[thirdparty/grsecurity-scrape.git] / test / changelog-test.txt

commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 20:25:52 2013 -0400

    User jorgus on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
    discovered that the upstreamed version of enforcing RLIMIT_NPROC
    at setuid/exec time missed an important corner case:
    If RLIMIT_NPROC is set after a setuid occurs and the user's process
    limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
    happen at exec time for the task with a modified RLIMIT_NPROC.
    
    This patch fixes that.

 kernel/sys.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
Merge: 539fff0 2452d8d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
Merge: 6c850d8 9c9ab76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 18:13:31 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/irq.c
        kernel/trace/trace_stack.c

commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:43:00 2013 -0400

    turn counter into a flag

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:02:39 2013 -0400

    add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
    useful for Fedora/RHEL users

 grsecurity/Kconfig        |   10 ++++++++++
 grsecurity/grsec_chroot.c |   17 +++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

commit 418102925c0cfb0de51b0a021abaa575e28fafa6
Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
Date:   Fri May 3 14:11:25 2013 +0200

    Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
    
    perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
    
    We should always have proper privileges when requesting kernel
    data.
    
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: eranian@google.com
    Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
    [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org

 arch/x86/kernel/cpu/perf_event_intel_lbr.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Apr 29 05:58:52 2013 +0000

    Upstream commit: aebda156a570782a86fc4426842152237a19427d
    
    net: defer net_secret[] initialization
    
    Instead of feeding net_secret[] at boot time, defer the init
    at the point first socket is created.
    
    This permits some platforms to use better entropy sources than
    the ones available at boot time.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/secure_seq.h |    1 +
 net/core/secure_seq.c    |    4 +---
 net/ipv4/af_inet.c       |    5 ++++-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed May 1 02:59:23 2013 +0000

    Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
    
    net: sctp: attribute printl with __printf for gcc fmt checks
    
    Let GCC check for format string errors in sctp's probe printl
    function. This patch fixes the warning when compiled with W=1:
    
    net/sctp/probe.c:73:2: warning: function might be possible candidate
    for 'gnu_printf' format attribute [-Wmissing-format-attribute]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/probe.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:58:54 2013 -0400

    remove no-longer-needed vmware 8 compat fix

 mm/page_alloc.c |    6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:55:23 2013 -0400

    remove unnecessary < 0 check

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:30:48 2013 -0400

    remove references to CONFIG_X86_WP_WORKS_OK

 arch/um/defconfig |    1 -
 security/Kconfig  |    2 +-
 2 files changed, 1 insertions(+), 2 deletions(-)

commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
Merge: a8dbe8e 6c850d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:28:44 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/mm/ultra.S
        drivers/tty/tty_io.c

commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
Merge: cdbcbef 9fa1d01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 1 18:25:18 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:44:23 2013 -0400

    add module.h to silence compiler warning, thanks to
    Sergei Trofimovich

 fs/btrfs/inode.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 55eba82aca97aa56378e000840c48965557721e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:43:03 2013 -0400

    compilation fix

 kernel/trace/trace.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3bf912b54af6df7fbebc68b5999554562056c5c
Merge: 5b72e37 cdbcbef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:34:42 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit cdbcbef45c4f003cbee11e10668a35d424c17c60
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:33:35 2013 -0400

    Update to pax-linux-3.8.10-test21.patch:
    - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
    - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
      note that the false positive is not fixed yet
    - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
    - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
    - reverted the nested NMI fix in search for a real one
    - simplified the arm_delay_ops constification

 arch/arm/include/asm/delay.h     |    8 ++++----
 arch/arm/lib/delay.c             |   17 +++++------------
 arch/x86/kernel/entry_64.S       |   11 ++++++++++-
 arch/x86/kernel/i8259.c          |    2 +-
 arch/x86/kernel/pci-calgary_64.c |    2 +-
 arch/x86/kvm/vmx.c               |    4 ++--
 drivers/block/pktcdvd.c          |    2 +-
 fs/btrfs/extent-tree.c           |    2 +-
 fs/nfsd/nfscache.c               |    6 ++++--
 kernel/trace/trace.c             |    2 +-
 tools/gcc/structleak_plugin.c    |    4 ++++
 11 files changed, 34 insertions(+), 26 deletions(-)

commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 20:53:06 2013 -0400

    don't use file_inode()

 drivers/tty/tty_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Apr 26 13:48:53 2013 +0200

    Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
    
    TTY: fix atime/mtime regression
    
    In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
    we removed timestamps from tty inodes to fix a security issue and waited
    if something breaks.  Well, 'w', the utility to find out logged users
    and their inactivity time broke.  It shows that users are inactive since
    the time they logged in.
    
    To revert to the old behaviour while still preventing attackers to
    guess the password length, we update the timestamps in one-minute
    intervals by this patch.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        drivers/tty/tty_io.c

 drivers/tty/tty_io.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 15 15:25:05 2013 +0100

    Upstream commit: b0de59b5733d
    
    TTY: do not update atime/mtime on read/write
    
    On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
    out length of a password using timestamps of /dev/ptmx. It is
    documented in "Timing Analysis of Keystrokes and Timing Attacks on
    SSH". To avoid that problem, do not update time when reading
    from/writing to a TTY.
    
    I am afraid of regressions as this is a behavior we have since 0.97
    and apps may expect the time to be current, e.g. for monitoring
    whether there was a change on the TTY. Now, there is no change. So
    this would better have a lot of testing before it goes upstream.
    
    References: CVE-2013-0160
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: stable <stable@vger.kernel.org> # after 3.9 is out
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit 5344a24e2320d61dbdb88aae04922f0799deefd0
Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
Date:   Fri Apr 26 11:03:53 2013 +0800

    Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
    
    aio: fix possible invalid memory access when DEBUG is enabled
    
    dprintk() shouldn't access @ring after it's unmapped.
    
    Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/aio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
Author: John David Anglin <dave.anglin@bell.net>
Date:   Tue Apr 23 22:42:07 2013 +0200

    Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
    
    parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
    
    User applications running on SMP kernels have long suffered from instability
    and random segmentation faults.  This patch improves the situation although
    there is more work to be done.
    
    One of the problems is the various routines in pgtable.h that update page table
    entries use different locking mechanisms, or no lock at all (set_pte_at).  This
    change modifies the routines to all use the same lock pa_dbit_lock.  This lock
    is used for dirty bit updates in the interruption code. The patch also purges
    the TLB entries associated with the PTE to ensure that inconsistent values are
    not used after the page table entry is updated.  The UP and SMP code are now
    identical.
    
    The change also includes a minor update to the purge_tlb_entries function in
    cache.c to improve its efficiency.
    
    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: Helge Deller <deller@gmx.de>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/include/asm/pgtable.h |   47 +++++++++++++++++++-----------------
 arch/parisc/kernel/cache.c        |    5 +---
 2 files changed, 26 insertions(+), 26 deletions(-)

commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
Merge: ba54c97 4d05084
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:17:20 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/x86/kvm/x86.c
        include/linux/capability.h

commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
Merge: c664779 bb8dd67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 18:15:45 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Apr 24 16:52:18 2013 -0700

    Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
    
    sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 19 17:26:26 2013 -0400

    Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
    
    sparc64: Fix race in TLB batch processing.
    
    As reported by Dave Kleikamp, when we emit cross calls to do batched
    TLB flush processing we have a race because we do not synchronize on
    the sibling cpus completing the cross call.
    
    So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
    and either flushes are missed or flushes will flush the wrong
    addresses.
    
    Fix this by using generic infrastructure to synchonize on the
    completion of the cross call.
    
    This first required getting the flush_tlb_pending() call out from
    switch_to() which operates with locks held and interrupts disabled.
    The problem is that smp_call_function_many() cannot be invoked with
    IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
    
    We get the batch processing outside of locked IRQ disabled sections by
    using some ideas from the powerpc port. Namely, we only batch inside
    of arch_{enter,leave}_lazy_mmu_mode() calls.  If we're not in such a
    region, we flush TLBs synchronously.
    
    1) Get rid of xcall_flush_tlb_pending and per-cpu type
       implementations.
    
    2) Do TLB batch cross calls instead via:
    
        smp_call_function_many()
                tlb_pending_func()
                        __flush_tlb_pending()
    
    3) Batch only in lazy mmu sequences:
    
        a) Add 'active' member to struct tlb_batch
        b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
        c) Set 'active' in arch_enter_lazy_mmu_mode()
        d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
        e) Check 'active' in tlb_batch_add_one() and do a synchronous
               flush if it's clear.
    
    4) Add infrastructure for synchronous TLB page flushes.
    
        a) Implement __flush_tlb_page and per-cpu variants, patch
           as needed.
        b) Likewise for xcall_flush_tlb_page.
        c) Implement smp_flush_tlb_page() to invoke the cross-call.
        d) Wire up global_flush_tlb_page() to the right routine based
               upon CONFIG_SMP
    
    5) It turns out that singleton batches are very common, 2 out of every
       3 batch flushes have only a single entry in them.
    
       The batch flush waiting is very expensive, both because of the poll
       on sibling cpu completeion, as well as because passing the tlb batch
       pointer to the sibling cpus invokes a shared memory dereference.
    
       Therefore, in flush_tlb_pending(), if there is only one entry in
       the batch perform a completely asynchronous global_flush_tlb_page()
       instead.
    
    Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>

 arch/sparc/include/asm/pgtable_64.h   |    1 +
 arch/sparc/include/asm/switch_to_64.h |    3 +-
 arch/sparc/include/asm/tlbflush_64.h  |   37 +++++++++--
 arch/sparc/kernel/smp_64.c            |   41 ++++++++++-
 arch/sparc/mm/tlb.c                   |   38 +++++++++-
 arch/sparc/mm/tsb.c                   |   57 ++++++++++++----
 arch/sparc/mm/ultra.S                 |  119 ++++++++++++++++++++++++++-------
 7 files changed, 241 insertions(+), 55 deletions(-)

commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Apr 19 15:32:32 2013 +0000

    Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
    
    net: fix incorrect credentials passing
    
    Commit 257b5358b32f ("scm: Capture the full credentials of the scm
    sender") changed the credentials passing code to pass in the effective
    uid/gid instead of the real uid/gid.
    
    Obviously this doesn't matter most of the time (since normally they are
    the same), but it results in differences for suid binaries when the wrong
    uid/gid ends up being used.
    
    This just undoes that (presumably unintentional) part of the commit.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Serge E. Hallyn <serge@hallyn.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/scm.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:22:40 2013 -0400

    move _etext to only cover kernel code, not read-only data, as reported by Gu1

 arch/arm/kernel/vmlinux.lds.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 98ad6adbc48759e4f9eae435d3e51ba487155685
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:17:24 2013 -0400

    add asm/sections.h for USERCOPY change

 fs/exec.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
Author: Dmitry Popov <dp@highloadlab.com>
Date:   Thu Apr 11 08:55:07 2013 +0000

    Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
    
    tcp: incoming connections might use wrong route under synflood
    
    There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                           ireq->loc_addr, th->source, th->dest);
    
    Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
    taken. This dst_entry is used by new socket (get_cookie_sock ->
    tcp_v4_syn_recv_sock), so its packets may take the wrong path.
    
    Signed-off-by: Dmitry Popov <dp@highloadlab.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/syncookies.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 3600395e8fef3ae712e72f9b68c3609639616df8
Author: Thomas Graf <tgraf@suug.ch>
Date:   Thu Apr 11 10:57:18 2013 +0000

    Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
    
    tcp: Reallocate headroom if it would overflow csum_start
    
    If a TCP retransmission gets partially ACKed and collapsed multiple
    times it is possible for the headroom to grow beyond 64K which will
    overflow the 16bit skb->csum_start which is based on the start of
    the headroom. It has been observed rarely in the wild with IPoIB due
    to the 64K MTU.
    
    Verify if the acking and collapsing resulted in a headroom exceeding
    what csum_start can cover and reallocate the headroom if so.
    
    A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
    LLNL for helping out with the investigation and testing.
    
    Reported-by: Jim Foraker <foraker1@llnl.gov>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_output.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Fri Apr 12 16:49:24 2013 +0200

    Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
    
    be2net: take care of __vlan_put_tag return value
    
    The driver should use return value of __vlan_put_tag with appropriate
    NULL-check instead of old skb pointer.
    
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/emulex/benet/be_main.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Apr 12 03:17:12 2013 +0000

    Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
    
    tuntap: fix error return code in tun_set_iff()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    [ Bug added in linux-3.8 , commit 4008e97f866db665
      ("tuntap: fix ambigious multiqueue API") ]
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Sat Apr 13 15:49:03 2013 +0000

    Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
    
    esp4: fix error return code in esp_output()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 2b45b5f52c2a8930f80c62de392a62516c83e225
Author: Bjørn Mork <bjorn@mork.no>
Date:   Tue Apr 16 00:17:07 2013 +0000

    Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
    
    net: cdc_mbim: remove bogus sizeof()
    
    The intention was to test against the constant, not the size of
    the constant.
    
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/cdc_mbim.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 17d7408795519037a5a1272c7888238e20830bfe
Author: Vyacheslav Dubeyko <slava@dubeyko.com>
Date:   Wed Apr 17 15:58:33 2013 -0700

    Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
    
    hfsplus: fix potential overflow in hfsplus_file_truncate()
    
    Change a u32 to loff_t hfsplus_file_truncate().
    
    Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/hfsplus/extents.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
Author: Emese Revfy <re.emese@gmail.com>
Date:   Wed Apr 17 15:58:36 2013 -0700

    Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
    
    kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    
    This fixes a kernel memory contents leak via the tkill and tgkill syscalls
    for compat processes.
    
    This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
    when handling signals delivered from tkill.
    
    The place of the infoleak:
    
    int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
    {
            ...
            put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
            ...
    }
    
    Signed-off-by: Emese Revfy <re.emese@gmail.com>
    Reviewed-by: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/signal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:17:00 2013 -0400

    Improve PAX_USERCOPY to reject direct copies to/from main kernel text

 fs/exec.c |   29 +++++++++++++++++++++++++++--
 1 files changed, 27 insertions(+), 2 deletions(-)

commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
Merge: e87c19f c664779
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:06:08 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c664779987cb0c27a242029f0e0db812e3236203
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 19:54:09 2013 -0400

    add intentional_overflow marking for resource_size() as reasoned by:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

 include/linux/ioport.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e87c19f8312355b8658e5138c16bfa6043a379c8
Merge: 802d119 d0c636c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:12 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
Merge: bc88628 2396403
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 16:57:01 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/paravirt.c

commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:39:51 2013 -0400

    move location of RBAC user check on setfsuid until after capability checks
    for consistency with other checks

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 1a860d7d67051559ab2e6d10f9888649c92904e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:34:46 2013 -0400

    A denied setfsuid by the RBAC system would result in an abort_creds() being called
    with an uninitalized pointer, introduced by a bad forward-port

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
Merge: c38d142 bc88628
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:28:33 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit bc88628a6a8fcccaabb90908640809b0540df225
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:26:41 2013 -0400

    Update to pax-linux-3.8.7-test20.patch:
    - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
    - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by  John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)

 arch/powerpc/include/asm/smp.h |    2 +-
 arch/x86/Kconfig               |    4 ++--
 arch/x86/kernel/entry_64.S     |    8 ++++----
 security/Kconfig               |    2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

commit c38d142744489fc4d9be80188b6435a278438fd9
Author: Suleiman Souhlal <suleiman@google.com>
Date:   Sat Apr 13 16:03:06 2013 -0700

    Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
    
    vfs: Revert spurious fix to spinning prevention in prune_icache_sb
    
    Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
    
    This commit doesn't look right: since we are looking at the tail of the
    list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
    it back at the head of the list instead of the tail, otherwise we will
    keep spinning on it.
    
    Discovered when investigating why prune_icache_sb came top in perf
    reports of a swapping load.
    
    Signed-off-by: Suleiman Souhlal <suleiman@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org # v3.2+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93019624b80ba59798393942798d7f6ed0c1dbc6
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Apr 13 15:15:30 2013 -0700

    Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
    
    kobject: fix kset_find_obj() race with concurrent last kobject_put()
    
    Anatol Pomozov identified a race condition that hits module unloading
    and re-loading.  To quote Anatol:
    
     "This is a race codition that exists between kset_find_obj() and
      kobject_put().  kset_find_obj() might return kobject that has refcount
      equal to 0 if this kobject is freeing by kobject_put() in other
      thread.
    
      Here is timeline for the crash in case if kset_find_obj() searches for
      an object tht nobody holds and other thread is doing kobject_put() on
      the same kobject:
    
        THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
        splin_lock()
                                             atomic_dec_return(kobj->kref), counter gets zero here
                                             ... starts kobject cleanup ....
                                             spin_lock() // WAIT thread A in kobj_kset_leave()
        iterate over kset->list
        atomic_inc(kobj->kref) (counter becomes 1)
        spin_unlock()
                                             spin_lock() // taken
                                             // it does not know that thread A increased counter so it
                                             remove obj from list
                                             spin_unlock()
                                             vfree(module) // frees module object with containing kobj
    
        // kobj points to freed memory area!!
        kobject_put(kobj) // OOPS!!!!
    
      The race above happens because module.c tries to use kset_find_obj()
      when somebody unloads module.  The module.c code was introduced in
      commit 6494a93d55fa"
    
    Anatol supplied a patch specific for module.c that worked around the
    problem by simply not using kset_find_obj() at all, but rather than make
    a local band-aid, this just fixes kset_find_obj() to be thread-safe
    using the proper model of refusing the get a new reference if the
    refcount has already dropped to zero.
    
    See examples of this proper refcount handling not only in the kref
    documentation, but in various other equivalent uses of this pattern by
    grepping for atomic_inc_not_zero().
    
    [ Side note: the module race does indicate that module loading and
      unloading is not properly serialized wrt sysfs information using the
      module mutex.  That may require further thought, but this is the
      correct fix at the kobject layer regardless. ]
    
    Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/kobject.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 5277b052b5fab36729e1255fb3b12f47a4b12867
Author: Dave Hansen <dave@sr71.net>
Date:   Fri Apr 12 16:23:54 2013 -0700

    Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
    
    x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
    
    This patch attempts to fix:
    
        https://bugzilla.kernel.org/show_bug.cgi?id=56461
    
    The symptom is a crash and messages like this:
    
        chrome: Corrupted page table at address 34a03000
        *pdpt = 0000000000000000 *pde = 0000000000000000
        Bad pagetable: 000f [#1] PREEMPT SMP
    
    Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
    enable tlb flush range support for x86") since that code started to free
    unused pagetables.
    
    On x86-32 PAE kernels, that new code has the potential to free an entire
    PMD page and will clear one of the four page-directory-pointer-table
    (aka pgd_t entries).
    
    The hardware aggressively "caches" these top-level entries and invlpg
    does not actually affect the CPU's copy.  If we clear one we *HAVE* to
    do a full TLB flush, otherwise we might continue using a freed pmd page.
    (note, we do this properly on the population side in pud_populate()).
    
    This patch tracks whenever we clear one of these entries in the 'struct
    mmu_gather', and ensures that we follow up with a full tlb flush.
    
    BTW, I disassembled and checked that:
    
        if (tlb->fullmm == 0)
    and
        if (!tlb->fullmm && !tlb->need_flush_all)
    
    generate essentially the same code, so there should be zero impact there
    to the !PAE case.
    
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Artem S Tashkinov <t.artem@mailcity.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/include/asm/tlb.h |    2 +-
 arch/x86/mm/pgtable.c      |    7 +++++++
 include/asm-generic/tlb.h  |    7 ++++++-
 mm/memory.c                |    1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

commit 521e573fc77d1783c1d4636dfbb4617a922f043d
Merge: 032f626 f807619
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:29:34 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f80761993b85df96fc142dfc3a317cadc0f8eae5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:28:21 2013 -0400

    Update to pax-linux-3.8.7-test19.patch:
    - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
    - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
    - fixed the structleak plugin to compile for gcc 4.5-4.6 as well

 Makefile                      |    2 +-
 arch/x86/xen/enlighten.c      |    6 +++---
 tools/gcc/structleak_plugin.c |    5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)

commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
Merge: a3a770e 89886f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:40 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 89886f561cc0d1c42a99624ec8c3704711088155
Merge: 9123489 531ec28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 18:38:30 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit a3a770e18578841e4fbe2aa0831a22811b4812cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 11 20:46:20 2013 -0400

    Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
    Will be fixed with the next PaX patch
    
    This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date:   Fri Mar 29 10:20:56 2013 -0400

    Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
    
    xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
    
    Occassionaly on a DL380 G4 the guest would crash quite early with this:
    
    (XEN) d244:v0: unhandled page fault (ec=0003)
    (XEN) Pagetable walk from ffffffff84dc7000:
    (XEN)  L4[0x1ff] = 00000000c3f18067 0000000000001789
    (XEN)  L3[0x1fe] = 00000000c3f14067 000000000000178d
    (XEN)  L2[0x026] = 00000000dc8b2067 0000000000004def
    (XEN)  L1[0x1c7] = 00100000dc8da067 0000000000004dc7
    (XEN) domain_crash_sync called from entry.S
    (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
    (XEN) ----[ Xen-4.1.3OVM  x86_64  debug=n  Not tainted ]----
    (XEN) CPU:    3
    (XEN) RIP:    e033:[<ffffffff81263f22>]
    (XEN) RFLAGS: 0000000000000216   EM: 1   CONTEXT: pv guest
    (XEN) rax: 0000000000000000   rbx: ffffffff81785f88   rcx: 000000000000003f
    (XEN) rdx: 0000000000000000   rsi: 00000000dc8da063   rdi: ffffffff84dc7000
    
    The offending code shows it to be a loop writting the value zero
    (%rax) in the %rdi (the L4 provided by Xen) register:
    
       0: 44 00 00             add    %r8b,(%rax)
       3: 31 c0                 xor    %eax,%eax
       5: b9 40 00 00 00       mov    $0x40,%ecx
       a: 66 0f 1f 84 00 00 00 nopw   0x0(%rax,%rax,1)
      11: 00 00
      13: ff c9                 dec    %ecx
      15:* 48 89 07             mov    %rax,(%rdi)     <-- trapping instruction
      18: 48 89 47 08           mov    %rax,0x8(%rdi)
      1c: 48 89 47 10           mov    %rax,0x10(%rdi)
    
    which fails. xen_setup_kernel_pagetable recycles some of the Xen's
    page-table entries when it has switched over to its Linux page-tables.
    
    Right before try to clear the page, we  make a hypercall to change
    it from _RO to  _RW and that works (otherwise we would hit an BUG()).
    And the _RW flag is set for that page:
    (XEN)  L1[0x1c7] = 001000004885f067 0000000000004dc7
    
    The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
    present (correct), and we tried to write to the page, but a violation
    occurred. The one theory is that the the page entries in hardware
    (which are cached) are not up to date with what we just set. Especially
    as we have just done an CR3 write and flushed the multicalls.
    
    This patch does solve the problem by flusing out the TLB page
    entry after changing it from _RO to _RW and we don't hit this
    issue anymore.
    
    Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
    'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
    Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

 arch/x86/xen/mmu.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
Author: Namhyung Kim <namhyung.kim@lge.com>
Date:   Mon Apr 1 21:46:23 2013 +0900

    Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
    
    tracing: Fix double free when function profile init failed
    
    On the failure path, stat->start and stat->pages will refer same page.
    So it'll attempt to free the same page again and get kernel panic.
    
    Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
    
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Namhyung Kim <namhyung.kim@lge.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Namhyung Kim <namhyung@kernel.org>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Apr 9 23:19:00 2013 +0000

    Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
    
    e100: Add dma mapping error check
    
    e100 uses pci_map_single, but fails to check for a dma mapping error after its
    use, resulting in a stack trace:
    
    [   46.656594] ------------[ cut here ]------------
    [   46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
    [   46.657004] Hardware name: To Be Filled By O.E.M.
    [   46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
    error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
    [   46.657004] Modules linked in:
    [   46.657004]  w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
    snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
    e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
    k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
    sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
    drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
    sata_promise crc_itu_t
    [   46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
    [   46.657004] Call Trace:
    [   46.657004]  <IRQ>  [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
    [   46.657004]  [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
    [   46.657004]  [<ffffffff81364cfb>] check_unmap+0x47b/0x950
    [   46.657004]  [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
    [   46.657004]  [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
    [   46.657004]  [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
    [   46.657004]  [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
    [   46.657004]  [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
    [   46.657004]  [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
    [   46.657004]  [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
    [   46.657004]  [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
    [   46.657004]  [<ffffffff8101c485>] do_softirq+0x85/0xc0
    [   46.657004]  [<ffffffff81070885>] irq_exit+0xd5/0xe0
    [   46.657004]  [<ffffffff816e5756>] do_IRQ+0x56/0xc0
    [   46.657004]  [<ffffffff816dacb2>] common_interrupt+0x72/0x72
    [   46.657004]  <EOI>  [<ffffffff816da1eb>] ?
    _raw_spin_unlock_irqrestore+0x3b/0x70
    [   46.657004]  [<ffffffff816d124d>] __slab_free+0x58/0x38b
    [   46.657004]  [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
    [   46.657004]  [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
    [   46.657004]  [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
    [   46.657004]  [<ffffffff811e8c28>] destroy_inode+0x38/0x60
    [   46.657004]  [<ffffffff811e8d5e>] evict+0x10e/0x1a0
    [   46.657004]  [<ffffffff811e9605>] iput+0xf5/0x180
    [   46.657004]  [<ffffffff811e4338>] dput+0x248/0x310
    [   46.657004]  [<ffffffff811ce0e1>] __fput+0x171/0x240
    [   46.657004]  [<ffffffff811ce26e>] ____fput+0xe/0x10
    [   46.657004]  [<ffffffff8108d54c>] task_work_run+0xac/0xe0
    [   46.657004]  [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
    [   46.657004]  [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
    [   46.657004]  [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
    [   46.657004]  [<ffffffff8106d139>] do_group_exit+0x49/0xc0
    [   46.657004]  [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
    [   46.657004]  [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
    [   46.657004] ---[ end trace 4468c44e2156e7d1 ]---
    [   46.657004] Mapped at:
    [   46.657004]  [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
    [   46.657004]  [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
    [   46.657004]  [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
    [   46.657004]  [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
    [   46.657004]  [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
    
    Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
    dma_mapping_error check in the obvious place
    
    This was reported previously here:
    http://article.gmane.org/gmane.linux.network/257893
    
    But nobody stepped up and fixed it.
    
    CC: Josh Boyer <jwboyer@redhat.com>
    CC: e1000-devel@lists.sourceforge.net
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: Michal Jaegermann <michal@harddata.com>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/intel/e100.c |   36 +++++++++++++++++++++++++-----------
 1 files changed, 25 insertions(+), 11 deletions(-)

commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed Apr 10 12:44:18 2013 -0400

    Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
    
    NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
    
    Make sure that we set the status to 0 on success. Missed in testing
    because it never appears when doing multiple mounts to _different_
    servers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list

 fs/nfs/nfs4client.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
Author: Yuval Mintz <yuvalmin@broadcom.com>
Date:   Wed Apr 10 13:34:39 2013 +0300

    Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
    
    bnx2x: Prevent null pointer dereference in AFEX mode
    
    The cnic module is responsible for initializing various bnx2x structs
    via callbacks provided by the bnx2x module.
    One such struct is the queue object for the FCoE queue.
    
    If a device is working in AFEX mode and its configuration allows FCoE yet
    the cnic module is not loaded, it's very likely a null pointer dereference
    will occur, as the bnx2x will erroneously access the FCoE's queue object.
    
    Prevent said access until cnic properly registers itself.
    
    Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
    Signed-off-by: Ariel Elior <ariele@broadcom.com>
    Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 2908830232725db624aaa052f7ad38d1f98bf541
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Apr 9 14:16:04 2013 +0800

    Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
    
    can: gw: use kmem_cache_free() instead of kfree()
    
    Memory allocated by kmem_cache_alloc() should be freed using
    kmem_cache_free(), not kfree().
    
    Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/gw.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Sun Apr 7 04:53:15 2013 +0000

    Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
    
    ipv6/tcp: Stop processing ICMPv6 redirect messages
    
    Tetja Rediske found that if the host receives an ICMPv6 redirect message
    after sending a SYN+ACK, the connection will be reset.
    
    He bisected it down to 093d04d (ipv6: Change skb->data before using
    icmpv6_notify() to propagate redirect), but the origin of the bug comes
    from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
    handlers.). The bug simply did not trigger prior to 093d04d, because
    skb->data did not point to the inner IP header and thus icmpv6_notify
    did not call the correct err_handler.
    
    This patch adds the missing "goto out;" in tcp_v6_err. After receiving
    an ICMPv6 Redirect, we should not continue processing the ICMP in
    tcp_v6_err, as this may trigger the removal of request-socks or setting
    sk_err(_soft).
    
    Reported-by: Tetja Rediske <tetja@tetja.de>
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/tcp_ipv6.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c7d5c2524456ef3ea9194840e7a9a75069a46824
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 20:32:54 2013 -0400

    - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit acac2380fd97acee4367d2aa24c74322dcf1d22b
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 16:11:11 2013 -0400

    Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
    
    NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
    
    It is unsafe to use list_for_each_entry_safe() here, because
    when we drop the nn->nfs_client_lock, we pin the _current_ list
    entry and ensure that it stays in the list, but we don't do the
    same for the _next_ list entry. Use of list_for_each_entry() is
    therefore the correct thing to do.
    
    Also fix the refcounting in nfs41_walk_client_list().
    
    Finally, ensure that the nfs_client has finished being initialised
    and, in the case of NFSv4.1, that the session is set up.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: Chuck Lever <chuck.lever@oracle.com>
    Cc: Bryan Schumaker <bjschuma@netapp.com>
    Cc: stable@vger.kernel.org [>= 3.7]

 fs/nfs/nfs4client.c |   44 ++++++++++++++++++++++++++++----------------
 1 files changed, 28 insertions(+), 16 deletions(-)

commit a6cf5f387b882ac0ce655b75f623f86c075517be
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Fri Mar 22 12:52:59 2013 -0400

    Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
    
    SUNRPC: Remove extra xprt_put()
    
    While testing error cases where rpc_new_client() fails, I saw
    some oopses.
    
    If rpc_new_client() fails, it already invokes xprt_put().  Thus
    __rpc_clone_client() does not need to invoke it again.
    
    Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
    Fri Sep 14, 2012.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Cc: stable@vger.kernel.org [>=3.7]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 14:13:21 2013 -0400

    Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
    
    SUNRPC: Fix a potential memory leak in rpc_new_client
    
    If the call to rpciod_up() fails, we currently leak a reference to the
    struct rpc_xprt.
    As part of the fix, we also remove the redundant check for xprt!=NULL.
    This is already taken care of by the callers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:16:05 2013 -0400

    From https://lkml.org/lkml/2013/4/8/469:
    [PATCH] rtnetlink: call nlmsg_parse() with correct header length

 net/core/rtnetlink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9529169b8c405874fd543b785f53c74fa0501c2a
Author: Christopher Harvey <charvey@matrox.com>
Date:   Fri Apr 5 10:51:15 2013 -0400

    Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
    
    drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
    
    This change properly enables the "requester" in G200ER cards that is
    responsible for getting pixels out of memory and clocking them out to
    the screen.
    
