickins <hughd@google.com>
107842 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107843
107844commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
107845Author: Al Viro <viro@ZenIV.linux.org.uk>
107846Date: Mon Mar 5 06:38:42 2012 +0000
107847
107848 aout: move setup_arg_pages() prior to reading/mapping the binary
107849
107850 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107851 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107852
107853commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
107854Author: Jan Beulich <JBeulich@suse.com>
107855Date: Mon Mar 5 16:49:24 2012 +0000
107856
107857 vsprintf: make %pV handling compatible with kasprintf()
107858
107859 kasprintf() (and potentially other functions that I didn't run across so
107860 far) want to evaluate argument lists twice. Caring to do so for the
107861 primary list is obviously their job, but they can't reasonably be
107862 expected to check the format string for instances of %pV, which however
107863 need special handling too: On architectures like x86-64 (as opposed to
107864 e.g. ix86), using the same argument list twice doesn't produce the
107865 expected results, as an internally managed cursor gets updated during
107866 the first run.
107867
107868 Fix the problem by always acting on a copy of the original list when
107869 handling %pV.
107870
107871 Signed-off-by: Jan Beulich <jbeulich@suse.com>
107872 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107873
107874commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
107875Author: Al Viro <viro@ZenIV.linux.org.uk>
107876Date: Mon Mar 5 06:39:47 2012 +0000
107877
107878 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
107879
107880 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
107881 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107882
107883commit a831bd53764695ea680cc1fa3c98759a610ed2ac
107884Author: Christian König <deathsimple@vodafone.de>
107885Date: Tue Feb 28 23:19:20 2012 +0100
107886
107887 drm/radeon: fix uninitialized variable
107888
107889 Without this fix the driver randomly treats
107890 textures as arrays and I'm really wondering
107891 why gcc isn't complaining about it.
107892
107893 Signed-off-by: Christian König <deathsimple@vodafone.de>
107894 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
107895 Signed-off-by: Dave Airlie <airlied@redhat.com>
107896
107897commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
107898Author: H. Peter Anvin <hpa@zytor.com>
107899Date: Fri Mar 2 10:43:48 2012 -0800
107900
107901 regset: Prevent null pointer reference on readonly regsets
107902
107903 The regset common infrastructure assumed that regsets would always
107904 have .get and .set methods, but not necessarily .active methods.
107905 Unfortunately people have since written regsets without .set methods.
107906
107907 Rather than putting in stub functions everywhere, handle regsets with
107908 null .get or .set methods explicitly.
107909
107910 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
107911 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
107912 Acked-by: Roland McGrath <roland@hack.frob.com>
107913 Cc: <stable@vger.kernel.org>
107914 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
107915
107916commit 072ddd99401c79b53c6bf6bff9deb93022124c79
107917Author: Brad Spengler <spender@grsecurity.net>
107918Date: Mon Mar 5 18:12:57 2012 -0500
107919
107920 Fix compiler errors reported on forums
107921
107922commit 1606774b48af24e6f99d99c624c0e447d4b66474
107923Merge: 3127bd5 4ca2ffd
107924Author: Brad Spengler <spender@grsecurity.net>
107925Date: Mon Mar 5 17:31:35 2012 -0500
107926
107927 Merge branch 'pax-test' into grsec-test
107928
107929commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
107930Author: Brad Spengler <spender@grsecurity.net>
107931Date: Mon Mar 5 17:31:21 2012 -0500
107932
107933 Update to pax-linux-3.2.9-test20.patch
107934
107935commit 3127bd581a292966b1057c7433219dac188c3720
107936Author: Brad Spengler <spender@grsecurity.net>
107937Date: Fri Mar 2 21:30:37 2012 -0500
107938
107939 Fix memory leak on logged exec_id check failure in /proc/pid/statm
107940 Thanks to Djalal Harouni for the report
107941
107942commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
107943Merge: 0a56be8 9aa8288
107944Author: Brad Spengler <spender@grsecurity.net>
107945Date: Fri Mar 2 18:38:22 2012 -0500
107946
107947 Merge branch 'pax-test' into grsec-test
107948
107949commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
107950Author: Brad Spengler <spender@grsecurity.net>
107951Date: Fri Mar 2 18:37:43 2012 -0500
107952
107953 Update to pax-linux-3.2.9-test19.patch
107954
107955commit 0a56be884bbd7ce733cac0b879c45383494d73b0
107956Merge: 9e66745 3f5c52a
107957Author: Brad Spengler <spender@grsecurity.net>
107958Date: Thu Mar 1 20:18:01 2012 -0500
107959
107960 Merge branch 'pax-test' into grsec-test
107961
107962commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
107963Author: Brad Spengler <spender@grsecurity.net>
107964Date: Thu Mar 1 20:16:56 2012 -0500
107965
107966 Update to pax-linux-3.2.9-test18.patch
107967
107968commit ae53ec231d12719a36bf871f8c5841020ed692ee
107969Merge: b255baf 44fb317
107970Author: Brad Spengler <spender@grsecurity.net>
107971Date: Thu Mar 1 20:15:31 2012 -0500
107972
107973 Merge branch 'linux-3.2.y' into pax-test
107974
107975commit 9e667456c03eadea2f305be761abe4de9a5877a3
107976Merge: 5e4e200 b255baf
107977Author: Brad Spengler <spender@grsecurity.net>
107978Date: Mon Feb 27 20:53:59 2012 -0500
107979
107980 Merge branch 'pax-test' into grsec-test
107981
107982commit b255baf50365d39b406f43aab2c64745607baaa2
107983Merge: 340ce90 1de504e
107984Author: Brad Spengler <spender@grsecurity.net>
107985Date: Mon Feb 27 20:53:29 2012 -0500
107986
107987 Merge branch 'linux-3.2.y' into pax-test
107988 Update to pax-linux-3.2.8-test17.patch
107989
107990 Conflicts:
107991 arch/x86/include/asm/i387.h
107992 arch/x86/kernel/process_32.c
107993 arch/x86/kernel/traps.c
107994
107995commit 5e4e200ac530452884b625cb75de240e1e98c731
107996Merge: 44306d7 340ce90
107997Author: Brad Spengler <spender@grsecurity.net>
107998Date: Mon Feb 27 18:02:13 2012 -0500
107999
108000 Merge branch 'pax-test' into grsec-test
108001
108002commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
108003Author: Brad Spengler <spender@grsecurity.net>
108004Date: Mon Feb 27 18:01:48 2012 -0500
108005
108006 Update to pax-linux-3.2.7-test17.patch
108007
108008commit 44306d7b3097f77e73040dd25f4f6750751bae7a
108009Merge: 29d0b07 521c411
108010Author: Brad Spengler <spender@grsecurity.net>
108011Date: Sun Feb 26 19:04:15 2012 -0500
108012
108013 Merge branch 'pax-test' into grsec-test
108014
108015 Conflicts:
108016 Makefile
108017
108018commit 521c411bb4ca66ce01146fde8bac9dd22414076d
108019Author: Brad Spengler <spender@grsecurity.net>
108020Date: Sun Feb 26 19:03:33 2012 -0500
108021
108022 Update to pax-linux-3.2.7-test16.patch
108023
108024commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
108025Author: Brad Spengler <spender@grsecurity.net>
108026Date: Sun Feb 26 17:12:44 2012 -0500
108027
108028 fix typo
108029
108030commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
108031Merge: f45b3be caa8f83
108032Author: Brad Spengler <spender@grsecurity.net>
108033Date: Sat Feb 25 20:59:27 2012 -0500
108034
108035 Merge branch 'pax-test' into grsec-test
108036
108037commit caa8f83456c4d0b204beefffaa1d1993f2348d08
108038Author: Brad Spengler <spender@grsecurity.net>
108039Date: Sat Feb 25 20:59:12 2012 -0500
108040
108041 Update to pax-linux-3.2.7-test15.patch
108042
108043commit f45b3be34a345502a302e736af9a65742ddef7cb
108044Merge: 62f35fd 9f1309b
108045Author: Brad Spengler <spender@grsecurity.net>
108046Date: Sat Feb 25 11:40:15 2012 -0500
108047
108048 Merge branch 'pax-test' into grsec-test
108049
108050commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
108051Author: Brad Spengler <spender@grsecurity.net>
108052Date: Sat Feb 25 11:39:57 2012 -0500
108053
108054 Update to pax-linux-3.2.7-test14.patch
108055
108056commit 62f35fdbecc58f2988fe13638d907b87a15776bb
108057Author: Brad Spengler <spender@grsecurity.net>
108058Date: Sat Feb 25 09:08:55 2012 -0500
108059
108060 We could log on attempted exploits of writing /proc/self/mem, but the current
108061 log function declares the access a read, so just swap the ordering for now
108062
108063commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
108064Author: Brad Spengler <spender@grsecurity.net>
108065Date: Sat Feb 25 08:46:14 2012 -0500
108066
108067 Log /proc/pid/mem attempts
108068
108069commit 674471e581893a94d475acac3e3c4496209b3ac9
108070Author: Brad Spengler <spender@grsecurity.net>
108071Date: Sat Feb 25 08:15:00 2012 -0500
108072
108073 Make use of f_version for protecting /proc file structs (fine since we're not a directory
108074 or seq_file)
108075
108076commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
108077Author: Brad Spengler <spender@grsecurity.net>
108078Date: Fri Feb 24 20:02:19 2012 -0500
108079
108080 Fix ia64 compilation
108081
108082commit 50dfea412fd395e0183c2ade368efa525d38b267
108083Merge: 12db845 4c6f99b
108084Author: Brad Spengler <spender@grsecurity.net>
108085Date: Fri Feb 24 19:00:53 2012 -0500
108086
108087 Merge branch 'pax-test' into grsec-test
108088
108089commit 4c6f99bf338e03966356b147d0360cb3b522a44f
108090Author: Brad Spengler <spender@grsecurity.net>
108091Date: Fri Feb 24 19:00:36 2012 -0500
108092
108093 (6:57:09 PM) pipacs: but you can be proactive
108094 (Fix other-arch atomic64/REFCOUNT compilation failures)
108095
108096commit 12db8453f6bb0a756f369c9151668ba1249bc478
108097Author: Brad Spengler <spender@grsecurity.net>
108098Date: Thu Feb 23 21:10:12 2012 -0500
108099
108100 Remove unnecessary copies, as suggested by solar
108101
108102commit cc02cab84368467ea03cb35f861a8a7092d91ab4
108103Author: Brad Spengler <spender@grsecurity.net>
108104Date: Thu Feb 23 20:59:35 2012 -0500
108105
108106 Make global_exec_counter static, as suggested by solar
108107
108108commit e642091a475ebb3a30e81f85e7751233d0c2af43
108109Author: Brad Spengler <spender@grsecurity.net>
108110Date: Thu Feb 23 19:00:26 2012 -0500
108111
108112 sync with stable tree
108113
108114commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
108115Author: Brad Spengler <spender@grsecurity.net>
108116Date: Thu Feb 23 18:48:47 2012 -0500
108117
108118 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
108119 Remove handling of old kludge in chmod/fchmod
108120
108121commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
108122Author: Brad Spengler <spender@grsecurity.net>
108123Date: Thu Feb 23 18:18:49 2012 -0500
108124
108125 Apply umask checks to chmod/fchmod as well, as requested by sponsor
108126 Union the enforced umask with the existing one to produce minimal privilege
108127 Change umask type to u16
108128
108129commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
108130Author: Brad Spengler <spender@grsecurity.net>
108131Date: Wed Feb 22 18:16:11 2012 -0500
108132
108133 Add per-role umask enforcement to RBAC, requested by a sponsor
108134
108135commit ad5ac943fe58199f1cc475912a39edb157acb77b
108136Merge: dda0bb5 41722e3
108137Author: Brad Spengler <spender@grsecurity.net>
108138Date: Mon Feb 20 20:04:42 2012 -0500
108139
108140 Merge branch 'pax-test' into grsec-test
108141
108142commit 41722e342e116d95f3d3556d66c97c888d752d39
108143Author: Brad Spengler <spender@grsecurity.net>
108144Date: Mon Feb 20 20:04:00 2012 -0500
108145
108146 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
108147 KERNEXEC plugin
108148
108149commit dda0bb57137846a476a866c60db2681aaf6052c0
108150Merge: 4fd554e d70927a
108151Author: Brad Spengler <spender@grsecurity.net>
108152Date: Mon Feb 20 20:01:41 2012 -0500
108153
108154 Merge branch 'pax-test' into grsec-test
108155
108156commit d70927afec977d489a54c106a3c3ddc32e953050
108157Merge: 1daebf1 9d0231c
108158Author: Brad Spengler <spender@grsecurity.net>
108159Date: Mon Feb 20 20:01:33 2012 -0500
108160
108161 Merge branch 'linux-3.2.y' into pax-test
108162
108163commit 4fd554e3a097b22c5049fcdc423897477deff5ef
108164Author: Brad Spengler <spender@grsecurity.net>
108165Date: Mon Feb 20 09:17:57 2012 -0500
108166
108167 Fix wrong logic on capability checks for switching roles, broke policies
108168 Thanks to Richard Kojedzinszky for reporting
108169
108170commit 12f97d52ac603f24344f8d71569c412a307e9422
108171Author: Brad Spengler <spender@grsecurity.net>
108172Date: Thu Feb 16 21:20:10 2012 -0500
108173
108174 sparc64 compile fix
108175
108176commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
108177Author: Brad Spengler <spender@grsecurity.net>
108178Date: Thu Feb 16 18:38:32 2012 -0500
108179
108180 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
108181
108182commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
108183Author: Brad Spengler <spender@grsecurity.net>
108184Date: Thu Feb 16 18:18:01 2012 -0500
108185
108186 optimize the check a bit
108187
108188commit 03159050f64989be44ae03be769cbed62a7cd2e5
108189Author: Brad Spengler <spender@grsecurity.net>
108190Date: Thu Feb 16 18:00:45 2012 -0500
108191
108192 smile VUPEN :D
108193 (limit argv+env to 1MB for suid/sgid binaries)
108194
108195commit dd759d8800d225a397e4de49fe729c7d601298d2
108196Author: Brad Spengler <spender@grsecurity.net>
108197Date: Thu Feb 16 17:49:33 2012 -0500
108198
108199 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
108200
108201commit 4de635bda8ebfb85312e3bf851bdbff93de400da
108202Author: Brad Spengler <spender@grsecurity.net>
108203Date: Thu Feb 16 17:45:06 2012 -0500
108204
108205 Change the long long type for exec_id to the proper u64
108206
108207commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
108208Author: Dan Carpenter <dan.carpenter@oracle.com>
108209Date: Thu Feb 9 00:46:47 2012 +0000
108210
108211 isdn: type bug in isdn_net_header()
108212
108213 We use len to store the return value from eth_header(). eth_header()
108214 can return -ETH_HLEN (-14). We want to pass this back instead of
108215 truncating it to 65522 and returning that.
108216
108217 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
108218 Acked-by: Neil Horman <nhorman@tuxdriver.com>
108219 Signed-off-by: David S. Miller <davem@davemloft.net>
108220
108221commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
108222Author: Heiko Carstens <heiko.carstens@de.ibm.com>
108223Date: Sat Feb 4 10:47:10 2012 +0100
108224
108225 exec: fix use-after-free bug in setup_new_exec()
108226
108227 Setting the task name is done within setup_new_exec() by accessing
108228 bprm->filename. However this happens after flush_old_exec().
108229 This may result in a use after free bug, flush_old_exec() may
108230 "complete" vfork_done, which will wake up the parent which in turn
108231 may free the passed in filename.
108232 To fix this add a new tcomm field in struct linux_binprm which
108233 contains the now early generated task name until it is used.
108234
108235 Fixes this bug on s390:
108236
108237 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
108238 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
108239 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
108240 Call Trace:
108241 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
108242 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
108243 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
108244 [<0000000000282b6c>] do_execve_common+0x410/0x514
108245 [<0000000000282cb6>] do_execve+0x46/0x58
108246 [<00000000005bce58>] kernel_execve+0x28/0x70
108247 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
108248 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
108249 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
108250 Last Breaking-Event-Address:
108251 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
108252
108253 Kernel panic - not syncing: Fatal exception: panic_on_oops
108254
108255 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
108256 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
108257 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108258
108259commit d758ee9f5230893dabb5aab737b3109684bde196
108260Author: Dan Carpenter <dan.carpenter@oracle.com>
108261Date: Fri Feb 10 09:03:58 2012 +0100
108262
108263 relay: prevent integer overflow in relay_open()
108264
108265 "subbuf_size" and "n_subbufs" come from the user and they need to be
108266 capped to prevent an integer overflow.
108267
108268 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
108269 Cc: stable@kernel.org
108270 Signed-off-by: Jens Axboe <axboe@kernel.dk>
108271
108272commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
108273Merge: b1baadf 1daebf1
108274Author: Brad Spengler <spender@grsecurity.net>
108275Date: Mon Feb 13 17:47:04 2012 -0500
108276
108277 Merge branch 'pax-test' into grsec-test
108278
108279 Conflicts:
108280 fs/proc/base.c
108281
108282commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
108283Merge: 1413df2 c2db2e2
108284Author: Brad Spengler <spender@grsecurity.net>
108285Date: Mon Feb 13 17:45:54 2012 -0500
108286
108287 Merge branch 'linux-3.2.y' into pax-test
108288
108289commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
108290Author: Brad Spengler <spender@grsecurity.net>
108291Date: Sun Feb 12 16:44:05 2012 -0500
108292
108293 add missing declaration
108294
108295commit 3981059c35e8463002517935c28f3d74b8e3703c
108296Author: Brad Spengler <spender@grsecurity.net>
108297Date: Sun Feb 12 16:36:04 2012 -0500
108298
108299 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
108300 in addition to existing checks (this handles the setresuid ruid = euid case)
108301
108302commit 0beab03263c773f463412c350ad9064b44b6ede0
108303Author: Brad Spengler <spender@grsecurity.net>
108304Date: Sun Feb 12 16:13:40 2012 -0500
108305
108306 Revert setreuid changes when RBAC is enabled, breaks freeradius
108307 I'll fix the learning issue Lavish reported a different way through
108308 gradm modifications
108309
108310 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
108311
108312commit 0c61cb1cfbbfec7d07647268c922d51434d22621
108313Author: Brad Spengler <spender@grsecurity.net>
108314Date: Sat Feb 11 14:22:46 2012 -0500
108315
108316 copy exec_id on fork
108317
108318commit 000c08e0890630086b2ed04084050ed856a7ec31
108319Author: Brad Spengler <spender@grsecurity.net>
108320Date: Fri Feb 10 20:00:36 2012 -0500
108321
108322 compile fix
108323
108324commit 54b8c8f54484e5ee18040657827158bc4b63bccc
108325Author: Brad Spengler <spender@grsecurity.net>
108326Date: Fri Feb 10 19:19:52 2012 -0500
108327
108328 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
108329 denies reading of sensitive /proc/pid entries where the file descriptor
108330 was opened in a different task than the one performing the read
108331
108332commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
108333Author: Brad Spengler <spender@grsecurity.net>
108334Date: Fri Feb 10 17:43:24 2012 -0500
108335
108336 Remove duplicate signal check
108337
108338commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
108339Merge: 4eba97e 1413df2
108340Author: Brad Spengler <spender@grsecurity.net>
108341Date: Wed Feb 8 19:24:34 2012 -0500
108342
108343 Merge branch 'pax-test' into grsec-test
108344
108345commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
108346Author: Brad Spengler <spender@grsecurity.net>
108347Date: Wed Feb 8 19:24:08 2012 -0500
108348
108349 Merge changes from pax-linux-3.2.4-test11.patch
108350
108351commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
108352Merge: 0e058dd 8dd90a2
108353Author: Brad Spengler <spender@grsecurity.net>
108354Date: Mon Feb 6 17:50:12 2012 -0500
108355
108356 Merge branch 'pax-test' into grsec-test
108357
108358commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
108359Author: Brad Spengler <spender@grsecurity.net>
108360Date: Mon Feb 6 17:49:07 2012 -0500
108361
108362 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
108363
108364commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
108365Merge: 7e4169c 6133971
108366Author: Brad Spengler <spender@grsecurity.net>
108367Date: Mon Feb 6 17:48:57 2012 -0500
108368
108369 Merge branch 'linux-3.2.y' into pax-test
108370
108371commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
108372Author: Brad Spengler <spender@grsecurity.net>
108373Date: Sun Feb 5 19:24:45 2012 -0500
108374
108375 We now allow configurations with no PaX markings, giving the system no way to override the defaults
108376
108377commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
108378Author: Brad Spengler <spender@grsecurity.net>
108379Date: Sun Feb 5 10:01:23 2012 -0500
108380
108381 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
108382
108383commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
108384Author: Brad Spengler <spender@grsecurity.net>
108385Date: Sat Feb 4 21:01:16 2012 -0500
108386
108387 Improve security of ptrace-based monitoring/sandboxing
108388 See:
108389 http://article.gmane.org/gmane.linux.kernel.lsm/15156
108390
108391commit ca4ca5a1027b41f9528794e52a53ce9c47926101
108392Author: Brad Spengler <spender@grsecurity.net>
108393Date: Fri Feb 3 20:42:55 2012 -0500
108394
108395 fix typo
108396
108397commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
108398Author: Brad Spengler <spender@grsecurity.net>
108399Date: Fri Feb 3 20:25:38 2012 -0500
108400
108401 Reported by lavish on IRC:
108402 If a suid/sgid binary did not learn any setuid/setgid call during learning,
108403 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
108404 any restrictions on uid/gid changes. uid and gid can however be changed
108405 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
108406 euid/egid.
108407
108408 My fix:
108409 POSIX doesn't specify whether unprivileged users can perform the above
108410 setresuid/setresgid as an unprivileged user, though Linux has historically
108411 permitted them. Modify this behavior when RBAC is enabled to require
108412 CAP_SETUID/CAP_SETGID for these operations.
108413
108414 Thanks to Lavish for the report!
108415
108416 Conflicts:
108417
108418 kernel/sys.c
108419
108420commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
108421Merge: ba586eb 7e4169c
108422Author: Brad Spengler <spender@grsecurity.net>
108423Date: Fri Feb 3 20:10:21 2012 -0500
108424
108425 Merge branch 'pax-test' into grsec-test
108426
108427commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
108428Author: Brad Spengler <spender@grsecurity.net>
108429Date: Fri Feb 3 20:10:05 2012 -0500
108430
108431 Merge changes from pax-linux-3.2.4-test9.patch
108432
108433commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
108434Author: Christopher Yeoh <cyeoh@au1.ibm.com>
108435Date: Thu Feb 2 11:34:09 2012 +1030
108436
108437 Fix race in process_vm_rw_core
108438
108439 This fixes the race in process_vm_core found by Oleg (see
108440
108441 http://article.gmane.org/gmane.linux.kernel/1235667/
108442
108443 for details).
108444
108445 This has been updated since I last sent it as the creation of the new
108446 mm_access() function did almost exactly the same thing as parts of the
108447 previous version of this patch did.
108448
108449 In order to use mm_access() even when /proc isn't enabled, we move it to
108450 kernel/fork.c where other related process mm access functions already
108451 are.
108452
108453 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
108454 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108455
108456 Conflicts:
108457
108458 fs/proc/base.c
108459 mm/process_vm_access.c
108460
108461commit b9194d60fb9fe579f5c34817ed822abde18939a0
108462Author: Oleg Nesterov <oleg@redhat.com>
108463Date: Tue Jan 31 17:15:11 2012 +0100
108464
108465 proc: make sure mem_open() doesn't pin the target's memory
108466
108467 Once /proc/pid/mem is opened, the memory can't be released until
108468 mem_release() even if its owner exits.
108469
108470 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
108471 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
108472 before access_remote_vm(), this verifies that this mm is still alive.
108473
108474 I am not sure what should mem_rw() return if atomic_inc_not_zero()
108475 fails. With this patch it returns zero to match the "mm == NULL" case,
108476 may be it should return -EINVAL like it did before e268337d.
108477
108478 Perhaps it makes sense to add the additional fatal_signal_pending()
108479 check into the main loop, to ensure we do not hold this memory if
108480 the target task was oom-killed.
108481
108482 Cc: stable@kernel.org
108483 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
108484 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108485
108486commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
108487Author: Oleg Nesterov <oleg@redhat.com>
108488Date: Tue Jan 31 17:14:38 2012 +0100
108489
108490 proc: mem_release() should check mm != NULL
108491
108492 mem_release() can hit mm == NULL, add the necessary check.
108493
108494 Cc: stable@kernel.org
108495 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
108496 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108497
108498commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
108499Author: Oleg Nesterov <oleg@redhat.com>
108500Date: Tue Jan 31 17:14:54 2012 +0100
108501
108502 note: redisabled mem_write
108503
108504 proc: unify mem_read() and mem_write()
108505
108506 No functional changes, cleanup and preparation.
108507
108508 mem_read() and mem_write() are very similar. Move this code into the
108509 new common helper, mem_rw(), which takes the additional "int write"
108510 argument.
108511
108512 Cc: stable@kernel.org
108513 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
108514 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108515
108516 Conflicts:
108517
108518 fs/proc/base.c
108519
108520commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
108521Merge: 3903f01 01fee18
108522Author: Brad Spengler <spender@grsecurity.net>
108523Date: Fri Feb 3 19:50:40 2012 -0500
108524
108525 Merge branch 'pax-test' into grsec-test
108526
108527commit 01fee1851aef26b898ccba5312cabf1f919b74cb
108528Author: Brad Spengler <spender@grsecurity.net>
108529Date: Fri Feb 3 19:49:46 2012 -0500
108530
108531 Merge changes from pax-linux-3.2.4-test8.patch
108532
108533commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
108534Merge: 201c0db 141936c
108535Author: Brad Spengler <spender@grsecurity.net>
108536Date: Fri Feb 3 19:49:01 2012 -0500
108537
108538 Merge branch 'linux-3.2.y' into pax-test
108539
108540commit 3903f0172ecadf7a575ba3535402a1506133640a
108541Author: Brad Spengler <spender@grsecurity.net>
108542Date: Mon Jan 30 23:26:44 2012 -0500
108543
108544 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
108545
108546 We'll whitelist required directories for compatibility instead of requiring
108547 that people disable the feature entirely if they use SELinux, fuse, etc
108548
108549 Conflicts:
108550
108551 fs/sysfs/mount.c
108552
108553commit e3618feaa7e63807f1b88c199882075b3ec9bd05
108554Author: Brad Spengler <spender@grsecurity.net>
108555Date: Sun Jan 29 01:12:19 2012 -0500
108556
108557 perform RBAC check if TPE is on but match fails, matches previous behavior
108558
108559commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
108560Author: Brad Spengler <spender@grsecurity.net>
108561Date: Sat Jan 28 13:17:06 2012 -0500
108562
108563 log more information about the reason for a TPE denial for novice users, requested by a sponsor
108564
108565commit efefd67008cbad8a8591e2484410966a300a39a5
108566Author: Brad Spengler <spender@grsecurity.net>
108567Date: Fri Jan 27 19:58:53 2012 -0500
108568
108569 merge upstream sha512 changes
108570
108571commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
108572Author: Brad Spengler <spender@grsecurity.net>
108573Date: Fri Jan 27 19:49:07 2012 -0500
108574
108575 drop lock on error in xfs_readlink
108576
108577 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
108578
108579commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
108580Author: Li Wang <liwang@nudt.edu.cn>
108581Date: Thu Jan 19 09:44:36 2012 +0800
108582
108583 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
108584
108585 ecryptfs_write() can enter an infinite loop when truncating a file to a
108586 size larger than 4G. This only happens on architectures where size_t is
108587 represented by 32 bits.
108588
108589 This was caused by a size_t overflow due to it incorrectly being used to
108590 store the result of a calculation which uses potentially large values of
108591 type loff_t.
108592
108593 [tyhicks@canonical.com: rewrite subject and commit message]
108594 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
108595 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
108596 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
108597 Cc: <stable@vger.kernel.org>
108598 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
108599
108600commit a7607747d0f74f357d78bb796d70635dd05f46e8
108601Author: Tyler Hicks <tyhicks@canonical.com>
108602Date: Thu Jan 19 20:33:44 2012 -0600
108603
108604 eCryptfs: Check inode changes in setattr
108605
108606 Most filesystems call inode_change_ok() very early in ->setattr(), but
108607 eCryptfs didn't call it at all. It allowed the lower filesystem to make
108608 the call in its ->setattr() function. Then, eCryptfs would copy the
108609 appropriate inode attributes from the lower inode to the eCryptfs inode.
108610
108611 This patch changes that and actually calls inode_change_ok() on the
108612 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
108613 would happen earlier in ecryptfs_setattr(), but there are some possible
108614 inode initialization steps that must happen first.
108615
108616 Since the call was already being made on the lower inode, the change in
108617 functionality should be minimal, except for the case of a file extending
108618 truncate call. In that case, inode_newsize_ok() was never being
108619 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
108620 maximum file size errors early on, eCryptfs would encrypt zeroed pages
108621 and write them to the lower filesystem until the lower filesystem's
108622 write path caught the error in generic_write_checks(). This patch
108623 introduces a new function, called ecryptfs_inode_newsize_ok(), which
108624 checks if the new lower file size is within the appropriate limits when
108625 the truncate operation will be growing the lower file.
108626
108627 In summary this change prevents eCryptfs truncate operations (and the
108628 resulting page encryptions), which would exceed the lower filesystem
108629 limits or FSIZE rlimits, from ever starting.
108630
108631 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
108632 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
108633 Cc: <stable@vger.kernel.org>
108634
108635commit 0d96f190a39505254ace4e9330219aaeda9b64e3
108636Author: Tyler Hicks <tyhicks@canonical.com>
108637Date: Wed Jan 18 18:30:04 2012 -0600
108638
108639 eCryptfs: Make truncate path killable
108640
108641 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
108642 page, zeroes out the appropriate portions, and then encrypts the page
108643 before writing it to the lower filesystem. It was unkillable and due to
108644 the lack of sparse file support could result in tying up a large portion
108645 of system resources, while encrypting pages of zeros, with no way for
108646 the truncate operation to be stopped from userspace.
108647
108648 This patch adds the ability for ecryptfs_write() to detect a pending
108649 fatal signal and return as gracefully as possible. The intent is to
108650 leave the lower file in a useable state, while still allowing a user to
108651 break out of the encryption loop. If a pending fatal signal is detected,
108652 the eCryptfs inode size is updated to reflect the modified inode size
108653 and then -EINTR is returned.
108654
108655 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
108656 Cc: <stable@vger.kernel.org>
108657
108658commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
108659Author: Tyler Hicks <tyhicks@canonical.com>
108660Date: Tue Jan 24 10:02:22 2012 -0600
108661
108662 eCryptfs: Fix oops when printing debug info in extent crypto functions
108663
108664 If pages passed to the eCryptfs extent-based crypto functions are not
108665 mapped and the module parameter ecryptfs_verbosity=1 was specified at
108666 loading time, a NULL pointer dereference will occur.
108667
108668 Note that this wouldn't happen on a production system, as you wouldn't
108669 pass ecryptfs_verbosity=1 on a production system. It leaks private
108670 information to the system logs and is for debugging only.
108671
108672 The debugging info printed in these messages is no longer very useful
108673 and rather than doing a kmap() in these debugging paths, it will be
108674 better to simply remove the debugging paths completely.
108675
108676 https://launchpad.net/bugs/913651
108677
108678 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
108679 Reported-by: Daniel DeFreez
108680 Cc: <stable@vger.kernel.org>
108681
108682commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
108683Author: Tyler Hicks <tyhicks@canonical.com>
108684Date: Thu Jan 12 11:30:44 2012 +0100
108685
108686 eCryptfs: Sanitize write counts of /dev/ecryptfs
108687
108688 A malicious count value specified when writing to /dev/ecryptfs may
108689 result in a a very large kernel memory allocation.
108690
108691 This patch peeks at the specified packet payload size, adds that to the
108692 size of the packet headers and compares the result with the write count
108693 value. The resulting maximum memory allocation size is approximately 532
108694 bytes.
108695
108696 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
108697 Reported-by: Sasha Levin <levinsasha928@gmail.com>
108698 Cc: <stable@vger.kernel.org>
108699
108700commit 96dcb7282d323813181a1791f51c0ab7696b675b
108701Merge: 6c09fa5 201c0db
108702Author: Brad Spengler <spender@grsecurity.net>
108703Date: Fri Jan 27 19:44:15 2012 -0500
108704
108705 Merge branch 'pax-test' into grsec-test
108706
108707commit 201c0dbf177527367676028151e36d340923f033
108708Author: Brad Spengler <spender@grsecurity.net>
108709Date: Fri Jan 27 19:43:24 2012 -0500
108710
108711 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
108712 on loading modules with empty sections
108713
108714commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
108715Author: Brad Spengler <spender@grsecurity.net>
108716Date: Fri Jan 27 19:42:13 2012 -0500
108717
108718 compile fix
108719
108720commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
108721Author: Brad Spengler <spender@grsecurity.net>
108722Date: Fri Jan 27 19:39:28 2012 -0500
108723
108724 use LSM flags instead of duplicating checks
108725
108726commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
108727Merge: 44b9f11 558718b
108728Author: Brad Spengler <spender@grsecurity.net>
108729Date: Fri Jan 27 18:56:23 2012 -0500
108730
108731 Merge branch 'pax-test' into grsec-test
108732
108733commit 558718b2217beff69edf60f34a6f9893d910e9ac
108734Author: Brad Spengler <spender@grsecurity.net>
108735Date: Fri Jan 27 18:56:04 2012 -0500
108736
108737 Merge changes from pax-linux-3.2.2-test6.patch
108738
108739commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
108740Author: Brad Spengler <spender@grsecurity.net>
108741Date: Fri Jan 27 18:53:55 2012 -0500
108742
108743 don't increase the size of task_struct when unnecessary
108744 change ptrace_readexec log message
108745
108746commit a9c9626e054adb885883aa64f85506852894dd33
108747Author: Brad Spengler <spender@grsecurity.net>
108748Date: Fri Jan 27 18:16:28 2012 -0500
108749
108750 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
108751 the protection applies to all unreadable binaries.
108752
108753commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
108754Merge: 7b3f3af 05a1349
108755Author: Brad Spengler <spender@grsecurity.net>
108756Date: Wed Jan 25 20:52:09 2012 -0500
108757
108758 Merge branch 'pax-test' into grsec-test
108759
108760 Conflicts:
108761 block/scsi_ioctl.c
108762 drivers/scsi/sd.c
108763 fs/proc/base.c
108764
108765commit 05a134966efb9cb9346ad3422888969ffc79ac1d
108766Author: Brad Spengler <spender@grsecurity.net>
108767Date: Wed Jan 25 20:47:36 2012 -0500
108768
108769 Resync with pax-linux-3.2.2-test5.patch
108770
108771commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
108772Merge: c6d443d 3499d64
108773Author: Brad Spengler <spender@grsecurity.net>
108774Date: Wed Jan 25 20:45:16 2012 -0500
108775
108776 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
108777
108778 Conflicts:
108779 ipc/shm.c
108780
108781commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
108782Author: Brad Spengler <spender@grsecurity.net>
108783Date: Tue Jan 24 19:42:01 2012 -0500
108784
108785 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
108786 (may be changed if it breaks some userland), the other has its own
108787 config option
108788
108789 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
108790 the syscall or /proc/sys.
108791
108792 Second feature requires read access to a suid/sgid binary in order
108793 to ptrace it, preventing infoleaking of binaries in situations where
108794 the admin has specified 4711 or 2711 perms. Feature has been
108795 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
108796 a sysctl entry of ptrace_readexec
108797
108798commit 11a7bb25c411c9dccfdca5718639b4becdffd388
108799Author: Brad Spengler <spender@grsecurity.net>
108800Date: Sun Jan 22 14:37:10 2012 -0500
108801
108802 Compilation fixes
108803
108804commit cd400e21c7c352baba47d6f375297a7847afb33a
108805Author: Brad Spengler <spender@grsecurity.net>
108806Date: Sun Jan 22 14:20:27 2012 -0500
108807
108808 Initial port of grsecurity 2.2.2 for Linux 3.2.1
108809 Note that the new syscalls added to this kernel for remote process read/write
108810 are subject to ptrace hardening/other relevant RBAC features
108811 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
108812 as well
108813 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
108814 you should be using a version of gcc with plugin support
108815
108816commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
108817Author: Brad Spengler <spender@grsecurity.net>
108818Date: Sun Jan 22 11:47:31 2012 -0500
108819
108820 Import pax-linux-3.2.1-test5.patch
108821commit bfd7db842f835f9837cd43644459b3a95b0b488d
108822Author: Brad Spengler <spender@grsecurity.net>
108823Date: Sun Jan 22 11:02:02 2012 -0500
108824
108825 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
108826 instead of returning -EACCES
108827 thanks to Wraith from irc for the report
108828
108829commit 873ac13576506cd48ddb527c2540f274e249da50
108830Merge: 34083dd 8a44fcc
108831Author: Brad Spengler <spender@grsecurity.net>
108832Date: Fri Jan 20 18:04:02 2012 -0500
108833
108834 Merge branch 'pax-test' into grsec-test
108835
108836commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
108837Author: Brad Spengler <spender@grsecurity.net>
108838Date: Fri Jan 20 18:02:15 2012 -0500
108839
108840 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
108841 Denies executable shared memory when MPROTECT is active
108842 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
108843
108844commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
108845Author: Brad Spengler <spender@grsecurity.net>
108846Date: Thu Jan 19 20:23:14 2012 -0500
108847
108848 Introduce new GRKERNSEC_SETXID implementation
108849 We're not able to change the credentials of other threads in the process until at most
108850 one syscall after the first thread does it, since we mark the threads as needing rescheduling
108851 and such work occurs on syscall exit.
108852 This does however ensure that we're only modifying the current task's credentials
108853 which upholds RCU expectations
108854
108855 Many thanks to corsac for testing
108856
108857commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
108858Author: Brad Spengler <spender@grsecurity.net>
108859Date: Thu Jan 19 17:42:48 2012 -0500
108860
108861 Simplify backport
108862
108863commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
108864Author: Brad Spengler <spender@grsecurity.net>
108865Date: Thu Jan 19 17:08:16 2012 -0500
108866
108867 Commit the latest silent fix for a local privilege escalation from Linus
108868 Also disable writing to /proc/pid/mem
108869 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
108870
108871commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
108872Merge: 0394a3f 7e6299b
108873Author: Brad Spengler <spender@grsecurity.net>
108874Date: Wed Jan 18 20:22:09 2012 -0500
108875
108876 Merge branch 'pax-test' into grsec-test
108877
108878commit 7e6299b4733c082dde930375dd207b63237751ec
108879Merge: 83555fb 9bb1282
108880Author: Brad Spengler <spender@grsecurity.net>
108881Date: Wed Jan 18 20:21:37 2012 -0500
108882
108883 Merge branch 'linux-3.1.y' into pax-test
108884
108885commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
108886Author: Jesper Juhl <jj@chaosbits.net>
108887Date: Sun Jan 8 22:44:29 2012 +0100
108888
108889 audit: always follow va_copy() with va_end()
108890
108891 A call to va_copy() should always be followed by a call to va_end() in
108892 the same function. In kernel/autit.c::audit_log_vformat() this is not
108893 always done. This patch makes sure va_end() is always called.
108894
108895 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
108896 Cc: Al Viro <viro@zeniv.linux.org.uk>
108897 Cc: Eric Paris <eparis@redhat.com>
108898 Cc: Andrew Morton <akpm@linux-foundation.org>
108899 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108900
108901commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
108902Author: Andi Kleen <ak@linux.intel.com>
108903Date: Thu Jan 12 17:20:30 2012 -0800
108904
108905 panic: don't print redundant backtraces on oops
108906
108907 When an oops causes a panic and panic prints another backtrace it's pretty
108908 common to have the original oops data be scrolled away on a 80x50 screen.
108909
108910 The second backtrace is quite redundant and not needed anyways.
108911
108912 So don't print the panic backtrace when oops_in_progress is true.
108913
108914 [akpm@linux-foundation.org: add comment]
108915 Signed-off-by: Andi Kleen <ak@linux.intel.com>
108916 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
108917 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
108918 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108919
108920commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
108921Author: Miklos Szeredi <mszeredi@suse.cz>
108922Date: Thu Jan 12 17:59:46 2012 +0100
108923
108924 fsnotify: don't BUG in fsnotify_destroy_mark()
108925
108926 Removing the parent of a watched file results in "kernel BUG at
108927 fs/notify/mark.c:139".
108928
108929 To reproduce
108930
108931 add "-w /tmp/audit/dir/watched_file" to audit.rules
108932 rm -rf /tmp/audit/dir
108933
108934 This is caused by fsnotify_destroy_mark() being called without an
108935 extra reference taken by the caller.
108936
108937 Reported by Francesco Cosoleto here:
108938
108939 https://bugzilla.novell.com/show_bug.cgi?id=689860
108940
108941 Fix by removing the BUG_ON and adding a comment about not accessing mark after
108942 the iput.
108943
108944 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
108945 CC: stable@vger.kernel.org
108946 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108947
108948commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
108949Author: Paolo Bonzini <pbonzini@redhat.com>
108950Date: Thu Jan 12 16:01:28 2012 +0100
108951
108952 block: fail SCSI passthrough ioctls on partition devices
108953
108954 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
108955 will pass the command to the underlying block device. This is
108956 well-known, but it is also a large security problem when (via Unix
108957 permissions, ACLs, SELinux or a combination thereof) a program or user
108958 needs to be granted access only to part of the disk.
108959
108960 This patch lets partitions forward a small set of harmless ioctls;
108961 others are logged with printk so that we can see which ioctls are
108962 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
108963 Of course it was being sent to a (partition on a) hard disk, so it would
108964 have failed with ENOTTY and the patch isn't changing anything in
108965 practice. Still, I'm treating it specially to avoid spamming the logs.
108966
108967 In principle, this restriction should include programs running with
108968 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
108969 /dev/sdb, it still should not be able to read/write outside the
108970 boundaries of /dev/sda2 independent of the capabilities. However, for
108971 now programs with CAP_SYS_RAWIO will still be allowed to send the
108972 ioctls. Their actions will still be logged.
108973
108974 This patch does not affect the non-libata IDE driver. That driver
108975 however already tests for bd != bd->bd_contains before issuing some
108976 ioctl; it could be restricted further to forbid these ioctls even for
108977 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
108978
108979 Cc: linux-scsi@vger.kernel.org
108980 Cc: Jens Axboe <axboe@kernel.dk>
108981 Cc: James Bottomley <JBottomley@parallels.com>
108982 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
108983 [ Make it also print the command name when warning - Linus ]
108984 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
108985
108986commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
108987Author: Paolo Bonzini <pbonzini@redhat.com>
108988Date: Thu Jan 12 16:01:27 2012 +0100
108989
108990 block: add and use scsi_blk_cmd_ioctl
108991
108992 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
108993
108994 The function will then be enhanced to detect partition block devices
108995 and, in that case, subject the ioctls to whitelisting.
108996
108997 Cc: linux-scsi@vger.kernel.org
108998 Cc: Jens Axboe <axboe@kernel.dk>
108999 Cc: James Bottomley <JBottomley@parallels.com>
109000 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
109001 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
109002
109003commit 97a79814903fc350e1d13704ea31528a42705401
109004Author: Kees Cook <keescook@chromium.org>
109005Date: Sat Jan 7 10:41:04 2012 -0800
109006
109007 audit: treat s_id as an untrusted string
109008
109009 The use of s_id should go through the untrusted string path, just to be
109010 extra careful.
109011
109012 Signed-off-by: Kees Cook <keescook@chromium.org>
109013 Acked-by: Mimi Zohar <zohar@us.ibm.com>
109014 Signed-off-by: Eric Paris <eparis@redhat.com>
109015
109016commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
109017Author: Xi Wang <xi.wang@gmail.com>
109018Date: Tue Dec 20 18:39:41 2011 -0500
109019
109020 audit: fix signedness bug in audit_log_execve_info()
109021
109022 In the loop, a size_t "len" is used to hold the return value of
109023 audit_log_single_execve_arg(), which returns -1 on error. In that
109024 case the error handling (len <= 0) will be bypassed since "len" is
109025 unsigned, and the loop continues with (p += len) being wrapped.
109026 Change the type of "len" to signed int to fix the error handling.
109027
109028 size_t len;
109029 ...
109030 for (...) {
109031 len = audit_log_single_execve_arg(...);
109032 if (len <= 0)
109033 break;
109034 p += len;
109035 }
109036
109037 Signed-off-by: Xi Wang <xi.wang@gmail.com>
109038 Signed-off-by: Eric Paris <eparis@redhat.com>
109039
109040commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
109041Author: Dan Carpenter <dan.carpenter@oracle.com>
109042Date: Tue Jan 17 03:28:51 2012 -0300
109043
109044 [media] ds3000: using logical && instead of bitwise &
109045
109046 The intent here was to test if the FE_HAS_LOCK was set. The current
109047 test is equivalent to "if (status) { ..."
109048
109049 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
109050 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
109051
109052commit 36522330dc59d2fc70c042f3f081d75c32b6259a
109053Author: Brad Spengler <spender@grsecurity.net>
109054Date: Mon Jan 16 13:10:38 2012 -0500
109055
109056 Ignore the 0 signal for protected task RBAC checks
109057
109058commit d513acd55f7a683f6e146a4f570cdb63300479ab
109059Author: Brad Spengler <spender@grsecurity.net>
109060Date: Mon Jan 16 11:56:13 2012 -0500
109061
109062 whitespace cleanup
109063
109064commit ced261c4b82818c700aff8487f647f6f3e5b5122
109065Merge: d48751f 83555fb
109066Author: Brad Spengler <spender@grsecurity.net>
109067Date: Fri Jan 13 20:12:54 2012 -0500
109068
109069 Merge branch 'pax-test' into grsec-test
109070
109071commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
109072Merge: fcd8129 93dad39
109073Author: Brad Spengler <spender@grsecurity.net>
109074Date: Fri Jan 13 20:12:43 2012 -0500
109075
109076 Merge branch 'linux-3.1.y' into pax-test
109077
109078commit d48751f3919ae855fda0ff6c149db82442329253
109079Author: Brad Spengler <spender@grsecurity.net>
109080Date: Wed Jan 11 19:05:47 2012 -0500
109081
109082 Call our own set_user when forcing change to new id
109083
109084commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
109085Merge: e6578ff fcd8129
109086Author: Brad Spengler <spender@grsecurity.net>
109087Date: Tue Jan 10 16:00:10 2012 -0500
109088
109089 Merge branch 'pax-test' into grsec-test
109090
109091commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
109092Author: Brad Spengler <spender@grsecurity.net>
109093Date: Tue Jan 10 15:58:43 2012 -0500
109094
109095 Merge changes from pax-linux-3.1.8-test23.patch
109096
109097commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
109098Merge: 8859ec3 a120549
109099Author: Brad Spengler <spender@grsecurity.net>
109100Date: Fri Jan 6 21:45:56 2012 -0500
109101
109102 Merge branch 'pax-test' into grsec-test
109103
109104commit a12054967a77090de1caa07c41e694a77db4e237
109105Author: Brad Spengler <spender@grsecurity.net>
109106Date: Fri Jan 6 21:45:30 2012 -0500
109107
109108 Merge changes from pax-linux-3.1.8-test22.patch
109109
109110commit 8859ec32f9815c274df65448f9f2960176c380d3
109111Merge: a5016b4 ddd4114
109112Author: Brad Spengler <spender@grsecurity.net>
109113Date: Fri Jan 6 21:26:08 2012 -0500
109114
109115 Merge branch 'pax-test' into grsec-test
109116
109117 Conflicts:
109118 fs/binfmt_elf.c
109119 security/Kconfig
109120
109121commit ddd41147e158a79704983a409b7433eba797cf66
109122Author: Brad Spengler <spender@grsecurity.net>
109123Date: Fri Jan 6 21:12:42 2012 -0500
109124
109125 Resync with PaX patch (whitespace difference)
109126
109127commit 29e569df8205c5f0e043fe4803aa984406c8b118
109128Author: Brad Spengler <spender@grsecurity.net>
109129Date: Fri Jan 6 21:09:47 2012 -0500
109130
109131 Merge changes from pax-linux-3.1.8-test21.patch
109132
109133commit a5016b4f9c09c337b17e063a7f369af1e86d944d
109134Merge: 0124c92 04231d5
109135Author: Brad Spengler <spender@grsecurity.net>
109136Date: Fri Jan 6 18:52:20 2012 -0500
109137
109138 Merge branch 'pax-test' into grsec-test
109139
109140commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
109141Merge: 7bdddeb a919904
109142Author: Brad Spengler <spender@grsecurity.net>
109143Date: Fri Jan 6 18:51:50 2012 -0500
109144
109145 Merge branch 'linux-3.1.y' into pax-test
109146
109147 Conflicts:
109148 include/net/flow.h
109149
109150commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
109151Author: Brad Spengler <spender@grsecurity.net>
109152Date: Fri Jan 6 18:33:05 2012 -0500
109153
109154 Make GRKERNSEC_SETXID option compatible with credential debugging
109155
109156commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
109157Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
109158Date: Wed Dec 28 15:57:11 2011 -0800
109159
109160 mm/mempolicy.c: refix mbind_range() vma issue
109161
109162 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
109163 slightly incorrect fix.
109164
109165 Why? Think following case.
109166
109167 1. map 4 pages of a file at offset 0
109168
109169 [0123]
109170
109171 2. map 2 pages just after the first mapping of the same file but with
109172 page offset 2
109173
109174 [0123][23]
109175
109176 3. mbind() 2 pages from the first mapping at offset 2.
109177 mbind_range() should treat new vma is,
109178
109179 [0123][23]
109180 |23|
109181 mbind vma
109182
109183 but it does
109184
109185 [0123][23]
109186 |01|
109187 mbind vma
109188
109189 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
109190
109191 This patch fixes it.
109192
109193 [testcase]
109194 test result - before the patch
109195
109196 case4: 126: test failed. expect '2,4', actual '2,2,2'
109197 case5: passed
109198 case6: passed
109199 case7: passed
109200 case8: passed
109201 case_n: 246: test failed. expect '4,2', actual '1,4'
109202
109203 ------------[ cut here ]------------
109204 kernel BUG at mm/filemap.c:135!
109205 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
109206
109207 (snip long bug on messages)
109208
109209 test result - after the patch
109210
109211 case4: passed
109212 case5: passed
109213 case6: passed
109214 case7: passed
109215 case8: passed
109216 case_n: passed
109217
109218 source: mbind_vma_test.c
109219 ============================================================
109220 #include <numaif.h>
109221 #include <numa.h>
109222 #include <sys/mman.h>
109223 #include <stdio.h>
109224 #include <unistd.h>
109225 #include <stdlib.h>
109226 #include <string.h>
109227
109228 static unsigned long pagesize;
109229 void* mmap_addr;
109230 struct bitmask *nmask;
109231 char buf[1024];
109232 FILE *file;
109233 char retbuf[10240] = "";
109234 int mapped_fd;
109235
109236 char *rubysrc = "ruby -e '\
109237 pid = %d; \
109238 vstart = 0x%llx; \
109239 vend = 0x%llx; \
109240 s = `pmap -q #{pid}`; \
109241 rary = []; \
109242 s.each_line {|line|; \
109243 ary=line.split(\" \"); \
109244 addr = ary[0].to_i(16); \
109245 if(vstart <= addr && addr < vend) then \
109246 rary.push(ary[1].to_i()/4); \
109247 end; \
109248 }; \
109249 print rary.join(\",\"); \
109250 '";
109251
109252 void init(void)
109253 {
109254 void* addr;
109255 char buf[128];
109256
109257 nmask = numa_allocate_nodemask();
109258 numa_bitmask_setbit(nmask, 0);
109259
109260 pagesize = getpagesize();
109261
109262 sprintf(buf, "%s", "mbind_vma_XXXXXX");
109263 mapped_fd = mkstemp(buf);
109264 if (mapped_fd == -1)
109265 perror("mkstemp "), exit(1);
109266 unlink(buf);
109267
109268 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
109269 perror("lseek "), exit(1);
109270 if (write(mapped_fd, "\0", 1) < 0)
109271 perror("write "), exit(1);
109272
109273 addr = mmap(NULL, pagesize*8, PROT_NONE,
109274 MAP_SHARED, mapped_fd, 0);
109275 if (addr == MAP_FAILED)
109276 perror("mmap "), exit(1);
109277
109278 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
109279 perror("mprotect "), exit(1);
109280
109281 mmap_addr = addr + pagesize;
109282
109283 /* make page populate */
109284 memset(mmap_addr, 0, pagesize*6);
109285 }
109286
109287 void fin(void)
109288 {
109289 void* addr = mmap_addr - pagesize;
109290 munmap(addr, pagesize*8);
109291
109292 memset(buf, 0, sizeof(buf));
109293 memset(retbuf, 0, sizeof(retbuf));
109294 }
109295
109296 void mem_bind(int index, int len)
109297 {
109298 int err;
109299
109300 err = mbind(mmap_addr+pagesize*index, pagesize*len,
109301 MPOL_BIND, nmask->maskp, nmask->size, 0);
109302 if (err)
109303 perror("mbind "), exit(err);
109304 }
109305
109306 void mem_interleave(int index, int len)
109307 {
109308 int err;
109309
109310 err = mbind(mmap_addr+pagesize*index, pagesize*len,
109311 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
109312 if (err)
109313 perror("mbind "), exit(err);
109314 }
109315
109316 void mem_unbind(int index, int len)
109317 {
109318 int err;
109319
109320 err = mbind(mmap_addr+pagesize*index, pagesize*len,
109321 MPOL_DEFAULT, NULL, 0, 0);
109322 if (err)
109323 perror("mbind "), exit(err);
109324 }
109325
109326 void Assert(char *expected, char *value, char *name, int line)
109327 {
109328 if (strcmp(expected, value) == 0) {
109329 fprintf(stderr, "%s: passed\n", name);
109330 return;
109331 }
109332 else {
109333 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
109334 name, line,
109335 expected, value);
109336 // exit(1);
109337 }
109338 }
109339
109340 /*
109341 AAAA
109342 PPPPPPNNNNNN
109343 might become
109344 PPNNNNNNNNNN
109345 case 4 below
109346 */
109347 void case4(void)
109348 {
109349 init();
109350 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
109351
109352 mem_bind(0, 4);
109353 mem_unbind(2, 2);
109354
109355 file = popen(buf, "r");
109356 fread(retbuf, sizeof(retbuf), 1, file);
109357 Assert("2,4", retbuf, "case4", __LINE__);
109358
109359 fin();
109360 }
109361
109362 /*
109363 AAAA
109364 PPPPPPNNNNNN
109365 might become
109366 PPPPPPPPPPNN
109367 case 5 below
109368 */
109369 void case5(void)
109370 {
109371 init();
109372 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
109373
109374 mem_bind(0, 2);
109375 mem_bind(2, 2);
109376
109377 file = popen(buf, "r");
109378 fread(retbuf, sizeof(retbuf), 1, file);
109379 Assert("4,2", retbuf, "case5", __LINE__);
109380
109381 fin();
109382 }
109383
109384 /*
109385 AAAA
109386 PPPPNNNNXXXX
109387 might become
109388 PPPPPPPPPPPP 6
109389 */
109390 void case6(void)
109391 {
109392 init();
109393 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
109394
109395 mem_bind(0, 2);
109396 mem_bind(4, 2);
109397 mem_bind(2, 2);
109398
109399 file = popen(buf, "r");
109400 fread(retbuf, sizeof(retbuf), 1, file);
109401 Assert("6", retbuf, "case6", __LINE__);
109402
109403 fin();
109404 }
109405
109406 /*
109407 AAAA
109408 PPPPNNNNXXXX
109409 might become
109410 PPPPPPPPXXXX 7
109411 */
109412 void case7(void)
109413 {
109414 init();
109415 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
109416
109417 mem_bind(0, 2);
109418 mem_interleave(4, 2);
109419 mem_bind(2, 2);
109420
109421 file = popen(buf, "r");
109422 fread(retbuf, sizeof(retbuf), 1, file);
109423 Assert("4,2", retbuf, "case7", __LINE__);
109424
109425 fin();
109426 }
109427
109428 /*
109429 AAAA
109430 PPPPNNNNXXXX
109431 might become
109432 PPPPNNNNNNNN 8
109433 */
109434 void case8(void)
109435 {
109436 init();
109437 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
109438
109439 mem_bind(0, 2);
109440 mem_interleave(4, 2);
109441 mem_interleave(2, 2);
109442
109443 file = popen(buf, "r");
109444 fread(retbuf, sizeof(retbuf), 1, file);
109445 Assert("2,4", retbuf, "case8", __LINE__);
109446
109447 fin();
109448 }
109449
109450 void case_n(void)
109451 {
109452 init();
109453 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
109454
109455 /* make redundunt mappings [0][1234][34][7] */
109456 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
109457 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
109458
109459 /* Expect to do nothing. */
109460 mem_unbind(2, 2);
109461
109462 file = popen(buf, "r");
109463 fread(retbuf, sizeof(retbuf), 1, file);
109464 Assert("4,2", retbuf, "case_n", __LINE__);
109465
109466 fin();
109467 }
109468
109469 int main(int argc, char** argv)
109470 {
109471 case4();
109472 case5();
109473 case6();
109474 case7();
109475 case8();
109476 case_n();
109477
109478 return 0;
109479 }
109480 =============================================================
109481
109482 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
109483 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
109484 Cc: Minchan Kim <minchan.kim@gmail.com>
109485 Cc: Caspar Zhang <caspar@casparzhang.com>
109486 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
109487 Cc: Christoph Lameter <cl@linux.com>
109488 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
109489 Cc: Mel Gorman <mel@csn.ul.ie>
109490 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
109491 Cc: <stable@vger.kernel.org> [3.1.x]
109492 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
109493 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
109494
109495commit f3a1082005781777086df235049f8c0b7efe524e
109496Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
109497Date: Tue Dec 27 22:32:41 2011 -0500
109498
109499 packet: fix possible dev refcnt leak when bind fail
109500
109501 If bind is fail when bind is called after set PACKET_FANOUT
109502 sock option, the dev refcnt will leak.