    Signed-off-by: Christopher Harvey <charvey@matrox.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/gpu/drm/mgag200/mgag200_mode.c |   13 +++----------
 1 files changed, 3 insertions(+), 10 deletions(-)

commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Mar 28 13:30:23 2013 -0400

    Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
    
    ecryptfs: close rmmod race
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/ecryptfs/miscdev.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:03:45 2013 -0400

    Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1

 arch/ia64/kernel/palinfo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 83280e384ae3ceadad30369ced111dc7d4b46085
Author: Andrey Vagin <avagin@openvz.org>
Date:   Tue Apr 9 17:33:29 2013 +0400

    Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
    
    mnt: release locks on error path in do_loopback
    
    do_loopback calls lock_mount(path) and forget to unlock_mount
    if clone_mnt or copy_mnt fails.
    
    [   77.661566] ================================================
    [   77.662939] [ BUG: lock held when returning to user space! ]
    [   77.664104] 3.9.0-rc5+ #17 Not tainted
    [   77.664982] ------------------------------------------------
    [   77.666488] mount/514 is leaving the kernel with locks still held!
    [   77.668027] 2 locks held by mount/514:
    [   77.668817]  #0:  (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
    [   77.671755]  #1:  (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
    
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 679e536b9d9536d804f049fe942367a596253e6d
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Tue Mar 26 11:33:16 2013 -0600

    Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
    
    vfio-pci: Fix possible integer overflow
    
    The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
    of which are unsigned.  We attempt to bounds check these, but fail to
    account for the case where start is a very large number, allowing
    start + count to wrap back into the valid range.  Bounds check both
    start and start + count.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

 drivers/vfio/pci/vfio_pci.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 18:48:45 2013 -0400

    Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b5261a6384ee42499b29495aaae40b271e77d394
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:30:45 2013 -0400

    some undefined behavior fixups

 grsecurity/gracl.c      |    4 ++--
 grsecurity/gracl_ip.c   |   10 +++++-----
 grsecurity/gracl_segv.c |    4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:28:54 2013 -0400

    don't whine about denied ipv6 when it's not enabled

 grsecurity/gracl_ip.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
Merge: 97bca88 9123489
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:18:45 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 9123489428c58668a89f316db6619739cbdd2c2a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:17:46 2013 -0400

    Update to pax-linux-3.8.6-test18.patch:
    - new size overflow plugin from Emese to work around a gcc optimization
      resulting in an intentional overflow, reported by Carlos Carvalho
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)

 tools/gcc/size_overflow_plugin.c |   68 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 66 insertions(+), 2 deletions(-)

commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
Merge: 675a41e e9d6073
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:32:59 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/sparc/kernel/us3_cpufreq.c

commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:19:03 2013 -0400

    Update to pax-linux-3.8.6-test17.patch:
    - fixed ia64/ppc/sparc compilation by spender
    - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)

 arch/ia64/include/asm/uaccess.h    |    2 -
 arch/powerpc/include/asm/uaccess.h |    2 -
 arch/sparc/include/asm/uaccess.h   |    7 ----
 arch/sparc/kernel/prom_common.c    |    2 +-
 arch/sparc/kernel/us3_cpufreq.c    |   69 ++++++++++--------------------------
 tools/gcc/structleak_plugin.c      |   15 ++++----
 6 files changed, 28 insertions(+), 69 deletions(-)

commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 7 12:00:50 2013 -0400

    fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5a216624a06429488f24ce47db093da042f90e48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:22:24 2013 -0400

    fix typo

 arch/sparc/kernel/us3_cpufreq.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit e476ca18d21788898cd3acd1b57049971a2fb70f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:16:13 2013 -0400

    properly fix cpufreq_driver for ultrasparc III with constification

 arch/sparc/kernel/us3_cpufreq.c |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:58:48 2013 -0400

    mark prom_sparc_ops __initconst

 arch/sparc/kernel/prom_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:53:16 2013 -0400

    fix ia64/powerpc/sparc compilation

 arch/ia64/include/asm/uaccess.h    |    2 --
 arch/powerpc/include/asm/uaccess.h |    2 --
 arch/sparc/include/asm/uaccess.h   |    7 -------
 3 files changed, 0 insertions(+), 11 deletions(-)

commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Mar 19 20:26:57 2013 +0100

    Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
    
    cfg80211: fix wdev tracing crash
    
    Arend reported a crash in tracing if the driver returns an
    ERR_PTR() value from the add_virtual_intf() callback. This
    is due to the tracing then still attempting to dereference
    the "pointer", fix this by using IS_ERR_OR_NULL().
    
    Reported-by: Arend van Spriel <arend@broadcom.com>
    Tested-by: Arend van Spriel <arend@broadcom.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/wireless/trace.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Mon Mar 25 11:51:14 2013 +0100

    Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
    
    mac80211: fix remain-on-channel cancel crash
    
    If a ROC item is canceled just as it expires, the work
    struct may be scheduled while it is running (and waiting
    for the mutex). This results in it being run after being
    freed, which obviously crashes.
    
    To fix this don't free it when aborting is requested but
    instead mark it as "to be freed", which makes the work a
    no-op and allows freeing it outside.
    
    Cc: stable@vger.kernel.org [3.6+]
    Reported-by: Jouni Malinen <j@w1.fi>
    Tested-by: Jouni Malinen <j@w1.fi>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/mac80211/cfg.c         |    6 ++++--
 net/mac80211/ieee80211_i.h |    3 ++-
 net/mac80211/offchannel.c  |   23 +++++++++++++++++------
 3 files changed, 23 insertions(+), 9 deletions(-)

commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
Author: Stone Piao <piaoyun@marvell.com>
Date:   Fri Mar 29 19:21:21 2013 -0700

    Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
    
    mwifiex: limit channel number not to overflow memory
    
    Limit the channel number in scan request, or the driver scan
    config structure memory will be overflowed.
    
    Cc: <stable@vger.kernel.org> # 3.5+
    Signed-off-by: Stone Piao <piaoyun@marvell.com>
    Signed-off-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/cfg80211.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 207c411512bdaf0e4271f93ecac6ca26588da36f
Author: Gao feng <gaofeng@cn.fujitsu.com>
Date:   Thu Mar 21 19:48:41 2013 +0000

    Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
    
    netfilter: reset nf_trace in nf_reset
    
    We forgot to clear the nf_trace of sk_buff in nf_reset,
    When we use veth device, this nf_trace information will
    be leaked from one net namespace to another net namespace.
    
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/linux/skbuff.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Fri Mar 22 01:28:18 2013 +0000

    Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
    
    netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_queue_core.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit a79feb7d3251eca577d83d7f69eee2b961ab2924
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sat Mar 23 16:57:59 2013 +0100

    Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
    
    netfilter: nfnetlink_acct: return -EINVAL if object name is empty
    
    If user-space tries to create accounting object with an empty
    name, then return -EINVAL.
    
    Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink_acct.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
Author: Matthias Schiffer <mschiffer@universe-factory.net>
Date:   Sat Mar 30 10:23:12 2013 +0000

    Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
    
    netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
    
    The bitmask used for the prefix mangling was being calculated
    incorrectly, leading to the wrong part of the address being replaced
    when the prefix length wasn't a multiple of 32.
    
    Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/ipv6/netfilter/ip6t_NPT.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
Author: Veaceslav Falico <vfalico@redhat.com>
Date:   Wed Apr 3 05:46:33 2013 +0000

    Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
    
    bonding: remove sysfs before removing devices
    
    We have a race condition if we try to rmmod bonding and simultaneously add
    a bond master through sysfs. In bonding_exit() we first remove the devices
    (through rtnl_link_unregister() ) and only after that we remove the sysfs.
    If we manage to add a device through sysfs after that the devices were
    removed - we'll end up with that device/sysfs structure and with the module
    unloaded.
    
    Fix this by first removing the sysfs and only after that calling
    rtnl_link_unregister().
    
    Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d12cae44a9d12441d81c489178803237219d403d
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:14:47 2013 +0000

    Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
    
    af_unix: If we don't care about credentials coallesce all messages
    
    It was reported that the following LSB test case failed
    https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
    were not coallescing unix stream messages when the application was
    expecting us to.
    
    The problem was that the first send was before the socket was accepted
    and thus sock->sk_socket was NULL in maybe_add_creds, and the second
    send after the socket was accepted had a non-NULL value for sk->socket
    and thus we could tell the credentials were not needed so we did not
    bother.
    
    The unnecessary credentials on the first message cause
    unix_stream_recvmsg to start verifying that all messages had the same
    credentials before coallescing and then the coallescing failed because
    the second message had no credentials.
    
    Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
    long standing pessimization which would fail to coallesce messages when
    reading from a unix stream socket if the senders were different even if
    we did not care about their credentials.
    
    I have tested this and verified that the in the LSB test case mentioned
    above that the messages do coallesce now, while the were failing to
    coallesce without this change.
    
    Reported-by: Karel Srot <ksrot@redhat.com>
    Reported-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:13:35 2013 +0000

    Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
    
    Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
    
    This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
    
    The problem that the above patch was meant to address is that af_unix
    messages are not being coallesced because we are sending unnecesarry
    credentials.  Not sending credentials in maybe_add_creds totally
    breaks unconnected unix domain sockets that wish to send credentails
    to other sockets.
    
    In practice this break some versions of udev because they receive a
    message and the sending uid is bogus so they drop the message.
    
    Reported-by: Sven Joachim <svenjoac@gmx.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Mar 20 21:31:42 2013 +0000

    Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
    
    lantiq_etop: use free_netdev(netdev) instead of kfree()
    
    Freeing netdev without free_netdev() leads to net, tx leaks.
    And it may lead to dereferencing freed pointer.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/lantiq_etop.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
Author: Cong Wang <amwang@redhat.com>
Date:   Fri Mar 22 19:14:07 2013 +0000

    Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
    
    8021q: fix a potential use-after-free
    
    vlan_vid_del() could possibly free ->vlan_info after a RCU grace
    period, however, we may still refer to the freed memory area
    by 'grp' pointer. Found by code inspection.
    
    This patch moves vlan_vid_del() as behind as possible.
    
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/8021q/vlan.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit fff29c277024a39845d4b535083c8dafc21b45d9
Author: Hong zhi guo <honkiko@gmail.com>
Date:   Sat Mar 23 02:27:50 2013 +0000

    Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
    
    bridge: fix crash when set mac address of br interface
    
    When I tried to set mac address of a bridge interface to a mac
    address which already learned on this bridge, I got system hang.
    
    The cause is straight forward: function br_fdb_change_mac_address
    calls fdb_insert with NULL source nbp. Then an fdb lookup is
    performed. If an fdb entry is found and it's local, it's OK. But
    if it's not local, source is dereferenced for printk without NULL
    check.
    
    Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_fdb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
Author: Kumar Amit Mehta <gmate.amit@gmail.com>
Date:   Sat Mar 23 20:10:25 2013 +0000

    Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
    
    bnx2x: fix assignment of signed expression to unsigned variable
    
    fix for incorrect assignment of signed expression to unsigned variable.
    
    Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
    Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
Author: dingtianhong <dingtianhong@huawei.com>
Date:   Mon Mar 25 17:02:04 2013 +0000

    Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
    
    af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
    
    SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
    socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
    and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
    
    Origionally-authored-by: Karel Srot <ksrot@redhat.com>
    Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b964e1e61f0f0ccaa380be3342f956c604054bdc
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Mar 21 02:30:41 2013 -0700

    Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
    
    yama:  Better permission check for ptraceme
    
    Change the permission check for yama_ptrace_ptracee to the standard
    ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
    in the tracees user namespace.
    
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 security/yama/yama_lsm.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit b94e71c7b6abe75989edff18aca2781233fa143b
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Apr 1 11:40:51 2013 +0400

    Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
    
    ipc: set msg back to -EAGAIN if copy wasn't performed
    
    Make sure that msg pointer is set back to error value in case of
    MSG_COPY flag is set and desired message to copy wasn't found.  This
    garantees that msg is either a error pointer or a copy address.
    
    Otherwise the last message in queue will be freed without unlinking from
    the queue (which leads to memory corruption) and the dummy allocated
    copy won't be released.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
Author: Jan Kara <jack@suse.cz>
Date:   Fri Mar 29 15:39:16 2013 +0100

    Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
    
    reiserfs: Fix warning and inode leak when deleting inode with xattrs
    
    After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
    started failing to delete xattrs from inode. This was due to a buggy
    test for '.' and '..' in fill_with_dentries() which resulted in passing
    '.' and '..' entries to lookup_one_len() in some cases. That returned
    error and so we failed to iterate over all xattrs of and inode.
    
    Fix the test in fill_with_dentries() along the lines of the one in
    lookup_one_len().
    
    Reported-by: Pawel Zawora <pzawora@gmail.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
Author: Paul Bolle <pebolle@tiscali.nl>
Date:   Wed Apr 3 12:24:45 2013 +0100

    Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
    
    ARM: 7690/1: mm: fix CONFIG_LPAE typos
    
    CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
    up the two typos under arch/arm/.
    
    The fix to head.S is slightly scary, but this is just for setting up
    an early io-mapping for the serial port when running on a big-endian,
    LPAE system. Since these systems don't exist in the wild (at least, I
    have no access to one outside of kvmtool, which doesn't provide a serial
    port suitable for earlyprintk), then we can revisit the code later if it
    causes any problems.
    
    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/kernel/head.S  |    2 +-
 arch/arm/kernel/setup.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 984ba346b2d8f158473e9723ba145031368431ed
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Tue Mar 26 23:35:04 2013 +0100

    Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
    
    ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
    
    On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
    all use of the old entries. This patch implements the erratum workaround
    which consists of:
    
    1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
    2. Send IPI to the CPUs that are running the same mm (and ASID) as the
       one being invalidated (or all the online CPUs for global pages).
    3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
       return code already).
    
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    
    Conflicts:
    
        arch/arm/include/asm/tlbflush.h
        arch/arm/kernel/smp_tlb.c
        arch/arm/mm/context.c

 arch/arm/Kconfig                   |   10 +++++
 arch/arm/include/asm/highmem.h     |    7 ++++
 arch/arm/include/asm/mmu_context.h |    2 +
 arch/arm/include/asm/tlbflush.h    |   15 ++++++++
 arch/arm/kernel/smp_tlb.c          |   66 ++++++++++++++++++++++++++++++++++++
 arch/arm/mm/context.c              |    6 ++-
 6 files changed, 104 insertions(+), 2 deletions(-)

commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
Author: Jan Stancek <jstancek@redhat.com>
Date:   Thu Apr 4 11:35:10 2013 -0700

    Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
    
    mm: prevent mmap_cache race in find_vma()
    
    find_vma() can be called by multiple threads with read lock
    held on mm->mmap_sem and any of them can update mm->mmap_cache.
    Prevent compiler from re-fetching mm->mmap_cache, because other
    readers could update it in the meantime:
    
                   thread 1                             thread 2
                                            |
      find_vma()                            |  find_vma()
        struct vm_area_struct *vma = NULL;  |
        vma = mm->mmap_cache;               |
        if (!(vma && vma->vm_end > addr     |
            && vma->vm_start <= addr)) {    |
                                            |    mm->mmap_cache = vma;
        return vma;                         |
         ^^ compiler may optimize this      |
            local variable out and re-read  |
            mm->mmap_cache                  |
    
    This issue can be reproduced with gcc-4.8.0-1 on s390x by running
    mallocstress testcase from LTP, which triggers:
    
      kernel BUG at mm/rmap.c:1088!
        Call Trace:
         ([<000003d100c57000>] 0x3d100c57000)
          [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
          [<000000000023baae>] handle_pte_fault+0x41a/0xac8
          [<000000000023d832>] handle_mm_fault+0x17a/0x268
          [<000000000060507a>] do_protection_exception+0x1e2/0x394
          [<0000000000603a04>] pgm_check_handler+0x138/0x13c
          [<000003fffcf1f07a>] 0x3fffcf1f07a
        Last Breaking-Event-Address:
          [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
    
    Thanks to Jakub Jelinek for his insight on gcc and helping to
    track this down.
    
    Signed-off-by: Jan Stancek <jstancek@redhat.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c  |    2 +-
 mm/nommu.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 53f5096daa14967938bc154e6c41f9119863fb36
Merge: e988d7c 0a45285
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:32:31 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        drivers/net/ethernet/broadcom/tg3.c

commit 0a452855444d02502df6eb21ef3083cf303f71e1
Merge: 0277fa1 00cfbb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 5 17:31:15 2013 -0400

    Update to pax-linux-3.8.6-test16.patch:
    - fixed some attribute leakage into userland headers, patch by Mathias Krause
    - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
    
    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/intel_display.c

commit e988d7c8d946c816a2cb97f0d38048a1584966b8
Merge: baec40e 0277fa1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:05:41 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0277fa123b486cf11420967e4568d7653e225fd3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:04:48 2013 -0400

    Update to pax-linux-3.8.5-test15.patch:
    - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
    - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)

 drivers/media/pci/cx88/cx88-video.c |    6 +++---
 include/net/net_namespace.h         |    4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)

commit baec40e6708fd5ae2000cad6c70c5980c998b91c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 19:50:32 2013 -0400

    fix compilation as reported on forums for gcc versions lacking plugin
    support

 include/net/net_namespace.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
Merge: 6b69c35 0db9d15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:47:27 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0db9d156826bdd50510086fde837648a3dfd370e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:46:05 2013 -0400

    Update to pax-linux-3.8.5-test14.patch:
    - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table

 arch/x86/include/asm/uaccess_64.h |    6 +-
 include/linux/moduleloader.h      |    4 +-
 tools/gcc/size_overflow_hash.data |   98 +++++++++++++++++++++----------------
 3 files changed, 61 insertions(+), 47 deletions(-)

commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:35:06 2013 -0400

    remove duplicate compiler.h

 include/linux/sysrq.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 01e1d503fd2220adaaec0b92ea19441bdff73555
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 19:53:50 2013 -0400

    fix intentional_overflow marking on sys_sendto

 include/linux/syscalls.h |    2 +-
 net/socket.c             |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit cd5ff114d958470f471c63775278e8c05e774630
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:46:16 2013 -0400

    fix size_overflow false positive

 kernel/futex_compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 295ba16cc53df2375261accbedd6575ea327770a
Merge: 18340f1 278a989
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:36:18 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/exec.c
        include/linux/thread_info.h

commit 278a989c831d62193c7b3d119fe2302babd45d12
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:34:34 2013 -0400

    Resync with pax-linux-3.8.5-test13.patch

 arch/arm/include/asm/pgtable.h |    3 ++-
 arch/arm/lib/delay.c           |    1 +
 fs/exec.c                      |    8 ++++----
 include/linux/compiler.h       |    1 +
 include/linux/proc_fs.h        |    2 +-
 include/linux/thread_info.h    |    6 +++---
 include/linux/zlib.h           |    3 ++-
 init/main.c                    |    4 ++--
 kernel/user_namespace.c        |    2 +-
 lib/list_debug.c               |    4 ++--
 mm/slab.c                      |    1 +
 mm/slob.c                      |    1 +
 mm/slub.c                      |    1 +
 net/core/sysctl_net_core.c     |    3 +--
 tools/gcc/constify_plugin.c    |    1 +
 15 files changed, 24 insertions(+), 17 deletions(-)

commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
Merge: 05f01ae e8cfeae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:57 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
Merge: b461cb7 aa4cfde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:30:44 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        drivers/gpu/drm/i915/i915_gem_execbuffer.c
        fs/nfsd/vfs.c

commit 05f01ae4c3479541586a2387f916a6620889c479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:05:39 2013 -0400

    Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
    takes user-provided length, copies up to that amount in a sockaddr_storage
    struct on the stack, then takes an upper-bounded-only user-provided length
    and copies the sockaddr_storage struct back out to userland, complete with
    uninitialized data

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eea6ade59490784e83e08ec67322288fcf14cb31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:07:37 2013 -0400

    return a proper error, otherwise we could be accessing uninitialized data
    (previous define was a positive value)

 drivers/usb/storage/realtek_cr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
Merge: c3dc9a6 b461cb7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:24 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit b461cb7b1d85490430ef7896c247794af72c3749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:54:11 2013 -0400

    Add structleak plugin

 tools/gcc/structleak_plugin.c |  270 +++++++++++++++++++++++++++++++++++++++++
 1 files changed, 270 insertions(+), 0 deletions(-)

commit c3dc9a6ef10782894bb11fd088fd712db44d8062
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:53:22 2013 -0400

    Enable structleak by default for the security auto-config

 security/Kconfig |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
Merge: d8503a3 74bec16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:47:10 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 74bec16b657147a5575b1f14f4423a717ba317a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:46:13 2013 -0400

    Update to pax-linux-3.8.4-test13.patch:
    - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
    - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland

 Makefile                      |    5 +++-
 arch/x86/include/asm/compat.h |    2 +-
 arch/x86/mm/fault.c           |    3 +-
 fs/binfmt_elf.c               |    2 +-
 include/linux/compiler.h      |   42 ++++++++++++++--------------------------
 security/Kconfig              |   16 +++++++++++++++
 tools/gcc/Makefile            |    2 +
 tools/gcc/constify_plugin.c   |    7 +++++-
 8 files changed, 47 insertions(+), 32 deletions(-)

commit d8503a3a35d68b9ba1615d29335aef3f70d51465
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:02:40 2013 -0400

    Fix 8-byte stack infoleak in ia32_rt_sigpending
    User controls length, kernel only performs check on the upper bound, will
    fill in any amount less than sizeof(sigset_t) via a copy_to_user under
    KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
    regardless of whether the sigset_t content copied into it has been initialized
    or not

 arch/x86/ia32/sys_ia32.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:05:05 2013 -0400

    commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
    Author: J. Bruce Fields <bfields@redhat.com>
    Date:   Tue Mar 26 14:11:13 2013 -0400
    
        nfsd4: reject "negative" acl lengths
    
        Since we only enforce an upper bound, not a lower bound, a "negative"
        length can get through here.
    
        The symptom seen was a warning when we attempt to a kmalloc with an
        excessive size.
    
        Reported-by: Toralf Förster <toralf.foerster@gmx.de>
        Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 fs/nfsd/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
Author: Jeff Layton <jlayton@redhat.com>
Date:   Mon Mar 11 09:52:19 2013 -0400

    Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
    
    cifs: ignore everything in SPNEGO blob after mechTypes
    
    We've had several reports of people attempting to mount Windows 8 shares
    and getting failures with a return code of -EINVAL. The default sec=
    mode changed recently to sec=ntlmssp. With that, we expect and parse a
    SPNEGO blob from the server in the NEGOTIATE reply.
    
    The current decode_negTokenInit function first parses all of the
    mechTypes and then tries to parse the rest of the negTokenInit reply.
    The parser however currently expects a mechListMIC or nothing to follow the
    mechTypes, but Windows 8 puts a mechToken field there instead to carry
    some info for the new NegoEx stuff.
    
    In practice, we don't do anything with the fields after the mechTypes
    anyway so I don't see any real benefit in continuing to parse them.
    This patch just has the kernel ignore the fields after the mechTypes.
    We'll probably need to reinstate some of this if we ever want to support
    NegoEx.
    
    Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
    Reported-by: Yan Li <elliot.li.tech@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/asn1.c |   53 +++++------------------------------------------------
 1 files changed, 5 insertions(+), 48 deletions(-)

commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
Merge: 93ff726 0deb54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:15 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:35:05 2013 -0400

    fix typo

 arch/x86/mm/ioremap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
Merge: be9f8b8 f95e53a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:30:06 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit f95e53abadb6e4665866e4502ff9f518514193e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:29:25 2013 -0400

    Update to pax-linux-3.8.4-test12.patch:
    
    - fixed perf compilation reported by Michael Tremer
    - fixed USERCOPY reports triggered by SCTP, reported by mcp
    - last fix for aslr gap accounting, promise (thanks to spender)

 arch/x86/mm/ioremap.c                    |    3 +++
 fs/binfmt_elf.c                          |    5 ++---
 mm/mmap.c                                |    2 +-
 net/sctp/socket.c                        |   19 +++++++++++++++----
 tools/perf/util/include/linux/compiler.h |    8 ++++++++
 5 files changed, 29 insertions(+), 8 deletions(-)

commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 16:48:34 2013 -0400

    From: Al Viro <viro@ZenIV.linux.org.uk>
    To: Brad Spengler <spender@grsecurity.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    
    Umm...  I see what you are describing, and AFAICS you are correct; let me
    see if I am misreading your analysis:
            * vfsmount_lock may act fair; A holding it shared, with B spinning
    on attempt to take it exclusive may lead to C spinning on attempt to take
    it shared.
            * path_is_under() tries get rename_lock while holding vfsmount_lock
    shared.
            * d_path() et.al. try to take vfsmount_lock shared, while holding
    rename_lock.
    
    All true and yes, it's a bug (I'd probably classify it as a livelock, but
    that doesn't make any real difference).  There are three possible solutions,
    AFAICS:
            1) two-liner in path_is_under() replacing the use of vfsmount_lock
    with that of namespace_sem; trivial, but results in function unexpectedly
    blocking.  The current callers are fine with that, but it's a trouble
    waiting to happen.
            2) replace write_seqlock() in prepend_path() callers with
    read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
    is_subdir() we need more than just ->d_parent not pointing to something
    freed - we also care about ->d_name.len being in sync with ->d_name.name.
    It probably can be worked around, but...
    
            3) declare that rename_lock nests inside vfsmount_lock and let
    the callers of prepend_path() take vfsmount_lock().  I'd probably prefer
    that one...
    
    Nest rename_lock inside vfsmount_lock
    
    ... lest we get livelocks between path_is_under() and d_path() and friends.
    
    [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
      the issue ]
    
    Spotted-by: Brad Spengler <spender@grsecurity.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c        |   16 +++++++++++-----
 grsecurity/gracl.c |   20 ++++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri Mar 22 11:44:04 2013 -0700

    Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
    
    vfs,proc: guarantee unique inodes in /proc
    
    Dave Jones found another /proc issue with his Trinity tool: thanks to
    the namespace model, we can have multiple /proc dentries that point to
    the same inode, aliasing directories in /proc/<pid>/net/ for example.
    
    This ends up being a total disaster, because it acts like hardlinked
    directories, and causes locking problems.  We rely on the topological
    sort of the inodes pointed to by dentries, and if we have aliased
    directories, that odering becomes unreliable.
    
    In short: don't do this.  Multiple dentries with the same (directory)
    inode is just a bad idea, and the namespace code should never have
    exposed things this way.  But we're kind of stuck with it.
    
    This solves things by just always allocating a new inode during /proc
    dentry lookup, instead of using "iget_locked()" to look up existing
    inodes by superblock and number.  That actually simplies the code a bit,
    at the cost of potentially doing more inode [de]allocations.
    
    That said, the inode lookup wasn't free either (and did a lot of locking
    of inodes), so it is probably not that noticeable.  We could easily keep
    the old lookup model for non-directory entries, but rather than try to
    be excessively clever this just implements the minimal and simplest
    workaround for the problem.
    
    Reported-and-tested-by: Dave Jones <davej@redhat.com>
    Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/inode.c

 fs/proc/inode.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
Author: Vladimir Davydov <vdavydov@parallels.com>
Date:   Fri Mar 22 15:04:51 2013 -0700

    Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
    
    mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
    
    mnt_drop_write() must be called only if mnt_want_write() succeeded,
    otherwise the mnt_writers counter will diverge.
    
    mnt_writers counters are used to check if remounting FS as read-only is
    OK, so after an extra mnt_drop_write() call, it would be impossible to
    remount mqueue FS as read-only.  Besides, on umount a warning would be
    printed like this one:
    
      =====================================
      [ BUG: bad unlock balance detected! ]
      3.9.0-rc3 #5 Not tainted
      -------------------------------------
      a.out/12486 is trying to release lock (sb_writers) at:
      mnt_drop_write+0x1f/0x30
      but there are no more locks to release!
    
    Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
    Cc: Doug Ledford <dledford@redhat.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/mqueue.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 13:02:32 2013 -0400

    Don't use constify plugin if not enabled in config,
    reported by Alexey Vlasov

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3afb82e020593249ac394e9859397c3e0ef5341c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:50:13 2013 -0400

    oded 0day #2
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 20

 drivers/net/ethernet/broadcom/tg3.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:15:50 2013 -0400

    oded 0day #1
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 18

 drivers/net/wireless/zd1211rw/zd_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:13:12 2013 -0400

    remove warning on accessing this /proc entry, HIDESYM already caught the infoleak

 drivers/gpu/drm/i915/i915_debugfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 44cb11a9470f72157601d0ad4d572d111f90f504
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 18:11:42 2013 -0400

    use VM_DONTDUMP

 fs/binfmt_elf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:53:09 2013 -0400

    fix recent RLIMIT_AS changes (due to vm_flags typo)
    
    Conflicts:
    
        fs/binfmt_elf.c

 fs/binfmt_elf.c |    2 +-
 mm/mmap.c       |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fd5f0d92b0fbec02029dad124501a9c80e527a32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:08:48 2013 -0400

    complete_walk drops rcu-walk mode, no need for our own dropping
    method outside of generic_permission

 fs/namei.c |   30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

commit b49ab1c73edb6442eec609b26bba4d850b3111b6
Merge: 5e9a707 783ade9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:56:28 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 21:55:31 2013 -0400

    Update to pax-linux-3.8.3-test11.patch:
    - rewrote the ASLR gap accounting code once again
    - fixed ptrace compat bug found by the size overflow plugin

 fs/binfmt_elf.c          |   25 ++++++++++++-------------
 fs/exec.c                |    7 ++-----
 include/linux/compat.h   |    2 +-
 include/linux/mm.h       |    5 +++++
 include/linux/mm_types.h |    2 +-
 kernel/ptrace.c          |    2 +-
 mm/mmap.c                |   15 ++++++++++-----
 7 files changed, 32 insertions(+), 26 deletions(-)

commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 19:37:33 2013 -0400

    Make the constify plugin usage actually depend on the introduced config option
    (it was still forced on)

 tools/gcc/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1974b4f58d9d729c80ac1987785446115304a54c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 16:12:38 2013 -0400

    fix failed merge

 arch/arm/mm/fault.c |   15 +++------------
 1 files changed, 3 insertions(+), 12 deletions(-)

commit 675a8ab4a8fe8315df348735a37a302a7535224c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 23:36:14 2013 -0400

    From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
    From: Kees Cook <keescook@chromium.org>
    Date: Sun, 10 Mar 2013 20:09:31 +0000
    Subject: drm/i915: bounds check execbuffer relocation count
    
    It is possible to wrap the counter used to allocate the buffer for
    relocation copies. This could lead to heap writing overflows.
    
    CVE-2013-0913
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reported-by: Pinkie Pie
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:48:10 2013 -0800

    Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
    
    KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
    
    There is a potential use after free issue with the handling of
    MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
    memory such as frame buffers then KVM might continue to write to that
    address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
    the page in memory so it's unlikely to cause an issue, but if the user
    space component re-purposes the memory previously used for the guest, then
    the guest will be able to corrupt that memory.
    