109503
109504 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
109505 Signed-off-by: David S. Miller <davem@davemloft.net>
109506
109507commit 915f8b08dac68839dc7204ee81cf9852fda16d24
109508Author: Haogang Chen <haogangchen@gmail.com>
109509Date: Mon Dec 19 17:11:56 2011 -0800
109510
109511 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
109512
109513 There is a potential integer overflow in nilfs_ioctl_clean_segments().
109514 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
109515 call to vmalloc() will allocate a buffer smaller than expected, which
109516 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
109517 lfs_clean_segments().
109518
109519 The following check does not prevent the overflow because nsegs is also
109520 controlled by the userspace and could be very large.
109521
109522 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
109523 goto out_free;
109524
109525 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
109526 returns -EINVAL when overflow.
109527
109528 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
109529 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
109530 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
109531 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
109532
109533commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
109534Author: Kautuk Consul <consul.kautuk@gmail.com>
109535Date: Mon Dec 19 17:12:04 2011 -0800
109536
109537 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
109538
109539 Static storage is not required for the struct vmap_area in
109540 __get_vm_area_node.
109541
109542 Removing "static" to store this variable on the stack instead.
109543
109544 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
109545 Acked-by: David Rientjes <rientjes@google.com>
109546 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
109547 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
109548
109549commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
109550Author: Michel Lespinasse <walken@google.com>
109551Date: Mon Dec 19 17:12:06 2011 -0800
109552
109553 binary_sysctl(): fix memory leak
109554
109555 binary_sysctl() calls sysctl_getname() which allocates from names_cache
109556 slab usin __getname()
109557
109558 The matching function to free the name is __putname(), and not putname()
109559 which should be used only to match getname() allocations.
109560
109561 This is because when auditing is enabled, putname() calls audit_putname
109562 *instead* (not in addition) to __putname(). Then, if a syscall is in
109563 progress, audit_putname does not release the name - instead, it expects
109564 the name to get released when the syscall completes, but that will happen
109565 only if audit_getname() was called previously, i.e. if the name was
109566 allocated with getname() rather than the naked __getname(). So,
109567 __getname() followed by putname() ends up leaking memory.
109568
109569 Signed-off-by: Michel Lespinasse <walken@google.com>
109570 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
109571 Cc: Christoph Hellwig <hch@infradead.org>
109572 Cc: Eric Paris <eparis@redhat.com>
109573 Cc: <stable@vger.kernel.org>
109574 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
109575 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
109576
109577commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
109578Author: Sean Hefty <sean.hefty@intel.com>
109579Date: Tue Dec 6 21:17:11 2011 +0000
109580
109581 RDMA/cma: Verify private data length
109582
109583 private_data_len is defined as a u8. If the user specifies a large
109584 private_data size (> 220 bytes), we will calculate a total length that
109585 exceeds 255, resulting in private_data_len wrapping back to 0. This
109586 can lead to overwriting random kernel memory. Avoid this by verifying
109587 that the resulting size fits into a u8.
109588
109589 Reported-by: B. Thery <benjamin.thery@bull.net>
109590 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
109591 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
109592 Signed-off-by: Roland Dreier <roland@purestorage.com>
109593
109594commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
109595Author: Xi Wang <xi.wang@gmail.com>
109596Date: Sun Dec 11 23:40:56 2011 -0800
109597
109598 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
109599
109600 The error check (intr_status < 0) didn't work because intr_status is
109601 a u8. Change its type to signed int.
109602
109603 Signed-off-by: Xi Wang <xi.wang@gmail.com>
109604 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
109605
109606commit e27f34e383d7863b2528a63b81b23db09781f6b6
109607Author: Xi Wang <xi.wang@gmail.com>
109608Date: Fri Dec 16 12:44:15 2011 +0000
109609
109610 sctp: fix incorrect overflow check on autoclose
109611
109612 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
109613 limiting the autoclose value. If userspace passes in -1 on 32-bit
109614 platform, the overflow check didn't work and autoclose would be set
109615 to 0xffffffff.
109616
109617 This patch defines a max_autoclose (in seconds) for limiting the value
109618 and exposes it through sysctl, with the following intentions.
109619
109620 1) Avoid overflowing autoclose * HZ.
109621
109622 2) Keep the default autoclose bound consistent across 32- and 64-bit
109623 platforms (INT_MAX / HZ in this patch).
109624
109625 3) Keep the autoclose value consistent between setsockopt() and
109626 getsockopt() calls.
109627
109628 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
109629 Signed-off-by: Xi Wang <xi.wang@gmail.com>
109630 Signed-off-by: David S. Miller <davem@davemloft.net>
109631
109632commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
109633Author: Xi Wang <xi.wang@gmail.com>
109634Date: Wed Dec 21 05:18:33 2011 -0500
109635
109636 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
109637
109638 Commit e133e737 didn't correctly fix the integer overflow issue.
109639
109640 - unsigned int required_size;
109641 + u64 required_size;
109642 ...
109643 required_size = mode_cmd->pitch * mode_cmd->height;
109644 - if (unlikely(required_size > dev_priv->vram_size)) {
109645 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
109646
109647 Note that both pitch and height are u32. Their product is still u32 and
109648 would overflow before being assigned to required_size. A correct way is
109649 to convert pitch and height to u64 before the multiplication.
109650
109651 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
109652
109653 This patch calls the existing vmw_kms_validate_mode_vram() for
109654 validation.
109655
109656 Signed-off-by: Xi Wang <xi.wang@gmail.com>
109657 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
109658 Signed-off-by: Dave Airlie <airlied@redhat.com>
109659
109660 Conflicts:
109661
109662 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
109663
109664commit eb8f0bd01fb994c9abc77dc84729794cd841753d
109665Author: Xi Wang <xi.wang@gmail.com>
109666Date: Thu Dec 22 13:35:22 2011 +0000
109667
109668 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
109669
109670 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
109671 cause a kernel oops due to insufficient bounds checking.
109672
109673 if (count > 1<<30) {
109674 /* Enforce a limit to prevent overflow */
109675 return -EINVAL;
109676 }
109677 count = roundup_pow_of_two(count);
109678 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
109679
109680 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
109681
109682 ... + (count * sizeof(struct rps_dev_flow))
109683
109684 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
109685 32 bits.
109686
109687 This patch replaces the magic number (1 << 30) with a symbolic bound.
109688
109689 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
109690 Signed-off-by: Xi Wang <xi.wang@gmail.com>
109691 Signed-off-by: David S. Miller <davem@davemloft.net>
109692
109693commit 648188958672024b616c42c1f6c98c8cfc85619d
109694Author: Xi Wang <xi.wang@gmail.com>
109695Date: Fri Dec 30 10:40:17 2011 -0500
109696
109697 netfilter: ctnetlink: fix timeout calculation
109698
109699 The sanity check (timeout < 0) never works; the dividend is unsigned
109700 and so is the division, which should have been a signed division.
109701
109702 long timeout = (ct->timeout.expires - jiffies) / HZ;
109703 if (timeout < 0)
109704 timeout = 0;
109705
109706 This patch converts the time values to signed for the division.
109707
109708 Signed-off-by: Xi Wang <xi.wang@gmail.com>
109709 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
109710
109711commit ab03a0973cee73f88655ff4981812ad316a6cd59
109712Merge: 76f82df 7bdddeb
109713Author: Brad Spengler <spender@grsecurity.net>
109714Date: Tue Jan 3 17:42:50 2012 -0500
109715
109716 Merge branch 'pax-test' into grsec-test
109717
109718commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
109719Merge: 3e59cb5 55cc81a
109720Author: Brad Spengler <spender@grsecurity.net>
109721Date: Tue Jan 3 17:42:36 2012 -0500
109722
109723 Merge branch 'linux-3.1.y' into pax-test
109724
109725commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
109726Author: Brad Spengler <spender@grsecurity.net>
109727Date: Thu Dec 22 20:15:02 2011 -0500
109728
109729 Only further restrict futex targeting another process -- our modified
109730 permission check also happened to allow a case where a process retaining
109731 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
109732 being non-zero (reported on forums by ben_w)
109733
109734commit 6b235a4450a5fea41663ec35fa0608988b6078c6
109735Merge: 97c16f0 3e59cb5
109736Author: Brad Spengler <spender@grsecurity.net>
109737Date: Thu Dec 22 19:11:06 2011 -0500
109738
109739 Merge branch 'pax-test' into grsec-test
109740
109741 Conflicts:
109742 fs/hfs/btree.c
109743
109744commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
109745Merge: 285eb4e c26f60b
109746Author: Brad Spengler <spender@grsecurity.net>
109747Date: Thu Dec 22 19:09:57 2011 -0500
109748
109749 Merge branch 'linux-3.1.y' into pax-test
109750
109751 Conflicts:
109752 arch/x86/kernel/process.c
109753
109754commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
109755Author: Brad Spengler <spender@grsecurity.net>
109756Date: Mon Dec 19 21:54:01 2011 -0500
109757
109758 Add new option: "Enforce consistent multithreaded privileges"
109759
109760commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
109761Author: Brad Spengler <spender@grsecurity.net>
109762Date: Wed Dec 7 19:58:31 2011 -0500
109763
109764 Remove harmless duplicate code -- exec_file would be null already so the
109765 second check would never pass.
109766
109767commit 4e3304e94aa72737810bc50169519af157dce4ce
109768Author: Brad Spengler <spender@grsecurity.net>
109769Date: Wed Dec 7 19:50:39 2011 -0500
109770
109771 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
109772 depended on for attaching to a thread. Entries exist in /proc for
109773 threads, but are not visible in a readdir.
109774
109775commit 1bd899335f23815cfe8deac44c6b346398f3b95e
109776Author: Brad Spengler <spender@grsecurity.net>
109777Date: Sun Dec 4 18:03:28 2011 -0500
109778
109779 Put the already-walked path if in RCU-walk mode
109780
109781commit ec7ae36b7159f10649709779443a988662965d66
109782Author: Brad Spengler <spender@grsecurity.net>
109783Date: Sun Dec 4 17:35:21 2011 -0500
109784
109785 Fix memory leak introduced by recent (unpublished) commit
109786 75ab998b94a29d464518d6d501bdde3fbfcbfa14
109787
109788commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
109789Author: Brad Spengler <spender@grsecurity.net>
109790Date: Sun Dec 4 13:56:10 2011 -0500
109791
109792 Explicitly check size copied to userland in override_release to silence gcc
109793
109794commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
109795Author: Brad Spengler <spender@grsecurity.net>
109796Date: Sun Dec 4 13:54:02 2011 -0500
109797
109798 Initialize variable to silence erroneous gcc warning
109799
109800commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
109801Author: Brad Spengler <spender@grsecurity.net>
109802Date: Sun Dec 4 13:47:47 2011 -0500
109803
109804 Future-proof other potential RCU-aware locations where we can log.
109805
109806commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
109807Author: Brad Spengler <spender@grsecurity.net>
109808Date: Sun Dec 4 13:02:54 2011 -0500
109809
109810 Fix freeze reported by 'vs' on the forums. Bug occurred due to
109811 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
109812 in generic_permission() was in the task's effective set but disallowed by
109813 RBAC, would block when acquiring locks resulting in the freeze.
109814
109815 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
109816 as being required when CAP_DAC_OVERRIDE is present (consistent with
109817 older patches).
109818
109819commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
109820Author: Xi Wang <xi.wang@gmail.com>
109821Date: Tue Nov 29 09:26:30 2011 +0000
109822
109823 sctp: better integer overflow check in sctp_auth_create_key()
109824
109825 The check from commit 30c2235c is incomplete and cannot prevent
109826 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
109827 left-hand side of the check (INT_MAX - key_len), which is unsigned,
109828 becomes 0xffffffff (UINT_MAX) and bypasses the check.
109829
109830 However this shouldn't be a security issue. The function is called
109831 from the following two code paths:
109832
109833 1) setsockopt()
109834
109835 2) sctp_auth_asoc_set_secret()
109836
109837 In case (1), sca_keylength is never going to exceed 65535 since it's
109838 bounded by a u16 from the user API. As such, the key length will
109839 never overflow.
109840
109841 In case (2), sca_keylength is computed based on the user key (1 short)
109842 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
109843 will not overflow.
109844
109845 In other words, this overflow check is not really necessary. Just
109846 make it more correct.
109847
109848 Signed-off-by: Xi Wang <xi.wang@gmail.com>
109849 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
109850 Signed-off-by: David S. Miller <davem@davemloft.net>
109851
109852commit e565e28c3635a1d50f80541fbf6b606d742fec76
109853Author: Josh Boyer <jwboyer@redhat.com>
109854Date: Fri Aug 19 14:50:26 2011 -0400
109855
109856 fs/minix: Verify bitmap block counts before mounting
109857
109858 Newer versions of MINIX can create filesystems that allocate an extra
109859 bitmap block. Mounting of this succeeds, but doing a statfs call will
109860 result in an oops in count_free because of a negative number being used
109861 for the bh index.
109862
109863 Avoid this by verifying the number of allocated blocks at mount time,
109864 erroring out if there are not enough and make statfs ignore the extras
109865 if there are too many.
109866
109867 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
109868
109869 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
109870 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
109871
109872commit 6e134e398ec1a3f428261680e83df4319e64bed9
109873Author: Julia Lawall <julia@diku.dk>
109874Date: Tue Nov 15 14:53:11 2011 -0800
109875
109876 drivers/gpu/vga/vgaarb.c: add missing kfree
109877
109878 kbuf is a buffer that is local to this function, so all of the error paths
109879 leaving the function should release it.
109880
109881 Signed-off-by: Julia Lawall <julia@diku.dk>
109882 Cc: Jesper Juhl <jj@chaosbits.net>
109883 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
109884 Signed-off-by: Dave Airlie <airlied@redhat.com>
109885
109886commit 2b9057b321e36860e8d63985b5c4e496f254b717
109887Author: Brad Spengler <spender@grsecurity.net>
109888Date: Sat Dec 3 21:33:28 2011 -0500
109889
109890 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
109891
109892commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
109893Author: Brad Spengler <spender@grsecurity.net>
109894Date: Sat Dec 3 21:29:37 2011 -0500
109895
109896 Import pax-linux-3.1.4-test18.patch
109897
109898commit 285eb4ea45d853ae00426b3315a61c1368080dad
109899Author: Brad Spengler <spender@grsecurity.net>
109900Date: Sat Dec 10 18:33:46 2011 -0500
109901
109902 Import changes from pax-linux-3.1.5-test20.patch
109903
109904commit a6bda918fc90ec1d5c387e978d147ad2044153f1
109905Author: Brad Spengler <spender@grsecurity.net>
109906Date: Thu Dec 8 20:55:54 2011 -0500
109907
109908 Import changes from pax-linux-3.1.4-test19.patch
109909
109910commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
109911Author: Brad Spengler <spender@grsecurity.net>
109912Date: Sat Dec 3 21:29:37 2011 -0500
109913
109914 Import pax-linux-3.1.4-test18.patch
109915commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
109916Merge: 814820a 3a59a59
109917Author: Brad Spengler <spender@grsecurity.net>
109918Date: Sun May 12 21:51:18 2013 -0400
109919
109920 Merge branch 'pax-test' into grsec-test
109921
109922 Conflicts:
109923 security/Kconfig
109924
109925commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
109926Author: Brad Spengler <spender@grsecurity.net>
109927Date: Sun May 12 21:50:07 2013 -0400
109928
109929 Update to pax-linux-3.8.13-test24.patch:
109930 - fixed sparc/constification compile error, reported by blake
109931 - UDEREF/amd64 should be a bit more efficient when disabled at boot time
109932 - fixed some unnecessary integer truncations that could trip up the size overflow plugin
109933
109934 arch/arm/kernel/vmlinux.lds.S | 4 ++--
109935 arch/sparc/kernel/us3_cpufreq.c | 4 ++--
109936 arch/x86/ia32/ia32entry.S | 4 ++--
109937 arch/x86/include/asm/pgtable.h | 6 ++++--
109938 arch/x86/include/asm/uaccess.h | 6 +++---
109939 arch/x86/kernel/kprobes-opt.c | 4 ++++
109940 arch/x86/lib/copy_user_nocache_64.S | 2 +-
109941 arch/x86/lib/getuser.S | 8 ++++----
109942 arch/x86/lib/putuser.S | 8 ++++----
109943 arch/x86/mm/fault.c | 6 +++---
109944 drivers/net/slip/slhc.c | 2 +-
109945 drivers/staging/iio/ring_sw.c | 2 +-
109946 fs/binfmt_elf.c | 6 +++---
109947 fs/nfsd/nfscache.c | 2 +-
109948 fs/xattr.c | 21 +++++++++++++++++++++
109949 include/linux/syscalls.h | 2 +-
109950 include/linux/xattr.h | 3 +++
109951 init/main.c | 3 +++
109952 kernel/futex_compat.c | 2 +-
109953 kernel/trace/trace.h | 2 +-
109954 net/socket.c | 2 +-
109955 security/Kconfig | 2 +-
109956 22 files changed, 67 insertions(+), 34 deletions(-)
109957
109958commit 814820abfe5b9a34401d838b2510431a4cd92be9
109959Author: Dan Carpenter <dan.carpenter@oracle.com>
109960Date: Mon May 6 09:31:17 2013 +0000
109961
109962 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
109963
109964 tipc: potential divide by zero in tipc_link_recv_fragment()
109965
109966 The worry here is that fragm_sz could be zero since it comes from
109967 skb->data.
109968
109969 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
109970 Signed-off-by: David S. Miller <davem@davemloft.net>
109971
109972 net/tipc/link.c | 6 ++++--
109973 1 files changed, 4 insertions(+), 2 deletions(-)
109974
109975commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
109976Author: Dan Carpenter <dan.carpenter@oracle.com>
109977Date: Mon May 6 08:28:41 2013 +0000
109978
109979 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
109980
109981 tipc: add a bounds check in link_recv_changeover_msg()
109982
109983 The bearer_id here comes from skb->data and it can be a number from 0 to
109984 7. The problem is that the ->links[] array has only 2 elements so I
109985 have added a range check.
109986
109987 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
109988 Signed-off-by: David S. Miller <davem@davemloft.net>
109989
109990 net/tipc/link.c | 5 ++++-
109991 1 files changed, 4 insertions(+), 1 deletions(-)
109992
109993commit ed0428c4ef6c5498870772f212ac651216eb8d0c
109994Merge: 2452d8d dbf932a
109995Author: Brad Spengler <spender@grsecurity.net>
109996Date: Sun May 12 21:18:25 2013 -0400
109997
109998 Merge branch 'linux-3.8.y' into pax-test
109999
110000 Conflicts:
110001 arch/x86/kernel/cpu/perf_event_intel_uncore.c
110002 arch/x86/mm/init.c
110003
110004commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
110005Author: Brad Spengler <spender@grsecurity.net>
110006Date: Sun May 12 20:24:01 2013 -0400
110007
110008 compile fix
110009
110010 grsecurity/gracl.c | 1 +
110011 grsecurity/gracl_segv.c | 1 +
110012 2 files changed, 2 insertions(+), 0 deletions(-)
110013
110014commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
110015Author: Brad Spengler <spender@grsecurity.net>
110016Date: Sun May 12 18:25:26 2013 -0400
110017
110018 fix btrfs support here as well
110019
110020 grsecurity/gracl_segv.c | 17 +++++++++--------
110021 1 files changed, 9 insertions(+), 8 deletions(-)
110022
110023commit c75e4664fe4d20da1639f70d9def097c4f20856b
110024Author: Brad Spengler <spender@grsecurity.net>
110025Date: Sun May 12 18:12:57 2013 -0400
110026
110027 Fix RBAC compatibility with btrfs compiled as a module, as
110028 reported on the forums by YuHg at:
110029 http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
110030
110031 fs/btrfs/inode.c | 11 +----------
110032 grsecurity/gracl.c | 19 ++++++++++---------
110033 grsecurity/gracl_segv.c | 2 +-
110034 grsecurity/grsec_disabled.c | 2 +-
110035 4 files changed, 13 insertions(+), 21 deletions(-)
110036
110037commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
110038Author: Brad Spengler <spender@grsecurity.net>
110039Date: Sat May 11 12:12:00 2013 -0400
110040
110041 allow copies just up to the start of kernel code
110042
110043 fs/exec.c | 2 +-
110044 1 files changed, 1 insertions(+), 1 deletions(-)
110045
110046commit 04638852588cf243f865f5a73aa9dab94fab53b7
110047Author: Brad Spengler <spender@grsecurity.net>
110048Date: Fri May 10 16:53:07 2013 -0400
110049
110050 MODULES_EXEC_VADDR is a virtual address
110051
110052 fs/exec.c | 2 +-
110053 1 files changed, 1 insertions(+), 1 deletions(-)
110054
110055commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
110056Author: Brad Spengler <spender@grsecurity.net>
110057Date: Fri May 10 16:51:03 2013 -0400
110058
110059 exempt module rx areas from usercopy protection under i386 kernexec
110060 their .rodata will be placed between stext/etext causing copies of
110061 constant strings to trigger usercopy reports/terminations
110062
110063 fs/exec.c | 5 +++++
110064 1 files changed, 5 insertions(+), 0 deletions(-)
110065
110066commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
110067Author: Brad Spengler <spender@grsecurity.net>
110068Date: Wed May 8 20:25:52 2013 -0400
110069
110070 User jorgus on the forums:
110071 http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
110072 discovered that the upstreamed version of enforcing RLIMIT_NPROC
110073 at setuid/exec time missed an important corner case:
110074 If RLIMIT_NPROC is set after a setuid occurs and the user's process
110075 limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
110076 happen at exec time for the task with a modified RLIMIT_NPROC.
110077
110078 This patch fixes that.
110079
110080 kernel/sys.c | 7 +++++++
110081 1 files changed, 7 insertions(+), 0 deletions(-)
110082
110083commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
110084Merge: 539fff0 2452d8d
110085Author: Brad Spengler <spender@grsecurity.net>
110086Date: Wed May 8 18:13:41 2013 -0400
110087
110088 Merge branch 'pax-test' into grsec-test
110089
110090commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
110091Merge: 6c850d8 9c9ab76
110092Author: Brad Spengler <spender@grsecurity.net>
110093Date: Wed May 8 18:13:31 2013 -0400
110094
110095 Merge branch 'linux-3.8.y' into pax-test
110096
110097 Conflicts:
110098 arch/x86/kernel/irq.c
110099 kernel/trace/trace_stack.c
110100
110101commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
110102Author: Brad Spengler <spender@grsecurity.net>
110103Date: Tue May 7 21:43:00 2013 -0400
110104
110105 turn counter into a flag
110106
110107 grsecurity/Kconfig | 2 +-
110108 grsecurity/grsec_chroot.c | 8 ++++----
110109 2 files changed, 5 insertions(+), 5 deletions(-)
110110
110111commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
110112Author: Brad Spengler <spender@grsecurity.net>
110113Date: Tue May 7 21:02:39 2013 -0400
110114
110115 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
110116 useful for Fedora/RHEL users
110117
110118 grsecurity/Kconfig | 10 ++++++++++
110119 grsecurity/grsec_chroot.c | 17 +++++++++++++++--
110120 2 files changed, 25 insertions(+), 2 deletions(-)
110121
110122commit 418102925c0cfb0de51b0a021abaa575e28fafa6
110123Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
110124Date: Fri May 3 14:11:25 2013 +0200
110125
110126 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
110127
110128 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
110129
110130 We should always have proper privileges when requesting kernel
110131 data.
110132
110133 Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
110134 Cc: <stable@kernel.org>
110135 Cc: Andi Kleen <ak@linux.intel.com>
110136 Cc: eranian@google.com
110137 Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
110138 [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
110139 Signed-off-by: Ingo Molnar <mingo@kernel.org>
110140 Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
110141
110142 arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
110143 1 files changed, 10 insertions(+), 3 deletions(-)
110144
110145commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
110146Author: Eric Dumazet <edumazet@google.com>
110147Date: Mon Apr 29 05:58:52 2013 +0000
110148
110149 Upstream commit: aebda156a570782a86fc4426842152237a19427d
110150
110151 net: defer net_secret[] initialization
110152
110153 Instead of feeding net_secret[] at boot time, defer the init
110154 at the point first socket is created.
110155
110156 This permits some platforms to use better entropy sources than
110157 the ones available at boot time.
110158
110159 Signed-off-by: Eric Dumazet <edumazet@google.com>
110160 Signed-off-by: David S. Miller <davem@davemloft.net>
110161
110162 include/net/secure_seq.h | 1 +
110163 net/core/secure_seq.c | 4 +---
110164 net/ipv4/af_inet.c | 5 ++++-
110165 3 files changed, 6 insertions(+), 4 deletions(-)
110166
110167commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
110168Author: Daniel Borkmann <dborkman@redhat.com>
110169Date: Wed May 1 02:59:23 2013 +0000
110170
110171 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
110172
110173 net: sctp: attribute printl with __printf for gcc fmt checks
110174
110175 Let GCC check for format string errors in sctp's probe printl
110176 function. This patch fixes the warning when compiled with W=1:
110177
110178 net/sctp/probe.c:73:2: warning: function might be possible candidate
110179 for 'gnu_printf' format attribute [-Wmissing-format-attribute]
110180
110181 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
110182 Signed-off-by: David S. Miller <davem@davemloft.net>
110183
110184 net/sctp/probe.c | 2 +-
110185 1 files changed, 1 insertions(+), 1 deletions(-)
110186
110187commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
110188Author: Brad Spengler <spender@grsecurity.net>
110189Date: Thu May 2 19:58:54 2013 -0400
110190
110191 remove no-longer-needed vmware 8 compat fix
110192
110193 mm/page_alloc.c | 6 ------
110194 1 files changed, 0 insertions(+), 6 deletions(-)
110195
110196commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
110197Author: Brad Spengler <spender@grsecurity.net>
110198Date: Thu May 2 19:55:23 2013 -0400
110199
110200 remove unnecessary < 0 check
110201
110202 net/phonet/af_phonet.c | 2 +-
110203 1 files changed, 1 insertions(+), 1 deletions(-)
110204
110205commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
110206Author: Brad Spengler <spender@grsecurity.net>
110207Date: Wed May 1 18:30:48 2013 -0400
110208
110209 remove references to CONFIG_X86_WP_WORKS_OK
110210
110211 arch/um/defconfig | 1 -
110212 security/Kconfig | 2 +-
110213 2 files changed, 1 insertions(+), 2 deletions(-)
110214
110215commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
110216Merge: a8dbe8e 6c850d8
110217Author: Brad Spengler <spender@grsecurity.net>
110218Date: Wed May 1 18:28:44 2013 -0400
110219
110220 Merge branch 'pax-test' into grsec-test
110221
110222 Conflicts:
110223 arch/sparc/mm/ultra.S
110224 drivers/tty/tty_io.c
110225
110226commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
110227Merge: cdbcbef 9fa1d01
110228Author: Brad Spengler <spender@grsecurity.net>
110229Date: Wed May 1 18:25:18 2013 -0400
110230
110231 Merge branch 'linux-3.8.y' into pax-test
110232
110233commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
110234Author: Brad Spengler <spender@grsecurity.net>
110235Date: Mon Apr 29 18:44:23 2013 -0400
110236
110237 add module.h to silence compiler warning, thanks to
110238 Sergei Trofimovich
110239
110240 fs/btrfs/inode.c | 1 +
110241 1 files changed, 1 insertions(+), 0 deletions(-)
110242
110243commit 55eba82aca97aa56378e000840c48965557721e8
110244Author: Brad Spengler <spender@grsecurity.net>
110245Date: Mon Apr 29 18:43:03 2013 -0400
110246
110247 compilation fix
110248
110249 kernel/trace/trace.h | 2 +-
110250 1 files changed, 1 insertions(+), 1 deletions(-)
110251
110252commit e3bf912b54af6df7fbebc68b5999554562056c5c
110253Merge: 5b72e37 cdbcbef
110254Author: Brad Spengler <spender@grsecurity.net>
110255Date: Mon Apr 29 18:34:42 2013 -0400
110256
110257 Merge branch 'pax-test' into grsec-test
110258
110259commit cdbcbef45c4f003cbee11e10668a35d424c17c60
110260Author: Brad Spengler <spender@grsecurity.net>
110261Date: Mon Apr 29 18:33:35 2013 -0400
110262
110263 Update to pax-linux-3.8.10-test21.patch:
110264 - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
110265 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
110266 note that the false positive is not fixed yet
110267 - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
110268 - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
110269 - reverted the nested NMI fix in search for a real one
110270 - simplified the arm_delay_ops constification
110271
110272 arch/arm/include/asm/delay.h | 8 ++++----
110273 arch/arm/lib/delay.c | 17 +++++------------
110274 arch/x86/kernel/entry_64.S | 11 ++++++++++-
110275 arch/x86/kernel/i8259.c | 2 +-
110276 arch/x86/kernel/pci-calgary_64.c | 2 +-
110277 arch/x86/kvm/vmx.c | 4 ++--
110278 drivers/block/pktcdvd.c | 2 +-
110279 fs/btrfs/extent-tree.c | 2 +-
110280 fs/nfsd/nfscache.c | 6 ++++--
110281 kernel/trace/trace.c | 2 +-
110282 tools/gcc/structleak_plugin.c | 4 ++++
110283 11 files changed, 34 insertions(+), 26 deletions(-)
110284
110285commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
110286Author: Brad Spengler <spender@grsecurity.net>
110287Date: Fri Apr 26 20:53:06 2013 -0400
110288
110289 don't use file_inode()
110290
110291 drivers/tty/tty_io.c | 2 +-
110292 1 files changed, 1 insertions(+), 1 deletions(-)
110293
110294commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
110295Author: Jiri Slaby <jslaby@suse.cz>
110296Date: Fri Apr 26 13:48:53 2013 +0200
110297
110298 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
110299
110300 TTY: fix atime/mtime regression
110301
110302 In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
110303 we removed timestamps from tty inodes to fix a security issue and waited
110304 if something breaks. Well, 'w', the utility to find out logged users
110305 and their inactivity time broke. It shows that users are inactive since
110306 the time they logged in.
110307
110308 To revert to the old behaviour while still preventing attackers to
110309 guess the password length, we update the timestamps in one-minute
110310 intervals by this patch.
110311
110312 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
110313 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
110314 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
110315
110316 Conflicts:
110317
110318 drivers/tty/tty_io.c
110319
110320 drivers/tty/tty_io.c | 15 ++++++++++++++-
110321 1 files changed, 14 insertions(+), 1 deletions(-)
110322
110323commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
110324Author: Jiri Slaby <jslaby@suse.cz>
110325Date: Fri Feb 15 15:25:05 2013 +0100
110326
110327 Upstream commit: b0de59b5733d
110328
110329 TTY: do not update atime/mtime on read/write
110330
110331 On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
110332 out length of a password using timestamps of /dev/ptmx. It is
110333 documented in "Timing Analysis of Keystrokes and Timing Attacks on
110334 SSH". To avoid that problem, do not update time when reading
110335 from/writing to a TTY.
110336
110337 I am afraid of regressions as this is a behavior we have since 0.97
110338 and apps may expect the time to be current, e.g. for monitoring
110339 whether there was a change on the TTY. Now, there is no change. So
110340 this would better have a lot of testing before it goes upstream.
110341
110342 References: CVE-2013-0160
110343
110344 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
110345 Cc: stable <stable@vger.kernel.org> # after 3.9 is out
110346 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
110347
110348 drivers/tty/tty_io.c | 8 ++------
110349 1 files changed, 2 insertions(+), 6 deletions(-)
110350
110351commit 5344a24e2320d61dbdb88aae04922f0799deefd0
110352Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
110353Date: Fri Apr 26 11:03:53 2013 +0800
110354
110355 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
110356
110357 aio: fix possible invalid memory access when DEBUG is enabled
110358
110359 dprintk() shouldn't access @ring after it's unmapped.
110360
110361 Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
110362 Cc: stable@vger.kernel.org
110363 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
110364
110365 fs/aio.c | 2 +-
110366 1 files changed, 1 insertions(+), 1 deletions(-)
110367
110368commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
110369Author: John David Anglin <dave.anglin@bell.net>
110370Date: Tue Apr 23 22:42:07 2013 +0200
110371
110372 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
110373
110374 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
110375
110376 User applications running on SMP kernels have long suffered from instability
110377 and random segmentation faults. This patch improves the situation although
110378 there is more work to be done.
110379
110380 One of the problems is the various routines in pgtable.h that update page table
110381 entries use different locking mechanisms, or no lock at all (set_pte_at). This
110382 change modifies the routines to all use the same lock pa_dbit_lock. This lock
110383 is used for dirty bit updates in the interruption code. The patch also purges
110384 the TLB entries associated with the PTE to ensure that inconsistent values are
110385 not used after the page table entry is updated. The UP and SMP code are now
110386 identical.
110387
110388 The change also includes a minor update to the purge_tlb_entries function in
110389 cache.c to improve its efficiency.
110390
110391 Signed-off-by: John David Anglin <dave.anglin@bell.net>
110392 Cc: Helge Deller <deller@gmx.de>
110393 Signed-off-by: Helge Deller <deller@gmx.de>
110394
110395 arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
110396 arch/parisc/kernel/cache.c | 5 +---
110397 2 files changed, 26 insertions(+), 26 deletions(-)
110398
110399commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
110400Merge: ba54c97 4d05084
110401Author: Brad Spengler <spender@grsecurity.net>
110402Date: Fri Apr 26 18:17:20 2013 -0400
110403
110404 Merge branch 'pax-test' into grsec-test
110405
110406 Conflicts:
110407 arch/x86/kvm/x86.c
110408 include/linux/capability.h
110409
110410commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
110411Merge: c664779 bb8dd67
110412Author: Brad Spengler <spender@grsecurity.net>
110413Date: Fri Apr 26 18:15:45 2013 -0400
110414
110415 Merge branch 'linux-3.8.y' into pax-test
110416
110417commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
110418Author: David S. Miller <davem@davemloft.net>
110419Date: Wed Apr 24 16:52:18 2013 -0700
110420
110421 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
110422
110423 sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
110424
110425 Reported-by: Meelis Roos <mroos@linux.ee>
110426 Signed-off-by: David S. Miller <davem@davemloft.net>
110427
110428 arch/sparc/mm/tlb.c | 3 ++-
110429 1 files changed, 2 insertions(+), 1 deletions(-)
110430
110431commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
110432Author: David S. Miller <davem@davemloft.net>
110433Date: Fri Apr 19 17:26:26 2013 -0400
110434
110435 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
110436
110437 sparc64: Fix race in TLB batch processing.
110438
110439 As reported by Dave Kleikamp, when we emit cross calls to do batched
110440 TLB flush processing we have a race because we do not synchronize on
110441 the sibling cpus completing the cross call.
110442
110443 So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
110444 and either flushes are missed or flushes will flush the wrong
110445 addresses.
110446
110447 Fix this by using generic infrastructure to synchonize on the
110448 completion of the cross call.
110449
110450 This first required getting the flush_tlb_pending() call out from
110451 switch_to() which operates with locks held and interrupts disabled.
110452 The problem is that smp_call_function_many() cannot be invoked with
110453 IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
110454
110455 We get the batch processing outside of locked IRQ disabled sections by
110456 using some ideas from the powerpc port. Namely, we only batch inside
110457 of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
110458 region, we flush TLBs synchronously.
110459
110460 1) Get rid of xcall_flush_tlb_pending and per-cpu type
110461 implementations.
110462
110463 2) Do TLB batch cross calls instead via:
110464
110465 smp_call_function_many()
110466 tlb_pending_func()
110467 __flush_tlb_pending()
110468
110469 3) Batch only in lazy mmu sequences:
110470
110471 a) Add 'active' member to struct tlb_batch
110472 b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
110473 c) Set 'active' in arch_enter_lazy_mmu_mode()
110474 d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
110475 e) Check 'active' in tlb_batch_add_one() and do a synchronous
110476 flush if it's clear.
110477
110478 4) Add infrastructure for synchronous TLB page flushes.
110479
110480 a) Implement __flush_tlb_page and per-cpu variants, patch
110481 as needed.
110482 b) Likewise for xcall_flush_tlb_page.
110483 c) Implement smp_flush_tlb_page() to invoke the cross-call.
110484 d) Wire up global_flush_tlb_page() to the right routine based
110485 upon CONFIG_SMP
110486
110487 5) It turns out that singleton batches are very common, 2 out of every
110488 3 batch flushes have only a single entry in them.
110489
110490 The batch flush waiting is very expensive, both because of the poll
110491 on sibling cpu completeion, as well as because passing the tlb batch
110492 pointer to the sibling cpus invokes a shared memory dereference.
110493
110494 Therefore, in flush_tlb_pending(), if there is only one entry in
110495 the batch perform a completely asynchronous global_flush_tlb_page()
110496 instead.
110497
110498 Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
110499 Signed-off-by: David S. Miller <davem@davemloft.net>
110500 Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
110501
110502 arch/sparc/include/asm/pgtable_64.h | 1 +
110503 arch/sparc/include/asm/switch_to_64.h | 3 +-
110504 arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
110505 arch/sparc/kernel/smp_64.c | 41 ++++++++++-
110506 arch/sparc/mm/tlb.c | 38 +++++++++-
110507 arch/sparc/mm/tsb.c | 57 ++++++++++++----
110508 arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
110509 7 files changed, 241 insertions(+), 55 deletions(-)
110510
110511commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
110512Author: Linus Torvalds <torvalds@linux-foundation.org>
110513Date: Fri Apr 19 15:32:32 2013 +0000
110514
110515 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
110516
110517 net: fix incorrect credentials passing
110518
110519 Commit 257b5358b32f ("scm: Capture the full credentials of the scm
110520 sender") changed the credentials passing code to pass in the effective
110521 uid/gid instead of the real uid/gid.
110522
110523 Obviously this doesn't matter most of the time (since normally they are
110524 the same), but it results in differences for suid binaries when the wrong
110525 uid/gid ends up being used.
110526
110527 This just undoes that (presumably unintentional) part of the commit.
110528
110529 Reported-by: Andy Lutomirski <luto@amacapital.net>
110530 Cc: Eric W. Biederman <ebiederm@xmission.com>
110531 Cc: Serge E. Hallyn <serge@hallyn.com>
110532 Cc: David S. Miller <davem@davemloft.net>
110533 Cc: stable@vger.kernel.org
110534 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
110535 Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
110536 Signed-off-by: David S. Miller <davem@davemloft.net>
110537
110538 include/net/scm.h | 4 ++--
110539 1 files changed, 2 insertions(+), 2 deletions(-)
110540
110541commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
110542Author: Brad Spengler <spender@grsecurity.net>
110543Date: Thu Apr 18 19:22:40 2013 -0400
110544
110545 move _etext to only cover kernel code, not read-only data, as reported by Gu1
110546
110547 arch/arm/kernel/vmlinux.lds.S | 4 ++--
110548 1 files changed, 2 insertions(+), 2 deletions(-)
110549
110550commit 98ad6adbc48759e4f9eae435d3e51ba487155685
110551Author: Brad Spengler <spender@grsecurity.net>
110552Date: Thu Apr 18 19:17:24 2013 -0400
110553
110554 add asm/sections.h for USERCOPY change
110555
110556 fs/exec.c | 1 +
110557 1 files changed, 1 insertions(+), 0 deletions(-)
110558
110559commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
110560Author: Dmitry Popov <dp@highloadlab.com>
110561Date: Thu Apr 11 08:55:07 2013 +0000
110562
110563 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
110564
110565 tcp: incoming connections might use wrong route under synflood
110566
110567 There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
110568 flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
110569 RT_SCOPE_UNIVERSE, IPPROTO_TCP,
110570 inet_sk_flowi_flags(sk),
110571 (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
110572 ireq->loc_addr, th->source, th->dest);
110573
110574 Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
110575 taken. This dst_entry is used by new socket (get_cookie_sock ->
110576 tcp_v4_syn_recv_sock), so its packets may take the wrong path.
110577
110578 Signed-off-by: Dmitry Popov <dp@highloadlab.com>
110579 Signed-off-by: David S. Miller <davem@davemloft.net>
110580
110581 net/ipv4/syncookies.c | 4 ++--
110582 1 files changed, 2 insertions(+), 2 deletions(-)
110583
110584commit 3600395e8fef3ae712e72f9b68c3609639616df8
110585Author: Thomas Graf <tgraf@suug.ch>
110586Date: Thu Apr 11 10:57:18 2013 +0000
110587
110588 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
110589
110590 tcp: Reallocate headroom if it would overflow csum_start
110591
110592 If a TCP retransmission gets partially ACKed and collapsed multiple
110593 times it is possible for the headroom to grow beyond 64K which will
110594 overflow the 16bit skb->csum_start which is based on the start of
110595 the headroom. It has been observed rarely in the wild with IPoIB due
110596 to the 64K MTU.
110597
110598 Verify if the acking and collapsing resulted in a headroom exceeding
110599 what csum_start can cover and reallocate the headroom if so.
110600
110601 A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
110602 LLNL for helping out with the investigation and testing.
110603
110604 Reported-by: Jim Foraker <foraker1@llnl.gov>
110605 Signed-off-by: Thomas Graf <tgraf@suug.ch>
110606 Acked-by: Eric Dumazet <edumazet@google.com>
110607 Signed-off-by: David S. Miller <davem@davemloft.net>
110608
110609 net/ipv4/tcp_output.c | 8 ++++++--
110610 1 files changed, 6 insertions(+), 2 deletions(-)
110611
110612commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
110613Author: Ivan Vecera <ivecera@redhat.com>
110614Date: Fri Apr 12 16:49:24 2013 +0200
110615
110616 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
110617
110618 be2net: take care of __vlan_put_tag return value
110619
110620 The driver should use return value of __vlan_put_tag with appropriate
110621 NULL-check instead of old skb pointer.
110622
110623 Signed-off-by: Ivan Vecera <ivecera@redhat.com>
110624 Signed-off-by: David S. Miller <davem@davemloft.net>
110625
110626 drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
110627 1 files changed, 3 insertions(+), 2 deletions(-)
110628
110629commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
110630Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
110631Date: Fri Apr 12 03:17:12 2013 +0000
110632
110633 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
110634
110635 tuntap: fix error return code in tun_set_iff()
110636
110637 Fix to return a negative error code from the error handling
110638 case instead of 0, as returned elsewhere in this function.
110639
110640 [ Bug added in linux-3.8 , commit 4008e97f866db665
110641 ("tuntap: fix ambigious multiqueue API") ]
110642
110643 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
110644 Acked-by: Eric Dumazet <edumazet@google.com>
110645 Signed-off-by: David S. Miller <davem@davemloft.net>
110646
110647 drivers/net/tun.c | 2 +-
110648 1 files changed, 1 insertions(+), 1 deletions(-)
110649
110650commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
110651Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
110652Date: Sat Apr 13 15:49:03 2013 +0000
110653
110654 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
110655
110656 esp4: fix error return code in esp_output()
110657
110658 Fix to return a negative error code from the error handling
110659 case instead of 0, as returned elsewhere in this function.
110660
110661 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
110662 Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
110663 Signed-off-by: David S. Miller <davem@davemloft.net>
110664
110665 net/ipv4/esp4.c | 6 +++---
110666 1 files changed, 3 insertions(+), 3 deletions(-)
110667
110668commit 2b45b5f52c2a8930f80c62de392a62516c83e225
110669Author: Bjørn Mork <bjorn@mork.no>
110670Date: Tue Apr 16 00:17:07 2013 +0000
110671
110672 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
110673
110674 net: cdc_mbim: remove bogus sizeof()
110675
110676 The intention was to test against the constant, not the size of
110677 the constant.
110678
110679 Signed-off-by: Bjørn Mork <bjorn@mork.no>
110680 Signed-off-by: David S. Miller <davem@davemloft.net>
110681
110682 drivers/net/usb/cdc_mbim.c | 2 +-
110683 1 files changed, 1 insertions(+), 1 deletions(-)
110684
110685commit 17d7408795519037a5a1272c7888238e20830bfe
110686Author: Vyacheslav Dubeyko <slava@dubeyko.com>
110687Date: Wed Apr 17 15:58:33 2013 -0700
110688
110689 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
110690
110691 hfsplus: fix potential overflow in hfsplus_file_truncate()
110692
110693 Change a u32 to loff_t hfsplus_file_truncate().
110694
110695 Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
110696 Cc: Christoph Hellwig <hch@infradead.org>
110697 Cc: Al Viro <viro@zeniv.linux.org.uk>
110698 Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
110699 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
110700 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
110701
110702 fs/hfsplus/extents.c | 2 +-
110703 1 files changed, 1 insertions(+), 1 deletions(-)
110704
110705commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
110706Author: Emese Revfy <re.emese@gmail.com>
110707Date: Wed Apr 17 15:58:36 2013 -0700
110708
110709 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
110710
110711 kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
110712
110713 This fixes a kernel memory contents leak via the tkill and tgkill syscalls
110714 for compat processes.
110715
110716 This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
110717 when handling signals delivered from tkill.
110718
110719 The place of the infoleak:
110720
110721 int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
110722 {
110723 ...
110724 put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
110725 ...
110726 }
110727
110728 Signed-off-by: Emese Revfy <re.emese@gmail.com>
110729 Reviewed-by: PaX Team <pageexec@freemail.hu>
110730 Signed-off-by: Kees Cook <keescook@chromium.org>
110731 Cc: Al Viro <viro@zeniv.linux.org.uk>
110732 Cc: Oleg Nesterov <oleg@redhat.com>
110733 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
110734 Cc: Serge Hallyn <serge.hallyn@canonical.com>
110735 Cc: <stable@vger.kernel.org>
110736 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
110737 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
110738
110739 kernel/signal.c | 2 +-
110740 1 files changed, 1 insertions(+), 1 deletions(-)
110741
110742commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
110743Author: Brad Spengler <spender@grsecurity.net>
110744Date: Wed Apr 17 20:17:00 2013 -0400
110745
110746 Improve PAX_USERCOPY to reject direct copies to/from main kernel text
110747
110748 fs/exec.c | 29 +++++++++++++++++++++++++++--
110749 1 files changed, 27 insertions(+), 2 deletions(-)
110750
110751commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
110752Merge: e87c19f c664779
110753Author: Brad Spengler <spender@grsecurity.net>
110754Date: Wed Apr 17 20:06:08 2013 -0400
110755
110756 Merge branch 'pax-test' into grsec-test
110757
110758commit c664779987cb0c27a242029f0e0db812e3236203
110759Author: Brad Spengler <spender@grsecurity.net>
110760Date: Wed Apr 17 19:54:09 2013 -0400
110761
110762 add intentional_overflow marking for resource_size() as reasoned by:
110763 http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
110764
110765 include/linux/ioport.h | 2 +-
110766 1 files changed, 1 insertions(+), 1 deletions(-)
110767
110768commit e87c19f8312355b8658e5138c16bfa6043a379c8
110769Merge: 802d119 d0c636c
110770Author: Brad Spengler <spender@grsecurity.net>
110771Date: Wed Apr 17 16:57:12 2013 -0400
110772
110773 Merge branch 'pax-test' into grsec-test
110774
110775commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
110776Merge: bc88628 2396403
110777Author: Brad Spengler <spender@grsecurity.net>
110778Date: Wed Apr 17 16:57:01 2013 -0400
110779
110780 Merge branch 'linux-3.8.y' into pax-test
110781
110782 Conflicts:
110783 arch/x86/kernel/paravirt.c
110784
110785commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
110786Author: Brad Spengler <spender@grsecurity.net>
110787Date: Sun Apr 14 21:39:51 2013 -0400
110788
110789 move location of RBAC user check on setfsuid until after capability checks
110790 for consistency with other checks
110791
110792 kernel/sys.c | 6 +++---
110793 1 files changed, 3 insertions(+), 3 deletions(-)
110794
110795commit 1a860d7d67051559ab2e6d10f9888649c92904e6
110796Author: Brad Spengler <spender@grsecurity.net>
110797Date: Sun Apr 14 21:34:46 2013 -0400
110798
110799 A denied setfsuid by the RBAC system would result in an abort_creds() being called
110800 with an uninitalized pointer, introduced by a bad forward-port
110801
110802 kernel/sys.c | 6 +++---
110803 1 files changed, 3 insertions(+), 3 deletions(-)
110804
110805commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
110806Merge: c38d142 bc88628
110807Author: Brad Spengler <spender@grsecurity.net>
110808Date: Sun Apr 14 21:28:33 2013 -0400
110809
110810 Merge branch 'pax-test' into grsec-test
110811
110812 Conflicts:
110813 security/Kconfig
110814
110815commit bc88628a6a8fcccaabb90908640809b0540df225
110816Author: Brad Spengler <spender@grsecurity.net>
110817Date: Sun Apr 14 21:26:41 2013 -0400
110818
110819 Update to pax-linux-3.8.7-test20.patch:
110820 - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
110821 - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
110822 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
110823 - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
110824
110825 arch/powerpc/include/asm/smp.h | 2 +-
110826 arch/x86/Kconfig | 4 ++--
110827 arch/x86/kernel/entry_64.S | 8 ++++----
110828 security/Kconfig | 2 +-
110829 4 files changed, 8 insertions(+), 8 deletions(-)
110830
110831commit c38d142744489fc4d9be80188b6435a278438fd9
110832Author: Suleiman Souhlal <suleiman@google.com>
110833Date: Sat Apr 13 16:03:06 2013 -0700
110834
110835 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
110836
110837 vfs: Revert spurious fix to spinning prevention in prune_icache_sb
110838
110839 Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
110840
110841 This commit doesn't look right: since we are looking at the tail of the
110842 list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
110843 it back at the head of the list instead of the tail, otherwise we will
110844 keep spinning on it.
110845
110846 Discovered when investigating why prune_icache_sb came top in perf
110847 reports of a swapping load.
110848
110849 Signed-off-by: Suleiman Souhlal <suleiman@google.com>
110850 Signed-off-by: Hugh Dickins <hughd@google.com>
110851 Cc: stable@vger.kernel.org # v3.2+
110852 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
110853
110854 fs/inode.c | 2 +-
110855 1 files changed, 1 insertions(+), 1 deletions(-)
110856
110857commit 93019624b80ba59798393942798d7f6ed0c1dbc6
110858Author: Linus Torvalds <torvalds@linux-foundation.org>
110859Date: Sat Apr 13 15:15:30 2013 -0700
110860
110861 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
110862
110863 kobject: fix kset_find_obj() race with concurrent last kobject_put()
110864
110865 Anatol Pomozov identified a race condition that hits module unloading
110866 and re-loading. To quote Anatol:
110867
110868 "This is a race codition that exists between kset_find_obj() and
110869 kobject_put(). kset_find_obj() might return kobject that has refcount
110870 equal to 0 if this kobject is freeing by kobject_put() in other
110871 thread.
110872
110873 Here is timeline for the crash in case if kset_find_obj() searches for
110874 an object tht nobody holds and other thread is doing kobject_put() on
110875 the same kobject:
110876
110877 THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())
110878 splin_lock()
110879 atomic_dec_return(kobj->kref), counter gets zero here
110880 ... starts kobject cleanup ....
110881 spin_lock() // WAIT thread A in kobj_kset_leave()
110882 iterate over kset->list
110883 atomic_inc(kobj->kref) (counter becomes 1)
110884 spin_unlock()
110885 spin_lock() // taken
110886 // it does not know that thread A increased counter so it
110887 remove obj from list
110888 spin_unlock()
110889 vfree(module) // frees module object with containing kobj
110890
110891 // kobj points to freed memory area!!