    Tested: Tested against kvmclock unit test
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/include/asm/kvm_host.h |    4 +-
 arch/x86/kvm/x86.c              |   47 ++++++++++++++++----------------------
 2 files changed, 22 insertions(+), 29 deletions(-)

commit 0bcac31b57c381001feb69fd6ec8069e61e03432
Author: Andy Honig <ahonig@google.com>
Date:   Mon Mar 11 09:34:52 2013 -0700

    Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
    
    KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
    
    If the guest sets the GPA of the time_page so that the request to update the
    time straddles a page then KVM will write onto an incorrect page.  The
    write is done byusing kmap atomic to get a pointer to the page for the time
    structure and then performing a memcpy to that page starting at an offset
    that the guest controls.  Well behaved guests always provide a 32-byte aligned
    address, however a malicious guest could use this to corrupt host kernel
    memory.
    
    Tested: Tested against kvmclock unit test.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/x86.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 695c59887e4ec10b0b695ab4f645d1226c433be0
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:49:16 2013 -0800

    Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
    
    KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
    
    If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
    that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
    that request.  ioapic_read_indirect contains an
    ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
    non-debug builds.  In recent kernels this allows a guest to cause a kernel
    oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
    guest to read from large ranges of host memory.
    
    Tested: tested against apic unit tests.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/ioapic.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
Merge: aec3cd4 c522e3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:25 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
Merge: c57d855 405acc3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 19:38:11 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test

commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 19:56:04 2013 -0400

    include linux/compiler.h

 include/linux/zlib.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:42:20 2013 -0400

    fix missing sock_release()

 net/irda/af_irda.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit dd65c05cd24faf8946d4941434a553ee285c35a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:36:17 2013 -0400

    fix mpt fusion infoleak

 drivers/message/fusion/mptbase.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:33:45 2013 -0400

    Fix size_overflow false positive reported by slashbeast

 include/linux/zlib.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:35:36 2013 -0400

    fix up failed merge

 arch/arm/mm/fault.c |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:34:36 2013 -0400

    update documentation on consequences of building without gcc plugin support

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:18:13 2013 -0400

    fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f00195c633f91cfbd8c1f530d2c371b713026e20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:27:33 2013 -0400

    Fix compile error reported by KDE on the forums

 kernel/user_namespace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
Merge: 0949569 c57d855
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 22:20:46 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/mm/fault.c
        arch/x86/mm/fault.c
        fs/exec.c

commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 21:22:03 2013 -0400

    Update to pax-linux-3.8.2-test9.patch:
     arm changes from spender
      - removed userland access to the vectors page
      - removed obsolete sigreturn trampoline handling
      - added emulation for __kuser_get_tls
      - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
    - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
    - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
    - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
    - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
    - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
      and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.

 arch/arm/kernel/process.c                     |    5 +-
 arch/arm/kernel/signal.c                      |   24 +-
 arch/arm/kernel/traps.c                       |    7 -
 arch/arm/mm/alignment.c                       |    8 +
 arch/arm/mm/fault.c                           |   23 +-
 arch/arm/mm/mmu.c                             |    2 +-
 arch/x86/include/asm/bitops.h                 |    2 +-
 arch/x86/include/asm/desc.h                   |    2 +-
 arch/x86/include/asm/div64.h                  |    2 +-
 arch/x86/include/asm/io.h                     |    8 +-
 arch/x86/include/asm/paravirt.h               |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |   16 +-
 arch/x86/kernel/setup_percpu.c                |    2 +-
 arch/x86/mm/fault.c                           |    4 +-
 arch/x86/mm/numa.c                            |    2 +-
 arch/x86/mm/physaddr.c                        |    4 +-
 drivers/ata/libahci.c                         |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c    |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c       |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c        |    2 +-
 drivers/lguest/page_tables.c                  |    2 +-
 drivers/net/wireless/at76c50x-usb.c           |    2 +-
 drivers/oprofile/oprofile_files.c             |    2 +-
 drivers/power/power_supply_core.c             |    1 +
 drivers/usb/core/message.c                    |    2 +-
 fs/befs/endian.h                              |    4 +-
 fs/binfmt_elf.c                               |    5 +-
 fs/exec.c                                     |    4 +-
 fs/qnx6/qnx6.h                                |    4 +-
 fs/sysv/sysv.h                                |    2 +-
 fs/ubifs/io.c                                 |    2 +-
 fs/ufs/swab.h                                 |    4 +-
 include/linux/compat.h                        |    4 +-
 include/linux/completion.h                    |    6 +-
 include/linux/cpumask.h                       |   12 +-
 include/linux/ctype.h                         |    2 +-
 include/linux/err.h                           |    4 +-
 include/linux/math64.h                        |    6 +-
 include/linux/sched.h                         |    2 +-
 include/linux/unaligned/access_ok.h           |   12 +-
 include/linux/usb.h                           |    2 +-
 include/uapi/linux/byteorder/little_endian.h  |    4 +-
 include/uapi/linux/swab.h                     |    6 +-
 kernel/sched/core.c                           |    6 +-
 kernel/signal.c                               |    3 +
 kernel/time.c                                 |    2 +-
 kernel/timer.c                                |    2 +-
 lib/div64.c                                   |    4 +-
 mm/page-writeback.c                           |    2 +-
 net/socket.c                                  |    2 +
 scripts/package/builddeb                      |    1 +
 tools/gcc/size_overflow_hash.data             | 8869 +++++++++++++++----------
 tools/gcc/size_overflow_plugin.c              | 1072 ++--
 53 files changed, 6227 insertions(+), 3951 deletions(-)

commit 09495691bb31f11ec14d9127429f9a0f3f716f22
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:51:50 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit deb85b00d0f9f886e264e116313f298401ec5c59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:03:33 2013 -0400

    Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
    with a subject applied to it with RES_CPU.  Otherwise, the limit will only
    begin to be applied at fork time.
    
    Thanks to Bjornar Ness for the report.

 grsecurity/gracl.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 2126421f123513f604ceef2b23ba9ed516de7e58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:07:43 2013 -0400

    Move inode auditing prior to our refcnt dropping

 fs/namei.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:00:30 2013 -0400

    Drop reference on completed path walked in RCU mode or when violating
    the chroot fchdir check inside a chroot -- possible culprit for a reported
    vfsmount_lock hang during unmount

 fs/namei.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 16:43:45 2013 -0400

    add user_arg_ptr back to exec.c

 fs/exec.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 11:22:36 2013 -0400

    Don't globally include compat.h -- with the new X32 support it
    changes some definitions involving ELF binaries resulting in invalid
    coredumps, as reported by KDE on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
    Thanks to the PaX Team for debugging

 fs/exec.c                  |    3 +++
 grsecurity/grsec_exec.c    |   13 +++++++++++++
 include/linux/grsecurity.h |   15 ---------------
 3 files changed, 16 insertions(+), 15 deletions(-)

commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:59:26 2013 -0400

    Add peer information to /proc/net/unix from Kenan Kalajdzic:
    http://marc.info/?l=linux-netdev&m=126745636809191&w=2
    
    We use a "P" prefix to the inode number instead of "peer=".  This
    additional information can be used, for instance, to find what processes
    are connected to MySQL's unix domain socket.

 net/unix/af_unix.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1cd623d11a462d151ea8a5cace4521e1724911a3
Author: Oliver Neukum <oneukum@suse.de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
    
    USB: cdc-wdm: fix buffer overflow
    
    The buffer for responses must not overflow.
    If this would happen, set a flag, drop the data and return
    an error after user space has read all remaining data.
    
    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    CC: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/usb/class/cdc-wdm.c |   23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
Merge: 9cdf9bc db4cb92
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:23:14 2013 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/keys/compat.c

commit db4cb924546e3fec3a59f78d056f48176eaf7100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:22:24 2013 -0400

    Update to pax-linux-3.8.2-test8.patch

 arch/arm/include/asm/cache.h                |    2 ++
 arch/arm/mach-omap2/gpmc.c                  |   22 ++++++++++++----------
 arch/arm/mach-omap2/omap_device.c           |    4 ++--
 arch/arm/mach-omap2/omap_device.h           |    4 ++--
 arch/arm/plat-orion/include/plat/addr-map.h |    2 +-
 5 files changed, 19 insertions(+), 15 deletions(-)

commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
Merge: 3c865f9 1a45c31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:20:54 2013 -0400

    Merge branch 'linux-3.8.y' into pax-test
    
    Conflicts:
        arch/arm/include/asm/delay.h
        arch/arm/include/asm/pgtable.h
        arch/arm/lib/delay.c
        security/keys/compat.c

commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Tue Mar 12 02:59:49 2013 +0000

    Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
    
    vfs: fix pipe counter breakage
    
    If you open a pipe for neither read nor write, the pipe code will not
    add any usage counters to the pipe, causing the 'struct pipe_inode_info"
    to be potentially released early.
    
    That doesn't normally matter, since you cannot actually use the pipe,
    but the pipe release code - particularly fasync handling - still expects
    the actual pipe infrastructure to all be there.  And rather than adding
    NULL pointer checks, let's just disallow this case, the same way we
    already do for the named pipe ("fifo") case.
    
    This is ancient going back to pre-2.4 days, and until trinity, nobody
    naver noticed.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/pipe.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Mon Feb 25 10:20:36 2013 -0500

    Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
    
    Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
    
    Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
    compat_process_vm_rw() shows that the compatibility code requires an
    explicit "access_ok()" check before calling
    compat_rw_copy_check_uvector(). The same difference seems to appear when
    we compare fs/read_write.c:do_readv_writev() to
    fs/compat.c:compat_do_readv_writev().
    
    This subtle difference between the compat and non-compat requirements
    should probably be debated, as it seems to be error-prone. In fact,
    there are two others sites that use this function in the Linux kernel,
    and they both seem to get it wrong:
    
    Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
    also ends up calling compat_rw_copy_check_uvector() through
    aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
    be missing. Same situation for
    security/keys/compat.c:compat_keyctl_instantiate_key_iov().
    
    I propose that we add the access_ok() check directly into
    compat_rw_copy_check_uvector(), so callers don't have to worry about it,
    and it therefore makes the compat call code similar to its non-compat
    counterpart. Place the access_ok() check in the same location where
    copy_from_user() can trigger a -EFAULT error in the non-compat code, so
    the ABI behaviors are alike on both compat and non-compat.
    
    While we are here, fix compat_do_readv_writev() so it checks for
    compat_rw_copy_check_uvector() negative return values.
    
    And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
    handling.
    
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        security/keys/compat.c

 fs/compat.c            |   15 +++++++--------
 mm/process_vm_access.c |    8 --------
 security/keys/compat.c |    3 ++-
 3 files changed, 9 insertions(+), 17 deletions(-)

commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 11 18:38:38 2013 -0400

    Fix leak of signal handler addresses across execve, found by Emese Revfy

 kernel/signal.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 79b130c4b11c7940daf2b33d653a17666331c634
Merge: 6480ce9 3c865f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:04:03 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 20:03:12 2013 -0400

    Update to pax-linux-3.8.2-test7.patch:
    - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
    - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)

 fs/binfmt_elf.c                   |    3 ++-
 fs/exec.c                         |    3 +++
 include/linux/mm_types.h          |    2 +-
 init/main.c                       |    4 ++--
 mm/mmap.c                         |    2 +-
 mm/page_alloc.c                   |    4 ++--
 tools/gcc/latent_entropy_plugin.c |   11 +++++++----
 7 files changed, 18 insertions(+), 11 deletions(-)

commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
Merge: 4a5305e 25b3569
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:41:16 2013 -0400

    Merge branch 'pax-test' into grsec-test

commit 25b356980568bed9958315bb5a551fdc610055ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 10:40:48 2013 -0400

    Update to pax-linux-3.8.2-test6.patch:
    - fixed a KERNEXEC false positive on arm reported by Gu1
    - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
    - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
    - added fix from spender for some namespace breakage reported by zakalwe
    - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot

 Documentation/kernel-parameters.txt |    5 +++++
 arch/arm/kernel/patch.c             |    2 ++
 arch/x86/kernel/sys_i386_32.c       |    5 +++--
 drivers/acpi/blacklist.c            |    2 +-
 drivers/video/aty/mach64_cursor.c   |    1 +
 init/main.c                         |    4 ----
 mm/page_alloc.c                     |   27 +++++++++++++++++++++++++++
 net/ipv4/ip_fragment.c              |    2 +-
 security/Kconfig                    |    5 +++++
 tools/gcc/latent_entropy_plugin.c   |    7 +++++--
 10 files changed, 50 insertions(+), 10 deletions(-)

commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 11:19:06 2013 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
            Stephen Hemminger <stephen@networkplumber.org>
    Subject: [PATCH 1/3] bridge: fix mdb info leaks
    Date: Sat,  9 Mar 2013 16:52:19 +0100
    
    The bridging code discloses heap and stack bytes via the RTM_GETMDB
    netlink interface and via the notify messages send to group RTNLGRP_MDB
    afer a successful add/del.
    
    Fix both cases by initializing all unset members/padding bytes with
    memset(0).
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
    Date: Sat,  9 Mar 2013 16:52:20 +0100
    
    Initialize the mac address buffer with 0 as the driver specific function
    will probably not fill the whole buffer. In fact, all in-kernel drivers
    fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
    bytes. Therefore we currently leak 26 bytes of stack memory to userland
    via the netlink interface.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
    Date: Sat,  9 Mar 2013 16:52:21 +0100
    
    The dcb netlink interface leaks stack memory in various places:
    * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
      copied completely,
    * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
      so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
      for ieee_pfc structs, etc.,
    * the same is true for CEE -- no in-kernel driver fills the whole
      struct,
    
    Prevent all of the above stack info leaks by properly initializing the
    buffers/structures involved.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/bridge/br_mdb.c  |    4 ++++
 net/core/rtnetlink.c |    1 +
 net/dcb/dcbnl.c      |    8 ++++++++
 3 files changed, 13 insertions(+), 0 deletions(-)

commit 601dd446f896e3a362f706943df18a68d50420a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 09:35:25 2013 -0500

    add open/close wrappers in __patch_text() as reported by Gu1 on IRC

 arch/arm/kernel/patch.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ae39966fd85a493e9079b357e3faa62245a41222
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:27 2013 -0800

    Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
    
    ipc: don't allocate a copy larger than max
    
    When MSG_COPY is set, a duplicate message must be allocated for the copy
    before locking the queue.  However, the copy could not be larger than was
    sent which is limited to msg_ctlmax.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msg.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 61240e99650ea3e540a03a3e994349c5086f166b
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Fri Mar 8 12:43:26 2013 -0800

    Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
    
    ipc: fix potential oops when src msg > 4k w/ MSG_COPY
    
    If the src msg is > 4k, then dest->next points to the
    next allocated segment; resetting it just prior to dereferencing
    is bad.
    
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 ipc/msgutil.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 51727f602a267f34fb2e0dc9557f1714028d51a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 22:14:06 2013 -0500

    add missing 'else' in recent constify fixups

 net/ipv4/ip_fragment.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
Merge: 1580bb3 47c3f47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:18:37 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:17:22 2013 -0500

    Update to pax-linux-3.8.2-test5.patch:
    - fixed some fallout after the last round of constification changes, reported by several people

 arch/arm/common/gic.c                   |    4 ++--
 arch/arm/include/asm/hardware/gic.h     |    3 ++-
 arch/x86/include/asm/nmi.h              |    2 +-
 arch/x86/kernel/nmi.c                   |    2 +-
 arch/x86/pci/irq.c                      |    2 +-
 drivers/base/power/domain.c             |    4 ++--
 drivers/cpufreq/cpufreq_governor.c      |    4 ++--
 drivers/mfd/twl4030-irq.c               |    1 +
 drivers/video/vesafb.c                  |    7 +++++--
 include/linux/irq.h                     |    1 +
 include/linux/pm_domain.h               |    2 +-
 kernel/sched/core.c                     |    4 ++++
 lib/Kconfig.debug                       |    4 ++--
 net/core/sysctl_net_core.c              |    2 +-
 net/decnet/af_decnet.c                  |    1 +
 net/ipv4/devinet.c                      |    2 +-
 net/ipv4/ip_fragment.c                  |    2 +-
 net/ipv4/route.c                        |    2 +-
 net/ipv4/sysctl_net_ipv4.c              |    2 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c |    2 +-
 net/ipv6/reassembly.c                   |    2 +-
 scripts/sortextable.h                   |    6 +++---
 22 files changed, 36 insertions(+), 25 deletions(-)

commit 1580bb38b4db0bf2a46316599815e8b234edad81
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 22:02:59 2013 -0500

    add an additional open/close wrapper

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 21622672d28d58e0d93a805cd1f9650a894a752a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:58:24 2013 -0500

    fix oops at shutdown with new constify code

 kernel/sched/core.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 21:18:44 2013 -0500

    Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
    it currently conflicts with some lock debugging options, so made as an
    option to allow for debugging when necessary

 Makefile          |    2 --
 lib/Kconfig.debug |    6 +++---
 security/Kconfig  |   18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 5 deletions(-)

commit 0885b00b8373a1597b69c38032a0c9eee279303b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:55:19 2013 -0500

    disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify

 lib/Kconfig.debug |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c8a2617165e7127a54f293cbf57d22d50dd83abd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:30:41 2013 -0500

    Fix error:
    drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
    with cast and proper kernexec accessors

 drivers/video/vesafb.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:20:28 2013 -0500

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 20:12:17 2013 -0500

    fix compilation error -- no reason for task_pid_nr to not take a const task ptr

 include/linux/sched.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
Author: Kees Cook <keescook@chromium.org>
Date:   Mon Feb 25 21:32:25 2013 +0000

    Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
    
    proc connector: reject unprivileged listener bumps
    
    While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
    for an unprivileged user to turn off notifications for all listeners by
    sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
    required for a multicast bind.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Matt Helsley <matthltc@us.ibm.com>
    Cc: stable@vger.kernel.org
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Acked-by: Matt Helsley <matthltc@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/connector/cn_proc.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit ac6014ded57101e3e608941555ff507e20c1ece3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 26 19:15:02 2013 +0000

    Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
    
    irda: small read beyond end of array in debug code
    
    charset comes from skb->data.  It's a number in the 0-255 range.
    If we have debugging turned on then this could cause a read beyond
    the end of the array.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/iriap.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Wed Feb 27 10:57:31 2013 +0000

    Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
    
    net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
    
    Building sctp may fail with:
    
    In function ‘copy_from_user’,
        inlined from ‘sctp_getsockopt_assoc_stats’ at
        net/sctp/socket.c:5656:20:
    arch/x86/include/asm/uaccess_32.h:211:26: error: call to
        ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
        buffer size is not provably correct
    
    if built with W=1 due to a missing parameter size validation
    before the call to copy_from_user.
    
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Fri Mar 1 05:02:02 2013 +0000

    Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
    
    l2tp: Restore socket refcount when sendmsg succeeds
    
    The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
    reference counter after successful transmissions. Any successful
    sendmsg() call from userspace will then increase the reference counter
    forever, thus preventing the kernel's session and tunnel data from
    being freed later on.
    
    The problem only happens when writing directly on L2TP sockets.
    PPP sockets attached to L2TP are unaffected as the PPP subsystem
    uses pppol2tp_xmit() which symmetrically increase/decrease reference
    counters.
    
    This patch adds the missing call to sock_put() before returning from
    pppol2tp_sendmsg().
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:18:11 2013 +0000

    Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
    
    rds: limit the size allocated by rds_message_alloc()
    
    Dave Jones reported the following bug:
    
    "When fed mangled socket data, rds will trust what userspace gives it,
    and tries to allocate enormous amounts of memory larger than what
    kmalloc can satisfy."
    
    WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
    Hardware name: GA-MA78GM-S2H
    Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
    Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
    Call Trace:
     [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
     [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
     [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
     [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
     [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
     [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
     [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
     [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
     [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
     [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
     [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
     [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
     [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
     [<ffffffff81567f30>] sys_sendto+0x130/0x180
     [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
     [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
     [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
     [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
     [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
     [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
    ---[ end trace eed6ae990d018c8b ]---
    
    Reported-by: Dave Jones <davej@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/message.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:28:27 2013 +0000

    Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
    
    sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
    
    Don't definite its own MAX_KMALLOC_SIZE, use the one
    defined in mm.
    
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Cc: Sridhar Samudrala <sri@us.ibm.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ssnmap.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 4295a024e812f903fc580c81de5e81cc149503fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:57:49 2013 -0500

    Upstream commit: https://lkml.org/lkml/2013/3/6/535

 security/keys/process_keys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 33edd486a9899a145a15586d7134636b0300aaee
Merge: 4eeeaf3 a2a2094
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:53:00 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        arch/arm/include/asm/domain.h

commit a2a20947f5e1332e474160a39af520738b3c8c19
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:51:04 2013 -0500

    Update to pax-linux-3.8.2-test4.patch:
     fixed arm compilation problems reported by Michael Tremer
    - the constify plugin got smarter that enabled, with some additional patching,
      the elimination of about half the static function pointers on amd64/allmod
      (up from about 18%), depending on the kernel config it can be even more (70%)

 Documentation/dontdiff                        |    2 +
 arch/arm/include/asm/domain.h                 |    1 +
 arch/x86/include/asm/i8259.h                  |    2 +-
 arch/x86/include/asm/nmi.h                    |    4 +-
 arch/x86/kernel/acpi/boot.c                   |    4 +-
 arch/x86/kernel/apic/apic_noop.c              |    2 +-
 arch/x86/kernel/apic/es7000_32.c              |    2 +-
 arch/x86/kernel/apic/io_apic.c                |   10 +-
 arch/x86/kernel/cpu/mcheck/mce.c              |    2 +-
 arch/x86/kernel/cpu/perf_event.c              |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h |    2 +-
 arch/x86/kernel/i8259.c                       |    6 +-
 arch/x86/kernel/io_delay.c                    |    2 +-
 arch/x86/kernel/nmi.c                         |    6 +-
 arch/x86/kernel/nmi_selftest.c                |    4 +-
 arch/x86/kernel/pci-swiotlb.c                 |    2 +-
 arch/x86/oprofile/nmi_int.c                   |    8 +-
 arch/x86/oprofile/op_model_amd.c              |    8 +-
 arch/x86/oprofile/op_model_ppro.c             |    7 +-
 arch/x86/oprofile/op_x86_model.h              |    2 +-
 arch/x86/pci/irq.c                            |    6 +-
 drivers/acpi/apei/apei-internal.h             |    2 +-
 drivers/acpi/bgrt.c                           |    6 +-
 drivers/acpi/blacklist.c                      |    2 +-
 drivers/acpi/processor_idle.c                 |    2 +-
 drivers/acpi/sysfs.c                          |    4 +-
 drivers/base/bus.c                            |    4 +-
 drivers/base/node.c                           |    2 +-
 drivers/base/syscore.c                        |    4 +-
 drivers/block/drbd/drbd_receiver.c            |    4 +-
 drivers/char/random.c                         |    2 +-
 drivers/cpufreq/acpi-cpufreq.c                |   20 ++-
 drivers/cpufreq/cpufreq.c                     |    7 +-
 drivers/cpufreq/cpufreq_governor.c            |    4 +-
 drivers/cpufreq/cpufreq_governor.h            |    2 +-
 drivers/cpufreq/p4-clockmod.c                 |   12 +-
 drivers/cpufreq/speedstep-centrino.c          |    7 +-
 drivers/cpuidle/cpuidle.c                     |    2 +-
 drivers/cpuidle/governor.c                    |    4 +-
 drivers/cpuidle/sysfs.c                       |    2 +-
 drivers/devfreq/devfreq.c                     |    4 +-
 drivers/edac/edac_mc_sysfs.c                  |    2 +-
 drivers/edac/edac_pci_sysfs.c                 |    2 +-
 drivers/firewire/core-device.c                |    2 +-
 drivers/firmware/dmi-id.c                     |    2 +-
 drivers/firmware/efivars.c                    |    2 +-
 drivers/firmware/google/memconsole.c          |    4 +-
 drivers/gpio/gpio-ich.c                       |    2 +-
 drivers/gpu/drm/drm_drv.c                     |    2 +-
 drivers/gpu/drm/drm_ioc32.c                   |    9 +-
 drivers/gpu/drm/i915/i915_ioc32.c             |   11 +-
 drivers/gpu/drm/i915/intel_display.c          |   26 ++-
 drivers/gpu/drm/mga/mga_ioc32.c               |   11 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c       |    2 +-
 drivers/gpu/drm/r128/r128_ioc32.c             |   11 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c         |   11 +-
 drivers/gpu/drm/radeon/radeon_ttm.c           |   33 ++--
 drivers/gpu/drm/udl/udl_fb.c                  |    1 -
 drivers/hwmon/acpi_power_meter.c              |    4 +-
 drivers/hwmon/applesmc.c                      |    2 +-
 drivers/hwmon/asus_atk0110.c                  |   10 +-
 drivers/hwmon/ibmaem.c                        |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c              |    2 +-
 drivers/iio/industrialio-core.c               |    2 +-
 drivers/input/mouse/psmouse.h                 |    2 +-
 drivers/iommu/iommu.c                         |    2 +-
 drivers/leds/leds-clevo-mail.c                |    2 +-
 drivers/leds/leds-ss4200.c                    |    2 +-
 drivers/media/v4l2-core/v4l2-ioctl.c          |    5 +-
 drivers/mfd/twl4030-irq.c                     |    8 +-
 drivers/mfd/twl6030-irq.c                     |   10 +-
 drivers/misc/c2port/core.c                    |    4 +-
 drivers/mtd/sm_ftl.c                          |    2 +-
 drivers/net/bonding/bond_main.c               |    2 +-
 drivers/net/macvlan.c                         |   16 +-
 drivers/net/vxlan.c                           |    2 +-
 drivers/pci/hotplug/acpiphp_ibm.c             |    4 +-
 drivers/pci/hotplug/pci_hotplug_core.c        |    6 +-
 drivers/pci/hotplug/pciehp_core.c             |    2 +-
 drivers/pci/pci-sysfs.c                       |    6 +-
 drivers/pci/pci.h                             |    2 +-
 drivers/platform/x86/msi-laptop.c             |   14 +-
 drivers/platform/x86/sony-laptop.c            |    2 +-
 drivers/power/power_supply.h                  |    4 +-
 drivers/power/power_supply_core.c             |    6 +-
 drivers/power/power_supply_sysfs.c            |    6 +-
 drivers/rtc/rtc-cmos.c                        |    4 +-
 drivers/rtc/rtc-ds1307.c                      |    2 +-
 drivers/rtc/rtc-m48t59.c                      |    4 +-
 drivers/scsi/bfa/bfa.h                        |    2 +-
 drivers/staging/iio/iio_hwmon.c               |    2 +-
 drivers/usb/storage/usb.h                     |    2 +-
 drivers/video/aty/atyfb_base.c                |    8 +-
 drivers/video/aty/mach64_cursor.c             |    4 +-
 drivers/video/backlight/kb3886_bl.c           |    2 +-
 drivers/video/fb_defio.c                      |    6 +-
 drivers/video/mb862xx/mb862xxfb_accel.c       |   16 +-
 drivers/video/nvidia/nvidia.c                 |   27 ++-
 drivers/video/s1d13xxxfb.c                    |    6 +-
 drivers/video/smscufx.c                       |    4 +-
 drivers/video/udlfb.c                         |    4 +-
 drivers/video/uvesafb.c                       |   14 +-
 fs/exec.c                                     |    6 +-
 fs/ext4/super.c                               |    2 +-
 fs/jfs/super.c                                |    4 +-
 fs/nfs/callback_xdr.c                         |    2 +-
 fs/nfsd/nfs4proc.c                            |    2 +-
 fs/nfsd/nfs4xdr.c                             |    6 +-
 fs/nls/nls_base.c                             |   18 +-
 fs/nls/nls_euc-jp.c                           |    6 +-
 fs/nls/nls_koi8-ru.c                          |    6 +-
 fs/proc/proc_sysctl.c                         |   18 +-
 include/drm/drmP.h                            |   12 +-
 include/keys/asymmetric-subtype.h             |    2 +-
 include/linux/atmdev.h                        |    2 +-
 include/linux/binfmts.h                       |    2 +-
 include/linux/configfs.h                      |    2 +-
 include/linux/cpufreq.h                       |    3 +-
 include/linux/cpuidle.h                       |    5 +-
 include/linux/devfreq.h                       |    2 +-
 include/linux/device.h                        |    7 +-
 include/linux/extcon.h                        |    2 +-
 include/linux/fb.h                            |    2 +-
 include/linux/fscache.h                       |    2 +-
 include/linux/genl_magic_func.h               |    2 +-
 include/linux/hwmon-sysfs.h                   |    5 +-
 include/linux/iommu.h                         |    2 +-
 include/linux/irq.h                           |    2 +-
 include/linux/key-type.h                      |    2 +-
 include/linux/kobject.h                       |    1 +
 include/linux/kobject_ns.h                    |    2 +-
 include/linux/list.h                          |   14 +-
 include/linux/mod_devicetable.h               |    2 +-
 include/linux/module.h                        |    5 +-
 include/linux/net.h                           |    2 +-
 include/linux/netfilter.h                     |    2 +-
 include/linux/nls.h                           |    2 +-
 include/linux/pci_hotplug.h                   |    3 +-
 include/linux/platform_data/usb-exynos.h      |    2 +-
 include/linux/pnp.h                           |    2 +-
 include/linux/ppp-comp.h                      |    2 +-
 include/linux/rculist.h                       |   16 ++
 include/linux/sched.h                         |    2 +-
 include/linux/sock_diag.h                     |    2 +-
 include/linux/sunrpc/clnt.h                   |    2 +-
 include/linux/sunrpc/svc.h                    |    2 +-
 include/linux/sunrpc/svcauth.h                |    2 +-
 include/linux/swiotlb.h                       |    3 +-
 include/linux/syscore_ops.h                   |    2 +-
 include/linux/sysctl.h                        |    6 +-
 include/linux/sysfs.h                         |   10 +-
 include/linux/sysrq.h                         |    1 +
 include/linux/xattr.h                         |    2 +-
 include/net/9p/transport.h                    |    2 +-
 include/net/bluetooth/l2cap.h                 |    2 +-
 include/net/genetlink.h                       |    2 +-
 include/net/ip.h                              |    2 +-
 include/net/ip_vs.h                           |    4 +-
 include/net/llc_c_ac.h                        |    2 +-
 include/net/llc_c_ev.h                        |    4 +-
 include/net/llc_c_st.h                        |    2 +-
 include/net/llc_s_ac.h                        |    2 +-
 include/net/llc_s_st.h                        |    2 +-
 include/net/mac80211.h                        |    2 +-
 include/net/net_namespace.h                   |    2 +-
 include/net/netns/conntrack.h                 |    6 +-
 include/net/rtnetlink.h                       |    2 +-
 include/net/sctp/sm.h                         |    4 +-
 include/net/sctp/structs.h                    |    2 +-
 include/net/xfrm.h                            |    4 +-
 ipc/ipc_sysctl.c                              |   10 +-
 ipc/mq_sysctl.c                               |    2 +-
 kernel/kmod.c                                 |    2 +-
 kernel/ksysfs.c                               |    2 +-
 kernel/module.c                               |    4 +-
 kernel/pid_namespace.c                        |    2 +-
 kernel/rcutree_plugin.h                       |    2 +-
 kernel/sched/core.c                           |   39 ++--
 kernel/smpboot.c                              |    4 +-
 kernel/softirq.c                              |    2 +-
 kernel/sysctl.c                               |    2 +-
 kernel/utsname_sysctl.c                       |    2 +-
 kernel/watchdog.c                             |    2 +-
 lib/Kconfig.debug                             |    2 +-
 lib/kobject.c                                 |    4 +-
 lib/list_debug.c                              |   57 ++++-
 lib/swiotlb.c                                 |    2 +-
 mm/hugetlb.c                                  |   16 +-
 mm/memory-failure.c                           |    2 +-
 mm/slab_common.c                              |    2 +-
 net/9p/mod.c                                  |    4 +-
 net/ax25/sysctl_net_ax25.c                    |    2 +-
 net/core/neighbour.c                          |    2 +-
 net/core/net-sysfs.c                          |    2 +-
 net/core/net_namespace.c                      |    8 +-
 net/core/rtnetlink.c                          |   11 +-
 net/core/sock_diag.c                          |    9 +-
 net/core/sysctl_net_core.c                    |   15 +-
 net/ipv4/af_inet.c                            |    8 +-
 net/ipv4/devinet.c                            |   12 +-
 net/ipv4/inet_connection_sock.c               |    2 +-
 net/ipv4/ip_fragment.c                        |    9 +-
 net/ipv4/ip_gre.c                             |    6 +-
 net/ipv4/ip_vti.c                             |    4 +-
 net/ipv4/ipip.c                               |    4 +-
 net/ipv4/route.c                              |   14 +-
 net/ipv4/sysctl_net_ipv4.c                    |   43 ++--
 net/ipv6/addrconf.c                           |    4 +-
 net/ipv6/icmp.c                               |    2 +-
 net/ipv6/ip6_gre.c                            |    6 +-
 net/ipv6/ip6_tunnel.c                         |    4 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c       |   12 +-
 net/ipv6/reassembly.c                         |   11 +-
 net/ipv6/route.c                              |    2 +-
 net/ipv6/sit.c                                |    4 +-
 net/ipv6/sysctl_net_ipv6.c                    |    2 +-
 net/netfilter/ipset/ip_set_core.c             |    2 +-
 net/netfilter/ipvs/ip_vs_ctl.c                |    4 +-
 net/netfilter/ipvs/ip_vs_lblc.c               |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c              |    2 +-
 net/netfilter/nf_conntrack_acct.c             |    2 +-
 net/netfilter/nf_conntrack_ecache.c           |    2 +-
 net/netfilter/nf_conntrack_helper.c           |    2 +-
 net/netfilter/nf_conntrack_proto.c            |    2 +-
 net/netfilter/nf_conntrack_standalone.c       |    2 +-
 net/netfilter/nf_conntrack_timestamp.c        |    2 +-
 net/netfilter/nf_log.c                        |   10 +-
 net/netfilter/nf_sockopt.c                    |    4 +-
 net/netlink/genetlink.c                       |   16 +-
 net/phonet/sysctl.c                           |    2 +-
 net/rds/rds.h                                 |    2 +-
 net/sctp/ipv6.c                               |    6 +-
 net/sctp/protocol.c                           |   10 +-
 net/sctp/sm_sideeffect.c                      |    2 +-
 net/sctp/sysctl.c                             |    4 +-
 net/sunrpc/clnt.c                             |    4 +-
 net/sunrpc/svc.c                              |    4 +-
 net/unix/sysctl_net_unix.c                    |    2 +-
 net/xfrm/xfrm_policy.c                        |   11 +-
 net/xfrm/xfrm_state.c                         |   29 ++-
 net/xfrm/xfrm_sysctl.c                        |    2 +-
 security/apparmor/lsm.c                       |    2 +-
 security/keys/key.c                           |   18 +-
 security/yama/yama_lsm.c                      |   22 +-
 tools/gcc/Makefile                            |    4 +-
 tools/gcc/constify_plugin.c                   |  299 +++++++++++++++++++------
 tools/gcc/size_overflow_plugin.c              |    7 +-
 248 files changed, 994 insertions(+), 668 deletions(-)

commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:58:21 2013 -0500

    Make slab_state __read_only, it's only written to during init

 mm/slab_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:31:35 2013 -0500

    Make two new helper functions:
    gr_is_global_root() and gr_is_global_nonroot()

 grsecurity/gracl.c      |   10 +++++-----
 grsecurity/gracl_segv.c |    2 +-
 grsecurity/grsec_link.c |    4 ++--
 grsecurity/grsec_sig.c  |   10 +++++-----
 grsecurity/grsec_tpe.c  |    6 +++---
 include/linux/uidgid.h  |    2 ++
 6 files changed, 18 insertions(+), 16 deletions(-)

commit d45d88eddd4998b280b1e5b5384289ee11ca7088
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 6 12:14:41 2013 -0500

    convert remaining task->pid to task_pid_nr(task)

 grsecurity/gracl.c        |   22 +++++++++++-----------
 grsecurity/gracl_shm.c    |    2 +-
 grsecurity/grsec_chroot.c |    4 ++--
 grsecurity/grsec_sig.c    |    4 ++--
 4 files changed, 16 insertions(+), 16 deletions(-)

commit c877f2ece03ee2232dd281c1977ae59507297124
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 5 17:29:54 2013 -0500

    compat-log is only used anymore by vm86-on-64bit and allows unlimited
    spamming of the kernel log buffer (and since it includes the changable
    process name, can avoid syslog log deduplication)
    Turn it off by default

 fs/compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c1964c4b7276889d7967bee70e46918cdca1b14
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 4 17:19:10 2013 -0500

    fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
    is enabled, introduced with recent userns support

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:46:12 2013 -0500

    Prevent TOMOYO from auto-loading modules by unprivileged users
    (Only reachable if TOMOYO is actually used)

 security/tomoyo/mount.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 79e142f9455b398759ff9d93d4963a21b98dddda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 18:28:45 2013 -0500

    For now, don't permit any special access to /proc in a user namespace
    Later we can go back and allow a userns-uid0 special access to a /proc
    with a non-global pid namespace

 fs/proc/base.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8b91fb393049ce5f3c0a86f62247409853fd9700
Merge: d931eb8 603ef05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:42:09 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:41:31 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/mach-omap2/wd_timer.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b4c9ce81fdd7839a150c97873c710c479e788280
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:39:53 2013 -0500

    Fix compilation error on ARM reported by Michael Tremer

 arch/arm/kernel/armksyms.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d931eb81ab3da46896268fd61373a6aa7bbea930
Merge: bfa7f44 5948f93
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:36 2013 -0500

    Merge branch 'pax-test' into grsec-test

commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
Merge: ab30472 19b00d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 17:34:08 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 3 15:12:12 2013 -0500

    Initial support for user namespaces, as we previously didn't allow
    the option to be enabled at all.
    
    RBAC will act on the global uids/gids only, so all uids/gids in user
    namespaces will be converted
    
    Because Eric Biederman is insulted that I didn't support his
    backdoor prior to it receiving proper review.  I still have the CAP_SYS_ADMIN
    check in for user namespaces, so this is generally irrelevant.

 fs/exec.c                   |    6 +-
 fs/proc/base.c              |    2 +-
 fs/proc/proc_net.c          |    4 +-
 grsecurity/gracl.c          |  128 +++++++++++++++++++++++++++++-------------
 grsecurity/gracl_cap.c      |    4 +-
 grsecurity/gracl_ip.c       |   16 +++---
 grsecurity/gracl_segv.c     |   12 +++-
 grsecurity/gracl_shm.c      |    4 +-
 grsecurity/grsec_disabled.c |   10 ++--
 grsecurity/grsec_fifo.c     |    6 +-
 grsecurity/grsec_init.c     |   24 ++++----
 grsecurity/grsec_log.c      |    3 -
 grsecurity/grsec_tpe.c      |    6 +-
 include/linux/grinternal.h  |   12 ++--
 include/linux/grsecurity.h  |   12 ++--
 include/linux/uidgid.h      |    3 +
 init/Kconfig                |    2 -
 ipc/shm.c                   |    2 +-
 kernel/cred.c               |    5 +-
 kernel/kallsyms.c           |    2 +-
 kernel/kmod.c               |    6 +-
 kernel/sys.c                |   12 ++--
 22 files changed, 166 insertions(+), 115 deletions(-)

commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Feb 27 08:36:04 2013 -0800

    Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
    
    mm: do not grow the stack vma just because of an overrun on preceding vma
    
    The stack vma is designed to grow automatically (marked with VM_GROWSUP
    or VM_GROWSDOWN depending on architecture) when an access is made beyond
    the existing boundary.  However, particularly if you have not limited
    your stack at all ("ulimit -s unlimited"), this can cause the stack to
    grow even if the access was really just one past *another* segment.
    
    And that's wrong, especially since we first grow the segment, but then
    immediately later enforce the stack guard page on the last page of the
    segment.  So _despite_ first growing the stack segment as a result of
    the access, the kernel will then make the access cause a SIGSEGV anyway!
    
    So do the same logic as the guard page check does, and consider an
    access to within one page of the next segment to be a bad access, rather
    than growing the stack to abut the next segment.
    
    Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c |   27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

commit 5596211af754867ca825f58e6e0300a8439950fe
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Feb 27 12:46:40 2013 -0800

    Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
    
    x86: Make sure we can boot in the case the BDA contains pure garbage
    
    On non-BIOS platforms it is possible that the BIOS data area contains
    garbage instead of being zeroed or something equivalent (firmware
    people: we are talking of 1.5K here, so please do the sane thing.)
    
    We need on the order of 20-30K of low memory in order to boot, which
    may grow up to < 64K in the future.  We probably want to avoid the
    lowest of the low memory.  At the same time, it seems extremely
    unlikely that a legitimate EBDA would ever reach down to the 128K
    (which would require it to be over half a megabyte in size.)  Thus,
    pick 128K as the cutoff for "this is insane, ignore."  We may still
    end up reserving a bunch of extra memory on the low megabyte, but that
    is not really a major issue these days.  In the worst case we lose
    512K of RAM.
    
    This code really should be merged with trim_bios_range() in
    arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
    window.
    
    Reported-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: Matt Fleming <matt.fleming@intel.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org

 arch/x86/kernel/head.c |   53 ++++++++++++++++++++++++++++++-----------------
 1 files changed, 34 insertions(+), 19 deletions(-)

commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Feb 27 17:05:46 2013 -0800

    Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
    
    memstick: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Maxim Levitsky <maximlevitsky@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/memstick/host/r592.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Feb 27 17:05:21 2013 -0800

    Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
    
    sysctl: fix null checking in bin_dn_node_address()
    
    The null check of `strchr() + 1' is broken, which is always non-null,
    leading to OOB read.  Instead, check the result of strchr().
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sysctl_binary.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7ca96db0817416fd40761e7437d1939fc0731380
Author: Tejun Heo <tj@kernel.org>
Date:   Wed Feb 27 17:03:34 2013 -0800

    Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
    
    idr: fix a subtle bug in idr_get_next()
    
    The iteration logic of idr_get_next() is borrowed mostly verbatim from
    idr_for_each().  It walks down the tree looking for the slot matching
    the current ID.  If the matching slot is not found, the ID is
    incremented by the distance of single slot at the given level and
    repeats.
    
    The implementation assumes that during the whole iteration id is aligned
    to the layer boundaries of the level closest to the leaf, which is true
    for all iterations starting from zero or an existing element and thus is
    fine for idr_for_each().
    
    However, idr_get_next() may be given any point and if the starting id
    hits in the middle of a non-existent layer, increment to the next layer
    will end up skipping the same offset into it.  For example, an IDR with
    IDs filled between [64, 127] would look like the following.
    
              [  0  64 ... ]
           /----/   |
           |        |
          NULL    [ 64 ... 127 ]
    
    If idr_get_next() is called with 63 as the starting point, it will try
    to follow down the pointer from 0.  As it is NULL, it will then try to
    proceed to the next slot in the same level by adding the slot distance
    at that level which is 64 - making the next try 127.  It goes around the
    loop and finds and returns 127 skipping [64, 126].
    
    Note that this bug also triggers in idr_for_each_entry() loop which
    deletes during iteration as deletions can make layers go away leaving
    the iteration with unaligned ID into missing layers.
    
    Fix it by ensuring proceeding to the next slot doesn't carry over the
    unaligned offset - ie.  use round_up(id + 1, slot_distance) instead of
    id += slot_distance.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: David Teigland <teigland@redhat.com>
    Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/idr.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 745362f28034f54242ba2e64eaa7374ab9869613
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 1 20:31:42 2013 -0500

    Fix dentry use-after-free after failed complete_walk() with RBAC enabled
    Many thanks to zakalwe from #grsecurity for the report and debugging help

 fs/namei.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit b53b3b14330920c6f7cfb74c8508a3026e1be620
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 18:29:26 2013 -0500

    Fix bad git merge

 fs/namespace.c |    8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)

commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
Merge: 1cce1dd ab30472
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:45:14 2013 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        net/core/sock_diag.c

commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
Merge: 4b61d21 4c91a0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 28 17:43:56 2013 -0500

    Merge branch 'linux-3.8.y' into pax-test

commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 22:20:22 2013 -0500

    add compiler.h to sysrq.h to fix compilation problem reported by micu on forums

 include/linux/sysrq.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:52:31 2013 -0500

    declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel

 kernel/printk.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 17:23:46 2013 -0500

    Fix upstream vulnerability from addition of a /dev/kmsg device
    while neglecting to add the same set of existing permission checks
    from do_syslog.  This bit both dmesg_restrict and GRKERNSEC_DMESG.
    A temporary workaround without this patch would be to
    chmod 0600 /dev/kmsg (and is likely a good idea anyway).
    
    Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
    Initially reported to Redhat bugzilla by Christian Kujau:
    https://bugzilla.redhat.com/show_bug.cgi?id=903192

 kernel/printk.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 66c04806f5660988c3cb4855e60de294e77e3d0e
Author: David Howells <dhowells@redhat.com>
Date:   Thu Feb 21 12:00:25 2013 +0000

    Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
    
    KEYS: Revert one application of "Fix unreachable code" patch
    
    A patch to fix some unreachable code in search_my_process_keyrings() got
    applied twice by two different routes upstream as commits e67eab39bee2
    and b010520ab3d2 (both "fix unreachable code").
    
    Unfortunately, the second application removed something it shouldn't
    have and this wasn't detected by GIT.  This is due to the patch not
    having sufficient lines of context to distinguish the two places of
    application.
    
    The effect of this is relatively minor: inside the kernel, the keyring
    search routines may search multiple keyrings and then prioritise the
    errors if no keys or negative keys are found in any of them.  With the
    extra deletion, the presence of a negative key in the thread keyring
    (causing ENOKEY) is incorrectly overridden by an error searching the
    process keyring.
    
    So revert the second application of the patch.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Cc: Jiri Kosina <jkosina@suse.cz>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 security/keys/process_keys.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Thu Feb 21 16:42:43 2013 -0800

    Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
    
    configfs: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to found this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/configfs/dir.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
Author: Nicolas Pitre <nicolas.pitre@linaro.org>
Date:   Sun Feb 24 20:06:09 2013 -0500

    Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
    
    tty vt: fix character insertion overflow
    
    Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
    command line edition") broke insert_char() in multiple ways.  Then
    commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
    partially fixed it.  However, the buffer being moved is still too large
    and overflowing beyond the end of the current line, corrupting existing
    characters on the next line.
    
    Example test case:
    
    echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
    
    Expected result:
    
    ab c
    de
    
    Current result:
    
    ab c
     e
    
    Needless to say that this is very annoying when inserting words in the
    middle of paragraphs with certain text editors.
    
    Signed-off-by: Nicolas Pitre <nico@linaro.org>
    Cc: Jean-François Moine <moinejf@free.fr>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/tty/vt/vt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6cda35071669b4aabde081bd039e0ffea36f997a
Author: Robin Holt <holt@sgi.com>
Date:   Fri Feb 22 16:35:34 2013 -0800

    Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
    
    mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
    
    There is a race condition between mmu_notifier_unregister() and
    __mmu_notifier_release().
    
    Assume two tasks, one calling mmu_notifier_unregister() as a result of a
    filp_close() ->flush() callout (task A), and the other calling
    mmu_notifier_release() from an mmput() (task B).
    
                    A                               B
    t1                                              srcu_read_lock()
    t2              if (!hlist_unhashed())
    t3                                              srcu_read_unlock()
    t4              srcu_read_lock()
    t5                                              hlist_del_init_rcu()
    t6                                              synchronize_srcu()
    t7              srcu_read_unlock()
    t8              hlist_del_rcu()  <--- NULL pointer deref.
    
    Additionally, the list traversal in __mmu_notifier_release() is not
    protected by the by the mmu_notifier_mm->hlist_lock which can result in
    callouts to the ->release() notifier from both mmu_notifier_unregister()
    and __mmu_notifier_release().
    
    -stable suggestions:
    
    The stable trees prior to 3.7.y need commits 21a92735f660 and
    70400303ce0c cherry-picked in that order prior to cherry-picking this
    commit.  The 3.7.y tree already has those two commits.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
    Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
    Cc: Avi Kivity <avi@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Marcelo Tosatti <mtosatti@redhat.com>
    Cc: Sagi Grimberg <sagig@mellanox.co.il>
    Cc: Haggai Eran <haggaie@mellanox.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmu_notifier.c |   82 +++++++++++++++++++++++++++--------------------------
 1 files changed, 42 insertions(+), 40 deletions(-)

commit bf5167ed78ba6131c6874887f714bda50c2cab83
Author: Mike Galbraith <bitbucket@online.de>
Date:   Mon Jan 28 12:19:25 2013 +0100

    Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
    
    sched: Fix select_idle_sibling() bouncing cow syndrome
    
    If the previous CPU is cache affine and idle, select it.
    
    The current implementation simply traverses the sd_llc domain,
    taking the first idle CPU encountered, which walks buddy pairs
    hand in hand over the package, inflicting excruciating pain.
    
    1 tbench pair (worst case) in a 10 core + SMT package:
    
      pre   15.22 MB/sec 1 procs
      post 252.01 MB/sec 1 procs
    
    Signed-off-by: Mike Galbraith <bitbucket@online.de>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 kernel/sched/fair.c |   21 +++++++--------------
 1 files changed, 7 insertions(+), 14 deletions(-)

commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Dec 28 18:58:39 2012 -0800

    Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
    
    userns: Avoid recursion in put_user_ns
    
    When freeing a deeply nested user namespace free_user_ns calls
    put_user_ns on it's parent which may in turn call free_user_ns again.
    When -fno-optimize-sibling-calls is passed to gcc one stack frame per
    user namespace is left on the stack, potentially overflowing the
    kernel stack.  CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
    so we can't count on gcc to optimize this code.
    
    Remove struct kref and use a plain atomic_t.  Making the code more
    flexible and easier to comprehend.  Make the loop in free_user_ns
    explict to guarantee that the stack does not overflow with
    CONFIG_FRAME_POINTER enabled.
    
    I have tested this fix with a simple program that uses unshare to
    create a deeply nested user namespace structure and then calls exit.
    With 1000 nesteuser namespaces before this change running my test
    program causes the kernel to die a horrible death.  With 10,000,000
    nested user namespaces after this change my test program runs to
    completion and causes no harm.
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 include/linux/user_namespace.h |   10 +++++-----
 kernel/user.c                  |    4 +---
 kernel/user_namespace.c        |   17 +++++++++--------
 3 files changed, 15 insertions(+), 16 deletions(-)

commit 81501c7106ccc186c94806f4db954626295b5ebe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 26 17:12:30 2013 -0500

    Pass the same flags to kern_path_create as the original function

 fs/namei.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a677c8eee35afe48868f92c7d6745bfe809cd481
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Feb 22 22:45:42 2013 -0500

    Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
    
    get rid of unprotected dereferencing of mnt->mnt_ns
    
    It's safe only under namespace_sem or vfsmount_lock; all places
    in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
    current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
    there).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namespace.c |   29 +++++++++++++++++------------
 1 files changed, 17 insertions(+), 12 deletions(-)

commit 89298124d0c96dc34a60377e7a1308f8f532ff75
Author: Greg Thelen <gthelen@google.com>
Date:   Fri Feb 22 16:36:01 2013 -0800

    Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
    
    tmpfs: fix use-after-free of mempolicy object
    
    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
    option is not specified in the remount request.  A new policy can be
    specified if mpol=M is given.
    
    Before this patch remounting an mpol bound tmpfs without specifying
    mpol= mount option in the remount request would set the filesystem's
    mempolicy object to a freed mempolicy object.
    
    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
        # mkdir /tmp/x
    
        # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
    
        # mount -o remount,size=200M nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
            # note ? garbage in mpol=... output above
    
        # dd if=/dev/zero of=/tmp/x/f count=1
            # panic here
    
    Panic:
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        [...]
        Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
        Call Trace:
          mpol_shared_policy_init+0xa5/0x160
          shmem_get_inode+0x209/0x270
          shmem_mknod+0x3e/0xf0
          shmem_create+0x18/0x20
          vfs_create+0xb5/0x130
          do_last+0x9a1/0xea0
          path_openat+0xb3/0x4d0
          do_filp_open+0x42/0xa0
          do_sys_open+0xfe/0x1e0
          compat_sys_open+0x1b/0x20
          cstar_dispatch+0x7/0x1f
    
    Non-debug kernels will not crash immediately because referencing the
    dangling mpol will not cause a fault.  Instead the filesystem will
    reference a freed mempolicy object, which will cause unpredictable
    behavior.
    
    The problem boils down to a dropped mpol reference below if
    shmem_parse_options() does not allocate a new mpol:
    
        config = *sbinfo
        shmem_parse_options(data, &config, true)
        mpol_put(sbinfo->mpol)
        sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */
    
    This patch avoids the crash by not releasing the mempolicy if
    shmem_parse_options() doesn't create a new mpol.
    
    How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
    not look back further.
    
    Signed-off-by: Greg Thelen <gthelen@google.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 11:08:05 2013 -0500

    Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
    with a family greater or equal then AF_MAX -- the array size of
    sock_diag_handlers[]. The current code does not test for this
    condition therefore is vulnerable to an out-of-bound access opening
    doors for a privilege escalation.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
    make the code less readable. Get rid of them and make the lock usage
    and access to sock_diag_handlers[] clear on the first sight.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/core/sock_diag.c |   27 ++++++++++-----------------
 1 files changed, 10 insertions(+), 17 deletions(-)

commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 23 10:58:52 2013 -0500

    Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined

 arch/arm/include/asm/domain.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7b729586eb81f344fdedf0942fab0acc738a6725
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 22 19:02:51 2013 -0500

    Add back capability check for user namespaces.  They have not seen enough proper review and needlessly exposes additional attack surface for all users.

 kernel/fork.c |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit fadc560d0c486af88da83177735f5515e88acdcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:06:48 2013 -0500

    put is_hugetlbfs_mnt inside ifdefs

 grsecurity/gracl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8252176922d405484f986eb2cc350b7cd3ae586e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:02:07 2013 -0500

    remove unused label

 kernel/module.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit dad4a980f0b625059e215d13da728aa7fd02a374
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 23:00:52 2013 -0500

    compile fix

 fs/open.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:57:49 2013 -0500

    remove kmalloc_array_error for the same reasons as kcalloc_error

 include/linux/slab.h |    9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:49:35 2013 -0500

    Initial port of grsecurity for Linux 3.8

 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |   10 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   14 +-
 arch/arm/include/asm/cache.h                       |    2 +
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/fault.c                                |   27 +-
 arch/arm/mm/mmap.c                                 |    6 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    7 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    3 +-
 arch/ia64/mm/hugetlbpage.c                         |    3 +-
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/kernel/scall32-o32.S                     |    2 +-
 arch/mips/kernel/scall64-64.S                      |    2 +-
 arch/mips/kernel/scall64-n32.S                     |    2 +-
 arch/mips/kernel/scall64-o32.S                     |    2 +-
 arch/mips/mm/mmap.c                                |    3 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |   19 +-
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    8 +-
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/slice.c                            |    8 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    6 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |    3 +-
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    5 +-
 arch/x86/Kconfig.debug                             |    2 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/smpboot.c                          |    3 +
 arch/x86/kernel/sys_i386_32.c                      |   14 +-
 arch/x86/kernel/sys_x86_64.c                       |    3 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |    3 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 crypto/ablkcipher.c                                |   12 +-
 crypto/aead.c                                      |    9 +-
 crypto/ahash.c                                     |    2 +-
 crypto/blkcipher.c                                 |    6 +-
 crypto/crypto_user.c                               |   38 +-
 crypto/pcompress.c                                 |    3 +-
 crypto/rng.c                                       |    2 +-
 crypto/shash.c                                     |    3 +-
 drivers/block/cciss.c                              |    2 +
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   12 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    5 +
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/pci/proc.c                                 |    9 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2721 ++++++--------
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |    6 +
 fs/btrfs/inode.c                                   |   10 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   18 +
 fs/coredump.c                                      |   10 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  155 +-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    5 +
 fs/fs_struct.c                                     |   26 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/namei.c                                         |  269 ++-
 fs/namespace.c                                     |   24 +
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  168 +-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    3 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   43 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   19 +-
 fs/sysfs/dir.c                                     |   12 +
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   19 +-
 grsecurity/Kconfig                                 | 1021 +++++
 grsecurity/Makefile                                |   38 +
 grsecurity/gracl.c                                 | 4017 ++++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_fs.c                              |  431 +++
 grsecurity/gracl_ip.c                              |  384 ++
 grsecurity/gracl_learn.c                           |  207 +
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  299 ++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  357 ++
 grsecurity/grsec_disabled.c                        |  434 +++
 grsecurity/grsec_exec.c                            |  174 +
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  283 ++
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  329 ++
 grsecurity/grsec_mem.c                             |   40 +
 grsecurity/grsec_mount.c                           |   62 +
 grsecurity/grsec_pax.c                             |   36 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  222 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  469 +++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/capability.h                         |    5 +
 include/linux/cred.h                               |    3 +
 include/linux/fs.h                                 |   10 +
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  319 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  215 ++
 include/linux/grmsg.h                              |  111 +
 include/linux/grsecurity.h                         |  257 ++
 include/linux/grsock.h                             |   19 +
 include/linux/kallsyms.h                           |   14 +-
 include/linux/kmod.h                               |    2 +
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   12 +
 include/linux/sched.h                              |   66 +-
 include/linux/security.h                           |    1 +
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/sysctl.h                             |    2 +
 include/linux/thread_info.h                        |    2 +
 include/linux/vermagic.h                           |    9 +-
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    5 +-
 init/main.c                                        |   14 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 kernel/capability.c                                |   39 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  109 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   24 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   71 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/lockdep_proc.c                              |   10 +-
 kernel/module.c                                    |   80 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/posix-timers.c                              |    8 +
 kernel/printk.c                                    |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   38 +-
 kernel/sysctl.c                                    |   39 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 lib/Kconfig.debug                                  |    5 +-
 lib/is_single_threaded.c                           |    3 +
 lib/vsprintf.c                                     |   35 +-
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    4 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    3 +
 mm/mmap.c                                          |   62 +-
 mm/mprotect.c                                      |    8 +
 mm/page_alloc.c                                    |    6 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   18 +-
 net/core/dev.c                                     |    9 +
 net/core/sock_diag.c                               |    7 +
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   24 +
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |    7 +
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    2 +-
 net/phonet/af_phonet.c                             |    4 +-
 net/sctp/proc.c                                    |    3 +-
 net/socket.c                                       |   62 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   19 +
 security/Kconfig                                   |  320 ++-
 security/apparmor/lsm.c                            |    2 +-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/security.c                                |    2 -
 security/selinux/hooks.c                           |    2 -
 security/yama/Kconfig                              |    2 +-
 tools/gcc/Makefile                                 |    2 +-
 286 files changed, 15083 insertions(+), 2067 deletions(-)

commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 21:00:42 2013 -0500

    Initial import of pax-linux-3.8-test3.patch

 Documentation/dontdiff                           |   43 +-
 Documentation/kernel-parameters.txt              |    7 +
 Makefile                                         |   97 +-
 arch/alpha/include/asm/atomic.h                  |   10 +
 arch/alpha/include/asm/elf.h                     |    7 +
 arch/alpha/include/asm/pgalloc.h                 |    6 +
 arch/alpha/include/asm/pgtable.h                 |   11 +
 arch/alpha/kernel/module.c                       |    2 +-
 arch/alpha/kernel/osf_sys.c                      |   10 +-
 arch/alpha/mm/fault.c                            |  141 +-
 arch/arm/Kconfig                                 |    2 +-
 arch/arm/include/asm/atomic.h                    |  421 +++-
 arch/arm/include/asm/cache.h                     |    3 +-
 arch/arm/include/asm/cacheflush.h                |    2 +-
 arch/arm/include/asm/checksum.h                  |   14 +-
 arch/arm/include/asm/cmpxchg.h                   |    2 +
 arch/arm/include/asm/delay.h                     |    8 +-
 arch/arm/include/asm/domain.h                    |   32 +-
 arch/arm/include/asm/elf.h                       |   13 +-
 arch/arm/include/asm/fncpy.h                     |    2 +
 arch/arm/include/asm/futex.h                     |   10 +
 arch/arm/include/asm/kmap_types.h                |    2 +-
 arch/arm/include/asm/mach/dma.h                  |    2 +-
 arch/arm/include/asm/mach/map.h                  |    7 +-
 arch/arm/include/asm/outercache.h                |    2 +-
 arch/arm/include/asm/page.h                      |    2 +-
 arch/arm/include/asm/pgalloc.h                   |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h      |    5 +
 arch/arm/include/asm/pgtable-2level.h            |    1 +
 arch/arm/include/asm/pgtable-3level-hwdef.h      |    4 +
 arch/arm/include/asm/pgtable-3level.h            |    2 +
 arch/arm/include/asm/pgtable.h                   |   56 +-
 arch/arm/include/asm/proc-fns.h                  |    2 +-
 arch/arm/include/asm/processor.h                 |    5 +-
 arch/arm/include/asm/smp.h                       |    2 +-
 arch/arm/include/asm/thread_info.h               |    6 +-
 arch/arm/include/asm/uaccess.h                   |   92 +-
 arch/arm/include/uapi/asm/ptrace.h               |    2 +-
 arch/arm/kernel/armksyms.c                       |    4 +-
 arch/arm/kernel/entry-armv.S                     |  107 +-
 arch/arm/kernel/entry-common.S                   |   41 +-
 arch/arm/kernel/entry-header.S                   |   60 +
 arch/arm/kernel/fiq.c                            |    2 +
 arch/arm/kernel/head.S                           |    6 +-
 arch/arm/kernel/hw_breakpoint.c                  |    2 +-
 arch/arm/kernel/module.c                         |   29 +-
 arch/arm/kernel/perf_event_cpu.c                 |    2 +-
 arch/arm/kernel/process.c                        |   10 +-
 arch/arm/kernel/setup.c                          |   22 +-
 arch/arm/kernel/smp.c                            |    2 +-
 arch/arm/kernel/traps.c                          |    8 +-
 arch/arm/kernel/vmlinux.lds.S                    |   20 +-
 arch/arm/lib/clear_user.S                        |    6 +-
 arch/arm/lib/copy_from_user.S                    |    6 +-
 arch/arm/lib/copy_page.S                         |    1 +
 arch/arm/lib/copy_to_user.S                      |    6 +-
 arch/arm/lib/csumpartialcopyuser.S               |    4 +-
 arch/arm/lib/delay.c                             |   14 +-
 arch/arm/lib/uaccess_with_memcpy.c               |    2 +-
 arch/arm/mach-kirkwood/common.c                  |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                 |    2 +-
 arch/arm/mach-omap2/omap-wakeupgen.c             |    2 +-
 arch/arm/mach-omap2/omap_hwmod.c                 |    4 +-
 arch/arm/mach-ux500/include/mach/setup.h         |    7 -
 arch/arm/mm/Kconfig                              |    3 +-
 arch/arm/mm/fault.c                              |   78 +
 arch/arm/mm/fault.h                              |   12 +
 arch/arm/mm/init.c                               |   41 +
 arch/arm/mm/ioremap.c                            |    4 +-
 arch/arm/mm/mmap.c                               |   36 +-
 arch/arm/mm/mmu.c                                |  186 +-
 arch/arm/mm/proc-v7-2level.S                     |    3 +
 arch/arm/plat-omap/sram.c                        |    2 +
 arch/arm/plat-orion/include/plat/addr-map.h      |    2 +-
 arch/arm/plat-samsung/include/plat/dma-ops.h     |    2 +-
 arch/arm64/kernel/debug-monitors.c               |    2 +-
 arch/arm64/kernel/hw_breakpoint.c                |    2 +-
 arch/avr32/include/asm/elf.h                     |    8 +-
 arch/avr32/include/asm/kmap_types.h              |    4 +-
 arch/avr32/mm/fault.c                            |   27 +
 arch/frv/include/asm/atomic.h                    |   10 +
 arch/frv/include/asm/kmap_types.h                |    2 +-
 arch/frv/mm/elf-fdpic.c                          |    7 +-
 arch/ia64/include/asm/atomic.h                   |   10 +
 arch/ia64/include/asm/elf.h                      |    7 +
 arch/ia64/include/asm/pgalloc.h                  |   12 +
 arch/ia64/include/asm/pgtable.h                  |   13 +-
 arch/ia64/include/asm/spinlock.h                 |    2 +-
 arch/ia64/include/asm/uaccess.h                  |   28 +-
 arch/ia64/kernel/err_inject.c                    |    2 +-
 arch/ia64/kernel/mca.c                           |    2 +-
 arch/ia64/kernel/module.c                        |   48 +-
 arch/ia64/kernel/palinfo.c                       |    2 +-
 arch/ia64/kernel/salinfo.c                       |    2 +-
 arch/ia64/kernel/sys_ia64.c                      |   13 +-
 arch/ia64/kernel/topology.c                      |    2 +-
 arch/ia64/kernel/vmlinux.lds.S                   |    2 +-
 arch/ia64/mm/fault.c                             |   32 +-
 arch/ia64/mm/hugetlbpage.c                       |    2 +-
 arch/ia64/mm/init.c                              |   13 +
 arch/m32r/lib/usercopy.c                         |    6 +
 arch/mips/include/asm/atomic.h                   |   14 +
 arch/mips/include/asm/elf.h                      |   11 +-
 arch/mips/include/asm/exec.h                     |    2 +-
 arch/mips/include/asm/page.h                     |    2 +-
 arch/mips/include/asm/pgalloc.h                  |    5 +
 arch/mips/kernel/binfmt_elfn32.c                 |    7 +
 arch/mips/kernel/binfmt_elfo32.c                 |    7 +
 arch/mips/kernel/process.c                       |   12 -
 arch/mips/mm/fault.c                             |   17 +
 arch/mips/mm/mmap.c                              |   51 +-
 arch/parisc/include/asm/atomic.h                 |   10 +
 arch/parisc/include/asm/elf.h                    |    7 +
 arch/parisc/include/asm/pgalloc.h                |    6 +
 arch/parisc/include/asm/pgtable.h                |   11 +
 arch/parisc/include/asm/uaccess.h                |    4 +-
 arch/parisc/kernel/module.c                      |   50 +-
 arch/parisc/kernel/sys_parisc.c                  |    6 +-
 arch/parisc/kernel/traps.c                       |    4 +-
 arch/parisc/mm/fault.c                           |  140 +-
 arch/powerpc/include/asm/atomic.h                |   10 +
 arch/powerpc/include/asm/elf.h                   |   19 +-
 arch/powerpc/include/asm/exec.h                  |    2 +-
 arch/powerpc/include/asm/kmap_types.h            |    2 +-
 arch/powerpc/include/asm/mman.h                  |    2 +-
 arch/powerpc/include/asm/page.h                  |    8 +-
 arch/powerpc/include/asm/page_64.h               |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h            |    7 +
 arch/powerpc/include/asm/pgtable.h               |    1 +
 arch/powerpc/include/asm/pte-hash32.h            |    1 +
 arch/powerpc/include/asm/reg.h                   |    1 +
 arch/powerpc/include/asm/uaccess.h               |  142 +-
 arch/powerpc/kernel/exceptions-64e.S             |    4 +-
 arch/powerpc/kernel/exceptions-64s.S             |    2 +-
 arch/powerpc/kernel/module_32.c                  |   13 +-
 arch/powerpc/kernel/process.c                    |   55 -
 arch/powerpc/kernel/signal_32.c                  |    2 +-
 arch/powerpc/kernel/signal_64.c                  |    2 +-
 arch/powerpc/kernel/sysfs.c                      |    2 +-
 arch/powerpc/kernel/vdso.c                       |    5 +-
 arch/powerpc/lib/usercopy_64.c                   |   18 -
 arch/powerpc/mm/fault.c                          |   54 +-
 arch/powerpc/mm/mmap_64.c                        |   16 +
 arch/powerpc/mm/mmu_context_nohash.c             |    2 +-
 arch/powerpc/mm/numa.c                           |    2 +-
 arch/powerpc/mm/slice.c                          |   23 +-
 arch/powerpc/platforms/powermac/smp.c            |    2 +-
 arch/s390/include/asm/atomic.h                   |   10 +
 arch/s390/include/asm/elf.h                      |   13 +-
 arch/s390/include/asm/exec.h                     |    2 +-
 arch/s390/include/asm/uaccess.h                  |   15 +-
 arch/s390/kernel/module.c                        |   22 +-
 arch/s390/kernel/process.c                       |   36 -
 arch/s390/mm/mmap.c                              |   24 +
 arch/score/include/asm/exec.h                    |    2 +-
 arch/score/kernel/process.c                      |    5 -
 arch/sh/kernel/cpu/sh4a/smp-shx3.c               |    2 +-
 arch/sh/mm/mmap.c                                |   22 +-
 arch/sparc/include/asm/atomic_64.h               |  106 +-
 arch/sparc/include/asm/cache.h                   |    2 +-
 arch/sparc/include/asm/elf_32.h                  |    7 +
 arch/sparc/include/asm/elf_64.h                  |    7 +
 arch/sparc/include/asm/pgalloc_32.h              |    1 +
 arch/sparc/include/asm/pgalloc_64.h              |    1 +
 arch/sparc/include/asm/pgtable_32.h              |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                |    5 +
 arch/sparc/include/asm/spinlock_64.h             |   35 +-
 arch/sparc/include/asm/thread_info_32.h          |    2 +
 arch/sparc/include/asm/thread_info_64.h          |    2 +
 arch/sparc/include/asm/uaccess.h                 |    8 +
 arch/sparc/include/asm/uaccess_32.h              |   27 +-
 arch/sparc/include/asm/uaccess_64.h              |   19 +-
 arch/sparc/kernel/Makefile                       |    2 +-
 arch/sparc/kernel/sys_sparc_32.c                 |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                 |   48 +-
 arch/sparc/kernel/sysfs.c                        |    2 +-
 arch/sparc/kernel/traps_64.c                     |   13 +-
 arch/sparc/lib/Makefile                          |    2 +-
 arch/sparc/lib/atomic_64.S                       |  136 +-
 arch/sparc/lib/ksyms.c                           |    6 +
 arch/sparc/mm/Makefile                           |    2 +-
 arch/sparc/mm/fault_32.c                         |  292 ++
 arch/sparc/mm/fault_64.c                         |  486 +++
 arch/sparc/mm/hugetlbpage.c                      |   21 +-
 arch/tile/include/asm/atomic_64.h                |   10 +
 arch/tile/include/asm/uaccess.h                  |    4 +-
 arch/um/Makefile                                 |    4 +
 arch/um/include/asm/kmap_types.h                 |    2 +-
 arch/um/include/asm/page.h                       |    3 +
 arch/um/include/asm/pgtable-3level.h             |    1 +
 arch/um/kernel/process.c                         |   16 -
 arch/x86/Kconfig                                 |   10 +-
 arch/x86/Kconfig.cpu                             |    6 +-
 arch/x86/Kconfig.debug                           |    6 +-
 arch/x86/Makefile                                |   10 +
 arch/x86/boot/Makefile                           |    3 +
 arch/x86/boot/bitops.h                           |    4 +-
 arch/x86/boot/boot.h                             |    4 +-
 arch/x86/boot/compressed/Makefile                |    3 +
 arch/x86/boot/compressed/eboot.c                 |    2 -
 arch/x86/boot/compressed/head_32.S               |    7 +-
 arch/x86/boot/compressed/head_64.S               |    4 +-
 arch/x86/boot/compressed/misc.c                  |    4 +-
 arch/x86/boot/cpucheck.c                         |   28 +-
 arch/x86/boot/header.S                           |    6 +-
 arch/x86/boot/memory.c                           |    2 +-
 arch/x86/boot/video-vesa.c                       |    1 +
 arch/x86/boot/video.c                            |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S              |    4 +
 arch/x86/crypto/aesni-intel_asm.S                |   31 +
 arch/x86/crypto/blowfish-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/camellia-x86_64-asm_64.S         |    8 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S        |    8 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S          |    5 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S     |    5 +
 arch/x86/crypto/sha1_ssse3_asm.S                 |    3 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S      |    8 +
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S     |    5 +
 arch/x86/crypto/twofish-x86_64-asm_64.S          |    3 +
 arch/x86/ia32/ia32_signal.c                      |   14 +-
 arch/x86/ia32/ia32entry.S                        |  141 +-
 arch/x86/ia32/sys_ia32.c                         |   12 +-
 arch/x86/include/asm/alternative-asm.h           |   39 +
 arch/x86/include/asm/alternative.h               |    4 +-
 arch/x86/include/asm/apic.h                      |    2 +-
 arch/x86/include/asm/apm.h                       |    4 +-
 arch/x86/include/asm/atomic.h                    |  307 ++-
 arch/x86/include/asm/atomic64_32.h               |  100 +
 arch/x86/include/asm/atomic64_64.h               |  202 ++-
 arch/x86/include/asm/bitops.h                    |    2 +-
 arch/x86/include/asm/boot.h                      |    7 +-
 arch/x86/include/asm/cache.h                     |    5 +-
 arch/x86/include/asm/cacheflush.h                |    2 +-
 arch/x86/include/asm/checksum_32.h               |   12 +-
 arch/x86/include/asm/cmpxchg.h                   |   35 +
 arch/x86/include/asm/cpufeature.h                |    4 +-
 arch/x86/include/asm/desc.h                      |   65 +-
 arch/x86/include/asm/desc_defs.h                 |    6 +
 arch/x86/include/asm/elf.h                       |   31 +-
 arch/x86/include/asm/emergency-restart.h         |    2 +-
 arch/x86/include/asm/fpu-internal.h              |    6 +-
 arch/x86/include/asm/futex.h                     |   16 +-
 arch/x86/include/asm/hw_irq.h                    |    4 +-
 arch/x86/include/asm/io.h                        |   13 +-
 arch/x86/include/asm/irqflags.h                  |    5 +
 arch/x86/include/asm/kprobes.h                   |    9 +-
 arch/x86/include/asm/local.h                     |  142 +-
 arch/x86/include/asm/mman.h                      |   15 +
 arch/x86/include/asm/mmu.h                       |   16 +-
 arch/x86/include/asm/mmu_context.h               |   76 +-
 arch/x86/include/asm/module.h                    |   17 +-
 arch/x86/include/asm/page_64_types.h             |    2 +-
 arch/x86/include/asm/paravirt.h                  |   44 +-
 arch/x86/include/asm/paravirt_types.h            |   17 +-
 arch/x86/include/asm/pgalloc.h                   |   23 +
 arch/x86/include/asm/pgtable-2level.h            |    2 +
 arch/x86/include/asm/pgtable-3level.h            |    4 +
 arch/x86/include/asm/pgtable.h                   |  110 +-
 arch/x86/include/asm/pgtable_32.h                |   14 +-
 arch/x86/include/asm/pgtable_32_types.h          |   15 +-
 arch/x86/include/asm/pgtable_64.h                |   19 +-
 arch/x86/include/asm/pgtable_64_types.h          |    5 +
 arch/x86/include/asm/pgtable_types.h             |   36 +-
 arch/x86/include/asm/processor.h                 |   39 +-
 arch/x86/include/asm/ptrace.h                    |   26 +-
 arch/x86/include/asm/realmode.h                  |    4 +-
 arch/x86/include/asm/reboot.h                    |   10 +-
 arch/x86/include/asm/rwsem.h                     |   60 +-
 arch/x86/include/asm/segment.h                   |   24 +-
 arch/x86/include/asm/smp.h                       |   14 +-
 arch/x86/include/asm/spinlock.h                  |   36 +-
 arch/x86/include/asm/stackprotector.h            |    4 +-
 arch/x86/include/asm/stacktrace.h                |   32 +-
 arch/x86/include/asm/switch_to.h                 |    4 +-
 arch/x86/include/asm/thread_info.h               |   83 +-
 arch/x86/include/asm/uaccess.h                   |   96 +-
 arch/x86/include/asm/uaccess_32.h                |  106 +-
 arch/x86/include/asm/uaccess_64.h                |  232 +-
 arch/x86/include/asm/word-at-a-time.h            |    2 +-
 arch/x86/include/asm/x86_init.h                  |   10 +-
 arch/x86/include/asm/xsave.h                     |   10 +-
 arch/x86/include/uapi/asm/e820.h                 |    2 +-
 arch/x86/kernel/Makefile                         |    2 +-
 arch/x86/kernel/acpi/sleep.c                     |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                 |    6 +-
 arch/x86/kernel/alternative.c                    |   65 +-
 arch/x86/kernel/apic/apic.c                      |    6 +-
 arch/x86/kernel/apic/apic_flat_64.c              |    4 +-
 arch/x86/kernel/apic/bigsmp_32.c                 |    2 +-
 arch/x86/kernel/apic/es7000_32.c                 |    5 +-
 arch/x86/kernel/apic/io_apic.c                   |    8 +-
 arch/x86/kernel/apic/numaq_32.c                  |    3 +-
 arch/x86/kernel/apic/probe_32.c                  |    2 +-
 arch/x86/kernel/apic/summit_32.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c            |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c               |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c               |    2 +-
 arch/x86/kernel/apm_32.c                         |   19 +-
 arch/x86/kernel/asm-offsets.c                    |   20 +
 arch/x86/kernel/asm-offsets_64.c                 |    1 +
 arch/x86/kernel/cpu/Makefile                     |    4 -
 arch/x86/kernel/cpu/amd.c                        |    2 +-
 arch/x86/kernel/cpu/common.c                     |   75 +-
 arch/x86/kernel/cpu/intel.c                      |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c            |   50 +-
 arch/x86/kernel/cpu/mcheck/mce.c                 |   29 +-
 arch/x86/kernel/cpu/mcheck/p5.c                  |    3 +
 arch/x86/kernel/cpu/mcheck/therm_throt.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/winchip.c             |    3 +
 arch/x86/kernel/cpu/mtrr/main.c                  |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                  |    2 +-
 arch/x86/kernel/cpu/perf_event.c                 |    4 +-
 arch/x86/kernel/cpu/perf_event_intel.c           |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c    |    2 +-
 arch/x86/kernel/cpuid.c                          |    2 +-
 arch/x86/kernel/crash.c                          |    4 +-
 arch/x86/kernel/doublefault_32.c                 |    8 +-
 arch/x86/kernel/dumpstack.c                      |   30 +-
 arch/x86/kernel/dumpstack_32.c                   |   34 +-
 arch/x86/kernel/dumpstack_64.c                   |   63 +-
 arch/x86/kernel/early_printk.c                   |    1 +
 arch/x86/kernel/entry_32.S                       |  354 ++-
 arch/x86/kernel/entry_64.S                       |  512 +++-
 arch/x86/kernel/ftrace.c                         |   14 +-
 arch/x86/kernel/head32.c                         |    4 +-
 arch/x86/kernel/head_32.S                        |  237 ++-
 arch/x86/kernel/head_64.S                        |  158 +-
 arch/x86/kernel/i386_ksyms_32.c                  |    8 +
 arch/x86/kernel/i387.c                           |    2 +-
 arch/x86/kernel/i8259.c                          |    2 +-
 arch/x86/kernel/ioport.c                         |    2 +-
 arch/x86/kernel/irq.c                            |   10 +-
 arch/x86/kernel/irq_32.c                         |   69 +-
 arch/x86/kernel/irq_64.c                         |    2 +-
 arch/x86/kernel/kdebugfs.c                       |    2 +-
 arch/x86/kernel/kgdb.c                           |   25 +-
 arch/x86/kernel/kprobes-opt.c                    |   12 +-
 arch/x86/kernel/kprobes.c                        |   30 +-
 arch/x86/kernel/kvm.c                            |    2 +-
 arch/x86/kernel/ldt.c                            |   31 +-
 arch/x86/kernel/machine_kexec_32.c               |    6 +-
 arch/x86/kernel/microcode_core.c                 |    2 +-
 arch/x86/kernel/microcode_intel.c                |    4 +-
 arch/x86/kernel/module.c                         |   76 +-
 arch/x86/kernel/msr.c                            |    2 +-
 arch/x86/kernel/nmi.c                            |   11 +
 arch/x86/kernel/paravirt-spinlocks.c             |    2 +-
 arch/x86/kernel/paravirt.c                       |   43 +-
 arch/x86/kernel/pci-iommu_table.c                |    2 +-
 arch/x86/kernel/process.c                        |   57 +-
 arch/x86/kernel/process_32.c                     |   29 +-
 arch/x86/kernel/process_64.c                     |   15 +-
 arch/x86/kernel/ptrace.c                         |   25 +-
 arch/x86/kernel/pvclock.c                        |    8 +-
 arch/x86/kernel/reboot.c                         |   44 +-
 arch/x86/kernel/relocate_kernel_64.S             |    4 +-
 arch/x86/kernel/setup.c                          |   14 +-
 arch/x86/kernel/setup_percpu.c                   |   27 +-
 arch/x86/kernel/signal.c                         |   15 +-
 arch/x86/kernel/smp.c                            |    2 +-
 arch/x86/kernel/smpboot.c                        |   15 +-
 arch/x86/kernel/step.c                           |   10 +-
 arch/x86/kernel/sys_i386_32.c                    |  247 ++
 arch/x86/kernel/sys_x86_64.c                     |   19 +-
 arch/x86/kernel/tboot.c                          |   14 +-
 arch/x86/kernel/time.c                           |   10 +-
 arch/x86/kernel/tls.c                            |    7 +-
 arch/x86/kernel/traps.c                          |   64 +-
 arch/x86/kernel/uprobes.c                        |    2 +-
 arch/x86/kernel/vm86_32.c                        |    6 +-
 arch/x86/kernel/vmlinux.lds.S                    |  148 +-
 arch/x86/kernel/vsyscall_64.c                    |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                 |    2 -
 arch/x86/kernel/x86_init.c                       |    8 +-
 arch/x86/kernel/xsave.c                          |    2 +
 arch/x86/kvm/cpuid.c                             |   21 +-
 arch/x86/kvm/emulate.c                           |    4 +-
 arch/x86/kvm/lapic.c                             |    2 +-
 arch/x86/kvm/paging_tmpl.h                       |    2 +-
 arch/x86/kvm/svm.c                               |    8 +
 arch/x86/kvm/vmx.c                               |   47 +-
 arch/x86/kvm/x86.c                               |   10 +-
 arch/x86/lguest/boot.c                           |    3 +-
 arch/x86/lib/atomic64_386_32.S                   |  164 +
 arch/x86/lib/atomic64_cx8_32.S                   |  103 +-
 arch/x86/lib/checksum_32.S                       |  100 +-
 arch/x86/lib/clear_page_64.S                     |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                    |    2 +
 arch/x86/lib/copy_page_64.S                      |   24 +-
 arch/x86/lib/copy_user_64.S                      |   47 +-
 arch/x86/lib/copy_user_nocache_64.S              |   20 +-
 arch/x86/lib/csum-copy_64.S                      |    2 +
 arch/x86/lib/csum-wrappers_64.c                  |    4 +-
 arch/x86/lib/getuser.S                           |   68 +-
 arch/x86/lib/insn.c                              |    6 +-
 arch/x86/lib/iomap_copy_64.S                     |    2 +
 arch/x86/lib/memcpy_64.S                         |   18 +-
 arch/x86/lib/memmove_64.S                        |   34 +-
 arch/x86/lib/memset_64.S                         |    7 +-
 arch/x86/lib/mmx_32.c                            |  243 +-
 arch/x86/lib/msr-reg.S                           |   18 +-
 arch/x86/lib/putuser.S                           |   90 +-
 arch/x86/lib/rwlock.S                            |   42 +
 arch/x86/lib/rwsem.S                             |    6 +-
 arch/x86/lib/thunk_64.S                          |    2 +
 arch/x86/lib/usercopy_32.c                       |  376 ++-
 arch/x86/lib/usercopy_64.c                       |   25 +-
 arch/x86/mm/extable.c                            |   25 +-
 arch/x86/mm/fault.c                              |  555 +++-
 arch/x86/mm/gup.c                                |    2 +-
 arch/x86/mm/highmem_32.c                         |    4 +
 arch/x86/mm/hugetlbpage.c                        |   30 +-
 arch/x86/mm/init.c                               |   92 +-
 arch/x86/mm/init_32.c                            |  122 +-
 arch/x86/mm/init_64.c                            |   48 +-
 arch/x86/mm/iomap_32.c                           |    4 +
 arch/x86/mm/ioremap.c                            |   12 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                |    4 +-
 arch/x86/mm/mmap.c                               |   41 +-
 arch/x86/mm/mmio-mod.c                           |   10 +-
 arch/x86/mm/pageattr-test.c                      |    2 +-
 arch/x86/mm/pageattr.c                           |   33 +-
 arch/x86/mm/pat.c                                |   12 +-
 arch/x86/mm/pf_in.c                              |   10 +-
 arch/x86/mm/pgtable.c                            |  137 +-
 arch/x86/mm/pgtable_32.c                         |    3 +
 arch/x86/mm/setup_nx.c                           |    7 +
 arch/x86/mm/tlb.c                                |    4 +
 arch/x86/net/bpf_jit.S                           |   14 +
 arch/x86/net/bpf_jit_comp.c                      |   37 +-
 arch/x86/oprofile/backtrace.c                    |    8 +-
 arch/x86/pci/amd_bus.c                           |    2 +-
 arch/x86/pci/mrst.c                              |    4 +-
 arch/x86/pci/pcbios.c                            |  144 +-
 arch/x86/platform/efi/efi_32.c                   |   19 +
 arch/x86/platform/efi/efi_stub_32.S              |   64 +-
 arch/x86/platform/efi/efi_stub_64.S              |    8 +
 arch/x86/platform/mrst/mrst.c                    |    6 +-
 arch/x86/platform/olpc/olpc_dt.c                 |    2 +-
 arch/x86/power/cpu.c                             |    4 +-
 arch/x86/realmode/init.c                         |    8 +-
 arch/x86/realmode/rm/Makefile                    |    3 +
 arch/x86/realmode/rm/header.S                    |    4 +-
 arch/x86/realmode/rm/trampoline_32.S             |   12 +-
 arch/x86/realmode/rm/trampoline_64.S             |    2 +-
 arch/x86/tools/relocs.c                          |   95 +-
 arch/x86/vdso/Makefile                           |    2 +-
 arch/x86/vdso/vdso32-setup.c                     |   23 +-
 arch/x86/vdso/vma.c                              |   29 +-
 arch/x86/xen/enlighten.c                         |   47 +-
 arch/x86/xen/mmu.c                               |    9 +
 arch/x86/xen/smp.c                               |   18 +-
 arch/x86/xen/xen-asm_32.S                        |   12 +-
 arch/x86/xen/xen-head.S                          |   11 +
 arch/x86/xen/xen-ops.h                           |    2 -
 block/blk-iopoll.c                               |    4 +-
 block/blk-map.c                                  |    2 +-
 block/blk-softirq.c                              |    4 +-
 block/bsg.c                                      |   12 +-
 block/compat_ioctl.c                             |    2 +-
 block/partitions/efi.c                           |    8 +-
 block/scsi_ioctl.c                               |   27 +-
 crypto/cryptd.c                                  |    4 +-
 drivers/acpi/apei/cper.c                         |    8 +-
 drivers/acpi/ec_sys.c                            |   12 +-
 drivers/acpi/processor_driver.c                  |    2 +-
 drivers/ata/libata-core.c                        |    8 +-
 drivers/ata/pata_arasan_cf.c                     |    4 +-
 drivers/atm/adummy.c                             |    2 +-
 drivers/atm/ambassador.c                         |    8 +-
 drivers/atm/atmtcp.c                             |   14 +-
 drivers/atm/eni.c                                |   10 +-
 drivers/atm/firestream.c                         |    8 +-
 drivers/atm/fore200e.c                           |   14 +-
 drivers/atm/he.c                                 |   18 +-
 drivers/atm/horizon.c                            |    4 +-
 drivers/atm/idt77252.c                           |   36 +-
 drivers/atm/iphase.c                             |   34 +-
 drivers/atm/lanai.c                              |   12 +-
 drivers/atm/nicstar.c                            |   46 +-
 drivers/atm/solos-pci.c                          |    4 +-
 drivers/atm/suni.c                               |    4 +-
 drivers/atm/uPD98402.c                           |   16 +-
 drivers/atm/zatm.c                               |    6 +-
 drivers/base/devtmpfs.c                          |    2 +-
 drivers/base/power/wakeup.c                      |    8 +-
 drivers/block/cciss.c                            |   28 +-
 drivers/block/cciss.h                            |    2 +-
 drivers/block/cpqarray.c                         |   28 +-
 drivers/block/cpqarray.h                         |    2 +-
 drivers/block/drbd/drbd_int.h                    |    6 +-
 drivers/block/drbd/drbd_main.c                   |    8 +-
 drivers/block/drbd/drbd_receiver.c               |   18 +-
 drivers/block/loop.c                             |    2 +-
 drivers/cdrom/cdrom.c                            |    9 +-
 drivers/cdrom/gdrom.c                            |    1 -
 drivers/char/agp/frontend.c                      |    2 +-
 drivers/char/hpet.c                              |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c              |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                 |    8 +-
 drivers/char/mem.c                               |   41 +-
 drivers/char/nvram.c                             |    2 +-
 drivers/char/pcmcia/synclink_cs.c                |   18 +-
 drivers/char/random.c                            |    8 +-
 drivers/char/sonypi.c                            |    9 +-
 drivers/char/tpm/tpm.c                           |    2 +-
 drivers/char/tpm/tpm_acpi.c                      |    3 +-
 drivers/char/tpm/tpm_eventlog.c                  |    7 +-
 drivers/char/virtio_console.c                    |    4 +-
 drivers/clocksource/arm_generic.c                |    2 +-
 drivers/cpufreq/cpufreq.c                        |    2 +-
 drivers/cpufreq/cpufreq_stats.c                  |    2 +-
 drivers/dma/sh/shdma.c                           |    2 +-
 drivers/edac/edac_pci_sysfs.c                    |   20 +-
 drivers/edac/mce_amd.h                           |    2 +-
 drivers/firewire/core-card.c                     |    2 +-
 drivers/firewire/core-cdev.c                     |    3 +-
 drivers/firewire/core-transaction.c              |    1 +
 drivers/firewire/core.h                          |    1 +
 drivers/firmware/dmi_scan.c                      |    7 +-
 drivers/firmware/efivars.c                       |    2 +-
 drivers/gpio/gpio-vr41xx.c                       |    2 +-
 drivers/gpu/drm/drm_crtc_helper.c                |    2 +-
 drivers/gpu/drm/drm_drv.c                        |    4 +-
 drivers/gpu/drm/drm_fops.c                       |   18 +-
 drivers/gpu/drm/drm_global.c                     |   14 +-
 drivers/gpu/drm/drm_info.c                       |   14 +-
 drivers/gpu/drm/drm_ioc32.c                      |    4 +-
 drivers/gpu/drm/drm_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_lock.c                       |    4 +-
 drivers/gpu/drm/drm_stub.c                       |    2 +-
 drivers/gpu/drm/i810/i810_dma.c                  |    8 +-
 drivers/gpu/drm/i810/i810_drv.h                  |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c              |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                  |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                  |    6 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c       |    6 +-
 drivers/gpu/drm/i915/i915_irq.c                  |   22 +-
 drivers/gpu/drm/i915/intel_display.c             |    9 +-
 drivers/gpu/drm/mga/mga_drv.h                    |    4 +-
 drivers/gpu/drm/mga/mga_irq.c                    |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c           |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_fence.h          |    2 +-
 drivers/gpu/drm/nouveau/nouveau_gem.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c            |    2 +-
 drivers/gpu/drm/r128/r128_cce.c                  |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                  |    4 +-
 drivers/gpu/drm/r128/r128_irq.c                  |    4 +-
 drivers/gpu/drm/r128/r128_state.c                |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c           |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h              |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c            |    2 +-
 drivers/gpu/drm/radeon/radeon_irq.c              |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c            |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c              |    4 +-
 drivers/gpu/drm/radeon/rs690.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c             |    4 +-
 drivers/gpu/drm/via/via_drv.h                    |    4 +-
 drivers/gpu/drm/via/via_irq.c                    |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h              |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c             |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c           |    2 +-
 drivers/hid/hid-core.c                           |    4 +-
 drivers/hv/channel.c                             |    4 +-
 drivers/hv/hv.c                                  |    2 +-
 drivers/hv/hyperv_vmbus.h                        |    2 +-
 drivers/hv/vmbus_drv.c                           |    4 +-
 drivers/hwmon/coretemp.c                         |    2 +-
 drivers/hwmon/sht15.c                            |   12 +-
 drivers/hwmon/via-cputemp.c                      |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c            |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c           |    2 +-
 drivers/ide/ide-cd.c                             |    2 +-
 drivers/infiniband/core/cm.c                     |   32 +-
 drivers/infiniband/core/fmr_pool.c               |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c           |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c          |    6 +-
 drivers/infiniband/hw/nes/nes.c                  |    4 +-
 drivers/infiniband/hw/nes/nes.h                  |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c               |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c              |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c              |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c            |   10 +-
 drivers/infiniband/hw/qib/qib.h                  |    1 +
 drivers/input/gameport/gameport.c                |    4 +-
 drivers/input/input.c                            |    4 +-
 drivers/input/joystick/sidewinder.c              |    1 +
 drivers/input/joystick/xpad.c                    |    4 +-
 drivers/input/mousedev.c                         |    2 +-
 drivers/input/serio/serio.c                      |    4 +-
 drivers/isdn/capi/capi.c                         |   10 +-
 drivers/isdn/gigaset/interface.c                 |    8 +-
 drivers/isdn/hardware/avm/b1.c                   |    4 +-
 drivers/isdn/i4l/isdn_tty.c                      |   22 +-
 drivers/isdn/icn/icn.c                           |    2 +-
 drivers/lguest/core.c                            |   10 +-
 drivers/lguest/x86/core.c                        |   12 +-
 drivers/lguest/x86/switcher_32.S                 |   27 +-
 drivers/md/bitmap.c                              |    2 +-
 drivers/md/dm-ioctl.c                            |    2 +-
 drivers/md/dm-raid1.c                            |   16 +-
 drivers/md/dm-stripe.c                           |   10 +-
 drivers/md/dm-table.c                            |    2 +-
 drivers/md/dm-thin-metadata.c                    |    4 +-
 drivers/md/dm.c                                  |   16 +-
 drivers/md/md.c                                  |   26 +-
 drivers/md/md.h                                  |    6 +-
 drivers/md/persistent-data/dm-space-map.h        |    1 +
 drivers/md/raid1.c                               |    4 +-
 drivers/md/raid10.c                              |   16 +-
 drivers/md/raid5.c                               |   10 +-
 drivers/media/dvb-core/dvbdev.c                  |    2 +-
 drivers/media/dvb-frontends/dib3000.h            |    2 +-
 drivers/media/platform/omap/omap_vout.c          |   11 +-
 drivers/media/platform/s5p-tv/mixer.h            |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c  |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c        |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c      |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c   |    2 +-
 drivers/media/radio/radio-cadet.c                |    2 +
 drivers/media/usb/dvb-usb/cxusb.c                |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c               |    2 +-
 drivers/message/fusion/mptsas.c                  |   34 +-
 drivers/message/fusion/mptscsih.c                |   19 +-
 drivers/message/i2o/i2o_proc.c                   |   51 +-
 drivers/message/i2o/iop.c                        |    8 +-
 drivers/mfd/janz-cmodio.c                        |    1 +
 drivers/misc/kgdbts.c                            |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c               |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h               |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                 |    8 +-
 drivers/misc/sgi-gru/grutables.h                 |  154 +-
 drivers/misc/sgi-xp/xp.h                         |    2 +-
 drivers/misc/sgi-xp/xpc.h                        |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                   |    4 +-
 drivers/mmc/core/mmc_ops.c                       |    2 +-
 drivers/mmc/host/dw_mmc.h                        |    2 +-
 drivers/mmc/host/sdhci-s3c.c                     |    8 +-
 drivers/mtd/devices/doc2000.c                    |    2 +-
 drivers/mtd/nand/denali.c                        |    1 +
 drivers/mtd/nftlmount.c                          |    1 +
 drivers/net/ethernet/8390/ax88796.c              |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c   |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h   |    3 +-
 drivers/net/ethernet/broadcom/tg3.h              |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h         |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c           |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c      |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c         |    2 +
 drivers/net/ethernet/faraday/ftmac100.c          |    2 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c     |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |    7 +-