110892 kobject_put(kobj) // OOPS!!!!
110893
110894 The race above happens because module.c tries to use kset_find_obj()
110895 when somebody unloads module. The module.c code was introduced in
110896 commit 6494a93d55fa"
110897
110898 Anatol supplied a patch specific for module.c that worked around the
110899 problem by simply not using kset_find_obj() at all, but rather than make
110900 a local band-aid, this just fixes kset_find_obj() to be thread-safe
110901 using the proper model of refusing the get a new reference if the
110902 refcount has already dropped to zero.
110903
110904 See examples of this proper refcount handling not only in the kref
110905 documentation, but in various other equivalent uses of this pattern by
110906 grepping for atomic_inc_not_zero().
110907
110908 [ Side note: the module race does indicate that module loading and
110909 unloading is not properly serialized wrt sysfs information using the
110910 module mutex. That may require further thought, but this is the
110911 correct fix at the kobject layer regardless. ]
110912
110913 Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
110914 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
110915 Cc: Al Viro <viro@zeniv.linux.org.uk>
110916 Cc: stable@vger.kernel.org
110917 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
110918
110919 lib/kobject.c | 9 ++++++++-
110920 1 files changed, 8 insertions(+), 1 deletions(-)
110921
110922commit 5277b052b5fab36729e1255fb3b12f47a4b12867
110923Author: Dave Hansen <dave@sr71.net>
110924Date: Fri Apr 12 16:23:54 2013 -0700
110925
110926 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
110927
110928 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
110929
110930 This patch attempts to fix:
110931
110932 https://bugzilla.kernel.org/show_bug.cgi?id=56461
110933
110934 The symptom is a crash and messages like this:
110935
110936 chrome: Corrupted page table at address 34a03000
110937 *pdpt = 0000000000000000 *pde = 0000000000000000
110938 Bad pagetable: 000f [#1] PREEMPT SMP
110939
110940 Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
110941 enable tlb flush range support for x86") since that code started to free
110942 unused pagetables.
110943
110944 On x86-32 PAE kernels, that new code has the potential to free an entire
110945 PMD page and will clear one of the four page-directory-pointer-table
110946 (aka pgd_t entries).
110947
110948 The hardware aggressively "caches" these top-level entries and invlpg
110949 does not actually affect the CPU's copy. If we clear one we *HAVE* to
110950 do a full TLB flush, otherwise we might continue using a freed pmd page.
110951 (note, we do this properly on the population side in pud_populate()).
110952
110953 This patch tracks whenever we clear one of these entries in the 'struct
110954 mmu_gather', and ensures that we follow up with a full tlb flush.
110955
110956 BTW, I disassembled and checked that:
110957
110958 if (tlb->fullmm == 0)
110959 and
110960 if (!tlb->fullmm && !tlb->need_flush_all)
110961
110962 generate essentially the same code, so there should be zero impact there
110963 to the !PAE case.
110964
110965 Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
110966 Cc: Peter Anvin <hpa@zytor.com>
110967 Cc: Ingo Molnar <mingo@kernel.org>
110968 Cc: Artem S Tashkinov <t.artem@mailcity.com>
110969 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
110970
110971 arch/x86/include/asm/tlb.h | 2 +-
110972 arch/x86/mm/pgtable.c | 7 +++++++
110973 include/asm-generic/tlb.h | 7 ++++++-
110974 mm/memory.c | 1 +
110975 4 files changed, 15 insertions(+), 2 deletions(-)
110976
110977commit 521e573fc77d1783c1d4636dfbb4617a922f043d
110978Merge: 032f626 f807619
110979Author: Brad Spengler <spender@grsecurity.net>
110980Date: Fri Apr 12 19:29:34 2013 -0400
110981
110982 Merge branch 'pax-test' into grsec-test
110983
110984commit f80761993b85df96fc142dfc3a317cadc0f8eae5
110985Author: Brad Spengler <spender@grsecurity.net>
110986Date: Fri Apr 12 19:28:21 2013 -0400
110987
110988 Update to pax-linux-3.8.7-test19.patch:
110989 - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
110990 - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
110991 - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
110992
110993 Makefile | 2 +-
110994 arch/x86/xen/enlighten.c | 6 +++---
110995 tools/gcc/structleak_plugin.c | 5 +++--
110996 3 files changed, 7 insertions(+), 6 deletions(-)
110997
110998commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
110999Merge: a3a770e 89886f5
111000Author: Brad Spengler <spender@grsecurity.net>
111001Date: Fri Apr 12 18:38:40 2013 -0400
111002
111003 Merge branch 'pax-test' into grsec-test
111004
111005commit 89886f561cc0d1c42a99624ec8c3704711088155
111006Merge: 9123489 531ec28
111007Author: Brad Spengler <spender@grsecurity.net>
111008Date: Fri Apr 12 18:38:30 2013 -0400
111009
111010 Merge branch 'linux-3.8.y' into pax-test
111011
111012commit a3a770e18578841e4fbe2aa0831a22811b4812cf
111013Author: Brad Spengler <spender@grsecurity.net>
111014Date: Thu Apr 11 20:46:20 2013 -0400
111015
111016 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
111017 Will be fixed with the next PaX patch
111018
111019 This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
111020
111021 security/Kconfig | 2 +-
111022 1 files changed, 1 insertions(+), 1 deletions(-)
111023
111024commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
111025Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
111026Date: Fri Mar 29 10:20:56 2013 -0400
111027
111028 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
111029
111030 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
111031
111032 Occassionaly on a DL380 G4 the guest would crash quite early with this:
111033
111034 (XEN) d244:v0: unhandled page fault (ec=0003)
111035 (XEN) Pagetable walk from ffffffff84dc7000:
111036 (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
111037 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
111038 (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
111039 (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
111040 (XEN) domain_crash_sync called from entry.S
111041 (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
111042 (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
111043 (XEN) CPU: 3
111044 (XEN) RIP: e033:[<ffffffff81263f22>]
111045 (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
111046 (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
111047 (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
111048
111049 The offending code shows it to be a loop writting the value zero
111050 (%rax) in the %rdi (the L4 provided by Xen) register:
111051
111052 0: 44 00 00 add %r8b,(%rax)
111053 3: 31 c0 xor %eax,%eax
111054 5: b9 40 00 00 00 mov $0x40,%ecx
111055 a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
111056 11: 00 00
111057 13: ff c9 dec %ecx
111058 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
111059 18: 48 89 47 08 mov %rax,0x8(%rdi)
111060 1c: 48 89 47 10 mov %rax,0x10(%rdi)
111061
111062 which fails. xen_setup_kernel_pagetable recycles some of the Xen's
111063 page-table entries when it has switched over to its Linux page-tables.
111064
111065 Right before try to clear the page, we make a hypercall to change
111066 it from _RO to _RW and that works (otherwise we would hit an BUG()).
111067 And the _RW flag is set for that page:
111068 (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
111069
111070 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
111071 present (correct), and we tried to write to the page, but a violation
111072 occurred. The one theory is that the the page entries in hardware
111073 (which are cached) are not up to date with what we just set. Especially
111074 as we have just done an CR3 write and flushed the multicalls.
111075
111076 This patch does solve the problem by flusing out the TLB page
111077 entry after changing it from _RO to _RW and we don't hit this
111078 issue anymore.
111079
111080 Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
111081 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
111082 Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
111083 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
111084
111085 arch/x86/xen/mmu.c | 12 ++++++++----
111086 1 files changed, 8 insertions(+), 4 deletions(-)
111087
111088commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
111089Author: Namhyung Kim <namhyung.kim@lge.com>
111090Date: Mon Apr 1 21:46:23 2013 +0900
111091
111092 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
111093
111094 tracing: Fix double free when function profile init failed
111095
111096 On the failure path, stat->start and stat->pages will refer same page.
111097 So it'll attempt to free the same page again and get kernel panic.
111098
111099 Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
111100
111101 Cc: Frederic Weisbecker <fweisbec@gmail.com>
111102 Cc: Namhyung Kim <namhyung.kim@lge.com>
111103 Cc: stable@vger.kernel.org
111104 Signed-off-by: Namhyung Kim <namhyung@kernel.org>
111105 Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
111106
111107 kernel/trace/ftrace.c | 1 -
111108 1 files changed, 0 insertions(+), 1 deletions(-)
111109
111110commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
111111Author: Neil Horman <nhorman@tuxdriver.com>
111112Date: Tue Apr 9 23:19:00 2013 +0000
111113
111114 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
111115
111116 e100: Add dma mapping error check
111117
111118 e100 uses pci_map_single, but fails to check for a dma mapping error after its
111119 use, resulting in a stack trace:
111120
111121 [ 46.656594] ------------[ cut here ]------------
111122 [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
111123 [ 46.657004] Hardware name: To Be Filled By O.E.M.
111124 [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
111125 error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
111126 [ 46.657004] Modules linked in:
111127 [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
111128 snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
111129 e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
111130 k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
111131 sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
111132 drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
111133 sata_promise crc_itu_t
111134 [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
111135 [ 46.657004] Call Trace:
111136 [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
111137 [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
111138 [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
111139 [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
111140 [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
111141 [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
111142 [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
111143 [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
111144 [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
111145 [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
111146 [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
111147 [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
111148 [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
111149 [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
111150 [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
111151 [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
111152 _raw_spin_unlock_irqrestore+0x3b/0x70
111153 [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
111154 [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
111155 [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
111156 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
111157 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
111158 [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
111159 [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
111160 [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
111161 [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
111162 [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
111163 [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
111164 [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
111165 [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
111166 [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
111167 [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
111168 [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
111169 [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
111170 [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
111171 [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
111172 [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
111173 [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
111174 [ 46.657004] Mapped at:
111175 [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
111176 [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
111177 [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
111178 [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
111179 [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
111180
111181 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
111182 dma_mapping_error check in the obvious place
111183
111184 This was reported previously here:
111185 http://article.gmane.org/gmane.linux.network/257893
111186
111187 But nobody stepped up and fixed it.
111188
111189 CC: Josh Boyer <jwboyer@redhat.com>
111190 CC: e1000-devel@lists.sourceforge.net
111191 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
111192 Reported-by: Michal Jaegermann <michal@harddata.com>
111193 Tested-by: Aaron Brown <aaron.f.brown@intel.com>
111194 Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
111195 Signed-off-by: David S. Miller <davem@davemloft.net>
111196
111197 drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
111198 1 files changed, 25 insertions(+), 11 deletions(-)
111199
111200commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
111201Author: Trond Myklebust <Trond.Myklebust@netapp.com>
111202Date: Wed Apr 10 12:44:18 2013 -0400
111203
111204 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
111205
111206 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
111207
111208 Make sure that we set the status to 0 on success. Missed in testing
111209 because it never appears when doing multiple mounts to _different_
111210 servers.
111211
111212 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
111213 Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
111214
111215 fs/nfs/nfs4client.c | 1 +
111216 1 files changed, 1 insertions(+), 0 deletions(-)
111217
111218commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
111219Author: Yuval Mintz <yuvalmin@broadcom.com>
111220Date: Wed Apr 10 13:34:39 2013 +0300
111221
111222 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
111223
111224 bnx2x: Prevent null pointer dereference in AFEX mode
111225
111226 The cnic module is responsible for initializing various bnx2x structs
111227 via callbacks provided by the bnx2x module.
111228 One such struct is the queue object for the FCoE queue.
111229
111230 If a device is working in AFEX mode and its configuration allows FCoE yet
111231 the cnic module is not loaded, it's very likely a null pointer dereference
111232 will occur, as the bnx2x will erroneously access the FCoE's queue object.
111233
111234 Prevent said access until cnic properly registers itself.
111235
111236 Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
111237 Signed-off-by: Ariel Elior <ariele@broadcom.com>
111238 Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
111239 Signed-off-by: David S. Miller <davem@davemloft.net>
111240
111241 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
111242 1 files changed, 2 insertions(+), 1 deletions(-)
111243
111244commit 2908830232725db624aaa052f7ad38d1f98bf541
111245Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
111246Date: Tue Apr 9 14:16:04 2013 +0800
111247
111248 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
111249
111250 can: gw: use kmem_cache_free() instead of kfree()
111251
111252 Memory allocated by kmem_cache_alloc() should be freed using
111253 kmem_cache_free(), not kfree().
111254
111255 Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
111256 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
111257 Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
111258 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
111259
111260 net/can/gw.c | 6 +++---
111261 1 files changed, 3 insertions(+), 3 deletions(-)
111262
111263commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
111264Author: Christoph Paasch <christoph.paasch@uclouvain.be>
111265Date: Sun Apr 7 04:53:15 2013 +0000
111266
111267 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
111268
111269 ipv6/tcp: Stop processing ICMPv6 redirect messages
111270
111271 Tetja Rediske found that if the host receives an ICMPv6 redirect message
111272 after sending a SYN+ACK, the connection will be reset.
111273
111274 He bisected it down to 093d04d (ipv6: Change skb->data before using
111275 icmpv6_notify() to propagate redirect), but the origin of the bug comes
111276 from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
111277 handlers.). The bug simply did not trigger prior to 093d04d, because
111278 skb->data did not point to the inner IP header and thus icmpv6_notify
111279 did not call the correct err_handler.
111280
111281 This patch adds the missing "goto out;" in tcp_v6_err. After receiving
111282 an ICMPv6 Redirect, we should not continue processing the ICMP in
111283 tcp_v6_err, as this may trigger the removal of request-socks or setting
111284 sk_err(_soft).
111285
111286 Reported-by: Tetja Rediske <tetja@tetja.de>
111287 Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
111288 Acked-by: Eric Dumazet <edumazet@google.com>
111289 Signed-off-by: David S. Miller <davem@davemloft.net>
111290
111291 net/ipv6/tcp_ipv6.c | 1 +
111292 1 files changed, 1 insertions(+), 0 deletions(-)
111293
111294commit c7d5c2524456ef3ea9194840e7a9a75069a46824
111295Author: Brad Spengler <spender@grsecurity.net>
111296Date: Wed Apr 10 20:32:54 2013 -0400
111297
111298 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
111299
111300 Makefile | 2 +-
111301 1 files changed, 1 insertions(+), 1 deletions(-)
111302
111303commit acac2380fd97acee4367d2aa24c74322dcf1d22b
111304Author: Trond Myklebust <Trond.Myklebust@netapp.com>
111305Date: Fri Apr 5 16:11:11 2013 -0400
111306
111307 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
111308
111309 NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
111310
111311 It is unsafe to use list_for_each_entry_safe() here, because
111312 when we drop the nn->nfs_client_lock, we pin the _current_ list
111313 entry and ensure that it stays in the list, but we don't do the
111314 same for the _next_ list entry. Use of list_for_each_entry() is
111315 therefore the correct thing to do.
111316
111317 Also fix the refcounting in nfs41_walk_client_list().
111318
111319 Finally, ensure that the nfs_client has finished being initialised
111320 and, in the case of NFSv4.1, that the session is set up.
111321
111322 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
111323 Cc: Chuck Lever <chuck.lever@oracle.com>
111324 Cc: Bryan Schumaker <bjschuma@netapp.com>
111325 Cc: stable@vger.kernel.org [>= 3.7]
111326
111327 fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
111328 1 files changed, 28 insertions(+), 16 deletions(-)
111329
111330commit a6cf5f387b882ac0ce655b75f623f86c075517be
111331Author: Chuck Lever <chuck.lever@oracle.com>
111332Date: Fri Mar 22 12:52:59 2013 -0400
111333
111334 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
111335
111336 SUNRPC: Remove extra xprt_put()
111337
111338 While testing error cases where rpc_new_client() fails, I saw
111339 some oopses.
111340
111341 If rpc_new_client() fails, it already invokes xprt_put(). Thus
111342 __rpc_clone_client() does not need to invoke it again.
111343
111344 Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
111345 Fri Sep 14, 2012.
111346
111347 Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
111348 Cc: stable@vger.kernel.org [>=3.7]
111349 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
111350
111351 net/sunrpc/clnt.c | 4 +---
111352 1 files changed, 1 insertions(+), 3 deletions(-)
111353
111354commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
111355Author: Trond Myklebust <Trond.Myklebust@netapp.com>
111356Date: Fri Apr 5 14:13:21 2013 -0400
111357
111358 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
111359
111360 SUNRPC: Fix a potential memory leak in rpc_new_client
111361
111362 If the call to rpciod_up() fails, we currently leak a reference to the
111363 struct rpc_xprt.
111364 As part of the fix, we also remove the redundant check for xprt!=NULL.
111365 This is already taken care of by the callers.
111366
111367 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
111368
111369 net/sunrpc/clnt.c | 7 ++-----
111370 1 files changed, 2 insertions(+), 5 deletions(-)
111371
111372commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
111373Author: Brad Spengler <spender@grsecurity.net>
111374Date: Wed Apr 10 19:16:05 2013 -0400
111375
111376 From https://lkml.org/lkml/2013/4/8/469:
111377 [PATCH] rtnetlink: call nlmsg_parse() with correct header length
111378
111379 net/core/rtnetlink.c | 4 ++--
111380 1 files changed, 2 insertions(+), 2 deletions(-)
111381
111382commit 9529169b8c405874fd543b785f53c74fa0501c2a
111383Author: Christopher Harvey <charvey@matrox.com>
111384Date: Fri Apr 5 10:51:15 2013 -0400
111385
111386 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
111387
111388 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
111389
111390 This change properly enables the "requester" in G200ER cards that is
111391 responsible for getting pixels out of memory and clocking them out to
111392 the screen.
111393
111394 Signed-off-by: Christopher Harvey <charvey@matrox.com>
111395 Cc: stable@vger.kernel.org
111396 Signed-off-by: Dave Airlie <airlied@redhat.com>
111397
111398 drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
111399 1 files changed, 3 insertions(+), 10 deletions(-)
111400
111401commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
111402Author: Al Viro <viro@zeniv.linux.org.uk>
111403Date: Thu Mar 28 13:30:23 2013 -0400
111404
111405 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
111406
111407 ecryptfs: close rmmod race
111408
111409 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
111410
111411 fs/ecryptfs/miscdev.c | 14 ++------------
111412 1 files changed, 2 insertions(+), 12 deletions(-)
111413
111414commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
111415Author: Brad Spengler <spender@grsecurity.net>
111416Date: Wed Apr 10 19:03:45 2013 -0400
111417
111418 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
111419
111420 arch/ia64/kernel/palinfo.c | 2 +-
111421 1 files changed, 1 insertions(+), 1 deletions(-)
111422
111423commit 83280e384ae3ceadad30369ced111dc7d4b46085
111424Author: Andrey Vagin <avagin@openvz.org>
111425Date: Tue Apr 9 17:33:29 2013 +0400
111426
111427 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
111428
111429 mnt: release locks on error path in do_loopback
111430
111431 do_loopback calls lock_mount(path) and forget to unlock_mount
111432 if clone_mnt or copy_mnt fails.
111433
111434 [ 77.661566] ================================================
111435 [ 77.662939] [ BUG: lock held when returning to user space! ]
111436 [ 77.664104] 3.9.0-rc5+ #17 Not tainted
111437 [ 77.664982] ------------------------------------------------
111438 [ 77.666488] mount/514 is leaving the kernel with locks still held!
111439 [ 77.668027] 2 locks held by mount/514:
111440 [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
111441 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
111442
111443 Signed-off-by: Andrey Vagin <avagin@openvz.org>
111444 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
111445
111446 fs/namespace.c | 2 +-
111447 1 files changed, 1 insertions(+), 1 deletions(-)
111448
111449commit 679e536b9d9536d804f049fe942367a596253e6d
111450Author: Alex Williamson <alex.williamson@redhat.com>
111451Date: Tue Mar 26 11:33:16 2013 -0600
111452
111453 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
111454
111455 vfio-pci: Fix possible integer overflow
111456
111457 The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
111458 of which are unsigned. We attempt to bounds check these, but fail to
111459 account for the case where start is a very large number, allowing
111460 start + count to wrap back into the valid range. Bounds check both
111461 start and start + count.
111462
111463 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
111464 Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
111465
111466 drivers/vfio/pci/vfio_pci.c | 3 ++-
111467 1 files changed, 2 insertions(+), 1 deletions(-)
111468
111469commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
111470Author: Brad Spengler <spender@grsecurity.net>
111471Date: Wed Apr 10 18:48:45 2013 -0400
111472
111473 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
111474
111475 security/Kconfig | 2 +-
111476 1 files changed, 1 insertions(+), 1 deletions(-)
111477
111478commit b5261a6384ee42499b29495aaae40b271e77d394
111479Author: Brad Spengler <spender@grsecurity.net>
111480Date: Tue Apr 9 17:30:45 2013 -0400
111481
111482 some undefined behavior fixups
111483
111484 grsecurity/gracl.c | 4 ++--
111485 grsecurity/gracl_ip.c | 10 +++++-----
111486 grsecurity/gracl_segv.c | 4 ++--
111487 3 files changed, 9 insertions(+), 9 deletions(-)
111488
111489commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
111490Author: Brad Spengler <spender@grsecurity.net>
111491Date: Tue Apr 9 17:28:54 2013 -0400
111492
111493 don't whine about denied ipv6 when it's not enabled
111494
111495 grsecurity/gracl_ip.c | 3 +++
111496 1 files changed, 3 insertions(+), 0 deletions(-)
111497
111498commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
111499Merge: 97bca88 9123489
111500Author: Brad Spengler <spender@grsecurity.net>
111501Date: Tue Apr 9 17:18:45 2013 -0400
111502
111503 Merge branch 'pax-test' into grsec-test
111504
111505commit 9123489428c58668a89f316db6619739cbdd2c2a
111506Author: Brad Spengler <spender@grsecurity.net>
111507Date: Tue Apr 9 17:17:46 2013 -0400
111508
111509 Update to pax-linux-3.8.6-test18.patch:
111510 - new size overflow plugin from Emese to work around a gcc optimization
111511 resulting in an intentional overflow, reported by Carlos Carvalho
111512 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
111513
111514 tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
111515 1 files changed, 66 insertions(+), 2 deletions(-)
111516
111517commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
111518Merge: 675a41e e9d6073
111519Author: Brad Spengler <spender@grsecurity.net>
111520Date: Mon Apr 8 21:32:59 2013 -0400
111521
111522 Merge branch 'pax-test' into grsec-test
111523
111524 Conflicts:
111525 arch/sparc/kernel/us3_cpufreq.c
111526
111527commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
111528Author: Brad Spengler <spender@grsecurity.net>
111529Date: Mon Apr 8 21:19:03 2013 -0400
111530
111531 Update to pax-linux-3.8.6-test17.patch:
111532 - fixed ia64/ppc/sparc compilation by spender
111533 - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
111534
111535 arch/ia64/include/asm/uaccess.h | 2 -
111536 arch/powerpc/include/asm/uaccess.h | 2 -
111537 arch/sparc/include/asm/uaccess.h | 7 ----
111538 arch/sparc/kernel/prom_common.c | 2 +-
111539 arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
111540 tools/gcc/structleak_plugin.c | 15 ++++----
111541 6 files changed, 28 insertions(+), 69 deletions(-)
111542
111543commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
111544Author: Brad Spengler <spender@grsecurity.net>
111545Date: Sun Apr 7 12:00:50 2013 -0400
111546
111547 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
111548
111549 net/socket.c | 2 +-
111550 1 files changed, 1 insertions(+), 1 deletions(-)
111551
111552commit 5a216624a06429488f24ce47db093da042f90e48
111553Author: Brad Spengler <spender@grsecurity.net>
111554Date: Sat Apr 6 13:22:24 2013 -0400
111555
111556 fix typo
111557
111558 arch/sparc/kernel/us3_cpufreq.c | 5 +----
111559 1 files changed, 1 insertions(+), 4 deletions(-)
111560
111561commit e476ca18d21788898cd3acd1b57049971a2fb70f
111562Author: Brad Spengler <spender@grsecurity.net>
111563Date: Sat Apr 6 13:16:13 2013 -0400
111564
111565 properly fix cpufreq_driver for ultrasparc III with constification
111566
111567 arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
111568 1 files changed, 17 insertions(+), 18 deletions(-)
111569
111570commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
111571Author: Brad Spengler <spender@grsecurity.net>
111572Date: Sat Apr 6 12:58:48 2013 -0400
111573
111574 mark prom_sparc_ops __initconst
111575
111576 arch/sparc/kernel/prom_common.c | 2 +-
111577 1 files changed, 1 insertions(+), 1 deletions(-)
111578
111579commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
111580Author: Brad Spengler <spender@grsecurity.net>
111581Date: Sat Apr 6 12:53:16 2013 -0400
111582
111583 fix ia64/powerpc/sparc compilation
111584
111585 arch/ia64/include/asm/uaccess.h | 2 --
111586 arch/powerpc/include/asm/uaccess.h | 2 --
111587 arch/sparc/include/asm/uaccess.h | 7 -------
111588 3 files changed, 0 insertions(+), 11 deletions(-)
111589
111590commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
111591Author: Johannes Berg <johannes.berg@intel.com>
111592Date: Tue Mar 19 20:26:57 2013 +0100
111593
111594 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
111595
111596 cfg80211: fix wdev tracing crash
111597
111598 Arend reported a crash in tracing if the driver returns an
111599 ERR_PTR() value from the add_virtual_intf() callback. This
111600 is due to the tracing then still attempting to dereference
111601 the "pointer", fix this by using IS_ERR_OR_NULL().
111602
111603 Reported-by: Arend van Spriel <arend@broadcom.com>
111604 Tested-by: Arend van Spriel <arend@broadcom.com>
111605 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
111606
111607 net/wireless/trace.h | 3 ++-
111608 1 files changed, 2 insertions(+), 1 deletions(-)
111609
111610commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
111611Author: Johannes Berg <johannes.berg@intel.com>
111612Date: Mon Mar 25 11:51:14 2013 +0100
111613
111614 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
111615
111616 mac80211: fix remain-on-channel cancel crash
111617
111618 If a ROC item is canceled just as it expires, the work
111619 struct may be scheduled while it is running (and waiting
111620 for the mutex). This results in it being run after being
111621 freed, which obviously crashes.
111622
111623 To fix this don't free it when aborting is requested but
111624 instead mark it as "to be freed", which makes the work a
111625 no-op and allows freeing it outside.
111626
111627 Cc: stable@vger.kernel.org [3.6+]
111628 Reported-by: Jouni Malinen <j@w1.fi>
111629 Tested-by: Jouni Malinen <j@w1.fi>
111630 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
111631
111632 net/mac80211/cfg.c | 6 ++++--
111633 net/mac80211/ieee80211_i.h | 3 ++-
111634 net/mac80211/offchannel.c | 23 +++++++++++++++++------
111635 3 files changed, 23 insertions(+), 9 deletions(-)
111636
111637commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
111638Author: Stone Piao <piaoyun@marvell.com>
111639Date: Fri Mar 29 19:21:21 2013 -0700
111640
111641 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
111642
111643 mwifiex: limit channel number not to overflow memory
111644
111645 Limit the channel number in scan request, or the driver scan
111646 config structure memory will be overflowed.
111647
111648 Cc: <stable@vger.kernel.org> # 3.5+
111649 Signed-off-by: Stone Piao <piaoyun@marvell.com>
111650 Signed-off-by: Bing Zhao <bzhao@marvell.com>
111651 Signed-off-by: John W. Linville <linville@tuxdriver.com>
111652
111653 drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
111654 1 files changed, 2 insertions(+), 1 deletions(-)
111655
111656commit 207c411512bdaf0e4271f93ecac6ca26588da36f
111657Author: Gao feng <gaofeng@cn.fujitsu.com>
111658Date: Thu Mar 21 19:48:41 2013 +0000
111659
111660 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
111661
111662 netfilter: reset nf_trace in nf_reset
111663
111664 We forgot to clear the nf_trace of sk_buff in nf_reset,
111665 When we use veth device, this nf_trace information will
111666 be leaked from one net namespace to another net namespace.
111667
111668 Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
111669 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
111670
111671 include/linux/skbuff.h | 3 +++
111672 1 files changed, 3 insertions(+), 0 deletions(-)
111673
111674commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
111675Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
111676Date: Fri Mar 22 01:28:18 2013 +0000
111677
111678 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
111679
111680 netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
111681
111682 Fix to return a negative error code from the error handling
111683 case instead of 0, as returned elsewhere in this function.
111684
111685 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
111686 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
111687
111688 net/netfilter/nfnetlink_queue_core.c | 4 +++-
111689 1 files changed, 3 insertions(+), 1 deletions(-)
111690
111691commit a79feb7d3251eca577d83d7f69eee2b961ab2924
111692Author: Pablo Neira Ayuso <pablo@netfilter.org>
111693Date: Sat Mar 23 16:57:59 2013 +0100
111694
111695 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
111696
111697 netfilter: nfnetlink_acct: return -EINVAL if object name is empty
111698
111699 If user-space tries to create accounting object with an empty
111700 name, then return -EINVAL.
111701
111702 Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
111703 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
111704
111705 net/netfilter/nfnetlink_acct.c | 2 ++
111706 1 files changed, 2 insertions(+), 0 deletions(-)
111707
111708commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
111709Author: Matthias Schiffer <mschiffer@universe-factory.net>
111710Date: Sat Mar 30 10:23:12 2013 +0000
111711
111712 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
111713
111714 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
111715
111716 The bitmask used for the prefix mangling was being calculated
111717 incorrectly, leading to the wrong part of the address being replaced
111718 when the prefix length wasn't a multiple of 32.
111719
111720 Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
111721 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
111722
111723 net/ipv6/netfilter/ip6t_NPT.c | 2 +-
111724 1 files changed, 1 insertions(+), 1 deletions(-)
111725
111726commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
111727Author: Veaceslav Falico <vfalico@redhat.com>
111728Date: Wed Apr 3 05:46:33 2013 +0000
111729
111730 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
111731
111732 bonding: remove sysfs before removing devices
111733
111734 We have a race condition if we try to rmmod bonding and simultaneously add
111735 a bond master through sysfs. In bonding_exit() we first remove the devices
111736 (through rtnl_link_unregister() ) and only after that we remove the sysfs.
111737 If we manage to add a device through sysfs after that the devices were
111738 removed - we'll end up with that device/sysfs structure and with the module
111739 unloaded.
111740
111741 Fix this by first removing the sysfs and only after that calling
111742 rtnl_link_unregister().
111743
111744 Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
111745 Signed-off-by: David S. Miller <davem@davemloft.net>
111746
111747 drivers/net/bonding/bond_main.c | 2 +-
111748 1 files changed, 1 insertions(+), 1 deletions(-)
111749
111750commit d12cae44a9d12441d81c489178803237219d403d
111751Author: Eric W. Biederman <ebiederm@xmission.com>
111752Date: Wed Apr 3 16:14:47 2013 +0000
111753
111754 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
111755
111756 af_unix: If we don't care about credentials coallesce all messages
111757
111758 It was reported that the following LSB test case failed
111759 https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
111760 were not coallescing unix stream messages when the application was
111761 expecting us to.
111762
111763 The problem was that the first send was before the socket was accepted
111764 and thus sock->sk_socket was NULL in maybe_add_creds, and the second
111765 send after the socket was accepted had a non-NULL value for sk->socket
111766 and thus we could tell the credentials were not needed so we did not
111767 bother.
111768
111769 The unnecessary credentials on the first message cause
111770 unix_stream_recvmsg to start verifying that all messages had the same
111771 credentials before coallescing and then the coallescing failed because
111772 the second message had no credentials.
111773
111774 Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
111775 long standing pessimization which would fail to coallesce messages when
111776 reading from a unix stream socket if the senders were different even if
111777 we did not care about their credentials.
111778
111779 I have tested this and verified that the in the LSB test case mentioned
111780 above that the messages do coallesce now, while the were failing to
111781 coallesce without this change.
111782
111783 Reported-by: Karel Srot <ksrot@redhat.com>
111784 Reported-by: Ding Tianhong <dingtianhong@huawei.com>
111785 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
111786 Signed-off-by: David S. Miller <davem@davemloft.net>
111787
111788 net/unix/af_unix.c | 2 +-
111789 1 files changed, 1 insertions(+), 1 deletions(-)
111790
111791commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
111792Author: Eric W. Biederman <ebiederm@xmission.com>
111793Date: Wed Apr 3 16:13:35 2013 +0000
111794
111795 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
111796
111797 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
111798
111799 This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
111800
111801 The problem that the above patch was meant to address is that af_unix
111802 messages are not being coallesced because we are sending unnecesarry
111803 credentials. Not sending credentials in maybe_add_creds totally
111804 breaks unconnected unix domain sockets that wish to send credentails
111805 to other sockets.
111806
111807 In practice this break some versions of udev because they receive a
111808 message and the sending uid is bogus so they drop the message.
111809
111810 Reported-by: Sven Joachim <svenjoac@gmx.de>
111811 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
111812 Signed-off-by: David S. Miller <davem@davemloft.net>
111813
111814 net/unix/af_unix.c | 4 ++--
111815 1 files changed, 2 insertions(+), 2 deletions(-)
111816
111817commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
111818Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
111819Date: Wed Mar 20 21:31:42 2013 +0000
111820
111821 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
111822
111823 lantiq_etop: use free_netdev(netdev) instead of kfree()
111824
111825 Freeing netdev without free_netdev() leads to net, tx leaks.
111826 And it may lead to dereferencing freed pointer.
111827
111828 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
111829 Signed-off-by: David S. Miller <davem@davemloft.net>
111830
111831 drivers/net/ethernet/lantiq_etop.c | 2 +-
111832 1 files changed, 1 insertions(+), 1 deletions(-)
111833
111834commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
111835Author: Cong Wang <amwang@redhat.com>
111836Date: Fri Mar 22 19:14:07 2013 +0000
111837
111838 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
111839
111840 8021q: fix a potential use-after-free
111841
111842 vlan_vid_del() could possibly free ->vlan_info after a RCU grace
111843 period, however, we may still refer to the freed memory area
111844 by 'grp' pointer. Found by code inspection.
111845
111846 This patch moves vlan_vid_del() as behind as possible.
111847
111848 Cc: Patrick McHardy <kaber@trash.net>
111849 Cc: "David S. Miller" <davem@davemloft.net>
111850 Signed-off-by: Cong Wang <amwang@redhat.com>
111851 Acked-by: Eric Dumazet <edumazet@google.com>
111852 Signed-off-by: David S. Miller <davem@davemloft.net>
111853
111854 net/8021q/vlan.c | 7 +++++++
111855 1 files changed, 7 insertions(+), 0 deletions(-)
111856
111857commit fff29c277024a39845d4b535083c8dafc21b45d9
111858Author: Hong zhi guo <honkiko@gmail.com>
111859Date: Sat Mar 23 02:27:50 2013 +0000
111860
111861 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
111862
111863 bridge: fix crash when set mac address of br interface
111864
111865 When I tried to set mac address of a bridge interface to a mac
111866 address which already learned on this bridge, I got system hang.
111867
111868 The cause is straight forward: function br_fdb_change_mac_address
111869 calls fdb_insert with NULL source nbp. Then an fdb lookup is
111870 performed. If an fdb entry is found and it's local, it's OK. But
111871 if it's not local, source is dereferenced for printk without NULL
111872 check.
111873
111874 Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
111875 Signed-off-by: David S. Miller <davem@davemloft.net>
111876
111877 net/bridge/br_fdb.c | 2 +-
111878 1 files changed, 1 insertions(+), 1 deletions(-)
111879
111880commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
111881Author: Kumar Amit Mehta <gmate.amit@gmail.com>
111882Date: Sat Mar 23 20:10:25 2013 +0000
111883
111884 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
111885
111886 bnx2x: fix assignment of signed expression to unsigned variable
111887
111888 fix for incorrect assignment of signed expression to unsigned variable.
111889
111890 Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
111891 Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
111892 Signed-off-by: David S. Miller <davem@davemloft.net>
111893
111894 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
111895 1 files changed, 9 insertions(+), 9 deletions(-)
111896
111897commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
111898Author: dingtianhong <dingtianhong@huawei.com>
111899Date: Mon Mar 25 17:02:04 2013 +0000
111900
111901 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
111902
111903 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
111904
111905 SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
111906 socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
111907 and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
111908
111909 Origionally-authored-by: Karel Srot <ksrot@redhat.com>
111910 Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
111911 Acked-by: Eric Dumazet <edumazet@google.com>
111912 Signed-off-by: David S. Miller <davem@davemloft.net>
111913
111914 net/unix/af_unix.c | 4 ++--
111915 1 files changed, 2 insertions(+), 2 deletions(-)
111916
111917commit b964e1e61f0f0ccaa380be3342f956c604054bdc
111918Author: Eric W. Biederman <ebiederm@xmission.com>
111919Date: Thu Mar 21 02:30:41 2013 -0700
111920
111921 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
111922
111923 yama: Better permission check for ptraceme
111924
111925 Change the permission check for yama_ptrace_ptracee to the standard
111926 ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
111927 in the tracees user namespace.
111928
111929 Reviewed-by: Kees Cook <keescook@chromium.org>
111930 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
111931
111932 security/yama/yama_lsm.c | 4 +---
111933 1 files changed, 1 insertions(+), 3 deletions(-)
111934
111935commit b94e71c7b6abe75989edff18aca2781233fa143b
111936Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
111937Date: Mon Apr 1 11:40:51 2013 +0400
111938
111939 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
111940
111941 ipc: set msg back to -EAGAIN if copy wasn't performed
111942
111943 Make sure that msg pointer is set back to error value in case of
111944 MSG_COPY flag is set and desired message to copy wasn't found. This
111945 garantees that msg is either a error pointer or a copy address.
111946
111947 Otherwise the last message in queue will be freed without unlinking from
111948 the queue (which leads to memory corruption) and the dummy allocated
111949 copy won't be released.
111950
111951 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
111952 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
111953
111954 ipc/msg.c | 1 +
111955 1 files changed, 1 insertions(+), 0 deletions(-)
111956
111957commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
111958Author: Jan Kara <jack@suse.cz>
111959Date: Fri Mar 29 15:39:16 2013 +0100
111960
111961 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
111962
111963 reiserfs: Fix warning and inode leak when deleting inode with xattrs
111964
111965 After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
111966 started failing to delete xattrs from inode. This was due to a buggy
111967 test for '.' and '..' in fill_with_dentries() which resulted in passing
111968 '.' and '..' entries to lookup_one_len() in some cases. That returned
111969 error and so we failed to iterate over all xattrs of and inode.
111970
111971 Fix the test in fill_with_dentries() along the lines of the one in
111972 lookup_one_len().
111973
111974 Reported-by: Pawel Zawora <pzawora@gmail.com>
111975 CC: stable@vger.kernel.org
111976 Signed-off-by: Jan Kara <jack@suse.cz>
111977
111978 fs/reiserfs/xattr.c | 4 ++--
111979 1 files changed, 2 insertions(+), 2 deletions(-)
111980
111981commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
111982Author: Paul Bolle <pebolle@tiscali.nl>
111983Date: Wed Apr 3 12:24:45 2013 +0100
111984
111985 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
111986
111987 ARM: 7690/1: mm: fix CONFIG_LPAE typos
111988
111989 CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
111990 up the two typos under arch/arm/.
111991
111992 The fix to head.S is slightly scary, but this is just for setting up
111993 an early io-mapping for the serial port when running on a big-endian,
111994 LPAE system. Since these systems don't exist in the wild (at least, I
111995 have no access to one outside of kvmtool, which doesn't provide a serial
111996 port suitable for earlyprintk), then we can revisit the code later if it
111997 causes any problems.
111998
111999 Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
112000 Signed-off-by: Will Deacon <will.deacon@arm.com>
112001 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
112002
112003 arch/arm/kernel/head.S | 2 +-
112004 arch/arm/kernel/setup.c | 2 +-
112005 2 files changed, 2 insertions(+), 2 deletions(-)
112006
112007commit 984ba346b2d8f158473e9723ba145031368431ed
112008Author: Catalin Marinas <catalin.marinas@arm.com>
112009Date: Tue Mar 26 23:35:04 2013 +0100
112010
112011 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
112012
112013 ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
112014
112015 On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
112016 all use of the old entries. This patch implements the erratum workaround
112017 which consists of:
112018
112019 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
112020 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
112021 one being invalidated (or all the online CPUs for global pages).
112022 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
112023 return code already).
112024
112025 Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
112026 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
112027
112028 Conflicts:
112029
112030 arch/arm/include/asm/tlbflush.h
112031 arch/arm/kernel/smp_tlb.c
112032 arch/arm/mm/context.c
112033
112034 arch/arm/Kconfig | 10 +++++
112035 arch/arm/include/asm/highmem.h | 7 ++++
112036 arch/arm/include/asm/mmu_context.h | 2 +
112037 arch/arm/include/asm/tlbflush.h | 15 ++++++++
112038 arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
112039 arch/arm/mm/context.c | 6 ++-
112040 6 files changed, 104 insertions(+), 2 deletions(-)
112041
112042commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
112043Author: Jan Stancek <jstancek@redhat.com>
112044Date: Thu Apr 4 11:35:10 2013 -0700
112045
112046 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
112047
112048 mm: prevent mmap_cache race in find_vma()
112049
112050 find_vma() can be called by multiple threads with read lock
112051 held on mm->mmap_sem and any of them can update mm->mmap_cache.
112052 Prevent compiler from re-fetching mm->mmap_cache, because other
112053 readers could update it in the meantime:
112054
112055 thread 1 thread 2
112056 |
112057 find_vma() | find_vma()
112058 struct vm_area_struct *vma = NULL; |
112059 vma = mm->mmap_cache; |
112060 if (!(vma && vma->vm_end > addr |
112061 && vma->vm_start <= addr)) { |
112062 | mm->mmap_cache = vma;
112063 return vma; |
112064 ^^ compiler may optimize this |
112065 local variable out and re-read |
112066 mm->mmap_cache |
112067
112068 This issue can be reproduced with gcc-4.8.0-1 on s390x by running
112069 mallocstress testcase from LTP, which triggers:
112070
112071 kernel BUG at mm/rmap.c:1088!
112072 Call Trace:
112073 ([<000003d100c57000>] 0x3d100c57000)
112074 [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
112075 [<000000000023baae>] handle_pte_fault+0x41a/0xac8
112076 [<000000000023d832>] handle_mm_fault+0x17a/0x268
112077 [<000000000060507a>] do_protection_exception+0x1e2/0x394
112078 [<0000000000603a04>] pgm_check_handler+0x138/0x13c
112079 [<000003fffcf1f07a>] 0x3fffcf1f07a
112080 Last Breaking-Event-Address:
112081 [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
112082
112083 Thanks to Jakub Jelinek for his insight on gcc and helping to
112084 track this down.
112085
112086 Signed-off-by: Jan Stancek <jstancek@redhat.com>
112087 Acked-by: David Rientjes <rientjes@google.com>
112088 Signed-off-by: Hugh Dickins <hughd@google.com>
112089 Cc: stable@vger.kernel.org
112090 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
112091
112092 mm/mmap.c | 2 +-
112093 mm/nommu.c | 2 +-
112094 2 files changed, 2 insertions(+), 2 deletions(-)
112095
112096commit 53f5096daa14967938bc154e6c41f9119863fb36
112097Merge: e988d7c 0a45285
112098Author: Brad Spengler <spender@grsecurity.net>
112099Date: Fri Apr 5 17:32:31 2013 -0400
112100
112101 Merge branch 'pax-test' into grsec-test
112102
112103 Conflicts:
112104 drivers/net/ethernet/broadcom/tg3.c
112105
112106commit 0a452855444d02502df6eb21ef3083cf303f71e1
112107Merge: 0277fa1 00cfbb8
112108Author: Brad Spengler <spender@grsecurity.net>
112109Date: Fri Apr 5 17:31:15 2013 -0400
112110
112111 Update to pax-linux-3.8.6-test16.patch:
112112 - fixed some attribute leakage into userland headers, patch by Mathias Krause
112113 - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
112114
112115 Merge branch 'linux-3.8.y' into pax-test
112116
112117 Conflicts:
112118 drivers/gpu/drm/i915/intel_display.c
112119
112120commit e988d7c8d946c816a2cb97f0d38048a1584966b8
112121Merge: baec40e 0277fa1
112122Author: Brad Spengler <spender@grsecurity.net>
112123Date: Wed Apr 3 22:05:41 2013 -0400
112124
112125 Merge branch 'pax-test' into grsec-test
112126
112127commit 0277fa123b486cf11420967e4568d7653e225fd3
112128Author: Brad Spengler <spender@grsecurity.net>
112129Date: Wed Apr 3 22:04:48 2013 -0400
112130
112131 Update to pax-linux-3.8.5-test15.patch:
112132 - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
112133 - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
112134
112135 drivers/media/pci/cx88/cx88-video.c | 6 +++---
112136 include/net/net_namespace.h | 4 ++++
112137 2 files changed, 7 insertions(+), 3 deletions(-)
112138
112139commit baec40e6708fd5ae2000cad6c70c5980c998b91c
112140Author: Brad Spengler <spender@grsecurity.net>
112141Date: Tue Apr 2 19:50:32 2013 -0400
112142
112143 fix compilation as reported on forums for gcc versions lacking plugin
112144 support
112145
112146 include/net/net_namespace.h | 4 ++++
112147 1 files changed, 4 insertions(+), 0 deletions(-)
112148
112149commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
112150Merge: 6b69c35 0db9d15
112151Author: Brad Spengler <spender@grsecurity.net>
112152Date: Tue Apr 2 17:47:27 2013 -0400
112153
112154 Merge branch 'pax-test' into grsec-test
112155
112156commit 0db9d156826bdd50510086fde837648a3dfd370e
112157Author: Brad Spengler <spender@grsecurity.net>
112158Date: Tue Apr 2 17:46:05 2013 -0400
112159
112160 Update to pax-linux-3.8.5-test14.patch:
112161 - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
112162
112163 arch/x86/include/asm/uaccess_64.h | 6 +-
112164 include/linux/moduleloader.h | 4 +-
112165 tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
112166 3 files changed, 61 insertions(+), 47 deletions(-)
112167
112168commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
112169Author: Brad Spengler <spender@grsecurity.net>
112170Date: Tue Apr 2 17:35:06 2013 -0400
112171
112172 remove duplicate compiler.h
112173
112174 include/linux/sysrq.h | 1 -
112175 1 files changed, 0 insertions(+), 1 deletions(-)
112176
112177commit 01e1d503fd2220adaaec0b92ea19441bdff73555
112178Author: Brad Spengler <spender@grsecurity.net>
112179Date: Fri Mar 29 19:53:50 2013 -0400
112180
112181 fix intentional_overflow marking on sys_sendto
112182
112183 include/linux/syscalls.h | 2 +-
112184 net/socket.c | 2 +-
112185 2 files changed, 2 insertions(+), 2 deletions(-)
112186
112187commit cd5ff114d958470f471c63775278e8c05e774630
112188Author: Brad Spengler <spender@grsecurity.net>
112189Date: Fri Mar 29 18:46:16 2013 -0400
112190
112191 fix size_overflow false positive
112192
112193 kernel/futex_compat.c | 2 +-
112194 1 files changed, 1 insertions(+), 1 deletions(-)
112195
112196commit 295ba16cc53df2375261accbedd6575ea327770a
112197Merge: 18340f1 278a989
112198Author: Brad Spengler <spender@grsecurity.net>
112199Date: Fri Mar 29 17:36:18 2013 -0400
112200
112201 Merge branch 'pax-test' into grsec-test
112202
112203 Conflicts:
112204 fs/exec.c
112205 include/linux/thread_info.h
112206
112207commit 278a989c831d62193c7b3d119fe2302babd45d12
112208Author: Brad Spengler <spender@grsecurity.net>
112209Date: Fri Mar 29 17:34:34 2013 -0400
112210
112211 Resync with pax-linux-3.8.5-test13.patch
112212
112213 arch/arm/include/asm/pgtable.h | 3 ++-
112214 arch/arm/lib/delay.c | 1 +
112215 fs/exec.c | 8 ++++----
112216 include/linux/compiler.h | 1 +
112217 include/linux/proc_fs.h | 2 +-
112218 include/linux/thread_info.h | 6 +++---
112219 include/linux/zlib.h | 3 ++-
112220 init/main.c | 4 ++--
112221 kernel/user_namespace.c | 2 +-
112222 lib/list_debug.c | 4 ++--
112223 mm/slab.c | 1 +
112224 mm/slob.c | 1 +
112225 mm/slub.c | 1 +
112226 net/core/sysctl_net_core.c | 3 +--
112227 tools/gcc/constify_plugin.c | 1 +
112228 15 files changed, 24 insertions(+), 17 deletions(-)
112229
112230commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
112231Merge: 05f01ae e8cfeae
112232Author: Brad Spengler <spender@grsecurity.net>
112233Date: Fri Mar 29 17:30:57 2013 -0400
112234
112235 Merge branch 'pax-test' into grsec-test
112236
112237commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
112238Merge: b461cb7 aa4cfde
112239Author: Brad Spengler <spender@grsecurity.net>
112240Date: Fri Mar 29 17:30:44 2013 -0400
112241
112242 Merge branch 'linux-3.8.y' into pax-test
112243
112244 Conflicts:
112245 drivers/gpu/drm/i915/i915_gem_execbuffer.c
112246 fs/nfsd/vfs.c
112247
112248commit 05f01ae4c3479541586a2387f916a6620889c479
112249Author: Brad Spengler <spender@grsecurity.net>
112250Date: Fri Mar 29 17:05:39 2013 -0400
112251
112252 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
112253 takes user-provided length, copies up to that amount in a sockaddr_storage
112254 struct on the stack, then takes an upper-bounded-only user-provided length
112255 and copies the sockaddr_storage struct back out to userland, complete with
112256 uninitialized data
112257
112258 net/socket.c | 2 +-
112259 1 files changed, 1 insertions(+), 1 deletions(-)
112260
112261commit eea6ade59490784e83e08ec67322288fcf14cb31
112262Author: Brad Spengler <spender@grsecurity.net>
112263Date: Thu Mar 28 23:07:37 2013 -0400
112264
112265 return a proper error, otherwise we could be accessing uninitialized data
112266 (previous define was a positive value)
112267
112268 drivers/usb/storage/realtek_cr.c | 2 +-
112269 1 files changed, 1 insertions(+), 1 deletions(-)
112270
112271commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
112272Merge: c3dc9a6 b461cb7
112273Author: Brad Spengler <spender@grsecurity.net>
112274Date: Thu Mar 28 20:54:24 2013 -0400
112275
112276 Merge branch 'pax-test' into grsec-test
112277
112278commit b461cb7b1d85490430ef7896c247794af72c3749
112279Author: Brad Spengler <spender@grsecurity.net>
112280Date: Thu Mar 28 20:54:11 2013 -0400
112281
112282 Add structleak plugin
112283
112284 tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
112285 1 files changed, 270 insertions(+), 0 deletions(-)
112286
112287commit c3dc9a6ef10782894bb11fd088fd712db44d8062
112288Author: Brad Spengler <spender@grsecurity.net>
112289Date: Thu Mar 28 20:53:22 2013 -0400
112290
112291 Enable structleak by default for the security auto-config
112292
112293 security/Kconfig | 11 +++++++----
112294 1 files changed, 7 insertions(+), 4 deletions(-)
112295
112296commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
112297Merge: d8503a3 74bec16
112298Author: Brad Spengler <spender@grsecurity.net>
112299Date: Thu Mar 28 20:47:10 2013 -0400
112300
112301 Merge branch 'pax-test' into grsec-test
112302
112303commit 74bec16b657147a5575b1f14f4423a717ba317a6
112304Author: Brad Spengler <spender@grsecurity.net>
112305Date: Thu Mar 28 20:46:13 2013 -0400
112306
112307 Update to pax-linux-3.8.4-test13.patch:
112308 - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
112309 - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
112310
112311 Makefile | 5 +++-
112312 arch/x86/include/asm/compat.h | 2 +-
112313 arch/x86/mm/fault.c | 3 +-
112314 fs/binfmt_elf.c | 2 +-
112315 include/linux/compiler.h | 42 ++++++++++++++--------------------------
112316 security/Kconfig | 16 +++++++++++++++
112317 tools/gcc/Makefile | 2 +
112318 tools/gcc/constify_plugin.c | 7 +++++-
112319 8 files changed, 47 insertions(+), 32 deletions(-)
112320
112321commit d8503a3a35d68b9ba1615d29335aef3f70d51465
112322Author: Brad Spengler <spender@grsecurity.net>
112323Date: Thu Mar 28 20:02:40 2013 -0400
112324
112325 Fix 8-byte stack infoleak in ia32_rt_sigpending
112326 User controls length, kernel only performs check on the upper bound, will
112327 fill in any amount less than sizeof(sigset_t) via a copy_to_user under
112328 KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
112329 regardless of whether the sigset_t content copied into it has been initialized
112330 or not
112331
112332 arch/x86/ia32/sys_ia32.c | 2 +-
112333 1 files changed, 1 insertions(+), 1 deletions(-)
112334
112335commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
112336Author: Brad Spengler <spender@grsecurity.net>
112337Date: Tue Mar 26 21:05:05 2013 -0400
112338
112339 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
112340 Author: J. Bruce Fields <bfields@redhat.com>
112341 Date: Tue Mar 26 14:11:13 2013 -0400
112342
112343 nfsd4: reject "negative" acl lengths
112344
112345 Since we only enforce an upper bound, not a lower bound, a "negative"
112346 length can get through here.
112347
112348 The symptom seen was a warning when we attempt to a kmalloc with an
112349 excessive size.
112350
112351 Reported-by: Toralf Förster <toralf.foerster@gmx.de>
112352 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
112353
112354 fs/nfsd/nfs4xdr.c | 2 +-
112355 1 files changed, 1 insertions(+), 1 deletions(-)
112356
112357commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
112358Author: Jeff Layton <jlayton@redhat.com>
112359Date: Mon Mar 11 09:52:19 2013 -0400
112360
112361 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
112362
112363 cifs: ignore everything in SPNEGO blob after mechTypes
112364
112365 We've had several reports of people attempting to mount Windows 8 shares
112366 and getting failures with a return code of -EINVAL. The default sec=
112367 mode changed recently to sec=ntlmssp. With that, we expect and parse a
112368 SPNEGO blob from the server in the NEGOTIATE reply.
112369
112370 The current decode_negTokenInit function first parses all of the
112371 mechTypes and then tries to parse the rest of the negTokenInit reply.
112372 The parser however currently expects a mechListMIC or nothing to follow the
112373 mechTypes, but Windows 8 puts a mechToken field there instead to carry
112374 some info for the new NegoEx stuff.
112375
112376 In practice, we don't do anything with the fields after the mechTypes
112377 anyway so I don't see any real benefit in continuing to parse them.
112378 This patch just has the kernel ignore the fields after the mechTypes.
112379 We'll probably need to reinstate some of this if we ever want to support
112380 NegoEx.
112381
112382 Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
112383 Reported-by: Yan Li <elliot.li.tech@gmail.com>
112384 Signed-off-by: Jeff Layton <jlayton@redhat.com>
112385 Cc: <stable@vger.kernel.org>
112386 Signed-off-by: Steve French <sfrench@us.ibm.com>
112387
112388 fs/cifs/asn1.c | 53 +++++------------------------------------------------
112389 1 files changed, 5 insertions(+), 48 deletions(-)
112390
112391commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
112392Merge: 93ff726 0deb54c
112393Author: Brad Spengler <spender@grsecurity.net>
112394Date: Mon Mar 25 18:35:15 2013 -0400
112395
112396 Merge branch 'pax-test' into grsec-test
112397
112398commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
112399Author: Brad Spengler <spender@grsecurity.net>
112400Date: Mon Mar 25 18:35:05 2013 -0400
112401
112402 fix typo
112403
112404 arch/x86/mm/ioremap.c | 2 +-
112405 1 files changed, 1 insertions(+), 1 deletions(-)
112406
112407commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
112408Merge: be9f8b8 f95e53a
112409Author: Brad Spengler <spender@grsecurity.net>
112410Date: Mon Mar 25 18:30:06 2013 -0400
112411
112412 Merge branch 'pax-test' into grsec-test
112413
112414commit f95e53abadb6e4665866e4502ff9f518514193e1
112415Author: Brad Spengler <spender@grsecurity.net>
112416Date: Mon Mar 25 18:29:25 2013 -0400
112417
112418 Update to pax-linux-3.8.4-test12.patch:
112419
112420 - fixed perf compilation reported by Michael Tremer
112421 - fixed USERCOPY reports triggered by SCTP, reported by mcp
112422 - last fix for aslr gap accounting, promise (thanks to spender)
112423
112424 arch/x86/mm/ioremap.c | 3 +++
112425 fs/binfmt_elf.c | 5 ++---
112426 mm/mmap.c | 2 +-
112427 net/sctp/socket.c | 19 +++++++++++++++----
112428 tools/perf/util/include/linux/compiler.h | 8 ++++++++
112429 5 files changed, 29 insertions(+), 8 deletions(-)
112430
112431commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
112432Author: Brad Spengler <spender@grsecurity.net>
112433Date: Mon Mar 25 16:48:34 2013 -0400
112434
112435 From: Al Viro <viro@ZenIV.linux.org.uk>
112436 To: Brad Spengler <spender@grsecurity.net>
112437 Cc: Linus Torvalds <torvalds@linux-foundation.org>
112438
112439 Umm... I see what you are describing, and AFAICS you are correct; let me
112440 see if I am misreading your analysis:
112441 * vfsmount_lock may act fair; A holding it shared, with B spinning
112442 on attempt to take it exclusive may lead to C spinning on attempt to take
112443 it shared.
112444 * path_is_under() tries get rename_lock while holding vfsmount_lock
112445 shared.
112446 * d_path() et.al. try to take vfsmount_lock shared, while holding
112447 rename_lock.
112448
112449 All true and yes, it's a bug (I'd probably classify it as a livelock, but
112450 that doesn't make any real difference). There are three possible solutions,
112451 AFAICS:
112452 1) two-liner in path_is_under() replacing the use of vfsmount_lock
112453 with that of namespace_sem; trivial, but results in function unexpectedly
112454 blocking. The current callers are fine with that, but it's a trouble
112455 waiting to happen.
112456 2) replace write_seqlock() in prepend_path() callers with
112457 read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
112458 is_subdir() we need more than just ->d_parent not pointing to something
112459 freed - we also care about ->d_name.len being in sync with ->d_name.name.
112460 It probably can be worked around, but...
112461
112462 3) declare that rename_lock nests inside vfsmount_lock and let
112463 the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
112464 that one...
112465
112466 Nest rename_lock inside vfsmount_lock
112467
112468 ... lest we get livelocks between path_is_under() and d_path() and friends.
112469
112470 [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
112471 the issue ]
112472
112473 Spotted-by: Brad Spengler <spender@grsecurity.net>
112474 Cc: stable@vger.kernel.org
112475 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
112476
112477 fs/dcache.c | 16 +++++++++++-----
112478 grsecurity/gracl.c | 20 ++++++++++----------
112479 2 files changed, 21 insertions(+), 15 deletions(-)
112480
112481commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
112482Author: Linus Torvalds <torvalds@linux-foundation.org>
112483Date: Fri Mar 22 11:44:04 2013 -0700
112484
112485 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
112486
112487 vfs,proc: guarantee unique inodes in /proc
112488
112489 Dave Jones found another /proc issue with his Trinity tool: thanks to
112490 the namespace model, we can have multiple /proc dentries that point to
112491 the same inode, aliasing directories in /proc/<pid>/net/ for example.
112492
112493 This ends up being a total disaster, because it acts like hardlinked
112494 directories, and causes locking problems. We rely on the topological
112495 sort of the inodes pointed to by dentries, and if we have aliased
112496 directories, that odering becomes unreliable.
112497
112498 In short: don't do this. Multiple dentries with the same (directory)
112499 inode is just a bad idea, and the namespace code should never have
112500 exposed things this way. But we're kind of stuck with it.
112501
112502 This solves things by just always allocating a new inode during /proc
112503 dentry lookup, instead of using "iget_locked()" to look up existing
112504 inodes by superblock and number. That actually simplies the code a bit,
112505 at the cost of potentially doing more inode [de]allocations.
112506
112507 That said, the inode lookup wasn't free either (and did a lot of locking
112508 of inodes), so it is probably not that noticeable. We could easily keep
112509 the old lookup model for non-directory entries, but rather than try to
112510 be excessively clever this just implements the minimal and simplest
112511 workaround for the problem.
112512
112513 Reported-and-tested-by: Dave Jones <davej@redhat.com>
112514 Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
112515 Cc: stable@vger.kernel.org
112516 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
112517
112518 Conflicts:
112519
112520 fs/proc/inode.c
112521
112522 fs/proc/inode.c | 9 +++------
112523 1 files changed, 3 insertions(+), 6 deletions(-)
112524
112525commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
112526Author: Vladimir Davydov <vdavydov@parallels.com>
112527Date: Fri Mar 22 15:04:51 2013 -0700
112528
112529 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
112530
112531 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
112532
112533 mnt_drop_write() must be called only if mnt_want_write() succeeded,
112534 otherwise the mnt_writers counter will diverge.
112535
112536 mnt_writers counters are used to check if remounting FS as read-only is
112537 OK, so after an extra mnt_drop_write() call, it would be impossible to
112538 remount mqueue FS as read-only. Besides, on umount a warning would be
112539 printed like this one:
112540
112541 =====================================
112542 [ BUG: bad unlock balance detected! ]
112543 3.9.0-rc3 #5 Not tainted
112544 -------------------------------------
112545 a.out/12486 is trying to release lock (sb_writers) at:
112546 mnt_drop_write+0x1f/0x30
112547 but there are no more locks to release!
112548
112549 Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
112550 Cc: Doug Ledford <dledford@redhat.com>
112551 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
112552 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
112553 Cc: Al Viro <viro@zeniv.linux.org.uk>
112554 Cc: <stable@vger.kernel.org>
112555 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
112556 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
112557
112558 ipc/mqueue.c | 3 ++-
112559 1 files changed, 2 insertions(+), 1 deletions(-)
112560
112561commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
112562Author: Brad Spengler <spender@grsecurity.net>
112563Date: Sat Mar 23 13:02:32 2013 -0400
112564
112565 Don't use constify plugin if not enabled in config,
112566 reported by Alexey Vlasov
112567
112568 Makefile | 2 +-
112569 1 files changed, 1 insertions(+), 1 deletions(-)
112570
112571commit 3afb82e020593249ac394e9859397c3e0ef5341c
112572Author: Brad Spengler <spender@grsecurity.net>
112573Date: Sat Mar 23 12:50:13 2013 -0400
112574
112575 oded 0day #2
112576 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
112577 slide 20
112578
112579 drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
112580 1 files changed, 4 insertions(+), 2 deletions(-)
112581
112582commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
112583Author: Brad Spengler <spender@grsecurity.net>
112584Date: Sat Mar 23 12:15:50 2013 -0400
112585
112586 oded 0day #1
112587 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
112588 slide 18
112589
112590 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
112591 1 files changed, 1 insertions(+), 1 deletions(-)
112592
112593commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
112594Author: Brad Spengler <spender@grsecurity.net>
112595Date: Sat Mar 23 12:13:12 2013 -0400
112596
112597 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
112598
112599 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
112600 1 files changed, 1 insertions(+), 1 deletions(-)
112601
112602commit 44cb11a9470f72157601d0ad4d572d111f90f504
112603Author: Brad Spengler <spender@grsecurity.net>
112604Date: Fri Mar 22 18:11:42 2013 -0400
112605
112606 use VM_DONTDUMP
112607
112608 fs/binfmt_elf.c | 2 +-
112609 1 files changed, 1 insertions(+), 1 deletions(-)
112610
112611commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
112612Author: Brad Spengler <spender@grsecurity.net>
112613Date: Fri Mar 22 17:53:09 2013 -0400
112614
112615 fix recent RLIMIT_AS changes (due to vm_flags typo)
112616
112617 Conflicts:
112618
112619 fs/binfmt_elf.c
112620
112621 fs/binfmt_elf.c | 2 +-
112622 mm/mmap.c | 2 +-
112623 2 files changed, 2 insertions(+), 2 deletions(-)
112624
112625commit fd5f0d92b0fbec02029dad124501a9c80e527a32
112626Author: Brad Spengler <spender@grsecurity.net>
112627Date: Fri Mar 22 17:08:48 2013 -0400
112628
112629 complete_walk drops rcu-walk mode, no need for our own dropping
112630 method outside of generic_permission
112631
112632 fs/namei.c | 30 ------------------------------
112633 1 files changed, 0 insertions(+), 30 deletions(-)
112634
112635commit b49ab1c73edb6442eec609b26bba4d850b3111b6
112636Merge: 5e9a707 783ade9
112637Author: Brad Spengler <spender@grsecurity.net>
112638Date: Thu Mar 21 21:56:28 2013 -0400
112639
112640 Merge branch 'pax-test' into grsec-test
112641
112642commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
112643Author: Brad Spengler <spender@grsecurity.net>
112644Date: Thu Mar 21 21:55:31 2013 -0400
112645
112646 Update to pax-linux-3.8.3-test11.patch:
112647 - rewrote the ASLR gap accounting code once again
112648 - fixed ptrace compat bug found by the size overflow plugin
112649
112650 fs/binfmt_elf.c | 25 ++++++++++++-------------
112651 fs/exec.c | 7 ++-----
112652 include/linux/compat.h | 2 +-
112653 include/linux/mm.h | 5 +++++
112654 include/linux/mm_types.h | 2 +-
112655 kernel/ptrace.c | 2 +-
112656 mm/mmap.c | 15 ++++++++++-----
112657 7 files changed, 32 insertions(+), 26 deletions(-)
112658
112659commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
112660Author: Brad Spengler <spender@grsecurity.net>
112661Date: Thu Mar 21 19:37:33 2013 -0400
112662
112663 Make the constify plugin usage actually depend on the introduced config option
112664 (it was still forced on)
112665
112666 tools/gcc/Makefile | 2 +-
112667 1 files changed, 1 insertions(+), 1 deletions(-)
112668
112669commit 1974b4f58d9d729c80ac1987785446115304a54c
112670Author: Brad Spengler <spender@grsecurity.net>
112671Date: Thu Mar 21 16:12:38 2013 -0400
112672
112673 fix failed merge
112674
112675 arch/arm/mm/fault.c | 15 +++------------
112676 1 files changed, 3 insertions(+), 12 deletions(-)
112677
112678commit 675a8ab4a8fe8315df348735a37a302a7535224c
112679Author: Brad Spengler <spender@grsecurity.net>
112680Date: Wed Mar 20 23:36:14 2013 -0400
112681
112682 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
112683 From: Kees Cook <keescook@chromium.org>
112684 Date: Sun, 10 Mar 2013 20:09:31 +0000
112685 Subject: drm/i915: bounds check execbuffer relocation count
112686
112687 It is possible to wrap the counter used to allocate the buffer for
112688 relocation copies. This could lead to heap writing overflows.
112689
112690 CVE-2013-0913
112691
112692 Signed-off-by: Kees Cook <keescook@chromium.org>
112693 Reported-by: Pinkie Pie
112694 Cc: stable@vger.kernel.org
112695
112696 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
112697 1 files changed, 8 insertions(+), 3 deletions(-)
112698
112699commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
112700Author: Andy Honig <ahonig@google.com>
112701Date: Wed Feb 20 14:48:10 2013 -0800
112702
112703 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
112704
112705 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
112706
112707 There is a potential use after free issue with the handling of
112708 MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
112709 memory such as frame buffers then KVM might continue to write to that
112710 address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
112711 the page in memory so it's unlikely to cause an issue, but if the user
112712 space component re-purposes the memory previously used for the guest, then
112713 the guest will be able to corrupt that memory.
112714
112715 Tested: Tested against kvmclock unit test
112716
112717 Signed-off-by: Andrew Honig <ahonig@google.com>
112718 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
112719
112720 arch/x86/include/asm/kvm_host.h | 4 +-
112721 arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
112722 2 files changed, 22 insertions(+), 29 deletions(-)
112723
112724commit 0bcac31b57c381001feb69fd6ec8069e61e03432
112725Author: Andy Honig <ahonig@google.com>
112726Date: Mon Mar 11 09:34:52 2013 -0700
112727
112728 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
112729
112730 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
112731
112732 If the guest sets the GPA of the time_page so that the request to update the
112733 time straddles a page then KVM will write onto an incorrect page. The
112734 write is done byusing kmap atomic to get a pointer to the page for the time
112735 structure and then performing a memcpy to that page starting at an offset
112736 that the guest controls. Well behaved guests always provide a 32-byte aligned
112737 address, however a malicious guest could use this to corrupt host kernel
112738 memory.
112739
112740 Tested: Tested against kvmclock unit test.
112741
112742 Signed-off-by: Andrew Honig <ahonig@google.com>
112743 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
112744
112745 arch/x86/kvm/x86.c | 5 +++++
112746 1 files changed, 5 insertions(+), 0 deletions(-)
112747
112748commit 695c59887e4ec10b0b695ab4f645d1226c433be0
112749Author: Andy Honig <ahonig@google.com>
112750Date: Wed Feb 20 14:49:16 2013 -0800
112751
112752 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
112753
112754 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
112755
112756 If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
112757 that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
112758 that request. ioapic_read_indirect contains an
112759 ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
112760 non-debug builds. In recent kernels this allows a guest to cause a kernel
112761 oops by reading invalid memory. In older kernels (pre-3.3) this allows a
112762 guest to read from large ranges of host memory.
112763
112764 Tested: tested against apic unit tests.
112765
112766 Signed-off-by: Andrew Honig <ahonig@google.com>
112767 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
112768
112769 virt/kvm/ioapic.c | 7 +++++--
112770 1 files changed, 5 insertions(+), 2 deletions(-)
112771
112772commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
112773Merge: aec3cd4 c522e3a
112774Author: Brad Spengler <spender@grsecurity.net>
112775Date: Wed Mar 20 19:38:25 2013 -0400
112776
112777 Merge branch 'pax-test' into grsec-test
112778
112779commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
112780Merge: c57d855 405acc3
112781Author: Brad Spengler <spender@grsecurity.net>
112782Date: Wed Mar 20 19:38:11 2013 -0400
112783
112784 Merge branch 'linux-3.8.y' into pax-test
112785
112786commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
112787Author: Brad Spengler <spender@grsecurity.net>
112788Date: Tue Mar 19 19:56:04 2013 -0400
112789
112790 include linux/compiler.h
112791
112792 include/linux/zlib.h | 1 +
112793 1 files changed, 1 insertions(+), 0 deletions(-)
112794
112795commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
112796Author: Brad Spengler <spender@grsecurity.net>
112797Date: Tue Mar 19 18:42:20 2013 -0400
112798
112799 fix missing sock_release()
112800
112801 net/irda/af_irda.c | 6 ++++--
112802 1 files changed, 4 insertions(+), 2 deletions(-)
112803
112804commit dd65c05cd24faf8946d4941434a553ee285c35a3
112805Author: Brad Spengler <spender@grsecurity.net>
112806Date: Tue Mar 19 18:36:17 2013 -0400
112807
112808 fix mpt fusion infoleak
112809
112810 drivers/message/fusion/mptbase.c | 4 ++++
112811 1 files changed, 4 insertions(+), 0 deletions(-)
112812
112813commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
112814Author: Brad Spengler <spender@grsecurity.net>
112815Date: Tue Mar 19 18:33:45 2013 -0400
112816
112817 Fix size_overflow false positive reported by slashbeast
112818
112819 include/linux/zlib.h | 2 +-
112820 1 files changed, 1 insertions(+), 1 deletions(-)
112821
112822commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
112823Author: Brad Spengler <spender@grsecurity.net>
112824Date: Tue Mar 19 17:35:36 2013 -0400
112825
112826 fix up failed merge
112827
112828 arch/arm/mm/fault.c | 9 ++-------
112829 1 files changed, 2 insertions(+), 7 deletions(-)
112830
112831commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
112832Author: Brad Spengler <spender@grsecurity.net>
112833Date: Tue Mar 19 17:34:36 2013 -0400
112834
112835 update documentation on consequences of building without gcc plugin support
112836
112837 Makefile | 2 +-
112838 1 files changed, 1 insertions(+), 1 deletions(-)
112839
112840commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
112841Author: Brad Spengler <spender@grsecurity.net>
112842Date: Tue Mar 19 17:18:13 2013 -0400
112843
112844 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
112845
112846 init/main.c | 4 ++--
112847 1 files changed, 2 insertions(+), 2 deletions(-)
112848
112849commit f00195c633f91cfbd8c1f530d2c371b713026e20
112850Author: Brad Spengler <spender@grsecurity.net>
112851Date: Mon Mar 18 22:27:33 2013 -0400
112852
112853 Fix compile error reported by KDE on the forums
112854
112855 kernel/user_namespace.c | 2 +-
112856 1 files changed, 1 insertions(+), 1 deletions(-)
112857
112858commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
112859Merge: 0949569 c57d855
112860Author: Brad Spengler <spender@grsecurity.net>
112861Date: Mon Mar 18 22:20:46 2013 -0400
112862
112863 Merge branch 'pax-test' into grsec-test
112864
112865 Conflicts:
112866 arch/arm/mm/fault.c
112867 arch/x86/mm/fault.c
112868 fs/exec.c
112869
112870commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
112871Author: Brad Spengler <spender@grsecurity.net>
112872Date: Mon Mar 18 21:22:03 2013 -0400
112873
112874 Update to pax-linux-3.8.2-test9.patch:
112875 arm changes from spender
112876 - removed userland access to the vectors page
112877 - removed obsolete sigreturn trampoline handling
112878 - added emulation for __kuser_get_tls
112879 - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
112880 - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
112881 - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
112882 - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
112883 - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
112884 - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
112885 and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
112886
112887 arch/arm/kernel/process.c | 5 +-
112888 arch/arm/kernel/signal.c | 24 +-
112889 arch/arm/kernel/traps.c | 7 -
112890 arch/arm/mm/alignment.c | 8 +
112891 arch/arm/mm/fault.c | 23 +-
112892 arch/arm/mm/mmu.c | 2 +-
112893 arch/x86/include/asm/bitops.h | 2 +-
112894 arch/x86/include/asm/desc.h | 2 +-
112895 arch/x86/include/asm/div64.h | 2 +-
112896 arch/x86/include/asm/io.h | 8 +-
112897 arch/x86/include/asm/paravirt.h | 2 +-
112898 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
112899 arch/x86/kernel/setup_percpu.c | 2 +-
112900 arch/x86/mm/fault.c | 4 +-
112901 arch/x86/mm/numa.c | 2 +-
112902 arch/x86/mm/physaddr.c | 4 +-
112903 drivers/ata/libahci.c | 2 +-
112904 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
112905 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
112906 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
112907 drivers/lguest/page_tables.c | 2 +-
112908 drivers/net/wireless/at76c50x-usb.c | 2 +-
112909 drivers/oprofile/oprofile_files.c | 2 +-
112910 drivers/power/power_supply_core.c | 1 +
112911 drivers/usb/core/message.c | 2 +-
112912 fs/befs/endian.h | 4 +-
112913 fs/binfmt_elf.c | 5 +-
112914 fs/exec.c | 4 +-
112915 fs/qnx6/qnx6.h | 4 +-
112916 fs/sysv/sysv.h | 2 +-
112917 fs/ubifs/io.c | 2 +-
112918 fs/ufs/swab.h | 4 +-
112919 include/linux/compat.h | 4 +-
112920 include/linux/completion.h | 6 +-
112921 include/linux/cpumask.h | 12 +-
112922 include/linux/ctype.h | 2 +-
112923 include/linux/err.h | 4 +-
112924 include/linux/math64.h | 6 +-
112925 include/linux/sched.h | 2 +-
112926 include/linux/unaligned/access_ok.h | 12 +-
112927 include/linux/usb.h | 2 +-
112928 include/uapi/linux/byteorder/little_endian.h | 4 +-
112929 include/uapi/linux/swab.h | 6 +-
112930 kernel/sched/core.c | 6 +-
112931 kernel/signal.c | 3 +
112932 kernel/time.c | 2 +-
112933 kernel/timer.c | 2 +-
112934 lib/div64.c | 4 +-
112935 mm/page-writeback.c | 2 +-
112936 net/socket.c | 2 +
112937 scripts/package/builddeb | 1 +
112938 tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
112939 tools/gcc/size_overflow_plugin.c | 1072 ++--
112940 53 files changed, 6227 insertions(+), 3951 deletions(-)
112941
112942commit 09495691bb31f11ec14d9127429f9a0f3f716f22
112943Author: Brad Spengler <spender@grsecurity.net>
112944Date: Sun Mar 17 20:51:50 2013 -0400
112945
112946 fix typo
112947
112948 grsecurity/gracl.c | 2 +-
112949 1 files changed, 1 insertions(+), 1 deletions(-)
112950
112951commit deb85b00d0f9f886e264e116313f298401ec5c59
112952Author: Brad Spengler <spender@grsecurity.net>
112953Date: Sun Mar 17 20:03:33 2013 -0400
112954
112955 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
112956 with a subject applied to it with RES_CPU. Otherwise, the limit will only
112957 begin to be applied at fork time.
112958
112959 Thanks to Bjornar Ness for the report.
112960
112961 grsecurity/gracl.c | 4 ++++
112962 1 files changed, 4 insertions(+), 0 deletions(-)
112963
112964commit 2126421f123513f604ceef2b23ba9ed516de7e58
112965Author: Brad Spengler <spender@grsecurity.net>
112966Date: Sat Mar 16 22:07:43 2013 -0400
112967
112968 Move inode auditing prior to our refcnt dropping
112969
112970 fs/namei.c | 2 +-
112971 1 files changed, 1 insertions(+), 1 deletions(-)
112972
112973commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
112974Author: Brad Spengler <spender@grsecurity.net>
112975Date: Sat Mar 16 22:00:30 2013 -0400
112976
112977 Drop reference on completed path walked in RCU mode or when violating
112978 the chroot fchdir check inside a chroot -- possible culprit for a reported
112979 vfsmount_lock hang during unmount
112980
112981 fs/namei.c | 8 ++++++--
112982 1 files changed, 6 insertions(+), 2 deletions(-)
112983
112984commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
112985Author: Brad Spengler <spender@grsecurity.net>
112986Date: Sat Mar 16 16:43:45 2013 -0400
112987
112988 add user_arg_ptr back to exec.c
112989
112990 fs/exec.c | 12 ++++++++++++
112991 1 files changed, 12 insertions(+), 0 deletions(-)
112992
112993commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
112994Author: Brad Spengler <spender@grsecurity.net>
112995Date: Sat Mar 16 11:22:36 2013 -0400
112996
112997 Don't globally include compat.h -- with the new X32 support it
112998 changes some definitions involving ELF binaries resulting in invalid
112999 coredumps, as reported by KDE on the forums:
113000 http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
113001 Thanks to the PaX Team for debugging
113002
113003 fs/exec.c | 3 +++
113004 grsecurity/grsec_exec.c | 13 +++++++++++++
113005 include/linux/grsecurity.h | 15 ---------------
113006 3 files changed, 16 insertions(+), 15 deletions(-)
113007
113008commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
113009Author: Brad Spengler <spender@grsecurity.net>
113010Date: Thu Mar 14 20:59:26 2013 -0400
113011
113012 Add peer information to /proc/net/unix from Kenan Kalajdzic:
113013 http://marc.info/?l=linux-netdev&m=126745636809191&w=2
113014
113015 We use a "P" prefix to the inode number instead of "peer=". This
113016 additional information can be used, for instance, to find what processes
113017 are connected to MySQL's unix domain socket.
113018
113019 net/unix/af_unix.c | 12 +++++++++---
113020 1 files changed, 9 insertions(+), 3 deletions(-)
113021
113022commit 1cd623d11a462d151ea8a5cace4521e1724911a3
113023Author: Oliver Neukum <oneukum@suse.de>
113024Date: Tue Mar 12 14:52:42 2013 +0100
113025
113026 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
113027
113028 USB: cdc-wdm: fix buffer overflow
113029
113030 The buffer for responses must not overflow.
113031 If this would happen, set a flag, drop the data and return
113032 an error after user space has read all remaining data.
113033
113034 Signed-off-by: Oliver Neukum <oliver@neukum.org>
113035 CC: stable@kernel.org
113036 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
113037
113038 drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
113039 1 files changed, 20 insertions(+), 3 deletions(-)
113040
113041commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
113042Merge: 9cdf9bc db4cb92
113043Author: Brad Spengler <spender@grsecurity.net>
113044Date: Thu Mar 14 20:23:14 2013 -0400
113045
113046 Merge branch 'pax-test' into grsec-test
113047
113048 Conflicts:
113049 security/keys/compat.c
113050
113051commit db4cb924546e3fec3a59f78d056f48176eaf7100
113052Author: Brad Spengler <spender@grsecurity.net>
113053Date: Thu Mar 14 20:22:24 2013 -0400
113054
113055 Update to pax-linux-3.8.2-test8.patch
113056
113057 arch/arm/include/asm/cache.h | 2 ++
113058 arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
113059 arch/arm/mach-omap2/omap_device.c | 4 ++--
113060 arch/arm/mach-omap2/omap_device.h | 4 ++--
113061 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
113062 5 files changed, 19 insertions(+), 15 deletions(-)
113063
113064commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
113065Merge: 3c865f9 1a45c31
113066Author: Brad Spengler <spender@grsecurity.net>
113067Date: Thu Mar 14 20:20:54 2013 -0400
113068
113069 Merge branch 'linux-3.8.y' into pax-test
113070
113071 Conflicts:
113072 arch/arm/include/asm/delay.h
113073 arch/arm/include/asm/pgtable.h
113074 arch/arm/lib/delay.c
113075 security/keys/compat.c
113076
113077commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
113078Author: Al Viro <viro@ZenIV.linux.org.uk>
113079Date: Tue Mar 12 02:59:49 2013 +0000
113080
113081 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
113082
113083 vfs: fix pipe counter breakage
113084
113085 If you open a pipe for neither read nor write, the pipe code will not
113086 add any usage counters to the pipe, causing the 'struct pipe_inode_info"
113087 to be potentially released early.
113088
113089 That doesn't normally matter, since you cannot actually use the pipe,
113090 but the pipe release code - particularly fasync handling - still expects
113091 the actual pipe infrastructure to all be there. And rather than adding
113092 NULL pointer checks, let's just disallow this case, the same way we
113093 already do for the named pipe ("fifo") case.
113094
113095 This is ancient going back to pre-2.4 days, and until trinity, nobody
113096 naver noticed.
113097
113098 Reported-by: Dave Jones <davej@redhat.com>
113099 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
113100
113101 fs/pipe.c | 3 +++
113102 1 files changed, 3 insertions(+), 0 deletions(-)
113103
113104commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
113105Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
113106Date: Mon Feb 25 10:20:36 2013 -0500
113107
113108 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
113109
113110 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
113111
113112 Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
113113 compat_process_vm_rw() shows that the compatibility code requires an
113114 explicit "access_ok()" check before calling
113115 compat_rw_copy_check_uvector(). The same difference seems to appear when
113116 we compare fs/read_write.c:do_readv_writev() to
113117 fs/compat.c:compat_do_readv_writev().
113118
113119 This subtle difference between the compat and non-compat requirements
113120 should probably be debated, as it seems to be error-prone. In fact,
113121 there are two others sites that use this function in the Linux kernel,
113122 and they both seem to get it wrong:
113123
113124 Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
113125 also ends up calling compat_rw_copy_check_uvector() through
113126 aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
113127 be missing. Same situation for
113128 security/keys/compat.c:compat_keyctl_instantiate_key_iov().
113129
113130 I propose that we add the access_ok() check directly into
113131 compat_rw_copy_check_uvector(), so callers don't have to worry about it,
113132 and it therefore makes the compat call code similar to its non-compat
113133 counterpart. Place the access_ok() check in the same location where
113134 copy_from_user() can trigger a -EFAULT error in the non-compat code, so
113135 the ABI behaviors are alike on both compat and non-compat.
113136
113137 While we are here, fix compat_do_readv_writev() so it checks for
113138 compat_rw_copy_check_uvector() negative return values.
113139
113140 And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
113141 handling.
113142
113143 Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
113144 Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
113145 Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
113146 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
113147
113148 Conflicts:
113149
113150 security/keys/compat.c
113151
113152 fs/compat.c | 15 +++++++--------
113153 mm/process_vm_access.c | 8 --------
113154 security/keys/compat.c | 3 ++-
113155 3 files changed, 9 insertions(+), 17 deletions(-)
113156
113157commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
113158Author: Brad Spengler <spender@grsecurity.net>
113159Date: Mon Mar 11 18:38:38 2013 -0400
113160
113161 Fix leak of signal handler addresses across execve, found by Emese Revfy
113162
113163 kernel/signal.c | 3 +++
113164 1 files changed, 3 insertions(+), 0 deletions(-)
113165
113166commit 79b130c4b11c7940daf2b33d653a17666331c634
113167Merge: 6480ce9 3c865f9
113168Author: Brad Spengler <spender@grsecurity.net>
113169Date: Sun Mar 10 20:04:03 2013 -0400
113170
113171 Merge branch 'pax-test' into grsec-test
113172
113173commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
113174Author: Brad Spengler <spender@grsecurity.net>
113175Date: Sun Mar 10 20:03:12 2013 -0400
113176
113177 Update to pax-linux-3.8.2-test7.patch:
113178 - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
113179 - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
113180
113181 fs/binfmt_elf.c | 3 ++-
113182 fs/exec.c | 3 +++
113183 include/linux/mm_types.h | 2 +-
113184 init/main.c | 4 ++--
113185 mm/mmap.c | 2 +-
113186 mm/page_alloc.c | 4 ++--
113187 tools/gcc/latent_entropy_plugin.c | 11 +++++++----
113188 7 files changed, 18 insertions(+), 11 deletions(-)
113189
113190commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
113191Merge: 4a5305e 25b3569
113192Author: Brad Spengler <spender@grsecurity.net>
113193Date: Sun Mar 10 10:41:16 2013 -0400
113194
113195 Merge branch 'pax-test' into grsec-test
113196
113197commit 25b356980568bed9958315bb5a551fdc610055ed
113198Author: Brad Spengler <spender@grsecurity.net>
113199Date: Sun Mar 10 10:40:48 2013 -0400
113200
113201 Update to pax-linux-3.8.2-test6.patch:
113202 - fixed a KERNEXEC false positive on arm reported by Gu1
113203 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
113204 - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
113205 - added fix from spender for some namespace breakage reported by zakalwe
113206 - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
113207
113208 Documentation/kernel-parameters.txt | 5 +++++
113209 arch/arm/kernel/patch.c | 2 ++
113210 arch/x86/kernel/sys_i386_32.c | 5 +++--
113211 drivers/acpi/blacklist.c | 2 +-
113212 drivers/video/aty/mach64_cursor.c | 1 +
113213 init/main.c | 4 ----
113214 mm/page_alloc.c | 27 +++++++++++++++++++++++++++
113215 net/ipv4/ip_fragment.c | 2 +-
113216 security/Kconfig | 5 +++++
113217 tools/gcc/latent_entropy_plugin.c | 7 +++++--
113218 10 files changed, 50 insertions(+), 10 deletions(-)
113219
113220commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
113221Author: Brad Spengler <spender@grsecurity.net>
113222Date: Sat Mar 9 11:19:06 2013 -0500
113223
113224 From: Mathias Krause <minipli@googlemail.com>
113225 To: "David S. Miller" <davem@davemloft.net>
113226 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
113227 Stephen Hemminger <stephen@networkplumber.org>
113228 Subject: [PATCH 1/3] bridge: fix mdb info leaks
113229 Date: Sat, 9 Mar 2013 16:52:19 +0100
113230
113231 The bridging code discloses heap and stack bytes via the RTM_GETMDB
113232 netlink interface and via the notify messages send to group RTNLGRP_MDB
113233 afer a successful add/del.
113234
113235 Fix both cases by initializing all unset members/padding bytes with
113236 memset(0).
113237
113238 Cc: Stephen Hemminger <stephen@networkplumber.org>
113239 Signed-off-by: Mathias Krause <minipli@googlemail.com>
113240
113241 From: Mathias Krause <minipli@googlemail.com>
113242 To: "David S. Miller" <davem@davemloft.net>
113243 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
113244 Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
113245 Date: Sat, 9 Mar 2013 16:52:20 +0100
113246
113247 Initialize the mac address buffer with 0 as the driver specific function
113248 will probably not fill the whole buffer. In fact, all in-kernel drivers
113249 fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
113250 bytes. Therefore we currently leak 26 bytes of stack memory to userland
113251 via the netlink interface.
113252
113253 Signed-off-by: Mathias Krause <minipli@googlemail.com>
113254
113255 From: Mathias Krause <minipli@googlemail.com>
113256 To: "David S. Miller" <davem@davemloft.net>
113257 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
113258 Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
113259 Date: Sat, 9 Mar 2013 16:52:21 +0100
113260
113261 The dcb netlink interface leaks stack memory in various places:
113262 * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
113263 copied completely,
113264 * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
113265 so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
113266 for ieee_pfc structs, etc.,
113267 * the same is true for CEE -- no in-kernel driver fills the whole
113268 struct,
113269
113270 Prevent all of the above stack info leaks by properly initializing the
113271 buffers/structures involved.
113272
113273 Signed-off-by: Mathias Krause <minipli@googlemail.com>
113274
113275 net/bridge/br_mdb.c | 4 ++++
113276 net/core/rtnetlink.c | 1 +
113277 net/dcb/dcbnl.c | 8 ++++++++
113278 3 files changed, 13 insertions(+), 0 deletions(-)
113279
113280commit 601dd446f896e3a362f706943df18a68d50420a1
113281Author: Brad Spengler <spender@grsecurity.net>
113282Date: Sat Mar 9 09:35:25 2013 -0500
113283
113284 add open/close wrappers in __patch_text() as reported by Gu1 on IRC
113285
113286 arch/arm/kernel/patch.c | 2 ++
113287 1 files changed, 2 insertions(+), 0 deletions(-)
113288
113289commit ae39966fd85a493e9079b357e3faa62245a41222
113290Author: Peter Hurley <peter@hurleysoftware.com>
113291Date: Fri Mar 8 12:43:27 2013 -0800
113292
113293 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
113294
113295 ipc: don't allocate a copy larger than max
113296
113297 When MSG_COPY is set, a duplicate message must be allocated for the copy
113298 before locking the queue. However, the copy could not be larger than was
113299 sent which is limited to msg_ctlmax.
113300
113301 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
113302 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
113303 Cc: <stable@vger.kernel.org>
113304 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
113305 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
113306
113307 ipc/msg.c | 6 ++++--
113308 1 files changed, 4 insertions(+), 2 deletions(-)
113309
113310commit 61240e99650ea3e540a03a3e994349c5086f166b
113311Author: Peter Hurley <peter@hurleysoftware.com>
113312Date: Fri Mar 8 12:43:26 2013 -0800
113313
113314 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
113315
113316 ipc: fix potential oops when src msg > 4k w/ MSG_COPY
113317
113318 If the src msg is > 4k, then dest->next points to the
113319 next allocated segment; resetting it just prior to dereferencing
113320 is bad.
113321
113322 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
113323 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
113324 Cc: <stable@vger.kernel.org>
113325 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
113326 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
113327
113328 ipc/msgutil.c | 3 ---
113329 1 files changed, 0 insertions(+), 3 deletions(-)
113330
113331commit 51727f602a267f34fb2e0dc9557f1714028d51a2
113332Author: Brad Spengler <spender@grsecurity.net>
113333Date: Fri Mar 8 22:14:06 2013 -0500
113334
113335 add missing 'else' in recent constify fixups
113336
113337 net/ipv4/ip_fragment.c | 2 +-
113338 1 files changed, 1 insertions(+), 1 deletions(-)
113339
113340commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
113341Merge: 1580bb3 47c3f47
113342Author: Brad Spengler <spender@grsecurity.net>
113343Date: Fri Mar 8 18:18:37 2013 -0500
113344
113345 Merge branch 'pax-test' into grsec-test
113346
113347commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
113348Author: Brad Spengler <spender@grsecurity.net>
113349Date: Fri Mar 8 18:17:22 2013 -0500
113350
113351 Update to pax-linux-3.8.2-test5.patch:
113352 - fixed some fallout after the last round of constification changes, reported by several people
113353
113354 arch/arm/common/gic.c | 4 ++--
113355 arch/arm/include/asm/hardware/gic.h | 3 ++-
113356 arch/x86/include/asm/nmi.h | 2 +-
113357 arch/x86/kernel/nmi.c | 2 +-
113358 arch/x86/pci/irq.c | 2 +-
113359 drivers/base/power/domain.c | 4 ++--
113360 drivers/cpufreq/cpufreq_governor.c | 4 ++--
113361 drivers/mfd/twl4030-irq.c | 1 +
113362 drivers/video/vesafb.c | 7 +++++--
113363 include/linux/irq.h | 1 +
113364 include/linux/pm_domain.h | 2 +-
113365 kernel/sched/core.c | 4 ++++
113366 lib/Kconfig.debug | 4 ++--
113367 net/core/sysctl_net_core.c | 2 +-
113368 net/decnet/af_decnet.c | 1 +
113369 net/ipv4/devinet.c | 2 +-
113370 net/ipv4/ip_fragment.c | 2 +-
113371 net/ipv4/route.c | 2 +-
113372 net/ipv4/sysctl_net_ipv4.c | 2 +-
113373 net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
113374 net/ipv6/reassembly.c | 2 +-
113375 scripts/sortextable.h | 6 +++---
113376 22 files changed, 36 insertions(+), 25 deletions(-)
113377
113378commit 1580bb38b4db0bf2a46316599815e8b234edad81
113379Author: Brad Spengler <spender@grsecurity.net>
113380Date: Thu Mar 7 22:02:59 2013 -0500
113381
113382 add an additional open/close wrapper
113383
113384 kernel/sched/core.c | 2 ++
113385 1 files changed, 2 insertions(+), 0 deletions(-)
113386
113387commit 21622672d28d58e0d93a805cd1f9650a894a752a
113388Author: Brad Spengler <spender@grsecurity.net>
113389Date: Thu Mar 7 21:58:24 2013 -0500
113390
113391 fix oops at shutdown with new constify code
113392
113393 kernel/sched/core.c | 2 ++
113394 1 files changed, 2 insertions(+), 0 deletions(-)
113395
113396commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
113397Author: Brad Spengler <spender@grsecurity.net>
113398Date: Thu Mar 7 21:18:44 2013 -0500
113399
113400 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
113401 it currently conflicts with some lock debugging options, so made as an
113402 option to allow for debugging when necessary
113403
113404 Makefile | 2 --
113405 lib/Kconfig.debug | 6 +++---
113406 security/Kconfig | 18 ++++++++++++++++++
113407 3 files changed, 21 insertions(+), 5 deletions(-)
113408
113409commit 0885b00b8373a1597b69c38032a0c9eee279303b
113410Author: Brad Spengler <spender@grsecurity.net>
113411Date: Thu Mar 7 20:55:19 2013 -0500
113412
113413 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
113414
113415 lib/Kconfig.debug | 2 +-
113416 1 files changed, 1 insertions(+), 1 deletions(-)
113417
113418commit c8a2617165e7127a54f293cbf57d22d50dd83abd
113419Author: Brad Spengler <spender@grsecurity.net>
113420Date: Thu Mar 7 20:30:41 2013 -0500
113421
113422 Fix error:
113423 drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
113424 with cast and proper kernexec accessors
113425
113426 drivers/video/vesafb.c | 7 +++++--
113427 1 files changed, 5 insertions(+), 2 deletions(-)
113428
113429commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
113430Author: Brad Spengler <spender@grsecurity.net>
113431Date: Thu Mar 7 20:20:28 2013 -0500
113432
113433 fix typo
113434
113435 grsecurity/gracl.c | 2 +-
113436 1 files changed, 1 insertions(+), 1 deletions(-)
113437
113438commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
113439Author: Brad Spengler <spender@grsecurity.net>
113440Date: Thu Mar 7 20:12:17 2013 -0500
113441
113442 fix compilation error -- no reason for task_pid_nr to not take a const task ptr
113443
113444 include/linux/sched.h | 2 +-
113445 1 files changed, 1 insertions(+), 1 deletions(-)
113446
113447commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
113448Author: Kees Cook <keescook@chromium.org>
113449Date: Mon Feb 25 21:32:25 2013 +0000
113450
113451 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
113452
113453 proc connector: reject unprivileged listener bumps
113454
113455 While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
113456 for an unprivileged user to turn off notifications for all listeners by
113457 sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
113458 required for a multicast bind.
113459
113460 Signed-off-by: Kees Cook <keescook@chromium.org>
113461 Cc: Evgeniy Polyakov <zbr@ioremap.net>
113462 Cc: Matt Helsley <matthltc@us.ibm.com>
113463 Cc: stable@vger.kernel.org
113464 Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
113465 Acked-by: Matt Helsley <matthltc@us.ibm.com>
113466 Signed-off-by: David S. Miller <davem@davemloft.net>
113467
113468 drivers/connector/cn_proc.c | 8 ++++++++
113469 1 files changed, 8 insertions(+), 0 deletions(-)
113470
113471commit ac6014ded57101e3e608941555ff507e20c1ece3
113472Author: Dan Carpenter <dan.carpenter@oracle.com>
113473Date: Tue Feb 26 19:15:02 2013 +0000
113474
113475 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
113476
113477 irda: small read beyond end of array in debug code
113478
113479 charset comes from skb->data. It's a number in the 0-255 range.
113480 If we have debugging turned on then this could cause a read beyond
113481 the end of the array.
113482
113483 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
113484 Signed-off-by: David S. Miller <davem@davemloft.net>
113485
113486 net/irda/iriap.c | 7 +++++--
113487 1 files changed, 5 insertions(+), 2 deletions(-)
113488
113489commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
113490Author: Guenter Roeck <linux@roeck-us.net>
113491Date: Wed Feb 27 10:57:31 2013 +0000
113492
113493 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
113494
113495 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
113496
113497 Building sctp may fail with:
113498
113499 In function ‘copy_from_user’,
113500 inlined from ‘sctp_getsockopt_assoc_stats’ at
113501 net/sctp/socket.c:5656:20:
113502 arch/x86/include/asm/uaccess_32.h:211:26: error: call to
113503 ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
113504 buffer size is not provably correct
113505
113506 if built with W=1 due to a missing parameter size validation
113507 before the call to copy_from_user.
113508
113509 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
113510 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
113511 Signed-off-by: David S. Miller <davem@davemloft.net>
113512
113513 net/sctp/socket.c | 6 +++---
113514 1 files changed, 3 insertions(+), 3 deletions(-)
113515
113516commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
113517Author: Guillaume Nault <g.nault@alphalink.fr>
113518Date: Fri Mar 1 05:02:02 2013 +0000
113519
113520 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
113521
113522 l2tp: Restore socket refcount when sendmsg succeeds
113523
113524 The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
113525 reference counter after successful transmissions. Any successful
113526 sendmsg() call from userspace will then increase the reference counter
113527 forever, thus preventing the kernel's session and tunnel data from
113528 being freed later on.
113529
113530 The problem only happens when writing directly on L2TP sockets.
113531 PPP sockets attached to L2TP are unaffected as the PPP subsystem
113532 uses pppol2tp_xmit() which symmetrically increase/decrease reference
113533 counters.
113534
113535 This patch adds the missing call to sock_put() before returning from
113536 pppol2tp_sendmsg().
113537
113538 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
113539 Signed-off-by: David S. Miller <davem@davemloft.net>
113540
113541 net/l2tp/l2tp_ppp.c | 1 +
113542 1 files changed, 1 insertions(+), 0 deletions(-)
113543
113544commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
113545Author: Cong Wang <amwang@redhat.com>
113546Date: Sun Mar 3 16:18:11 2013 +0000
113547
113548 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
113549
113550 rds: limit the size allocated by rds_message_alloc()
113551
113552 Dave Jones reported the following bug:
113553
113554 "When fed mangled socket data, rds will trust what userspace gives it,
113555 and tries to allocate enormous amounts of memory larger than what
113556 kmalloc can satisfy."
113557
113558 WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
113559 Hardware name: GA-MA78GM-S2H
113560 Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
113561 Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
113562 Call Trace:
113563 [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
113564 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
113565 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
113566 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
113567 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
113568 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
113569 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
113570 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
113571 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
113572 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
113573 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
113574 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
113575 [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
113576 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
113577 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
113578 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
113579 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
113580 [<ffffffff81567f30>] sys_sendto+0x130/0x180
113581 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
113582 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
113583 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
113584 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
113585 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
113586 [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
113587 ---[ end trace eed6ae990d018c8b ]---
113588
113589 Reported-by: Dave Jones <davej@redhat.com>
113590 Cc: Dave Jones <davej@redhat.com>
113591 Cc: David S. Miller <davem@davemloft.net>
113592 Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
113593 Signed-off-by: Cong Wang <amwang@redhat.com>
113594 Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
113595 Signed-off-by: David S. Miller <davem@davemloft.net>
113596
113597 net/rds/message.c | 3 +++
113598 1 files changed, 3 insertions(+), 0 deletions(-)
113599
113600commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
113601Author: Cong Wang <amwang@redhat.com>
113602Date: Sun Mar 3 16:28:27 2013 +0000
113603
113604 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
113605
113606 sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
113607
113608 Don't definite its own MAX_KMALLOC_SIZE, use the one
113609 defined in mm.