 drivers/net/ethernet/realtek/r8169.c             |    8 +-
 drivers/net/ethernet/sfc/ptp.c                   |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c   |    4 +-
 drivers/net/hyperv/hyperv_net.h                  |    2 +-
 drivers/net/hyperv/rndis_filter.c                |    4 +-
 drivers/net/ieee802154/fakehard.c                |    2 +-
 drivers/net/macvlan.c                            |    2 +-
 drivers/net/macvtap.c                            |    2 +-
 drivers/net/ppp/ppp_generic.c                    |    4 +-
 drivers/net/team/team.c                          |    2 +-
 drivers/net/tun.c                                |    5 +-
 drivers/net/usb/hso.c                            |   23 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c      |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c      |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h              |    4 +-
 drivers/net/wireless/iwlegacy/3945-mac.c         |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c       |   26 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c        |    4 +-
 drivers/net/wireless/mac80211_hwsim.c            |   32 +-
 drivers/net/wireless/rndis_wlan.c                |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h             |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c        |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c            |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c            |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c            |    6 +-
 drivers/oprofile/buffer_sync.c                   |    8 +-
 drivers/oprofile/event_buffer.c                  |    2 +-
 drivers/oprofile/oprof.c                         |    2 +-
 drivers/oprofile/oprofile_stats.c                |   10 +-
 drivers/oprofile/oprofile_stats.h                |   10 +-
 drivers/oprofile/oprofilefs.c                    |    2 +-
 drivers/oprofile/timer_int.c                     |    2 +-
 drivers/parport/procfs.c                         |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c             |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c              |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c               |    4 +
 drivers/pci/pcie/aspm.c                          |    6 +-
 drivers/pci/probe.c                              |    2 +-
 drivers/platform/x86/thinkpad_acpi.c             |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                  |   14 +-
 drivers/pnp/resource.c                           |    4 +-
 drivers/power/pda_power.c                        |    7 +-
 drivers/regulator/max8660.c                      |    6 +-
 drivers/regulator/max8973-regulator.c            |    8 +-
 drivers/regulator/mc13892-regulator.c            |    6 +-
 drivers/scsi/bfa/bfa.h                           |    2 +-
 drivers/scsi/bfa/bfa_fcpim.h                     |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                       |    4 +-
 drivers/scsi/hosts.c                             |    4 +-
 drivers/scsi/hpsa.c                              |   30 +-
 drivers/scsi/hpsa.h                              |    2 +-
 drivers/scsi/libfc/fc_exch.c                     |   50 +-
 drivers/scsi/libsas/sas_ata.c                    |    2 +-
 drivers/scsi/lpfc/lpfc.h                         |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                 |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                    |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                    |   16 +-
 drivers/scsi/pmcraid.c                           |   20 +-
 drivers/scsi/pmcraid.h                           |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                  |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                   |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                    |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                   |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                    |    6 +-
 drivers/scsi/scsi.c                              |    2 +-
 drivers/scsi/scsi_lib.c                          |    6 +-
 drivers/scsi/scsi_sysfs.c                        |    2 +-
 drivers/scsi/scsi_tgt_lib.c                      |    2 +-
 drivers/scsi/scsi_transport_fc.c                 |    8 +-
 drivers/scsi/scsi_transport_iscsi.c              |    6 +-
 drivers/scsi/scsi_transport_srp.c                |    6 +-
 drivers/scsi/sd.c                                |    2 +-
 drivers/scsi/sg.c                                |    2 +-
 drivers/spi/spi.c                                |    2 +-
 drivers/staging/octeon/ethernet-rx.c             |   12 +-
 drivers/staging/octeon/ethernet.c                |    8 +-
 drivers/staging/ramster/tmem.c                   |   54 +-
 drivers/staging/rtl8712/rtl871x_io.h             |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c               |    2 +-
 drivers/staging/usbip/vhci.h                     |    2 +-
 drivers/staging/usbip/vhci_hcd.c                 |    6 +-
 drivers/staging/usbip/vhci_rx.c                  |    2 +-
 drivers/staging/vt6655/hostap.c                  |    7 +-
 drivers/staging/vt6656/hostap.c                  |    7 +-
 drivers/staging/zcache/tmem.c                    |    4 +-
 drivers/staging/zcache/tmem.h                    |    2 +
 drivers/target/target_core_device.c              |    2 +-
 drivers/target/target_core_transport.c           |    2 +-
 drivers/tty/cyclades.c                           |    6 +-
 drivers/tty/hvc/hvc_console.c                    |   14 +-
 drivers/tty/hvc/hvcs.c                           |   21 +-
 drivers/tty/ipwireless/tty.c                     |   27 +-
 drivers/tty/moxa.c                               |    2 +-
 drivers/tty/n_gsm.c                              |    4 +-
 drivers/tty/n_tty.c                              |    3 +-
 drivers/tty/pty.c                                |    4 +-
 drivers/tty/rocket.c                             |    6 +-
 drivers/tty/serial/kgdboc.c                      |   32 +-
 drivers/tty/serial/samsung.c                     |    9 +-
 drivers/tty/serial/serial_core.c                 |    8 +-
 drivers/tty/synclink.c                           |   34 +-
 drivers/tty/synclink_gt.c                        |   28 +-
 drivers/tty/synclinkmp.c                         |   34 +-
 drivers/tty/tty_io.c                             |    2 +-
 drivers/tty/tty_ldisc.c                          |   10 +-
 drivers/tty/tty_port.c                           |   22 +-
 drivers/uio/uio.c                                |   21 +-
 drivers/usb/atm/cxacru.c                         |    2 +-
 drivers/usb/atm/usbatm.c                         |   24 +-
 drivers/usb/core/devices.c                       |    6 +-
 drivers/usb/core/hcd.c                           |    4 +-
 drivers/usb/core/sysfs.c                         |    2 +-
 drivers/usb/core/usb.c                           |    2 +-
 drivers/usb/early/ehci-dbgp.c                    |   16 +-
 drivers/usb/gadget/u_serial.c                    |   22 +-
 drivers/usb/serial/console.c                     |    6 +-
 drivers/usb/wusbcore/wa-hc.h                     |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                   |    2 +-
 drivers/video/aty/aty128fb.c                     |    2 +-
 drivers/video/fbcmap.c                           |    3 +-
 drivers/video/fbmem.c                            |    6 +-
 drivers/video/i810/i810_accel.c                  |    1 +
 drivers/video/udlfb.c                            |   32 +-
 drivers/video/uvesafb.c                          |   39 +-
 drivers/video/vesafb.c                           |   51 +-
 drivers/video/via/via_clock.h                    |    2 +-
 fs/9p/vfs_inode.c                                |    2 +-
 fs/Kconfig.binfmt                                |    2 +-
 fs/aio.c                                         |   11 +-
 fs/autofs4/waitq.c                               |    2 +-
 fs/befs/linuxvfs.c                               |    2 +-
 fs/binfmt_aout.c                                 |   23 +-
 fs/binfmt_elf.c                                  |  604 ++++-
 fs/binfmt_flat.c                                 |    6 +
 fs/bio.c                                         |    6 +-
 fs/block_dev.c                                   |    2 +-
 fs/btrfs/ctree.c                                 |    9 +-
 fs/btrfs/relocation.c                            |    2 +-
 fs/btrfs/super.c                                 |    2 +-
 fs/cachefiles/bind.c                             |    6 +-
 fs/cachefiles/daemon.c                           |    8 +-
 fs/cachefiles/internal.h                         |   12 +-
 fs/cachefiles/namei.c                            |    2 +-
 fs/cachefiles/proc.c                             |   12 +-
 fs/cachefiles/rdwr.c                             |    2 +-
 fs/ceph/dir.c                                    |    2 +-
 fs/cifs/cifs_debug.c                             |   12 +-
 fs/cifs/cifsfs.c                                 |    8 +-
 fs/cifs/cifsglob.h                               |   54 +-
 fs/cifs/link.c                                   |    2 +-
 fs/cifs/misc.c                                   |    4 +-
 fs/cifs/smb1ops.c                                |   80 +-
 fs/cifs/smb2ops.c                                |   84 +-
 fs/cifs/smb2pdu.c                                |    3 +-
 fs/coda/cache.c                                  |   10 +-
 fs/compat.c                                      |    6 +-
 fs/compat_binfmt_elf.c                           |    2 +
 fs/compat_ioctl.c                                |    8 +-
 fs/configfs/dir.c                                |   10 +-
 fs/coredump.c                                    |   24 +-
 fs/dcache.c                                      |    2 +-
 fs/ecryptfs/inode.c                              |    4 +-
 fs/ecryptfs/miscdev.c                            |    2 +-
 fs/ecryptfs/read_write.c                         |    4 +-
 fs/exec.c                                        |  356 ++-
 fs/ext4/ext4.h                                   |   20 +-
 fs/ext4/mballoc.c                                |   44 +-
 fs/fhandle.c                                     |    3 +-
 fs/fifo.c                                        |   22 +-
 fs/fs_struct.c                                   |    8 +-
 fs/fscache/cookie.c                              |   36 +-
 fs/fscache/internal.h                            |  196 +-
 fs/fscache/object.c                              |   28 +-
 fs/fscache/operation.c                           |   30 +-
 fs/fscache/page.c                                |  110 +-
 fs/fscache/stats.c                               |  344 +-
 fs/fuse/cuse.c                                   |   10 +-
 fs/fuse/dev.c                                    |    2 +-
 fs/fuse/dir.c                                    |    2 +-
 fs/gfs2/inode.c                                  |    2 +-
 fs/hugetlbfs/inode.c                             |   13 +-
 fs/inode.c                                       |    4 +-
 fs/jffs2/erase.c                                 |    3 +-
 fs/jffs2/wbuf.c                                  |    3 +-
 fs/jfs/super.c                                   |    2 +-
 fs/libfs.c                                       |   10 +-
 fs/lockd/clntproc.c                              |    4 +-
 fs/locks.c                                       |    8 +-
 fs/namei.c                                       |   15 +-
 fs/namespace.c                                   |    2 +-
 fs/nfs/inode.c                                   |    6 +-
 fs/nfsd/vfs.c                                    |    6 +-
 fs/notify/fanotify/fanotify_user.c               |    4 +-
 fs/notify/notification.c                         |    4 +-
 fs/ntfs/dir.c                                    |    2 +-
 fs/ntfs/file.c                                   |    4 +-
 fs/ocfs2/localalloc.c                            |    2 +-
 fs/ocfs2/ocfs2.h                                 |   10 +-
 fs/ocfs2/suballoc.c                              |   12 +-
 fs/ocfs2/super.c                                 |   20 +-
 fs/pipe.c                                        |   33 +-
 fs/proc/array.c                                  |   20 +
 fs/proc/kcore.c                                  |   32 +-
 fs/proc/meminfo.c                                |    2 +-
 fs/proc/nommu.c                                  |    2 +-
 fs/proc/self.c                                   |    2 +-
 fs/proc/task_mmu.c                               |   39 +-
 fs/proc/task_nommu.c                             |    4 +-
 fs/quota/netlink.c                               |    4 +-
 fs/readdir.c                                     |    2 +-
 fs/reiserfs/do_balan.c                           |    2 +-
 fs/reiserfs/procfs.c                             |    2 +-
 fs/reiserfs/reiserfs.h                           |    4 +-
 fs/seq_file.c                                    |    2 +-
 fs/splice.c                                      |   36 +-
 fs/sysfs/file.c                                  |   10 +-
 fs/sysfs/symlink.c                               |    2 +-
 fs/udf/misc.c                                    |    2 +-
 fs/xattr_acl.c                                   |    4 +-
 fs/xfs/xfs_bmap.c                                |    2 +-
 fs/xfs/xfs_dir2_sf.c                             |   10 +-
 fs/xfs/xfs_ioctl.c                               |    2 +-
 fs/xfs/xfs_iops.c                                |    2 +-
 include/asm-generic/4level-fixup.h               |    2 +
 include/asm-generic/atomic-long.h                |  210 ++
 include/asm-generic/atomic.h                     |    2 +-
 include/asm-generic/atomic64.h                   |   12 +
 include/asm-generic/cache.h                      |    4 +-
 include/asm-generic/emergency-restart.h          |    2 +-
 include/asm-generic/kmap_types.h                 |    4 +-
 include/asm-generic/local.h                      |   13 +
 include/asm-generic/pgtable-nopmd.h              |   18 +-
 include/asm-generic/pgtable-nopud.h              |   15 +-
 include/asm-generic/pgtable.h                    |    8 +
 include/asm-generic/vmlinux.lds.h                |   10 +-
 include/crypto/algapi.h                          |    2 +-
 include/drm/drmP.h                               |    5 +-
 include/drm/drm_crtc_helper.h                    |    2 +-
 include/drm/ttm/ttm_memory.h                     |    2 +-
 include/linux/atmdev.h                           |    2 +-
 include/linux/binfmts.h                          |    1 +
 include/linux/blkdev.h                           |    2 +-
 include/linux/blktrace_api.h                     |    2 +-
 include/linux/cache.h                            |    4 +
 include/linux/cdrom.h                            |    1 -
 include/linux/cleancache.h                       |    2 +-
 include/linux/compiler-gcc4.h                    |   20 +
 include/linux/compiler.h                         |   72 +-
 include/linux/cpu.h                              |    2 +-
 include/linux/crypto.h                           |    6 +-
 include/linux/decompress/mm.h                    |    2 +-
 include/linux/dma-mapping.h                      |    2 +-
 include/linux/dmaengine.h                        |    4 +-
 include/linux/efi.h                              |    1 +
 include/linux/elf.h                              |    2 +
 include/linux/filter.h                           |    4 +
 include/linux/frontswap.h                        |    2 +-
 include/linux/fs.h                               |    3 +-
 include/linux/fs_struct.h                        |    2 +-
 include/linux/fscache-cache.h                    |    4 +-
 include/linux/fsnotify.h                         |    2 +-
 include/linux/ftrace_event.h                     |    2 +-
 include/linux/genhd.h                            |    2 +-
 include/linux/gfp.h                              |   12 +-
 include/linux/highmem.h                          |   12 +
 include/linux/i2c.h                              |    1 +
 include/linux/i2o.h                              |    2 +-
 include/linux/if_pppox.h                         |    2 +-
 include/linux/init.h                             |   33 +-
 include/linux/init_task.h                        |    7 +
 include/linux/interrupt.h                        |    8 +-
 include/linux/kgdb.h                             |    6 +-
 include/linux/kobject.h                          |    2 +-
 include/linux/kref.h                             |    2 +-
 include/linux/kvm_host.h                         |    4 +-
 include/linux/libata.h                           |    2 +-
 include/linux/list.h                             |    3 +
 include/linux/mm.h                               |   91 +-
 include/linux/mm_types.h                         |   22 +-
 include/linux/mmiotrace.h                        |    4 +-
 include/linux/mmzone.h                           |    2 +-
 include/linux/mod_devicetable.h                  |    4 +-
 include/linux/module.h                           |   55 +-
 include/linux/moduleloader.h                     |   18 +-
 include/linux/moduleparam.h                      |    4 +-
 include/linux/namei.h                            |    6 +-
 include/linux/netdevice.h                        |    3 +-
 include/linux/netfilter/ipset/ip_set.h           |    2 +-
 include/linux/netfilter/nfnetlink.h              |    2 +-
 include/linux/notifier.h                         |    3 +-
 include/linux/oprofile.h                         |    4 +-
 include/linux/perf_event.h                       |   10 +-
 include/linux/pipe_fs_i.h                        |    6 +-
 include/linux/platform_data/usb-ehci-s5p.h       |    2 +-
 include/linux/pm_runtime.h                       |    2 +-
 include/linux/poison.h                           |    4 +-
 include/linux/power/smartreflex.h                |    2 +-
 include/linux/random.h                           |    5 +
 include/linux/reboot.h                           |   14 +-
 include/linux/regset.h                           |    3 +-
 include/linux/relay.h                            |    2 +-
 include/linux/rio.h                              |    2 +-
 include/linux/rmap.h                             |    4 +-
 include/linux/sched.h                            |   64 +-
 include/linux/seq_file.h                         |    1 +
 include/linux/skbuff.h                           |   12 +-
 include/linux/slab.h                             |   36 +-
 include/linux/slab_def.h                         |   33 +-
 include/linux/slob_def.h                         |    4 +-
 include/linux/slub_def.h                         |   10 +-
 include/linux/sonet.h                            |    2 +-
 include/linux/sunrpc/clnt.h                      |    8 +-
 include/linux/sunrpc/svc_rdma.h                  |   18 +-
 include/linux/sysrq.h                            |    2 +-
 include/linux/thread_info.h                      |    7 +
 include/linux/tty.h                              |    4 +-
 include/linux/tty_driver.h                       |    2 +-
 include/linux/tty_ldisc.h                        |    2 +-
 include/linux/types.h                            |   16 +
 include/linux/uaccess.h                          |    6 +-
 include/linux/unaligned/access_ok.h              |   12 +-
 include/linux/usb.h                              |    2 +-
 include/linux/usb/renesas_usbhs.h                |    2 +-
 include/linux/vermagic.h                         |   21 +-
 include/linux/vmalloc.h                          |   11 +-
 include/linux/vmstat.h                           |   20 +-
 include/media/v4l2-dev.h                         |    2 +-
 include/media/v4l2-ioctl.h                       |    1 -
 include/net/caif/cfctrl.h                        |    6 +-
 include/net/flow.h                               |    2 +-
 include/net/gro_cells.h                          |    6 +-
 include/net/inet_connection_sock.h               |    2 +-
 include/net/inetpeer.h                           |    8 +-
 include/net/ip_fib.h                             |    2 +-
 include/net/ip_vs.h                              |    4 +-
 include/net/irda/ircomm_tty.h                    |    1 +
 include/net/iucv/af_iucv.h                       |    2 +-
 include/net/neighbour.h                          |    2 +-
 include/net/net_namespace.h                      |    6 +-
 include/net/netdma.h                             |    2 +-
 include/net/netlink.h                            |    2 +-
 include/net/netns/ipv4.h                         |    2 +-
 include/net/protocol.h                           |    4 +-
 include/net/sctp/sctp.h                          |    6 +-
 include/net/sctp/structs.h                       |    4 +-
 include/net/sock.h                               |    6 +-
 include/net/tcp.h                                |    8 +-
 include/net/xfrm.h                               |    4 +-
 include/rdma/iw_cm.h                             |    2 +-
 include/scsi/libfc.h                             |    3 +-
 include/scsi/scsi_device.h                       |    6 +-
 include/scsi/scsi_transport_fc.h                 |    3 +-
 include/sound/soc.h                              |    4 +-
 include/target/target_core_base.h                |    2 +-
 include/trace/events/irq.h                       |    4 +-
 include/uapi/linux/a.out.h                       |    8 +
 include/uapi/linux/byteorder/little_endian.h     |   24 +-
 include/uapi/linux/elf.h                         |   28 +
 include/uapi/linux/screen_info.h                 |    3 +-
 include/uapi/linux/sysctl.h                      |    6 +-
 include/uapi/linux/xattr.h                       |    4 +
 include/video/udlfb.h                            |    8 +-
 include/video/uvesafb.h                          |    1 +
 init/Kconfig                                     |    2 +-
 init/Makefile                                    |    3 +
 init/do_mounts.c                                 |   14 +-
 init/do_mounts.h                                 |    8 +-
 init/do_mounts_initrd.c                          |   22 +-
 init/do_mounts_md.c                              |    6 +-
 init/init_task.c                                 |    4 +
 init/initramfs.c                                 |   40 +-
 init/main.c                                      |   78 +-
 ipc/msg.c                                        |   11 +-
 ipc/sem.c                                        |   11 +-
 ipc/shm.c                                        |   17 +-
 kernel/acct.c                                    |    2 +-
 kernel/audit.c                                   |    8 +-
 kernel/auditsc.c                                 |    4 +-
 kernel/capability.c                              |    3 +
 kernel/compat.c                                  |   40 +-
 kernel/debug/debug_core.c                        |   16 +-
 kernel/debug/kdb/kdb_main.c                      |    4 +-
 kernel/events/core.c                             |   28 +-
 kernel/exit.c                                    |    4 +-
 kernel/fork.c                                    |  167 +-
 kernel/futex.c                                   |    9 +
 kernel/gcov/base.c                               |    7 +-
 kernel/hrtimer.c                                 |    4 +-
 kernel/jump_label.c                              |    5 +
 kernel/kallsyms.c                                |   39 +-
 kernel/kexec.c                                   |    3 +-
 kernel/kmod.c                                    |    2 +-
 kernel/kprobes.c                                 |    8 +-
 kernel/lockdep.c                                 |    7 +-
 kernel/module.c                                  |  333 ++-
 kernel/mutex-debug.c                             |   12 +-
 kernel/mutex-debug.h                             |    4 +-
 kernel/mutex.c                                   |    7 +-
 kernel/notifier.c                                |   17 +-
 kernel/panic.c                                   |    3 +-
 kernel/pid.c                                     |    2 +-
 kernel/posix-cpu-timers.c                        |    4 +-
 kernel/posix-timers.c                            |   20 +-
 kernel/power/process.c                           |   12 +-
 kernel/profile.c                                 |   14 +-
 kernel/ptrace.c                                  |    6 +-
 kernel/rcutiny.c                                 |    4 +-
 kernel/rcutiny_plugin.h                          |    2 +-
 kernel/rcutorture.c                              |   56 +-
 kernel/rcutree.c                                 |   72 +-
 kernel/rcutree.h                                 |   24 +-
 kernel/rcutree_plugin.h                          |   18 +-
 kernel/rcutree_trace.c                           |   22 +-
 kernel/rtmutex-tester.c                          |   24 +-
 kernel/sched/auto_group.c                        |    4 +-
 kernel/sched/core.c                              |    2 +-
 kernel/sched/fair.c                              |    4 +-
 kernel/signal.c                                  |   12 +-
 kernel/smp.c                                     |    2 +-
 kernel/softirq.c                                 |   16 +-
 kernel/srcu.c                                    |    6 +-
 kernel/stop_machine.c                            |    2 +-
 kernel/sys.c                                     |   12 +-
 kernel/sysctl.c                                  |   37 +-
 kernel/sysctl_binary.c                           |   14 +-
 kernel/time/alarmtimer.c                         |    2 +-
 kernel/time/tick-broadcast.c                     |    2 +-
 kernel/time/timer_stats.c                        |   10 +-
 kernel/timer.c                                   |    4 +-
 kernel/trace/blktrace.c                          |    6 +-
 kernel/trace/ftrace.c                            |   20 +-
 kernel/trace/ring_buffer.c                       |   76 +-
 kernel/trace/trace.c                             |    6 +-
 kernel/trace/trace_events.c                      |   25 +-
 kernel/trace/trace_mmiotrace.c                   |    8 +-
 kernel/trace/trace_output.c                      |   12 +-
 kernel/trace/trace_stack.c                       |    2 +-
 lib/Makefile                                     |    2 +-
 lib/bitmap.c                                     |    8 +-
 lib/bug.c                                        |    2 +
 lib/debugobjects.c                               |    2 +-
 lib/devres.c                                     |    4 +-
 lib/dma-debug.c                                  |    4 +-
 lib/inflate.c                                    |    2 +-
 lib/ioremap.c                                    |    4 +-
 lib/list_debug.c                                 |   89 +-
 lib/radix-tree.c                                 |    2 +-
 lib/strncpy_from_user.c                          |    2 +-
 lib/strnlen_user.c                               |    2 +-
 lib/vsprintf.c                                   |   12 +-
 mm/Kconfig                                       |    6 +-
 mm/filemap.c                                     |    2 +-
 mm/fremap.c                                      |    5 +
 mm/highmem.c                                     |    7 +-
 mm/hugetlb.c                                     |   54 +
 mm/internal.h                                    |    1 +
 mm/maccess.c                                     |    4 +-
 mm/madvise.c                                     |   41 +
 mm/memory-failure.c                              |   18 +-
 mm/memory.c                                      |  404 ++-
 mm/mempolicy.c                                   |   26 +
 mm/mlock.c                                       |   16 +-
 mm/mmap.c                                        |  573 +++-
 mm/mprotect.c                                    |  138 +-
 mm/mremap.c                                      |   44 +-
 mm/nommu.c                                       |   11 +-
 mm/page-writeback.c                              |    2 +-
 mm/page_alloc.c                                  |   14 +-
 mm/percpu.c                                      |    2 +-
 mm/process_vm_access.c                           |   14 +-
 mm/rmap.c                                        |   38 +-
 mm/shmem.c                                       |   19 +-
 mm/slab.c                                        |  104 +-
 mm/slab.h                                        |    5 +-
 mm/slab_common.c                                 |    9 +-
 mm/slob.c                                        |  200 +-
 mm/slub.c                                        |   98 +-
 mm/sparse-vmemmap.c                              |    4 +-
 mm/sparse.c                                      |    2 +-
 mm/swap.c                                        |    3 +
 mm/swapfile.c                                    |   12 +-
 mm/util.c                                        |    6 +
 mm/vmalloc.c                                     |   82 +-
 mm/vmstat.c                                      |   12 +-
 net/8021q/vlan.c                                 |    5 +-
 net/9p/trans_fd.c                                |    2 +-
 net/atm/atm_misc.c                               |    8 +-
 net/atm/lec.h                                    |    2 +-
 net/atm/proc.c                                   |    6 +-
 net/atm/resources.c                              |    4 +-
 net/batman-adv/bat_iv_ogm.c                      |    8 +-
 net/batman-adv/hard-interface.c                  |    4 +-
 net/batman-adv/soft-interface.c                  |    4 +-
 net/batman-adv/types.h                           |    6 +-
 net/batman-adv/unicast.c                         |    2 +-
 net/bluetooth/hci_sock.c                         |    2 +-
 net/bluetooth/l2cap_core.c                       |    6 +-
 net/bluetooth/l2cap_sock.c                       |   12 +-
 net/bluetooth/rfcomm/sock.c                      |    4 +-
 net/bluetooth/rfcomm/tty.c                       |   10 +-
 net/bridge/netfilter/ebtables.c                  |    6 +-
 net/caif/cfctrl.c                                |   11 +-
 net/can/af_can.c                                 |    2 +-
 net/can/gw.c                                     |    6 +-
 net/compat.c                                     |   34 +-
 net/core/datagram.c                              |    2 +-
 net/core/dev.c                                   |   16 +-
 net/core/flow.c                                  |    8 +-
 net/core/iovec.c                                 |    4 +-
 net/core/rtnetlink.c                             |    2 +-
 net/core/scm.c                                   |    8 +-
 net/core/sock.c                                  |   24 +-
 net/decnet/sysctl_net_decnet.c                   |    4 +-
 net/ipv4/ah4.c                                   |    2 +-
 net/ipv4/esp4.c                                  |    2 +-
 net/ipv4/fib_frontend.c                          |    6 +-
 net/ipv4/fib_semantics.c                         |    2 +-
 net/ipv4/inetpeer.c                              |    4 +-
 net/ipv4/ip_fragment.c                           |    2 +-
 net/ipv4/ip_sockglue.c                           |    2 +-
 net/ipv4/ipcomp.c                                |    2 +-
 net/ipv4/ipconfig.c                              |    6 +-
 net/ipv4/netfilter/arp_tables.c                  |   12 +-
 net/ipv4/netfilter/ip_tables.c                   |   12 +-
 net/ipv4/ping.c                                  |    2 +-
 net/ipv4/raw.c                                   |   14 +-
 net/ipv4/route.c                                 |    2 +-
 net/ipv4/tcp_input.c                             |    2 +-
 net/ipv4/tcp_probe.c                             |    2 +-
 net/ipv4/udp.c                                   |   10 +-
 net/ipv6/addrconf.c                              |    2 +-
 net/ipv6/ip6_gre.c                               |    2 +-
 net/ipv6/ipv6_sockglue.c                         |    2 +-
 net/ipv6/netfilter/ip6_tables.c                  |   12 +-
 net/ipv6/raw.c                                   |   19 +-
 net/ipv6/udp.c                                   |    8 +-
 net/irda/ircomm/ircomm_tty.c                     |   18 +-
 net/iucv/af_iucv.c                               |    4 +-
 net/iucv/iucv.c                                  |    2 +-
 net/key/af_key.c                                 |    4 +-
 net/mac80211/cfg.c                               |    4 +-
 net/mac80211/ieee80211_i.h                       |    3 +-
 net/mac80211/iface.c                             |   14 +-
 net/mac80211/main.c                              |    2 +-
 net/mac80211/pm.c                                |    6 +-
 net/mac80211/rate.c                              |    2 +-
 net/mac80211/rc80211_pid_debugfs.c               |    2 +-
 net/mac80211/util.c                              |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                  |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |   10 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                  |    4 +-
 net/netfilter/nfnetlink_log.c                    |    4 +-
 net/netfilter/xt_statistic.c                     |    8 +-
 net/netlink/af_netlink.c                         |    4 +-
 net/packet/af_packet.c                           |   12 +-
 net/phonet/pep.c                                 |    6 +-
 net/phonet/socket.c                              |    2 +-
 net/rds/cong.c                                   |    6 +-
 net/rds/ib.h                                     |    2 +-
 net/rds/ib_cm.c                                  |    2 +-
 net/rds/ib_recv.c                                |    4 +-
 net/rds/iw.h                                     |    2 +-
 net/rds/iw_cm.c                                  |    2 +-
 net/rds/iw_recv.c                                |    4 +-
 net/rds/tcp.c                                    |    2 +-
 net/rds/tcp_send.c                               |    2 +-
 net/rxrpc/af_rxrpc.c                             |    2 +-
 net/rxrpc/ar-ack.c                               |   14 +-
 net/rxrpc/ar-call.c                              |    2 +-
 net/rxrpc/ar-connection.c                        |    2 +-
 net/rxrpc/ar-connevent.c                         |    2 +-
 net/rxrpc/ar-input.c                             |    4 +-
 net/rxrpc/ar-internal.h                          |    8 +-
 net/rxrpc/ar-local.c                             |    2 +-
 net/rxrpc/ar-output.c                            |    4 +-
 net/rxrpc/ar-peer.c                              |    2 +-
 net/rxrpc/ar-proc.c                              |    4 +-
 net/rxrpc/ar-transport.c                         |    2 +-
 net/rxrpc/rxkad.c                                |    4 +-
 net/sctp/ipv6.c                                  |    2 +-
 net/sctp/protocol.c                              |    8 +-
 net/sctp/socket.c                                |    2 +
 net/socket.c                                     |   34 +-
 net/sunrpc/sched.c                               |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                   |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c          |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c            |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c         |   10 +-
 net/tipc/link.c                                  |    6 +-
 net/tipc/msg.c                                   |    2 +-
 net/tipc/subscr.c                                |    2 +-
 net/wireless/wext-core.c                         |   19 +-
 net/xfrm/xfrm_policy.c                           |   16 +-
 net/xfrm/xfrm_state.c                            |    4 +-
 scripts/Makefile.build                           |    2 +-
 scripts/Makefile.clean                           |    3 +-
 scripts/Makefile.host                            |   28 +-
 scripts/basic/fixdep.c                           |   12 +-
 scripts/gcc-plugin.sh                            |   17 +
 scripts/link-vmlinux.sh                          |    2 +-
 scripts/mod/file2alias.c                         |   14 +-
 scripts/mod/modpost.c                            |   25 +-
 scripts/mod/modpost.h                            |    6 +-
 scripts/mod/sumversion.c                         |    2 +-
 scripts/pnmtologo.c                              |    6 +-
 security/Kconfig                                 |  654 ++++-
 security/integrity/ima/ima.h                     |    4 +-
 security/integrity/ima/ima_api.c                 |    2 +-
 security/integrity/ima/ima_fs.c                  |    4 +-
 security/integrity/ima/ima_queue.c               |    2 +-
 security/keys/compat.c                           |    2 +-
 security/keys/keyctl.c                           |    8 +-
 security/keys/keyring.c                          |    6 +-
 security/security.c                              |    9 +-
 security/selinux/hooks.c                         |    2 +-
 security/selinux/include/xfrm.h                  |    2 +-
 security/smack/smack_lsm.c                       |    2 +-
 security/tomoyo/tomoyo.c                         |    2 +-
 sound/aoa/codecs/onyx.c                          |    7 +-
 sound/aoa/codecs/onyx.h                          |    1 +
 sound/core/oss/pcm_oss.c                         |   18 +-
 sound/core/pcm_compat.c                          |    2 +-
 sound/core/pcm_native.c                          |    4 +-
 sound/core/seq/seq_device.c                      |    8 +-
 sound/drivers/mts64.c                            |   14 +-
 sound/drivers/opl4/opl4_lib.c                    |    2 +-
 sound/drivers/portman2x4.c                       |    3 +-
 sound/firewire/amdtp.c                           |    4 +-
 sound/firewire/amdtp.h                           |    2 +-
 sound/firewire/isight.c                          |   10 +-
 sound/firewire/scs1x.c                           |    8 +-
 sound/oss/sb_audio.c                             |    2 +-
 sound/oss/swarm_cs4297a.c                        |    6 +-
 sound/pci/ymfpci/ymfpci.h                        |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                   |   12 +-
 tools/gcc/.gitignore                             |    1 +
 tools/gcc/Makefile                               |   43 +
 tools/gcc/checker_plugin.c                       |  171 +
 tools/gcc/colorize_plugin.c                      |  151 +
 tools/gcc/constify_plugin.c                      |  359 +++
 tools/gcc/generate_size_overflow_hash.sh         |   94 +
 tools/gcc/kallocstat_plugin.c                    |  170 +
 tools/gcc/kernexec_plugin.c                      |  465 +++
 tools/gcc/latent_entropy_plugin.c                |  321 ++
 tools/gcc/size_overflow_hash.data                | 3713 ++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c                 | 1941 +++++++++++
 tools/gcc/stackleak_plugin.c                     |  327 ++
 tools/perf/util/include/asm/alternative-asm.h    |    3 +
 virt/kvm/kvm_main.c                              |   32 +-
 1311 files changed, 26668 insertions(+), 6394 deletions(-)
commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
Merge: 0949bd4 fc53d63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:03:44 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit fc53d6338964741b368070ec5c935bc579b8c2a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 19:02:45 2012 -0400