113610
113611 Cc: Vlad Yasevich <vyasevich@gmail.com>
113612 Cc: Sridhar Samudrala <sri@us.ibm.com>
113613 Cc: Neil Horman <nhorman@tuxdriver.com>
113614 Cc: David S. Miller <davem@davemloft.net>
113615 Signed-off-by: Cong Wang <amwang@redhat.com>
113616 Acked-by: Neil Horman <nhorman@tuxdriver.com>
113617 Signed-off-by: David S. Miller <davem@davemloft.net>
113618
113619 net/sctp/ssnmap.c | 8 +++-----
113620 1 files changed, 3 insertions(+), 5 deletions(-)
113621
113622commit 4295a024e812f903fc580c81de5e81cc149503fa
113623Author: Brad Spengler <spender@grsecurity.net>
113624Date: Thu Mar 7 17:57:49 2013 -0500
113625
113626 Upstream commit: https://lkml.org/lkml/2013/3/6/535
113627
113628 security/keys/process_keys.c | 2 +-
113629 1 files changed, 1 insertions(+), 1 deletions(-)
113630
113631commit 33edd486a9899a145a15586d7134636b0300aaee
113632Merge: 4eeeaf3 a2a2094
113633Author: Brad Spengler <spender@grsecurity.net>
113634Date: Thu Mar 7 17:53:00 2013 -0500
113635
113636 Merge branch 'pax-test' into grsec-test
113637
113638 Conflicts:
113639 arch/arm/include/asm/domain.h
113640
113641commit a2a20947f5e1332e474160a39af520738b3c8c19
113642Author: Brad Spengler <spender@grsecurity.net>
113643Date: Thu Mar 7 17:51:04 2013 -0500
113644
113645 Update to pax-linux-3.8.2-test4.patch:
113646 fixed arm compilation problems reported by Michael Tremer
113647 - the constify plugin got smarter that enabled, with some additional patching,
113648 the elimination of about half the static function pointers on amd64/allmod
113649 (up from about 18%), depending on the kernel config it can be even more (70%)
113650
113651 Documentation/dontdiff | 2 +
113652 arch/arm/include/asm/domain.h | 1 +
113653 arch/x86/include/asm/i8259.h | 2 +-
113654 arch/x86/include/asm/nmi.h | 4 +-
113655 arch/x86/kernel/acpi/boot.c | 4 +-
113656 arch/x86/kernel/apic/apic_noop.c | 2 +-
113657 arch/x86/kernel/apic/es7000_32.c | 2 +-
113658 arch/x86/kernel/apic/io_apic.c | 10 +-
113659 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
113660 arch/x86/kernel/cpu/perf_event.c | 6 +-
113661 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
113662 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
113663 arch/x86/kernel/i8259.c | 6 +-
113664 arch/x86/kernel/io_delay.c | 2 +-
113665 arch/x86/kernel/nmi.c | 6 +-
113666 arch/x86/kernel/nmi_selftest.c | 4 +-
113667 arch/x86/kernel/pci-swiotlb.c | 2 +-
113668 arch/x86/oprofile/nmi_int.c | 8 +-
113669 arch/x86/oprofile/op_model_amd.c | 8 +-
113670 arch/x86/oprofile/op_model_ppro.c | 7 +-
113671 arch/x86/oprofile/op_x86_model.h | 2 +-
113672 arch/x86/pci/irq.c | 6 +-
113673 drivers/acpi/apei/apei-internal.h | 2 +-
113674 drivers/acpi/bgrt.c | 6 +-
113675 drivers/acpi/blacklist.c | 2 +-
113676 drivers/acpi/processor_idle.c | 2 +-
113677 drivers/acpi/sysfs.c | 4 +-
113678 drivers/base/bus.c | 4 +-
113679 drivers/base/node.c | 2 +-
113680 drivers/base/syscore.c | 4 +-
113681 drivers/block/drbd/drbd_receiver.c | 4 +-
113682 drivers/char/random.c | 2 +-
113683 drivers/cpufreq/acpi-cpufreq.c | 20 ++-
113684 drivers/cpufreq/cpufreq.c | 7 +-
113685 drivers/cpufreq/cpufreq_governor.c | 4 +-
113686 drivers/cpufreq/cpufreq_governor.h | 2 +-
113687 drivers/cpufreq/p4-clockmod.c | 12 +-
113688 drivers/cpufreq/speedstep-centrino.c | 7 +-
113689 drivers/cpuidle/cpuidle.c | 2 +-
113690 drivers/cpuidle/governor.c | 4 +-
113691 drivers/cpuidle/sysfs.c | 2 +-
113692 drivers/devfreq/devfreq.c | 4 +-
113693 drivers/edac/edac_mc_sysfs.c | 2 +-
113694 drivers/edac/edac_pci_sysfs.c | 2 +-
113695 drivers/firewire/core-device.c | 2 +-
113696 drivers/firmware/dmi-id.c | 2 +-
113697 drivers/firmware/efivars.c | 2 +-
113698 drivers/firmware/google/memconsole.c | 4 +-
113699 drivers/gpio/gpio-ich.c | 2 +-
113700 drivers/gpu/drm/drm_drv.c | 2 +-
113701 drivers/gpu/drm/drm_ioc32.c | 9 +-
113702 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
113703 drivers/gpu/drm/i915/intel_display.c | 26 ++-
113704 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
113705 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
113706 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
113707 drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
113708 drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
113709 drivers/gpu/drm/udl/udl_fb.c | 1 -
113710 drivers/hwmon/acpi_power_meter.c | 4 +-
113711 drivers/hwmon/applesmc.c | 2 +-
113712 drivers/hwmon/asus_atk0110.c | 10 +-
113713 drivers/hwmon/ibmaem.c | 2 +-
113714 drivers/hwmon/pmbus/pmbus_core.c | 2 +-
113715 drivers/iio/industrialio-core.c | 2 +-
113716 drivers/input/mouse/psmouse.h | 2 +-
113717 drivers/iommu/iommu.c | 2 +-
113718 drivers/leds/leds-clevo-mail.c | 2 +-
113719 drivers/leds/leds-ss4200.c | 2 +-
113720 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
113721 drivers/mfd/twl4030-irq.c | 8 +-
113722 drivers/mfd/twl6030-irq.c | 10 +-
113723 drivers/misc/c2port/core.c | 4 +-
113724 drivers/mtd/sm_ftl.c | 2 +-
113725 drivers/net/bonding/bond_main.c | 2 +-
113726 drivers/net/macvlan.c | 16 +-
113727 drivers/net/vxlan.c | 2 +-
113728 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
113729 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
113730 drivers/pci/hotplug/pciehp_core.c | 2 +-
113731 drivers/pci/pci-sysfs.c | 6 +-
113732 drivers/pci/pci.h | 2 +-
113733 drivers/platform/x86/msi-laptop.c | 14 +-
113734 drivers/platform/x86/sony-laptop.c | 2 +-
113735 drivers/power/power_supply.h | 4 +-
113736 drivers/power/power_supply_core.c | 6 +-
113737 drivers/power/power_supply_sysfs.c | 6 +-
113738 drivers/rtc/rtc-cmos.c | 4 +-
113739 drivers/rtc/rtc-ds1307.c | 2 +-
113740 drivers/rtc/rtc-m48t59.c | 4 +-
113741 drivers/scsi/bfa/bfa.h | 2 +-
113742 drivers/staging/iio/iio_hwmon.c | 2 +-
113743 drivers/usb/storage/usb.h | 2 +-
113744 drivers/video/aty/atyfb_base.c | 8 +-
113745 drivers/video/aty/mach64_cursor.c | 4 +-
113746 drivers/video/backlight/kb3886_bl.c | 2 +-
113747 drivers/video/fb_defio.c | 6 +-
113748 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
113749 drivers/video/nvidia/nvidia.c | 27 ++-
113750 drivers/video/s1d13xxxfb.c | 6 +-
113751 drivers/video/smscufx.c | 4 +-
113752 drivers/video/udlfb.c | 4 +-
113753 drivers/video/uvesafb.c | 14 +-
113754 fs/exec.c | 6 +-
113755 fs/ext4/super.c | 2 +-
113756 fs/jfs/super.c | 4 +-
113757 fs/nfs/callback_xdr.c | 2 +-
113758 fs/nfsd/nfs4proc.c | 2 +-
113759 fs/nfsd/nfs4xdr.c | 6 +-
113760 fs/nls/nls_base.c | 18 +-
113761 fs/nls/nls_euc-jp.c | 6 +-
113762 fs/nls/nls_koi8-ru.c | 6 +-
113763 fs/proc/proc_sysctl.c | 18 +-
113764 include/drm/drmP.h | 12 +-
113765 include/keys/asymmetric-subtype.h | 2 +-
113766 include/linux/atmdev.h | 2 +-
113767 include/linux/binfmts.h | 2 +-
113768 include/linux/configfs.h | 2 +-
113769 include/linux/cpufreq.h | 3 +-
113770 include/linux/cpuidle.h | 5 +-
113771 include/linux/devfreq.h | 2 +-
113772 include/linux/device.h | 7 +-
113773 include/linux/extcon.h | 2 +-
113774 include/linux/fb.h | 2 +-
113775 include/linux/fscache.h | 2 +-
113776 include/linux/genl_magic_func.h | 2 +-
113777 include/linux/hwmon-sysfs.h | 5 +-
113778 include/linux/iommu.h | 2 +-
113779 include/linux/irq.h | 2 +-
113780 include/linux/key-type.h | 2 +-
113781 include/linux/kobject.h | 1 +
113782 include/linux/kobject_ns.h | 2 +-
113783 include/linux/list.h | 14 +-
113784 include/linux/mod_devicetable.h | 2 +-
113785 include/linux/module.h | 5 +-
113786 include/linux/net.h | 2 +-
113787 include/linux/netfilter.h | 2 +-
113788 include/linux/nls.h | 2 +-
113789 include/linux/pci_hotplug.h | 3 +-
113790 include/linux/platform_data/usb-exynos.h | 2 +-
113791 include/linux/pnp.h | 2 +-
113792 include/linux/ppp-comp.h | 2 +-
113793 include/linux/rculist.h | 16 ++
113794 include/linux/sched.h | 2 +-
113795 include/linux/sock_diag.h | 2 +-
113796 include/linux/sunrpc/clnt.h | 2 +-
113797 include/linux/sunrpc/svc.h | 2 +-
113798 include/linux/sunrpc/svcauth.h | 2 +-
113799 include/linux/swiotlb.h | 3 +-
113800 include/linux/syscore_ops.h | 2 +-
113801 include/linux/sysctl.h | 6 +-
113802 include/linux/sysfs.h | 10 +-
113803 include/linux/sysrq.h | 1 +
113804 include/linux/xattr.h | 2 +-
113805 include/net/9p/transport.h | 2 +-
113806 include/net/bluetooth/l2cap.h | 2 +-
113807 include/net/genetlink.h | 2 +-
113808 include/net/ip.h | 2 +-
113809 include/net/ip_vs.h | 4 +-
113810 include/net/llc_c_ac.h | 2 +-
113811 include/net/llc_c_ev.h | 4 +-
113812 include/net/llc_c_st.h | 2 +-
113813 include/net/llc_s_ac.h | 2 +-
113814 include/net/llc_s_st.h | 2 +-
113815 include/net/mac80211.h | 2 +-
113816 include/net/net_namespace.h | 2 +-
113817 include/net/netns/conntrack.h | 6 +-
113818 include/net/rtnetlink.h | 2 +-
113819 include/net/sctp/sm.h | 4 +-
113820 include/net/sctp/structs.h | 2 +-
113821 include/net/xfrm.h | 4 +-
113822 ipc/ipc_sysctl.c | 10 +-
113823 ipc/mq_sysctl.c | 2 +-
113824 kernel/kmod.c | 2 +-
113825 kernel/ksysfs.c | 2 +-
113826 kernel/module.c | 4 +-
113827 kernel/pid_namespace.c | 2 +-
113828 kernel/rcutree_plugin.h | 2 +-
113829 kernel/sched/core.c | 39 ++--
113830 kernel/smpboot.c | 4 +-
113831 kernel/softirq.c | 2 +-
113832 kernel/sysctl.c | 2 +-
113833 kernel/utsname_sysctl.c | 2 +-
113834 kernel/watchdog.c | 2 +-
113835 lib/Kconfig.debug | 2 +-
113836 lib/kobject.c | 4 +-
113837 lib/list_debug.c | 57 ++++-
113838 lib/swiotlb.c | 2 +-
113839 mm/hugetlb.c | 16 +-
113840 mm/memory-failure.c | 2 +-
113841 mm/slab_common.c | 2 +-
113842 net/9p/mod.c | 4 +-
113843 net/ax25/sysctl_net_ax25.c | 2 +-
113844 net/core/neighbour.c | 2 +-
113845 net/core/net-sysfs.c | 2 +-
113846 net/core/net_namespace.c | 8 +-
113847 net/core/rtnetlink.c | 11 +-
113848 net/core/sock_diag.c | 9 +-
113849 net/core/sysctl_net_core.c | 15 +-
113850 net/ipv4/af_inet.c | 8 +-
113851 net/ipv4/devinet.c | 12 +-
113852 net/ipv4/inet_connection_sock.c | 2 +-
113853 net/ipv4/ip_fragment.c | 9 +-
113854 net/ipv4/ip_gre.c | 6 +-
113855 net/ipv4/ip_vti.c | 4 +-
113856 net/ipv4/ipip.c | 4 +-
113857 net/ipv4/route.c | 14 +-
113858 net/ipv4/sysctl_net_ipv4.c | 43 ++--
113859 net/ipv6/addrconf.c | 4 +-
113860 net/ipv6/icmp.c | 2 +-
113861 net/ipv6/ip6_gre.c | 6 +-
113862 net/ipv6/ip6_tunnel.c | 4 +-
113863 net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
113864 net/ipv6/reassembly.c | 11 +-
113865 net/ipv6/route.c | 2 +-
113866 net/ipv6/sit.c | 4 +-
113867 net/ipv6/sysctl_net_ipv6.c | 2 +-
113868 net/netfilter/ipset/ip_set_core.c | 2 +-
113869 net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
113870 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
113871 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
113872 net/netfilter/nf_conntrack_acct.c | 2 +-
113873 net/netfilter/nf_conntrack_ecache.c | 2 +-
113874 net/netfilter/nf_conntrack_helper.c | 2 +-
113875 net/netfilter/nf_conntrack_proto.c | 2 +-
113876 net/netfilter/nf_conntrack_standalone.c | 2 +-
113877 net/netfilter/nf_conntrack_timestamp.c | 2 +-
113878 net/netfilter/nf_log.c | 10 +-
113879 net/netfilter/nf_sockopt.c | 4 +-
113880 net/netlink/genetlink.c | 16 +-
113881 net/phonet/sysctl.c | 2 +-
113882 net/rds/rds.h | 2 +-
113883 net/sctp/ipv6.c | 6 +-
113884 net/sctp/protocol.c | 10 +-
113885 net/sctp/sm_sideeffect.c | 2 +-
113886 net/sctp/sysctl.c | 4 +-
113887 net/sunrpc/clnt.c | 4 +-
113888 net/sunrpc/svc.c | 4 +-
113889 net/unix/sysctl_net_unix.c | 2 +-
113890 net/xfrm/xfrm_policy.c | 11 +-
113891 net/xfrm/xfrm_state.c | 29 ++-
113892 net/xfrm/xfrm_sysctl.c | 2 +-
113893 security/apparmor/lsm.c | 2 +-
113894 security/keys/key.c | 18 +-
113895 security/yama/yama_lsm.c | 22 +-
113896 tools/gcc/Makefile | 4 +-
113897 tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
113898 tools/gcc/size_overflow_plugin.c | 7 +-
113899 248 files changed, 994 insertions(+), 668 deletions(-)
113900
113901commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
113902Author: Brad Spengler <spender@grsecurity.net>
113903Date: Wed Mar 6 12:58:21 2013 -0500
113904
113905 Make slab_state __read_only, it's only written to during init
113906
113907 mm/slab_common.c | 2 +-
113908 1 files changed, 1 insertions(+), 1 deletions(-)
113909
113910commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
113911Author: Brad Spengler <spender@grsecurity.net>
113912Date: Wed Mar 6 12:31:35 2013 -0500
113913
113914 Make two new helper functions:
113915 gr_is_global_root() and gr_is_global_nonroot()
113916
113917 grsecurity/gracl.c | 10 +++++-----
113918 grsecurity/gracl_segv.c | 2 +-
113919 grsecurity/grsec_link.c | 4 ++--
113920 grsecurity/grsec_sig.c | 10 +++++-----
113921 grsecurity/grsec_tpe.c | 6 +++---
113922 include/linux/uidgid.h | 2 ++
113923 6 files changed, 18 insertions(+), 16 deletions(-)
113924
113925commit d45d88eddd4998b280b1e5b5384289ee11ca7088
113926Author: Brad Spengler <spender@grsecurity.net>
113927Date: Wed Mar 6 12:14:41 2013 -0500
113928
113929 convert remaining task->pid to task_pid_nr(task)
113930
113931 grsecurity/gracl.c | 22 +++++++++++-----------
113932 grsecurity/gracl_shm.c | 2 +-
113933 grsecurity/grsec_chroot.c | 4 ++--
113934 grsecurity/grsec_sig.c | 4 ++--
113935 4 files changed, 16 insertions(+), 16 deletions(-)
113936
113937commit c877f2ece03ee2232dd281c1977ae59507297124
113938Author: Brad Spengler <spender@grsecurity.net>
113939Date: Tue Mar 5 17:29:54 2013 -0500
113940
113941 compat-log is only used anymore by vm86-on-64bit and allows unlimited
113942 spamming of the kernel log buffer (and since it includes the changable
113943 process name, can avoid syslog log deduplication)
113944 Turn it off by default
113945
113946 fs/compat.c | 2 +-
113947 1 files changed, 1 insertions(+), 1 deletions(-)
113948
113949commit 7c1964c4b7276889d7967bee70e46918cdca1b14
113950Author: Brad Spengler <spender@grsecurity.net>
113951Date: Mon Mar 4 17:19:10 2013 -0500
113952
113953 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
113954 is enabled, introduced with recent userns support
113955
113956 init/main.c | 4 ++--
113957 1 files changed, 2 insertions(+), 2 deletions(-)
113958
113959commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
113960Author: Brad Spengler <spender@grsecurity.net>
113961Date: Sun Mar 3 18:46:12 2013 -0500
113962
113963 Prevent TOMOYO from auto-loading modules by unprivileged users
113964 (Only reachable if TOMOYO is actually used)
113965
113966 security/tomoyo/mount.c | 4 ++++
113967 1 files changed, 4 insertions(+), 0 deletions(-)
113968
113969commit 79e142f9455b398759ff9d93d4963a21b98dddda
113970Author: Brad Spengler <spender@grsecurity.net>
113971Date: Sun Mar 3 18:28:45 2013 -0500
113972
113973 For now, don't permit any special access to /proc in a user namespace
113974 Later we can go back and allow a userns-uid0 special access to a /proc
113975 with a non-global pid namespace
113976
113977 fs/proc/base.c | 2 +-
113978 1 files changed, 1 insertions(+), 1 deletions(-)
113979
113980commit 8b91fb393049ce5f3c0a86f62247409853fd9700
113981Merge: d931eb8 603ef05
113982Author: Brad Spengler <spender@grsecurity.net>
113983Date: Sun Mar 3 17:42:09 2013 -0500
113984
113985 Merge branch 'pax-test' into grsec-test
113986
113987commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
113988Author: Brad Spengler <spender@grsecurity.net>
113989Date: Sun Mar 3 17:41:31 2013 -0500
113990
113991 Fix compilation error on ARM reported by Michael Tremer
113992
113993 arch/arm/mach-omap2/wd_timer.c | 6 +++---
113994 1 files changed, 3 insertions(+), 3 deletions(-)
113995
113996commit b4c9ce81fdd7839a150c97873c710c479e788280
113997Author: Brad Spengler <spender@grsecurity.net>
113998Date: Sun Mar 3 17:39:53 2013 -0500
113999
114000 Fix compilation error on ARM reported by Michael Tremer
114001
114002 arch/arm/kernel/armksyms.c | 2 +-
114003 1 files changed, 1 insertions(+), 1 deletions(-)
114004
114005commit d931eb81ab3da46896268fd61373a6aa7bbea930
114006Merge: bfa7f44 5948f93
114007Author: Brad Spengler <spender@grsecurity.net>
114008Date: Sun Mar 3 17:34:36 2013 -0500
114009
114010 Merge branch 'pax-test' into grsec-test
114011
114012commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
114013Merge: ab30472 19b00d2
114014Author: Brad Spengler <spender@grsecurity.net>
114015Date: Sun Mar 3 17:34:08 2013 -0500
114016
114017 Merge branch 'linux-3.8.y' into pax-test
114018
114019commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
114020Author: Brad Spengler <spender@grsecurity.net>
114021Date: Sun Mar 3 15:12:12 2013 -0500
114022
114023 Initial support for user namespaces, as we previously didn't allow
114024 the option to be enabled at all.
114025
114026 RBAC will act on the global uids/gids only, so all uids/gids in user
114027 namespaces will be converted
114028
114029 Because Eric Biederman is insulted that I didn't support his
114030 backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
114031 check in for user namespaces, so this is generally irrelevant.
114032
114033 fs/exec.c | 6 +-
114034 fs/proc/base.c | 2 +-
114035 fs/proc/proc_net.c | 4 +-
114036 grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
114037 grsecurity/gracl_cap.c | 4 +-
114038 grsecurity/gracl_ip.c | 16 +++---
114039 grsecurity/gracl_segv.c | 12 +++-
114040 grsecurity/gracl_shm.c | 4 +-
114041 grsecurity/grsec_disabled.c | 10 ++--
114042 grsecurity/grsec_fifo.c | 6 +-
114043 grsecurity/grsec_init.c | 24 ++++----
114044 grsecurity/grsec_log.c | 3 -
114045 grsecurity/grsec_tpe.c | 6 +-
114046 include/linux/grinternal.h | 12 ++--
114047 include/linux/grsecurity.h | 12 ++--
114048 include/linux/uidgid.h | 3 +
114049 init/Kconfig | 2 -
114050 ipc/shm.c | 2 +-
114051 kernel/cred.c | 5 +-
114052 kernel/kallsyms.c | 2 +-
114053 kernel/kmod.c | 6 +-
114054 kernel/sys.c | 12 ++--
114055 22 files changed, 166 insertions(+), 115 deletions(-)
114056
114057commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
114058Author: Linus Torvalds <torvalds@linux-foundation.org>
114059Date: Wed Feb 27 08:36:04 2013 -0800
114060
114061 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
114062
114063 mm: do not grow the stack vma just because of an overrun on preceding vma
114064
114065 The stack vma is designed to grow automatically (marked with VM_GROWSUP
114066 or VM_GROWSDOWN depending on architecture) when an access is made beyond
114067 the existing boundary. However, particularly if you have not limited
114068 your stack at all ("ulimit -s unlimited"), this can cause the stack to
114069 grow even if the access was really just one past *another* segment.
114070
114071 And that's wrong, especially since we first grow the segment, but then
114072 immediately later enforce the stack guard page on the last page of the
114073 segment. So _despite_ first growing the stack segment as a result of
114074 the access, the kernel will then make the access cause a SIGSEGV anyway!
114075
114076 So do the same logic as the guard page check does, and consider an
114077 access to within one page of the next segment to be a bad access, rather
114078 than growing the stack to abut the next segment.
114079
114080 Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
114081 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114082
114083 mm/mmap.c | 27 +++++++++++++++++++++++++++
114084 1 files changed, 27 insertions(+), 0 deletions(-)
114085
114086commit 5596211af754867ca825f58e6e0300a8439950fe
114087Author: H. Peter Anvin <hpa@linux.intel.com>
114088Date: Wed Feb 27 12:46:40 2013 -0800
114089
114090 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
114091
114092 x86: Make sure we can boot in the case the BDA contains pure garbage
114093
114094 On non-BIOS platforms it is possible that the BIOS data area contains
114095 garbage instead of being zeroed or something equivalent (firmware
114096 people: we are talking of 1.5K here, so please do the sane thing.)
114097
114098 We need on the order of 20-30K of low memory in order to boot, which
114099 may grow up to < 64K in the future. We probably want to avoid the
114100 lowest of the low memory. At the same time, it seems extremely
114101 unlikely that a legitimate EBDA would ever reach down to the 128K
114102 (which would require it to be over half a megabyte in size.) Thus,
114103 pick 128K as the cutoff for "this is insane, ignore." We may still
114104 end up reserving a bunch of extra memory on the low megabyte, but that
114105 is not really a major issue these days. In the worst case we lose
114106 512K of RAM.
114107
114108 This code really should be merged with trim_bios_range() in
114109 arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
114110 window.
114111
114112 Reported-by: Darren Hart <dvhart@linux.intel.com>
114113 Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
114114 Cc: Matt Fleming <matt.fleming@intel.com>
114115 Cc: <stable@vger.kernel.org>
114116 Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
114117
114118 arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
114119 1 files changed, 34 insertions(+), 19 deletions(-)
114120
114121commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
114122Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
114123Date: Wed Feb 27 17:05:46 2013 -0800
114124
114125 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
114126
114127 memstick: move the dereference below the NULL test
114128
114129 The dereference should be moved below the NULL test.
114130
114131 spatch with a semantic match is used to found this.
114132 (http://coccinelle.lip6.fr/)
114133
114134 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
114135 Cc: Maxim Levitsky <maximlevitsky@gmail.com>
114136 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
114137 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114138
114139 drivers/memstick/host/r592.c | 3 ++-
114140 1 files changed, 2 insertions(+), 1 deletions(-)
114141
114142commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
114143Author: Xi Wang <xi.wang@gmail.com>
114144Date: Wed Feb 27 17:05:21 2013 -0800
114145
114146 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
114147
114148 sysctl: fix null checking in bin_dn_node_address()
114149
114150 The null check of `strchr() + 1' is broken, which is always non-null,
114151 leading to OOB read. Instead, check the result of strchr().
114152
114153 Signed-off-by: Xi Wang <xi.wang@gmail.com>
114154 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
114155 Cc: <stable@vger.kernel.org>
114156 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
114157 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114158
114159 kernel/sysctl_binary.c | 3 ++-
114160 1 files changed, 2 insertions(+), 1 deletions(-)
114161
114162commit 7ca96db0817416fd40761e7437d1939fc0731380
114163Author: Tejun Heo <tj@kernel.org>
114164Date: Wed Feb 27 17:03:34 2013 -0800
114165
114166 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
114167
114168 idr: fix a subtle bug in idr_get_next()
114169
114170 The iteration logic of idr_get_next() is borrowed mostly verbatim from
114171 idr_for_each(). It walks down the tree looking for the slot matching
114172 the current ID. If the matching slot is not found, the ID is
114173 incremented by the distance of single slot at the given level and
114174 repeats.
114175
114176 The implementation assumes that during the whole iteration id is aligned
114177 to the layer boundaries of the level closest to the leaf, which is true
114178 for all iterations starting from zero or an existing element and thus is
114179 fine for idr_for_each().
114180
114181 However, idr_get_next() may be given any point and if the starting id
114182 hits in the middle of a non-existent layer, increment to the next layer
114183 will end up skipping the same offset into it. For example, an IDR with
114184 IDs filled between [64, 127] would look like the following.
114185
114186 [ 0 64 ... ]
114187 /----/ |
114188 | |
114189 NULL [ 64 ... 127 ]
114190
114191 If idr_get_next() is called with 63 as the starting point, it will try
114192 to follow down the pointer from 0. As it is NULL, it will then try to
114193 proceed to the next slot in the same level by adding the slot distance
114194 at that level which is 64 - making the next try 127. It goes around the
114195 loop and finds and returns 127 skipping [64, 126].
114196
114197 Note that this bug also triggers in idr_for_each_entry() loop which
114198 deletes during iteration as deletions can make layers go away leaving
114199 the iteration with unaligned ID into missing layers.
114200
114201 Fix it by ensuring proceeding to the next slot doesn't carry over the
114202 unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
114203 id += slot_distance.
114204
114205 Signed-off-by: Tejun Heo <tj@kernel.org>
114206 Reported-by: David Teigland <teigland@redhat.com>
114207 Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
114208 Cc: <stable@vger.kernel.org>
114209 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
114210 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114211
114212 lib/idr.c | 9 ++++++++-
114213 1 files changed, 8 insertions(+), 1 deletions(-)
114214
114215commit 745362f28034f54242ba2e64eaa7374ab9869613
114216Author: Brad Spengler <spender@grsecurity.net>
114217Date: Fri Mar 1 20:31:42 2013 -0500
114218
114219 Fix dentry use-after-free after failed complete_walk() with RBAC enabled
114220 Many thanks to zakalwe from #grsecurity for the report and debugging help
114221
114222 fs/namei.c | 8 +++-----
114223 1 files changed, 3 insertions(+), 5 deletions(-)
114224
114225commit b53b3b14330920c6f7cfb74c8508a3026e1be620
114226Author: Brad Spengler <spender@grsecurity.net>
114227Date: Thu Feb 28 18:29:26 2013 -0500
114228
114229 Fix bad git merge
114230
114231 fs/namespace.c | 8 --------
114232 1 files changed, 0 insertions(+), 8 deletions(-)
114233
114234commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
114235Merge: 1cce1dd ab30472
114236Author: Brad Spengler <spender@grsecurity.net>
114237Date: Thu Feb 28 17:45:14 2013 -0500
114238
114239 Merge branch 'pax-test' into grsec-test
114240
114241 Conflicts:
114242 net/core/sock_diag.c
114243
114244commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
114245Merge: 4b61d21 4c91a0e
114246Author: Brad Spengler <spender@grsecurity.net>
114247Date: Thu Feb 28 17:43:56 2013 -0500
114248
114249 Merge branch 'linux-3.8.y' into pax-test
114250
114251commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
114252Author: Brad Spengler <spender@grsecurity.net>
114253Date: Wed Feb 27 22:20:22 2013 -0500
114254
114255 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
114256
114257 include/linux/sysrq.h | 1 +
114258 1 files changed, 1 insertions(+), 0 deletions(-)
114259
114260commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
114261Author: Brad Spengler <spender@grsecurity.net>
114262Date: Wed Feb 27 17:52:31 2013 -0500
114263
114264 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
114265
114266 kernel/printk.c | 12 +++++++-----
114267 1 files changed, 7 insertions(+), 5 deletions(-)
114268
114269commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
114270Author: Brad Spengler <spender@grsecurity.net>
114271Date: Wed Feb 27 17:23:46 2013 -0500
114272
114273 Fix upstream vulnerability from addition of a /dev/kmsg device
114274 while neglecting to add the same set of existing permission checks
114275 from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
114276 A temporary workaround without this patch would be to
114277 chmod 0600 /dev/kmsg (and is likely a good idea anyway).
114278
114279 Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
114280 Initially reported to Redhat bugzilla by Christian Kujau:
114281 https://bugzilla.redhat.com/show_bug.cgi?id=903192
114282
114283 kernel/printk.c | 4 ++++
114284 1 files changed, 4 insertions(+), 0 deletions(-)
114285
114286commit 66c04806f5660988c3cb4855e60de294e77e3d0e
114287Author: David Howells <dhowells@redhat.com>
114288Date: Thu Feb 21 12:00:25 2013 +0000
114289
114290 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
114291
114292 KEYS: Revert one application of "Fix unreachable code" patch
114293
114294 A patch to fix some unreachable code in search_my_process_keyrings() got
114295 applied twice by two different routes upstream as commits e67eab39bee2
114296 and b010520ab3d2 (both "fix unreachable code").
114297
114298 Unfortunately, the second application removed something it shouldn't
114299 have and this wasn't detected by GIT. This is due to the patch not
114300 having sufficient lines of context to distinguish the two places of
114301 application.
114302
114303 The effect of this is relatively minor: inside the kernel, the keyring
114304 search routines may search multiple keyrings and then prioritise the
114305 errors if no keys or negative keys are found in any of them. With the
114306 extra deletion, the presence of a negative key in the thread keyring
114307 (causing ENOKEY) is incorrectly overridden by an error searching the
114308 process keyring.
114309
114310 So revert the second application of the patch.
114311
114312 Signed-off-by: David Howells <dhowells@redhat.com>
114313 Cc: Jiri Kosina <jkosina@suse.cz>
114314 Cc: Andrew Morton <akpm@linux-foundation.org>
114315 Cc: stable@vger.kernel.org
114316 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114317
114318 security/keys/process_keys.c | 2 ++
114319 1 files changed, 2 insertions(+), 0 deletions(-)
114320
114321commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
114322Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
114323Date: Thu Feb 21 16:42:43 2013 -0800
114324
114325 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
114326
114327 configfs: move the dereference below the NULL test
114328
114329 The dereference should be moved below the NULL test.
114330
114331 spatch with a semantic match is used to found this.
114332 (http://coccinelle.lip6.fr/)
114333
114334 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
114335 Cc: Joel Becker <jlbec@evilplan.org>
114336 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
114337 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114338
114339 fs/configfs/dir.c | 5 +++--
114340 1 files changed, 3 insertions(+), 2 deletions(-)
114341
114342commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
114343Author: Nicolas Pitre <nicolas.pitre@linaro.org>
114344Date: Sun Feb 24 20:06:09 2013 -0500
114345
114346 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
114347
114348 tty vt: fix character insertion overflow
114349
114350 Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
114351 command line edition") broke insert_char() in multiple ways. Then
114352 commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
114353 partially fixed it. However, the buffer being moved is still too large
114354 and overflowing beyond the end of the current line, corrupting existing
114355 characters on the next line.
114356
114357 Example test case:
114358
114359 echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
114360
114361 Expected result:
114362
114363 ab c
114364 de
114365
114366 Current result:
114367
114368 ab c
114369 e
114370
114371 Needless to say that this is very annoying when inserting words in the
114372 middle of paragraphs with certain text editors.
114373
114374 Signed-off-by: Nicolas Pitre <nico@linaro.org>
114375 Cc: Jean-François Moine <moinejf@free.fr>
114376 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
114377 Cc: <stable@vger.kernel.org>
114378 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114379
114380 drivers/tty/vt/vt.c | 2 +-
114381 1 files changed, 1 insertions(+), 1 deletions(-)
114382
114383commit 6cda35071669b4aabde081bd039e0ffea36f997a
114384Author: Robin Holt <holt@sgi.com>
114385Date: Fri Feb 22 16:35:34 2013 -0800
114386
114387 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
114388
114389 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
114390
114391 There is a race condition between mmu_notifier_unregister() and
114392 __mmu_notifier_release().
114393
114394 Assume two tasks, one calling mmu_notifier_unregister() as a result of a
114395 filp_close() ->flush() callout (task A), and the other calling
114396 mmu_notifier_release() from an mmput() (task B).
114397
114398 A B
114399 t1 srcu_read_lock()
114400 t2 if (!hlist_unhashed())
114401 t3 srcu_read_unlock()
114402 t4 srcu_read_lock()
114403 t5 hlist_del_init_rcu()
114404 t6 synchronize_srcu()
114405 t7 srcu_read_unlock()
114406 t8 hlist_del_rcu() <--- NULL pointer deref.
114407
114408 Additionally, the list traversal in __mmu_notifier_release() is not
114409 protected by the by the mmu_notifier_mm->hlist_lock which can result in
114410 callouts to the ->release() notifier from both mmu_notifier_unregister()
114411 and __mmu_notifier_release().
114412
114413 -stable suggestions:
114414
114415 The stable trees prior to 3.7.y need commits 21a92735f660 and
114416 70400303ce0c cherry-picked in that order prior to cherry-picking this
114417 commit. The 3.7.y tree already has those two commits.
114418
114419 Signed-off-by: Robin Holt <holt@sgi.com>
114420 Cc: Andrea Arcangeli <aarcange@redhat.com>
114421 Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
114422 Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
114423 Cc: Avi Kivity <avi@redhat.com>
114424 Cc: Hugh Dickins <hughd@google.com>
114425 Cc: Marcelo Tosatti <mtosatti@redhat.com>
114426 Cc: Sagi Grimberg <sagig@mellanox.co.il>
114427 Cc: Haggai Eran <haggaie@mellanox.com>
114428 Cc: <stable@vger.kernel.org>
114429 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
114430 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114431
114432 mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
114433 1 files changed, 42 insertions(+), 40 deletions(-)
114434
114435commit bf5167ed78ba6131c6874887f714bda50c2cab83
114436Author: Mike Galbraith <bitbucket@online.de>
114437Date: Mon Jan 28 12:19:25 2013 +0100
114438
114439 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
114440
114441 sched: Fix select_idle_sibling() bouncing cow syndrome
114442
114443 If the previous CPU is cache affine and idle, select it.
114444
114445 The current implementation simply traverses the sd_llc domain,
114446 taking the first idle CPU encountered, which walks buddy pairs
114447 hand in hand over the package, inflicting excruciating pain.
114448
114449 1 tbench pair (worst case) in a 10 core + SMT package:
114450
114451 pre 15.22 MB/sec 1 procs
114452 post 252.01 MB/sec 1 procs
114453
114454 Signed-off-by: Mike Galbraith <bitbucket@online.de>
114455 Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
114456 Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
114457 Signed-off-by: Ingo Molnar <mingo@kernel.org>
114458
114459 kernel/sched/fair.c | 21 +++++++--------------
114460 1 files changed, 7 insertions(+), 14 deletions(-)
114461
114462commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
114463Author: Eric W. Biederman <ebiederm@xmission.com>
114464Date: Fri Dec 28 18:58:39 2012 -0800
114465
114466 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
114467
114468 userns: Avoid recursion in put_user_ns
114469
114470 When freeing a deeply nested user namespace free_user_ns calls
114471 put_user_ns on it's parent which may in turn call free_user_ns again.
114472 When -fno-optimize-sibling-calls is passed to gcc one stack frame per
114473 user namespace is left on the stack, potentially overflowing the
114474 kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
114475 so we can't count on gcc to optimize this code.
114476
114477 Remove struct kref and use a plain atomic_t. Making the code more
114478 flexible and easier to comprehend. Make the loop in free_user_ns
114479 explict to guarantee that the stack does not overflow with
114480 CONFIG_FRAME_POINTER enabled.
114481
114482 I have tested this fix with a simple program that uses unshare to
114483 create a deeply nested user namespace structure and then calls exit.
114484 With 1000 nesteuser namespaces before this change running my test
114485 program causes the kernel to die a horrible death. With 10,000,000
114486 nested user namespaces after this change my test program runs to
114487 completion and causes no harm.
114488
114489 Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
114490 Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
114491 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
114492
114493 include/linux/user_namespace.h | 10 +++++-----
114494 kernel/user.c | 4 +---
114495 kernel/user_namespace.c | 17 +++++++++--------
114496 3 files changed, 15 insertions(+), 16 deletions(-)
114497
114498commit 81501c7106ccc186c94806f4db954626295b5ebe
114499Author: Brad Spengler <spender@grsecurity.net>
114500Date: Tue Feb 26 17:12:30 2013 -0500
114501
114502 Pass the same flags to kern_path_create as the original function
114503
114504 fs/namei.c | 4 ++--
114505 1 files changed, 2 insertions(+), 2 deletions(-)
114506
114507commit a677c8eee35afe48868f92c7d6745bfe809cd481
114508Author: Al Viro <viro@zeniv.linux.org.uk>
114509Date: Fri Feb 22 22:45:42 2013 -0500
114510
114511 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
114512
114513 get rid of unprotected dereferencing of mnt->mnt_ns
114514
114515 It's safe only under namespace_sem or vfsmount_lock; all places
114516 in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
114517 current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
114518 there).
114519
114520 Cc: stable@vger.kernel.org
114521 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
114522
114523 fs/namespace.c | 29 +++++++++++++++++------------
114524 1 files changed, 17 insertions(+), 12 deletions(-)
114525
114526commit 89298124d0c96dc34a60377e7a1308f8f532ff75
114527Author: Greg Thelen <gthelen@google.com>
114528Date: Fri Feb 22 16:36:01 2013 -0800
114529
114530 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
114531
114532 tmpfs: fix use-after-free of mempolicy object
114533
114534 The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
114535 option is not specified in the remount request. A new policy can be
114536 specified if mpol=M is given.
114537
114538 Before this patch remounting an mpol bound tmpfs without specifying
114539 mpol= mount option in the remount request would set the filesystem's
114540 mempolicy object to a freed mempolicy object.
114541
114542 To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
114543 # mkdir /tmp/x
114544
114545 # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
114546
114547 # grep /tmp/x /proc/mounts
114548 nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
114549
114550 # mount -o remount,size=200M nodev /tmp/x
114551
114552 # grep /tmp/x /proc/mounts
114553 nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
114554 # note ? garbage in mpol=... output above
114555
114556 # dd if=/dev/zero of=/tmp/x/f count=1
114557 # panic here
114558
114559 Panic:
114560 BUG: unable to handle kernel NULL pointer dereference at (null)
114561 IP: [< (null)>] (null)
114562 [...]
114563 Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
114564 Call Trace:
114565 mpol_shared_policy_init+0xa5/0x160
114566 shmem_get_inode+0x209/0x270
114567 shmem_mknod+0x3e/0xf0
114568 shmem_create+0x18/0x20
114569 vfs_create+0xb5/0x130
114570 do_last+0x9a1/0xea0
114571 path_openat+0xb3/0x4d0
114572 do_filp_open+0x42/0xa0
114573 do_sys_open+0xfe/0x1e0
114574 compat_sys_open+0x1b/0x20
114575 cstar_dispatch+0x7/0x1f
114576
114577 Non-debug kernels will not crash immediately because referencing the
114578 dangling mpol will not cause a fault. Instead the filesystem will
114579 reference a freed mempolicy object, which will cause unpredictable
114580 behavior.
114581
114582 The problem boils down to a dropped mpol reference below if
114583 shmem_parse_options() does not allocate a new mpol:
114584
114585 config = *sbinfo
114586 shmem_parse_options(data, &config, true)
114587 mpol_put(sbinfo->mpol)
114588 sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
114589
114590 This patch avoids the crash by not releasing the mempolicy if
114591 shmem_parse_options() doesn't create a new mpol.
114592
114593 How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
114594 not look back further.
114595
114596 Signed-off-by: Greg Thelen <gthelen@google.com>
114597 Acked-by: Hugh Dickins <hughd@google.com>
114598 Cc: <stable@vger.kernel.org>
114599 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
114600 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
114601
114602 mm/shmem.c | 10 ++++++++--
114603 1 files changed, 8 insertions(+), 2 deletions(-)
114604
114605commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
114606Author: Brad Spengler <spender@grsecurity.net>
114607Date: Sat Feb 23 11:08:05 2013 -0500
114608
114609 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
114610 with a family greater or equal then AF_MAX -- the array size of
114611 sock_diag_handlers[]. The current code does not test for this
114612 condition therefore is vulnerable to an out-of-bound access opening
114613 doors for a privilege escalation.
114614
114615 Signed-off-by: Mathias Krause <minipli@googlemail.com>
114616
114617 The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
114618 make the code less readable. Get rid of them and make the lock usage
114619 and access to sock_diag_handlers[] clear on the first sight.
114620
114621 Signed-off-by: Mathias Krause <minipli@googlemail.com>
114622
114623 net/core/sock_diag.c | 27 ++++++++++-----------------
114624 1 files changed, 10 insertions(+), 17 deletions(-)
114625
114626commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
114627Author: Brad Spengler <spender@grsecurity.net>
114628Date: Sat Feb 23 10:58:52 2013 -0500
114629
114630 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
114631
114632 arch/arm/include/asm/domain.h | 1 +
114633 1 files changed, 1 insertions(+), 0 deletions(-)
114634
114635commit 7b729586eb81f344fdedf0942fab0acc738a6725
114636Author: Brad Spengler <spender@grsecurity.net>
114637Date: Fri Feb 22 19:02:51 2013 -0500
114638
114639 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users.
114640
114641 kernel/fork.c | 17 +++++++++++++++++
114642 1 files changed, 17 insertions(+), 0 deletions(-)
114643
114644commit fadc560d0c486af88da83177735f5515e88acdcc
114645Author: Brad Spengler <spender@grsecurity.net>
114646Date: Thu Feb 21 23:06:48 2013 -0500
114647
114648 put is_hugetlbfs_mnt inside ifdefs
114649
114650 grsecurity/gracl.c | 2 ++
114651 1 files changed, 2 insertions(+), 0 deletions(-)
114652
114653commit 8252176922d405484f986eb2cc350b7cd3ae586e
114654Author: Brad Spengler <spender@grsecurity.net>
114655Date: Thu Feb 21 23:02:07 2013 -0500
114656
114657 remove unused label
114658
114659 kernel/module.c | 1 -
114660 1 files changed, 0 insertions(+), 1 deletions(-)
114661
114662commit dad4a980f0b625059e215d13da728aa7fd02a374
114663Author: Brad Spengler <spender@grsecurity.net>
114664Date: Thu Feb 21 23:00:52 2013 -0500
114665
114666 compile fix
114667
114668 fs/open.c | 2 +-
114669 1 files changed, 1 insertions(+), 1 deletions(-)
114670
114671commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
114672Author: Brad Spengler <spender@grsecurity.net>
114673Date: Thu Feb 21 22:57:49 2013 -0500
114674
114675 remove kmalloc_array_error for the same reasons as kcalloc_error
114676
114677 include/linux/slab.h | 9 ---------
114678 1 files changed, 0 insertions(+), 9 deletions(-)
114679
114680commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
114681Author: Brad Spengler <spender@grsecurity.net>
114682Date: Thu Feb 21 22:49:35 2013 -0500
114683
114684 Initial port of grsecurity for Linux 3.8
114685
114686 Documentation/kernel-parameters.txt | 4 +
114687 Makefile | 10 +-
114688 arch/alpha/include/asm/cache.h | 4 +-
114689 arch/alpha/kernel/osf_sys.c | 14 +-
114690 arch/arm/include/asm/cache.h | 2 +
114691 arch/arm/include/asm/thread_info.h | 9 +-
114692 arch/arm/kernel/process.c | 4 +-
114693 arch/arm/kernel/ptrace.c | 9 +
114694 arch/arm/kernel/traps.c | 7 +-
114695 arch/arm/mm/fault.c | 27 +-
114696 arch/arm/mm/mmap.c | 6 +-
114697 arch/avr32/include/asm/cache.h | 4 +-
114698 arch/blackfin/include/asm/cache.h | 3 +-
114699 arch/cris/include/arch-v10/arch/cache.h | 3 +-
114700 arch/cris/include/arch-v32/arch/cache.h | 3 +-
114701 arch/frv/include/asm/cache.h | 3 +-
114702 arch/frv/mm/elf-fdpic.c | 7 +-
114703 arch/hexagon/include/asm/cache.h | 6 +-
114704 arch/ia64/include/asm/cache.h | 3 +-
114705 arch/ia64/kernel/sys_ia64.c | 3 +-
114706 arch/ia64/mm/hugetlbpage.c | 3 +-
114707 arch/m32r/include/asm/cache.h | 4 +-
114708 arch/m68k/include/asm/cache.h | 4 +-
114709 arch/microblaze/include/asm/cache.h | 3 +-
114710 arch/mips/include/asm/cache.h | 3 +-
114711 arch/mips/include/asm/thread_info.h | 9 +-
114712 arch/mips/kernel/ptrace.c | 9 +
114713 arch/mips/kernel/scall32-o32.S | 2 +-
114714 arch/mips/kernel/scall64-64.S | 2 +-
114715 arch/mips/kernel/scall64-n32.S | 2 +-
114716 arch/mips/kernel/scall64-o32.S | 2 +-
114717 arch/mips/mm/mmap.c | 3 +-
114718 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
114719 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
114720 arch/openrisc/include/asm/cache.h | 4 +-
114721 arch/parisc/include/asm/cache.h | 5 +-
114722 arch/parisc/kernel/sys_parisc.c | 19 +-
114723 arch/powerpc/include/asm/cache.h | 3 +-
114724 arch/powerpc/include/asm/thread_info.h | 8 +-
114725 arch/powerpc/kernel/process.c | 10 +-
114726 arch/powerpc/kernel/ptrace.c | 14 +
114727 arch/powerpc/kernel/traps.c | 5 +
114728 arch/powerpc/mm/slice.c | 8 +-
114729 arch/s390/include/asm/cache.h | 4 +-
114730 arch/score/include/asm/cache.h | 4 +-
114731 arch/sh/include/asm/cache.h | 3 +-
114732 arch/sh/mm/mmap.c | 6 +-
114733 arch/sparc/include/asm/cache.h | 4 +-
114734 arch/sparc/include/asm/thread_info_64.h | 9 +-
114735 arch/sparc/kernel/process_32.c | 6 +-
114736 arch/sparc/kernel/process_64.c | 8 +-
114737 arch/sparc/kernel/ptrace_64.c | 14 +
114738 arch/sparc/kernel/sys_sparc_64.c | 6 +-
114739 arch/sparc/kernel/syscalls.S | 8 +-
114740 arch/sparc/kernel/traps_32.c | 8 +-
114741 arch/sparc/kernel/traps_64.c | 28 +-
114742 arch/sparc/kernel/unaligned_64.c | 2 +-
114743 arch/sparc/mm/fault_64.c | 2 +-
114744 arch/sparc/mm/hugetlbpage.c | 3 +-
114745 arch/tile/include/asm/cache.h | 3 +-
114746 arch/um/include/asm/cache.h | 3 +-
114747 arch/unicore32/include/asm/cache.h | 6 +-
114748 arch/x86/Kconfig | 5 +-
114749 arch/x86/Kconfig.debug | 2 +-
114750 arch/x86/ia32/ia32_aout.c | 2 +
114751 arch/x86/include/asm/thread_info.h | 8 +-
114752 arch/x86/kernel/dumpstack.c | 8 +
114753 arch/x86/kernel/entry_32.S | 2 +-
114754 arch/x86/kernel/entry_64.S | 2 +-
114755 arch/x86/kernel/ioport.c | 13 +
114756 arch/x86/kernel/ptrace.c | 14 +
114757 arch/x86/kernel/smpboot.c | 3 +
114758 arch/x86/kernel/sys_i386_32.c | 14 +-
114759 arch/x86/kernel/sys_x86_64.c | 3 +-
114760 arch/x86/kernel/verify_cpu.S | 1 +
114761 arch/x86/kernel/vm86_32.c | 16 +
114762 arch/x86/mm/fault.c | 12 +-
114763 arch/x86/mm/hugetlbpage.c | 3 +-
114764 arch/x86/mm/init.c | 66 +-
114765 arch/x86/net/bpf_jit_comp.c | 126 +-
114766 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
114767 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
114768 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
114769 crypto/ablkcipher.c | 12 +-
114770 crypto/aead.c | 9 +-
114771 crypto/ahash.c | 2 +-
114772 crypto/blkcipher.c | 6 +-
114773 crypto/crypto_user.c | 38 +-
114774 crypto/pcompress.c | 3 +-
114775 crypto/rng.c | 2 +-
114776 crypto/shash.c | 3 +-
114777 drivers/block/cciss.c | 2 +
114778 drivers/char/Kconfig | 4 +-
114779 drivers/char/genrtc.c | 1 +
114780 drivers/char/mem.c | 17 +
114781 drivers/char/random.c | 12 +
114782 drivers/gpu/drm/drm_info.c | 4 +
114783 drivers/hid/hid-wiimote-debug.c | 2 +-
114784 drivers/media/radio/radio-cadet.c | 2 +-
114785 drivers/message/fusion/mptbase.c | 5 +
114786 drivers/net/phy/mdio-bitbang.c | 1 +
114787 drivers/pci/proc.c | 9 +
114788 drivers/rtc/rtc-dev.c | 3 +
114789 drivers/tty/sysrq.c | 2 +-
114790 drivers/tty/vt/keyboard.c | 22 +-
114791 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
114792 drivers/xen/xenfs/xenstored.c | 5 +
114793 fs/attr.c | 1 +
114794 fs/autofs4/waitq.c | 9 +
114795 fs/binfmt_aout.c | 7 +
114796 fs/binfmt_elf.c | 6 +
114797 fs/btrfs/inode.c | 10 +-
114798 fs/btrfs/ioctl.c | 6 +-
114799 fs/compat.c | 18 +
114800 fs/coredump.c | 10 +-
114801 fs/debugfs/inode.c | 4 +
114802 fs/exec.c | 155 +-
114803 fs/ext2/balloc.c | 4 +-
114804 fs/ext3/balloc.c | 4 +-
114805 fs/ext4/balloc.c | 4 +-
114806 fs/fcntl.c | 5 +
114807 fs/file.c | 4 +
114808 fs/filesystems.c | 5 +
114809 fs/fs_struct.c | 26 +-
114810 fs/hugetlbfs/inode.c | 5 +-
114811 fs/namei.c | 269 ++-
114812 fs/namespace.c | 24 +
114813 fs/open.c | 38 +
114814 fs/pipe.c | 2 +-
114815 fs/proc/Kconfig | 10 +-
114816 fs/proc/array.c | 59 +-
114817 fs/proc/base.c | 168 +-
114818 fs/proc/cmdline.c | 4 +
114819 fs/proc/devices.c | 4 +
114820 fs/proc/fd.c | 17 +-
114821 fs/proc/inode.c | 17 +
114822 fs/proc/internal.h | 3 +
114823 fs/proc/kcore.c | 3 +
114824 fs/proc/proc_net.c | 12 +
114825 fs/proc/proc_sysctl.c | 43 +-
114826 fs/proc/root.c | 8 +
114827 fs/proc/task_mmu.c | 75 +-
114828 fs/readdir.c | 19 +
114829 fs/select.c | 2 +
114830 fs/seq_file.c | 12 +-
114831 fs/stat.c | 19 +-
114832 fs/sysfs/dir.c | 12 +
114833 fs/utimes.c | 7 +
114834 fs/xattr.c | 19 +-
114835 grsecurity/Kconfig | 1021 +++++
114836 grsecurity/Makefile | 38 +
114837 grsecurity/gracl.c | 4017 ++++++++++++++++++++
114838 grsecurity/gracl_alloc.c | 105 +
114839 grsecurity/gracl_cap.c | 110 +
114840 grsecurity/gracl_fs.c | 431 +++
114841 grsecurity/gracl_ip.c | 384 ++
114842 grsecurity/gracl_learn.c | 207 +
114843 grsecurity/gracl_res.c | 68 +
114844 grsecurity/gracl_segv.c | 299 ++
114845 grsecurity/gracl_shm.c | 40 +
114846 grsecurity/grsec_chdir.c | 19 +
114847 grsecurity/grsec_chroot.c | 357 ++
114848 grsecurity/grsec_disabled.c | 434 +++
114849 grsecurity/grsec_exec.c | 174 +
114850 grsecurity/grsec_fifo.c | 24 +
114851 grsecurity/grsec_fork.c | 23 +
114852 grsecurity/grsec_init.c | 283 ++
114853 grsecurity/grsec_link.c | 58 +
114854 grsecurity/grsec_log.c | 329 ++
114855 grsecurity/grsec_mem.c | 40 +
114856 grsecurity/grsec_mount.c | 62 +
114857 grsecurity/grsec_pax.c | 36 +
114858 grsecurity/grsec_ptrace.c | 30 +
114859 grsecurity/grsec_sig.c | 222 ++
114860 grsecurity/grsec_sock.c | 244 ++
114861 grsecurity/grsec_sysctl.c | 469 +++
114862 grsecurity/grsec_time.c | 16 +