    Update to pax-linux-3.2.12-test33.patch

commit 0949bd46a6455b308f66ad7c993bfee62412db35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 22 16:56:09 2012 -0400

    Use current_umask() instead of current->fs->umask

commit 22f6432d0fe733619cfcb523782ed7d80c46d645
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:42:42 2012 -0400

    compile fix

commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 21 19:34:56 2012 -0400

    Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
    uses of domains with particular hash collisions

commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 20:25:49 2012 -0400

    zero kernel_role

commit b00953b43c69238d181d21121ef1577c988d5f6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:29:34 2012 -0400

    zero real_root after releasing it

commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
Merge: b724f59 273f98e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:11:26 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 273f98e58cdac555d3b5dce5c1ca168349f95878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 19:10:52 2012 -0400

    Temporary workaround for (most) size_overflow plugin false-positives
    Increase randomization for brk-managed heap to 21 bits
    Update to pax-linux-3.2.12-test32.patch

commit b724f59125304460c2af8bd4b02921993afbb5d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:58:53 2012 -0400

    compile fix

commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:52:23 2012 -0400

    Require default and kernel role

commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 20 18:47:28 2012 -0400

    Allow policies without special roles
    don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)

commit 402ec3d24d66d38403dc543c84851f5e72d39e22
Merge: 8e012dc f14661a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:06:59 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/namei.c

commit f14661aaf202155c97f66626cea0269017bb7775
Merge: eae671f 058b017
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 19 18:05:44 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Date:   Fri Mar 16 17:08:39 2012 -0700

    nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    
    According to the report from Slicky Devil, nilfs caused kernel oops at
    nilfs_load_super_block function during mount after he shrank the
    partition without resizing the filesystem:
    
     BUG: unable to handle kernel NULL pointer dereference at 00000048
     IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
     *pde = 00000000
     Oops: 0000 [#1] PREEMPT SMP
     ...
     Call Trace:
      [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
      [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
      [<c0226636>] mount_fs+0x36/0x180
      [<c023d961>] vfs_kern_mount+0x51/0xa0
      [<c023ddae>] do_kern_mount+0x3e/0xe0
      [<c023f189>] do_mount+0x169/0x700
      [<c023fa9b>] sys_mount+0x6b/0xa0
      [<c04abd1f>] sysenter_do_call+0x12/0x28
     Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
     20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
     48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
     EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
     CR2: 0000000000000048
    
    This turned out due to a defect in an error path which runs if the
    calculated location of the secondary super block was invalid.
    
    This patch fixes it and eliminates the reported oops.
    
    Reported-by: Slicky Devil <slicky.dvl@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Slicky Devil <slicky.dvl@gmail.com>
    Cc: <stable@vger.kernel.org>        [2.6.30+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Fri Mar 16 17:08:38 2012 -0700

    nilfs2: clamp ns_r_segments_percentage to [1, 99]
    
    ns_r_segments_percentage is read from the disk.  Bogus or malicious
    value could cause integer overflow and malfunction due to meaningless
    disk usage calculation.  This patch reports error when mounting such
    bogus volumes.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit e1a90645643f9b0194a5984ec8febd06360d5c8b
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Sat Mar 10 09:20:21 2012 +0000

    tcp: fix syncookie regression
    
    commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
    added a serious regression on synflood handling.
    
    Simon Kirby discovered a successful connection was delayed by 20 seconds
    before being responsive.
    
    In my tests, I discovered that xmit frames were lost, and needed ~4
    retransmits and a socket dst rebuild before being really sent.
    
    In case of syncookie initiated connection, we use a different path to
    initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
    
    As ip_queue_xmit() now depends on inet flow being setup, fix this by
    copying the temp flowi4 we use in cookie_v4_check().
    
    Reported-by: Simon Kirby <sim@netnation.com>
    Bisected-by: Simon Kirby <sim@netnation.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Mon Mar 12 02:59:41 2012 +0000

    tun: don't hold network namespace by tun sockets
    
    v3: added previously removed sock_put() to the tun_release() callback, because
    sk_release_kernel() doesn't drop the socket reference.
    
    v2: sk_release_kernel() used for socket release. Dummy tun_release() is
    required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
    call.
    
    TUN was designed to destroy it's socket on network namesapce shutdown. But this
    will never happen for persistent device, because it's socket holds network
    namespace.
    This patch removes of holding network namespace by TUN socket and replaces it
    by creating socket in init_net and then changing it's net it to desired one. On
    shutdown socket is moved back to init_net prior to final put.
    
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Mon Dec 12 10:02:30 2011 -0600

    vfs: Correctly set the dir i_mutex lockdep class
    
    9a7aa12f3911853a introduced additional logic around setting the i_mutex
    lockdep class for directory inodes. The idea was that some filesystems
    may want their own special lockdep class for different directory
    inodes and calling unlock_new_inode() should not clobber one of
    those special classes.
    
    I believe that the added conditional, around the *negated* return value
    of lockdep_match_class(), caused directory inodes to be placed in the
    wrong lockdep class.
    
    inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
    all inodes. If the filesystem did not change the class during inode
    initialization, then the conditional mentioned above was false and the
    directory inode was incorrectly left in the non-directory lockdep class.
    If the filesystem did set a special lockdep class, then the conditional
    mentioned above was true and that class was clobbered with
    i_mutex_dir_key.
    
    This patch removes the negation from the conditional so that the i_mutex
    lockdep class is properly set for directory inodes. Special classes are
    preserved and directory inodes with unmodified classes are set with
    i_mutex_dir_key.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 603590b0d2eca61ce26499eac9c563bc567a18c9
Author: Jan Kara <jack@suse.cz>
Date:   Mon Feb 20 17:54:00 2012 +0100

    udf: Fix deadlock in udf_release_file()
    
    udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
    we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
    i_mutex is not needed in udf_release_file() anymore since protection by
    i_data_sem is enough to protect from races with write and truncate.
    
    Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
    Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:33 2012 +0100

    vfs: fix double put after complete_walk()
    
    complete_walk() already puts nd->path, no need to do it again at cleanup time.
    
    This would result in Oopses if triggered, apparently the codepath is not too
    well exercised.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 13885ba2b18400f3ef6540497d30f1af896605e5
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Tue Mar 6 13:56:34 2012 +0100

    vfs: fix return value from do_last()
    
    complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
    ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
    which is complete nonsense.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
        fs/namei.c

commit f5ab7572c99ffb58953eb1070622307e904c3b7f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Mar 10 17:07:28 2012 -0500

    restore smp_mb() in unlock_new_inode()
    
    wait_on_inode() doesn't have ->i_lock
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Mar 13 18:19:51 2012 -0700

    sparc32: Add -Av8 to assembler command line.
    
    Newer version of binutils are more strict about specifying the
    correct options to enable certain classes of instructions.
    
    The sparc32 build is done for v7 in order to support sun4c systems
    which lack hardware integer multiply and divide instructions.
    
    So we have to pass -Av8 when building the assembler routines that
    use these instructions and get patched into the kernel when we find
    out that we have a v8 capable cpu.
    
    Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Fri Mar 9 20:55:10 2012 +0100

    x86: Derandom delay_tsc for 64 bit
    
    Commit f0fbf0abc093 ("x86: integrate delay functions") converted
    delay_tsc() into a random delay generator for 64 bit.  The reason is
    that it merged the mostly identical versions of delay_32.c and
    delay_64.c.  Though the subtle difference of the result was:
    
     static void delay_tsc(unsigned long loops)
     {
    -   unsigned bclock, now;
    +   unsigned long bclock, now;
    
    Now the function uses rdtscl() which returns the lower 32bit of the
    TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
    bit this fails when the lower 32bit are close to wrap around when
    bclock is read, because the following check
    
           if ((now - bclock) >= loops)
                        break;
    
    evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
    because the unsigned long (now - bclock) of these values results in
    0xffffffff00000001 which is definitely larger than the loops
    value. That explains Tvortkos observation:
    
    "Because I am seeing udelay(500) (_occasionally_) being short, and
     that by delaying for some duration between 0us (yep) and 491us."
    
    Make those variables explicitely u32 again, so this works for both 32
    and 64 bit.
    
    Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # >= 2.6.27
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Thu Mar 8 17:51:19 2012 +0000

    aio: fix the "too late munmap()" race
    
    Current code has put_ioctx() called asynchronously from aio_fput_routine();
    that's done *after* we have killed the request that used to pin ioctx,
    so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
    from progressing.  As the result, we can end up with async call of
    put_ioctx() being the last one and possibly happening during exit_mmap()
    or elf_core_dump(), neither of which expects stray munmap() being done
    to them...
    
    We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
    with that, but that's all we care about - neither io_destroy() nor
    exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
    does really_put_req(), so the ioctx teardown won't be done until then
    and we don't care about the contents of ioctx past that point.
    
    Since actual freeing of these suckers is RCU-delayed, we don't need to
    bump ioctx refcount when request goes into list for async removal.
    All we need is rcu_read_lock held just over the ->ctx_lock-protected
    area in aio_fput_routine().
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 002124c055afbf09b52226af65621999e8316448
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Wed Mar 7 05:16:35 2012 +0000

    aio: fix io_setup/io_destroy race
    
    Have ioctx_alloc() return an extra reference, so that caller would drop it
    on success and not bother with re-grabbing it on failure exit.  The current
    code is obviously broken - io_destroy() from another thread that managed
    to guess the address io_setup() would've returned would free ioctx right
    under us; gets especially interesting if aio_context_t * we pass to
    io_setup() points to PROT_READ mapping, so put_user() fails and we end
    up doing io_destroy() on kioctx another thread has just got freed...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Acked-by: Benjamin LaHaise <bcrl@kvack.org>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 15 15:17:12 2012 -0700

    drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
    
    strict_strtoul() writes a long but ->gamma_mode only has space to store an
    int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
    well.  I've changed it to use kstrtouint() instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Inki Dae <inki.dae@samsung.com>
    Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
Merge: e4b05b6 eae671f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 21:04:27 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit eae671fafe93f04685c04a089cc13efebc05d600
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 16 20:58:01 2012 -0400

    Update to pax-linux-3.2.11-test31.patch
    Introduction of the size_overflow plugin from Emese Revfy
    Many thanks to Emese for her hard work :)

commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
Merge: e55aa68 258c015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:19 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 15 20:59:05 2012 -0400

    fix ARM compilation

commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
Merge: 8f95ea9 55b7573
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:41 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 14 19:33:15 2012 -0400

    Update to pax-linux-3.2.10-test28.patch

commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
Merge: c8786a2 886ac5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:38:13 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)

commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:37:44 2012 -0400

    Update to pax-linux-3.2.10-test26.patch

commit c8786a2abed5e5327f68efa520c04db99bb6a63a
Merge: 219c982 c061fcf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:06 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
Merge: 89373d2 3f4b3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 13 17:25:02 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
Merge: 54e19a3 89373d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:57 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
Merge: a778588 7459f11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 17:23:49 2012 -0400

    Merge branch 'linux-3.2.y' into pax-test

commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
Merge: c4650f1 a778588
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:25 2012 -0400

    Merge branch 'pax-test' into grsec-test

commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 12 16:51:12 2012 -0400

    Update to pax-linux-3.2.9-test24.patch

commit c4650f14b13f84735fe3de06a1f3ff5776473eff
Merge: fb2abee 1015790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:08:28 2012 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        security/Kconfig

commit 101579028a736c224e590c7e12a7357018c424e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 21:07:27 2012 -0400

    Update to pax-linux-3.2.9-test22.patch

commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 11:02:17 2012 -0400

    Allow 4096 CPUs

commit 96bae28cbe6a41d48e3b56e5904814096e956000
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 11 10:25:58 2012 -0400

    Use a per-cpu 48-bit counter instead of a global atomic64
    Initialize each counter to have the cpu number in the lower 16 bits
    instead of incrementing the counter each time by 1, perform the increments
    above the cpu number so that wrapping/exhausting the counter doesn't corrupt
    any state
    idea from PaX Team

commit b975688101da6e966aebb1bc6b8c5c5983974f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 20:33:12 2012 -0500

    Special vnsec edition! :)
    Further reduce argv/env allowance for suid/sgid apps to 512KB
    Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
    Clear 3GB personality on suid/sgid binaries
    Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
      with the main purpose of throwing off program stack -> arg/env alignment
    Update documentation

commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 10 19:54:47 2012 -0500

    Resolve skbuff.h warnings that turn into errors during compilation in
    the grsecurity directory with -Werror

commit 2023210ad43a944033fcacc660ce410888f562ee
Merge: ece4383 5f66adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:48:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 19:47:06 2012 -0500

    Add colorize plugin

commit ece4383e5e91c92d138c4df84225a70b552f4d69
Merge: a366d0e ab4a5a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:46 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 9 17:56:26 2012 -0500

    Update to pax-linux-3.2.9-test21.patch

commit a366d0ed963ce93fce10121c1100989d5f064e75
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Mar 4 19:52:03 2012 -0500

    mm: fix find_vma_prev
    
    Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
    management on PA-RISC.
    
    After application of the patch, programs that allocate big arrays on the
    stack crash with segfault, for example, this will crash if compiled
    without optimization:
    
      int main()
      {
        char array[200000];
        array[199999] = 0;
        return 0;
      }
    
    The reason is that PA-RISC has up-growing stack and the stack is usually
    the last memory area.  In the above example, a page fault happens above
    the stack.
    
    Previously, if we passed too high address to find_vma_prev, it returned
    NULL and stored the last VMA in *pprev.  After "simplify find_vma_prev"
    change, it stores NULL in *pprev.  Consequently, the stack area is not
    found and it is not expanded, as it used to be before the change.
    
    This patch restores the old behavior and makes it return the last VMA in
    *pprev if the requested address is higher than address of any other VMA.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 6 12:28:52 2012 -0800

    mmap: EINVAL not ENOMEM when rejecting VM_GROWS
    
    Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
    from shared anonymous: hoist the file case's -EINVAL up for both.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:38:42 2012 +0000

    aout: move setup_arg_pages() prior to reading/mapping the binary
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Mar 5 16:49:24 2012 +0000

    vsprintf: make %pV handling compatible with kasprintf()
    
    kasprintf() (and potentially other functions that I didn't run across so
    far) want to evaluate argument lists twice.  Caring to do so for the
    primary list is obviously their job, but they can't reasonably be
    expected to check the format string for instances of %pV, which however
    need special handling too: On architectures like x86-64 (as opposed to
    e.g.  ix86), using the same argument list twice doesn't produce the
    expected results, as an internally managed cursor gets updated during
    the first run.
    
    Fix the problem by always acting on a copy of the original list when
    handling %pV.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Mon Mar 5 06:39:47 2012 +0000

    VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit a831bd53764695ea680cc1fa3c98759a610ed2ac
Author: Christian König <deathsimple@vodafone.de>
Date:   Tue Feb 28 23:19:20 2012 +0100

    drm/radeon: fix uninitialized variable
    
    Without this fix the driver randomly treats
    textures as arrays and I'm really wondering
    why gcc isn't complaining about it.
    
    Signed-off-by: Christian König <deathsimple@vodafone.de>
    Reviewed-by: Jerome Glisse <jglisse@redhat.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
Author: H. Peter Anvin <hpa@zytor.com>
Date:   Fri Mar 2 10:43:48 2012 -0800

    regset: Prevent null pointer reference on readonly regsets
    
    The regset common infrastructure assumed that regsets would always
    have .get and .set methods, but not necessarily .active methods.
    Unfortunately people have since written regsets without .set methods.
    
    Rather than putting in stub functions everywhere, handle regsets with
    null .get or .set methods explicitly.
    
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Roland McGrath <roland@hack.frob.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 072ddd99401c79b53c6bf6bff9deb93022124c79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 18:12:57 2012 -0500

    Fix compiler errors reported on forums

commit 1606774b48af24e6f99d99c624c0e447d4b66474
Merge: 3127bd5 4ca2ffd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:35 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 5 17:31:21 2012 -0500

    Update to pax-linux-3.2.9-test20.patch

commit 3127bd581a292966b1057c7433219dac188c3720
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 21:30:37 2012 -0500

    Fix memory leak on logged exec_id check failure in /proc/pid/statm
    Thanks to Djalal Harouni for the report

commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
Merge: 0a56be8 9aa8288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:38:22 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 2 18:37:43 2012 -0500

    Update to pax-linux-3.2.9-test19.patch

commit 0a56be884bbd7ce733cac0b879c45383494d73b0
Merge: 9e66745 3f5c52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:18:01 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:16:56 2012 -0500

    Update to pax-linux-3.2.9-test18.patch

commit ae53ec231d12719a36bf871f8c5841020ed692ee
Merge: b255baf 44fb317
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 1 20:15:31 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 9e667456c03eadea2f305be761abe4de9a5877a3
Merge: 5e4e200 b255baf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:59 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit b255baf50365d39b406f43aab2c64745607baaa2
Merge: 340ce90 1de504e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 20:53:29 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test
    Update to pax-linux-3.2.8-test17.patch
    
    Conflicts:
        arch/x86/include/asm/i387.h
        arch/x86/kernel/process_32.c
        arch/x86/kernel/traps.c

commit 5e4e200ac530452884b625cb75de240e1e98c731
Merge: 44306d7 340ce90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:02:13 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 27 18:01:48 2012 -0500

    Update to pax-linux-3.2.7-test17.patch

commit 44306d7b3097f77e73040dd25f4f6750751bae7a
Merge: 29d0b07 521c411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:04:15 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        Makefile

commit 521c411bb4ca66ce01146fde8bac9dd22414076d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 19:03:33 2012 -0500

    Update to pax-linux-3.2.7-test16.patch

commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 26 17:12:44 2012 -0500

    fix typo

commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
Merge: f45b3be caa8f83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:27 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit caa8f83456c4d0b204beefffaa1d1993f2348d08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 20:59:12 2012 -0500

    Update to pax-linux-3.2.7-test15.patch

commit f45b3be34a345502a302e736af9a65742ddef7cb
Merge: 62f35fd 9f1309b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:40:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 11:39:57 2012 -0500

    Update to pax-linux-3.2.7-test14.patch

commit 62f35fdbecc58f2988fe13638d907b87a15776bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 09:08:55 2012 -0500

    We could log on attempted exploits of writing /proc/self/mem, but the current
    log function declares the access a read, so just swap the ordering for now

commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:46:14 2012 -0500

    Log /proc/pid/mem attempts

commit 674471e581893a94d475acac3e3c4496209b3ac9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 25 08:15:00 2012 -0500

    Make use of f_version for protecting /proc file structs (fine since we're not a directory
    or seq_file)

commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 20:02:19 2012 -0500

    Fix ia64 compilation

commit 50dfea412fd395e0183c2ade368efa525d38b267
Merge: 12db845 4c6f99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:53 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 4c6f99bf338e03966356b147d0360cb3b522a44f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 24 19:00:36 2012 -0500

    (6:57:09 PM) pipacs: but you can be proactive
    (Fix other-arch atomic64/REFCOUNT compilation failures)

commit 12db8453f6bb0a756f369c9151668ba1249bc478
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 21:10:12 2012 -0500

    Remove unnecessary copies, as suggested by solar

commit cc02cab84368467ea03cb35f861a8a7092d91ab4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 20:59:35 2012 -0500

    Make global_exec_counter static, as suggested by solar

commit e642091a475ebb3a30e81f85e7751233d0c2af43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 19:00:26 2012 -0500

    sync with stable tree

commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:48:47 2012 -0500

    Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
    Remove handling of old kludge in chmod/fchmod

commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 23 18:18:49 2012 -0500

    Apply umask checks to chmod/fchmod as well, as requested by sponsor
    Union the enforced umask with the existing one to produce minimal privilege
    Change umask type to u16

commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 22 18:16:11 2012 -0500

    Add per-role umask enforcement to RBAC, requested by a sponsor

commit ad5ac943fe58199f1cc475912a39edb157acb77b
Merge: dda0bb5 41722e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:42 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 41722e342e116d95f3d3556d66c97c888d752d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:04:00 2012 -0500

    Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
    KERNEXEC plugin

commit dda0bb57137846a476a866c60db2681aaf6052c0
Merge: 4fd554e d70927a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:41 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit d70927afec977d489a54c106a3c3ddc32e953050
Merge: 1daebf1 9d0231c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 20:01:33 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 20 09:17:57 2012 -0500

    Fix wrong logic on capability checks for switching roles, broke policies
    Thanks to Richard Kojedzinszky for reporting

commit 12f97d52ac603f24344f8d71569c412a307e9422
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 21:20:10 2012 -0500

    sparc64 compile fix

commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:38:32 2012 -0500

    Update configuration help and name for GRKERNSEC_PROC_MEMMAP

commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:18:01 2012 -0500

    optimize the check a bit

commit 03159050f64989be44ae03be769cbed62a7cd2e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 18:00:45 2012 -0500

    smile VUPEN :D
    (limit argv+env to 1MB for suid/sgid binaries)

commit dd759d8800d225a397e4de49fe729c7d601298d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:49:33 2012 -0500

    Address Space Protection -> Memory Protections (suggested on IRC for consistency)

commit 4de635bda8ebfb85312e3bf851bdbff93de400da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 16 17:45:06 2012 -0500

    Change the long long type for exec_id to the proper u64

commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 9 00:46:47 2012 +0000

    isdn: type bug in isdn_net_header()
    
    We use len to store the return value from eth_header().  eth_header()
    can return -ETH_HLEN (-14).  We want to pass this back instead of
    truncating it to 65522 and returning that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
Author: Heiko Carstens <heiko.carstens@de.ibm.com>
Date:   Sat Feb 4 10:47:10 2012 +0100

    exec: fix use-after-free bug in setup_new_exec()
    
    Setting the task name is done within setup_new_exec() by accessing
    bprm->filename. However this happens after flush_old_exec().
    This may result in a use after free bug, flush_old_exec() may
    "complete" vfork_done, which will wake up the parent which in turn
    may free the passed in filename.
    To fix this add a new tcomm field in struct linux_binprm which
    contains the now early generated task name until it is used.
    
    Fixes this bug on s390:
    
      Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
      Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
      Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
      Call Trace:
      ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
       [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
       [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
       [<0000000000282b6c>] do_execve_common+0x410/0x514
       [<0000000000282cb6>] do_execve+0x46/0x58
       [<00000000005bce58>] kernel_execve+0x28/0x70
       [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
       [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
       [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
      Last Breaking-Event-Address:
       [<00000000002830f0>] setup_new_exec+0x2fc/0x374
    
      Kernel panic - not syncing: Fatal exception: panic_on_oops
    
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d758ee9f5230893dabb5aab737b3109684bde196
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Feb 10 09:03:58 2012 +0100

    relay: prevent integer overflow in relay_open()
    
    "subbuf_size" and "n_subbufs" come from the user and they need to be
    capped to prevent an integer overflow.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
Merge: b1baadf 1daebf1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:47:04 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/proc/base.c

commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
Merge: 1413df2 c2db2e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 13 17:45:54 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:44:05 2012 -0500

    add missing declaration

commit 3981059c35e8463002517935c28f3d74b8e3703c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:36:04 2012 -0500

    Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
    in addition to existing checks (this handles the setresuid ruid = euid case)

commit 0beab03263c773f463412c350ad9064b44b6ede0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 12 16:13:40 2012 -0500

    Revert setreuid changes when RBAC is enabled, breaks freeradius
    I'll fix the learning issue Lavish reported a different way through
    gradm modifications
    
    This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.

commit 0c61cb1cfbbfec7d07647268c922d51434d22621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 11 14:22:46 2012 -0500

    copy exec_id on fork

commit 000c08e0890630086b2ed04084050ed856a7ec31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 20:00:36 2012 -0500

    compile fix

commit 54b8c8f54484e5ee18040657827158bc4b63bccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 19:19:52 2012 -0500

    Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
    denies reading of sensitive /proc/pid entries where the file descriptor
    was opened in a different task than the one performing the read

commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 10 17:43:24 2012 -0500

    Remove duplicate signal check

commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
Merge: 4eba97e 1413df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:34 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 8 19:24:08 2012 -0500

    Merge changes from pax-linux-3.2.4-test11.patch

commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
Merge: 0e058dd 8dd90a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:50:12 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:49:07 2012 -0500

    Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free

commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
Merge: 7e4169c 6133971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 6 17:48:57 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 19:24:45 2012 -0500

    We now allow configurations with no PaX markings, giving the system no way to override the defaults

commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 5 10:01:23 2012 -0500

    Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory

commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 4 21:01:16 2012 -0500

    Improve security of ptrace-based monitoring/sandboxing
    See:
    http://article.gmane.org/gmane.linux.kernel.lsm/15156

commit ca4ca5a1027b41f9528794e52a53ce9c47926101
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:42:55 2012 -0500

    fix typo

commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:25:38 2012 -0500

    Reported by lavish on IRC:
    If a suid/sgid binary did not learn any setuid/setgid call during learning,
    we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
    any restrictions on uid/gid changes.  uid and gid can however be changed
    within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
    euid/egid.
    