114863 grsecurity/grsec_tpe.c | 73 +
114864 grsecurity/grsum.c | 61 +
114865 include/linux/capability.h | 5 +
114866 include/linux/cred.h | 3 +
114867 include/linux/fs.h | 10 +
114868 include/linux/fsnotify.h | 6 +
114869 include/linux/gracl.h | 319 ++
114870 include/linux/gralloc.h | 9 +
114871 include/linux/grdefs.h | 140 +
114872 include/linux/grinternal.h | 215 ++
114873 include/linux/grmsg.h | 111 +
114874 include/linux/grsecurity.h | 257 ++
114875 include/linux/grsock.h | 19 +
114876 include/linux/kallsyms.h | 14 +-
114877 include/linux/kmod.h | 2 +
114878 include/linux/netfilter/xt_gradm.h | 9 +
114879 include/linux/printk.h | 3 +-
114880 include/linux/proc_fs.h | 12 +
114881 include/linux/sched.h | 66 +-
114882 include/linux/security.h | 1 +
114883 include/linux/seq_file.h | 3 +
114884 include/linux/shm.h | 4 +
114885 include/linux/sysctl.h | 2 +
114886 include/linux/thread_info.h | 2 +
114887 include/linux/vermagic.h | 9 +-
114888 include/trace/events/fs.h | 53 +
114889 include/uapi/linux/personality.h | 1 +
114890 init/Kconfig | 5 +-
114891 init/main.c | 14 +
114892 ipc/mqueue.c | 1 +
114893 ipc/shm.c | 28 +
114894 kernel/capability.c | 39 +-
114895 kernel/cgroup.c | 2 +-
114896 kernel/compat.c | 1 +
114897 kernel/configs.c | 11 +
114898 kernel/cred.c | 109 +-
114899 kernel/exit.c | 10 +-
114900 kernel/fork.c | 24 +-
114901 kernel/futex.c | 1 +
114902 kernel/kallsyms.c | 9 +
114903 kernel/kcmp.c | 4 +
114904 kernel/kmod.c | 71 +-
114905 kernel/kprobes.c | 4 +-
114906 kernel/ksysfs.c | 2 +
114907 kernel/lockdep_proc.c | 10 +-
114908 kernel/module.c | 80 +-
114909 kernel/panic.c | 4 +-
114910 kernel/pid.c | 19 +-
114911 kernel/posix-timers.c | 8 +
114912 kernel/printk.c | 5 +
114913 kernel/ptrace.c | 20 +-
114914 kernel/resource.c | 10 +
114915 kernel/sched/core.c | 6 +-
114916 kernel/signal.c | 37 +-
114917 kernel/sys.c | 38 +-
114918 kernel/sysctl.c | 39 +-
114919 kernel/taskstats.c | 6 +
114920 kernel/time.c | 5 +
114921 kernel/time/timekeeping.c | 3 +
114922 kernel/time/timer_list.c | 12 +
114923 kernel/time/timer_stats.c | 10 +-
114924 lib/Kconfig.debug | 5 +-
114925 lib/is_single_threaded.c | 3 +
114926 lib/vsprintf.c | 35 +-
114927 localversion-grsec | 1 +
114928 mm/Kconfig | 4 +-
114929 mm/filemap.c | 1 +
114930 mm/kmemleak.c | 4 +-
114931 mm/mempolicy.c | 12 +-
114932 mm/migrate.c | 3 +-
114933 mm/mlock.c | 3 +
114934 mm/mmap.c | 62 +-
114935 mm/mprotect.c | 8 +
114936 mm/page_alloc.c | 6 +
114937 mm/process_vm_access.c | 6 +
114938 mm/shmem.c | 2 +-
114939 mm/slab.c | 2 +-
114940 mm/slub.c | 14 +-
114941 mm/vmalloc.c | 4 +
114942 mm/vmstat.c | 18 +-
114943 net/core/dev.c | 9 +
114944 net/core/sock_diag.c | 7 +
114945 net/ipv4/inet_hashtables.c | 5 +
114946 net/ipv4/ip_sockglue.c | 3 +-
114947 net/ipv4/tcp_input.c | 4 +-
114948 net/ipv4/tcp_ipv4.c | 24 +-
114949 net/ipv4/tcp_minisocks.c | 9 +-
114950 net/ipv4/tcp_timer.c | 11 +
114951 net/ipv4/udp.c | 24 +
114952 net/ipv6/tcp_ipv6.c | 23 +-
114953 net/ipv6/udp.c | 7 +
114954 net/netfilter/Kconfig | 10 +
114955 net/netfilter/Makefile | 1 +
114956 net/netfilter/nf_conntrack_core.c | 8 +
114957 net/netfilter/xt_gradm.c | 51 +
114958 net/netrom/af_netrom.c | 2 +-
114959 net/phonet/af_phonet.c | 4 +-
114960 net/sctp/proc.c | 3 +-
114961 net/socket.c | 62 +-
114962 net/sysctl_net.c | 2 +-
114963 net/unix/af_unix.c | 19 +
114964 security/Kconfig | 320 ++-
114965 security/apparmor/lsm.c | 2 +-
114966 security/commoncap.c | 29 +
114967 security/min_addr.c | 2 +
114968 security/security.c | 2 -
114969 security/selinux/hooks.c | 2 -
114970 security/yama/Kconfig | 2 +-
114971 tools/gcc/Makefile | 2 +-
114972 286 files changed, 15083 insertions(+), 2067 deletions(-)
114973
114974commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
114975Author: Brad Spengler <spender@grsecurity.net>
114976Date: Wed Feb 20 21:00:42 2013 -0500
114977
114978 Initial import of pax-linux-3.8-test3.patch
114979
114980 Documentation/dontdiff | 43 +-
114981 Documentation/kernel-parameters.txt | 7 +
114982 Makefile | 97 +-
114983 arch/alpha/include/asm/atomic.h | 10 +
114984 arch/alpha/include/asm/elf.h | 7 +
114985 arch/alpha/include/asm/pgalloc.h | 6 +
114986 arch/alpha/include/asm/pgtable.h | 11 +
114987 arch/alpha/kernel/module.c | 2 +-
114988 arch/alpha/kernel/osf_sys.c | 10 +-
114989 arch/alpha/mm/fault.c | 141 +-
114990 arch/arm/Kconfig | 2 +-
114991 arch/arm/include/asm/atomic.h | 421 +++-
114992 arch/arm/include/asm/cache.h | 3 +-
114993 arch/arm/include/asm/cacheflush.h | 2 +-
114994 arch/arm/include/asm/checksum.h | 14 +-
114995 arch/arm/include/asm/cmpxchg.h | 2 +
114996 arch/arm/include/asm/delay.h | 8 +-
114997 arch/arm/include/asm/domain.h | 32 +-
114998 arch/arm/include/asm/elf.h | 13 +-
114999 arch/arm/include/asm/fncpy.h | 2 +
115000 arch/arm/include/asm/futex.h | 10 +
115001 arch/arm/include/asm/kmap_types.h | 2 +-
115002 arch/arm/include/asm/mach/dma.h | 2 +-
115003 arch/arm/include/asm/mach/map.h | 7 +-
115004 arch/arm/include/asm/outercache.h | 2 +-
115005 arch/arm/include/asm/page.h | 2 +-
115006 arch/arm/include/asm/pgalloc.h | 22 +-
115007 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
115008 arch/arm/include/asm/pgtable-2level.h | 1 +
115009 arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
115010 arch/arm/include/asm/pgtable-3level.h | 2 +
115011 arch/arm/include/asm/pgtable.h | 56 +-
115012 arch/arm/include/asm/proc-fns.h | 2 +-
115013 arch/arm/include/asm/processor.h | 5 +-
115014 arch/arm/include/asm/smp.h | 2 +-
115015 arch/arm/include/asm/thread_info.h | 6 +-
115016 arch/arm/include/asm/uaccess.h | 92 +-
115017 arch/arm/include/uapi/asm/ptrace.h | 2 +-
115018 arch/arm/kernel/armksyms.c | 4 +-
115019 arch/arm/kernel/entry-armv.S | 107 +-
115020 arch/arm/kernel/entry-common.S | 41 +-
115021 arch/arm/kernel/entry-header.S | 60 +
115022 arch/arm/kernel/fiq.c | 2 +
115023 arch/arm/kernel/head.S | 6 +-
115024 arch/arm/kernel/hw_breakpoint.c | 2 +-
115025 arch/arm/kernel/module.c | 29 +-
115026 arch/arm/kernel/perf_event_cpu.c | 2 +-
115027 arch/arm/kernel/process.c | 10 +-
115028 arch/arm/kernel/setup.c | 22 +-
115029 arch/arm/kernel/smp.c | 2 +-
115030 arch/arm/kernel/traps.c | 8 +-
115031 arch/arm/kernel/vmlinux.lds.S | 20 +-
115032 arch/arm/lib/clear_user.S | 6 +-
115033 arch/arm/lib/copy_from_user.S | 6 +-
115034 arch/arm/lib/copy_page.S | 1 +
115035 arch/arm/lib/copy_to_user.S | 6 +-
115036 arch/arm/lib/csumpartialcopyuser.S | 4 +-
115037 arch/arm/lib/delay.c | 14 +-
115038 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
115039 arch/arm/mach-kirkwood/common.c | 19 +-
115040 arch/arm/mach-omap2/board-n8x0.c | 2 +-
115041 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
115042 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
115043 arch/arm/mach-ux500/include/mach/setup.h | 7 -
115044 arch/arm/mm/Kconfig | 3 +-
115045 arch/arm/mm/fault.c | 78 +
115046 arch/arm/mm/fault.h | 12 +
115047 arch/arm/mm/init.c | 41 +
115048 arch/arm/mm/ioremap.c | 4 +-
115049 arch/arm/mm/mmap.c | 36 +-
115050 arch/arm/mm/mmu.c | 186 +-
115051 arch/arm/mm/proc-v7-2level.S | 3 +
115052 arch/arm/plat-omap/sram.c | 2 +
115053 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
115054 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
115055 arch/arm64/kernel/debug-monitors.c | 2 +-
115056 arch/arm64/kernel/hw_breakpoint.c | 2 +-
115057 arch/avr32/include/asm/elf.h | 8 +-
115058 arch/avr32/include/asm/kmap_types.h | 4 +-
115059 arch/avr32/mm/fault.c | 27 +
115060 arch/frv/include/asm/atomic.h | 10 +
115061 arch/frv/include/asm/kmap_types.h | 2 +-
115062 arch/frv/mm/elf-fdpic.c | 7 +-
115063 arch/ia64/include/asm/atomic.h | 10 +
115064 arch/ia64/include/asm/elf.h | 7 +
115065 arch/ia64/include/asm/pgalloc.h | 12 +
115066 arch/ia64/include/asm/pgtable.h | 13 +-
115067 arch/ia64/include/asm/spinlock.h | 2 +-
115068 arch/ia64/include/asm/uaccess.h | 28 +-
115069 arch/ia64/kernel/err_inject.c | 2 +-
115070 arch/ia64/kernel/mca.c | 2 +-
115071 arch/ia64/kernel/module.c | 48 +-
115072 arch/ia64/kernel/palinfo.c | 2 +-
115073 arch/ia64/kernel/salinfo.c | 2 +-
115074 arch/ia64/kernel/sys_ia64.c | 13 +-
115075 arch/ia64/kernel/topology.c | 2 +-
115076 arch/ia64/kernel/vmlinux.lds.S | 2 +-
115077 arch/ia64/mm/fault.c | 32 +-
115078 arch/ia64/mm/hugetlbpage.c | 2 +-
115079 arch/ia64/mm/init.c | 13 +
115080 arch/m32r/lib/usercopy.c | 6 +
115081 arch/mips/include/asm/atomic.h | 14 +
115082 arch/mips/include/asm/elf.h | 11 +-
115083 arch/mips/include/asm/exec.h | 2 +-
115084 arch/mips/include/asm/page.h | 2 +-
115085 arch/mips/include/asm/pgalloc.h | 5 +
115086 arch/mips/kernel/binfmt_elfn32.c | 7 +
115087 arch/mips/kernel/binfmt_elfo32.c | 7 +
115088 arch/mips/kernel/process.c | 12 -
115089 arch/mips/mm/fault.c | 17 +
115090 arch/mips/mm/mmap.c | 51 +-
115091 arch/parisc/include/asm/atomic.h | 10 +
115092 arch/parisc/include/asm/elf.h | 7 +
115093 arch/parisc/include/asm/pgalloc.h | 6 +
115094 arch/parisc/include/asm/pgtable.h | 11 +
115095 arch/parisc/include/asm/uaccess.h | 4 +-
115096 arch/parisc/kernel/module.c | 50 +-
115097 arch/parisc/kernel/sys_parisc.c | 6 +-
115098 arch/parisc/kernel/traps.c | 4 +-
115099 arch/parisc/mm/fault.c | 140 +-
115100 arch/powerpc/include/asm/atomic.h | 10 +
115101 arch/powerpc/include/asm/elf.h | 19 +-
115102 arch/powerpc/include/asm/exec.h | 2 +-
115103 arch/powerpc/include/asm/kmap_types.h | 2 +-
115104 arch/powerpc/include/asm/mman.h | 2 +-
115105 arch/powerpc/include/asm/page.h | 8 +-
115106 arch/powerpc/include/asm/page_64.h | 7 +-
115107 arch/powerpc/include/asm/pgalloc-64.h | 7 +
115108 arch/powerpc/include/asm/pgtable.h | 1 +
115109 arch/powerpc/include/asm/pte-hash32.h | 1 +
115110 arch/powerpc/include/asm/reg.h | 1 +
115111 arch/powerpc/include/asm/uaccess.h | 142 +-
115112 arch/powerpc/kernel/exceptions-64e.S | 4 +-
115113 arch/powerpc/kernel/exceptions-64s.S | 2 +-
115114 arch/powerpc/kernel/module_32.c | 13 +-
115115 arch/powerpc/kernel/process.c | 55 -
115116 arch/powerpc/kernel/signal_32.c | 2 +-
115117 arch/powerpc/kernel/signal_64.c | 2 +-
115118 arch/powerpc/kernel/sysfs.c | 2 +-
115119 arch/powerpc/kernel/vdso.c | 5 +-
115120 arch/powerpc/lib/usercopy_64.c | 18 -
115121 arch/powerpc/mm/fault.c | 54 +-
115122 arch/powerpc/mm/mmap_64.c | 16 +
115123 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
115124 arch/powerpc/mm/numa.c | 2 +-
115125 arch/powerpc/mm/slice.c | 23 +-
115126 arch/powerpc/platforms/powermac/smp.c | 2 +-
115127 arch/s390/include/asm/atomic.h | 10 +
115128 arch/s390/include/asm/elf.h | 13 +-
115129 arch/s390/include/asm/exec.h | 2 +-
115130 arch/s390/include/asm/uaccess.h | 15 +-
115131 arch/s390/kernel/module.c | 22 +-
115132 arch/s390/kernel/process.c | 36 -
115133 arch/s390/mm/mmap.c | 24 +
115134 arch/score/include/asm/exec.h | 2 +-
115135 arch/score/kernel/process.c | 5 -
115136 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
115137 arch/sh/mm/mmap.c | 22 +-
115138 arch/sparc/include/asm/atomic_64.h | 106 +-
115139 arch/sparc/include/asm/cache.h | 2 +-
115140 arch/sparc/include/asm/elf_32.h | 7 +
115141 arch/sparc/include/asm/elf_64.h | 7 +
115142 arch/sparc/include/asm/pgalloc_32.h | 1 +
115143 arch/sparc/include/asm/pgalloc_64.h | 1 +
115144 arch/sparc/include/asm/pgtable_32.h | 15 +-
115145 arch/sparc/include/asm/pgtsrmmu.h | 5 +
115146 arch/sparc/include/asm/spinlock_64.h | 35 +-
115147 arch/sparc/include/asm/thread_info_32.h | 2 +
115148 arch/sparc/include/asm/thread_info_64.h | 2 +
115149 arch/sparc/include/asm/uaccess.h | 8 +
115150 arch/sparc/include/asm/uaccess_32.h | 27 +-
115151 arch/sparc/include/asm/uaccess_64.h | 19 +-
115152 arch/sparc/kernel/Makefile | 2 +-
115153 arch/sparc/kernel/sys_sparc_32.c | 2 +-
115154 arch/sparc/kernel/sys_sparc_64.c | 48 +-
115155 arch/sparc/kernel/sysfs.c | 2 +-
115156 arch/sparc/kernel/traps_64.c | 13 +-
115157 arch/sparc/lib/Makefile | 2 +-
115158 arch/sparc/lib/atomic_64.S | 136 +-
115159 arch/sparc/lib/ksyms.c | 6 +
115160 arch/sparc/mm/Makefile | 2 +-
115161 arch/sparc/mm/fault_32.c | 292 ++
115162 arch/sparc/mm/fault_64.c | 486 +++
115163 arch/sparc/mm/hugetlbpage.c | 21 +-
115164 arch/tile/include/asm/atomic_64.h | 10 +
115165 arch/tile/include/asm/uaccess.h | 4 +-
115166 arch/um/Makefile | 4 +
115167 arch/um/include/asm/kmap_types.h | 2 +-
115168 arch/um/include/asm/page.h | 3 +
115169 arch/um/include/asm/pgtable-3level.h | 1 +
115170 arch/um/kernel/process.c | 16 -
115171 arch/x86/Kconfig | 10 +-
115172 arch/x86/Kconfig.cpu | 6 +-
115173 arch/x86/Kconfig.debug | 6 +-
115174 arch/x86/Makefile | 10 +
115175 arch/x86/boot/Makefile | 3 +
115176 arch/x86/boot/bitops.h | 4 +-
115177 arch/x86/boot/boot.h | 4 +-
115178 arch/x86/boot/compressed/Makefile | 3 +
115179 arch/x86/boot/compressed/eboot.c | 2 -
115180 arch/x86/boot/compressed/head_32.S | 7 +-
115181 arch/x86/boot/compressed/head_64.S | 4 +-
115182 arch/x86/boot/compressed/misc.c | 4 +-
115183 arch/x86/boot/cpucheck.c | 28 +-
115184 arch/x86/boot/header.S | 6 +-
115185 arch/x86/boot/memory.c | 2 +-
115186 arch/x86/boot/video-vesa.c | 1 +
115187 arch/x86/boot/video.c | 2 +-
115188 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
115189 arch/x86/crypto/aesni-intel_asm.S | 31 +
115190 arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
115191 arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
115192 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
115193 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
115194 arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
115195 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
115196 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
115197 arch/x86/crypto/sha1_ssse3_asm.S | 3 +
115198 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
115199 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
115200 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
115201 arch/x86/ia32/ia32_signal.c | 14 +-
115202 arch/x86/ia32/ia32entry.S | 141 +-
115203 arch/x86/ia32/sys_ia32.c | 12 +-
115204 arch/x86/include/asm/alternative-asm.h | 39 +
115205 arch/x86/include/asm/alternative.h | 4 +-
115206 arch/x86/include/asm/apic.h | 2 +-
115207 arch/x86/include/asm/apm.h | 4 +-
115208 arch/x86/include/asm/atomic.h | 307 ++-
115209 arch/x86/include/asm/atomic64_32.h | 100 +
115210 arch/x86/include/asm/atomic64_64.h | 202 ++-
115211 arch/x86/include/asm/bitops.h | 2 +-
115212 arch/x86/include/asm/boot.h | 7 +-
115213 arch/x86/include/asm/cache.h | 5 +-
115214 arch/x86/include/asm/cacheflush.h | 2 +-
115215 arch/x86/include/asm/checksum_32.h | 12 +-
115216 arch/x86/include/asm/cmpxchg.h | 35 +
115217 arch/x86/include/asm/cpufeature.h | 4 +-
115218 arch/x86/include/asm/desc.h | 65 +-
115219 arch/x86/include/asm/desc_defs.h | 6 +
115220 arch/x86/include/asm/elf.h | 31 +-
115221 arch/x86/include/asm/emergency-restart.h | 2 +-
115222 arch/x86/include/asm/fpu-internal.h | 6 +-
115223 arch/x86/include/asm/futex.h | 16 +-
115224 arch/x86/include/asm/hw_irq.h | 4 +-
115225 arch/x86/include/asm/io.h | 13 +-
115226 arch/x86/include/asm/irqflags.h | 5 +
115227 arch/x86/include/asm/kprobes.h | 9 +-
115228 arch/x86/include/asm/local.h | 142 +-
115229 arch/x86/include/asm/mman.h | 15 +
115230 arch/x86/include/asm/mmu.h | 16 +-
115231 arch/x86/include/asm/mmu_context.h | 76 +-
115232 arch/x86/include/asm/module.h | 17 +-
115233 arch/x86/include/asm/page_64_types.h | 2 +-
115234 arch/x86/include/asm/paravirt.h | 44 +-
115235 arch/x86/include/asm/paravirt_types.h | 17 +-
115236 arch/x86/include/asm/pgalloc.h | 23 +
115237 arch/x86/include/asm/pgtable-2level.h | 2 +
115238 arch/x86/include/asm/pgtable-3level.h | 4 +
115239 arch/x86/include/asm/pgtable.h | 110 +-
115240 arch/x86/include/asm/pgtable_32.h | 14 +-
115241 arch/x86/include/asm/pgtable_32_types.h | 15 +-
115242 arch/x86/include/asm/pgtable_64.h | 19 +-
115243 arch/x86/include/asm/pgtable_64_types.h | 5 +
115244 arch/x86/include/asm/pgtable_types.h | 36 +-
115245 arch/x86/include/asm/processor.h | 39 +-
115246 arch/x86/include/asm/ptrace.h | 26 +-
115247 arch/x86/include/asm/realmode.h | 4 +-
115248 arch/x86/include/asm/reboot.h | 10 +-
115249 arch/x86/include/asm/rwsem.h | 60 +-
115250 arch/x86/include/asm/segment.h | 24 +-
115251 arch/x86/include/asm/smp.h | 14 +-
115252 arch/x86/include/asm/spinlock.h | 36 +-
115253 arch/x86/include/asm/stackprotector.h | 4 +-
115254 arch/x86/include/asm/stacktrace.h | 32 +-
115255 arch/x86/include/asm/switch_to.h | 4 +-
115256 arch/x86/include/asm/thread_info.h | 83 +-
115257 arch/x86/include/asm/uaccess.h | 96 +-
115258 arch/x86/include/asm/uaccess_32.h | 106 +-
115259 arch/x86/include/asm/uaccess_64.h | 232 +-
115260 arch/x86/include/asm/word-at-a-time.h | 2 +-
115261 arch/x86/include/asm/x86_init.h | 10 +-
115262 arch/x86/include/asm/xsave.h | 10 +-
115263 arch/x86/include/uapi/asm/e820.h | 2 +-
115264 arch/x86/kernel/Makefile | 2 +-
115265 arch/x86/kernel/acpi/sleep.c | 4 +
115266 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
115267 arch/x86/kernel/alternative.c | 65 +-
115268 arch/x86/kernel/apic/apic.c | 6 +-
115269 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
115270 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
115271 arch/x86/kernel/apic/es7000_32.c | 5 +-
115272 arch/x86/kernel/apic/io_apic.c | 8 +-
115273 arch/x86/kernel/apic/numaq_32.c | 3 +-
115274 arch/x86/kernel/apic/probe_32.c | 2 +-
115275 arch/x86/kernel/apic/summit_32.c | 2 +-
115276 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
115277 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
115278 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
115279 arch/x86/kernel/apm_32.c | 19 +-
115280 arch/x86/kernel/asm-offsets.c | 20 +
115281 arch/x86/kernel/asm-offsets_64.c | 1 +
115282 arch/x86/kernel/cpu/Makefile | 4 -
115283 arch/x86/kernel/cpu/amd.c | 2 +-
115284 arch/x86/kernel/cpu/common.c | 75 +-
115285 arch/x86/kernel/cpu/intel.c | 2 +-
115286 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
115287 arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
115288 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
115289 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
115290 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
115291 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
115292 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
115293 arch/x86/kernel/cpu/perf_event.c | 4 +-
115294 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
115295 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
115296 arch/x86/kernel/cpuid.c | 2 +-
115297 arch/x86/kernel/crash.c | 4 +-
115298 arch/x86/kernel/doublefault_32.c | 8 +-
115299 arch/x86/kernel/dumpstack.c | 30 +-
115300 arch/x86/kernel/dumpstack_32.c | 34 +-
115301 arch/x86/kernel/dumpstack_64.c | 63 +-
115302 arch/x86/kernel/early_printk.c | 1 +
115303 arch/x86/kernel/entry_32.S | 354 ++-
115304 arch/x86/kernel/entry_64.S | 512 +++-
115305 arch/x86/kernel/ftrace.c | 14 +-
115306 arch/x86/kernel/head32.c | 4 +-
115307 arch/x86/kernel/head_32.S | 237 ++-
115308 arch/x86/kernel/head_64.S | 158 +-
115309 arch/x86/kernel/i386_ksyms_32.c | 8 +
115310 arch/x86/kernel/i387.c | 2 +-
115311 arch/x86/kernel/i8259.c | 2 +-
115312 arch/x86/kernel/ioport.c | 2 +-
115313 arch/x86/kernel/irq.c | 10 +-
115314 arch/x86/kernel/irq_32.c | 69 +-
115315 arch/x86/kernel/irq_64.c | 2 +-
115316 arch/x86/kernel/kdebugfs.c | 2 +-
115317 arch/x86/kernel/kgdb.c | 25 +-
115318 arch/x86/kernel/kprobes-opt.c | 12 +-
115319 arch/x86/kernel/kprobes.c | 30 +-
115320 arch/x86/kernel/kvm.c | 2 +-
115321 arch/x86/kernel/ldt.c | 31 +-
115322 arch/x86/kernel/machine_kexec_32.c | 6 +-
115323 arch/x86/kernel/microcode_core.c | 2 +-
115324 arch/x86/kernel/microcode_intel.c | 4 +-
115325 arch/x86/kernel/module.c | 76 +-
115326 arch/x86/kernel/msr.c | 2 +-
115327 arch/x86/kernel/nmi.c | 11 +
115328 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
115329 arch/x86/kernel/paravirt.c | 43 +-
115330 arch/x86/kernel/pci-iommu_table.c | 2 +-
115331 arch/x86/kernel/process.c | 57 +-
115332 arch/x86/kernel/process_32.c | 29 +-
115333 arch/x86/kernel/process_64.c | 15 +-
115334 arch/x86/kernel/ptrace.c | 25 +-
115335 arch/x86/kernel/pvclock.c | 8 +-
115336 arch/x86/kernel/reboot.c | 44 +-
115337 arch/x86/kernel/relocate_kernel_64.S | 4 +-
115338 arch/x86/kernel/setup.c | 14 +-
115339 arch/x86/kernel/setup_percpu.c | 27 +-
115340 arch/x86/kernel/signal.c | 15 +-
115341 arch/x86/kernel/smp.c | 2 +-
115342 arch/x86/kernel/smpboot.c | 15 +-
115343 arch/x86/kernel/step.c | 10 +-
115344 arch/x86/kernel/sys_i386_32.c | 247 ++
115345 arch/x86/kernel/sys_x86_64.c | 19 +-
115346 arch/x86/kernel/tboot.c | 14 +-
115347 arch/x86/kernel/time.c | 10 +-
115348 arch/x86/kernel/tls.c | 7 +-
115349 arch/x86/kernel/traps.c | 64 +-
115350 arch/x86/kernel/uprobes.c | 2 +-
115351 arch/x86/kernel/vm86_32.c | 6 +-
115352 arch/x86/kernel/vmlinux.lds.S | 148 +-
115353 arch/x86/kernel/vsyscall_64.c | 12 +-
115354 arch/x86/kernel/x8664_ksyms_64.c | 2 -
115355 arch/x86/kernel/x86_init.c | 8 +-
115356 arch/x86/kernel/xsave.c | 2 +
115357 arch/x86/kvm/cpuid.c | 21 +-
115358 arch/x86/kvm/emulate.c | 4 +-
115359 arch/x86/kvm/lapic.c | 2 +-
115360 arch/x86/kvm/paging_tmpl.h | 2 +-
115361 arch/x86/kvm/svm.c | 8 +
115362 arch/x86/kvm/vmx.c | 47 +-
115363 arch/x86/kvm/x86.c | 10 +-
115364 arch/x86/lguest/boot.c | 3 +-
115365 arch/x86/lib/atomic64_386_32.S | 164 +
115366 arch/x86/lib/atomic64_cx8_32.S | 103 +-
115367 arch/x86/lib/checksum_32.S | 100 +-
115368 arch/x86/lib/clear_page_64.S | 5 +-
115369 arch/x86/lib/cmpxchg16b_emu.S | 2 +
115370 arch/x86/lib/copy_page_64.S | 24 +-
115371 arch/x86/lib/copy_user_64.S | 47 +-
115372 arch/x86/lib/copy_user_nocache_64.S | 20 +-
115373 arch/x86/lib/csum-copy_64.S | 2 +
115374 arch/x86/lib/csum-wrappers_64.c | 4 +-
115375 arch/x86/lib/getuser.S | 68 +-
115376 arch/x86/lib/insn.c | 6 +-
115377 arch/x86/lib/iomap_copy_64.S | 2 +
115378 arch/x86/lib/memcpy_64.S | 18 +-
115379 arch/x86/lib/memmove_64.S | 34 +-
115380 arch/x86/lib/memset_64.S | 7 +-
115381 arch/x86/lib/mmx_32.c | 243 +-
115382 arch/x86/lib/msr-reg.S | 18 +-
115383 arch/x86/lib/putuser.S | 90 +-
115384 arch/x86/lib/rwlock.S | 42 +
115385 arch/x86/lib/rwsem.S | 6 +-
115386 arch/x86/lib/thunk_64.S | 2 +
115387 arch/x86/lib/usercopy_32.c | 376 ++-
115388 arch/x86/lib/usercopy_64.c | 25 +-
115389 arch/x86/mm/extable.c | 25 +-
115390 arch/x86/mm/fault.c | 555 +++-
115391 arch/x86/mm/gup.c | 2 +-
115392 arch/x86/mm/highmem_32.c | 4 +
115393 arch/x86/mm/hugetlbpage.c | 30 +-
115394 arch/x86/mm/init.c | 92 +-
115395 arch/x86/mm/init_32.c | 122 +-
115396 arch/x86/mm/init_64.c | 48 +-
115397 arch/x86/mm/iomap_32.c | 4 +
115398 arch/x86/mm/ioremap.c | 12 +-
115399 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
115400 arch/x86/mm/mmap.c | 41 +-
115401 arch/x86/mm/mmio-mod.c | 10 +-
115402 arch/x86/mm/pageattr-test.c | 2 +-
115403 arch/x86/mm/pageattr.c | 33 +-
115404 arch/x86/mm/pat.c | 12 +-
115405 arch/x86/mm/pf_in.c | 10 +-
115406 arch/x86/mm/pgtable.c | 137 +-
115407 arch/x86/mm/pgtable_32.c | 3 +
115408 arch/x86/mm/setup_nx.c | 7 +
115409 arch/x86/mm/tlb.c | 4 +
115410 arch/x86/net/bpf_jit.S | 14 +
115411 arch/x86/net/bpf_jit_comp.c | 37 +-
115412 arch/x86/oprofile/backtrace.c | 8 +-
115413 arch/x86/pci/amd_bus.c | 2 +-
115414 arch/x86/pci/mrst.c | 4 +-
115415 arch/x86/pci/pcbios.c | 144 +-
115416 arch/x86/platform/efi/efi_32.c | 19 +
115417 arch/x86/platform/efi/efi_stub_32.S | 64 +-
115418 arch/x86/platform/efi/efi_stub_64.S | 8 +
115419 arch/x86/platform/mrst/mrst.c | 6 +-
115420 arch/x86/platform/olpc/olpc_dt.c | 2 +-
115421 arch/x86/power/cpu.c | 4 +-
115422 arch/x86/realmode/init.c | 8 +-
115423 arch/x86/realmode/rm/Makefile | 3 +
115424 arch/x86/realmode/rm/header.S | 4 +-
115425 arch/x86/realmode/rm/trampoline_32.S | 12 +-
115426 arch/x86/realmode/rm/trampoline_64.S | 2 +-
115427 arch/x86/tools/relocs.c | 95 +-
115428 arch/x86/vdso/Makefile | 2 +-
115429 arch/x86/vdso/vdso32-setup.c | 23 +-
115430 arch/x86/vdso/vma.c | 29 +-
115431 arch/x86/xen/enlighten.c | 47 +-
115432 arch/x86/xen/mmu.c | 9 +
115433 arch/x86/xen/smp.c | 18 +-
115434 arch/x86/xen/xen-asm_32.S | 12 +-
115435 arch/x86/xen/xen-head.S | 11 +
115436 arch/x86/xen/xen-ops.h | 2 -
115437 block/blk-iopoll.c | 4 +-
115438 block/blk-map.c | 2 +-
115439 block/blk-softirq.c | 4 +-
115440 block/bsg.c | 12 +-
115441 block/compat_ioctl.c | 2 +-
115442 block/partitions/efi.c | 8 +-
115443 block/scsi_ioctl.c | 27 +-
115444 crypto/cryptd.c | 4 +-
115445 drivers/acpi/apei/cper.c | 8 +-
115446 drivers/acpi/ec_sys.c | 12 +-
115447 drivers/acpi/processor_driver.c | 2 +-
115448 drivers/ata/libata-core.c | 8 +-
115449 drivers/ata/pata_arasan_cf.c | 4 +-
115450 drivers/atm/adummy.c | 2 +-
115451 drivers/atm/ambassador.c | 8 +-
115452 drivers/atm/atmtcp.c | 14 +-
115453 drivers/atm/eni.c | 10 +-
115454 drivers/atm/firestream.c | 8 +-
115455 drivers/atm/fore200e.c | 14 +-
115456 drivers/atm/he.c | 18 +-
115457 drivers/atm/horizon.c | 4 +-
115458 drivers/atm/idt77252.c | 36 +-
115459 drivers/atm/iphase.c | 34 +-
115460 drivers/atm/lanai.c | 12 +-
115461 drivers/atm/nicstar.c | 46 +-
115462 drivers/atm/solos-pci.c | 4 +-
115463 drivers/atm/suni.c | 4 +-
115464 drivers/atm/uPD98402.c | 16 +-
115465 drivers/atm/zatm.c | 6 +-
115466 drivers/base/devtmpfs.c | 2 +-
115467 drivers/base/power/wakeup.c | 8 +-
115468 drivers/block/cciss.c | 28 +-
115469 drivers/block/cciss.h | 2 +-
115470 drivers/block/cpqarray.c | 28 +-
115471 drivers/block/cpqarray.h | 2 +-
115472 drivers/block/drbd/drbd_int.h | 6 +-
115473 drivers/block/drbd/drbd_main.c | 8 +-
115474 drivers/block/drbd/drbd_receiver.c | 18 +-
115475 drivers/block/loop.c | 2 +-
115476 drivers/cdrom/cdrom.c | 9 +-
115477 drivers/cdrom/gdrom.c | 1 -
115478 drivers/char/agp/frontend.c | 2 +-
115479 drivers/char/hpet.c | 2 +-
115480 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
115481 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
115482 drivers/char/mem.c | 41 +-
115483 drivers/char/nvram.c | 2 +-
115484 drivers/char/pcmcia/synclink_cs.c | 18 +-
115485 drivers/char/random.c | 8 +-
115486 drivers/char/sonypi.c | 9 +-
115487 drivers/char/tpm/tpm.c | 2 +-
115488 drivers/char/tpm/tpm_acpi.c | 3 +-
115489 drivers/char/tpm/tpm_eventlog.c | 7 +-
115490 drivers/char/virtio_console.c | 4 +-
115491 drivers/clocksource/arm_generic.c | 2 +-
115492 drivers/cpufreq/cpufreq.c | 2 +-
115493 drivers/cpufreq/cpufreq_stats.c | 2 +-
115494 drivers/dma/sh/shdma.c | 2 +-
115495 drivers/edac/edac_pci_sysfs.c | 20 +-
115496 drivers/edac/mce_amd.h | 2 +-
115497 drivers/firewire/core-card.c | 2 +-
115498 drivers/firewire/core-cdev.c | 3 +-
115499 drivers/firewire/core-transaction.c | 1 +
115500 drivers/firewire/core.h | 1 +
115501 drivers/firmware/dmi_scan.c | 7 +-
115502 drivers/firmware/efivars.c | 2 +-
115503 drivers/gpio/gpio-vr41xx.c | 2 +-
115504 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
115505 drivers/gpu/drm/drm_drv.c | 4 +-
115506 drivers/gpu/drm/drm_fops.c | 18 +-
115507 drivers/gpu/drm/drm_global.c | 14 +-
115508 drivers/gpu/drm/drm_info.c | 14 +-
115509 drivers/gpu/drm/drm_ioc32.c | 4 +-
115510 drivers/gpu/drm/drm_ioctl.c | 2 +-
115511 drivers/gpu/drm/drm_lock.c | 4 +-
115512 drivers/gpu/drm/drm_stub.c | 2 +-
115513 drivers/gpu/drm/i810/i810_dma.c | 8 +-
115514 drivers/gpu/drm/i810/i810_drv.h | 4 +-
115515 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
115516 drivers/gpu/drm/i915/i915_dma.c | 2 +-
115517 drivers/gpu/drm/i915/i915_drv.h | 6 +-
115518 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
115519 drivers/gpu/drm/i915/i915_irq.c | 22 +-
115520 drivers/gpu/drm/i915/intel_display.c | 9 +-
115521 drivers/gpu/drm/mga/mga_drv.h | 4 +-
115522 drivers/gpu/drm/mga/mga_irq.c | 8 +-
115523 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
115524 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
115525 drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
115526 drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
115527 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
115528 drivers/gpu/drm/r128/r128_cce.c | 2 +-
115529 drivers/gpu/drm/r128/r128_drv.h | 4 +-
115530 drivers/gpu/drm/r128/r128_irq.c | 4 +-
115531 drivers/gpu/drm/r128/r128_state.c | 4 +-
115532 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
115533 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
115534 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
115535 drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
115536 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
115537 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
115538 drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
115539 drivers/gpu/drm/radeon/rs690.c | 4 +-
115540 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
115541 drivers/gpu/drm/via/via_drv.h | 4 +-
115542 drivers/gpu/drm/via/via_irq.c | 18 +-
115543 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
115544 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
115545 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
115546 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
115547 drivers/hid/hid-core.c | 4 +-
115548 drivers/hv/channel.c | 4 +-
115549 drivers/hv/hv.c | 2 +-
115550 drivers/hv/hyperv_vmbus.h | 2 +-
115551 drivers/hv/vmbus_drv.c | 4 +-
115552 drivers/hwmon/coretemp.c | 2 +-
115553 drivers/hwmon/sht15.c | 12 +-
115554 drivers/hwmon/via-cputemp.c | 2 +-
115555 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
115556 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
115557 drivers/ide/ide-cd.c | 2 +-
115558 drivers/infiniband/core/cm.c | 32 +-
115559 drivers/infiniband/core/fmr_pool.c | 20 +-
115560 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
115561 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
115562 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
115563 drivers/infiniband/hw/nes/nes.c | 4 +-
115564 drivers/infiniband/hw/nes/nes.h | 40 +-
115565 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
115566 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
115567 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
115568 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
115569 drivers/infiniband/hw/qib/qib.h | 1 +
115570 drivers/input/gameport/gameport.c | 4 +-
115571 drivers/input/input.c | 4 +-
115572 drivers/input/joystick/sidewinder.c | 1 +
115573 drivers/input/joystick/xpad.c | 4 +-
115574 drivers/input/mousedev.c | 2 +-
115575 drivers/input/serio/serio.c | 4 +-
115576 drivers/isdn/capi/capi.c | 10 +-
115577 drivers/isdn/gigaset/interface.c | 8 +-
115578 drivers/isdn/hardware/avm/b1.c | 4 +-
115579 drivers/isdn/i4l/isdn_tty.c | 22 +-
115580 drivers/isdn/icn/icn.c | 2 +-
115581 drivers/lguest/core.c | 10 +-
115582 drivers/lguest/x86/core.c | 12 +-
115583 drivers/lguest/x86/switcher_32.S | 27 +-
115584 drivers/md/bitmap.c | 2 +-
115585 drivers/md/dm-ioctl.c | 2 +-
115586 drivers/md/dm-raid1.c | 16 +-
115587 drivers/md/dm-stripe.c | 10 +-
115588 drivers/md/dm-table.c | 2 +-
115589 drivers/md/dm-thin-metadata.c | 4 +-
115590 drivers/md/dm.c | 16 +-
115591 drivers/md/md.c | 26 +-
115592 drivers/md/md.h | 6 +-
115593 drivers/md/persistent-data/dm-space-map.h | 1 +
115594 drivers/md/raid1.c | 4 +-
115595 drivers/md/raid10.c | 16 +-
115596 drivers/md/raid5.c | 10 +-
115597 drivers/media/dvb-core/dvbdev.c | 2 +-
115598 drivers/media/dvb-frontends/dib3000.h | 2 +-
115599 drivers/media/platform/omap/omap_vout.c | 11 +-
115600 drivers/media/platform/s5p-tv/mixer.h | 2 +-
115601 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
115602 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
115603 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
115604 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
115605 drivers/media/radio/radio-cadet.c | 2 +
115606 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
115607 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
115608 drivers/message/fusion/mptsas.c | 34 +-
115609 drivers/message/fusion/mptscsih.c | 19 +-
115610 drivers/message/i2o/i2o_proc.c | 51 +-
115611 drivers/message/i2o/iop.c | 8 +-
115612 drivers/mfd/janz-cmodio.c | 1 +
115613 drivers/misc/kgdbts.c | 4 +-
115614 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
115615 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
115616 drivers/misc/sgi-gru/gruhandles.c | 4 +-
115617 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
115618 drivers/misc/sgi-gru/grutables.h | 154 +-
115619 drivers/misc/sgi-xp/xp.h | 2 +-
115620 drivers/misc/sgi-xp/xpc.h | 3 +-
115621 drivers/misc/sgi-xp/xpc_main.c | 4 +-
115622 drivers/mmc/core/mmc_ops.c | 2 +-
115623 drivers/mmc/host/dw_mmc.h | 2 +-
115624 drivers/mmc/host/sdhci-s3c.c | 8 +-
115625 drivers/mtd/devices/doc2000.c | 2 +-
115626 drivers/mtd/nand/denali.c | 1 +
115627 drivers/mtd/nftlmount.c | 1 +
115628 drivers/net/ethernet/8390/ax88796.c | 4 +-
115629 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
115630 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
115631 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
115632 drivers/net/ethernet/broadcom/tg3.h | 1 +
115633 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
115634 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
115635 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
115636 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
115637 drivers/net/ethernet/faraday/ftmac100.c | 2 +
115638 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
115639 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
115640 drivers/net/ethernet/realtek/r8169.c | 8 +-
115641 drivers/net/ethernet/sfc/ptp.c | 2 +-
115642 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
115643 drivers/net/hyperv/hyperv_net.h | 2 +-
115644 drivers/net/hyperv/rndis_filter.c | 4 +-
115645 drivers/net/ieee802154/fakehard.c | 2 +-
115646 drivers/net/macvlan.c | 2 +-
115647 drivers/net/macvtap.c | 2 +-
115648 drivers/net/ppp/ppp_generic.c | 4 +-
115649 drivers/net/team/team.c | 2 +-
115650 drivers/net/tun.c | 5 +-
115651 drivers/net/usb/hso.c | 23 +-
115652 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
115653 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
115654 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
115655 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
115656 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
115657 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
115658 drivers/net/wireless/mac80211_hwsim.c | 32 +-
115659 drivers/net/wireless/rndis_wlan.c | 2 +-
115660 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
115661 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
115662 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
115663 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
115664 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
115665 drivers/oprofile/buffer_sync.c | 8 +-
115666 drivers/oprofile/event_buffer.c | 2 +-
115667 drivers/oprofile/oprof.c | 2 +-
115668 drivers/oprofile/oprofile_stats.c | 10 +-
115669 drivers/oprofile/oprofile_stats.h | 10 +-
115670 drivers/oprofile/oprofilefs.c | 2 +-
115671 drivers/oprofile/timer_int.c | 2 +-
115672 drivers/parport/procfs.c | 4 +-
115673 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
115674 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
115675 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
115676 drivers/pci/pcie/aspm.c | 6 +-
115677 drivers/pci/probe.c | 2 +-
115678 drivers/platform/x86/thinkpad_acpi.c | 70 +-
115679 drivers/pnp/pnpbios/bioscalls.c | 14 +-
115680 drivers/pnp/resource.c | 4 +-
115681 drivers/power/pda_power.c | 7 +-
115682 drivers/regulator/max8660.c | 6 +-
115683 drivers/regulator/max8973-regulator.c | 8 +-
115684 drivers/regulator/mc13892-regulator.c | 6 +-
115685 drivers/scsi/bfa/bfa.h | 2 +-
115686 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
115687 drivers/scsi/bfa/bfa_ioc.h | 4 +-
115688 drivers/scsi/hosts.c | 4 +-
115689 drivers/scsi/hpsa.c | 30 +-
115690 drivers/scsi/hpsa.h | 2 +-
115691 drivers/scsi/libfc/fc_exch.c | 50 +-
115692 drivers/scsi/libsas/sas_ata.c | 2 +-
115693 drivers/scsi/lpfc/lpfc.h | 8 +-
115694 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
115695 drivers/scsi/lpfc/lpfc_init.c | 6 +-
115696 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
115697 drivers/scsi/pmcraid.c | 20 +-
115698 drivers/scsi/pmcraid.h | 8 +-
115699 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
115700 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
115701 drivers/scsi/qla2xxx/qla_os.c | 6 +-
115702 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
115703 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
115704 drivers/scsi/scsi.c | 2 +-
115705 drivers/scsi/scsi_lib.c | 6 +-
115706 drivers/scsi/scsi_sysfs.c | 2 +-
115707 drivers/scsi/scsi_tgt_lib.c | 2 +-
115708 drivers/scsi/scsi_transport_fc.c | 8 +-
115709 drivers/scsi/scsi_transport_iscsi.c | 6 +-
115710 drivers/scsi/scsi_transport_srp.c | 6 +-
115711 drivers/scsi/sd.c | 2 +-
115712 drivers/scsi/sg.c | 2 +-
115713 drivers/spi/spi.c | 2 +-
115714 drivers/staging/octeon/ethernet-rx.c | 12 +-
115715 drivers/staging/octeon/ethernet.c | 8 +-
115716 drivers/staging/ramster/tmem.c | 54 +-
115717 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
115718 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
115719 drivers/staging/usbip/vhci.h | 2 +-
115720 drivers/staging/usbip/vhci_hcd.c | 6 +-
115721 drivers/staging/usbip/vhci_rx.c | 2 +-
115722 drivers/staging/vt6655/hostap.c | 7 +-
115723 drivers/staging/vt6656/hostap.c | 7 +-
115724 drivers/staging/zcache/tmem.c | 4 +-
115725 drivers/staging/zcache/tmem.h | 2 +
115726 drivers/target/target_core_device.c | 2 +-
115727 drivers/target/target_core_transport.c | 2 +-
115728 drivers/tty/cyclades.c | 6 +-
115729 drivers/tty/hvc/hvc_console.c | 14 +-
115730 drivers/tty/hvc/hvcs.c | 21 +-
115731 drivers/tty/ipwireless/tty.c | 27 +-
115732 drivers/tty/moxa.c | 2 +-
115733 drivers/tty/n_gsm.c | 4 +-
115734 drivers/tty/n_tty.c | 3 +-
115735 drivers/tty/pty.c | 4 +-
115736 drivers/tty/rocket.c | 6 +-
115737 drivers/tty/serial/kgdboc.c | 32 +-
115738 drivers/tty/serial/samsung.c | 9 +-
115739 drivers/tty/serial/serial_core.c | 8 +-
115740 drivers/tty/synclink.c | 34 +-
115741 drivers/tty/synclink_gt.c | 28 +-
115742 drivers/tty/synclinkmp.c | 34 +-
115743 drivers/tty/tty_io.c | 2 +-
115744 drivers/tty/tty_ldisc.c | 10 +-
115745 drivers/tty/tty_port.c | 22 +-
115746 drivers/uio/uio.c | 21 +-
115747 drivers/usb/atm/cxacru.c | 2 +-
115748 drivers/usb/atm/usbatm.c | 24 +-
115749 drivers/usb/core/devices.c | 6 +-
115750 drivers/usb/core/hcd.c | 4 +-
115751 drivers/usb/core/sysfs.c | 2 +-
115752 drivers/usb/core/usb.c | 2 +-
115753 drivers/usb/early/ehci-dbgp.c | 16 +-
115754 drivers/usb/gadget/u_serial.c | 22 +-
115755 drivers/usb/serial/console.c | 6 +-
115756 drivers/usb/wusbcore/wa-hc.h | 4 +-
115757 drivers/usb/wusbcore/wa-xfer.c | 2 +-
115758 drivers/video/aty/aty128fb.c | 2 +-
115759 drivers/video/fbcmap.c | 3 +-
115760 drivers/video/fbmem.c | 6 +-
115761 drivers/video/i810/i810_accel.c | 1 +
115762 drivers/video/udlfb.c | 32 +-
115763 drivers/video/uvesafb.c | 39 +-
115764 drivers/video/vesafb.c | 51 +-
115765 drivers/video/via/via_clock.h | 2 +-
115766 fs/9p/vfs_inode.c | 2 +-
115767 fs/Kconfig.binfmt | 2 +-
115768 fs/aio.c | 11 +-
115769 fs/autofs4/waitq.c | 2 +-
115770 fs/befs/linuxvfs.c | 2 +-
115771 fs/binfmt_aout.c | 23 +-
115772 fs/binfmt_elf.c | 604 ++++-
115773 fs/binfmt_flat.c | 6 +
115774 fs/bio.c | 6 +-
115775 fs/block_dev.c | 2 +-
115776 fs/btrfs/ctree.c | 9 +-
115777 fs/btrfs/relocation.c | 2 +-
115778 fs/btrfs/super.c | 2 +-
115779 fs/cachefiles/bind.c | 6 +-
115780 fs/cachefiles/daemon.c | 8 +-
115781 fs/cachefiles/internal.h | 12 +-
115782 fs/cachefiles/namei.c | 2 +-
115783 fs/cachefiles/proc.c | 12 +-
115784 fs/cachefiles/rdwr.c | 2 +-
115785 fs/ceph/dir.c | 2 +-
115786 fs/cifs/cifs_debug.c | 12 +-
115787 fs/cifs/cifsfs.c | 8 +-
115788 fs/cifs/cifsglob.h | 54 +-
115789 fs/cifs/link.c | 2 +-
115790 fs/cifs/misc.c | 4 +-
115791 fs/cifs/smb1ops.c | 80 +-
115792 fs/cifs/smb2ops.c | 84 +-
115793 fs/cifs/smb2pdu.c | 3 +-
115794 fs/coda/cache.c | 10 +-
115795 fs/compat.c | 6 +-
115796 fs/compat_binfmt_elf.c | 2 +
115797 fs/compat_ioctl.c | 8 +-
115798 fs/configfs/dir.c | 10 +-
115799 fs/coredump.c | 24 +-
115800 fs/dcache.c | 2 +-
115801 fs/ecryptfs/inode.c | 4 +-
115802 fs/ecryptfs/miscdev.c | 2 +-
115803 fs/ecryptfs/read_write.c | 4 +-
115804 fs/exec.c | 356 ++-
115805 fs/ext4/ext4.h | 20 +-
115806 fs/ext4/mballoc.c | 44 +-
115807 fs/fhandle.c | 3 +-
115808 fs/fifo.c | 22 +-
115809 fs/fs_struct.c | 8 +-
115810 fs/fscache/cookie.c | 36 +-
115811 fs/fscache/internal.h | 196 +-
115812 fs/fscache/object.c | 28 +-
115813 fs/fscache/operation.c | 30 +-
115814 fs/fscache/page.c | 110 +-
115815 fs/fscache/stats.c | 344 +-
115816 fs/fuse/cuse.c | 10 +-
115817 fs/fuse/dev.c | 2 +-
115818 fs/fuse/dir.c | 2 +-
115819 fs/gfs2/inode.c | 2 +-
115820 fs/hugetlbfs/inode.c | 13 +-
115821 fs/inode.c | 4 +-
115822 fs/jffs2/erase.c | 3 +-
115823 fs/jffs2/wbuf.c | 3 +-
115824 fs/jfs/super.c | 2 +-
115825 fs/libfs.c | 10 +-
115826 fs/lockd/clntproc.c | 4 +-
115827 fs/locks.c | 8 +-
115828 fs/namei.c | 15 +-
115829 fs/namespace.c | 2 +-
115830 fs/nfs/inode.c | 6 +-
115831 fs/nfsd/vfs.c | 6 +-
115832 fs/notify/fanotify/fanotify_user.c | 4 +-
115833 fs/notify/notification.c | 4 +-
115834 fs/ntfs/dir.c | 2 +-
115835 fs/ntfs/file.c | 4 +-
115836 fs/ocfs2/localalloc.c | 2 +-
115837 fs/ocfs2/ocfs2.h | 10 +-
115838 fs/ocfs2/suballoc.c | 12 +-
115839 fs/ocfs2/super.c | 20 +-
115840 fs/pipe.c | 33 +-
115841 fs/proc/array.c | 20 +
115842 fs/proc/kcore.c | 32 +-
115843 fs/proc/meminfo.c | 2 +-
115844 fs/proc/nommu.c | 2 +-
115845 fs/proc/self.c | 2 +-
115846 fs/proc/task_mmu.c | 39 +-
115847 fs/proc/task_nommu.c | 4 +-
115848 fs/quota/netlink.c | 4 +-
115849 fs/readdir.c | 2 +-
115850 fs/reiserfs/do_balan.c | 2 +-
115851 fs/reiserfs/procfs.c | 2 +-
115852 fs/reiserfs/reiserfs.h | 4 +-
115853 fs/seq_file.c | 2 +-
115854 fs/splice.c | 36 +-
115855 fs/sysfs/file.c | 10 +-
115856 fs/sysfs/symlink.c | 2 +-
115857 fs/udf/misc.c | 2 +-
115858 fs/xattr_acl.c | 4 +-
115859 fs/xfs/xfs_bmap.c | 2 +-
115860 fs/xfs/xfs_dir2_sf.c | 10 +-
115861 fs/xfs/xfs_ioctl.c | 2 +-
115862 fs/xfs/xfs_iops.c | 2 +-
115863 include/asm-generic/4level-fixup.h | 2 +
115864 include/asm-generic/atomic-long.h | 210 ++
115865 include/asm-generic/atomic.h | 2 +-
115866 include/asm-generic/atomic64.h | 12 +
115867 include/asm-generic/cache.h | 4 +-
115868 include/asm-generic/emergency-restart.h | 2 +-
115869 include/asm-generic/kmap_types.h | 4 +-
115870 include/asm-generic/local.h | 13 +
115871 include/asm-generic/pgtable-nopmd.h | 18 +-
115872 include/asm-generic/pgtable-nopud.h | 15 +-
115873 include/asm-generic/pgtable.h | 8 +
115874 include/asm-generic/vmlinux.lds.h | 10 +-
115875 include/crypto/algapi.h | 2 +-
115876 include/drm/drmP.h | 5 +-
115877 include/drm/drm_crtc_helper.h | 2 +-
115878 include/drm/ttm/ttm_memory.h | 2 +-
115879 include/linux/atmdev.h | 2 +-
115880 include/linux/binfmts.h | 1 +
115881 include/linux/blkdev.h | 2 +-
115882 include/linux/blktrace_api.h | 2 +-
115883 include/linux/cache.h | 4 +
115884 include/linux/cdrom.h | 1 -
115885 include/linux/cleancache.h | 2 +-
115886 include/linux/compiler-gcc4.h | 20 +
115887 include/linux/compiler.h | 72 +-
115888 include/linux/cpu.h | 2 +-
115889 include/linux/crypto.h | 6 +-
115890 include/linux/decompress/mm.h | 2 +-
115891 include/linux/dma-mapping.h | 2 +-
115892 include/linux/dmaengine.h | 4 +-
115893 include/linux/efi.h | 1 +
115894 include/linux/elf.h | 2 +
115895 include/linux/filter.h | 4 +
115896 include/linux/frontswap.h | 2 +-
115897 include/linux/fs.h | 3 +-
115898 include/linux/fs_struct.h | 2 +-
115899 include/linux/fscache-cache.h | 4 +-
115900 include/linux/fsnotify.h | 2 +-
115901 include/linux/ftrace_event.h | 2 +-
115902 include/linux/genhd.h | 2 +-
115903 include/linux/gfp.h | 12 +-
115904 include/linux/highmem.h | 12 +
115905 include/linux/i2c.h | 1 +
115906 include/linux/i2o.h | 2 +-
115907 include/linux/if_pppox.h | 2 +-
115908 include/linux/init.h | 33 +-
115909 include/linux/init_task.h | 7 +
115910 include/linux/interrupt.h | 8 +-
115911 include/linux/kgdb.h | 6 +-
115912 include/linux/kobject.h | 2 +-
115913 include/linux/kref.h | 2 +-
115914 include/linux/kvm_host.h | 4 +-
115915 include/linux/libata.h | 2 +-
115916 include/linux/list.h | 3 +
115917 include/linux/mm.h | 91 +-
115918 include/linux/mm_types.h | 22 +-
115919 include/linux/mmiotrace.h | 4 +-
115920 include/linux/mmzone.h | 2 +-
115921 include/linux/mod_devicetable.h | 4 +-
115922 include/linux/module.h | 55 +-
115923 include/linux/moduleloader.h | 18 +-
115924 include/linux/moduleparam.h | 4 +-
115925 include/linux/namei.h | 6 +-
115926 include/linux/netdevice.h | 3 +-
115927 include/linux/netfilter/ipset/ip_set.h | 2 +-
115928 include/linux/netfilter/nfnetlink.h | 2 +-
115929 include/linux/notifier.h | 3 +-
115930 include/linux/oprofile.h | 4 +-
115931 include/linux/perf_event.h | 10 +-
115932 include/linux/pipe_fs_i.h | 6 +-
115933 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
115934 include/linux/pm_runtime.h | 2 +-
115935 include/linux/poison.h | 4 +-
115936 include/linux/power/smartreflex.h | 2 +-
115937 include/linux/random.h | 5 +
115938 include/linux/reboot.h | 14 +-
115939 include/linux/regset.h | 3 +-
115940 include/linux/relay.h | 2 +-
115941 include/linux/rio.h | 2 +-
115942 include/linux/rmap.h | 4 +-
115943 include/linux/sched.h | 64 +-
115944 include/linux/seq_file.h | 1 +
115945 include/linux/skbuff.h | 12 +-
115946 include/linux/slab.h | 36 +-
115947 include/linux/slab_def.h | 33 +-
115948 include/linux/slob_def.h | 4 +-
115949 include/linux/slub_def.h | 10 +-
115950 include/linux/sonet.h | 2 +-
115951 include/linux/sunrpc/clnt.h | 8 +-
115952 include/linux/sunrpc/svc_rdma.h | 18 +-
115953 include/linux/sysrq.h | 2 +-
115954 include/linux/thread_info.h | 7 +
115955 include/linux/tty.h | 4 +-
115956 include/linux/tty_driver.h | 2 +-
115957 include/linux/tty_ldisc.h | 2 +-
115958 include/linux/types.h | 16 +
115959 include/linux/uaccess.h | 6 +-
115960 include/linux/unaligned/access_ok.h | 12 +-
115961 include/linux/usb.h | 2 +-
115962 include/linux/usb/renesas_usbhs.h | 2 +-
115963 include/linux/vermagic.h | 21 +-
115964 include/linux/vmalloc.h | 11 +-
115965 include/linux/vmstat.h | 20 +-
115966 include/media/v4l2-dev.h | 2 +-
115967 include/media/v4l2-ioctl.h | 1 -
115968 include/net/caif/cfctrl.h | 6 +-
115969 include/net/flow.h | 2 +-
115970 include/net/gro_cells.h | 6 +-
115971 include/net/inet_connection_sock.h | 2 +-
115972 include/net/inetpeer.h | 8 +-
115973 include/net/ip_fib.h | 2 +-
115974 include/net/ip_vs.h | 4 +-
115975 include/net/irda/ircomm_tty.h | 1 +
115976 include/net/iucv/af_iucv.h | 2 +-
115977 include/net/neighbour.h | 2 +-
115978 include/net/net_namespace.h | 6 +-
115979 include/net/netdma.h | 2 +-
115980 include/net/netlink.h | 2 +-
115981 include/net/netns/ipv4.h | 2 +-
115982 include/net/protocol.h | 4 +-
115983 include/net/sctp/sctp.h | 6 +-
115984 include/net/sctp/structs.h | 4 +-
115985 include/net/sock.h | 6 +-
115986 include/net/tcp.h | 8 +-
115987 include/net/xfrm.h | 4 +-
115988 include/rdma/iw_cm.h | 2 +-
115989 include/scsi/libfc.h | 3 +-
115990 include/scsi/scsi_device.h | 6 +-
115991 include/scsi/scsi_transport_fc.h | 3 +-
115992 include/sound/soc.h | 4 +-
115993 include/target/target_core_base.h | 2 +-
115994 include/trace/events/irq.h | 4 +-
115995 include/uapi/linux/a.out.h | 8 +
115996 include/uapi/linux/byteorder/little_endian.h | 24 +-
115997 include/uapi/linux/elf.h | 28 +
115998 include/uapi/linux/screen_info.h | 3 +-
115999 include/uapi/linux/sysctl.h | 6 +-
116000 include/uapi/linux/xattr.h | 4 +
116001 include/video/udlfb.h | 8 +-
116002 include/video/uvesafb.h | 1 +
116003 init/Kconfig | 2 +-
116004 init/Makefile | 3 +
116005 init/do_mounts.c | 14 +-
116006 init/do_mounts.h | 8 +-
116007 init/do_mounts_initrd.c | 22 +-
116008 init/do_mounts_md.c | 6 +-
116009 init/init_task.c | 4 +
116010 init/initramfs.c | 40 +-
116011 init/main.c | 78 +-
116012 ipc/msg.c | 11 +-
116013 ipc/sem.c | 11 +-
116014 ipc/shm.c | 17 +-
116015 kernel/acct.c | 2 +-
116016 kernel/audit.c | 8 +-
116017 kernel/auditsc.c | 4 +-
116018 kernel/capability.c | 3 +
116019 kernel/compat.c | 40 +-
116020 kernel/debug/debug_core.c | 16 +-
116021 kernel/debug/kdb/kdb_main.c | 4 +-
116022 kernel/events/core.c | 28 +-
116023 kernel/exit.c | 4 +-
116024 kernel/fork.c | 167 +-
116025 kernel/futex.c | 9 +
116026 kernel/gcov/base.c | 7 +-
116027 kernel/hrtimer.c | 4 +-
116028 kernel/jump_label.c | 5 +
116029 kernel/kallsyms.c | 39 +-
116030 kernel/kexec.c | 3 +-
116031 kernel/kmod.c | 2 +-
116032 kernel/kprobes.c | 8 +-
116033 kernel/lockdep.c | 7 +-
116034 kernel/module.c | 333 ++-
116035 kernel/mutex-debug.c | 12 +-
116036 kernel/mutex-debug.h | 4 +-
116037 kernel/mutex.c | 7 +-
116038 kernel/notifier.c | 17 +-
116039 kernel/panic.c | 3 +-
116040 kernel/pid.c | 2 +-
116041 kernel/posix-cpu-timers.c | 4 +-
116042 kernel/posix-timers.c | 20 +-
116043 kernel/power/process.c | 12 +-
116044 kernel/profile.c | 14 +-
116045 kernel/ptrace.c | 6 +-
116046 kernel/rcutiny.c | 4 +-
116047 kernel/rcutiny_plugin.h | 2 +-
116048 kernel/rcutorture.c | 56 +-
116049 kernel/rcutree.c | 72 +-
116050 kernel/rcutree.h | 24 +-
116051 kernel/rcutree_plugin.h | 18 +-
116052 kernel/rcutree_trace.c | 22 +-
116053 kernel/rtmutex-tester.c | 24 +-
116054 kernel/sched/auto_group.c | 4 +-
116055 kernel/sched/core.c | 2 +-
116056 kernel/sched/fair.c | 4 +-
116057 kernel/signal.c | 12 +-
116058 kernel/smp.c | 2 +-
116059 kernel/softirq.c | 16 +-
116060 kernel/srcu.c | 6 +-
116061 kernel/stop_machine.c | 2 +-
116062 kernel/sys.c | 12 +-
116063 kernel/sysctl.c | 37 +-
116064 kernel/sysctl_binary.c | 14 +-
116065 kernel/time/alarmtimer.c | 2 +-
116066 kernel/time/tick-broadcast.c | 2 +-
116067 kernel/time/timer_stats.c | 10 +-
116068 kernel/timer.c | 4 +-
116069 kernel/trace/blktrace.c | 6 +-
116070 kernel/trace/ftrace.c | 20 +-
116071 kernel/trace/ring_buffer.c | 76 +-
116072 kernel/trace/trace.c | 6 +-
116073 kernel/trace/trace_events.c | 25 +-
116074 kernel/trace/trace_mmiotrace.c | 8 +-
116075 kernel/trace/trace_output.c | 12 +-
116076 kernel/trace/trace_stack.c | 2 +-
116077 lib/Makefile | 2 +-
116078 lib/bitmap.c | 8 +-
116079 lib/bug.c | 2 +
116080 lib/debugobjects.c | 2 +-
116081 lib/devres.c | 4 +-
116082 lib/dma-debug.c | 4 +-
116083 lib/inflate.c | 2 +-