    My fix:
    POSIX doesn't specify whether unprivileged users can perform the above
    setresuid/setresgid as an unprivileged user, though Linux has historically
    permitted them.  Modify this behavior when RBAC is enabled to require
    CAP_SETUID/CAP_SETGID for these operations.
    
    Thanks to Lavish for the report!
    
    Conflicts:
    
        kernel/sys.c

commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
Merge: ba586eb 7e4169c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:21 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 20:10:05 2012 -0500

    Merge changes from pax-linux-3.2.4-test9.patch

commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
Author: Christopher Yeoh <cyeoh@au1.ibm.com>
Date:   Thu Feb 2 11:34:09 2012 +1030

    Fix race in process_vm_rw_core
    
    This fixes the race in process_vm_core found by Oleg (see
    
      http://article.gmane.org/gmane.linux.kernel/1235667/
    
    for details).
    
    This has been updated since I last sent it as the creation of the new
    mm_access() function did almost exactly the same thing as parts of the
    previous version of this patch did.
    
    In order to use mm_access() even when /proc isn't enabled, we move it to
    kernel/fork.c where other related process mm access functions already
    are.
    
    Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c
        mm/process_vm_access.c

commit b9194d60fb9fe579f5c34817ed822abde18939a0
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:15:11 2012 +0100

    proc: make sure mem_open() doesn't pin the target's memory
    
    Once /proc/pid/mem is opened, the memory can't be released until
    mem_release() even if its owner exits.
    
    Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
    pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
    before access_remote_vm(), this verifies that this mm is still alive.
    
    I am not sure what should mem_rw() return if atomic_inc_not_zero()
    fails. With this patch it returns zero to match the "mm == NULL" case,
    may be it should return -EINVAL like it did before e268337d.
    
    Perhaps it makes sense to add the additional fatal_signal_pending()
    check into the main loop, to ensure we do not hold this memory if
    the target task was oom-killed.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:38 2012 +0100

    proc: mem_release() should check mm != NULL
    
    mem_release() can hit mm == NULL, add the necessary check.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Tue Jan 31 17:14:54 2012 +0100

    note: redisabled mem_write
    
    proc: unify mem_read() and mem_write()
    
    No functional changes, cleanup and preparation.
    
    mem_read() and mem_write() are very similar. Move this code into the
    new common helper, mem_rw(), which takes the additional "int write"
    argument.
    
    Cc: stable@kernel.org
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
        fs/proc/base.c

commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
Merge: 3903f01 01fee18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:50:40 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 01fee1851aef26b898ccba5312cabf1f919b74cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:46 2012 -0500

    Merge changes from pax-linux-3.2.4-test8.patch

commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
Merge: 201c0db 141936c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 3 19:49:01 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test

commit 3903f0172ecadf7a575ba3535402a1506133640a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 30 23:26:44 2012 -0500

    Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
    
    We'll whitelist required directories for compatibility instead of requiring
    that people disable the feature entirely if they use SELinux, fuse, etc
    
    Conflicts:
    
        fs/sysfs/mount.c

commit e3618feaa7e63807f1b88c199882075b3ec9bd05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 29 01:12:19 2012 -0500

    perform RBAC check if TPE is on but match fails, matches previous behavior

commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 28 13:17:06 2012 -0500

    log more information about the reason for a TPE denial for novice users, requested by a sponsor

commit efefd67008cbad8a8591e2484410966a300a39a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:58:53 2012 -0500

    merge upstream sha512 changes

commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:49:07 2012 -0500

    drop lock on error in xfs_readlink
    
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0

commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
Author: Li Wang <liwang@nudt.edu.cn>
Date:   Thu Jan 19 09:44:36 2012 +0800

    eCryptfs: Infinite loop due to overflow in ecryptfs_write()
    
    ecryptfs_write() can enter an infinite loop when truncating a file to a
    size larger than 4G. This only happens on architectures where size_t is
    represented by 32 bits.
    
    This was caused by a size_t overflow due to it incorrectly being used to
    store the result of a calculation which uses potentially large values of
    type loff_t.
    
    [tyhicks@canonical.com: rewrite subject and commit message]
    Signed-off-by: Li Wang <liwang@nudt.edu.cn>
    Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
    Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

commit a7607747d0f74f357d78bb796d70635dd05f46e8
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 19 20:33:44 2012 -0600

    eCryptfs: Check inode changes in setattr
    
    Most filesystems call inode_change_ok() very early in ->setattr(), but
    eCryptfs didn't call it at all. It allowed the lower filesystem to make
    the call in its ->setattr() function. Then, eCryptfs would copy the
    appropriate inode attributes from the lower inode to the eCryptfs inode.
    
    This patch changes that and actually calls inode_change_ok() on the
    eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
    would happen earlier in ecryptfs_setattr(), but there are some possible
    inode initialization steps that must happen first.
    
    Since the call was already being made on the lower inode, the change in
    functionality should be minimal, except for the case of a file extending
    truncate call. In that case, inode_newsize_ok() was never being
    called on the eCryptfs inode. Rather than inode_newsize_ok() catching
    maximum file size errors early on, eCryptfs would encrypt zeroed pages
    and write them to the lower filesystem until the lower filesystem's
    write path caught the error in generic_write_checks(). This patch
    introduces a new function, called ecryptfs_inode_newsize_ok(), which
    checks if the new lower file size is within the appropriate limits when
    the truncate operation will be growing the lower file.
    
    In summary this change prevents eCryptfs truncate operations (and the
    resulting page encryptions), which would exceed the lower filesystem
    limits or FSIZE rlimits, from ever starting.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Li Wang <liwang@nudt.edu.cn>
    Cc: <stable@vger.kernel.org>

commit 0d96f190a39505254ace4e9330219aaeda9b64e3
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Wed Jan 18 18:30:04 2012 -0600

    eCryptfs: Make truncate path killable
    
    ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
    page, zeroes out the appropriate portions, and then encrypts the page
    before writing it to the lower filesystem. It was unkillable and due to
    the lack of sparse file support could result in tying up a large portion
    of system resources, while encrypting pages of zeros, with no way for
    the truncate operation to be stopped from userspace.
    
    This patch adds the ability for ecryptfs_write() to detect a pending
    fatal signal and return as gracefully as possible. The intent is to
    leave the lower file in a useable state, while still allowing a user to
    break out of the encryption loop. If a pending fatal signal is detected,
    the eCryptfs inode size is updated to reflect the modified inode size
    and then -EINTR is returned.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: <stable@vger.kernel.org>

commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Jan 24 10:02:22 2012 -0600

    eCryptfs: Fix oops when printing debug info in extent crypto functions
    
    If pages passed to the eCryptfs extent-based crypto functions are not
    mapped and the module parameter ecryptfs_verbosity=1 was specified at
    loading time, a NULL pointer dereference will occur.
    
    Note that this wouldn't happen on a production system, as you wouldn't
    pass ecryptfs_verbosity=1 on a production system. It leaks private
    information to the system logs and is for debugging only.
    
    The debugging info printed in these messages is no longer very useful
    and rather than doing a kmap() in these debugging paths, it will be
    better to simply remove the debugging paths completely.
    
    https://launchpad.net/bugs/913651
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Daniel DeFreez
    Cc: <stable@vger.kernel.org>

commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jan 12 11:30:44 2012 +0100

    eCryptfs: Sanitize write counts of /dev/ecryptfs
    
    A malicious count value specified when writing to /dev/ecryptfs may
    result in a a very large kernel memory allocation.
    
    This patch peeks at the specified packet payload size, adds that to the
    size of the packet headers and compares the result with the write count
    value. The resulting maximum memory allocation size is approximately 532
    bytes.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Sasha Levin <levinsasha928@gmail.com>
    Cc: <stable@vger.kernel.org>

commit 96dcb7282d323813181a1791f51c0ab7696b675b
Merge: 6c09fa5 201c0db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:44:15 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 201c0dbf177527367676028151e36d340923f033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:43:24 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
    on loading modules with empty sections

commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:42:13 2012 -0500

    compile fix

commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 19:39:28 2012 -0500

    use LSM flags instead of duplicating checks

commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
Merge: 44b9f11 558718b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:23 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 558718b2217beff69edf60f34a6f9893d910e9ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:56:04 2012 -0500

    Merge changes from pax-linux-3.2.2-test6.patch

commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:53:55 2012 -0500

    don't increase the size of task_struct when unnecessary
    change ptrace_readexec log message

commit a9c9626e054adb885883aa64f85506852894dd33
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 27 18:16:28 2012 -0500

    Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
    the protection applies to all unreadable binaries.

commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
Merge: 7b3f3af 05a1349
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:52:09 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        block/scsi_ioctl.c
        drivers/scsi/sd.c
        fs/proc/base.c

commit 05a134966efb9cb9346ad3422888969ffc79ac1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:47:36 2012 -0500

    Resync with pax-linux-3.2.2-test5.patch

commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
Merge: c6d443d 3499d64
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 25 20:45:16 2012 -0500

    Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
    
    Conflicts:
        ipc/shm.c

commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 24 19:42:01 2012 -0500

    Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
    (may be changed if it breaks some userland), the other has its own
    config option
    
    First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
    the syscall or /proc/sys.
    
    Second feature requires read access to a suid/sgid binary in order
    to ptrace it, preventing infoleaking of binaries in situations where
    the admin has specified 4711 or 2711 perms.  Feature has been
    given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
    a sysctl entry of ptrace_readexec

commit 11a7bb25c411c9dccfdca5718639b4becdffd388
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:37:10 2012 -0500

    Compilation fixes

commit cd400e21c7c352baba47d6f375297a7847afb33a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 14:20:27 2012 -0500

    Initial port of grsecurity 2.2.2 for Linux 3.2.1
    Note that the new syscalls added to this kernel for remote process read/write
    are subject to ptrace hardening/other relevant RBAC features
    /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
    as well
    pax_track_stack has been removed from support for this kernel -- if you're running this kernel
    you should be using a version of gcc with plugin support

commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:47:31 2012 -0500

    Import pax-linux-3.2.1-test5.patch
commit bfd7db842f835f9837cd43644459b3a95b0b488d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 22 11:02:02 2012 -0500

    Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
    instead of returning -EACCES
    thanks to Wraith from irc for the report

commit 873ac13576506cd48ddb527c2540f274e249da50
Merge: 34083dd 8a44fcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:04:02 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 20 18:02:15 2012 -0500

    Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
    Denies executable shared memory when MPROTECT is active
    Fixes ia32 emulation crash on 64bit host introduced in a recent patch

commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 20:23:14 2012 -0500

    Introduce new GRKERNSEC_SETXID implementation
    We're not able to change the credentials of other threads in the process until at most
    one syscall after the first thread does it, since we mark the threads as needing rescheduling
    and such work occurs on syscall exit.
    This does however ensure that we're only modifying the current task's credentials
    which upholds RCU expectations
    
    Many thanks to corsac for testing

commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:42:48 2012 -0500

    Simplify backport

commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 19 17:08:16 2012 -0500

    Commit the latest silent fix for a local privilege escalation from Linus
    Also disable writing to /proc/pid/mem
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc

commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
Merge: 0394a3f 7e6299b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:22:09 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7e6299b4733c082dde930375dd207b63237751ec
Merge: 83555fb 9bb1282
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 18 20:21:37 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
Author: Jesper Juhl <jj@chaosbits.net>
Date:   Sun Jan 8 22:44:29 2012 +0100

    audit: always follow va_copy() with va_end()
    
    A call to va_copy() should always be followed by a call to va_end() in
    the same function.  In kernel/autit.c::audit_log_vformat() this is not
    always done.  This patch makes sure va_end() is always called.
    
    Signed-off-by: Jesper Juhl <jj@chaosbits.net>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Thu Jan 12 17:20:30 2012 -0800

    panic: don't print redundant backtraces on oops
    
    When an oops causes a panic and panic prints another backtrace it's pretty
    common to have the original oops data be scrolled away on a 80x50 screen.
    
    The second backtrace is quite redundant and not needed anyways.
    
    So don't print the panic backtrace when oops_in_progress is true.
    
    [akpm@linux-foundation.org: add comment]
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Thu Jan 12 17:59:46 2012 +0100

    fsnotify: don't BUG in fsnotify_destroy_mark()
    
    Removing the parent of a watched file results in "kernel BUG at
    fs/notify/mark.c:139".
    
    To reproduce
    
      add "-w /tmp/audit/dir/watched_file" to audit.rules
      rm -rf /tmp/audit/dir
    
    This is caused by fsnotify_destroy_mark() being called without an
    extra reference taken by the caller.
    
    Reported by Francesco Cosoleto here:
    
      https://bugzilla.novell.com/show_bug.cgi?id=689860
    
    Fix by removing the BUG_ON and adding a comment about not accessing mark after
    the iput.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:28 2012 +0100

    block: fail SCSI passthrough ioctls on partition devices
    
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Thu Jan 12 16:01:27 2012 +0100

    block: add and use scsi_blk_cmd_ioctl
    
    Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
    
    The function will then be enhanced to detect partition block devices
    and, in that case, subject the ioctls to whitelisting.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 97a79814903fc350e1d13704ea31528a42705401
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Jan 7 10:41:04 2012 -0800

    audit: treat s_id as an untrusted string
    
    The use of s_id should go through the untrusted string path, just to be
    extra careful.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Mimi Zohar <zohar@us.ibm.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Dec 20 18:39:41 2011 -0500

    audit: fix signedness bug in audit_log_execve_info()
    
    In the loop, a size_t "len" is used to hold the return value of
    audit_log_single_execve_arg(), which returns -1 on error.  In that
    case the error handling (len <= 0) will be bypassed since "len" is
    unsigned, and the loop continues with (p += len) being wrapped.
    Change the type of "len" to signed int to fix the error handling.
    
        size_t len;
        ...
        for (...) {
                len = audit_log_single_execve_arg(...);
                if (len <= 0)
                        break;
                p += len;
        }
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 17 03:28:51 2012 -0300

    [media] ds3000: using logical && instead of bitwise &
    
    The intent here was to test if the FE_HAS_LOCK was set.  The current
    test is equivalent to "if (status) { ..."
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

commit 36522330dc59d2fc70c042f3f081d75c32b6259a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 13:10:38 2012 -0500

    Ignore the 0 signal for protected task RBAC checks

commit d513acd55f7a683f6e146a4f570cdb63300479ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 16 11:56:13 2012 -0500

    whitespace cleanup

commit ced261c4b82818c700aff8487f647f6f3e5b5122
Merge: d48751f 83555fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:54 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
Merge: fcd8129 93dad39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 13 20:12:43 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit d48751f3919ae855fda0ff6c149db82442329253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 11 19:05:47 2012 -0500

    Call our own set_user when forcing change to new id

commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
Merge: e6578ff fcd8129
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 16:00:10 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 10 15:58:43 2012 -0500

    Merge changes from pax-linux-3.1.8-test23.patch

commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
Merge: 8859ec3 a120549
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:56 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit a12054967a77090de1caa07c41e694a77db4e237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:45:30 2012 -0500

    Merge changes from pax-linux-3.1.8-test22.patch

commit 8859ec32f9815c274df65448f9f2960176c380d3
Merge: a5016b4 ddd4114
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:26:08 2012 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/binfmt_elf.c
        security/Kconfig

commit ddd41147e158a79704983a409b7433eba797cf66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:12:42 2012 -0500

    Resync with PaX patch (whitespace difference)

commit 29e569df8205c5f0e043fe4803aa984406c8b118
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 21:09:47 2012 -0500

    Merge changes from pax-linux-3.1.8-test21.patch

commit a5016b4f9c09c337b17e063a7f369af1e86d944d
Merge: 0124c92 04231d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:52:20 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
Merge: 7bdddeb a919904
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:51:50 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        include/net/flow.h

commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 6 18:33:05 2012 -0500

    Make GRKERNSEC_SETXID option compatible with credential debugging

commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Date:   Wed Dec 28 15:57:11 2011 -0800

    mm/mempolicy.c: refix mbind_range() vma issue
    
    commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
    slightly incorrect fix.
    
    Why? Think following case.
    
    1. map 4 pages of a file at offset 0
    
       [0123]
    
    2. map 2 pages just after the first mapping of the same file but with
       page offset 2
    
       [0123][23]
    
    3. mbind() 2 pages from the first mapping at offset 2.
       mbind_range() should treat new vma is,
    
       [0123][23]
         |23|
         mbind vma
    
       but it does
    
       [0123][23]
         |01|
         mbind vma
    
       Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
    
    This patch fixes it.
    
    [testcase]
      test result - before the patch
    
        case4: 126: test failed. expect '2,4', actual '2,2,2'
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: 246: test failed. expect '4,2', actual '1,4'
    
        ------------[ cut here ]------------
        kernel BUG at mm/filemap.c:135!
        invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
    
        (snip long bug on messages)
    
      test result - after the patch
    
        case4: passed
                case5: passed
        case6: passed
        case7: passed
        case8: passed
        case_n: passed
    
      source:  mbind_vma_test.c
    ============================================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    void* mmap_addr;
    struct bitmask *nmask;
    char buf[1024];
    FILE *file;
    char retbuf[10240] = "";
    int mapped_fd;
    
    char *rubysrc = "ruby -e '\
      pid = %d; \
      vstart = 0x%llx; \
      vend = 0x%llx; \
      s = `pmap -q #{pid}`; \
      rary = []; \
      s.each_line {|line|; \
        ary=line.split(\" \"); \
        addr = ary[0].to_i(16); \
        if(vstart <= addr && addr < vend) then \
          rary.push(ary[1].to_i()/4); \
        end; \
      }; \
      print rary.join(\",\"); \
    '";
    
    void init(void)
    {
        void* addr;
        char buf[128];
    
        nmask = numa_allocate_nodemask();
        numa_bitmask_setbit(nmask, 0);
    
        pagesize = getpagesize();
    
        sprintf(buf, "%s", "mbind_vma_XXXXXX");
        mapped_fd = mkstemp(buf);
        if (mapped_fd == -1)
                perror("mkstemp "), exit(1);
        unlink(buf);
    
        if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
                perror("lseek "), exit(1);
        if (write(mapped_fd, "\0", 1) < 0)
                perror("write "), exit(1);
    
        addr = mmap(NULL, pagesize*8, PROT_NONE,
                    MAP_SHARED, mapped_fd, 0);
        if (addr == MAP_FAILED)
                perror("mmap "), exit(1);
    
        if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
                perror("mprotect "), exit(1);
    
        mmap_addr = addr + pagesize;
    
        /* make page populate */
        memset(mmap_addr, 0, pagesize*6);
    }
    
    void fin(void)
    {
        void* addr = mmap_addr - pagesize;
        munmap(addr, pagesize*8);
    
        memset(buf, 0, sizeof(buf));
        memset(retbuf, 0, sizeof(retbuf));
    }
    
    void mem_bind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_BIND, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_interleave(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void mem_unbind(int index, int len)
    {
        int err;
    
        err = mbind(mmap_addr+pagesize*index, pagesize*len,
                    MPOL_DEFAULT, NULL, 0, 0);
        if (err)
                perror("mbind "), exit(err);
    }
    
    void Assert(char *expected, char *value, char *name, int line)
    {
        if (strcmp(expected, value) == 0) {
                fprintf(stderr, "%s: passed\n", name);
                return;
        }
        else {
                fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
                        name, line,
                        expected, value);
    //          exit(1);
        }
    }
    
    /*
          AAAA
        PPPPPPNNNNNN
        might become
        PPNNNNNNNNNN
        case 4 below
    */
    void case4(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 4);
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case4", __LINE__);
    
        fin();
    }
    
    /*
           AAAA
     PPPPPPNNNNNN
     might become
     PPPPPPPPPPNN
     case 5 below
    */
    void case5(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case5", __LINE__);
    
        fin();
    }
    
    /*
            AAAA
        PPPPNNNNXXXX
        might become
        PPPPPPPPPPPP 6
    */
    void case6(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_bind(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("6", retbuf, "case6", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPPPPPXXXX 7
    */
    void case7(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_bind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case7", __LINE__);
    
        fin();
    }
    
    /*
        AAAA
    PPPPNNNNXXXX
    might become
    PPPPNNNNNNNN 8
    */
    void case8(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        mem_bind(0, 2);
        mem_interleave(4, 2);
        mem_interleave(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("2,4", retbuf, "case8", __LINE__);
    
        fin();
    }
    
    void case_n(void)
    {
        init();
        sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
    
        /* make redundunt mappings [0][1234][34][7] */
        mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
             MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
    
        /* Expect to do nothing. */
        mem_unbind(2, 2);
    
        file = popen(buf, "r");
        fread(retbuf, sizeof(retbuf), 1, file);
        Assert("4,2", retbuf, "case_n", __LINE__);
    
        fin();
    }
    
    int main(int argc, char** argv)
    {
        case4();
        case5();
        case6();
        case7();
        case8();
        case_n();
    
        return 0;
    }
    =============================================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: Caspar Zhang <caspar@casparzhang.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
    Cc: <stable@vger.kernel.org>                [3.1.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit f3a1082005781777086df235049f8c0b7efe524e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Dec 27 22:32:41 2011 -0500

    packet: fix possible dev refcnt leak when bind fail
    
    If bind is fail when bind is called after set PACKET_FANOUT
    sock option, the dev refcnt will leak.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 915f8b08dac68839dc7204ee81cf9852fda16d24
Author: Haogang Chen <haogangchen@gmail.com>
Date:   Mon Dec 19 17:11:56 2011 -0800

    nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
    
    There is a potential integer overflow in nilfs_ioctl_clean_segments().
    When a large argv[n].v_nmembs is passed from the userspace, the subsequent
    call to vmalloc() will allocate a buffer smaller than expected, which
    leads to out-of-bound access in nilfs_ioctl_move_blocks() and
    lfs_clean_segments().
    
    The following check does not prevent the overflow because nsegs is also
    controlled by the userspace and could be very large.
    
                if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
                        goto out_free;
    
    This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
    returns -EINVAL when overflow.
    
    Signed-off-by: Haogang Chen <haogangchen@gmail.com>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
Author: Kautuk Consul <consul.kautuk@gmail.com>
Date:   Mon Dec 19 17:12:04 2011 -0800

    mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
    
    Static storage is not required for the struct vmap_area in
    __get_vm_area_node.
    
    Removing "static" to store this variable on the stack instead.
    
    Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
Author: Michel Lespinasse <walken@google.com>
Date:   Mon Dec 19 17:12:06 2011 -0800

    binary_sysctl(): fix memory leak
    
    binary_sysctl() calls sysctl_getname() which allocates from names_cache
    slab usin __getname()
    
    The matching function to free the name is __putname(), and not putname()
    which should be used only to match getname() allocations.
    
    This is because when auditing is enabled, putname() calls audit_putname
    *instead* (not in addition) to __putname().  Then, if a syscall is in
    progress, audit_putname does not release the name - instead, it expects
    the name to get released when the syscall completes, but that will happen
    only if audit_getname() was called previously, i.e.  if the name was
    allocated with getname() rather than the naked __getname().  So,
    __getname() followed by putname() ends up leaking memory.
    
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
Author: Sean Hefty <sean.hefty@intel.com>
Date:   Tue Dec 6 21:17:11 2011 +0000

    RDMA/cma: Verify private data length
    
    private_data_len is defined as a u8.  If the user specifies a large
    private_data size (> 220 bytes), we will calculate a total length that
    exceeds 255, resulting in private_data_len wrapping back to 0.  This
    can lead to overwriting random kernel memory.  Avoid this by verifying
    that the resulting size fits into a u8.
    
    Reported-by: B. Thery <benjamin.thery@bull.net>
    Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
    Signed-off-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>

commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sun Dec 11 23:40:56 2011 -0800

    Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
    
    The error check (intr_status < 0) didn't work because intr_status is
    a u8.  Change its type to signed int.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>

commit e27f34e383d7863b2528a63b81b23db09781f6b6
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 16 12:44:15 2011 +0000

    sctp: fix incorrect overflow check on autoclose
    
    Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
    limiting the autoclose value.  If userspace passes in -1 on 32-bit
    platform, the overflow check didn't work and autoclose would be set
    to 0xffffffff.
    
    This patch defines a max_autoclose (in seconds) for limiting the value
    and exposes it through sysctl, with the following intentions.
    
    1) Avoid overflowing autoclose * HZ.
    
    2) Keep the default autoclose bound consistent across 32- and 64-bit
       platforms (INT_MAX / HZ in this patch).
    
    3) Keep the autoclose value consistent between setsockopt() and
       getsockopt() calls.
    
    Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Dec 21 05:18:33 2011 -0500

    vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
    
    Commit e133e737 didn't correctly fix the integer overflow issue.
    
    -   unsigned int required_size;
    +   u64 required_size;
        ...
        required_size = mode_cmd->pitch * mode_cmd->height;
    -   if (unlikely(required_size > dev_priv->vram_size)) {
    +   if (unlikely(required_size > (u64) dev_priv->vram_size)) {
    
    Note that both pitch and height are u32.  Their product is still u32 and
    would overflow before being assigned to required_size.  A correct way is
    to convert pitch and height to u64 before the multiplication.
    
        required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
    
    This patch calls the existing vmw_kms_validate_mode_vram() for
    validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
        drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

commit eb8f0bd01fb994c9abc77dc84729794cd841753d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu Dec 22 13:35:22 2011 +0000

    rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
    
    Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
    cause a kernel oops due to insufficient bounds checking.
    
        if (count > 1<<30) {
                /* Enforce a limit to prevent overflow */
                return -EINVAL;
        }
        count = roundup_pow_of_two(count);
        table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
    
    Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
    
        ... + (count * sizeof(struct rps_dev_flow))
    
    where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
    32 bits.
    
    This patch replaces the magic number (1 << 30) with a symbolic bound.
    
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit 648188958672024b616c42c1f6c98c8cfc85619d
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Dec 30 10:40:17 2011 -0500

    netfilter: ctnetlink: fix timeout calculation
    
    The sanity check (timeout < 0) never works; the dividend is unsigned
    and so is the division, which should have been a signed division.
    
        long timeout = (ct->timeout.expires - jiffies) / HZ;
        if (timeout < 0)
                timeout = 0;
    
    This patch converts the time values to signed for the division.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit ab03a0973cee73f88655ff4981812ad316a6cd59
Merge: 76f82df 7bdddeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:50 2012 -0500

    Merge branch 'pax-test' into grsec-test

commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
Merge: 3e59cb5 55cc81a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 3 17:42:36 2012 -0500

    Merge branch 'linux-3.1.y' into pax-test

commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 20:15:02 2011 -0500

    Only further restrict futex targeting another process -- our modified
    permission check also happened to allow a case where a process retaining
    uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
    being non-zero (reported on forums by ben_w)

commit 6b235a4450a5fea41663ec35fa0608988b6078c6
Merge: 97c16f0 3e59cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:11:06 2011 -0500

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
        fs/hfs/btree.c

commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
Merge: 285eb4e c26f60b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 22 19:09:57 2011 -0500

    Merge branch 'linux-3.1.y' into pax-test
    
    Conflicts:
        arch/x86/kernel/process.c

commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 19 21:54:01 2011 -0500

    Add new option: "Enforce consistent multithreaded privileges"

commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:58:31 2011 -0500

    Remove harmless duplicate code -- exec_file would be null already so the
    second check would never pass.

commit 4e3304e94aa72737810bc50169519af157dce4ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 7 19:50:39 2011 -0500

    Revert back to (possibly?) undocumented /proc/pid behavior that gdb
    depended on for attaching to a thread.  Entries exist in /proc for
    threads, but are not visible in a readdir.

commit 1bd899335f23815cfe8deac44c6b346398f3b95e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 18:03:28 2011 -0500

    Put the already-walked path if in RCU-walk mode

commit ec7ae36b7159f10649709779443a988662965d66
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 17:35:21 2011 -0500

    Fix memory leak introduced by recent (unpublished) commit
    75ab998b94a29d464518d6d501bdde3fbfcbfa14

commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:56:10 2011 -0500

    Explicitly check size copied to userland in override_release to silence gcc

commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:54:02 2011 -0500

    Initialize variable to silence erroneous gcc warning

commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:47:47 2011 -0500

    Future-proof other potential RCU-aware locations where we can log.

commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 4 13:02:54 2011 -0500

    Fix freeze reported by 'vs' on the forums.  Bug occurred due to
    MAY_NOT_BLOCK added to Linux 3.1.  Our logging code, when a capability used
    in generic_permission() was in the task's effective set but disallowed by
    RBAC, would block when acquiring locks resulting in the freeze.
    
    Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
    as being required when CAP_DAC_OVERRIDE is present (consistent with
    older patches).

commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
Author: Xi Wang <xi.wang@gmail.com>
Date:   Tue Nov 29 09:26:30 2011 +0000

    sctp: better integer overflow check in sctp_auth_create_key()
    
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

commit e565e28c3635a1d50f80541fbf6b606d742fec76
Author: Josh Boyer <jwboyer@redhat.com>
Date:   Fri Aug 19 14:50:26 2011 -0400

    fs/minix: Verify bitmap block counts before mounting
    
    Newer versions of MINIX can create filesystems that allocate an extra
    bitmap block.  Mounting of this succeeds, but doing a statfs call will
    result in an oops in count_free because of a negative number being used
    for the bh index.
    
    Avoid this by verifying the number of allocated blocks at mount time,
    erroring out if there are not enough and make statfs ignore the extras
    if there are too many.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
    
    Signed-off-by: Josh Boyer <jwboyer@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit 6e134e398ec1a3f428261680e83df4319e64bed9
Author: Julia Lawall <julia@diku.dk>
Date:   Tue Nov 15 14:53:11 2011 -0800

    drivers/gpu/vga/vgaarb.c: add missing kfree
    
    kbuf is a buffer that is local to this function, so all of the error paths
    leaving the function should release it.
    
    Signed-off-by: Julia Lawall <julia@diku.dk>
    Cc: Jesper Juhl <jj@chaosbits.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

commit 2b9057b321e36860e8d63985b5c4e496f254b717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:33:28 2011 -0500

    Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch

commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch

commit 285eb4ea45d853ae00426b3315a61c1368080dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 10 18:33:46 2011 -0500

    Import changes from pax-linux-3.1.5-test20.patch

commit a6bda918fc90ec1d5c387e978d147ad2044153f1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 8 20:55:54 2011 -0500

    Import changes from pax-linux-3.1.4-test19.patch

commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 3 21:29:37 2011 -0500

    Import pax-linux-3.1.4-test18.patch