116084 lib/ioremap.c | 4 +-
116085 lib/list_debug.c | 89 +-
116086 lib/radix-tree.c | 2 +-
116087 lib/strncpy_from_user.c | 2 +-
116088 lib/strnlen_user.c | 2 +-
116089 lib/vsprintf.c | 12 +-
116090 mm/Kconfig | 6 +-
116091 mm/filemap.c | 2 +-
116092 mm/fremap.c | 5 +
116093 mm/highmem.c | 7 +-
116094 mm/hugetlb.c | 54 +
116095 mm/internal.h | 1 +
116096 mm/maccess.c | 4 +-
116097 mm/madvise.c | 41 +
116098 mm/memory-failure.c | 18 +-
116099 mm/memory.c | 404 ++-
116100 mm/mempolicy.c | 26 +
116101 mm/mlock.c | 16 +-
116102 mm/mmap.c | 573 +++-
116103 mm/mprotect.c | 138 +-
116104 mm/mremap.c | 44 +-
116105 mm/nommu.c | 11 +-
116106 mm/page-writeback.c | 2 +-
116107 mm/page_alloc.c | 14 +-
116108 mm/percpu.c | 2 +-
116109 mm/process_vm_access.c | 14 +-
116110 mm/rmap.c | 38 +-
116111 mm/shmem.c | 19 +-
116112 mm/slab.c | 104 +-
116113 mm/slab.h | 5 +-
116114 mm/slab_common.c | 9 +-
116115 mm/slob.c | 200 +-
116116 mm/slub.c | 98 +-
116117 mm/sparse-vmemmap.c | 4 +-
116118 mm/sparse.c | 2 +-
116119 mm/swap.c | 3 +
116120 mm/swapfile.c | 12 +-
116121 mm/util.c | 6 +
116122 mm/vmalloc.c | 82 +-
116123 mm/vmstat.c | 12 +-
116124 net/8021q/vlan.c | 5 +-
116125 net/9p/trans_fd.c | 2 +-
116126 net/atm/atm_misc.c | 8 +-
116127 net/atm/lec.h | 2 +-
116128 net/atm/proc.c | 6 +-
116129 net/atm/resources.c | 4 +-
116130 net/batman-adv/bat_iv_ogm.c | 8 +-
116131 net/batman-adv/hard-interface.c | 4 +-
116132 net/batman-adv/soft-interface.c | 4 +-
116133 net/batman-adv/types.h | 6 +-
116134 net/batman-adv/unicast.c | 2 +-
116135 net/bluetooth/hci_sock.c | 2 +-
116136 net/bluetooth/l2cap_core.c | 6 +-
116137 net/bluetooth/l2cap_sock.c | 12 +-
116138 net/bluetooth/rfcomm/sock.c | 4 +-
116139 net/bluetooth/rfcomm/tty.c | 10 +-
116140 net/bridge/netfilter/ebtables.c | 6 +-
116141 net/caif/cfctrl.c | 11 +-
116142 net/can/af_can.c | 2 +-
116143 net/can/gw.c | 6 +-
116144 net/compat.c | 34 +-
116145 net/core/datagram.c | 2 +-
116146 net/core/dev.c | 16 +-
116147 net/core/flow.c | 8 +-
116148 net/core/iovec.c | 4 +-
116149 net/core/rtnetlink.c | 2 +-
116150 net/core/scm.c | 8 +-
116151 net/core/sock.c | 24 +-
116152 net/decnet/sysctl_net_decnet.c | 4 +-
116153 net/ipv4/ah4.c | 2 +-
116154 net/ipv4/esp4.c | 2 +-
116155 net/ipv4/fib_frontend.c | 6 +-
116156 net/ipv4/fib_semantics.c | 2 +-
116157 net/ipv4/inetpeer.c | 4 +-
116158 net/ipv4/ip_fragment.c | 2 +-
116159 net/ipv4/ip_sockglue.c | 2 +-
116160 net/ipv4/ipcomp.c | 2 +-
116161 net/ipv4/ipconfig.c | 6 +-
116162 net/ipv4/netfilter/arp_tables.c | 12 +-
116163 net/ipv4/netfilter/ip_tables.c | 12 +-
116164 net/ipv4/ping.c | 2 +-
116165 net/ipv4/raw.c | 14 +-
116166 net/ipv4/route.c | 2 +-
116167 net/ipv4/tcp_input.c | 2 +-
116168 net/ipv4/tcp_probe.c | 2 +-
116169 net/ipv4/udp.c | 10 +-
116170 net/ipv6/addrconf.c | 2 +-
116171 net/ipv6/ip6_gre.c | 2 +-
116172 net/ipv6/ipv6_sockglue.c | 2 +-
116173 net/ipv6/netfilter/ip6_tables.c | 12 +-
116174 net/ipv6/raw.c | 19 +-
116175 net/ipv6/udp.c | 8 +-
116176 net/irda/ircomm/ircomm_tty.c | 18 +-
116177 net/iucv/af_iucv.c | 4 +-
116178 net/iucv/iucv.c | 2 +-
116179 net/key/af_key.c | 4 +-
116180 net/mac80211/cfg.c | 4 +-
116181 net/mac80211/ieee80211_i.h | 3 +-
116182 net/mac80211/iface.c | 14 +-
116183 net/mac80211/main.c | 2 +-
116184 net/mac80211/pm.c | 6 +-
116185 net/mac80211/rate.c | 2 +-
116186 net/mac80211/rc80211_pid_debugfs.c | 2 +-
116187 net/mac80211/util.c | 2 +-
116188 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
116189 net/netfilter/ipvs/ip_vs_core.c | 4 +-
116190 net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
116191 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
116192 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
116193 net/netfilter/nfnetlink_log.c | 4 +-
116194 net/netfilter/xt_statistic.c | 8 +-
116195 net/netlink/af_netlink.c | 4 +-
116196 net/packet/af_packet.c | 12 +-
116197 net/phonet/pep.c | 6 +-
116198 net/phonet/socket.c | 2 +-
116199 net/rds/cong.c | 6 +-
116200 net/rds/ib.h | 2 +-
116201 net/rds/ib_cm.c | 2 +-
116202 net/rds/ib_recv.c | 4 +-
116203 net/rds/iw.h | 2 +-
116204 net/rds/iw_cm.c | 2 +-
116205 net/rds/iw_recv.c | 4 +-
116206 net/rds/tcp.c | 2 +-
116207 net/rds/tcp_send.c | 2 +-
116208 net/rxrpc/af_rxrpc.c | 2 +-
116209 net/rxrpc/ar-ack.c | 14 +-
116210 net/rxrpc/ar-call.c | 2 +-
116211 net/rxrpc/ar-connection.c | 2 +-
116212 net/rxrpc/ar-connevent.c | 2 +-
116213 net/rxrpc/ar-input.c | 4 +-
116214 net/rxrpc/ar-internal.h | 8 +-
116215 net/rxrpc/ar-local.c | 2 +-
116216 net/rxrpc/ar-output.c | 4 +-
116217 net/rxrpc/ar-peer.c | 2 +-
116218 net/rxrpc/ar-proc.c | 4 +-
116219 net/rxrpc/ar-transport.c | 2 +-
116220 net/rxrpc/rxkad.c | 4 +-
116221 net/sctp/ipv6.c | 2 +-
116222 net/sctp/protocol.c | 8 +-
116223 net/sctp/socket.c | 2 +
116224 net/socket.c | 34 +-
116225 net/sunrpc/sched.c | 4 +-
116226 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
116227 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
116228 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
116229 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
116230 net/tipc/link.c | 6 +-
116231 net/tipc/msg.c | 2 +-
116232 net/tipc/subscr.c | 2 +-
116233 net/wireless/wext-core.c | 19 +-
116234 net/xfrm/xfrm_policy.c | 16 +-
116235 net/xfrm/xfrm_state.c | 4 +-
116236 scripts/Makefile.build | 2 +-
116237 scripts/Makefile.clean | 3 +-
116238 scripts/Makefile.host | 28 +-
116239 scripts/basic/fixdep.c | 12 +-
116240 scripts/gcc-plugin.sh | 17 +
116241 scripts/link-vmlinux.sh | 2 +-
116242 scripts/mod/file2alias.c | 14 +-
116243 scripts/mod/modpost.c | 25 +-
116244 scripts/mod/modpost.h | 6 +-
116245 scripts/mod/sumversion.c | 2 +-
116246 scripts/pnmtologo.c | 6 +-
116247 security/Kconfig | 654 ++++-
116248 security/integrity/ima/ima.h | 4 +-
116249 security/integrity/ima/ima_api.c | 2 +-
116250 security/integrity/ima/ima_fs.c | 4 +-
116251 security/integrity/ima/ima_queue.c | 2 +-
116252 security/keys/compat.c | 2 +-
116253 security/keys/keyctl.c | 8 +-
116254 security/keys/keyring.c | 6 +-
116255 security/security.c | 9 +-
116256 security/selinux/hooks.c | 2 +-
116257 security/selinux/include/xfrm.h | 2 +-
116258 security/smack/smack_lsm.c | 2 +-
116259 security/tomoyo/tomoyo.c | 2 +-
116260 sound/aoa/codecs/onyx.c | 7 +-
116261 sound/aoa/codecs/onyx.h | 1 +
116262 sound/core/oss/pcm_oss.c | 18 +-
116263 sound/core/pcm_compat.c | 2 +-
116264 sound/core/pcm_native.c | 4 +-
116265 sound/core/seq/seq_device.c | 8 +-
116266 sound/drivers/mts64.c | 14 +-
116267 sound/drivers/opl4/opl4_lib.c | 2 +-
116268 sound/drivers/portman2x4.c | 3 +-
116269 sound/firewire/amdtp.c | 4 +-
116270 sound/firewire/amdtp.h | 2 +-
116271 sound/firewire/isight.c | 10 +-
116272 sound/firewire/scs1x.c | 8 +-
116273 sound/oss/sb_audio.c | 2 +-
116274 sound/oss/swarm_cs4297a.c | 6 +-
116275 sound/pci/ymfpci/ymfpci.h | 2 +-
116276 sound/pci/ymfpci/ymfpci_main.c | 12 +-
116277 tools/gcc/.gitignore | 1 +
116278 tools/gcc/Makefile | 43 +
116279 tools/gcc/checker_plugin.c | 171 +
116280 tools/gcc/colorize_plugin.c | 151 +
116281 tools/gcc/constify_plugin.c | 359 +++
116282 tools/gcc/generate_size_overflow_hash.sh | 94 +
116283 tools/gcc/kallocstat_plugin.c | 170 +
116284 tools/gcc/kernexec_plugin.c | 465 +++
116285 tools/gcc/latent_entropy_plugin.c | 321 ++
116286 tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
116287 tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
116288 tools/gcc/stackleak_plugin.c | 327 ++
116289 tools/perf/util/include/asm/alternative-asm.h | 3 +
116290 virt/kvm/kvm_main.c | 32 +-
116291 1311 files changed, 26668 insertions(+), 6394 deletions(-)
116292commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
116293Merge: 0949bd4 fc53d63
116294Author: Brad Spengler <spender@grsecurity.net>
116295Date: Thu Mar 22 19:03:44 2012 -0400
116296
116297 Merge branch 'pax-test' into grsec-test
116298
116299commit fc53d6338964741b368070ec5c935bc579b8c2a6
116300Author: Brad Spengler <spender@grsecurity.net>
116301Date: Thu Mar 22 19:02:45 2012 -0400
116302
116303 Update to pax-linux-3.2.12-test33.patch
116304
116305commit 0949bd46a6455b308f66ad7c993bfee62412db35
116306Author: Brad Spengler <spender@grsecurity.net>
116307Date: Thu Mar 22 16:56:09 2012 -0400
116308
116309 Use current_umask() instead of current->fs->umask
116310
116311commit 22f6432d0fe733619cfcb523782ed7d80c46d645
116312Author: Brad Spengler <spender@grsecurity.net>
116313Date: Wed Mar 21 19:42:42 2012 -0400
116314
116315 compile fix
116316
116317commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
116318Author: Brad Spengler <spender@grsecurity.net>
116319Date: Wed Mar 21 19:34:56 2012 -0400
116320
116321 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
116322 uses of domains with particular hash collisions
116323
116324commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
116325Author: Brad Spengler <spender@grsecurity.net>
116326Date: Tue Mar 20 20:25:49 2012 -0400
116327
116328 zero kernel_role
116329
116330commit b00953b43c69238d181d21121ef1577c988d5f6b
116331Author: Brad Spengler <spender@grsecurity.net>
116332Date: Tue Mar 20 19:29:34 2012 -0400
116333
116334 zero real_root after releasing it
116335
116336commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
116337Merge: b724f59 273f98e
116338Author: Brad Spengler <spender@grsecurity.net>
116339Date: Tue Mar 20 19:11:26 2012 -0400
116340
116341 Merge branch 'pax-test' into grsec-test
116342
116343commit 273f98e58cdac555d3b5dce5c1ca168349f95878
116344Author: Brad Spengler <spender@grsecurity.net>
116345Date: Tue Mar 20 19:10:52 2012 -0400
116346
116347 Temporary workaround for (most) size_overflow plugin false-positives
116348 Increase randomization for brk-managed heap to 21 bits
116349 Update to pax-linux-3.2.12-test32.patch
116350
116351commit b724f59125304460c2af8bd4b02921993afbb5d3
116352Author: Brad Spengler <spender@grsecurity.net>
116353Date: Tue Mar 20 18:58:53 2012 -0400
116354
116355 compile fix
116356
116357commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
116358Author: Brad Spengler <spender@grsecurity.net>
116359Date: Tue Mar 20 18:52:23 2012 -0400
116360
116361 Require default and kernel role
116362
116363commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
116364Author: Brad Spengler <spender@grsecurity.net>
116365Date: Tue Mar 20 18:47:28 2012 -0400
116366
116367 Allow policies without special roles
116368 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
116369
116370commit 402ec3d24d66d38403dc543c84851f5e72d39e22
116371Merge: 8e012dc f14661a
116372Author: Brad Spengler <spender@grsecurity.net>
116373Date: Mon Mar 19 18:06:59 2012 -0400
116374
116375 Merge branch 'pax-test' into grsec-test
116376
116377 Conflicts:
116378 fs/namei.c
116379
116380commit f14661aaf202155c97f66626cea0269017bb7775
116381Merge: eae671f 058b017
116382Author: Brad Spengler <spender@grsecurity.net>
116383Date: Mon Mar 19 18:05:44 2012 -0400
116384
116385 Merge branch 'linux-3.2.y' into pax-test
116386
116387commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
116388Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
116389Date: Fri Mar 16 17:08:39 2012 -0700
116390
116391 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
116392
116393 According to the report from Slicky Devil, nilfs caused kernel oops at
116394 nilfs_load_super_block function during mount after he shrank the
116395 partition without resizing the filesystem:
116396
116397 BUG: unable to handle kernel NULL pointer dereference at 00000048
116398 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
116399 *pde = 00000000
116400 Oops: 0000 [#1] PREEMPT SMP
116401 ...
116402 Call Trace:
116403 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
116404 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
116405 [<c0226636>] mount_fs+0x36/0x180
116406 [<c023d961>] vfs_kern_mount+0x51/0xa0
116407 [<c023ddae>] do_kern_mount+0x3e/0xe0
116408 [<c023f189>] do_mount+0x169/0x700
116409 [<c023fa9b>] sys_mount+0x6b/0xa0
116410 [<c04abd1f>] sysenter_do_call+0x12/0x28
116411 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
116412 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
116413 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
116414 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
116415 CR2: 0000000000000048
116416
116417 This turned out due to a defect in an error path which runs if the
116418 calculated location of the secondary super block was invalid.
116419
116420 This patch fixes it and eliminates the reported oops.
116421
116422 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
116423 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
116424 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
116425 Cc: <stable@vger.kernel.org> [2.6.30+]
116426 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
116427 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116428
116429commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
116430Author: Haogang Chen <haogangchen@gmail.com>
116431Date: Fri Mar 16 17:08:38 2012 -0700
116432
116433 nilfs2: clamp ns_r_segments_percentage to [1, 99]
116434
116435 ns_r_segments_percentage is read from the disk. Bogus or malicious
116436 value could cause integer overflow and malfunction due to meaningless
116437 disk usage calculation. This patch reports error when mounting such
116438 bogus volumes.
116439
116440 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
116441 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
116442 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
116443 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116444
116445commit e1a90645643f9b0194a5984ec8febd06360d5c8b
116446Author: Eric Dumazet <eric.dumazet@gmail.com>
116447Date: Sat Mar 10 09:20:21 2012 +0000
116448
116449 tcp: fix syncookie regression
116450
116451 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
116452 added a serious regression on synflood handling.
116453
116454 Simon Kirby discovered a successful connection was delayed by 20 seconds
116455 before being responsive.
116456
116457 In my tests, I discovered that xmit frames were lost, and needed ~4
116458 retransmits and a socket dst rebuild before being really sent.
116459
116460 In case of syncookie initiated connection, we use a different path to
116461 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
116462
116463 As ip_queue_xmit() now depends on inet flow being setup, fix this by
116464 copying the temp flowi4 we use in cookie_v4_check().
116465
116466 Reported-by: Simon Kirby <sim@netnation.com>
116467 Bisected-by: Simon Kirby <sim@netnation.com>
116468 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
116469 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
116470 Signed-off-by: David S. Miller <davem@davemloft.net>
116471
116472commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
116473Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
116474Date: Mon Mar 12 02:59:41 2012 +0000
116475
116476 tun: don't hold network namespace by tun sockets
116477
116478 v3: added previously removed sock_put() to the tun_release() callback, because
116479 sk_release_kernel() doesn't drop the socket reference.
116480
116481 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
116482 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
116483 call.
116484
116485 TUN was designed to destroy it's socket on network namesapce shutdown. But this
116486 will never happen for persistent device, because it's socket holds network
116487 namespace.
116488 This patch removes of holding network namespace by TUN socket and replaces it
116489 by creating socket in init_net and then changing it's net it to desired one. On
116490 shutdown socket is moved back to init_net prior to final put.
116491
116492 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
116493 Signed-off-by: David S. Miller <davem@davemloft.net>
116494
116495commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
116496Author: Tyler Hicks <tyhicks@canonical.com>
116497Date: Mon Dec 12 10:02:30 2011 -0600
116498
116499 vfs: Correctly set the dir i_mutex lockdep class
116500
116501 9a7aa12f3911853a introduced additional logic around setting the i_mutex
116502 lockdep class for directory inodes. The idea was that some filesystems
116503 may want their own special lockdep class for different directory
116504 inodes and calling unlock_new_inode() should not clobber one of
116505 those special classes.
116506
116507 I believe that the added conditional, around the *negated* return value
116508 of lockdep_match_class(), caused directory inodes to be placed in the
116509 wrong lockdep class.
116510
116511 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
116512 all inodes. If the filesystem did not change the class during inode
116513 initialization, then the conditional mentioned above was false and the
116514 directory inode was incorrectly left in the non-directory lockdep class.
116515 If the filesystem did set a special lockdep class, then the conditional
116516 mentioned above was true and that class was clobbered with
116517 i_mutex_dir_key.
116518
116519 This patch removes the negation from the conditional so that the i_mutex
116520 lockdep class is properly set for directory inodes. Special classes are
116521 preserved and directory inodes with unmodified classes are set with
116522 i_mutex_dir_key.
116523
116524 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
116525 Reviewed-by: Jan Kara <jack@suse.cz>
116526 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116527
116528commit 603590b0d2eca61ce26499eac9c563bc567a18c9
116529Author: Jan Kara <jack@suse.cz>
116530Date: Mon Feb 20 17:54:00 2012 +0100
116531
116532 udf: Fix deadlock in udf_release_file()
116533
116534 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
116535 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
116536 i_mutex is not needed in udf_release_file() anymore since protection by
116537 i_data_sem is enough to protect from races with write and truncate.
116538
116539 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
116540 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
116541 Signed-off-by: Jan Kara <jack@suse.cz>
116542 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116543
116544commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
116545Author: Miklos Szeredi <mszeredi@suse.cz>
116546Date: Tue Mar 6 13:56:33 2012 +0100
116547
116548 vfs: fix double put after complete_walk()
116549
116550 complete_walk() already puts nd->path, no need to do it again at cleanup time.
116551
116552 This would result in Oopses if triggered, apparently the codepath is not too
116553 well exercised.
116554
116555 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
116556 CC: stable@vger.kernel.org
116557 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116558
116559commit 13885ba2b18400f3ef6540497d30f1af896605e5
116560Author: Miklos Szeredi <mszeredi@suse.cz>
116561Date: Tue Mar 6 13:56:34 2012 +0100
116562
116563 vfs: fix return value from do_last()
116564
116565 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
116566 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
116567 which is complete nonsense.
116568
116569 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
116570 CC: stable@vger.kernel.org
116571 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116572
116573 Conflicts:
116574
116575 fs/namei.c
116576
116577commit f5ab7572c99ffb58953eb1070622307e904c3b7f
116578Author: Al Viro <viro@zeniv.linux.org.uk>
116579Date: Sat Mar 10 17:07:28 2012 -0500
116580
116581 restore smp_mb() in unlock_new_inode()
116582
116583 wait_on_inode() doesn't have ->i_lock
116584
116585 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116586
116587commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
116588Author: David S. Miller <davem@davemloft.net>
116589Date: Tue Mar 13 18:19:51 2012 -0700
116590
116591 sparc32: Add -Av8 to assembler command line.
116592
116593 Newer version of binutils are more strict about specifying the
116594 correct options to enable certain classes of instructions.
116595
116596 The sparc32 build is done for v7 in order to support sun4c systems
116597 which lack hardware integer multiply and divide instructions.
116598
116599 So we have to pass -Av8 when building the assembler routines that
116600 use these instructions and get patched into the kernel when we find
116601 out that we have a v8 capable cpu.
116602
116603 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
116604 Signed-off-by: David S. Miller <davem@davemloft.net>
116605
116606commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
116607Author: Thomas Gleixner <tglx@linutronix.de>
116608Date: Fri Mar 9 20:55:10 2012 +0100
116609
116610 x86: Derandom delay_tsc for 64 bit
116611
116612 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
116613 delay_tsc() into a random delay generator for 64 bit. The reason is
116614 that it merged the mostly identical versions of delay_32.c and
116615 delay_64.c. Though the subtle difference of the result was:
116616
116617 static void delay_tsc(unsigned long loops)
116618 {
116619 - unsigned bclock, now;
116620 + unsigned long bclock, now;
116621
116622 Now the function uses rdtscl() which returns the lower 32bit of the
116623 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
116624 bit this fails when the lower 32bit are close to wrap around when
116625 bclock is read, because the following check
116626
116627 if ((now - bclock) >= loops)
116628 break;
116629
116630 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
116631 because the unsigned long (now - bclock) of these values results in
116632 0xffffffff00000001 which is definitely larger than the loops
116633 value. That explains Tvortkos observation:
116634
116635 "Because I am seeing udelay(500) (_occasionally_) being short, and
116636 that by delaying for some duration between 0us (yep) and 491us."
116637
116638 Make those variables explicitely u32 again, so this works for both 32
116639 and 64 bit.
116640
116641 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
116642 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
116643 Cc: stable@vger.kernel.org # >= 2.6.27
116644 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116645
116646commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
116647Author: Al Viro <viro@ZenIV.linux.org.uk>
116648Date: Thu Mar 8 17:51:19 2012 +0000
116649
116650 aio: fix the "too late munmap()" race
116651
116652 Current code has put_ioctx() called asynchronously from aio_fput_routine();
116653 that's done *after* we have killed the request that used to pin ioctx,
116654 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
116655 from progressing. As the result, we can end up with async call of
116656 put_ioctx() being the last one and possibly happening during exit_mmap()
116657 or elf_core_dump(), neither of which expects stray munmap() being done
116658 to them...
116659
116660 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
116661 with that, but that's all we care about - neither io_destroy() nor
116662 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
116663 does really_put_req(), so the ioctx teardown won't be done until then
116664 and we don't care about the contents of ioctx past that point.
116665
116666 Since actual freeing of these suckers is RCU-delayed, we don't need to
116667 bump ioctx refcount when request goes into list for async removal.
116668 All we need is rcu_read_lock held just over the ->ctx_lock-protected
116669 area in aio_fput_routine().
116670
116671 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116672 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
116673 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
116674 Cc: stable@vger.kernel.org
116675 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116676
116677commit 002124c055afbf09b52226af65621999e8316448
116678Author: Al Viro <viro@ZenIV.linux.org.uk>
116679Date: Wed Mar 7 05:16:35 2012 +0000
116680
116681 aio: fix io_setup/io_destroy race
116682
116683 Have ioctx_alloc() return an extra reference, so that caller would drop it
116684 on success and not bother with re-grabbing it on failure exit. The current
116685 code is obviously broken - io_destroy() from another thread that managed
116686 to guess the address io_setup() would've returned would free ioctx right
116687 under us; gets especially interesting if aio_context_t * we pass to
116688 io_setup() points to PROT_READ mapping, so put_user() fails and we end
116689 up doing io_destroy() on kioctx another thread has just got freed...
116690
116691 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116692 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
116693 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
116694 Cc: stable@vger.kernel.org
116695 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116696
116697commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
116698Author: Dan Carpenter <dan.carpenter@oracle.com>
116699Date: Thu Mar 15 15:17:12 2012 -0700
116700
116701 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
116702
116703 strict_strtoul() writes a long but ->gamma_mode only has space to store an
116704 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
116705 well. I've changed it to use kstrtouint() instead.
116706
116707 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
116708 Acked-by: Inki Dae <inki.dae@samsung.com>
116709 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
116710 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
116711 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116712
116713commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
116714Merge: e4b05b6 eae671f
116715Author: Brad Spengler <spender@grsecurity.net>
116716Date: Fri Mar 16 21:04:27 2012 -0400
116717
116718 Merge branch 'pax-test' into grsec-test
116719
116720 Conflicts:
116721 security/Kconfig
116722
116723commit eae671fafe93f04685c04a089cc13efebc05d600
116724Author: Brad Spengler <spender@grsecurity.net>
116725Date: Fri Mar 16 20:58:01 2012 -0400
116726
116727 Update to pax-linux-3.2.11-test31.patch
116728 Introduction of the size_overflow plugin from Emese Revfy
116729 Many thanks to Emese for her hard work :)
116730
116731commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
116732Merge: e55aa68 258c015
116733Author: Brad Spengler <spender@grsecurity.net>
116734Date: Thu Mar 15 20:59:19 2012 -0400
116735
116736 Merge branch 'pax-test' into grsec-test
116737
116738commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
116739Author: Brad Spengler <spender@grsecurity.net>
116740Date: Thu Mar 15 20:59:05 2012 -0400
116741
116742 fix ARM compilation
116743
116744commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
116745Merge: 8f95ea9 55b7573
116746Author: Brad Spengler <spender@grsecurity.net>
116747Date: Wed Mar 14 19:33:41 2012 -0400
116748
116749 Merge branch 'pax-test' into grsec-test
116750
116751commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
116752Author: Brad Spengler <spender@grsecurity.net>
116753Date: Wed Mar 14 19:33:15 2012 -0400
116754
116755 Update to pax-linux-3.2.10-test28.patch
116756
116757commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
116758Merge: c8786a2 886ac5e
116759Author: Brad Spengler <spender@grsecurity.net>
116760Date: Tue Mar 13 17:38:13 2012 -0400
116761
116762 Merge branch 'pax-test' into grsec-test
116763
116764 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
116765
116766commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
116767Author: Brad Spengler <spender@grsecurity.net>
116768Date: Tue Mar 13 17:37:44 2012 -0400
116769
116770 Update to pax-linux-3.2.10-test26.patch
116771
116772commit c8786a2abed5e5327f68efa520c04db99bb6a63a
116773Merge: 219c982 c061fcf
116774Author: Brad Spengler <spender@grsecurity.net>
116775Date: Tue Mar 13 17:25:06 2012 -0400
116776
116777 Merge branch 'pax-test' into grsec-test
116778
116779commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
116780Merge: 89373d2 3f4b3b2
116781Author: Brad Spengler <spender@grsecurity.net>
116782Date: Tue Mar 13 17:25:02 2012 -0400
116783
116784 Merge branch 'linux-3.2.y' into pax-test
116785
116786commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
116787Merge: 54e19a3 89373d2
116788Author: Brad Spengler <spender@grsecurity.net>
116789Date: Mon Mar 12 17:23:57 2012 -0400
116790
116791 Merge branch 'pax-test' into grsec-test
116792
116793commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
116794Merge: a778588 7459f11
116795Author: Brad Spengler <spender@grsecurity.net>
116796Date: Mon Mar 12 17:23:49 2012 -0400
116797
116798 Merge branch 'linux-3.2.y' into pax-test
116799
116800commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
116801Merge: c4650f1 a778588
116802Author: Brad Spengler <spender@grsecurity.net>
116803Date: Mon Mar 12 16:51:25 2012 -0400
116804
116805 Merge branch 'pax-test' into grsec-test
116806
116807commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
116808Author: Brad Spengler <spender@grsecurity.net>
116809Date: Mon Mar 12 16:51:12 2012 -0400
116810
116811 Update to pax-linux-3.2.9-test24.patch
116812
116813commit c4650f14b13f84735fe3de06a1f3ff5776473eff
116814Merge: fb2abee 1015790
116815Author: Brad Spengler <spender@grsecurity.net>
116816Date: Sun Mar 11 21:08:28 2012 -0400
116817
116818 Merge branch 'pax-test' into grsec-test
116819
116820 Conflicts:
116821 security/Kconfig
116822
116823commit 101579028a736c224e590c7e12a7357018c424e1
116824Author: Brad Spengler <spender@grsecurity.net>
116825Date: Sun Mar 11 21:07:27 2012 -0400
116826
116827 Update to pax-linux-3.2.9-test22.patch
116828
116829commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
116830Author: Brad Spengler <spender@grsecurity.net>
116831Date: Sun Mar 11 11:02:17 2012 -0400
116832
116833 Allow 4096 CPUs
116834
116835commit 96bae28cbe6a41d48e3b56e5904814096e956000
116836Author: Brad Spengler <spender@grsecurity.net>
116837Date: Sun Mar 11 10:25:58 2012 -0400
116838
116839 Use a per-cpu 48-bit counter instead of a global atomic64
116840 Initialize each counter to have the cpu number in the lower 16 bits
116841 instead of incrementing the counter each time by 1, perform the increments
116842 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
116843 any state
116844 idea from PaX Team
116845
116846commit b975688101da6e966aebb1bc6b8c5c5983974f9c
116847Author: Brad Spengler <spender@grsecurity.net>
116848Date: Sat Mar 10 20:33:12 2012 -0500
116849
116850 Special vnsec edition! :)
116851 Further reduce argv/env allowance for suid/sgid apps to 512KB
116852 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
116853 Clear 3GB personality on suid/sgid binaries
116854 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
116855 with the main purpose of throwing off program stack -> arg/env alignment
116856 Update documentation
116857
116858commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
116859Author: Brad Spengler <spender@grsecurity.net>
116860Date: Sat Mar 10 19:54:47 2012 -0500
116861
116862 Resolve skbuff.h warnings that turn into errors during compilation in
116863 the grsecurity directory with -Werror
116864
116865commit 2023210ad43a944033fcacc660ce410888f562ee
116866Merge: ece4383 5f66adf
116867Author: Brad Spengler <spender@grsecurity.net>
116868Date: Fri Mar 9 19:48:01 2012 -0500
116869
116870 Merge branch 'pax-test' into grsec-test
116871
116872commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
116873Author: Brad Spengler <spender@grsecurity.net>
116874Date: Fri Mar 9 19:47:06 2012 -0500
116875
116876 Add colorize plugin
116877
116878commit ece4383e5e91c92d138c4df84225a70b552f4d69
116879Merge: a366d0e ab4a5a1
116880Author: Brad Spengler <spender@grsecurity.net>
116881Date: Fri Mar 9 17:56:46 2012 -0500
116882
116883 Merge branch 'pax-test' into grsec-test
116884
116885commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
116886Author: Brad Spengler <spender@grsecurity.net>
116887Date: Fri Mar 9 17:56:26 2012 -0500
116888
116889 Update to pax-linux-3.2.9-test21.patch
116890
116891commit a366d0ed963ce93fce10121c1100989d5f064e75
116892Author: Mikulas Patocka <mpatocka@redhat.com>
116893Date: Sun Mar 4 19:52:03 2012 -0500
116894
116895 mm: fix find_vma_prev
116896
116897 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
116898 management on PA-RISC.
116899
116900 After application of the patch, programs that allocate big arrays on the
116901 stack crash with segfault, for example, this will crash if compiled
116902 without optimization:
116903
116904 int main()
116905 {
116906 char array[200000];
116907 array[199999] = 0;
116908 return 0;
116909 }
116910
116911 The reason is that PA-RISC has up-growing stack and the stack is usually
116912 the last memory area. In the above example, a page fault happens above
116913 the stack.
116914
116915 Previously, if we passed too high address to find_vma_prev, it returned
116916 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
116917 change, it stores NULL in *pprev. Consequently, the stack area is not
116918 found and it is not expanded, as it used to be before the change.
116919
116920 This patch restores the old behavior and makes it return the last VMA in
116921 *pprev if the requested address is higher than address of any other VMA.
116922
116923 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
116924 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
116925 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116926
116927commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
116928Author: Hugh Dickins <hughd@google.com>
116929Date: Tue Mar 6 12:28:52 2012 -0800
116930
116931 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
116932
116933 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
116934 from shared anonymous: hoist the file case's -EINVAL up for both.
116935
116936 Signed-off-by: Hugh Dickins <hughd@google.com>
116937 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116938
116939commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
116940Author: Al Viro <viro@ZenIV.linux.org.uk>
116941Date: Mon Mar 5 06:38:42 2012 +0000
116942
116943 aout: move setup_arg_pages() prior to reading/mapping the binary
116944
116945 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116946 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116947
116948commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
116949Author: Jan Beulich <JBeulich@suse.com>
116950Date: Mon Mar 5 16:49:24 2012 +0000
116951
116952 vsprintf: make %pV handling compatible with kasprintf()
116953
116954 kasprintf() (and potentially other functions that I didn't run across so
116955 far) want to evaluate argument lists twice. Caring to do so for the
116956 primary list is obviously their job, but they can't reasonably be
116957 expected to check the format string for instances of %pV, which however
116958 need special handling too: On architectures like x86-64 (as opposed to
116959 e.g. ix86), using the same argument list twice doesn't produce the
116960 expected results, as an internally managed cursor gets updated during
116961 the first run.
116962
116963 Fix the problem by always acting on a copy of the original list when
116964 handling %pV.
116965
116966 Signed-off-by: Jan Beulich <jbeulich@suse.com>
116967 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116968
116969commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
116970Author: Al Viro <viro@ZenIV.linux.org.uk>
116971Date: Mon Mar 5 06:39:47 2012 +0000
116972
116973 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
116974
116975 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
116976 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
116977
116978commit a831bd53764695ea680cc1fa3c98759a610ed2ac
116979Author: Christian König <deathsimple@vodafone.de>
116980Date: Tue Feb 28 23:19:20 2012 +0100
116981
116982 drm/radeon: fix uninitialized variable
116983
116984 Without this fix the driver randomly treats
116985 textures as arrays and I'm really wondering
116986 why gcc isn't complaining about it.
116987
116988 Signed-off-by: Christian König <deathsimple@vodafone.de>
116989 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
116990 Signed-off-by: Dave Airlie <airlied@redhat.com>
116991
116992commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
116993Author: H. Peter Anvin <hpa@zytor.com>
116994Date: Fri Mar 2 10:43:48 2012 -0800
116995
116996 regset: Prevent null pointer reference on readonly regsets
116997
116998 The regset common infrastructure assumed that regsets would always
116999 have .get and .set methods, but not necessarily .active methods.
117000 Unfortunately people have since written regsets without .set methods.
117001
117002 Rather than putting in stub functions everywhere, handle regsets with
117003 null .get or .set methods explicitly.
117004
117005 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
117006 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
117007 Acked-by: Roland McGrath <roland@hack.frob.com>
117008 Cc: <stable@vger.kernel.org>
117009 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
117010
117011commit 072ddd99401c79b53c6bf6bff9deb93022124c79
117012Author: Brad Spengler <spender@grsecurity.net>
117013Date: Mon Mar 5 18:12:57 2012 -0500
117014
117015 Fix compiler errors reported on forums
117016
117017commit 1606774b48af24e6f99d99c624c0e447d4b66474
117018Merge: 3127bd5 4ca2ffd
117019Author: Brad Spengler <spender@grsecurity.net>
117020Date: Mon Mar 5 17:31:35 2012 -0500
117021
117022 Merge branch 'pax-test' into grsec-test
117023
117024commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
117025Author: Brad Spengler <spender@grsecurity.net>
117026Date: Mon Mar 5 17:31:21 2012 -0500
117027
117028 Update to pax-linux-3.2.9-test20.patch
117029
117030commit 3127bd581a292966b1057c7433219dac188c3720
117031Author: Brad Spengler <spender@grsecurity.net>
117032Date: Fri Mar 2 21:30:37 2012 -0500
117033
117034 Fix memory leak on logged exec_id check failure in /proc/pid/statm
117035 Thanks to Djalal Harouni for the report
117036
117037commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
117038Merge: 0a56be8 9aa8288
117039Author: Brad Spengler <spender@grsecurity.net>
117040Date: Fri Mar 2 18:38:22 2012 -0500
117041
117042 Merge branch 'pax-test' into grsec-test
117043
117044commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
117045Author: Brad Spengler <spender@grsecurity.net>
117046Date: Fri Mar 2 18:37:43 2012 -0500
117047
117048 Update to pax-linux-3.2.9-test19.patch
117049
117050commit 0a56be884bbd7ce733cac0b879c45383494d73b0
117051Merge: 9e66745 3f5c52a
117052Author: Brad Spengler <spender@grsecurity.net>
117053Date: Thu Mar 1 20:18:01 2012 -0500
117054
117055 Merge branch 'pax-test' into grsec-test
117056
117057commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
117058Author: Brad Spengler <spender@grsecurity.net>
117059Date: Thu Mar 1 20:16:56 2012 -0500
117060
117061 Update to pax-linux-3.2.9-test18.patch
117062
117063commit ae53ec231d12719a36bf871f8c5841020ed692ee
117064Merge: b255baf 44fb317
117065Author: Brad Spengler <spender@grsecurity.net>
117066Date: Thu Mar 1 20:15:31 2012 -0500
117067
117068 Merge branch 'linux-3.2.y' into pax-test
117069
117070commit 9e667456c03eadea2f305be761abe4de9a5877a3
117071Merge: 5e4e200 b255baf
117072Author: Brad Spengler <spender@grsecurity.net>
117073Date: Mon Feb 27 20:53:59 2012 -0500
117074
117075 Merge branch 'pax-test' into grsec-test
117076
117077commit b255baf50365d39b406f43aab2c64745607baaa2
117078Merge: 340ce90 1de504e
117079Author: Brad Spengler <spender@grsecurity.net>
117080Date: Mon Feb 27 20:53:29 2012 -0500
117081
117082 Merge branch 'linux-3.2.y' into pax-test
117083 Update to pax-linux-3.2.8-test17.patch
117084
117085 Conflicts:
117086 arch/x86/include/asm/i387.h
117087 arch/x86/kernel/process_32.c
117088 arch/x86/kernel/traps.c
117089
117090commit 5e4e200ac530452884b625cb75de240e1e98c731
117091Merge: 44306d7 340ce90
117092Author: Brad Spengler <spender@grsecurity.net>
117093Date: Mon Feb 27 18:02:13 2012 -0500
117094
117095 Merge branch 'pax-test' into grsec-test
117096
117097commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
117098Author: Brad Spengler <spender@grsecurity.net>
117099Date: Mon Feb 27 18:01:48 2012 -0500
117100
117101 Update to pax-linux-3.2.7-test17.patch
117102
117103commit 44306d7b3097f77e73040dd25f4f6750751bae7a
117104Merge: 29d0b07 521c411
117105Author: Brad Spengler <spender@grsecurity.net>
117106Date: Sun Feb 26 19:04:15 2012 -0500
117107
117108 Merge branch 'pax-test' into grsec-test
117109
117110 Conflicts:
117111 Makefile
117112
117113commit 521c411bb4ca66ce01146fde8bac9dd22414076d
117114Author: Brad Spengler <spender@grsecurity.net>
117115Date: Sun Feb 26 19:03:33 2012 -0500
117116
117117 Update to pax-linux-3.2.7-test16.patch
117118
117119commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
117120Author: Brad Spengler <spender@grsecurity.net>
117121Date: Sun Feb 26 17:12:44 2012 -0500
117122
117123 fix typo
117124
117125commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
117126Merge: f45b3be caa8f83
117127Author: Brad Spengler <spender@grsecurity.net>
117128Date: Sat Feb 25 20:59:27 2012 -0500
117129
117130 Merge branch 'pax-test' into grsec-test
117131
117132commit caa8f83456c4d0b204beefffaa1d1993f2348d08
117133Author: Brad Spengler <spender@grsecurity.net>
117134Date: Sat Feb 25 20:59:12 2012 -0500
117135
117136 Update to pax-linux-3.2.7-test15.patch
117137
117138commit f45b3be34a345502a302e736af9a65742ddef7cb
117139Merge: 62f35fd 9f1309b
117140Author: Brad Spengler <spender@grsecurity.net>
117141Date: Sat Feb 25 11:40:15 2012 -0500
117142
117143 Merge branch 'pax-test' into grsec-test
117144
117145commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
117146Author: Brad Spengler <spender@grsecurity.net>
117147Date: Sat Feb 25 11:39:57 2012 -0500
117148
117149 Update to pax-linux-3.2.7-test14.patch
117150
117151commit 62f35fdbecc58f2988fe13638d907b87a15776bb
117152Author: Brad Spengler <spender@grsecurity.net>
117153Date: Sat Feb 25 09:08:55 2012 -0500
117154
117155 We could log on attempted exploits of writing /proc/self/mem, but the current
117156 log function declares the access a read, so just swap the ordering for now
117157
117158commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
117159Author: Brad Spengler <spender@grsecurity.net>
117160Date: Sat Feb 25 08:46:14 2012 -0500
117161
117162 Log /proc/pid/mem attempts
117163
117164commit 674471e581893a94d475acac3e3c4496209b3ac9
117165Author: Brad Spengler <spender@grsecurity.net>
117166Date: Sat Feb 25 08:15:00 2012 -0500
117167
117168 Make use of f_version for protecting /proc file structs (fine since we're not a directory
117169 or seq_file)
117170
117171commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
117172Author: Brad Spengler <spender@grsecurity.net>
117173Date: Fri Feb 24 20:02:19 2012 -0500
117174
117175 Fix ia64 compilation
117176
117177commit 50dfea412fd395e0183c2ade368efa525d38b267
117178Merge: 12db845 4c6f99b
117179Author: Brad Spengler <spender@grsecurity.net>
117180Date: Fri Feb 24 19:00:53 2012 -0500
117181
117182 Merge branch 'pax-test' into grsec-test
117183
117184commit 4c6f99bf338e03966356b147d0360cb3b522a44f
117185Author: Brad Spengler <spender@grsecurity.net>
117186Date: Fri Feb 24 19:00:36 2012 -0500
117187
117188 (6:57:09 PM) pipacs: but you can be proactive
117189 (Fix other-arch atomic64/REFCOUNT compilation failures)
117190
117191commit 12db8453f6bb0a756f369c9151668ba1249bc478
117192Author: Brad Spengler <spender@grsecurity.net>
117193Date: Thu Feb 23 21:10:12 2012 -0500
117194
117195 Remove unnecessary copies, as suggested by solar
117196
117197commit cc02cab84368467ea03cb35f861a8a7092d91ab4
117198Author: Brad Spengler <spender@grsecurity.net>
117199Date: Thu Feb 23 20:59:35 2012 -0500
117200
117201 Make global_exec_counter static, as suggested by solar
117202
117203commit e642091a475ebb3a30e81f85e7751233d0c2af43
117204Author: Brad Spengler <spender@grsecurity.net>
117205Date: Thu Feb 23 19:00:26 2012 -0500
117206
117207 sync with stable tree
117208
117209commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
117210Author: Brad Spengler <spender@grsecurity.net>
117211Date: Thu Feb 23 18:48:47 2012 -0500
117212
117213 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
117214 Remove handling of old kludge in chmod/fchmod
117215
117216commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
117217Author: Brad Spengler <spender@grsecurity.net>
117218Date: Thu Feb 23 18:18:49 2012 -0500
117219
117220 Apply umask checks to chmod/fchmod as well, as requested by sponsor
117221 Union the enforced umask with the existing one to produce minimal privilege
117222 Change umask type to u16
117223
117224commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
117225Author: Brad Spengler <spender@grsecurity.net>
117226Date: Wed Feb 22 18:16:11 2012 -0500
117227
117228 Add per-role umask enforcement to RBAC, requested by a sponsor
117229
117230commit ad5ac943fe58199f1cc475912a39edb157acb77b
117231Merge: dda0bb5 41722e3
117232Author: Brad Spengler <spender@grsecurity.net>
117233Date: Mon Feb 20 20:04:42 2012 -0500
117234
117235 Merge branch 'pax-test' into grsec-test
117236
117237commit 41722e342e116d95f3d3556d66c97c888d752d39
117238Author: Brad Spengler <spender@grsecurity.net>
117239Date: Mon Feb 20 20:04:00 2012 -0500
117240
117241 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
117242 KERNEXEC plugin
117243
117244commit dda0bb57137846a476a866c60db2681aaf6052c0
117245Merge: 4fd554e d70927a
117246Author: Brad Spengler <spender@grsecurity.net>
117247Date: Mon Feb 20 20:01:41 2012 -0500
117248
117249 Merge branch 'pax-test' into grsec-test
117250
117251commit d70927afec977d489a54c106a3c3ddc32e953050
117252Merge: 1daebf1 9d0231c
117253Author: Brad Spengler <spender@grsecurity.net>
117254Date: Mon Feb 20 20:01:33 2012 -0500
117255
117256 Merge branch 'linux-3.2.y' into pax-test
117257
117258commit 4fd554e3a097b22c5049fcdc423897477deff5ef
117259Author: Brad Spengler <spender@grsecurity.net>
117260Date: Mon Feb 20 09:17:57 2012 -0500
117261
117262 Fix wrong logic on capability checks for switching roles, broke policies
117263 Thanks to Richard Kojedzinszky for reporting
117264
117265commit 12f97d52ac603f24344f8d71569c412a307e9422
117266Author: Brad Spengler <spender@grsecurity.net>
117267Date: Thu Feb 16 21:20:10 2012 -0500
117268
117269 sparc64 compile fix
117270
117271commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
117272Author: Brad Spengler <spender@grsecurity.net>
117273Date: Thu Feb 16 18:38:32 2012 -0500
117274
117275 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
117276
117277commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
117278Author: Brad Spengler <spender@grsecurity.net>
117279Date: Thu Feb 16 18:18:01 2012 -0500
117280
117281 optimize the check a bit
117282
117283commit 03159050f64989be44ae03be769cbed62a7cd2e5
117284Author: Brad Spengler <spender@grsecurity.net>
117285Date: Thu Feb 16 18:00:45 2012 -0500
117286
117287 smile VUPEN :D
117288 (limit argv+env to 1MB for suid/sgid binaries)
117289
117290commit dd759d8800d225a397e4de49fe729c7d601298d2
117291Author: Brad Spengler <spender@grsecurity.net>
117292Date: Thu Feb 16 17:49:33 2012 -0500
117293
117294 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
117295
117296commit 4de635bda8ebfb85312e3bf851bdbff93de400da
117297Author: Brad Spengler <spender@grsecurity.net>
117298Date: Thu Feb 16 17:45:06 2012 -0500
117299
117300 Change the long long type for exec_id to the proper u64
117301
117302commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
117303Author: Dan Carpenter <dan.carpenter@oracle.com>
117304Date: Thu Feb 9 00:46:47 2012 +0000
117305
117306 isdn: type bug in isdn_net_header()
117307
117308 We use len to store the return value from eth_header(). eth_header()
117309 can return -ETH_HLEN (-14). We want to pass this back instead of
117310 truncating it to 65522 and returning that.
117311
117312 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
117313 Acked-by: Neil Horman <nhorman@tuxdriver.com>
117314 Signed-off-by: David S. Miller <davem@davemloft.net>
117315
117316commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
117317Author: Heiko Carstens <heiko.carstens@de.ibm.com>
117318Date: Sat Feb 4 10:47:10 2012 +0100
117319
117320 exec: fix use-after-free bug in setup_new_exec()
117321
117322 Setting the task name is done within setup_new_exec() by accessing
117323 bprm->filename. However this happens after flush_old_exec().
117324 This may result in a use after free bug, flush_old_exec() may
117325 "complete" vfork_done, which will wake up the parent which in turn
117326 may free the passed in filename.
117327 To fix this add a new tcomm field in struct linux_binprm which
117328 contains the now early generated task name until it is used.
117329
117330 Fixes this bug on s390:
117331
117332 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
117333 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
117334 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
117335 Call Trace:
117336 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
117337 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
117338 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
117339 [<0000000000282b6c>] do_execve_common+0x410/0x514
117340 [<0000000000282cb6>] do_execve+0x46/0x58
117341 [<00000000005bce58>] kernel_execve+0x28/0x70
117342 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
117343 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
117344 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
117345 Last Breaking-Event-Address:
117346 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
117347
117348 Kernel panic - not syncing: Fatal exception: panic_on_oops
117349
117350 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
117351 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
117352 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
117353
117354commit d758ee9f5230893dabb5aab737b3109684bde196
117355Author: Dan Carpenter <dan.carpenter@oracle.com>
117356Date: Fri Feb 10 09:03:58 2012 +0100
117357
117358 relay: prevent integer overflow in relay_open()
117359
117360 "subbuf_size" and "n_subbufs" come from the user and they need to be
117361 capped to prevent an integer overflow.
117362
117363 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
117364 Cc: stable@kernel.org
117365 Signed-off-by: Jens Axboe <axboe@kernel.dk>
117366
117367commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
117368Merge: b1baadf 1daebf1
117369Author: Brad Spengler <spender@grsecurity.net>
117370Date: Mon Feb 13 17:47:04 2012 -0500
117371
117372 Merge branch 'pax-test' into grsec-test
117373
117374 Conflicts:
117375 fs/proc/base.c
117376
117377commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
117378Merge: 1413df2 c2db2e2
117379Author: Brad Spengler <spender@grsecurity.net>
117380Date: Mon Feb 13 17:45:54 2012 -0500
117381
117382 Merge branch 'linux-3.2.y' into pax-test
117383
117384commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
117385Author: Brad Spengler <spender@grsecurity.net>
117386Date: Sun Feb 12 16:44:05 2012 -0500
117387
117388 add missing declaration
117389
117390commit 3981059c35e8463002517935c28f3d74b8e3703c
117391Author: Brad Spengler <spender@grsecurity.net>
117392Date: Sun Feb 12 16:36:04 2012 -0500
117393
117394 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
117395 in addition to existing checks (this handles the setresuid ruid = euid case)
117396
117397commit 0beab03263c773f463412c350ad9064b44b6ede0
117398Author: Brad Spengler <spender@grsecurity.net>
117399Date: Sun Feb 12 16:13:40 2012 -0500
117400
117401 Revert setreuid changes when RBAC is enabled, breaks freeradius
117402 I'll fix the learning issue Lavish reported a different way through
117403 gradm modifications
117404
117405 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
117406
117407commit 0c61cb1cfbbfec7d07647268c922d51434d22621
117408Author: Brad Spengler <spender@grsecurity.net>
117409Date: Sat Feb 11 14:22:46 2012 -0500
117410
117411 copy exec_id on fork
117412
117413commit 000c08e0890630086b2ed04084050ed856a7ec31
117414Author: Brad Spengler <spender@grsecurity.net>
117415Date: Fri Feb 10 20:00:36 2012 -0500
117416
117417 compile fix
117418
117419commit 54b8c8f54484e5ee18040657827158bc4b63bccc
117420Author: Brad Spengler <spender@grsecurity.net>
117421Date: Fri Feb 10 19:19:52 2012 -0500
117422
117423 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
117424 denies reading of sensitive /proc/pid entries where the file descriptor
117425 was opened in a different task than the one performing the read
117426
117427commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
117428Author: Brad Spengler <spender@grsecurity.net>
117429Date: Fri Feb 10 17:43:24 2012 -0500
117430
117431 Remove duplicate signal check
117432
117433commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
117434Merge: 4eba97e 1413df2
117435Author: Brad Spengler <spender@grsecurity.net>
117436Date: Wed Feb 8 19:24:34 2012 -0500
117437
117438 Merge branch 'pax-test' into grsec-test
117439
117440commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
117441Author: Brad Spengler <spender@grsecurity.net>
117442Date: Wed Feb 8 19:24:08 2012 -0500
117443
117444 Merge changes from pax-linux-3.2.4-test11.patch
117445
117446commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
117447Merge: 0e058dd 8dd90a2
117448Author: Brad Spengler <spender@grsecurity.net>
117449Date: Mon Feb 6 17:50:12 2012 -0500
117450
117451 Merge branch 'pax-test' into grsec-test
117452
117453commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
117454Author: Brad Spengler <spender@grsecurity.net>
117455Date: Mon Feb 6 17:49:07 2012 -0500
117456
117457 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
117458
117459commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
117460Merge: 7e4169c 6133971
117461Author: Brad Spengler <spender@grsecurity.net>
117462Date: Mon Feb 6 17:48:57 2012 -0500
117463
117464 Merge branch 'linux-3.2.y' into pax-test
117465
117466commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
117467Author: Brad Spengler <spender@grsecurity.net>
117468Date: Sun Feb 5 19:24:45 2012 -0500
117469
117470 We now allow configurations with no PaX markings, giving the system no way to override the defaults
117471
117472commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
117473Author: Brad Spengler <spender@grsecurity.net>
117474Date: Sun Feb 5 10:01:23 2012 -0500
117475
117476 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
117477
117478commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
117479Author: Brad Spengler <spender@grsecurity.net>
117480Date: Sat Feb 4 21:01:16 2012 -0500
117481
117482 Improve security of ptrace-based monitoring/sandboxing
117483 See:
117484 http://article.gmane.org/gmane.linux.kernel.lsm/15156
117485
117486commit ca4ca5a1027b41f9528794e52a53ce9c47926101
117487Author: Brad Spengler <spender@grsecurity.net>
117488Date: Fri Feb 3 20:42:55 2012 -0500
117489
117490 fix typo
117491
117492commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
117493Author: Brad Spengler <spender@grsecurity.net>
117494Date: Fri Feb 3 20:25:38 2012 -0500
117495
117496 Reported by lavish on IRC:
117497 If a suid/sgid binary did not learn any setuid/setgid call during learning,
117498 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
117499 any restrictions on uid/gid changes. uid and gid can however be changed
117500 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
117501 euid/egid.
117502
117503 My fix:
117504 POSIX doesn't specify whether unprivileged users can perform the above
117505 setresuid/setresgid as an unprivileged user, though Linux has historically
117506 permitted them. Modify this behavior when RBAC is enabled to require
117507 CAP_SETUID/CAP_SETGID for these operations.
117508
117509 Thanks to Lavish for the report!
117510
117511 Conflicts:
117512
117513 kernel/sys.c
117514
117515commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
117516Merge: ba586eb 7e4169c
117517Author: Brad Spengler <spender@grsecurity.net>
117518Date: Fri Feb 3 20:10:21 2012 -0500
117519
117520 Merge branch 'pax-test' into grsec-test
117521
117522commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
117523Author: Brad Spengler <spender@grsecurity.net>
117524Date: Fri Feb 3 20:10:05 2012 -0500
117525
117526 Merge changes from pax-linux-3.2.4-test9.patch
117527
117528commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
117529Author: Christopher Yeoh <cyeoh@au1.ibm.com>
117530Date: Thu Feb 2 11:34:09 2012 +1030
117531
117532 Fix race in process_vm_rw_core
117533
117534 This fixes the race in process_vm_core found by Oleg (see
117535
117536 http://article.gmane.org/gmane.linux.kernel/1235667/
117537
117538 for details).
117539
117540 This has been updated since I last sent it as the creation of the new
117541 mm_access() function did almost exactly the same thing as parts of the
117542 previous version of this patch did.
117543
117544 In order to use mm_access() even when /proc isn't enabled, we move it to
117545 kernel/fork.c where other related process mm access functions already
117546 are.
117547
117548 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
117549 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
117550
117551 Conflicts:
117552
117553 fs/proc/base.c
117554 mm/process_vm_access.c
117555
117556commit b9194d60fb9fe579f5c34817ed822abde18939a0
117557Author: Oleg Nesterov <oleg@redhat.com>
117558Date: Tue Jan 31 17:15:11 2012 +0100
117559
117560 proc: make sure mem_open() doesn't pin the target's memory
117561
117562 Once /proc/pid/mem is opened, the memory can't be released until
117563 mem_release() even if its owner exits.
117564
117565 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
117566 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
117567 before access_remote_vm(), this verifies that this mm is still alive.
117568
117569 I am not sure what should mem_rw() return if atomic_inc_not_zero()
117570 fails. With this patch it returns zero to match the "mm == NULL" case,
117571 may be it should return -EINVAL like it did before e268337d.
117572
117573 Perhaps it makes sense to add the additional fatal_signal_pending()
117574 check into the main loop, to ensure we do not hold this memory if
117575 the target task was oom-killed.
117576
117577 Cc: stable@kernel.org
117578 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
117579 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
117580
117581commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
117582Author: Oleg Nesterov <oleg@redhat.com>
117583Date: Tue Jan 31 17:14:38 2012 +0100
117584
117585 proc: mem_release() should check mm != NULL
117586
117587 mem_release() can hit mm == NULL, add the necessary check.
117588
117589 Cc: stable@kernel.org
117590 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
117591 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
117592
117593commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
117594Author: Oleg Nesterov <oleg@redhat.com>
117595Date: Tue Jan 31 17:14:54 2012 +0100
117596
117597 note: redisabled mem_write
117598
117599 proc: unify mem_read() and mem_write()
117600
117601 No functional changes, cleanup and preparation.
117602
117603 mem_read() and mem_write() are very similar. Move this code into the
117604 new common helper, mem_rw(), which takes the additional "int write"
117605 argument.
117606
117607 Cc: stable@kernel.org
117608 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
117609 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
117610
117611 Conflicts:
117612
117613 fs/proc/base.c
117614
117615commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
117616Merge: 3903f01 01fee18
117617Author: Brad Spengler <spender@grsecurity.net>
117618Date: Fri Feb 3 19:50:40 2012 -0500
117619
117620 Merge branch 'pax-test' into grsec-test
117621
117622commit 01fee1851aef26b898ccba5312cabf1f919b74cb
117623Author: Brad Spengler <spender@grsecurity.net>
117624Date: Fri Feb 3 19:49:46 2012 -0500
117625
117626 Merge changes from pax-linux-3.2.4-test8.patch
117627
117628commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
117629Merge: 201c0db 141936c
117630Author: Brad Spengler <spender@grsecurity.net>
117631Date: Fri Feb 3 19:49:01 2012 -0500
117632
117633 Merge branch 'linux-3.2.y' into pax-test
117634
117635commit 3903f0172ecadf7a575ba3535402a1506133640a
117636Author: Brad Spengler <spender@grsecurity.net>
117637Date: Mon Jan 30 23:26:44 2012 -0500
117638
117639 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
117640
117641 We'll whitelist required directories for compatibility instead of requiring
117642 that people disable the feature entirely if they use SELinux, fuse, etc
117643
117644 Conflicts:
117645
117646 fs/sysfs/mount.c
117647
117648commit e3618feaa7e63807f1b88c199882075b3ec9bd05
117649Author: Brad Spengler <spender@grsecurity.net>
117650Date: Sun Jan 29 01:12:19 2012 -0500
117651
117652 perform RBAC check if TPE is on but match fails, matches previous behavior
117653
117654commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
117655Author: Brad Spengler <spender@grsecurity.net>
117656Date: Sat Jan 28 13:17:06 2012 -0500
117657
117658 log more information about the reason for a TPE denial for novice users, requested by a sponsor
117659
117660commit efefd67008cbad8a8591e2484410966a300a39a5
117661Author: Brad Spengler <spender@grsecurity.net>
117662Date: Fri Jan 27 19:58:53 2012 -0500
117663
117664 merge upstream sha512 changes
117665
117666commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
117667Author: Brad Spengler <spender@grsecurity.net>
117668Date: Fri Jan 27 19:49:07 2012 -0500
117669
117670 drop lock on error in xfs_readlink
117671
117672 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
117673
117674commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
117675Author: Li Wang <liwang@nudt.edu.cn>
117676Date: Thu Jan 19 09:44:36 2012 +0800
117677
117678 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
117679
117680 ecryptfs_write() can enter an infinite loop when truncating a file to a
117681 size larger than 4G. This only happens on architectures where size_t is
117682 represented by 32 bits.
117683
117684 This was caused by a size_t overflow due to it incorrectly being used to
117685 store the result of a calculation which uses potentially large values of
117686 type loff_t.
117687
117688 [tyhicks@canonical.com: rewrite subject and commit message]
117689 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
117690 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
117691 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
117692 Cc: <stable@vger.kernel.org>
117693 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
117694
117695commit a7607747d0f74f357d78bb796d70635dd05f46e8
117696Author: Tyler Hicks <tyhicks@canonical.com>
117697Date: Thu Jan 19 20:33:44 2012 -0600
117698
117699 eCryptfs: Check inode changes in setattr
117700
117701 Most filesystems call inode_change_ok() very early in ->setattr(), but
117702 eCryptfs didn't call it at all. It allowed the lower filesystem to make
117703 the call in its ->setattr() function. Then, eCryptfs would copy the
117704 appropriate inode attributes from the lower inode to the eCryptfs inode.
117705
117706 This patch changes that and actually calls inode_change_ok() on the
117707 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
117708 would happen earlier in ecryptfs_setattr(), but there are some possible
117709 inode initialization steps that must happen first.
117710
117711 Since the call was already being made on the lower inode, the change in
117712 functionality should be minimal, except for the case of a file extending
117713 truncate call. In that case, inode_newsize_ok() was never being
117714 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
117715 maximum file size errors early on, eCryptfs would encrypt zeroed pages
117716 and write them to the lower filesystem until the lower filesystem's
117717 write path caught the error in generic_write_checks(). This patch
117718 introduces a new function, called ecryptfs_inode_newsize_ok(), which
117719 checks if the new lower file size is within the appropriate limits when
117720 the truncate operation will be growing the lower file.
117721
117722 In summary this change prevents eCryptfs truncate operations (and the
117723 resulting page encryptions), which would exceed the lower filesystem
117724 limits or FSIZE rlimits, from ever starting.
117725
117726 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
117727 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
117728 Cc: <stable@vger.kernel.org>
117729
117730commit 0d96f190a39505254ace4e9330219aaeda9b64e3
117731Author: Tyler Hicks <tyhicks@canonical.com>
117732Date: Wed Jan 18 18:30:04 2012 -0600
117733
117734 eCryptfs: Make truncate path killable
117735
117736 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
117737 page, zeroes out the appropriate portions, and then encrypts the page
117738 before writing it to the lower filesystem. It was unkillable and due to
117739 the lack of sparse file support could result in tying up a large portion
117740 of system resources, while encrypting pages of zeros, with no way for
117741 the truncate operation to be stopped from userspace.
117742
117743 This patch adds the ability for ecryptfs_write() to detect a pending
117744 fatal signal and return as gracefully as possible. The intent is to
117745 leave the lower file in a useable state, while still allowing a user to
117746 break out of the encryption loop. If a pending fatal signal is detected,
117747 the eCryptfs inode size is updated to reflect the modified inode size
117748 and then -EINTR is returned.
117749
117750 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
117751 Cc: <stable@vger.kernel.org>
117752
117753commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
117754Author: Tyler Hicks <tyhicks@canonical.com>
117755Date: Tue Jan 24 10:02:22 2012 -0600
117756
117757 eCryptfs: Fix oops when printing debug info in extent crypto functions
117758
117759 If pages passed to the eCryptfs extent-based crypto functions are not
117760 mapped and the module parameter ecryptfs_verbosity=1 was specified at
117761 loading time, a NULL pointer dereference will occur.
117762
117763 Note that this wouldn't happen on a production system, as you wouldn't
117764 pass ecryptfs_verbosity=1 on a production system. It leaks private
117765 information to the system logs and is for debugging only.
117766
117767 The debugging info printed in these messages is no longer very useful
117768 and rather than doing a kmap() in these debugging paths, it will be
117769 better to simply remove the debugging paths completely.
117770
117771 https://launchpad.net/bugs/913651
117772
117773 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
117774 Reported-by: Daniel DeFreez
117775 Cc: <stable@vger.kernel.org>
117776
117777commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
117778Author: Tyler Hicks <tyhicks@canonical.com>
117779Date: Thu Jan 12 11:30:44 2012 +0100
117780
117781 eCryptfs: Sanitize write counts of /dev/ecryptfs
117782
117783 A malicious count value specified when writing to /dev/ecryptfs may
117784 result in a a very large kernel memory allocation.
117785
117786 This patch peeks at the specified packet payload size, adds that to the
117787 size of the packet headers and compares the result with the write count
117788 value. The resulting maximum memory allocation size is approximately 532
117789 bytes.
117790
117791 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
117792 Reported-by: Sasha Levin <levinsasha928@gmail.com>
117793 Cc: <stable@vger.kernel.org>
117794
117795commit 96dcb7282d323813181a1791f51c0ab7696b675b
117796Merge: 6c09fa5 201c0db
117797Author: Brad Spengler <spender@grsecurity.net>
117798Date: Fri Jan 27 19:44:15 2012 -0500
117799
117800 Merge branch 'pax-test' into grsec-test
117801
117802commit 201c0dbf177527367676028151e36d340923f033
117803Author: Brad Spengler <spender@grsecurity.net>
117804Date: Fri Jan 27 19:43:24 2012 -0500
117805
117806 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
117807 on loading modules with empty sections
117808
117809commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
117810Author: Brad Spengler <spender@grsecurity.net>
117811Date: Fri Jan 27 19:42:13 2012 -0500
117812
117813 compile fix
117814
117815commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
117816Author: Brad Spengler <spender@grsecurity.net>
117817Date: Fri Jan 27 19:39:28 2012 -0500
117818
117819 use LSM flags instead of duplicating checks
117820
117821commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
117822Merge: 44b9f11 558718b
117823Author: Brad Spengler <spender@grsecurity.net>
117824Date: Fri Jan 27 18:56:23 2012 -0500
117825
117826 Merge branch 'pax-test' into grsec-test
117827
117828commit 558718b2217beff69edf60f34a6f9893d910e9ac
117829Author: Brad Spengler <spender@grsecurity.net>
117830Date: Fri Jan 27 18:56:04 2012 -0500
117831
117832 Merge changes from pax-linux-3.2.2-test6.patch
117833
117834commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
117835Author: Brad Spengler <spender@grsecurity.net>
117836Date: Fri Jan 27 18:53:55 2012 -0500
117837
117838 don't increase the size of task_struct when unnecessary
117839 change ptrace_readexec log message
117840
117841commit a9c9626e054adb885883aa64f85506852894dd33
117842Author: Brad Spengler <spender@grsecurity.net>
117843Date: Fri Jan 27 18:16:28 2012 -0500
117844
117845 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
117846 the protection applies to all unreadable binaries.
117847
117848commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
117849Merge: 7b3f3af 05a1349
117850Author: Brad Spengler <spender@grsecurity.net>
117851Date: Wed Jan 25 20:52:09 2012 -0500
117852
117853 Merge branch 'pax-test' into grsec-test
117854
117855 Conflicts:
117856 block/scsi_ioctl.c
117857 drivers/scsi/sd.c
117858 fs/proc/base.c
117859
117860commit 05a134966efb9cb9346ad3422888969ffc79ac1d
117861Author: Brad Spengler <spender@grsecurity.net>
117862Date: Wed Jan 25 20:47:36 2012 -0500
117863
117864 Resync with pax-linux-3.2.2-test5.patch
117865
117866commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
117867Merge: c6d443d 3499d64
117868Author: Brad Spengler <spender@grsecurity.net>
117869Date: Wed Jan 25 20:45:16 2012 -0500
117870
117871 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
117872
117873 Conflicts:
117874 ipc/shm.c
117875
117876commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
117877Author: Brad Spengler <spender@grsecurity.net>
117878Date: Tue Jan 24 19:42:01 2012 -0500
117879
117880 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
117881 (may be changed if it breaks some userland), the other has its own
117882 config option
117883
117884 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
117885 the syscall or /proc/sys.
117886
117887 Second feature requires read access to a suid/sgid binary in order
117888 to ptrace it, preventing infoleaking of binaries in situations where
117889 the admin has specified 4711 or 2711 perms. Feature has been
117890 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
117891 a sysctl entry of ptrace_readexec
117892
117893commit 11a7bb25c411c9dccfdca5718639b4becdffd388
117894Author: Brad Spengler <spender@grsecurity.net>
117895Date: Sun Jan 22 14:37:10 2012 -0500
117896
117897 Compilation fixes
117898
117899commit cd400e21c7c352baba47d6f375297a7847afb33a
117900Author: Brad Spengler <spender@grsecurity.net>
117901Date: Sun Jan 22 14:20:27 2012 -0500
117902
117903 Initial port of grsecurity 2.2.2 for Linux 3.2.1
117904 Note that the new syscalls added to this kernel for remote process read/write
117905 are subject to ptrace hardening/other relevant RBAC features
117906 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
117907 as well
117908 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
117909 you should be using a version of gcc with plugin support
117910
117911commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
117912Author: Brad Spengler <spender@grsecurity.net>
117913Date: Sun Jan 22 11:47:31 2012 -0500
117914
117915 Import pax-linux-3.2.1-test5.patch
117916commit bfd7db842f835f9837cd43644459b3a95b0b488d
117917Author: Brad Spengler <spender@grsecurity.net>
117918Date: Sun Jan 22 11:02:02 2012 -0500
117919
117920 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
117921 instead of returning -EACCES
117922 thanks to Wraith from irc for the report
117923
117924commit 873ac13576506cd48ddb527c2540f274e249da50
117925Merge: 34083dd 8a44fcc
117926Author: Brad Spengler <spender@grsecurity.net>
117927Date: Fri Jan 20 18:04:02 2012 -0500
117928
117929 Merge branch 'pax-test' into grsec-test
117930
117931commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
117932Author: Brad Spengler <spender@grsecurity.net>
117933Date: Fri Jan 20 18:02:15 2012 -0500
117934
117935 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
117936 Denies executable shared memory when MPROTECT is active
117937 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
117938
117939commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
117940Author: Brad Spengler <spender@grsecurity.net>
117941Date: Thu Jan 19 20:23:14 2012 -0500
117942
117943 Introduce new GRKERNSEC_SETXID implementation
117944 We're not able to change the credentials of other threads in the process until at most
117945 one syscall after the first thread does it, since we mark the threads as needing rescheduling
117946 and such work occurs on syscall exit.
117947 This does however ensure that we're only modifying the current task's credentials
117948 which upholds RCU expectations
117949
117950 Many thanks to corsac for testing
117951
117952commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
117953Author: Brad Spengler <spender@grsecurity.net>
117954Date: Thu Jan 19 17:42:48 2012 -0500
117955
117956 Simplify backport
117957
117958commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
117959Author: Brad Spengler <spender@grsecurity.net>
117960Date: Thu Jan 19 17:08:16 2012 -0500
117961
117962 Commit the latest silent fix for a local privilege escalation from Linus
117963 Also disable writing to /proc/pid/mem
117964 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
117965
117966commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
117967Merge: 0394a3f 7e6299b
117968Author: Brad Spengler <spender@grsecurity.net>
117969Date: Wed Jan 18 20:22:09 2012 -0500
117970
117971 Merge branch 'pax-test' into grsec-test
117972
117973commit 7e6299b4733c082dde930375dd207b63237751ec
117974Merge: 83555fb 9bb1282
117975Author: Brad Spengler <spender@grsecurity.net>
117976Date: Wed Jan 18 20:21:37 2012 -0500
117977
117978 Merge branch 'linux-3.1.y' into pax-test
117979
117980commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
117981Author: Jesper Juhl <jj@chaosbits.net>
117982Date: Sun Jan 8 22:44:29 2012 +0100
117983
117984 audit: always follow va_copy() with va_end()
117985
117986 A call to va_copy() should always be followed by a call to va_end() in
117987 the same function. In kernel/autit.c::audit_log_vformat() this is not
117988 always done. This patch makes sure va_end() is always called.
117989
117990 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
117991 Cc: Al Viro <viro@zeniv.linux.org.uk>
117992 Cc: Eric Paris <eparis@redhat.com>
117993 Cc: Andrew Morton <akpm@linux-foundation.org>
117994 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
117995
117996commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
117997Author: Andi Kleen <ak@linux.intel.com>
117998Date: Thu Jan 12 17:20:30 2012 -0800
117999
118000 panic: don't print redundant backtraces on oops
118001
118002 When an oops causes a panic and panic prints another backtrace it's pretty
118003 common to have the original oops data be scrolled away on a 80x50 screen.
118004
118005 The second backtrace is quite redundant and not needed anyways.
118006
118007 So don't print the panic backtrace when oops_in_progress is true.
118008
118009 [akpm@linux-foundation.org: add comment]
118010 Signed-off-by: Andi Kleen <ak@linux.intel.com>
118011 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
118012 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
118013 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
118014
118015commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
118016Author: Miklos Szeredi <mszeredi@suse.cz>
118017Date: Thu Jan 12 17:59:46 2012 +0100
118018
118019 fsnotify: don't BUG in fsnotify_destroy_mark()
118020
118021 Removing the parent of a watched file results in "kernel BUG at
118022 fs/notify/mark.c:139".
118023
118024 To reproduce
118025
118026 add "-w /tmp/audit/dir/watched_file" to audit.rules
118027 rm -rf /tmp/audit/dir
118028
118029 This is caused by fsnotify_destroy_mark() being called without an
118030 extra reference taken by the caller.
118031
118032 Reported by Francesco Cosoleto here:
118033
118034 https://bugzilla.novell.com/show_bug.cgi?id=689860
118035
118036 Fix by removing the BUG_ON and adding a comment about not accessing mark after
118037 the iput.
118038
118039 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
118040 CC: stable@vger.kernel.org
118041 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
118042
118043commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
118044Author: Paolo Bonzini <pbonzini@redhat.com>
118045Date: Thu Jan 12 16:01:28 2012 +0100
118046
118047 block: fail SCSI passthrough ioctls on partition devices
118048
118049 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
118050 will pass the command to the underlying block device. This is
118051 well-known, but it is also a large security problem when (via Unix
118052 permissions, ACLs, SELinux or a combination thereof) a program or user
118053 needs to be granted access only to part of the disk.
118054
118055 This patch lets partitions forward a small set of harmless ioctls;
118056 others are logged with printk so that we can see which ioctls are
118057 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
118058 Of course it was being sent to a (partition on a) hard disk, so it would
118059 have failed with ENOTTY and the patch isn't changing anything in
118060 practice. Still, I'm treating it specially to avoid spamming the logs.
118061
118062 In principle, this restriction should include programs running with
118063 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
118064 /dev/sdb, it still should not be able to read/write outside the
118065 boundaries of /dev/sda2 independent of the capabilities. However, for
118066 now programs with CAP_SYS_RAWIO will still be allowed to send the
118067 ioctls. Their actions will still be logged.
118068
118069 This patch does not affect the non-libata IDE driver. That driver
118070 however already tests for bd != bd->bd_contains before issuing some
118071 ioctl; it could be restricted further to forbid these ioctls even for
118072 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
118073
118074 Cc: linux-scsi@vger.kernel.org
118075 Cc: Jens Axboe <axboe@kernel.dk>
118076 Cc: James Bottomley <JBottomley@parallels.com>
118077 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
118078 [ Make it also print the command name when warning - Linus ]
118079 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
118080
118081commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
118082Author: Paolo Bonzini <pbonzini@redhat.com>
118083Date: Thu Jan 12 16:01:27 2012 +0100
118084
118085 block: add and use scsi_blk_cmd_ioctl
118086
118087 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
118088
118089 The function will then be enhanced to detect partition block devices
118090 and, in that case, subject the ioctls to whitelisting.
118091
118092 Cc: linux-scsi@vger.kernel.org
118093 Cc: Jens Axboe <axboe@kernel.dk>
118094 Cc: James Bottomley <JBottomley@parallels.com>
118095 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
118096 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
118097
118098commit 97a79814903fc350e1d13704ea31528a42705401
118099Author: Kees Cook <keescook@chromium.org>
118100Date: Sat Jan 7 10:41:04 2012 -0800
118101
118102 audit: treat s_id as an untrusted string
118103
118104 The use of s_id should go through the untrusted string path, just to be
118105 extra careful.
118106
118107 Signed-off-by: Kees Cook <keescook@chromium.org>
118108 Acked-by: Mimi Zohar <zohar@us.ibm.com>
118109 Signed-off-by: Eric Paris <eparis@redhat.com>
118110
118111commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
118112Author: Xi Wang <xi.wang@gmail.com>
118113Date: Tue Dec 20 18:39:41 2011 -0500
118114
118115 audit: fix signedness bug in audit_log_execve_info()
118116
118117 In the loop, a size_t "len" is used to hold the return value of
118118 audit_log_single_execve_arg(), which returns -1 on error. In that
118119 case the error handling (len <= 0) will be bypassed since "len" is
118120 unsigned, and the loop continues with (p += len) being wrapped.
118121 Change the type of "len" to signed int to fix the error handling.
118122
118123 size_t len;
118124 ...
118125 for (...) {
118126 len = audit_log_single_execve_arg(...);
118127 if (len <= 0)
118128 break;
118129 p += len;
118130 }
118131
118132 Signed-off-by: Xi Wang <xi.wang@gmail.com>
118133 Signed-off-by: Eric Paris <eparis@redhat.com>
118134
118135commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
118136Author: Dan Carpenter <dan.carpenter@oracle.com>
118137Date: Tue Jan 17 03:28:51 2012 -0300
118138
118139 [media] ds3000: using logical && instead of bitwise &
118140
118141 The intent here was to test if the FE_HAS_LOCK was set. The current
118142 test is equivalent to "if (status) { ..."
118143
118144 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
118145 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
118146
118147commit 36522330dc59d2fc70c042f3f081d75c32b6259a
118148Author: Brad Spengler <spender@grsecurity.net>
118149Date: Mon Jan 16 13:10:38 2012 -0500
118150
118151 Ignore the 0 signal for protected task RBAC checks
118152
118153commit d513acd55f7a683f6e146a4f570cdb63300479ab
118154Author: Brad Spengler <spender@grsecurity.net>
118155Date: Mon Jan 16 11:56:13 2012 -0500
118156
118157 whitespace cleanup
118158
118159commit ced261c4b82818c700aff8487f647f6f3e5b5122
118160Merge: d48751f 83555fb
118161Author: Brad Spengler <spender@grsecurity.net>
118162Date: Fri Jan 13 20:12:54 2012 -0500
118163
118164 Merge branch 'pax-test' into grsec-test
118165
118166commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
118167Merge: fcd8129 93dad39
118168Author: Brad Spengler <spender@grsecurity.net>
118169Date: Fri Jan 13 20:12:43 2012 -0500
118170
118171 Merge branch 'linux-3.1.y' into pax-test
118172
118173commit d48751f3919ae855fda0ff6c149db82442329253
118174Author: Brad Spengler <spender@grsecurity.net>
118175Date: Wed Jan 11 19:05:47 2012 -0500
118176
118177 Call our own set_user when forcing change to new id
118178
118179commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
118180Merge: e6578ff fcd8129
118181Author: Brad Spengler <spender@grsecurity.net>
118182Date: Tue Jan 10 16:00:10 2012 -0500
118183
118184 Merge branch 'pax-test' into grsec-test
118185
118186commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
118187Author: Brad Spengler <spender@grsecurity.net>
118188Date: Tue Jan 10 15:58:43 2012 -0500
118189
118190 Merge changes from pax-linux-3.1.8-test23.patch
118191
118192commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
118193Merge: 8859ec3 a120549
118194Author: Brad Spengler <spender@grsecurity.net>
118195Date: Fri Jan 6 21:45:56 2012 -0500
118196
118197 Merge branch 'pax-test' into grsec-test
118198
118199commit a12054967a77090de1caa07c41e694a77db4e237
118200Author: Brad Spengler <spender@grsecurity.net>
118201Date: Fri Jan 6 21:45:30 2012 -0500
118202
118203 Merge changes from pax-linux-3.1.8-test22.patch
118204
118205commit 8859ec32f9815c274df65448f9f2960176c380d3
118206Merge: a5016b4 ddd4114
118207Author: Brad Spengler <spender@grsecurity.net>
118208Date: Fri Jan 6 21:26:08 2012 -0500
118209
118210 Merge branch 'pax-test' into grsec-test
118211
118212 Conflicts:
118213 fs/binfmt_elf.c
118214 security/Kconfig
118215
118216commit ddd41147e158a79704983a409b7433eba797cf66
118217Author: Brad Spengler <spender@grsecurity.net>
118218Date: Fri Jan 6 21:12:42 2012 -0500
118219
118220 Resync with PaX patch (whitespace difference)
118221
118222commit 29e569df8205c5f0e043fe4803aa984406c8b118
118223Author: Brad Spengler <spender@grsecurity.net>
118224Date: Fri Jan 6 21:09:47 2012 -0500
118225
118226 Merge changes from pax-linux-3.1.8-test21.patch
118227
118228commit a5016b4f9c09c337b17e063a7f369af1e86d944d
118229Merge: 0124c92 04231d5
118230Author: Brad Spengler <spender@grsecurity.net>
118231Date: Fri Jan 6 18:52:20 2012 -0500
118232
118233 Merge branch 'pax-test' into grsec-test
118234
118235commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
118236Merge: 7bdddeb a919904
118237Author: Brad Spengler <spender@grsecurity.net>
118238Date: Fri Jan 6 18:51:50 2012 -0500
118239
118240 Merge branch 'linux-3.1.y' into pax-test
118241
118242 Conflicts:
118243 include/net/flow.h
118244
118245commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
118246Author: Brad Spengler <spender@grsecurity.net>
118247Date: Fri Jan 6 18:33:05 2012 -0500
118248
118249 Make GRKERNSEC_SETXID option compatible with credential debugging
118250
118251commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
118252Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
118253Date: Wed Dec 28 15:57:11 2011 -0800
118254
118255 mm/mempolicy.c: refix mbind_range() vma issue
118256
118257 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
118258 slightly incorrect fix.
118259
118260 Why? Think following case.
118261
118262 1. map 4 pages of a file at offset 0
118263
118264 [0123]
118265
118266 2. map 2 pages just after the first mapping of the same file but with
118267 page offset 2
118268
118269 [0123][23]
118270
118271 3. mbind() 2 pages from the first mapping at offset 2.
118272 mbind_range() should treat new vma is,
118273
118274 [0123][23]
118275 |23|
118276 mbind vma
118277
118278 but it does
118279
118280 [0123][23]
118281 |01|
118282 mbind vma
118283
118284 Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
118285
118286 This patch fixes it.
118287
118288 [testcase]
118289 test result - before the patch
118290
118291 case4: 126: test failed. expect '2,4', actual '2,2,2'
118292 case5: passed
118293 case6: passed
118294 case7: passed
118295 case8: passed
118296 case_n: 246: test failed. expect '4,2', actual '1,4'
118297
118298 ------------[ cut here ]------------
118299 kernel BUG at mm/filemap.c:135!
118300 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
118301
118302 (snip long bug on messages)
118303
118304 test result - after the patch
118305
118306 case4: passed
118307 case5: passed
118308 case6: passed
118309 case7: passed
118310 case8: passed
118311 case_n: passed
118312
118313 source: mbind_vma_test.c
118314 ============================================================
118315 #include <numaif.h>
118316 #include <numa.h>
118317 #include <sys/mman.h>
118318 #include <stdio.h>
118319 #include <unistd.h>
118320 #include <stdlib.h>
118321 #include <string.h>
118322
118323 static unsigned long pagesize;
118324 void* mmap_addr;
118325 struct bitmask *nmask;
118326 char buf[1024];
118327 FILE *file;
118328 char retbuf[10240] = "";
118329 int mapped_fd;
118330
118331 char *rubysrc = "ruby -e '\
118332 pid = %d; \
118333 vstart = 0x%llx; \
118334 vend = 0x%llx; \
118335 s = `pmap -q #{pid}`; \
118336 rary = []; \
118337 s.each_line {|line|; \
118338 ary=line.split(\" \"); \
118339 addr = ary[0].to_i(16); \
118340 if(vstart <= addr && addr < vend) then \
118341 rary.push(ary[1].to_i()/4); \
118342 end; \
118343 }; \
118344 print rary.join(\",\"); \
118345 '";
118346
118347 void init(void)
118348 {
118349 void* addr;
118350 char buf[128];
118351
118352 nmask = numa_allocate_nodemask();
118353 numa_bitmask_setbit(nmask, 0);
118354
118355 pagesize = getpagesize();
118356
118357 sprintf(buf, "%s", "mbind_vma_XXXXXX");
118358 mapped_fd = mkstemp(buf);
118359 if (mapped_fd == -1)
118360 perror("mkstemp "), exit(1);
118361 unlink(buf);
118362
118363 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
118364 perror("lseek "), exit(1);
118365 if (write(mapped_fd, "\0", 1) < 0)
118366 perror("write "), exit(1);
118367
118368 addr = mmap(NULL, pagesize*8, PROT_NONE,
118369 MAP_SHARED, mapped_fd, 0);
118370 if (addr == MAP_FAILED)
118371 perror("mmap "), exit(1);
118372
118373 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
118374 perror("mprotect "), exit(1);
118375
118376 mmap_addr = addr + pagesize;
118377
118378 /* make page populate */
118379 memset(mmap_addr, 0, pagesize*6);
118380 }
118381
118382 void fin(void)
118383 {
118384 void* addr = mmap_addr - pagesize;
118385 munmap(addr, pagesize*8);
118386
118387 memset(buf, 0, sizeof(buf));
118388 memset(retbuf, 0, sizeof(retbuf));
118389 }
118390
118391 void mem_bind(int index, int len)
118392 {
118393 int err;
118394
118395 err = mbind(mmap_addr+pagesize*index, pagesize*len,
118396 MPOL_BIND, nmask->maskp, nmask->size, 0);
118397 if (err)
118398 perror("mbind "), exit(err);
118399 }
118400
118401 void mem_interleave(int index, int len)
118402 {
118403 int err;
118404
118405 err = mbind(mmap_addr+pagesize*index, pagesize*len,
118406 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
118407 if (err)
118408 perror("mbind "), exit(err);
118409 }
118410
118411 void mem_unbind(int index, int len)
118412 {
118413 int err;
118414
118415 err = mbind(mmap_addr+pagesize*index, pagesize*len,
118416 MPOL_DEFAULT, NULL, 0, 0);
118417 if (err)
118418 perror("mbind "), exit(err);
118419 }
118420
118421 void Assert(char *expected, char *value, char *name, int line)
118422 {
118423 if (strcmp(expected, value) == 0) {
118424 fprintf(stderr, "%s: passed\n", name);
118425 return;
118426 }
118427 else {
118428 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
118429 name, line,
118430 expected, value);
118431 // exit(1);
118432 }
118433 }
118434
118435 /*
118436 AAAA
118437 PPPPPPNNNNNN
118438 might become
118439 PPNNNNNNNNNN
118440 case 4 below
118441 */
118442 void case4(void)
118443 {
118444 init();
118445 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
118446
118447 mem_bind(0, 4);
118448 mem_unbind(2, 2);
118449
118450 file = popen(buf, "r");
118451 fread(retbuf, sizeof(retbuf), 1, file);
118452 Assert("2,4", retbuf, "case4", __LINE__);
118453
118454 fin();
118455 }
118456
118457 /*
118458 AAAA
118459 PPPPPPNNNNNN
118460 might become
118461 PPPPPPPPPPNN
118462 case 5 below
118463 */
118464 void case5(void)
118465 {
118466 init();
118467 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
118468
118469 mem_bind(0, 2);
118470 mem_bind(2, 2);
118471
118472 file = popen(buf, "r");
118473 fread(retbuf, sizeof(retbuf), 1, file);
118474 Assert("4,2", retbuf, "case5", __LINE__);
118475
118476 fin();
118477 }
118478
118479 /*
118480 AAAA
118481 PPPPNNNNXXXX
118482 might become
118483 PPPPPPPPPPPP 6
118484 */
118485 void case6(void)
118486 {
118487 init();
118488 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
118489
118490 mem_bind(0, 2);
118491 mem_bind(4, 2);
118492 mem_bind(2, 2);
118493
118494 file = popen(buf, "r");
118495 fread(retbuf, sizeof(retbuf), 1, file);
118496 Assert("6", retbuf, "case6", __LINE__);
118497
118498 fin();
118499 }
118500
118501 /*
118502 AAAA
118503 PPPPNNNNXXXX
118504 might become
118505 PPPPPPPPXXXX 7
118506 */
118507 void case7(void)
118508 {
118509 init();
118510 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
118511
118512 mem_bind(0, 2);
118513 mem_interleave(4, 2);
118514 mem_bind(2, 2);
118515
118516 file = popen(buf, "r");
118517 fread(retbuf, sizeof(retbuf), 1, file);
118518 Assert("4,2", retbuf, "case7", __LINE__);
118519
118520 fin();
118521 }
118522
118523 /*
118524 AAAA
118525 PPPPNNNNXXXX
118526 might become
118527 PPPPNNNNNNNN 8
118528 */
118529 void case8(void)
118530 {
118531 init();
118532 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
118533
118534 mem_bind(0, 2);
118535 mem_interleave(4, 2);
118536 mem_interleave(2, 2);
118537
118538 file = popen(buf, "r");
118539 fread(retbuf, sizeof(retbuf), 1, file);
118540 Assert("2,4", retbuf, "case8", __LINE__);
118541
118542 fin();
118543 }
118544
118545 void case_n(void)
118546 {
118547 init();
118548 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
118549
118550 /* make redundunt mappings [0][1234][34][7] */
118551 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
118552 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
118553
118554 /* Expect to do nothing. */
118555 mem_unbind(2, 2);
118556
118557 file = popen(buf, "r");
118558 fread(retbuf, sizeof(retbuf), 1, file);
118559 Assert("4,2", retbuf, "case_n", __LINE__);
118560
118561 fin();
118562 }
118563
118564 int main(int argc, char** argv)
118565 {
118566 case4();
118567 case5();
118568 case6();
118569 case7();
118570 case8();
118571 case_n();
118572
118573 return 0;
118574 }
118575 =============================================================
118576
118577 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
118578 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
118579 Cc: Minchan Kim <minchan.kim@gmail.com>
118580 Cc: Caspar Zhang <caspar@casparzhang.com>
118581 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
118582 Cc: Christoph Lameter <cl@linux.com>
118583 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
118584 Cc: Mel Gorman <mel@csn.ul.ie>
118585 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
118586 Cc: <stable@vger.kernel.org> [3.1.x]
118587 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
118588 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
118589
118590commit f3a1082005781777086df235049f8c0b7efe524e
118591Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
118592Date: Tue Dec 27 22:32:41 2011 -0500
118593
118594 packet: fix possible dev refcnt leak when bind fail
118595
118596 If bind is fail when bind is called after set PACKET_FANOUT
118597 sock option, the dev refcnt will leak.
118598
118599 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
118600 Signed-off-by: David S. Miller <davem@davemloft.net>
118601
118602commit 915f8b08dac68839dc7204ee81cf9852fda16d24
118603Author: Haogang Chen <haogangchen@gmail.com>
118604Date: Mon Dec 19 17:11:56 2011 -0800
118605
118606 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
118607
118608 There is a potential integer overflow in nilfs_ioctl_clean_segments().
118609 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
118610 call to vmalloc() will allocate a buffer smaller than expected, which
118611 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
118612 lfs_clean_segments().
118613
118614 The following check does not prevent the overflow because nsegs is also
118615 controlled by the userspace and could be very large.
118616
118617 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
118618 goto out_free;
118619
118620 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
118621 returns -EINVAL when overflow.
118622
118623 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
118624 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
118625 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
118626 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
118627
118628commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
118629Author: Kautuk Consul <consul.kautuk@gmail.com>
118630Date: Mon Dec 19 17:12:04 2011 -0800
118631
118632 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
118633
118634 Static storage is not required for the struct vmap_area in
118635 __get_vm_area_node.
118636
118637 Removing "static" to store this variable on the stack instead.
118638
118639 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
118640 Acked-by: David Rientjes <rientjes@google.com>
118641 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
118642 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
118643
118644commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
118645Author: Michel Lespinasse <walken@google.com>
118646Date: Mon Dec 19 17:12:06 2011 -0800
118647
118648 binary_sysctl(): fix memory leak
118649
118650 binary_sysctl() calls sysctl_getname() which allocates from names_cache
118651 slab usin __getname()
118652
118653 The matching function to free the name is __putname(), and not putname()
118654 which should be used only to match getname() allocations.
118655
118656 This is because when auditing is enabled, putname() calls audit_putname
118657 *instead* (not in addition) to __putname(). Then, if a syscall is in
118658 progress, audit_putname does not release the name - instead, it expects
118659 the name to get released when the syscall completes, but that will happen
118660 only if audit_getname() was called previously, i.e. if the name was
118661 allocated with getname() rather than the naked __getname(). So,
118662 __getname() followed by putname() ends up leaking memory.
118663
118664 Signed-off-by: Michel Lespinasse <walken@google.com>
118665 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
118666 Cc: Christoph Hellwig <hch@infradead.org>
118667 Cc: Eric Paris <eparis@redhat.com>
118668 Cc: <stable@vger.kernel.org>
118669 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
118670 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
118671
118672commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
118673Author: Sean Hefty <sean.hefty@intel.com>
118674Date: Tue Dec 6 21:17:11 2011 +0000
118675
118676 RDMA/cma: Verify private data length
118677
118678 private_data_len is defined as a u8. If the user specifies a large
118679 private_data size (> 220 bytes), we will calculate a total length that
118680 exceeds 255, resulting in private_data_len wrapping back to 0. This
118681 can lead to overwriting random kernel memory. Avoid this by verifying
118682 that the resulting size fits into a u8.
118683
118684 Reported-by: B. Thery <benjamin.thery@bull.net>
118685 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
118686 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
118687 Signed-off-by: Roland Dreier <roland@purestorage.com>
118688
118689commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
118690Author: Xi Wang <xi.wang@gmail.com>
118691Date: Sun Dec 11 23:40:56 2011 -0800
118692
118693 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
118694
118695 The error check (intr_status < 0) didn't work because intr_status is
118696 a u8. Change its type to signed int.
118697
118698 Signed-off-by: Xi Wang <xi.wang@gmail.com>
118699 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
118700
118701commit e27f34e383d7863b2528a63b81b23db09781f6b6
118702Author: Xi Wang <xi.wang@gmail.com>
118703Date: Fri Dec 16 12:44:15 2011 +0000
118704
118705 sctp: fix incorrect overflow check on autoclose
118706
118707 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
118708 limiting the autoclose value. If userspace passes in -1 on 32-bit
118709 platform, the overflow check didn't work and autoclose would be set
118710 to 0xffffffff.
118711
118712 This patch defines a max_autoclose (in seconds) for limiting the value
118713 and exposes it through sysctl, with the following intentions.
118714
118715 1) Avoid overflowing autoclose * HZ.
118716
118717 2) Keep the default autoclose bound consistent across 32- and 64-bit
118718 platforms (INT_MAX / HZ in this patch).
118719
118720 3) Keep the autoclose value consistent between setsockopt() and
118721 getsockopt() calls.
118722
118723 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
118724 Signed-off-by: Xi Wang <xi.wang@gmail.com>
118725 Signed-off-by: David S. Miller <davem@davemloft.net>
118726
118727commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
118728Author: Xi Wang <xi.wang@gmail.com>
118729Date: Wed Dec 21 05:18:33 2011 -0500
118730
118731 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
118732
118733 Commit e133e737 didn't correctly fix the integer overflow issue.
118734
118735 - unsigned int required_size;
118736 + u64 required_size;
118737 ...
118738 required_size = mode_cmd->pitch * mode_cmd->height;
118739 - if (unlikely(required_size > dev_priv->vram_size)) {
118740 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
118741
118742 Note that both pitch and height are u32. Their product is still u32 and
118743 would overflow before being assigned to required_size. A correct way is
118744 to convert pitch and height to u64 before the multiplication.
118745
118746 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
118747
118748 This patch calls the existing vmw_kms_validate_mode_vram() for
118749 validation.
118750
118751 Signed-off-by: Xi Wang <xi.wang@gmail.com>
118752 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
118753 Signed-off-by: Dave Airlie <airlied@redhat.com>
118754
118755 Conflicts:
118756
118757 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
118758
118759commit eb8f0bd01fb994c9abc77dc84729794cd841753d
118760Author: Xi Wang <xi.wang@gmail.com>
118761Date: Thu Dec 22 13:35:22 2011 +0000
118762
118763 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
118764
118765 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
118766 cause a kernel oops due to insufficient bounds checking.
118767
118768 if (count > 1<<30) {
118769 /* Enforce a limit to prevent overflow */
118770 return -EINVAL;
118771 }
118772 count = roundup_pow_of_two(count);
118773 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
118774
118775 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
118776
118777 ... + (count * sizeof(struct rps_dev_flow))
118778
118779 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
118780 32 bits.
118781
118782 This patch replaces the magic number (1 << 30) with a symbolic bound.
118783
118784 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
118785 Signed-off-by: Xi Wang <xi.wang@gmail.com>
118786 Signed-off-by: David S. Miller <davem@davemloft.net>
118787
118788commit 648188958672024b616c42c1f6c98c8cfc85619d
118789Author: Xi Wang <xi.wang@gmail.com>
118790Date: Fri Dec 30 10:40:17 2011 -0500
118791
118792 netfilter: ctnetlink: fix timeout calculation
118793
118794 The sanity check (timeout < 0) never works; the dividend is unsigned
118795 and so is the division, which should have been a signed division.
118796
118797 long timeout = (ct->timeout.expires - jiffies) / HZ;
118798 if (timeout < 0)
118799 timeout = 0;
118800
118801 This patch converts the time values to signed for the division.
118802
118803 Signed-off-by: Xi Wang <xi.wang@gmail.com>
118804 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
118805
118806commit ab03a0973cee73f88655ff4981812ad316a6cd59
118807Merge: 76f82df 7bdddeb
118808Author: Brad Spengler <spender@grsecurity.net>
118809Date: Tue Jan 3 17:42:50 2012 -0500
118810
118811 Merge branch 'pax-test' into grsec-test
118812
118813commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
118814Merge: 3e59cb5 55cc81a
118815Author: Brad Spengler <spender@grsecurity.net>
118816Date: Tue Jan 3 17:42:36 2012 -0500
118817
118818 Merge branch 'linux-3.1.y' into pax-test
118819
118820commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
118821Author: Brad Spengler <spender@grsecurity.net>
118822Date: Thu Dec 22 20:15:02 2011 -0500
118823
118824 Only further restrict futex targeting another process -- our modified
118825 permission check also happened to allow a case where a process retaining
118826 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
118827 being non-zero (reported on forums by ben_w)
118828
118829commit 6b235a4450a5fea41663ec35fa0608988b6078c6
118830Merge: 97c16f0 3e59cb5
118831Author: Brad Spengler <spender@grsecurity.net>
118832Date: Thu Dec 22 19:11:06 2011 -0500
118833
118834 Merge branch 'pax-test' into grsec-test
118835
118836 Conflicts:
118837 fs/hfs/btree.c
118838
118839commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
118840Merge: 285eb4e c26f60b
118841Author: Brad Spengler <spender@grsecurity.net>
118842Date: Thu Dec 22 19:09:57 2011 -0500
118843
118844 Merge branch 'linux-3.1.y' into pax-test
118845
118846 Conflicts:
118847 arch/x86/kernel/process.c
118848
118849commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
118850Author: Brad Spengler <spender@grsecurity.net>
118851Date: Mon Dec 19 21:54:01 2011 -0500
118852
118853 Add new option: "Enforce consistent multithreaded privileges"
118854
118855commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
118856Author: Brad Spengler <spender@grsecurity.net>
118857Date: Wed Dec 7 19:58:31 2011 -0500
118858
118859 Remove harmless duplicate code -- exec_file would be null already so the
118860 second check would never pass.
118861
118862commit 4e3304e94aa72737810bc50169519af157dce4ce
118863Author: Brad Spengler <spender@grsecurity.net>
118864Date: Wed Dec 7 19:50:39 2011 -0500
118865
118866 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
118867 depended on for attaching to a thread. Entries exist in /proc for
118868 threads, but are not visible in a readdir.
118869
118870commit 1bd899335f23815cfe8deac44c6b346398f3b95e
118871Author: Brad Spengler <spender@grsecurity.net>
118872Date: Sun Dec 4 18:03:28 2011 -0500
118873
118874 Put the already-walked path if in RCU-walk mode
118875
118876commit ec7ae36b7159f10649709779443a988662965d66
118877Author: Brad Spengler <spender@grsecurity.net>
118878Date: Sun Dec 4 17:35:21 2011 -0500
118879
118880 Fix memory leak introduced by recent (unpublished) commit
118881 75ab998b94a29d464518d6d501bdde3fbfcbfa14
118882
118883commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
118884Author: Brad Spengler <spender@grsecurity.net>
118885Date: Sun Dec 4 13:56:10 2011 -0500
118886
118887 Explicitly check size copied to userland in override_release to silence gcc
118888
118889commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
118890Author: Brad Spengler <spender@grsecurity.net>
118891Date: Sun Dec 4 13:54:02 2011 -0500
118892
118893 Initialize variable to silence erroneous gcc warning
118894
118895commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
118896Author: Brad Spengler <spender@grsecurity.net>
118897Date: Sun Dec 4 13:47:47 2011 -0500
118898
118899 Future-proof other potential RCU-aware locations where we can log.
118900
118901commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
118902Author: Brad Spengler <spender@grsecurity.net>
118903Date: Sun Dec 4 13:02:54 2011 -0500
118904
118905 Fix freeze reported by 'vs' on the forums. Bug occurred due to
118906 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
118907 in generic_permission() was in the task's effective set but disallowed by
118908 RBAC, would block when acquiring locks resulting in the freeze.
118909
118910 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
118911 as being required when CAP_DAC_OVERRIDE is present (consistent with
118912 older patches).
118913
118914commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
118915Author: Xi Wang <xi.wang@gmail.com>
118916Date: Tue Nov 29 09:26:30 2011 +0000
118917
118918 sctp: better integer overflow check in sctp_auth_create_key()
118919
118920 The check from commit 30c2235c is incomplete and cannot prevent
118921 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
118922 left-hand side of the check (INT_MAX - key_len), which is unsigned,
118923 becomes 0xffffffff (UINT_MAX) and bypasses the check.
118924
118925 However this shouldn't be a security issue. The function is called
118926 from the following two code paths:
118927
118928 1) setsockopt()
118929
118930 2) sctp_auth_asoc_set_secret()
118931
118932 In case (1), sca_keylength is never going to exceed 65535 since it's
118933 bounded by a u16 from the user API. As such, the key length will
118934 never overflow.
118935
118936 In case (2), sca_keylength is computed based on the user key (1 short)
118937 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
118938 will not overflow.
118939
118940 In other words, this overflow check is not really necessary. Just
118941 make it more correct.
118942
118943 Signed-off-by: Xi Wang <xi.wang@gmail.com>
118944 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
118945 Signed-off-by: David S. Miller <davem@davemloft.net>
118946
118947commit e565e28c3635a1d50f80541fbf6b606d742fec76
118948Author: Josh Boyer <jwboyer@redhat.com>
118949Date: Fri Aug 19 14:50:26 2011 -0400
118950
118951 fs/minix: Verify bitmap block counts before mounting
118952
118953 Newer versions of MINIX can create filesystems that allocate an extra
118954 bitmap block. Mounting of this succeeds, but doing a statfs call will
118955 result in an oops in count_free because of a negative number being used
118956 for the bh index.
118957
118958 Avoid this by verifying the number of allocated blocks at mount time,
118959 erroring out if there are not enough and make statfs ignore the extras
118960 if there are too many.
118961
118962 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
118963
118964 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
118965 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
118966
118967commit 6e134e398ec1a3f428261680e83df4319e64bed9
118968Author: Julia Lawall <julia@diku.dk>
118969Date: Tue Nov 15 14:53:11 2011 -0800
118970
118971 drivers/gpu/vga/vgaarb.c: add missing kfree
118972
118973 kbuf is a buffer that is local to this function, so all of the error paths
118974 leaving the function should release it.
118975
118976 Signed-off-by: Julia Lawall <julia@diku.dk>
118977 Cc: Jesper Juhl <jj@chaosbits.net>
118978 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
118979 Signed-off-by: Dave Airlie <airlied@redhat.com>
118980
118981commit 2b9057b321e36860e8d63985b5c4e496f254b717
118982Author: Brad Spengler <spender@grsecurity.net>
118983Date: Sat Dec 3 21:33:28 2011 -0500
118984
118985 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
118986
118987commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
118988Author: Brad Spengler <spender@grsecurity.net>
118989Date: Sat Dec 3 21:29:37 2011 -0500
118990
118991 Import pax-linux-3.1.4-test18.patch
118992
118993commit 285eb4ea45d853ae00426b3315a61c1368080dad
118994Author: Brad Spengler <spender@grsecurity.net>
118995Date: Sat Dec 10 18:33:46 2011 -0500
118996
118997 Import changes from pax-linux-3.1.5-test20.patch
118998
118999commit a6bda918fc90ec1d5c387e978d147ad2044153f1
119000Author: Brad Spengler <spender@grsecurity.net>
119001Date: Thu Dec 8 20:55:54 2011 -0500
119002
119003 Import changes from pax-linux-3.1.4-test19.patch
119004
119005commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
119006Author: Brad Spengler <spender@grsecurity.net>
119007Date: Sat Dec 3 21:29:37 2011 -0500
119008
119009 Import pax-linux-3.1.4-test18.patch
Unofficial grsecurity patch archive (https://github.com/slashbeast/grsecurity-scrape)