commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 8 20:25:52 2013 -0400

User jorgus on the forums:
http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
discovered that the upstreamed version of enforcing RLIMIT_NPROC
at setuid/exec time missed an important corner case:
If RLIMIT_NPROC is set after a setuid occurs and the user's process
limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
happen at exec time for the task with a modified RLIMIT_NPROC.

This patch fixes that.

kernel/sys.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)

commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
Merge: 539fff0 2452d8d
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 8 18:13:41 2013 -0400

Merge branch 'pax-test' into grsec-test

commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
Merge: 6c850d8 9c9ab76
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 8 18:13:31 2013 -0400

Merge branch 'linux-3.8.y' into pax-test

kernel/trace/trace_stack.c

commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 7 21:43:00 2013 -0400

turn counter into a flag

grsecurity/Kconfig | 2 +-
grsecurity/grsec_chroot.c | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)

commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue May 7 21:02:39 2013 -0400

add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
useful for Fedora/RHEL users

grsecurity/Kconfig | 10 ++++++++++
grsecurity/grsec_chroot.c | 17 +++++++++++++++--
2 files changed, 25 insertions(+), 2 deletions(-)

commit 418102925c0cfb0de51b0a021abaa575e28fafa6
Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
Date: Fri May 3 14:11:25 2013 +0200

Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717

perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL

We should always have proper privileges when requesting kernel

Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: <stable@kernel.org>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: eranian@google.com
Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
[ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org

arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
1 files changed, 10 insertions(+), 3 deletions(-)

commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
Author: Eric Dumazet <edumazet@google.com>
Date: Mon Apr 29 05:58:52 2013 +0000

Upstream commit: aebda156a570782a86fc4426842152237a19427d

net: defer net_secret[] initialization

Instead of feeding net_secret[] at boot time, defer the init
at the point first socket is created.

This permits some platforms to use better entropy sources than
the ones available at boot time.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/net/secure_seq.h | 1 +
net/core/secure_seq.c | 4 +---
net/ipv4/af_inet.c | 5 ++++-
3 files changed, 6 insertions(+), 4 deletions(-)

commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Wed May 1 02:59:23 2013 +0000

Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48

net: sctp: attribute printl with __printf for gcc fmt checks

Let GCC check for format string errors in sctp's probe printl
function. This patch fixes the warning when compiled with W=1:

net/sctp/probe.c:73:2: warning: function might be possible candidate
for 'gnu_printf' format attribute [-Wmissing-format-attribute]

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/sctp/probe.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu May 2 19:58:54 2013 -0400

remove no-longer-needed vmware 8 compat fix

mm/page_alloc.c | 6 ------
1 files changed, 0 insertions(+), 6 deletions(-)

commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu May 2 19:55:23 2013 -0400

remove unnecessary < 0 check

net/phonet/af_phonet.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 1 18:30:48 2013 -0400

remove references to CONFIG_X86_WP_WORKS_OK

arch/um/defconfig | 1 -
security/Kconfig | 2 +-
2 files changed, 1 insertions(+), 2 deletions(-)

commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
Merge: a8dbe8e 6c850d8
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 1 18:28:44 2013 -0400

Merge branch 'pax-test' into grsec-test

arch/sparc/mm/ultra.S

commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
Merge: cdbcbef 9fa1d01
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed May 1 18:25:18 2013 -0400

Merge branch 'linux-3.8.y' into pax-test

commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 29 18:44:23 2013 -0400

add module.h to silence compiler warning, thanks to

fs/btrfs/inode.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

commit 55eba82aca97aa56378e000840c48965557721e8
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 29 18:43:03 2013 -0400

kernel/trace/trace.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit e3bf912b54af6df7fbebc68b5999554562056c5c
Merge: 5b72e37 cdbcbef
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 29 18:34:42 2013 -0400

Merge branch 'pax-test' into grsec-test

commit cdbcbef45c4f003cbee11e10668a35d424c17c60
Author: Brad Spengler <spender@grsecurity.net>
Date: Mon Apr 29 18:33:35 2013 -0400

Update to pax-linux-3.8.10-test21.patch:
- removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
- fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
note that the false positive is not fixed yet
- fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
- fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
- reverted the nested NMI fix in search for a real one
- simplified the arm_delay_ops constification

arch/arm/include/asm/delay.h | 8 ++++----
arch/arm/lib/delay.c | 17 +++++------------
arch/x86/kernel/entry_64.S | 11 ++++++++++-
arch/x86/kernel/i8259.c | 2 +-
arch/x86/kernel/pci-calgary_64.c | 2 +-
arch/x86/kvm/vmx.c | 4 ++--
drivers/block/pktcdvd.c | 2 +-
fs/btrfs/extent-tree.c | 2 +-
fs/nfsd/nfscache.c | 6 ++++--
kernel/trace/trace.c | 2 +-
tools/gcc/structleak_plugin.c | 4 ++++
11 files changed, 34 insertions(+), 26 deletions(-)

commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Apr 26 20:53:06 2013 -0400

don't use file_inode()

drivers/tty/tty_io.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
Author: Jiri Slaby <jslaby@suse.cz>
Date: Fri Apr 26 13:48:53 2013 +0200

Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee

TTY: fix atime/mtime regression

In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
we removed timestamps from tty inodes to fix a security issue and waited
if something breaks. Well, 'w', the utility to find out logged users
and their inactivity time broke. It shows that users are inactive since
the time they logged in.

To revert to the old behaviour while still preventing attackers from
guessing the password length, we update the timestamps in one-minute
intervals by this patch.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

drivers/tty/tty_io.c | 15 ++++++++++++++-
1 files changed, 14 insertions(+), 1 deletions(-)
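
Added example (not part of the commit above and not the kernel's code): a userspace model of the one-minute timestamp granularity the message describes, compared with stamping on every read/write. The struct, the function names and the event times are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model of a tty inode timestamp (seconds only). */
struct tty_stamp { long tv_sec; };

typedef void (*update_fn)(struct tty_stamp *, long now);

/* Original behaviour: every read/write stamps the current second. */
static void update_every_io(struct tty_stamp *st, long now)
{
    st->tv_sec = now;
}

/* Behaviour described by the commit: round down to the minute and
 * only ever move the timestamp forward. */
static void update_per_minute(struct tty_stamp *st, long now)
{
    long sec = now - (now % 60);

    if (sec - st->tv_sec > 0)
        st->tv_sec = sec;
}

/* Constructed sample: login at t=600, eight keystrokes in the same
 * minute, then one more I/O event in the following minute. */
static const long EVENTS[] = { 600, 603, 604, 605, 607, 608, 609, 611, 612, 671 };
#define N_EVENTS (sizeof(EVENTS) / sizeof(EVENTS[0]))

/* Number of times the visible timestamp changes while replaying EVENTS,
 * i.e. how many separate I/O events stat() on the tty would reveal. */
static size_t visible_changes(update_fn update)
{
    struct tty_stamp st = { 0 };
    size_t changes = 0;

    for (size_t i = 0; i < N_EVENTS; i++) {
        long before = st.tv_sec;

        update(&st, EVENTS[i]);
        if (st.tv_sec != before)
            changes++;
    }
    return changes;
}

/* Idle time as a tool like 'w' would compute it at time `now`. */
static long idle_after_replay(update_fn update, long now)
{
    struct tty_stamp st = { 0 };

    for (size_t i = 0; i < N_EVENTS; i++)
        update(&st, EVENTS[i]);
    return now - st.tv_sec;
}

int main(void)
{
    printf("changes, per-I/O stamping:    %zu\n", visible_changes(update_every_io));
    printf("changes, per-minute stamping: %zu\n", visible_changes(update_per_minute));
    printf("idle at t=700, per-minute:    %ld s\n", idle_after_replay(update_per_minute, 700));
    return 0;
}
```

With per-minute stamping the eight keystrokes collapse into a single visible change, while the idle time reported at t=700 is still within a minute of the true value.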

commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
Author: Jiri Slaby <jslaby@suse.cz>
Date: Fri Feb 15 15:25:05 2013 +0100

Upstream commit: b0de59b5733d

TTY: do not update atime/mtime on read/write

On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
out length of a password using timestamps of /dev/ptmx. It is
documented in "Timing Analysis of Keystrokes and Timing Attacks on
SSH". To avoid that problem, do not update time when reading
from/writing to a TTY.

I am afraid of regressions as this is a behavior we have since 0.97
and apps may expect the time to be current, e.g. for monitoring
whether there was a change on the TTY. Now, there is no change. So
this would better have a lot of testing before it goes upstream.

References: CVE-2013-0160

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: stable <stable@vger.kernel.org> # after 3.9 is out
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/tty/tty_io.c | 8 ++------
1 files changed, 2 insertions(+), 6 deletions(-)

commit 5344a24e2320d61dbdb88aae04922f0799deefd0
Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
Date: Fri Apr 26 11:03:53 2013 +0800

Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad

aio: fix possible invalid memory access when DEBUG is enabled

dprintk() shouldn't access @ring after it's unmapped.

Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 1 insertions(+), 1 deletions(-)

commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
Author: John David Anglin <dave.anglin@bell.net>
Date: Tue Apr 23 22:42:07 2013 +0200

Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78

parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates

User applications running on SMP kernels have long suffered from instability
and random segmentation faults. This patch improves the situation although
there is more work to be done.

One of the problems is the various routines in pgtable.h that update page table
entries use different locking mechanisms, or no lock at all (set_pte_at). This
change modifies the routines to all use the same lock pa_dbit_lock. This lock
is used for dirty bit updates in the interruption code. The patch also purges
the TLB entries associated with the PTE to ensure that inconsistent values are
not used after the page table entry is updated. The UP and SMP code are now

The change also includes a minor update to the purge_tlb_entries function in
cache.c to improve its efficiency.

Signed-off-by: John David Anglin <dave.anglin@bell.net>
Cc: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>

arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
arch/parisc/kernel/cache.c | 5 +---
2 files changed, 26 insertions(+), 26 deletions(-)

commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
Merge: ba54c97 4d05084
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Apr 26 18:17:20 2013 -0400

Merge branch 'pax-test' into grsec-test

include/linux/capability.h

commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
Merge: c664779 bb8dd67
Author: Brad Spengler <spender@grsecurity.net>
Date: Fri Apr 26 18:15:45 2013 -0400

Merge branch 'linux-3.8.y' into pax-test

commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
Author: David S. Miller <davem@davemloft.net>
Date: Wed Apr 24 16:52:18 2013 -0700

Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee

sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.

Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>

arch/sparc/mm/tlb.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
Author: David S. Miller <davem@davemloft.net>
Date: Fri Apr 19 17:26:26 2013 -0400

Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847

sparc64: Fix race in TLB batch processing.

As reported by Dave Kleikamp, when we emit cross calls to do batched
TLB flush processing we have a race because we do not synchronize on
the sibling cpus completing the cross call.

So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
and either flushes are missed or flushes will flush the wrong

Fix this by using generic infrastructure to synchronize on the
completion of the cross call.

This first required getting the flush_tlb_pending() call out from
switch_to() which operates with locks held and interrupts disabled.
The problem is that smp_call_function_many() cannot be invoked with
IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().

We get the batch processing outside of locked IRQ disabled sections by
using some ideas from the powerpc port. Namely, we only batch inside
of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
region, we flush TLBs synchronously.

1) Get rid of xcall_flush_tlb_pending and per-cpu type

2) Do TLB batch cross calls instead via:

smp_call_function_many()

__flush_tlb_pending()

3) Batch only in lazy mmu sequences:

a) Add 'active' member to struct tlb_batch
b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
c) Set 'active' in arch_enter_lazy_mmu_mode()
d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
e) Check 'active' in tlb_batch_add_one() and do a synchronous

4) Add infrastructure for synchronous TLB page flushes.

a) Implement __flush_tlb_page and per-cpu variants, patch

b) Likewise for xcall_flush_tlb_page.
c) Implement smp_flush_tlb_page() to invoke the cross-call.
d) Wire up global_flush_tlb_page() to the right routine based

5) It turns out that singleton batches are very common, 2 out of every
3 batch flushes have only a single entry in them.

The batch flush waiting is very expensive, both because of the poll
on sibling cpu completion, as well as because passing the tlb batch
pointer to the sibling cpus invokes a shared memory dereference.

Therefore, in flush_tlb_pending(), if there is only one entry in
the batch perform a completely asynchronous global_flush_tlb_page()

Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>

arch/sparc/include/asm/pgtable_64.h | 1 +
arch/sparc/include/asm/switch_to_64.h | 3 +-
arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
arch/sparc/kernel/smp_64.c | 41 ++++++++++-
arch/sparc/mm/tlb.c | 38 +++++++++-
arch/sparc/mm/tsb.c | 57 ++++++++++++----
arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
7 files changed, 241 insertions(+), 55 deletions(-)

commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri Apr 19 15:32:32 2013 +0000

Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494

net: fix incorrect credentials passing

Commit 257b5358b32f ("scm: Capture the full credentials of the scm
sender") changed the credentials passing code to pass in the effective
uid/gid instead of the real uid/gid.

Obviously this doesn't matter most of the time (since normally they are
the same), but it results in differences for suid binaries when the wrong
uid/gid ends up being used.

This just undoes that (presumably unintentional) part of the commit.

Reported-by: Andy Lutomirski <luto@amacapital.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/net/scm.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 18 19:22:40 2013 -0400

move _etext to only cover kernel code, not read-only data, as reported by Gu1

arch/arm/kernel/vmlinux.lds.S | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit 98ad6adbc48759e4f9eae435d3e51ba487155685
Author: Brad Spengler <spender@grsecurity.net>
Date: Thu Apr 18 19:17:24 2013 -0400

add asm/sections.h for USERCOPY change

1 files changed, 1 insertions(+), 0 deletions(-)

commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
Author: Dmitry Popov <dp@highloadlab.com>
Date: Thu Apr 11 08:55:07 2013 +0000

Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6

tcp: incoming connections might use wrong route under synflood

There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
RT_SCOPE_UNIVERSE, IPPROTO_TCP,
inet_sk_flowi_flags(sk),
(opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
ireq->loc_addr, th->source, th->dest);

Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
taken. This dst_entry is used by new socket (get_cookie_sock ->
tcp_v4_syn_recv_sock), so its packets may take the wrong path.

Signed-off-by: Dmitry Popov <dp@highloadlab.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/syncookies.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

commit 3600395e8fef3ae712e72f9b68c3609639616df8
Author: Thomas Graf <tgraf@suug.ch>
Date: Thu Apr 11 10:57:18 2013 +0000

Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413

tcp: Reallocate headroom if it would overflow csum_start

If a TCP retransmission gets partially ACKed and collapsed multiple
times it is possible for the headroom to grow beyond 64K which will
overflow the 16bit skb->csum_start which is based on the start of
the headroom. It has been observed rarely in the wild with IPoIB due

Verify if the acking and collapsing resulted in a headroom exceeding
what csum_start can cover and reallocate the headroom if so.

A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
LLNL for helping out with the investigation and testing.

Reported-by: Jim Foraker <foraker1@llnl.gov>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/tcp_output.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)

commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
Author: Ivan Vecera <ivecera@redhat.com>
Date: Fri Apr 12 16:49:24 2013 +0200

Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f

be2net: take care of __vlan_put_tag return value

The driver should use return value of __vlan_put_tag with appropriate
NULL-check instead of old skb pointer.

Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)

commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date: Fri Apr 12 03:17:12 2013 +0000

Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73

tuntap: fix error return code in tun_set_iff()

Fix to return a negative error code from the error handling
case instead of 0, as returned elsewhere in this function.

[ Bug added in linux-3.8, commit 4008e97f866db665
("tuntap: fix ambigious multiqueue API") ]

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/net/tun.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date: Sat Apr 13 15:49:03 2013 +0000

Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93

esp4: fix error return code in esp_output()

Fix to return a negative error code from the error handling
case instead of 0, as returned elsewhere in this function.

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/esp4.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

commit 2b45b5f52c2a8930f80c62de392a62516c83e225
Author: Bjørn Mork <bjorn@mork.no>
Date: Tue Apr 16 00:17:07 2013 +0000

Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1

net: cdc_mbim: remove bogus sizeof()

The intention was to test against the constant, not the size of

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/net/usb/cdc_mbim.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 17d7408795519037a5a1272c7888238e20830bfe
Author: Vyacheslav Dubeyko <slava@dubeyko.com>
Date: Wed Apr 17 15:58:33 2013 -0700

Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4

hfsplus: fix potential overflow in hfsplus_file_truncate()

Change a u32 to loff_t in hfsplus_file_truncate().

Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

fs/hfsplus/extents.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
Author: Emese Revfy <re.emese@gmail.com>
Date: Wed Apr 17 15:58:36 2013 -0700

Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f

kernel/signal.c: stop info leak via the tkill and the tgkill syscalls

This fixes a kernel memory contents leak via the tkill and tgkill syscalls
for compat processes.

This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
when handling signals delivered from tkill.

The place of the infoleak:

int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)

put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);

Signed-off-by: Emese Revfy <re.emese@gmail.com>
Reviewed-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

kernel/signal.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 17 20:17:00 2013 -0400

Improve PAX_USERCOPY to reject direct copies to/from main kernel text

fs/exec.c | 29 +++++++++++++++++++++++++++--
1 files changed, 27 insertions(+), 2 deletions(-)

commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
Merge: e87c19f c664779
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 17 20:06:08 2013 -0400

Merge branch 'pax-test' into grsec-test

commit c664779987cb0c27a242029f0e0db812e3236203
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 17 19:54:09 2013 -0400

add intentional_overflow marking for resource_size() as reasoned by:
http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

include/linux/ioport.h | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

commit e87c19f8312355b8658e5138c16bfa6043a379c8
Merge: 802d119 d0c636c
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 17 16:57:12 2013 -0400

Merge branch 'pax-test' into grsec-test

commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
Merge: bc88628 2396403
Author: Brad Spengler <spender@grsecurity.net>
Date: Wed Apr 17 16:57:01 2013 -0400

Merge branch 'linux-3.8.y' into pax-test

arch/x86/kernel/paravirt.c

commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 14 21:39:51 2013 -0400

move location of RBAC user check on setfsuid until after capability checks
for consistency with other checks

kernel/sys.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

commit 1a860d7d67051559ab2e6d10f9888649c92904e6
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 14 21:34:46 2013 -0400

A denied setfsuid by the RBAC system would result in an abort_creds() being called
with an uninitialized pointer, introduced by a bad forward-port

kernel/sys.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
Merge: c38d142 bc88628
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 14 21:28:33 2013 -0400

Merge branch 'pax-test' into grsec-test

commit bc88628a6a8fcccaabb90908640809b0540df225
Author: Brad Spengler <spender@grsecurity.net>
Date: Sun Apr 14 21:26:41 2013 -0400

Update to pax-linux-3.8.7-test20.patch:
- fixed KERNEXEC and NMI nesting problem reported by stef&hunger
- changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
- CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
- fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)

arch/powerpc/include/asm/smp.h | 2 +-
arch/x86/Kconfig | 4 ++--
arch/x86/kernel/entry_64.S | 8 ++++----
security/Kconfig | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)

commit c38d142744489fc4d9be80188b6435a278438fd9
Author: Suleiman Souhlal <suleiman@google.com>
Date: Sat Apr 13 16:03:06 2013 -0700

Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1

vfs: Revert spurious fix to spinning prevention in prune_icache_sb

Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").

This commit doesn't look right: since we are looking at the tail of the
list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
it back at the head of the list instead of the tail, otherwise we will

Discovered when investigating why prune_icache_sb came top in perf
reports of a swapping load.

Signed-off-by: Suleiman Souhlal <suleiman@google.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: stable@vger.kernel.org # v3.2+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 1 insertions(+), 1 deletions(-)

commit 93019624b80ba59798393942798d7f6ed0c1dbc6
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat Apr 13 15:15:30 2013 -0700

Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979

kobject: fix kset_find_obj() race with concurrent last kobject_put()

Anatol Pomozov identified a race condition that hits module unloading
and re-loading. To quote Anatol:

"This is a race condition that exists between kset_find_obj() and
kobject_put(). kset_find_obj() might return kobject that has refcount
equal to 0 if this kobject is being freed by kobject_put() in other

Here is timeline for the crash in case if kset_find_obj() searches for
an object that nobody holds and other thread is doing kobject_put() on

THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())

atomic_dec_return(kobj->kref), counter gets zero here
... starts kobject cleanup ....
spin_lock() // WAIT thread A in kobj_kset_leave()
iterate over kset->list
atomic_inc(kobj->kref) (counter becomes 1)

// it does not know that thread A increased counter so it

vfree(module) // frees module object with containing kobj

// kobj points to freed memory area!!
kobject_put(kobj) // OOPS!!!!

The race above happens because module.c tries to use kset_find_obj()
when somebody unloads module. The module.c code was introduced in

Anatol supplied a patch specific for module.c that worked around the
problem by simply not using kset_find_obj() at all, but rather than make
a local band-aid, this just fixes kset_find_obj() to be thread-safe
using the proper model of refusing to get a new reference if the
refcount has already dropped to zero.

See examples of this proper refcount handling not only in the kref
documentation, but in various other equivalent uses of this pattern by
grepping for atomic_inc_not_zero().

[ Side note: the module race does indicate that module loading and
unloading is not properly serialized wrt sysfs information using the
module mutex. That may require further thought, but this is the
correct fix at the kobject layer regardless. ]

Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

lib/kobject.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
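
Added example (not part of the commit above and not the kernel's code): a userspace model, using C11 atomics, of the refcount rule the message describes. It replays the quoted timeline in a single thread, once with an unconditional increment and once with a get that refuses when the count is already zero, the contract of atomic_inc_not_zero(). The struct and function names are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-in for a kobject: a refcount plus a marker that is
 * set when the owner has released the object's memory. */
struct obj {
    atomic_int refcount;
    bool released;
};

typedef bool (*get_fn)(struct obj *);

/* Drop a reference. Returns true when this call dropped the last one,
 * which commits the caller to cleaning up and freeing the object. */
static bool obj_put(struct obj *o)
{
    return atomic_fetch_sub(&o->refcount, 1) == 1;
}

/* Unconditional get, as in the pre-fix lookup: succeeds even at zero. */
static bool obj_get_unconditional(struct obj *o)
{
    atomic_fetch_add(&o->refcount, 1);
    return true;
}

/* Take a reference only while the count is non-zero. */
static bool obj_get_unless_zero(struct obj *o)
{
    int old = atomic_load(&o->refcount);

    while (old != 0) {
        /* On failure the CAS reloads 'old' and the loop re-checks it. */
        if (atomic_compare_exchange_weak(&o->refcount, &old, old + 1))
            return true;
    }
    return false;
}

/* Replays the timeline: thread B drops the last reference, thread A
 * then finds the object on the list and tries to take a reference,
 * and B finishes by freeing. Returns true when A ends up holding a
 * reference to an object that has been released. */
static bool finder_holds_released_object(get_fn get)
{
    struct obj o = { .released = false };

    atomic_init(&o.refcount, 1);        /* only B holds a reference */

    bool b_must_free = obj_put(&o);     /* B: count reaches zero */
    bool a_got_ref = get(&o);           /* A: lookup during B's cleanup */
    if (b_must_free)
        o.released = true;              /* B: frees the object */
    return a_got_ref && o.released;
}

/* A live object (count 1) must still be obtainable; returns the count
 * after one successful get, or -1 if the get was refused. */
static int count_after_get_on_live_object(get_fn get)
{
    struct obj o = { .released = false };

    atomic_init(&o.refcount, 1);
    return get(&o) ? atomic_load(&o.refcount) : -1;
}

int main(void)
{
    printf("unconditional get, dangling reference: %d\n",
           finder_holds_released_object(obj_get_unconditional));
    printf("get-unless-zero,   dangling reference: %d\n",
           finder_holds_released_object(obj_get_unless_zero));
    printf("get-unless-zero on live object, count: %d\n",
           count_after_get_on_live_object(obj_get_unless_zero));
    return 0;
}
```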

commit 5277b052b5fab36729e1255fb3b12f47a4b12867
Author: Dave Hansen <dave@sr71.net>
Date: Fri Apr 12 16:23:54 2013 -0700

Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9

x86-32: Fix possible incomplete TLB invalidate with PAE pagetables

This patch attempts to fix:

https://bugzilla.kernel.org/show_bug.cgi?id=56461

The symptom is a crash and messages like this:

chrome: Corrupted page table at address 34a03000
*pdpt = 0000000000000000 *pde = 0000000000000000
Bad pagetable: 000f [#1] PREEMPT SMP

Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
enable tlb flush range support for x86") since that code started to free

On x86-32 PAE kernels, that new code has the potential to free an entire
PMD page and will clear one of the four page-directory-pointer-table

The hardware aggressively "caches" these top-level entries and invlpg
does not actually affect the CPU's copy. If we clear one we *HAVE* to
do a full TLB flush, otherwise we might continue using a freed pmd page.
(note, we do this properly on the population side in pud_populate()).

This patch tracks whenever we clear one of these entries in the 'struct
mmu_gather', and ensures that we follow up with a full tlb flush.

BTW, I disassembled and checked that:

if (tlb->fullmm == 0)

if (!tlb->fullmm && !tlb->need_flush_all)

generate essentially the same code, so there should be zero impact there

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Peter Anvin <hpa@zytor.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Artem S Tashkinov <t.artem@mailcity.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

arch/x86/include/asm/tlb.h | 2 +-
arch/x86/mm/pgtable.c | 7 +++++++
include/asm-generic/tlb.h | 7 ++++++-

4 files changed, 15 insertions(+), 2 deletions(-)
912 commit 521e573fc77d1783c1d4636dfbb4617a922f043d
913 Merge: 032f626 f807619
914 Author: Brad Spengler <spender@grsecurity.net>
915 Date: Fri Apr 12 19:29:34 2013 -0400
917 Merge branch 'pax-test' into grsec-test
919 commit f80761993b85df96fc142dfc3a317cadc0f8eae5
920 Author: Brad Spengler <spender@grsecurity.net>
921 Date: Fri Apr 12 19:28:21 2013 -0400
923 Update to pax-linux-3.8.7-test19.patch:
924 - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
925 - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
926 - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
929 arch/x86/xen/enlighten.c | 6 +++---
930 tools/gcc/structleak_plugin.c | 5 +++--
931 3 files changed, 7 insertions(+), 6 deletions(-)
933 commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
934 Merge: a3a770e 89886f5
935 Author: Brad Spengler <spender@grsecurity.net>
936 Date: Fri Apr 12 18:38:40 2013 -0400
938 Merge branch 'pax-test' into grsec-test
940 commit 89886f561cc0d1c42a99624ec8c3704711088155
941 Merge: 9123489 531ec28
942 Author: Brad Spengler <spender@grsecurity.net>
943 Date: Fri Apr 12 18:38:30 2013 -0400
945 Merge branch 'linux-3.8.y' into pax-test
947 commit a3a770e18578841e4fbe2aa0831a22811b4812cf
948 Author: Brad Spengler <spender@grsecurity.net>
949 Date: Thu Apr 11 20:46:20 2013 -0400
951 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
952 Will be fixed with the next PaX patch
954 This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
956 security/Kconfig | 2 +-
957 1 files changed, 1 insertions(+), 1 deletions(-)
959 commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
960 Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
961 Date: Fri Mar 29 10:20:56 2013 -0400
963 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
965 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
967 Occasionally on a DL380 G4 the guest would crash quite early with this:
969 (XEN) d244:v0: unhandled page fault (ec=0003)
970 (XEN) Pagetable walk from ffffffff84dc7000:
971 (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
972 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
973 (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
974 (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
975 (XEN) domain_crash_sync called from entry.S
976 (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
977 (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
979 (XEN) RIP: e033:[<ffffffff81263f22>]
980 (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
981 (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
982 (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
984 The offending code shows it to be a loop writing the value zero
985 (%rax) in the %rdi (the L4 provided by Xen) register:
987 0: 44 00 00 add %r8b,(%rax)
988 3: 31 c0 xor %eax,%eax
989 5: b9 40 00 00 00 mov $0x40,%ecx
990 a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
993 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
994 18: 48 89 47 08 mov %rax,0x8(%rdi)
995 1c: 48 89 47 10 mov %rax,0x10(%rdi)
997 which fails. xen_setup_kernel_pagetable recycles some of the Xen's
998 page-table entries when it has switched over to its Linux page-tables.
1000 Right before we try to clear the page, we make a hypercall to change
1001 it from _RO to _RW and that works (otherwise we would hit a BUG()).
1002 And the _RW flag is set for that page:
1003 (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
1005 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
1006 present (correct), and we tried to write to the page, but a violation
1007 occurred. The one theory is that the page entries in hardware
1008 (which are cached) are not up to date with what we just set. Especially
1009 as we have just done a CR3 write and flushed the multicalls.
1011 This patch does solve the problem by flushing out the TLB page
1012 entry after changing it from _RO to _RW and we don't hit this
1015 Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
1016 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
1017 Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
1018 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
1020 arch/x86/xen/mmu.c | 12 ++++++++----
1021 1 files changed, 8 insertions(+), 4 deletions(-)
1023 commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
1024 Author: Namhyung Kim <namhyung.kim@lge.com>
1025 Date: Mon Apr 1 21:46:23 2013 +0900
1027 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
1029 tracing: Fix double free when function profile init failed
1031 On the failure path, stat->start and stat->pages will refer to the same page.
1032 So it'll attempt to free the same page again and get a kernel panic.
1034 Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
1036 Cc: Frederic Weisbecker <fweisbec@gmail.com>
1037 Cc: Namhyung Kim <namhyung.kim@lge.com>
1038 Cc: stable@vger.kernel.org
1039 Signed-off-by: Namhyung Kim <namhyung@kernel.org>
1040 Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
1042 kernel/trace/ftrace.c | 1 -
1043 1 files changed, 0 insertions(+), 1 deletions(-)
1045 commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
1046 Author: Neil Horman <nhorman@tuxdriver.com>
1047 Date: Tue Apr 9 23:19:00 2013 +0000
1049 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
1051 e100: Add dma mapping error check
1053 e100 uses pci_map_single, but fails to check for a dma mapping error after its
1054 use, resulting in a stack trace:
1056 [ 46.656594] ------------[ cut here ]------------
1057 [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
1058 [ 46.657004] Hardware name: To Be Filled By O.E.M.
1059 [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
1060 error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
1061 [ 46.657004] Modules linked in:
1062 [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
1063 snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
1064 e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
1065 k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
1066 sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
1067 drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
1068 sata_promise crc_itu_t
1069 [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
1070 [ 46.657004] Call Trace:
1071 [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
1072 [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
1073 [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
1074 [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
1075 [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
1076 [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
1077 [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
1078 [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
1079 [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
1080 [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
1081 [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
1082 [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
1083 [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
1084 [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
1085 [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
1086 [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
1087 _raw_spin_unlock_irqrestore+0x3b/0x70
1088 [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
1089 [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
1090 [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
1091 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
1092 [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
1093 [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
1094 [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
1095 [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
1096 [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
1097 [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
1098 [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
1099 [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
1100 [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
1101 [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
1102 [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
1103 [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
1104 [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
1105 [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
1106 [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
1107 [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
1108 [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
1109 [ 46.657004] Mapped at:
1110 [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
1111 [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
1112 [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
1113 [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
1114 [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
1116 Easy fix, modify the cb parameter to e100_exec_cb to return an error, and do the
1117 dma_mapping_error check in the obvious place
1119 This was reported previously here:
1120 http://article.gmane.org/gmane.linux.network/257893
1122 But nobody stepped up and fixed it.
1124 CC: Josh Boyer <jwboyer@redhat.com>
1125 CC: e1000-devel@lists.sourceforge.net
1126 Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
1127 Reported-by: Michal Jaegermann <michal@harddata.com>
1128 Tested-by: Aaron Brown <aaron.f.brown@intel.com>
1129 Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
1130 Signed-off-by: David S. Miller <davem@davemloft.net>
1132 drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
1133 1 files changed, 25 insertions(+), 11 deletions(-)
1135 commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
1136 Author: Trond Myklebust <Trond.Myklebust@netapp.com>
1137 Date: Wed Apr 10 12:44:18 2013 -0400
1139 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
1141 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
1143 Make sure that we set the status to 0 on success. Missed in testing
1144 because it never appears when doing multiple mounts to _different_
1147 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
1148 Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
1150 fs/nfs/nfs4client.c | 1 +
1151 1 files changed, 1 insertions(+), 0 deletions(-)
1153 commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
1154 Author: Yuval Mintz <yuvalmin@broadcom.com>
1155 Date: Wed Apr 10 13:34:39 2013 +0300
1157 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
1159 bnx2x: Prevent null pointer dereference in AFEX mode
1161 The cnic module is responsible for initializing various bnx2x structs
1162 via callbacks provided by the bnx2x module.
1163 One such struct is the queue object for the FCoE queue.
1165 If a device is working in AFEX mode and its configuration allows FCoE yet
1166 the cnic module is not loaded, it's very likely a null pointer dereference
1167 will occur, as the bnx2x will erroneously access the FCoE's queue object.
1169 Prevent said access until cnic properly registers itself.
1171 Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
1172 Signed-off-by: Ariel Elior <ariele@broadcom.com>
1173 Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
1174 Signed-off-by: David S. Miller <davem@davemloft.net>
1176 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
1177 1 files changed, 2 insertions(+), 1 deletions(-)
1179 commit 2908830232725db624aaa052f7ad38d1f98bf541
1180 Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
1181 Date: Tue Apr 9 14:16:04 2013 +0800
1183 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
1185 can: gw: use kmem_cache_free() instead of kfree()
1187 Memory allocated by kmem_cache_alloc() should be freed using
1188 kmem_cache_free(), not kfree().
1190 Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
1191 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
1192 Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
1193 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
1195 net/can/gw.c | 6 +++---
1196 1 files changed, 3 insertions(+), 3 deletions(-)
1198 commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
1199 Author: Christoph Paasch <christoph.paasch@uclouvain.be>
1200 Date: Sun Apr 7 04:53:15 2013 +0000
1202 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
1204 ipv6/tcp: Stop processing ICMPv6 redirect messages
1206 Tetja Rediske found that if the host receives an ICMPv6 redirect message
1207 after sending a SYN+ACK, the connection will be reset.
1209 He bisected it down to 093d04d (ipv6: Change skb->data before using
1210 icmpv6_notify() to propagate redirect), but the origin of the bug comes
1211 from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
1212 handlers.). The bug simply did not trigger prior to 093d04d, because
1213 skb->data did not point to the inner IP header and thus icmpv6_notify
1214 did not call the correct err_handler.
1216 This patch adds the missing "goto out;" in tcp_v6_err. After receiving
1217 an ICMPv6 Redirect, we should not continue processing the ICMP in
1218 tcp_v6_err, as this may trigger the removal of request-socks or setting
1221 Reported-by: Tetja Rediske <tetja@tetja.de>
1222 Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
1223 Acked-by: Eric Dumazet <edumazet@google.com>
1224 Signed-off-by: David S. Miller <davem@davemloft.net>
1226 net/ipv6/tcp_ipv6.c | 1 +
1227 1 files changed, 1 insertions(+), 0 deletions(-)
1229 commit c7d5c2524456ef3ea9194840e7a9a75069a46824
1230 Author: Brad Spengler <spender@grsecurity.net>
1231 Date: Wed Apr 10 20:32:54 2013 -0400
1233 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
1236 1 files changed, 1 insertions(+), 1 deletions(-)
1238 commit acac2380fd97acee4367d2aa24c74322dcf1d22b
1239 Author: Trond Myklebust <Trond.Myklebust@netapp.com>
1240 Date: Fri Apr 5 16:11:11 2013 -0400
1242 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
1244 NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
1246 It is unsafe to use list_for_each_entry_safe() here, because
1247 when we drop the nn->nfs_client_lock, we pin the _current_ list
1248 entry and ensure that it stays in the list, but we don't do the
1249 same for the _next_ list entry. Use of list_for_each_entry() is
1250 therefore the correct thing to do.
1252 Also fix the refcounting in nfs41_walk_client_list().
1254 Finally, ensure that the nfs_client has finished being initialised
1255 and, in the case of NFSv4.1, that the session is set up.
1257 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
1258 Cc: Chuck Lever <chuck.lever@oracle.com>
1259 Cc: Bryan Schumaker <bjschuma@netapp.com>
1260 Cc: stable@vger.kernel.org [>= 3.7]
1262 fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
1263 1 files changed, 28 insertions(+), 16 deletions(-)
1265 commit a6cf5f387b882ac0ce655b75f623f86c075517be
1266 Author: Chuck Lever <chuck.lever@oracle.com>
1267 Date: Fri Mar 22 12:52:59 2013 -0400
1269 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
1271 SUNRPC: Remove extra xprt_put()
1273 While testing error cases where rpc_new_client() fails, I saw
1276 If rpc_new_client() fails, it already invokes xprt_put(). Thus
1277 __rpc_clone_client() does not need to invoke it again.
1279 Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
1282 Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
1283 Cc: stable@vger.kernel.org [>=3.7]
1284 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
1286 net/sunrpc/clnt.c | 4 +---
1287 1 files changed, 1 insertions(+), 3 deletions(-)
1289 commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
1290 Author: Trond Myklebust <Trond.Myklebust@netapp.com>
1291 Date: Fri Apr 5 14:13:21 2013 -0400
1293 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
1295 SUNRPC: Fix a potential memory leak in rpc_new_client
1297 If the call to rpciod_up() fails, we currently leak a reference to the
1299 As part of the fix, we also remove the redundant check for xprt!=NULL.
1300 This is already taken care of by the callers.
1302 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
1304 net/sunrpc/clnt.c | 7 ++-----
1305 1 files changed, 2 insertions(+), 5 deletions(-)
1307 commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
1308 Author: Brad Spengler <spender@grsecurity.net>
1309 Date: Wed Apr 10 19:16:05 2013 -0400
1311 From https://lkml.org/lkml/2013/4/8/469:
1312 [PATCH] rtnetlink: call nlmsg_parse() with correct header length
1314 net/core/rtnetlink.c | 4 ++--
1315 1 files changed, 2 insertions(+), 2 deletions(-)
1317 commit 9529169b8c405874fd543b785f53c74fa0501c2a
1318 Author: Christopher Harvey <charvey@matrox.com>
1319 Date: Fri Apr 5 10:51:15 2013 -0400
1321 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
1323 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
1325 This change properly enables the "requester" in G200ER cards that is
1326 responsible for getting pixels out of memory and clocking them out to
1329 Signed-off-by: Christopher Harvey <charvey@matrox.com>
1330 Cc: stable@vger.kernel.org
1331 Signed-off-by: Dave Airlie <airlied@redhat.com>
1333 drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
1334 1 files changed, 3 insertions(+), 10 deletions(-)
1336 commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
1337 Author: Al Viro <viro@zeniv.linux.org.uk>
1338 Date: Thu Mar 28 13:30:23 2013 -0400
1340 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
1342 ecryptfs: close rmmod race
1344 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
1346 fs/ecryptfs/miscdev.c | 14 ++------------
1347 1 files changed, 2 insertions(+), 12 deletions(-)
1349 commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
1350 Author: Brad Spengler <spender@grsecurity.net>
1351 Date: Wed Apr 10 19:03:45 2013 -0400
1353 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
1355 arch/ia64/kernel/palinfo.c | 2 +-
1356 1 files changed, 1 insertions(+), 1 deletions(-)
1358 commit 83280e384ae3ceadad30369ced111dc7d4b46085
1359 Author: Andrey Vagin <avagin@openvz.org>
1360 Date: Tue Apr 9 17:33:29 2013 +0400
1362 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
1364 mnt: release locks on error path in do_loopback
1366 do_loopback calls lock_mount(path) and forgets to unlock_mount
1367 if clone_mnt or copy_mnt fails.
1369 [ 77.661566] ================================================
1370 [ 77.662939] [ BUG: lock held when returning to user space! ]
1371 [ 77.664104] 3.9.0-rc5+ #17 Not tainted
1372 [ 77.664982] ------------------------------------------------
1373 [ 77.666488] mount/514 is leaving the kernel with locks still held!
1374 [ 77.668027] 2 locks held by mount/514:
1375 [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
1376 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
1378 Signed-off-by: Andrey Vagin <avagin@openvz.org>
1379 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
1381 fs/namespace.c | 2 +-
1382 1 files changed, 1 insertions(+), 1 deletions(-)
1384 commit 679e536b9d9536d804f049fe942367a596253e6d
1385 Author: Alex Williamson <alex.williamson@redhat.com>
1386 Date: Tue Mar 26 11:33:16 2013 -0600
1388 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
1390 vfio-pci: Fix possible integer overflow
1392 The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
1393 of which are unsigned. We attempt to bounds check these, but fail to
1394 account for the case where start is a very large number, allowing
1395 start + count to wrap back into the valid range. Bounds check both
1396 start and start + count.
1398 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
1399 Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
1401 drivers/vfio/pci/vfio_pci.c | 3 ++-
1402 1 files changed, 2 insertions(+), 1 deletions(-)
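The wrap described in the vfio-pci commit message above, as an added example (not the driver's code and not part of the changelog): a sum-only bounds check beside a form that bounds start first and then compares count to the room left, so no addition can wrap. The struct, function names, table size and sample requests are hypothetical and constructed for illustration, and the last sample goes slightly beyond the text's case by wrapping through a large count instead of a large start.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request: the two unsigned fields the commit message names. */
struct irq_req {
    uint32_t start;
    uint32_t count;
};

typedef int (*check_fn)(const struct irq_req *, uint32_t);

/* Weak form: only the 32-bit sum is compared against the limit, so a very
 * large start makes start + count wrap back into the valid range. */
static int check_sum_only(const struct irq_req *r, uint32_t max)
{
    return (uint32_t)(r->start + r->count) <= max;
}

/* Hardened form: reject a start beyond the table, then require count to fit
 * in the room that is left. Nothing is added, so nothing can wrap. */
static int check_start_and_room(const struct irq_req *r, uint32_t max)
{
    if (r->start > max)
        return 0;
    return r->count <= max - r->start;
}

/* Ground truth computed in 64 bits, where start + count cannot wrap. */
static int truly_in_range(const struct irq_req *r, uint32_t max)
{
    return (uint64_t)r->start + (uint64_t)r->count <= (uint64_t)max;
}

#define TABLE_SIZE 4u /* assumed number of valid entries */

/* Constructed sample requests. */
static const struct irq_req samples[] = {
    { 0u,          4u          }, /* whole table: valid                  */
    { 2u,          3u          }, /* runs one past the end: invalid      */
    { 0xFFFFFFFFu, 2u          }, /* huge start, 32-bit sum wraps to 1   */
    { 0xFFFFFFFEu, 4u          }, /* huge start, 32-bit sum wraps to 2   */
    { 3u,          0xFFFFFFFFu }, /* huge count, 32-bit sum wraps to 2   */
};
#define N_SAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of samples a check accepts although the real range is out of bounds. */
static int unsafe_accepts(check_fn check)
{
    int bad = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (check(&samples[i], TABLE_SIZE) && !truly_in_range(&samples[i], TABLE_SIZE))
            bad++;
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("start=%#x count=%#x sum_only=%d start_and_room=%d\n",
               (unsigned)samples[i].start, (unsigned)samples[i].count,
               check_sum_only(&samples[i], TABLE_SIZE),
               check_start_and_room(&samples[i], TABLE_SIZE));
    printf("unsafe accepts: sum_only=%d start_and_room=%d\n",
           unsafe_accepts(check_sum_only), unsafe_accepts(check_start_and_room));
    return 0;
}
```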
1404 commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
1405 Author: Brad Spengler <spender@grsecurity.net>
1406 Date: Wed Apr 10 18:48:45 2013 -0400
1408 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
1410 security/Kconfig | 2 +-
1411 1 files changed, 1 insertions(+), 1 deletions(-)
1413 commit b5261a6384ee42499b29495aaae40b271e77d394
1414 Author: Brad Spengler <spender@grsecurity.net>
1415 Date: Tue Apr 9 17:30:45 2013 -0400
1417 some undefined behavior fixups
1419 grsecurity/gracl.c | 4 ++--
1420 grsecurity/gracl_ip.c | 10 +++++-----
1421 grsecurity/gracl_segv.c | 4 ++--
1422 3 files changed, 9 insertions(+), 9 deletions(-)
1424 commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
1425 Author: Brad Spengler <spender@grsecurity.net>
1426 Date: Tue Apr 9 17:28:54 2013 -0400
1428 don't whine about denied ipv6 when it's not enabled
1430 grsecurity/gracl_ip.c | 3 +++
1431 1 files changed, 3 insertions(+), 0 deletions(-)
1433 commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
1434 Merge: 97bca88 9123489
1435 Author: Brad Spengler <spender@grsecurity.net>
1436 Date: Tue Apr 9 17:18:45 2013 -0400
1438 Merge branch 'pax-test' into grsec-test
1440 commit 9123489428c58668a89f316db6619739cbdd2c2a
1441 Author: Brad Spengler <spender@grsecurity.net>
1442 Date: Tue Apr 9 17:17:46 2013 -0400
1444 Update to pax-linux-3.8.6-test18.patch:
1445 - new size overflow plugin from Emese to work around a gcc optimization
1446 resulting in an intentional overflow, reported by Carlos Carvalho
1447 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
1449 tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
1450 1 files changed, 66 insertions(+), 2 deletions(-)
1452 commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
1453 Merge: 675a41e e9d6073
1454 Author: Brad Spengler <spender@grsecurity.net>
1455 Date: Mon Apr 8 21:32:59 2013 -0400
1457 Merge branch 'pax-test' into grsec-test
1460 arch/sparc/kernel/us3_cpufreq.c
1462 commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
1463 Author: Brad Spengler <spender@grsecurity.net>
1464 Date: Mon Apr 8 21:19:03 2013 -0400
1466 Update to pax-linux-3.8.6-test17.patch:
1467 - fixed ia64/ppc/sparc compilation by spender
1468 - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
1470 arch/ia64/include/asm/uaccess.h | 2 -
1471 arch/powerpc/include/asm/uaccess.h | 2 -
1472 arch/sparc/include/asm/uaccess.h | 7 ----
1473 arch/sparc/kernel/prom_common.c | 2 +-
1474 arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
1475 tools/gcc/structleak_plugin.c | 15 ++++----
1476 6 files changed, 28 insertions(+), 69 deletions(-)
1478 commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
1479 Author: Brad Spengler <spender@grsecurity.net>
1480 Date: Sun Apr 7 12:00:50 2013 -0400
1482 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
1485 1 files changed, 1 insertions(+), 1 deletions(-)
1487 commit 5a216624a06429488f24ce47db093da042f90e48
1488 Author: Brad Spengler <spender@grsecurity.net>
1489 Date: Sat Apr 6 13:22:24 2013 -0400
1493 arch/sparc/kernel/us3_cpufreq.c | 5 +----
1494 1 files changed, 1 insertions(+), 4 deletions(-)
1496 commit e476ca18d21788898cd3acd1b57049971a2fb70f
1497 Author: Brad Spengler <spender@grsecurity.net>
1498 Date: Sat Apr 6 13:16:13 2013 -0400
1500 properly fix cpufreq_driver for ultrasparc III with constification
1502 arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
1503 1 files changed, 17 insertions(+), 18 deletions(-)
1505 commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
1506 Author: Brad Spengler <spender@grsecurity.net>
1507 Date: Sat Apr 6 12:58:48 2013 -0400
1509 mark prom_sparc_ops __initconst
1511 arch/sparc/kernel/prom_common.c | 2 +-
1512 1 files changed, 1 insertions(+), 1 deletions(-)
1514 commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
1515 Author: Brad Spengler <spender@grsecurity.net>
1516 Date: Sat Apr 6 12:53:16 2013 -0400
1518 fix ia64/powerpc/sparc compilation
1520 arch/ia64/include/asm/uaccess.h | 2 --
1521 arch/powerpc/include/asm/uaccess.h | 2 --
1522 arch/sparc/include/asm/uaccess.h | 7 -------
1523 3 files changed, 0 insertions(+), 11 deletions(-)
1525 commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
1526 Author: Johannes Berg <johannes.berg@intel.com>
1527 Date: Tue Mar 19 20:26:57 2013 +0100
1529 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
1531 cfg80211: fix wdev tracing crash
1533 Arend reported a crash in tracing if the driver returns an
1534 ERR_PTR() value from the add_virtual_intf() callback. This
1535 is due to the tracing then still attempting to dereference
1536 the "pointer", fix this by using IS_ERR_OR_NULL().
1538 Reported-by: Arend van Spriel <arend@broadcom.com>
1539 Tested-by: Arend van Spriel <arend@broadcom.com>
1540 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1542 net/wireless/trace.h | 3 ++-
1543 1 files changed, 2 insertions(+), 1 deletions(-)
1545 commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
1546 Author: Johannes Berg <johannes.berg@intel.com>
1547 Date: Mon Mar 25 11:51:14 2013 +0100
1549 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
1551 mac80211: fix remain-on-channel cancel crash
1553 If a ROC item is canceled just as it expires, the work
1554 struct may be scheduled while it is running (and waiting
1555 for the mutex). This results in it being run after being
1556 freed, which obviously crashes.
1558 To fix this don't free it when aborting is requested but
1559 instead mark it as "to be freed", which makes the work a
1560 no-op and allows freeing it outside.
1562 Cc: stable@vger.kernel.org [3.6+]
1563 Reported-by: Jouni Malinen <j@w1.fi>
1564 Tested-by: Jouni Malinen <j@w1.fi>
1565 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1567 net/mac80211/cfg.c | 6 ++++--
1568 net/mac80211/ieee80211_i.h | 3 ++-
1569 net/mac80211/offchannel.c | 23 +++++++++++++++++------
1570 3 files changed, 23 insertions(+), 9 deletions(-)
1572 commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
1573 Author: Stone Piao <piaoyun@marvell.com>
1574 Date: Fri Mar 29 19:21:21 2013 -0700
1576 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
1578 mwifiex: limit channel number not to overflow memory
1580 Limit the channel number in scan request, or the driver scan
1581 config structure memory will be overflowed.
1583 Cc: <stable@vger.kernel.org> # 3.5+
1584 Signed-off-by: Stone Piao <piaoyun@marvell.com>
1585 Signed-off-by: Bing Zhao <bzhao@marvell.com>
1586 Signed-off-by: John W. Linville <linville@tuxdriver.com>
1588 drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
1589 1 files changed, 2 insertions(+), 1 deletions(-)
1591 commit 207c411512bdaf0e4271f93ecac6ca26588da36f
1592 Author: Gao feng <gaofeng@cn.fujitsu.com>
1593 Date: Thu Mar 21 19:48:41 2013 +0000
1595 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
1597 netfilter: reset nf_trace in nf_reset
1599 We forgot to clear the nf_trace of sk_buff in nf_reset,
1600 When we use veth device, this nf_trace information will
1601 be leaked from one net namespace to another net namespace.
1603 Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
1604 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1606 include/linux/skbuff.h | 3 +++
1607 1 files changed, 3 insertions(+), 0 deletions(-)
1609 commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
1610 Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
1611 Date: Fri Mar 22 01:28:18 2013 +0000
1613 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
1615 netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
1617 Fix to return a negative error code from the error handling
1618 case instead of 0, as returned elsewhere in this function.
1620 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
1621 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1623 net/netfilter/nfnetlink_queue_core.c | 4 +++-
1624 1 files changed, 3 insertions(+), 1 deletions(-)
1626 commit a79feb7d3251eca577d83d7f69eee2b961ab2924
1627 Author: Pablo Neira Ayuso <pablo@netfilter.org>
1628 Date: Sat Mar 23 16:57:59 2013 +0100
1630 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
1632 netfilter: nfnetlink_acct: return -EINVAL if object name is empty
1634 If user-space tries to create accounting object with an empty
1635 name, then return -EINVAL.
1637 Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
1638 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1640 net/netfilter/nfnetlink_acct.c | 2 ++
1641 1 files changed, 2 insertions(+), 0 deletions(-)
1643 commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
1644 Author: Matthias Schiffer <mschiffer@universe-factory.net>
1645 Date: Sat Mar 30 10:23:12 2013 +0000
1647 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
1649 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
1651 The bitmask used for the prefix mangling was being calculated
1652 incorrectly, leading to the wrong part of the address being replaced
1653 when the prefix length wasn't a multiple of 32.
1655 Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
1656 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1658 net/ipv6/netfilter/ip6t_NPT.c | 2 +-
1659 1 files changed, 1 insertions(+), 1 deletions(-)
1661 commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
1662 Author: Veaceslav Falico <vfalico@redhat.com>
1663 Date: Wed Apr 3 05:46:33 2013 +0000
1665 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
1667 bonding: remove sysfs before removing devices
1669 We have a race condition if we try to rmmod bonding and simultaneously add
1670 a bond master through sysfs. In bonding_exit() we first remove the devices
1671 (through rtnl_link_unregister() ) and only after that we remove the sysfs.
1672 If we manage to add a device through sysfs after that the devices were
1673 removed - we'll end up with that device/sysfs structure and with the module
1676 Fix this by first removing the sysfs and only after that calling
1677 rtnl_link_unregister().
1679 Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
1680 Signed-off-by: David S. Miller <davem@davemloft.net>
1682 drivers/net/bonding/bond_main.c | 2 +-
1683 1 files changed, 1 insertions(+), 1 deletions(-)
1685 commit d12cae44a9d12441d81c489178803237219d403d
1686 Author: Eric W. Biederman <ebiederm@xmission.com>
1687 Date: Wed Apr 3 16:14:47 2013 +0000
1689 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
1691 af_unix: If we don't care about credentials coallesce all messages
1693 It was reported that the following LSB test case failed
1694 https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
1695 were not coalescing unix stream messages when the application was
1698 The problem was that the first send was before the socket was accepted
1699 and thus sock->sk_socket was NULL in maybe_add_creds, and the second
1700 send after the socket was accepted had a non-NULL value for sk->socket
1701 and thus we could tell the credentials were not needed so we did not
1704 The unnecessary credentials on the first message cause
1705 unix_stream_recvmsg to start verifying that all messages had the same
1706 credentials before coalescing and then the coalescing failed because
1707 the second message had no credentials.
1709 Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
1710 long standing pessimization which would fail to coalesce messages when
1711 reading from a unix stream socket if the senders were different even if
1712 we did not care about their credentials.
1714 I have tested this and verified that in the LSB test case mentioned
1715 above the messages do coalesce now, while they were failing to
1716 coalesce without this change.
1718 Reported-by: Karel Srot <ksrot@redhat.com>
1719 Reported-by: Ding Tianhong <dingtianhong@huawei.com>
1720 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
1721 Signed-off-by: David S. Miller <davem@davemloft.net>
1723 net/unix/af_unix.c | 2 +-
1724 1 files changed, 1 insertions(+), 1 deletions(-)
1726 commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
1727 Author: Eric W. Biederman <ebiederm@xmission.com>
1728 Date: Wed Apr 3 16:13:35 2013 +0000
1730 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
1732 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
1734 This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
1736 The problem that the above patch was meant to address is that af_unix
1737 messages are not being coalesced because we are sending unnecessary
1738 credentials. Not sending credentials in maybe_add_creds totally
1739 breaks unconnected unix domain sockets that wish to send credentials
1742 In practice this breaks some versions of udev because they receive a
1743 message and the sending uid is bogus so they drop the message.
1745 Reported-by: Sven Joachim <svenjoac@gmx.de>
1746 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
1747 Signed-off-by: David S. Miller <davem@davemloft.net>
1749 net/unix/af_unix.c | 4 ++--
1750 1 files changed, 2 insertions(+), 2 deletions(-)
1752 commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
1753 Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
1754 Date: Wed Mar 20 21:31:42 2013 +0000
1756 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
1758 lantiq_etop: use free_netdev(netdev) instead of kfree()
1760 Freeing netdev without free_netdev() leads to net, tx leaks.
1761 And it may lead to dereferencing freed pointer.
1763 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
1764 Signed-off-by: David S. Miller <davem@davemloft.net>
1766 drivers/net/ethernet/lantiq_etop.c | 2 +-
1767 1 files changed, 1 insertions(+), 1 deletions(-)
1769 commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
1770 Author: Cong Wang <amwang@redhat.com>
1771 Date: Fri Mar 22 19:14:07 2013 +0000
1773 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
1775 8021q: fix a potential use-after-free
1777 vlan_vid_del() could possibly free ->vlan_info after a RCU grace
1778 period, however, we may still refer to the freed memory area
1779 by 'grp' pointer. Found by code inspection.
1781 This patch moves vlan_vid_del() as behind as possible.
1783 Cc: Patrick McHardy <kaber@trash.net>
1784 Cc: "David S. Miller" <davem@davemloft.net>
1785 Signed-off-by: Cong Wang <amwang@redhat.com>
1786 Acked-by: Eric Dumazet <edumazet@google.com>
1787 Signed-off-by: David S. Miller <davem@davemloft.net>
1789 net/8021q/vlan.c | 7 +++++++
1790 1 files changed, 7 insertions(+), 0 deletions(-)
1792 commit fff29c277024a39845d4b535083c8dafc21b45d9
1793 Author: Hong zhi guo <honkiko@gmail.com>
1794 Date: Sat Mar 23 02:27:50 2013 +0000
1796 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
1798 bridge: fix crash when set mac address of br interface
1800 When I tried to set mac address of a bridge interface to a mac
1801 address which already learned on this bridge, I got system hang.
1803 The cause is straight forward: function br_fdb_change_mac_address
1804 calls fdb_insert with NULL source nbp. Then an fdb lookup is
1805 performed. If an fdb entry is found and it's local, it's OK. But
1806 if it's not local, source is dereferenced for printk without NULL
1809 Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
1810 Signed-off-by: David S. Miller <davem@davemloft.net>
1812 net/bridge/br_fdb.c | 2 +-
1813 1 files changed, 1 insertions(+), 1 deletions(-)
1815 commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
1816 Author: Kumar Amit Mehta <gmate.amit@gmail.com>
1817 Date: Sat Mar 23 20:10:25 2013 +0000
1819 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
1821 bnx2x: fix assignment of signed expression to unsigned variable
1823 fix for incorrect assignment of signed expression to unsigned variable.
1825 Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
1826 Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
1827 Signed-off-by: David S. Miller <davem@davemloft.net>
1829 drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
1830 1 files changed, 9 insertions(+), 9 deletions(-)
1832 commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
1833 Author: dingtianhong <dingtianhong@huawei.com>
1834 Date: Mon Mar 25 17:02:04 2013 +0000
1836 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
1838 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
1840 SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
1841 socket asserted SOCK_PASSCRED. The original implementation in maybe_add_creds is wrong,
1842 and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
1844 Origionally-authored-by: Karel Srot <ksrot@redhat.com>
1845 Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
1846 Acked-by: Eric Dumazet <edumazet@google.com>
1847 Signed-off-by: David S. Miller <davem@davemloft.net>
1849 net/unix/af_unix.c | 4 ++--
1850 1 files changed, 2 insertions(+), 2 deletions(-)
1852 commit b964e1e61f0f0ccaa380be3342f956c604054bdc
1853 Author: Eric W. Biederman <ebiederm@xmission.com>
1854 Date: Thu Mar 21 02:30:41 2013 -0700
1856 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
1858 yama: Better permission check for ptraceme
1860 Change the permission check for yama_ptrace_ptracee to the standard
1861 ptrace permission check, testing if the tracer has CAP_SYS_PTRACE
1862 in the tracee's user namespace.
1864 Reviewed-by: Kees Cook <keescook@chromium.org>
1865 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
1867 security/yama/yama_lsm.c | 4 +---
1868 1 files changed, 1 insertions(+), 3 deletions(-)
1870 commit b94e71c7b6abe75989edff18aca2781233fa143b
1871 Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
1872 Date: Mon Apr 1 11:40:51 2013 +0400
1874 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
1876 ipc: set msg back to -EAGAIN if copy wasn't performed
1878 Make sure that msg pointer is set back to error value in case of
1879 MSG_COPY flag is set and desired message to copy wasn't found. This
1880 guarantees that msg is either an error pointer or a copy address.
1882 Otherwise the last message in queue will be freed without unlinking from
1883 the queue (which leads to memory corruption) and the dummy allocated
1884 copy won't be released.
1886 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
1887 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1890 1 files changed, 1 insertions(+), 0 deletions(-)
1892 commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
1893 Author: Jan Kara <jack@suse.cz>
1894 Date: Fri Mar 29 15:39:16 2013 +0100
1896 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
1898 reiserfs: Fix warning and inode leak when deleting inode with xattrs
1900 After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
1901 started failing to delete xattrs from inode. This was due to a buggy
1902 test for '.' and '..' in fill_with_dentries() which resulted in passing
1903 '.' and '..' entries to lookup_one_len() in some cases. That returned
1904 error and so we failed to iterate over all xattrs of an inode.
1906 Fix the test in fill_with_dentries() along the lines of the one in
1909 Reported-by: Pawel Zawora <pzawora@gmail.com>
1910 CC: stable@vger.kernel.org
1911 Signed-off-by: Jan Kara <jack@suse.cz>
1913 fs/reiserfs/xattr.c | 4 ++--
1914 1 files changed, 2 insertions(+), 2 deletions(-)
1916 commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
1917 Author: Paul Bolle <pebolle@tiscali.nl>
1918 Date: Wed Apr 3 12:24:45 2013 +0100
1920 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
1922 ARM: 7690/1: mm: fix CONFIG_LPAE typos
1924 CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
1925 up the two typos under arch/arm/.
1927 The fix to head.S is slightly scary, but this is just for setting up
1928 an early io-mapping for the serial port when running on a big-endian,
1929 LPAE system. Since these systems don't exist in the wild (at least, I
1930 have no access to one outside of kvmtool, which doesn't provide a serial
1931 port suitable for earlyprintk), then we can revisit the code later if it
1932 causes any problems.
1934 Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
1935 Signed-off-by: Will Deacon <will.deacon@arm.com>
1936 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
1938 arch/arm/kernel/head.S | 2 +-
1939 arch/arm/kernel/setup.c | 2 +-
1940 2 files changed, 2 insertions(+), 2 deletions(-)
1942 commit 984ba346b2d8f158473e9723ba145031368431ed
1943 Author: Catalin Marinas <catalin.marinas@arm.com>
1944 Date: Tue Mar 26 23:35:04 2013 +0100
1946 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
1948 ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
1950 On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
1951 all use of the old entries. This patch implements the erratum workaround
1954 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
1955 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
1956 one being invalidated (or all the online CPUs for global pages).
1957 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
1958 return code already).
1960 Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
1961 Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
1965 arch/arm/include/asm/tlbflush.h
1966 arch/arm/kernel/smp_tlb.c
1967 arch/arm/mm/context.c
1969 arch/arm/Kconfig | 10 +++++
1970 arch/arm/include/asm/highmem.h | 7 ++++
1971 arch/arm/include/asm/mmu_context.h | 2 +
1972 arch/arm/include/asm/tlbflush.h | 15 ++++++++
1973 arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
1974 arch/arm/mm/context.c | 6 ++-
1975 6 files changed, 104 insertions(+), 2 deletions(-)
1977 commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
1978 Author: Jan Stancek <jstancek@redhat.com>
1979 Date: Thu Apr 4 11:35:10 2013 -0700
1981 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
1983 mm: prevent mmap_cache race in find_vma()
1985 find_vma() can be called by multiple threads with read lock
1986 held on mm->mmap_sem and any of them can update mm->mmap_cache.
1987 Prevent compiler from re-fetching mm->mmap_cache, because other
1988 readers could update it in the meantime:
1992 find_vma() | find_vma()
1993 struct vm_area_struct *vma = NULL; |
1994 vma = mm->mmap_cache; |
1995 if (!(vma && vma->vm_end > addr |
1996 && vma->vm_start <= addr)) { |
1997 | mm->mmap_cache = vma;
1999 ^^ compiler may optimize this |
2000 local variable out and re-read |
2003 This issue can be reproduced with gcc-4.8.0-1 on s390x by running
2004 mallocstress testcase from LTP, which triggers:
2006 kernel BUG at mm/rmap.c:1088!
2008 ([<000003d100c57000>] 0x3d100c57000)
2009 [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
2010 [<000000000023baae>] handle_pte_fault+0x41a/0xac8
2011 [<000000000023d832>] handle_mm_fault+0x17a/0x268
2012 [<000000000060507a>] do_protection_exception+0x1e2/0x394
2013 [<0000000000603a04>] pgm_check_handler+0x138/0x13c
2014 [<000003fffcf1f07a>] 0x3fffcf1f07a
2015 Last Breaking-Event-Address:
2016 [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
2018 Thanks to Jakub Jelinek for his insight on gcc and helping to
2021 Signed-off-by: Jan Stancek <jstancek@redhat.com>
2022 Acked-by: David Rientjes <rientjes@google.com>
2023 Signed-off-by: Hugh Dickins <hughd@google.com>
2024 Cc: stable@vger.kernel.org
2025 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2029 2 files changed, 2 insertions(+), 2 deletions(-)
2031 commit 53f5096daa14967938bc154e6c41f9119863fb36
2032 Merge: e988d7c 0a45285
2033 Author: Brad Spengler <spender@grsecurity.net>
2034 Date: Fri Apr 5 17:32:31 2013 -0400
2036 Merge branch 'pax-test' into grsec-test
2039 drivers/net/ethernet/broadcom/tg3.c
2041 commit 0a452855444d02502df6eb21ef3083cf303f71e1
2042 Merge: 0277fa1 00cfbb8
2043 Author: Brad Spengler <spender@grsecurity.net>
2044 Date: Fri Apr 5 17:31:15 2013 -0400
2046 Update to pax-linux-3.8.6-test16.patch:
2047 - fixed some attribute leakage into userland headers, patch by Mathias Krause
2048 - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
2050 Merge branch 'linux-3.8.y' into pax-test
2053 drivers/gpu/drm/i915/intel_display.c
2055 commit e988d7c8d946c816a2cb97f0d38048a1584966b8
2056 Merge: baec40e 0277fa1
2057 Author: Brad Spengler <spender@grsecurity.net>
2058 Date: Wed Apr 3 22:05:41 2013 -0400
2060 Merge branch 'pax-test' into grsec-test
2062 commit 0277fa123b486cf11420967e4568d7653e225fd3
2063 Author: Brad Spengler <spender@grsecurity.net>
2064 Date: Wed Apr 3 22:04:48 2013 -0400
2066 Update to pax-linux-3.8.5-test15.patch:
2067 - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
2068 - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
2070 drivers/media/pci/cx88/cx88-video.c | 6 +++---
2071 include/net/net_namespace.h | 4 ++++
2072 2 files changed, 7 insertions(+), 3 deletions(-)
2074 commit baec40e6708fd5ae2000cad6c70c5980c998b91c
2075 Author: Brad Spengler <spender@grsecurity.net>
2076 Date: Tue Apr 2 19:50:32 2013 -0400
2078 fix compilation as reported on forums for gcc versions lacking plugin
2081 include/net/net_namespace.h | 4 ++++
2082 1 files changed, 4 insertions(+), 0 deletions(-)
2084 commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
2085 Merge: 6b69c35 0db9d15
2086 Author: Brad Spengler <spender@grsecurity.net>
2087 Date: Tue Apr 2 17:47:27 2013 -0400
2089 Merge branch 'pax-test' into grsec-test
2091 commit 0db9d156826bdd50510086fde837648a3dfd370e
2092 Author: Brad Spengler <spender@grsecurity.net>
2093 Date: Tue Apr 2 17:46:05 2013 -0400
2095 Update to pax-linux-3.8.5-test14.patch:
2096 - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
2098 arch/x86/include/asm/uaccess_64.h | 6 +-
2099 include/linux/moduleloader.h | 4 +-
2100 tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
2101 3 files changed, 61 insertions(+), 47 deletions(-)
2103 commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
2104 Author: Brad Spengler <spender@grsecurity.net>
2105 Date: Tue Apr 2 17:35:06 2013 -0400
2107 remove duplicate compiler.h
2109 include/linux/sysrq.h | 1 -
2110 1 files changed, 0 insertions(+), 1 deletions(-)
2112 commit 01e1d503fd2220adaaec0b92ea19441bdff73555
2113 Author: Brad Spengler <spender@grsecurity.net>
2114 Date: Fri Mar 29 19:53:50 2013 -0400
2116 fix intentional_overflow marking on sys_sendto
2118 include/linux/syscalls.h | 2 +-
2120 2 files changed, 2 insertions(+), 2 deletions(-)
2122 commit cd5ff114d958470f471c63775278e8c05e774630
2123 Author: Brad Spengler <spender@grsecurity.net>
2124 Date: Fri Mar 29 18:46:16 2013 -0400
2126 fix size_overflow false positive
2128 kernel/futex_compat.c | 2 +-
2129 1 files changed, 1 insertions(+), 1 deletions(-)
2131 commit 295ba16cc53df2375261accbedd6575ea327770a
2132 Merge: 18340f1 278a989
2133 Author: Brad Spengler <spender@grsecurity.net>
2134 Date: Fri Mar 29 17:36:18 2013 -0400
2136 Merge branch 'pax-test' into grsec-test
2140 include/linux/thread_info.h
2142 commit 278a989c831d62193c7b3d119fe2302babd45d12
2143 Author: Brad Spengler <spender@grsecurity.net>
2144 Date: Fri Mar 29 17:34:34 2013 -0400
2146 Resync with pax-linux-3.8.5-test13.patch
2148 arch/arm/include/asm/pgtable.h | 3 ++-
2149 arch/arm/lib/delay.c | 1 +
2150 fs/exec.c | 8 ++++----
2151 include/linux/compiler.h | 1 +
2152 include/linux/proc_fs.h | 2 +-
2153 include/linux/thread_info.h | 6 +++---
2154 include/linux/zlib.h | 3 ++-
2155 init/main.c | 4 ++--
2156 kernel/user_namespace.c | 2 +-
2157 lib/list_debug.c | 4 ++--
2161 net/core/sysctl_net_core.c | 3 +--
2162 tools/gcc/constify_plugin.c | 1 +
2163 15 files changed, 24 insertions(+), 17 deletions(-)
2165 commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
2166 Merge: 05f01ae e8cfeae
2167 Author: Brad Spengler <spender@grsecurity.net>
2168 Date: Fri Mar 29 17:30:57 2013 -0400
2170 Merge branch 'pax-test' into grsec-test
2172 commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
2173 Merge: b461cb7 aa4cfde
2174 Author: Brad Spengler <spender@grsecurity.net>
2175 Date: Fri Mar 29 17:30:44 2013 -0400
2177 Merge branch 'linux-3.8.y' into pax-test
2180 drivers/gpu/drm/i915/i915_gem_execbuffer.c
2183 commit 05f01ae4c3479541586a2387f916a6620889c479
2184 Author: Brad Spengler <spender@grsecurity.net>
2185 Date: Fri Mar 29 17:05:39 2013 -0400
2187 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
2188 takes user-provided length, copies up to that amount in a sockaddr_storage
2189 struct on the stack, then takes an upper-bounded-only user-provided length
2190 and copies the sockaddr_storage struct back out to userland, complete with
2194 1 files changed, 1 insertions(+), 1 deletions(-)
2196 commit eea6ade59490784e83e08ec67322288fcf14cb31
2197 Author: Brad Spengler <spender@grsecurity.net>
2198 Date: Thu Mar 28 23:07:37 2013 -0400
2200 return a proper error, otherwise we could be accessing uninitialized data
2201 (previous define was a positive value)
2203 drivers/usb/storage/realtek_cr.c | 2 +-
2204 1 files changed, 1 insertions(+), 1 deletions(-)
2206 commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
2207 Merge: c3dc9a6 b461cb7
2208 Author: Brad Spengler <spender@grsecurity.net>
2209 Date: Thu Mar 28 20:54:24 2013 -0400
2211 Merge branch 'pax-test' into grsec-test
2213 commit b461cb7b1d85490430ef7896c247794af72c3749
2214 Author: Brad Spengler <spender@grsecurity.net>
2215 Date: Thu Mar 28 20:54:11 2013 -0400
2217 Add structleak plugin
2219 tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
2220 1 files changed, 270 insertions(+), 0 deletions(-)
2222 commit c3dc9a6ef10782894bb11fd088fd712db44d8062
2223 Author: Brad Spengler <spender@grsecurity.net>
2224 Date: Thu Mar 28 20:53:22 2013 -0400
2226 Enable structleak by default for the security auto-config
2228 security/Kconfig | 11 +++++++----
2229 1 files changed, 7 insertions(+), 4 deletions(-)
2231 commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
2232 Merge: d8503a3 74bec16
2233 Author: Brad Spengler <spender@grsecurity.net>
2234 Date: Thu Mar 28 20:47:10 2013 -0400
2236 Merge branch 'pax-test' into grsec-test
2238 commit 74bec16b657147a5575b1f14f4423a717ba317a6
2239 Author: Brad Spengler <spender@grsecurity.net>
2240 Date: Thu Mar 28 20:46:13 2013 -0400
2242 Update to pax-linux-3.8.4-test13.patch:
2243 - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
2244 - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
2247 arch/x86/include/asm/compat.h | 2 +-
2248 arch/x86/mm/fault.c | 3 +-
2249 fs/binfmt_elf.c | 2 +-
2250 include/linux/compiler.h | 42 ++++++++++++++--------------------------
2251 security/Kconfig | 16 +++++++++++++++
2252 tools/gcc/Makefile | 2 +
2253 tools/gcc/constify_plugin.c | 7 +++++-
2254 8 files changed, 47 insertions(+), 32 deletions(-)
2256 commit d8503a3a35d68b9ba1615d29335aef3f70d51465
2257 Author: Brad Spengler <spender@grsecurity.net>
2258 Date: Thu Mar 28 20:02:40 2013 -0400
2260 Fix 8-byte stack infoleak in ia32_rt_sigpending
2261 User controls length, kernel only performs check on the upper bound, will
2262 fill in any amount less than sizeof(sigset_t) via a copy_to_user under
2263 KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
2264 regardless of whether the sigset_t content copied into it has been initialized
2267 arch/x86/ia32/sys_ia32.c | 2 +-
2268 1 files changed, 1 insertions(+), 1 deletions(-)
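
Added illustration, not part of the grsecurity changelog or of either patch: a user-space C model of the pattern described in the ia32_rt_sigpending commit above and in the earlier __sys_recvmsg commit, where a stack object is only partly filled but copied out in full. The function names, the 0xAA marker standing in for leftover stack bytes and the hardened variant are assumptions made for the example; the hardened variant shows a generic mitigation, not the one-line change these commits made.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STALE      0xAA /* constructed marker: leftover bytes in the stack slot */
#define FILLED     0x11 /* constructed marker: bytes that were really written   */
#define MAX_OBJ    128  /* "up to 128 bytes" in the __sys_recvmsg commit         */
#define SIGSET_OBJ 8    /* the "8-byte" object in the ia32_rt_sigpending commit  */

/* Count marker bytes that reached the buffer handed back to the caller. */
static long count_stale(const unsigned char *p, size_t n)
{
    long leaked = 0;

    for (size_t i = 0; i < n; i++)
        if (p[i] == STALE)
            leaked++;
    return leaked;
}

/*
 * Model of the flawed round trip: fill_len and out_len are both caller
 * controlled and are only checked against an upper bound.
 * Returns the number of stale bytes disclosed, or -1 if the call is rejected.
 */
long roundtrip_vulnerable(size_t obj_size, size_t fill_len, size_t out_len)
{
    unsigned char obj[MAX_OBJ];
    unsigned char user[MAX_OBJ] = {0};

    if (obj_size > MAX_OBJ)
        return -1;
    memset(obj, STALE, sizeof(obj));   /* stands in for an uninitialised local */

    if (fill_len > obj_size || out_len > obj_size)
        return -1;                     /* the only check: an upper bound */

    memset(obj, FILLED, fill_len);     /* partial fill of the object */
    memcpy(user, obj, out_len);        /* copy-out does not look at fill_len */
    return count_stale(user, out_len);
}

/*
 * Same round trip with two generic defences (assumptions of this example):
 * the object is zeroed before use, and the copy-out is clamped to the number
 * of bytes that were actually written. Either one alone stops this leak.
 */
long roundtrip_hardened(size_t obj_size, size_t fill_len, size_t out_len)
{
    unsigned char obj[MAX_OBJ];
    unsigned char user[MAX_OBJ] = {0};

    if (obj_size > MAX_OBJ)
        return -1;
    memset(obj, STALE, sizeof(obj));   /* same starting state as above */

    if (fill_len > obj_size || out_len > obj_size)
        return -1;

    memset(obj, 0, obj_size);          /* explicit initialisation */
    memset(obj, FILLED, fill_len);
    if (out_len > fill_len)
        out_len = fill_len;            /* never return more than was filled */
    memcpy(user, obj, out_len);
    return count_stale(user, out_len);
}

int main(void)
{
    printf("8-byte object, nothing filled: %ld stale bytes out\n",
           roundtrip_vulnerable(SIGSET_OBJ, 0, SIGSET_OBJ));
    printf("128-byte object, 16 filled:    %ld stale bytes out\n",
           roundtrip_vulnerable(MAX_OBJ, 16, MAX_OBJ));
    printf("hardened, same inputs:         %ld and %ld\n",
           roundtrip_hardened(SIGSET_OBJ, 0, SIGSET_OBJ),
           roundtrip_hardened(MAX_OBJ, 16, MAX_OBJ));
    return 0;
}
```
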
2270 commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
2271 Author: Brad Spengler <spender@grsecurity.net>
2272 Date: Tue Mar 26 21:05:05 2013 -0400
2274 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
2275 Author: J. Bruce Fields <bfields@redhat.com>
2276 Date: Tue Mar 26 14:11:13 2013 -0400
2278 nfsd4: reject "negative" acl lengths
2280 Since we only enforce an upper bound, not a lower bound, a "negative"
2281 length can get through here.
2283 The symptom seen was a warning when we attempt a kmalloc with an
2286 Reported-by: Toralf Förster <toralf.foerster@gmx.de>
2287 Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2289 fs/nfsd/nfs4xdr.c | 2 +-
2290 1 files changed, 1 insertions(+), 1 deletions(-)
2292 commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
2293 Author: Jeff Layton <jlayton@redhat.com>
2294 Date: Mon Mar 11 09:52:19 2013 -0400
2296 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
2298 cifs: ignore everything in SPNEGO blob after mechTypes
2300 We've had several reports of people attempting to mount Windows 8 shares
2301 and getting failures with a return code of -EINVAL. The default sec=
2302 mode changed recently to sec=ntlmssp. With that, we expect and parse a
2303 SPNEGO blob from the server in the NEGOTIATE reply.
2305 The current decode_negTokenInit function first parses all of the
2306 mechTypes and then tries to parse the rest of the negTokenInit reply.
2307 The parser however currently expects a mechListMIC or nothing to follow the
2308 mechTypes, but Windows 8 puts a mechToken field there instead to carry
2309 some info for the new NegoEx stuff.
2311 In practice, we don't do anything with the fields after the mechTypes
2312 anyway so I don't see any real benefit in continuing to parse them.
2313 This patch just has the kernel ignore the fields after the mechTypes.
2314 We'll probably need to reinstate some of this if we ever want to support
2317 Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
2318 Reported-by: Yan Li <elliot.li.tech@gmail.com>
2319 Signed-off-by: Jeff Layton <jlayton@redhat.com>
2320 Cc: <stable@vger.kernel.org>
2321 Signed-off-by: Steve French <sfrench@us.ibm.com>
2323 fs/cifs/asn1.c | 53 +++++------------------------------------------------
2324 1 files changed, 5 insertions(+), 48 deletions(-)
2326 commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
2327 Merge: 93ff726 0deb54c
2328 Author: Brad Spengler <spender@grsecurity.net>
2329 Date: Mon Mar 25 18:35:15 2013 -0400
2331 Merge branch 'pax-test' into grsec-test
2333 commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
2334 Author: Brad Spengler <spender@grsecurity.net>
2335 Date: Mon Mar 25 18:35:05 2013 -0400
2339 arch/x86/mm/ioremap.c | 2 +-
2340 1 files changed, 1 insertions(+), 1 deletions(-)
2342 commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
2343 Merge: be9f8b8 f95e53a
2344 Author: Brad Spengler <spender@grsecurity.net>
2345 Date: Mon Mar 25 18:30:06 2013 -0400
2347 Merge branch 'pax-test' into grsec-test
2349 commit f95e53abadb6e4665866e4502ff9f518514193e1
2350 Author: Brad Spengler <spender@grsecurity.net>
2351 Date: Mon Mar 25 18:29:25 2013 -0400
2353 Update to pax-linux-3.8.4-test12.patch:
2355 - fixed perf compilation reported by Michael Tremer
2356 - fixed USERCOPY reports triggered by SCTP, reported by mcp
2357 - last fix for aslr gap accounting, promise (thanks to spender)
2359 arch/x86/mm/ioremap.c | 3 +++
2360 fs/binfmt_elf.c | 5 ++---
2362 net/sctp/socket.c | 19 +++++++++++++++----
2363 tools/perf/util/include/linux/compiler.h | 8 ++++++++
2364 5 files changed, 29 insertions(+), 8 deletions(-)
2366 commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
2367 Author: Brad Spengler <spender@grsecurity.net>
2368 Date: Mon Mar 25 16:48:34 2013 -0400
2370 From: Al Viro <viro@ZenIV.linux.org.uk>
2371 To: Brad Spengler <spender@grsecurity.net>
2372 Cc: Linus Torvalds <torvalds@linux-foundation.org>
2374 Umm... I see what you are describing, and AFAICS you are correct; let me
2375 see if I am misreading your analysis:
2376 * vfsmount_lock may act fair; A holding it shared, with B spinning
2377 on attempt to take it exclusive may lead to C spinning on attempt to take
2379 * path_is_under() tries to get rename_lock while holding vfsmount_lock
2381 * d_path() et al. try to take vfsmount_lock shared, while holding
2384 All true and yes, it's a bug (I'd probably classify it as a livelock, but
2385 that doesn't make any real difference). There are three possible solutions,
2387 1) two-liner in path_is_under() replacing the use of vfsmount_lock
2388 with that of namespace_sem; trivial, but results in function unexpectedly
2389 blocking. The current callers are fine with that, but it's a trouble
2391 2) replace write_seqlock() in prepend_path() callers with
2392 read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
2393 is_subdir() we need more than just ->d_parent not pointing to something
2394 freed - we also care about ->d_name.len being in sync with ->d_name.name.
2395 It probably can be worked around, but...
2397 3) declare that rename_lock nests inside vfsmount_lock and let
2398 the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
2401 Nest rename_lock inside vfsmount_lock
2403 ... lest we get livelocks between path_is_under() and d_path() and friends.
2405 [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
2408 Spotted-by: Brad Spengler <spender@grsecurity.net>
2409 Cc: stable@vger.kernel.org
2410 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2412 fs/dcache.c | 16 +++++++++++-----
2413 grsecurity/gracl.c | 20 ++++++++++----------
2414 2 files changed, 21 insertions(+), 15 deletions(-)
2416 commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
2417 Author: Linus Torvalds <torvalds@linux-foundation.org>
2418 Date: Fri Mar 22 11:44:04 2013 -0700
2420 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
2422 vfs,proc: guarantee unique inodes in /proc
2424 Dave Jones found another /proc issue with his Trinity tool: thanks to
2425 the namespace model, we can have multiple /proc dentries that point to
2426 the same inode, aliasing directories in /proc/<pid>/net/ for example.
2428 This ends up being a total disaster, because it acts like hardlinked
2429 directories, and causes locking problems. We rely on the topological
2430 sort of the inodes pointed to by dentries, and if we have aliased
2431 directories, that ordering becomes unreliable.
2433 In short: don't do this. Multiple dentries with the same (directory)
2434 inode is just a bad idea, and the namespace code should never have
2435 exposed things this way. But we're kind of stuck with it.
2437 This solves things by just always allocating a new inode during /proc
2438 dentry lookup, instead of using "iget_locked()" to look up existing
2439 inodes by superblock and number. That actually simplifies the code a bit,
2440 at the cost of potentially doing more inode [de]allocations.
2442 That said, the inode lookup wasn't free either (and did a lot of locking
2443 of inodes), so it is probably not that noticeable. We could easily keep
2444 the old lookup model for non-directory entries, but rather than try to
2445 be excessively clever this just implements the minimal and simplest
2446 workaround for the problem.
2448 Reported-and-tested-by: Dave Jones <davej@redhat.com>
2449 Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
2450 Cc: stable@vger.kernel.org
2451 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2457 fs/proc/inode.c | 9 +++------
2458 1 files changed, 3 insertions(+), 6 deletions(-)
2460 commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
2461 Author: Vladimir Davydov <vdavydov@parallels.com>
2462 Date: Fri Mar 22 15:04:51 2013 -0700
2464 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
2466 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
2468 mnt_drop_write() must be called only if mnt_want_write() succeeded,
2469 otherwise the mnt_writers counter will diverge.
2471 mnt_writers counters are used to check if remounting FS as read-only is
2472 OK, so after an extra mnt_drop_write() call, it would be impossible to
2473 remount mqueue FS as read-only. Besides, on umount a warning would be
2474 printed like this one:
2476 =====================================
2477 [ BUG: bad unlock balance detected! ]
2478 3.9.0-rc3 #5 Not tainted
2479 -------------------------------------
2480 a.out/12486 is trying to release lock (sb_writers) at:
2481 mnt_drop_write+0x1f/0x30
2482 but there are no more locks to release!
2484 Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
2485 Cc: Doug Ledford <dledford@redhat.com>
2486 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
2487 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
2488 Cc: Al Viro <viro@zeniv.linux.org.uk>
2489 Cc: <stable@vger.kernel.org>
2490 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2491 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2493 ipc/mqueue.c | 3 ++-
2494 1 files changed, 2 insertions(+), 1 deletions(-)
2496 commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
2497 Author: Brad Spengler <spender@grsecurity.net>
2498 Date: Sat Mar 23 13:02:32 2013 -0400
2500 Don't use constify plugin if not enabled in config,
2501 reported by Alexey Vlasov
2504 1 files changed, 1 insertions(+), 1 deletions(-)
2506 commit 3afb82e020593249ac394e9859397c3e0ef5341c
2507 Author: Brad Spengler <spender@grsecurity.net>
2508 Date: Sat Mar 23 12:50:13 2013 -0400
2511 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
2514 drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
2515 1 files changed, 4 insertions(+), 2 deletions(-)
2517 commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
2518 Author: Brad Spengler <spender@grsecurity.net>
2519 Date: Sat Mar 23 12:15:50 2013 -0400
2522 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
2525 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
2526 1 files changed, 1 insertions(+), 1 deletions(-)
2528 commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
2529 Author: Brad Spengler <spender@grsecurity.net>
2530 Date: Sat Mar 23 12:13:12 2013 -0400
2532 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
2534 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
2535 1 files changed, 1 insertions(+), 1 deletions(-)
2537 commit 44cb11a9470f72157601d0ad4d572d111f90f504
2538 Author: Brad Spengler <spender@grsecurity.net>
2539 Date: Fri Mar 22 18:11:42 2013 -0400
2543 fs/binfmt_elf.c | 2 +-
2544 1 files changed, 1 insertions(+), 1 deletions(-)
2546 commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
2547 Author: Brad Spengler <spender@grsecurity.net>
2548 Date: Fri Mar 22 17:53:09 2013 -0400
2550 fix recent RLIMIT_AS changes (due to vm_flags typo)
2556 fs/binfmt_elf.c | 2 +-
2558 2 files changed, 2 insertions(+), 2 deletions(-)
2560 commit fd5f0d92b0fbec02029dad124501a9c80e527a32
2561 Author: Brad Spengler <spender@grsecurity.net>
2562 Date: Fri Mar 22 17:08:48 2013 -0400
2564 complete_walk drops rcu-walk mode, no need for our own dropping
2565 method outside of generic_permission
2567 fs/namei.c | 30 ------------------------------
2568 1 files changed, 0 insertions(+), 30 deletions(-)
2570 commit b49ab1c73edb6442eec609b26bba4d850b3111b6
2571 Merge: 5e9a707 783ade9
2572 Author: Brad Spengler <spender@grsecurity.net>
2573 Date: Thu Mar 21 21:56:28 2013 -0400
2575 Merge branch 'pax-test' into grsec-test
2577 commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
2578 Author: Brad Spengler <spender@grsecurity.net>
2579 Date: Thu Mar 21 21:55:31 2013 -0400
2581 Update to pax-linux-3.8.3-test11.patch:
2582 - rewrote the ASLR gap accounting code once again
2583 - fixed ptrace compat bug found by the size overflow plugin
2585 fs/binfmt_elf.c | 25 ++++++++++++-------------
2586 fs/exec.c | 7 ++-----
2587 include/linux/compat.h | 2 +-
2588 include/linux/mm.h | 5 +++++
2589 include/linux/mm_types.h | 2 +-
2590 kernel/ptrace.c | 2 +-
2591 mm/mmap.c | 15 ++++++++++-----
2592 7 files changed, 32 insertions(+), 26 deletions(-)
2594 commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
2595 Author: Brad Spengler <spender@grsecurity.net>
2596 Date: Thu Mar 21 19:37:33 2013 -0400
2598 Make the constify plugin usage actually depend on the introduced config option
2599 (it was still forced on)
2601 tools/gcc/Makefile | 2 +-
2602 1 files changed, 1 insertions(+), 1 deletions(-)
2604 commit 1974b4f58d9d729c80ac1987785446115304a54c
2605 Author: Brad Spengler <spender@grsecurity.net>
2606 Date: Thu Mar 21 16:12:38 2013 -0400
2610 arch/arm/mm/fault.c | 15 +++------------
2611 1 files changed, 3 insertions(+), 12 deletions(-)
2613 commit 675a8ab4a8fe8315df348735a37a302a7535224c
2614 Author: Brad Spengler <spender@grsecurity.net>
2615 Date: Wed Mar 20 23:36:14 2013 -0400
2617 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
2618 From: Kees Cook <keescook@chromium.org>
2619 Date: Sun, 10 Mar 2013 20:09:31 +0000
2620 Subject: drm/i915: bounds check execbuffer relocation count
2622 It is possible to wrap the counter used to allocate the buffer for
2623 relocation copies. This could lead to heap writing overflows.
2627 Signed-off-by: Kees Cook <keescook@chromium.org>
2628 Reported-by: Pinkie Pie
2629 Cc: stable@vger.kernel.org
2631 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
2632 1 files changed, 8 insertions(+), 3 deletions(-)
2634 commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
2635 Author: Andy Honig <ahonig@google.com>
2636 Date: Wed Feb 20 14:48:10 2013 -0800
2638 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
2640 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
2642 There is a potential use after free issue with the handling of
2643 MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
2644 memory such as frame buffers then KVM might continue to write to that
2645 address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
2646 the page in memory so it's unlikely to cause an issue, but if the user
2647 space component re-purposes the memory previously used for the guest, then
2648 the guest will be able to corrupt that memory.
2650 Tested: Tested against kvmclock unit test
2652 Signed-off-by: Andrew Honig <ahonig@google.com>
2653 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
2655 arch/x86/include/asm/kvm_host.h | 4 +-
2656 arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
2657 2 files changed, 22 insertions(+), 29 deletions(-)
2659 commit 0bcac31b57c381001feb69fd6ec8069e61e03432
2660 Author: Andy Honig <ahonig@google.com>
2661 Date: Mon Mar 11 09:34:52 2013 -0700
2663 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
2665 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
2667 If the guest sets the GPA of the time_page so that the request to update the
2668 time straddles a page then KVM will write onto an incorrect page. The
2669 write is done by using kmap atomic to get a pointer to the page for the time
2670 structure and then performing a memcpy to that page starting at an offset
2671 that the guest controls. Well behaved guests always provide a 32-byte aligned
2672 address, however a malicious guest could use this to corrupt host kernel
2675 Tested: Tested against kvmclock unit test.
2677 Signed-off-by: Andrew Honig <ahonig@google.com>
2678 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
2680 arch/x86/kvm/x86.c | 5 +++++
2681 1 files changed, 5 insertions(+), 0 deletions(-)
2683 commit 695c59887e4ec10b0b695ab4f645d1226c433be0
2684 Author: Andy Honig <ahonig@google.com>
2685 Date: Wed Feb 20 14:49:16 2013 -0800
2687 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
2689 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
2691 If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows
2692 that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
2693 that request. ioapic_read_indirect contains an
2694 ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
2695 non-debug builds. In recent kernels this allows a guest to cause a kernel
2696 oops by reading invalid memory. In older kernels (pre-3.3) this allows a
2697 guest to read from large ranges of host memory.
2699 Tested: tested against apic unit tests.
2701 Signed-off-by: Andrew Honig <ahonig@google.com>
2702 Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
2704 virt/kvm/ioapic.c | 7 +++++--
2705 1 files changed, 5 insertions(+), 2 deletions(-)
2707 commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
2708 Merge: aec3cd4 c522e3a
2709 Author: Brad Spengler <spender@grsecurity.net>
2710 Date: Wed Mar 20 19:38:25 2013 -0400
2712 Merge branch 'pax-test' into grsec-test
2714 commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
2715 Merge: c57d855 405acc3
2716 Author: Brad Spengler <spender@grsecurity.net>
2717 Date: Wed Mar 20 19:38:11 2013 -0400
2719 Merge branch 'linux-3.8.y' into pax-test
2721 commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
2722 Author: Brad Spengler <spender@grsecurity.net>
2723 Date: Tue Mar 19 19:56:04 2013 -0400
2725 include linux/compiler.h
2727 include/linux/zlib.h | 1 +
2728 1 files changed, 1 insertions(+), 0 deletions(-)
2730 commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
2731 Author: Brad Spengler <spender@grsecurity.net>
2732 Date: Tue Mar 19 18:42:20 2013 -0400
2734 fix missing sock_release()
2736 net/irda/af_irda.c | 6 ++++--
2737 1 files changed, 4 insertions(+), 2 deletions(-)
2739 commit dd65c05cd24faf8946d4941434a553ee285c35a3
2740 Author: Brad Spengler <spender@grsecurity.net>
2741 Date: Tue Mar 19 18:36:17 2013 -0400
2743 fix mpt fusion infoleak
2745 drivers/message/fusion/mptbase.c | 4 ++++
2746 1 files changed, 4 insertions(+), 0 deletions(-)
2748 commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
2749 Author: Brad Spengler <spender@grsecurity.net>
2750 Date: Tue Mar 19 18:33:45 2013 -0400
2752 Fix size_overflow false positive reported by slashbeast
2754 include/linux/zlib.h | 2 +-
2755 1 files changed, 1 insertions(+), 1 deletions(-)
2757 commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
2758 Author: Brad Spengler <spender@grsecurity.net>
2759 Date: Tue Mar 19 17:35:36 2013 -0400
2763 arch/arm/mm/fault.c | 9 ++-------
2764 1 files changed, 2 insertions(+), 7 deletions(-)
2766 commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
2767 Author: Brad Spengler <spender@grsecurity.net>
2768 Date: Tue Mar 19 17:34:36 2013 -0400
2770 update documentation on consequences of building without gcc plugin support
2773 1 files changed, 1 insertions(+), 1 deletions(-)
2775 commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
2776 Author: Brad Spengler <spender@grsecurity.net>
2777 Date: Tue Mar 19 17:18:13 2013 -0400
2779 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
2781 init/main.c | 4 ++--
2782 1 files changed, 2 insertions(+), 2 deletions(-)
2784 commit f00195c633f91cfbd8c1f530d2c371b713026e20
2785 Author: Brad Spengler <spender@grsecurity.net>
2786 Date: Mon Mar 18 22:27:33 2013 -0400
2788 Fix compile error reported by KDE on the forums
2790 kernel/user_namespace.c | 2 +-
2791 1 files changed, 1 insertions(+), 1 deletions(-)
2793 commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
2794 Merge: 0949569 c57d855
2795 Author: Brad Spengler <spender@grsecurity.net>
2796 Date: Mon Mar 18 22:20:46 2013 -0400
2798 Merge branch 'pax-test' into grsec-test
2805 commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
2806 Author: Brad Spengler <spender@grsecurity.net>
2807 Date: Mon Mar 18 21:22:03 2013 -0400
2809 Update to pax-linux-3.8.2-test9.patch:
2810 arm changes from spender
2811 - removed userland access to the vectors page
2812 - removed obsolete sigreturn trampoline handling
2813 - added emulation for __kuser_get_tls
2814 - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
2815 - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
2816 - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
2817 - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
2818 - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
2819 - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
2820 and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
2822 arch/arm/kernel/process.c | 5 +-
2823 arch/arm/kernel/signal.c | 24 +-
2824 arch/arm/kernel/traps.c | 7 -
2825 arch/arm/mm/alignment.c | 8 +
2826 arch/arm/mm/fault.c | 23 +-
2827 arch/arm/mm/mmu.c | 2 +-
2828 arch/x86/include/asm/bitops.h | 2 +-
2829 arch/x86/include/asm/desc.h | 2 +-
2830 arch/x86/include/asm/div64.h | 2 +-
2831 arch/x86/include/asm/io.h | 8 +-
2832 arch/x86/include/asm/paravirt.h | 2 +-
2833 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
2834 arch/x86/kernel/setup_percpu.c | 2 +-
2835 arch/x86/mm/fault.c | 4 +-
2836 arch/x86/mm/numa.c | 2 +-
2837 arch/x86/mm/physaddr.c | 4 +-
2838 drivers/ata/libahci.c | 2 +-
2839 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
2840 drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
2841 drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
2842 drivers/lguest/page_tables.c | 2 +-
2843 drivers/net/wireless/at76c50x-usb.c | 2 +-
2844 drivers/oprofile/oprofile_files.c | 2 +-
2845 drivers/power/power_supply_core.c | 1 +
2846 drivers/usb/core/message.c | 2 +-
2847 fs/befs/endian.h | 4 +-
2848 fs/binfmt_elf.c | 5 +-
2850 fs/qnx6/qnx6.h | 4 +-
2851 fs/sysv/sysv.h | 2 +-
2852 fs/ubifs/io.c | 2 +-
2853 fs/ufs/swab.h | 4 +-
2854 include/linux/compat.h | 4 +-
2855 include/linux/completion.h | 6 +-
2856 include/linux/cpumask.h | 12 +-
2857 include/linux/ctype.h | 2 +-
2858 include/linux/err.h | 4 +-
2859 include/linux/math64.h | 6 +-
2860 include/linux/sched.h | 2 +-
2861 include/linux/unaligned/access_ok.h | 12 +-
2862 include/linux/usb.h | 2 +-
2863 include/uapi/linux/byteorder/little_endian.h | 4 +-
2864 include/uapi/linux/swab.h | 6 +-
2865 kernel/sched/core.c | 6 +-
2866 kernel/signal.c | 3 +
2867 kernel/time.c | 2 +-
2868 kernel/timer.c | 2 +-
2870 mm/page-writeback.c | 2 +-
2872 scripts/package/builddeb | 1 +
2873 tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
2874 tools/gcc/size_overflow_plugin.c | 1072 ++--
2875 53 files changed, 6227 insertions(+), 3951 deletions(-)
2877 commit 09495691bb31f11ec14d9127429f9a0f3f716f22
2878 Author: Brad Spengler <spender@grsecurity.net>
2879 Date: Sun Mar 17 20:51:50 2013 -0400
2883 grsecurity/gracl.c | 2 +-
2884 1 files changed, 1 insertions(+), 1 deletions(-)
2886 commit deb85b00d0f9f886e264e116313f298401ec5c59
2887 Author: Brad Spengler <spender@grsecurity.net>
2888 Date: Sun Mar 17 20:03:33 2013 -0400
2890 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
2891 with a subject applied to it with RES_CPU. Otherwise, the limit will only
2892 begin to be applied at fork time.
2894 Thanks to Bjornar Ness for the report.
2896 grsecurity/gracl.c | 4 ++++
2897 1 files changed, 4 insertions(+), 0 deletions(-)
2899 commit 2126421f123513f604ceef2b23ba9ed516de7e58
2900 Author: Brad Spengler <spender@grsecurity.net>
2901 Date: Sat Mar 16 22:07:43 2013 -0400
2903 Move inode auditing prior to our refcnt dropping
2906 1 files changed, 1 insertions(+), 1 deletions(-)
2908 commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
2909 Author: Brad Spengler <spender@grsecurity.net>
2910 Date: Sat Mar 16 22:00:30 2013 -0400
2912 Drop reference on completed path walked in RCU mode or when violating
2913 the chroot fchdir check inside a chroot -- possible culprit for a reported
2914 vfsmount_lock hang during unmount
2916 fs/namei.c | 8 ++++++--
2917 1 files changed, 6 insertions(+), 2 deletions(-)
2919 commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
2920 Author: Brad Spengler <spender@grsecurity.net>
2921 Date: Sat Mar 16 16:43:45 2013 -0400
2923 add user_arg_ptr back to exec.c
2925 fs/exec.c | 12 ++++++++++++
2926 1 files changed, 12 insertions(+), 0 deletions(-)
2928 commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
2929 Author: Brad Spengler <spender@grsecurity.net>
2930 Date: Sat Mar 16 11:22:36 2013 -0400
2932 Don't globally include compat.h -- with the new X32 support it
2933 changes some definitions involving ELF binaries resulting in invalid
2934 coredumps, as reported by KDE on the forums:
2935 http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
2936 Thanks to the PaX Team for debugging
2939 grsecurity/grsec_exec.c | 13 +++++++++++++
2940 include/linux/grsecurity.h | 15 ---------------
2941 3 files changed, 16 insertions(+), 15 deletions(-)
2943 commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
2944 Author: Brad Spengler <spender@grsecurity.net>
2945 Date: Thu Mar 14 20:59:26 2013 -0400
2947 Add peer information to /proc/net/unix from Kenan Kalajdzic:
2948 http://marc.info/?l=linux-netdev&m=126745636809191&w=2
2950 We use a "P" prefix to the inode number instead of "peer=". This
2951 additional information can be used, for instance, to find what processes
2952 are connected to MySQL's unix domain socket.
2954 net/unix/af_unix.c | 12 +++++++++---
2955 1 files changed, 9 insertions(+), 3 deletions(-)
2957 commit 1cd623d11a462d151ea8a5cace4521e1724911a3
2958 Author: Oliver Neukum <oneukum@suse.de>
2959 Date: Tue Mar 12 14:52:42 2013 +0100
2961 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
2963 USB: cdc-wdm: fix buffer overflow
2965 The buffer for responses must not overflow.
2966 If this would happen, set a flag, drop the data and return
2967 an error after user space has read all remaining data.
2969 Signed-off-by: Oliver Neukum <oliver@neukum.org>
2970 CC: stable@kernel.org
2971 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2973 drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
2974 1 files changed, 20 insertions(+), 3 deletions(-)
2976 commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
2977 Merge: 9cdf9bc db4cb92
2978 Author: Brad Spengler <spender@grsecurity.net>
2979 Date: Thu Mar 14 20:23:14 2013 -0400
2981 Merge branch 'pax-test' into grsec-test
2984 security/keys/compat.c
2986 commit db4cb924546e3fec3a59f78d056f48176eaf7100
2987 Author: Brad Spengler <spender@grsecurity.net>
2988 Date: Thu Mar 14 20:22:24 2013 -0400
2990 Update to pax-linux-3.8.2-test8.patch
2992 arch/arm/include/asm/cache.h | 2 ++
2993 arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
2994 arch/arm/mach-omap2/omap_device.c | 4 ++--
2995 arch/arm/mach-omap2/omap_device.h | 4 ++--
2996 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
2997 5 files changed, 19 insertions(+), 15 deletions(-)
2999 commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
3000 Merge: 3c865f9 1a45c31
3001 Author: Brad Spengler <spender@grsecurity.net>
3002 Date: Thu Mar 14 20:20:54 2013 -0400
3004 Merge branch 'linux-3.8.y' into pax-test
3007 arch/arm/include/asm/delay.h
3008 arch/arm/include/asm/pgtable.h
3009 arch/arm/lib/delay.c
3010 security/keys/compat.c
3012 commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
3013 Author: Al Viro <viro@ZenIV.linux.org.uk>
3014 Date: Tue Mar 12 02:59:49 2013 +0000
3016 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
3018 vfs: fix pipe counter breakage
3020 If you open a pipe for neither read nor write, the pipe code will not
3021 add any usage counters to the pipe, causing the 'struct pipe_inode_info'
3022 to be potentially released early.
3024 That doesn't normally matter, since you cannot actually use the pipe,
3025 but the pipe release code - particularly fasync handling - still expects
3026 the actual pipe infrastructure to all be there. And rather than adding
3027 NULL pointer checks, let's just disallow this case, the same way we
3028 already do for the named pipe ("fifo") case.
3030 This is ancient going back to pre-2.4 days, and until trinity, nobody
3033 Reported-by: Dave Jones <davej@redhat.com>
3034 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
3037 1 files changed, 3 insertions(+), 0 deletions(-)
3039 commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
3040 Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
3041 Date: Mon Feb 25 10:20:36 2013 -0500
3043 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
3045 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
3047 Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
3048 compat_process_vm_rw() shows that the compatibility code requires an
3049 explicit "access_ok()" check before calling
3050 compat_rw_copy_check_uvector(). The same difference seems to appear when
3051 we compare fs/read_write.c:do_readv_writev() to
3052 fs/compat.c:compat_do_readv_writev().
3054 This subtle difference between the compat and non-compat requirements
3055 should probably be debated, as it seems to be error-prone. In fact,
3056 there are two other sites that use this function in the Linux kernel,
3057 and they both seem to get it wrong:
3059 Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
3060 also ends up calling compat_rw_copy_check_uvector() through
3061 aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
3062 be missing. Same situation for
3063 security/keys/compat.c:compat_keyctl_instantiate_key_iov().
3065 I propose that we add the access_ok() check directly into
3066 compat_rw_copy_check_uvector(), so callers don't have to worry about it,
3067 and it therefore makes the compat call code similar to its non-compat
3068 counterpart. Place the access_ok() check in the same location where
3069 copy_from_user() can trigger a -EFAULT error in the non-compat code, so
3070 the ABI behaviors are alike on both compat and non-compat.
3072 While we are here, fix compat_do_readv_writev() so it checks for
3073 compat_rw_copy_check_uvector() negative return values.
3075 And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
3078 Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
3079 Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
3080 Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
3081 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
3085 security/keys/compat.c
3087 fs/compat.c | 15 +++++++--------
3088 mm/process_vm_access.c | 8 --------
3089 security/keys/compat.c | 3 ++-
3090 3 files changed, 9 insertions(+), 17 deletions(-)
3092 commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
3093 Author: Brad Spengler <spender@grsecurity.net>
3094 Date: Mon Mar 11 18:38:38 2013 -0400
3096 Fix leak of signal handler addresses across execve, found by Emese Revfy
3098 kernel/signal.c | 3 +++
3099 1 files changed, 3 insertions(+), 0 deletions(-)
3101 commit 79b130c4b11c7940daf2b33d653a17666331c634
3102 Merge: 6480ce9 3c865f9
3103 Author: Brad Spengler <spender@grsecurity.net>
3104 Date: Sun Mar 10 20:04:03 2013 -0400
3106 Merge branch 'pax-test' into grsec-test
3108 commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
3109 Author: Brad Spengler <spender@grsecurity.net>
3110 Date: Sun Mar 10 20:03:12 2013 -0400
3112 Update to pax-linux-3.8.2-test7.patch:
3113 - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
3114 - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
3116 fs/binfmt_elf.c | 3 ++-
3118 include/linux/mm_types.h | 2 +-
3119 init/main.c | 4 ++--
3121 mm/page_alloc.c | 4 ++--
3122 tools/gcc/latent_entropy_plugin.c | 11 +++++++----
3123 7 files changed, 18 insertions(+), 11 deletions(-)
3125 commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
3126 Merge: 4a5305e 25b3569
3127 Author: Brad Spengler <spender@grsecurity.net>
3128 Date: Sun Mar 10 10:41:16 2013 -0400
3130 Merge branch 'pax-test' into grsec-test
3132 commit 25b356980568bed9958315bb5a551fdc610055ed
3133 Author: Brad Spengler <spender@grsecurity.net>
3134 Date: Sun Mar 10 10:40:48 2013 -0400
3136 Update to pax-linux-3.8.2-test6.patch:
3137 - fixed a KERNEXEC false positive on arm reported by Gu1
3138 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
3139 - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
3140 - added fix from spender for some namespace breakage reported by zakalwe
3141 - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
3143 Documentation/kernel-parameters.txt | 5 +++++
3144 arch/arm/kernel/patch.c | 2 ++
3145 arch/x86/kernel/sys_i386_32.c | 5 +++--
3146 drivers/acpi/blacklist.c | 2 +-
3147 drivers/video/aty/mach64_cursor.c | 1 +
3148 init/main.c | 4 ----
3149 mm/page_alloc.c | 27 +++++++++++++++++++++++++++
3150 net/ipv4/ip_fragment.c | 2 +-
3151 security/Kconfig | 5 +++++
3152 tools/gcc/latent_entropy_plugin.c | 7 +++++--
3153 10 files changed, 50 insertions(+), 10 deletions(-)
3155 commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
3156 Author: Brad Spengler <spender@grsecurity.net>
3157 Date: Sat Mar 9 11:19:06 2013 -0500
3159 From: Mathias Krause <minipli@googlemail.com>
3160 To: "David S. Miller" <davem@davemloft.net>
3161 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
3162 Stephen Hemminger <stephen@networkplumber.org>
3163 Subject: [PATCH 1/3] bridge: fix mdb info leaks
3164 Date: Sat, 9 Mar 2013 16:52:19 +0100
3166 The bridging code discloses heap and stack bytes via the RTM_GETMDB
3167 netlink interface and via the notify messages sent to group RTNLGRP_MDB
3168 after a successful add/del.
3170 Fix both cases by initializing all unset members/padding bytes with
3173 Cc: Stephen Hemminger <stephen@networkplumber.org>
3174 Signed-off-by: Mathias Krause <minipli@googlemail.com>
3176 From: Mathias Krause <minipli@googlemail.com>
3177 To: "David S. Miller" <davem@davemloft.net>
3178 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
3179 Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
3180 Date: Sat, 9 Mar 2013 16:52:20 +0100
3182 Initialize the mac address buffer with 0 as the driver specific function
3183 will probably not fill the whole buffer. In fact, all in-kernel drivers
3184 fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
3185 bytes. Therefore we currently leak 26 bytes of stack memory to userland
3186 via the netlink interface.
3188 Signed-off-by: Mathias Krause <minipli@googlemail.com>
3190 From: Mathias Krause <minipli@googlemail.com>
3191 To: "David S. Miller" <davem@davemloft.net>
3192 Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
3193 Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
3194 Date: Sat, 9 Mar 2013 16:52:21 +0100
3196 The dcb netlink interface leaks stack memory in various places:
3197 * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
3199 * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
3200 so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
3201 for ieee_pfc structs, etc.,
3202 * the same is true for CEE -- no in-kernel driver fills the whole
3205 Prevent all of the above stack info leaks by properly initializing the
3206 buffers/structures involved.
3208 Signed-off-by: Mathias Krause <minipli@googlemail.com>
3210 net/bridge/br_mdb.c | 4 ++++
3211 net/core/rtnetlink.c | 1 +
3212 net/dcb/dcbnl.c | 8 ++++++++
3213 3 files changed, 13 insertions(+), 0 deletions(-)
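The stack info leak described in the rtnl and dcbnl patches above, reduced to a user-space model. This is an added example, not code from the commit or from the kernel: `struct vf_mac_reply`, `driver_get_mac()`, `fill_reply()`, `leaked_bytes()` and the `STALE_BYTE` marker are hypothetical names, and the stale stack contents are simulated by pre-filling the buffer with a constructed marker value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN     6    /* bytes a driver actually writes (per the commit text) */
#define MAX_ADDR_LEN 32   /* bytes shipped to userland (per the commit text) */
#define STALE_BYTE   0xA5 /* constructed marker standing in for old stack data */

/* Hypothetical stand-in for the reply structure built on the kernel stack. */
struct vf_mac_reply {
    unsigned int  vf;
    unsigned char mac[MAX_ADDR_LEN];
};

/* Hypothetical driver callback: writes only the first `len` bytes of the
 * address buffer and leaves the rest of it untouched. */
static void driver_get_mac(unsigned char *mac, size_t len)
{
    /* Constructed sample address bytes; none of them equals STALE_BYTE. */
    static const unsigned char hw[12] = {
        0x02, 0x00, 0x5e, 0x10, 0x20, 0x30,
        0x02, 0x00, 0x5e, 0x10, 0x20, 0x31
    };

    if (len > sizeof(hw))
        len = sizeof(hw);
    memcpy(mac, hw, len);
}

/* Build the reply. With zero_first == 0 this models the code before the
 * fix; with zero_first != 0 the whole buffer is cleared before the driver
 * is asked to fill it, which is the fix the patch describes. */
static void fill_reply(struct vf_mac_reply *reply, size_t driver_len,
                       int zero_first)
{
    if (zero_first)
        memset(reply->mac, 0, sizeof(reply->mac));
    reply->vf = 0;
    driver_get_mac(reply->mac, driver_len);
}

/* Return how many bytes of the copied-out address buffer still carry
 * stale data that the receiver was never meant to see. */
static size_t leaked_bytes(size_t driver_len, int zero_first)
{
    struct vf_mac_reply reply;
    unsigned char wire[MAX_ADDR_LEN];
    size_t i, leaked = 0;

    /* Model a reused stack slot: every byte holds leftover data. */
    memset(&reply, STALE_BYTE, sizeof(reply));

    fill_reply(&reply, driver_len, zero_first);

    /* The reply carries the whole buffer, not just the bytes written. */
    memcpy(wire, reply.mac, sizeof(wire));

    for (i = 0; i < sizeof(wire); i++)
        if (wire[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("6-byte fill, no init:   %zu stale bytes\n", leaked_bytes(ETH_ALEN, 0));
    printf("6-byte fill, zeroed:    %zu stale bytes\n", leaked_bytes(ETH_ALEN, 1));
    printf("12-byte fill, no init:  %zu stale bytes\n", leaked_bytes(12, 0));
    printf("12-byte fill, zeroed:   %zu stale bytes\n", leaked_bytes(12, 1));
    return 0;
}
```

The same audit question applies to any structure copied to userland: compare the number of bytes the producer writes with the number of bytes the copy-out sends.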
3215 commit 601dd446f896e3a362f706943df18a68d50420a1
3216 Author: Brad Spengler <spender@grsecurity.net>
3217 Date: Sat Mar 9 09:35:25 2013 -0500
3219 add open/close wrappers in __patch_text() as reported by Gu1 on IRC
3221 arch/arm/kernel/patch.c | 2 ++
3222 1 files changed, 2 insertions(+), 0 deletions(-)
3224 commit ae39966fd85a493e9079b357e3faa62245a41222
3225 Author: Peter Hurley <peter@hurleysoftware.com>
3226 Date: Fri Mar 8 12:43:27 2013 -0800
3228 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
3230 ipc: don't allocate a copy larger than max
3232 When MSG_COPY is set, a duplicate message must be allocated for the copy
3233 before locking the queue. However, the copy could not be larger than was
3234 sent which is limited to msg_ctlmax.
3236 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
3237 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
3238 Cc: <stable@vger.kernel.org>
3239 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
3240 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
3242 ipc/msg.c | 6 ++++--
3243 1 files changed, 4 insertions(+), 2 deletions(-)
3245 commit 61240e99650ea3e540a03a3e994349c5086f166b
3246 Author: Peter Hurley <peter@hurleysoftware.com>
3247 Date: Fri Mar 8 12:43:26 2013 -0800
3249 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
3251 ipc: fix potential oops when src msg > 4k w/ MSG_COPY
3253 If the src msg is > 4k, then dest->next points to the
3254 next allocated segment; resetting it just prior to dereferencing
3257 Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
3258 Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
3259 Cc: <stable@vger.kernel.org>
3260 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
3261 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
3263 ipc/msgutil.c | 3 ---
3264 1 files changed, 0 insertions(+), 3 deletions(-)
3266 commit 51727f602a267f34fb2e0dc9557f1714028d51a2
3267 Author: Brad Spengler <spender@grsecurity.net>
3268 Date: Fri Mar 8 22:14:06 2013 -0500
3270 add missing 'else' in recent constify fixups
3272 net/ipv4/ip_fragment.c | 2 +-
3273 1 files changed, 1 insertions(+), 1 deletions(-)
3275 commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
3276 Merge: 1580bb3 47c3f47
3277 Author: Brad Spengler <spender@grsecurity.net>
3278 Date: Fri Mar 8 18:18:37 2013 -0500
3280 Merge branch 'pax-test' into grsec-test
3282 commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
3283 Author: Brad Spengler <spender@grsecurity.net>
3284 Date: Fri Mar 8 18:17:22 2013 -0500
3286 Update to pax-linux-3.8.2-test5.patch:
3287 - fixed some fallout after the last round of constification changes, reported by several people
3289 arch/arm/common/gic.c | 4 ++--
3290 arch/arm/include/asm/hardware/gic.h | 3 ++-
3291 arch/x86/include/asm/nmi.h | 2 +-
3292 arch/x86/kernel/nmi.c | 2 +-
3293 arch/x86/pci/irq.c | 2 +-
3294 drivers/base/power/domain.c | 4 ++--
3295 drivers/cpufreq/cpufreq_governor.c | 4 ++--
3296 drivers/mfd/twl4030-irq.c | 1 +
3297 drivers/video/vesafb.c | 7 +++++--
3298 include/linux/irq.h | 1 +
3299 include/linux/pm_domain.h | 2 +-
3300 kernel/sched/core.c | 4 ++++
3301 lib/Kconfig.debug | 4 ++--
3302 net/core/sysctl_net_core.c | 2 +-
3303 net/decnet/af_decnet.c | 1 +
3304 net/ipv4/devinet.c | 2 +-
3305 net/ipv4/ip_fragment.c | 2 +-
3306 net/ipv4/route.c | 2 +-
3307 net/ipv4/sysctl_net_ipv4.c | 2 +-
3308 net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
3309 net/ipv6/reassembly.c | 2 +-
3310 scripts/sortextable.h | 6 +++---
3311 22 files changed, 36 insertions(+), 25 deletions(-)
3313 commit 1580bb38b4db0bf2a46316599815e8b234edad81
3314 Author: Brad Spengler <spender@grsecurity.net>
3315 Date: Thu Mar 7 22:02:59 2013 -0500
3317 add an additional open/close wrapper
3319 kernel/sched/core.c | 2 ++
3320 1 files changed, 2 insertions(+), 0 deletions(-)
3322 commit 21622672d28d58e0d93a805cd1f9650a894a752a
3323 Author: Brad Spengler <spender@grsecurity.net>
3324 Date: Thu Mar 7 21:58:24 2013 -0500
3326 fix oops at shutdown with new constify code
3328 kernel/sched/core.c | 2 ++
3329 1 files changed, 2 insertions(+), 0 deletions(-)
3331 commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
3332 Author: Brad Spengler <spender@grsecurity.net>
3333 Date: Thu Mar 7 21:18:44 2013 -0500
3335 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
3336 it currently conflicts with some lock debugging options, so made as an
3337 option to allow for debugging when necessary
3340 lib/Kconfig.debug | 6 +++---
3341 security/Kconfig | 18 ++++++++++++++++++
3342 3 files changed, 21 insertions(+), 5 deletions(-)
3344 commit 0885b00b8373a1597b69c38032a0c9eee279303b
3345 Author: Brad Spengler <spender@grsecurity.net>
3346 Date: Thu Mar 7 20:55:19 2013 -0500
3348 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
3350 lib/Kconfig.debug | 2 +-
3351 1 files changed, 1 insertions(+), 1 deletions(-)
3353 commit c8a2617165e7127a54f293cbf57d22d50dd83abd
3354 Author: Brad Spengler <spender@grsecurity.net>
3355 Date: Thu Mar 7 20:30:41 2013 -0500
3358 drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
3359 with cast and proper kernexec accessors
3361 drivers/video/vesafb.c | 7 +++++--
3362 1 files changed, 5 insertions(+), 2 deletions(-)
3364 commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
3365 Author: Brad Spengler <spender@grsecurity.net>
3366 Date: Thu Mar 7 20:20:28 2013 -0500
3370 grsecurity/gracl.c | 2 +-
3371 1 files changed, 1 insertions(+), 1 deletions(-)
3373 commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
3374 Author: Brad Spengler <spender@grsecurity.net>
3375 Date: Thu Mar 7 20:12:17 2013 -0500
3377 fix compilation error -- no reason for task_pid_nr to not take a const task ptr
3379 include/linux/sched.h | 2 +-
3380 1 files changed, 1 insertions(+), 1 deletions(-)
3382 commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
3383 Author: Kees Cook <keescook@chromium.org>
3384 Date: Mon Feb 25 21:32:25 2013 +0000
3386 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
3388 proc connector: reject unprivileged listener bumps
3390 While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
3391 for an unprivileged user to turn off notifications for all listeners by
3392 sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
3393 required for a multicast bind.
3395 Signed-off-by: Kees Cook <keescook@chromium.org>
3396 Cc: Evgeniy Polyakov <zbr@ioremap.net>
3397 Cc: Matt Helsley <matthltc@us.ibm.com>
3398 Cc: stable@vger.kernel.org
3399 Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
3400 Acked-by: Matt Helsley <matthltc@us.ibm.com>
3401 Signed-off-by: David S. Miller <davem@davemloft.net>
3403 drivers/connector/cn_proc.c | 8 ++++++++
3404 1 files changed, 8 insertions(+), 0 deletions(-)
3406 commit ac6014ded57101e3e608941555ff507e20c1ece3
3407 Author: Dan Carpenter <dan.carpenter@oracle.com>
3408 Date: Tue Feb 26 19:15:02 2013 +0000
3410 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
3412 irda: small read beyond end of array in debug code
3414 charset comes from skb->data. It's a number in the 0-255 range.
3415 If we have debugging turned on then this could cause a read beyond
3416 the end of the array.
3418 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
3419 Signed-off-by: David S. Miller <davem@davemloft.net>
3421 net/irda/iriap.c | 7 +++++--
3422 1 files changed, 5 insertions(+), 2 deletions(-)
3424 commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
3425 Author: Guenter Roeck <linux@roeck-us.net>
3426 Date: Wed Feb 27 10:57:31 2013 +0000
3428 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
3430 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
3432 Building sctp may fail with:
3434 In function ‘copy_from_user’,
3435 inlined from ‘sctp_getsockopt_assoc_stats’ at
3436 net/sctp/socket.c:5656:20:
3437 arch/x86/include/asm/uaccess_32.h:211:26: error: call to
3438 ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
3439 buffer size is not provably correct
3441 if built with W=1 due to a missing parameter size validation
3442 before the call to copy_from_user.
3444 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
3445 Acked-by: Vlad Yasevich <vyasevich@gmail.com>
3446 Signed-off-by: David S. Miller <davem@davemloft.net>
3448 net/sctp/socket.c | 6 +++---
3449 1 files changed, 3 insertions(+), 3 deletions(-)
3451 commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
3452 Author: Guillaume Nault <g.nault@alphalink.fr>
3453 Date: Fri Mar 1 05:02:02 2013 +0000
3455 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
3457 l2tp: Restore socket refcount when sendmsg succeeds
3459 The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
3460 reference counter after successful transmissions. Any successful
3461 sendmsg() call from userspace will then increase the reference counter
3462 forever, thus preventing the kernel's session and tunnel data from
3463 being freed later on.
3465 The problem only happens when writing directly on L2TP sockets.
3466 PPP sockets attached to L2TP are unaffected as the PPP subsystem
3467 uses pppol2tp_xmit() which symmetrically increase/decrease reference
3470 This patch adds the missing call to sock_put() before returning from
3473 Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
3474 Signed-off-by: David S. Miller <davem@davemloft.net>
3476 net/l2tp/l2tp_ppp.c | 1 +
3477 1 files changed, 1 insertions(+), 0 deletions(-)
3479 commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
3480 Author: Cong Wang <amwang@redhat.com>
3481 Date: Sun Mar 3 16:18:11 2013 +0000
3483 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
3485 rds: limit the size allocated by rds_message_alloc()
3487 Dave Jones reported the following bug:
3489 "When fed mangled socket data, rds will trust what userspace gives it,
3490 and tries to allocate enormous amounts of memory larger than what
3491 kmalloc can satisfy."
3493 WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
3494 Hardware name: GA-MA78GM-S2H
3495 Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
3496 Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
3498 [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
3499 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
3500 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
3501 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
3502 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
3503 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
3504 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
3505 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
3506 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
3507 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
3508 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
3509 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
3510 [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
3511 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
3512 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
3513 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
3514 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
3515 [<ffffffff81567f30>] sys_sendto+0x130/0x180
3516 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
3517 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
3518 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
3519 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
3520 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
3521 [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
3522 ---[ end trace eed6ae990d018c8b ]---
3524 Reported-by: Dave Jones <davej@redhat.com>
3525 Cc: Dave Jones <davej@redhat.com>
3526 Cc: David S. Miller <davem@davemloft.net>
3527 Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
3528 Signed-off-by: Cong Wang <amwang@redhat.com>
3529 Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
3530 Signed-off-by: David S. Miller <davem@davemloft.net>
3532 net/rds/message.c | 3 +++
3533 1 files changed, 3 insertions(+), 0 deletions(-)
3535 commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
3536 Author: Cong Wang <amwang@redhat.com>
3537 Date: Sun Mar 3 16:28:27 2013 +0000
3539 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
3541 sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
3543 Don't define its own MAX_KMALLOC_SIZE, use the one
3546 Cc: Vlad Yasevich <vyasevich@gmail.com>
3547 Cc: Sridhar Samudrala <sri@us.ibm.com>
3548 Cc: Neil Horman <nhorman@tuxdriver.com>
3549 Cc: David S. Miller <davem@davemloft.net>
3550 Signed-off-by: Cong Wang <amwang@redhat.com>
3551 Acked-by: Neil Horman <nhorman@tuxdriver.com>
3552 Signed-off-by: David S. Miller <davem@davemloft.net>
3554 net/sctp/ssnmap.c | 8 +++-----
3555 1 files changed, 3 insertions(+), 5 deletions(-)
3557 commit 4295a024e812f903fc580c81de5e81cc149503fa
3558 Author: Brad Spengler <spender@grsecurity.net>
3559 Date: Thu Mar 7 17:57:49 2013 -0500
3561 Upstream commit: https://lkml.org/lkml/2013/3/6/535
3563 security/keys/process_keys.c | 2 +-
3564 1 files changed, 1 insertions(+), 1 deletions(-)
3566 commit 33edd486a9899a145a15586d7134636b0300aaee
3567 Merge: 4eeeaf3 a2a2094
3568 Author: Brad Spengler <spender@grsecurity.net>
3569 Date: Thu Mar 7 17:53:00 2013 -0500
3571 Merge branch 'pax-test' into grsec-test
3574 arch/arm/include/asm/domain.h
3576 commit a2a20947f5e1332e474160a39af520738b3c8c19
3577 Author: Brad Spengler <spender@grsecurity.net>
3578 Date: Thu Mar 7 17:51:04 2013 -0500
3580 Update to pax-linux-3.8.2-test4.patch:
3581 fixed arm compilation problems reported by Michael Tremer
3582 - the constify plugin got smarter that enabled, with some additional patching,
3583 the elimination of about half the static function pointers on amd64/allmod
3584 (up from about 18%), depending on the kernel config it can be even more (70%)
3586 Documentation/dontdiff | 2 +
3587 arch/arm/include/asm/domain.h | 1 +
3588 arch/x86/include/asm/i8259.h | 2 +-
3589 arch/x86/include/asm/nmi.h | 4 +-
3590 arch/x86/kernel/acpi/boot.c | 4 +-
3591 arch/x86/kernel/apic/apic_noop.c | 2 +-
3592 arch/x86/kernel/apic/es7000_32.c | 2 +-
3593 arch/x86/kernel/apic/io_apic.c | 10 +-
3594 arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
3595 arch/x86/kernel/cpu/perf_event.c | 6 +-
3596 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
3597 arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
3598 arch/x86/kernel/i8259.c | 6 +-
3599 arch/x86/kernel/io_delay.c | 2 +-
3600 arch/x86/kernel/nmi.c | 6 +-
3601 arch/x86/kernel/nmi_selftest.c | 4 +-
3602 arch/x86/kernel/pci-swiotlb.c | 2 +-
3603 arch/x86/oprofile/nmi_int.c | 8 +-
3604 arch/x86/oprofile/op_model_amd.c | 8 +-
3605 arch/x86/oprofile/op_model_ppro.c | 7 +-
3606 arch/x86/oprofile/op_x86_model.h | 2 +-
3607 arch/x86/pci/irq.c | 6 +-
3608 drivers/acpi/apei/apei-internal.h | 2 +-
3609 drivers/acpi/bgrt.c | 6 +-
3610 drivers/acpi/blacklist.c | 2 +-
3611 drivers/acpi/processor_idle.c | 2 +-
3612 drivers/acpi/sysfs.c | 4 +-
3613 drivers/base/bus.c | 4 +-
3614 drivers/base/node.c | 2 +-
3615 drivers/base/syscore.c | 4 +-
3616 drivers/block/drbd/drbd_receiver.c | 4 +-
3617 drivers/char/random.c | 2 +-
3618 drivers/cpufreq/acpi-cpufreq.c | 20 ++-
3619 drivers/cpufreq/cpufreq.c | 7 +-
3620 drivers/cpufreq/cpufreq_governor.c | 4 +-
3621 drivers/cpufreq/cpufreq_governor.h | 2 +-
3622 drivers/cpufreq/p4-clockmod.c | 12 +-
3623 drivers/cpufreq/speedstep-centrino.c | 7 +-
3624 drivers/cpuidle/cpuidle.c | 2 +-
3625 drivers/cpuidle/governor.c | 4 +-
3626 drivers/cpuidle/sysfs.c | 2 +-
3627 drivers/devfreq/devfreq.c | 4 +-
3628 drivers/edac/edac_mc_sysfs.c | 2 +-
3629 drivers/edac/edac_pci_sysfs.c | 2 +-
3630 drivers/firewire/core-device.c | 2 +-
3631 drivers/firmware/dmi-id.c | 2 +-
3632 drivers/firmware/efivars.c | 2 +-
3633 drivers/firmware/google/memconsole.c | 4 +-
3634 drivers/gpio/gpio-ich.c | 2 +-
3635 drivers/gpu/drm/drm_drv.c | 2 +-
3636 drivers/gpu/drm/drm_ioc32.c | 9 +-
3637 drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
3638 drivers/gpu/drm/i915/intel_display.c | 26 ++-
3639 drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
3640 drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
3641 drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
3642 drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
3643 drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
3644 drivers/gpu/drm/udl/udl_fb.c | 1 -
3645 drivers/hwmon/acpi_power_meter.c | 4 +-
3646 drivers/hwmon/applesmc.c | 2 +-
3647 drivers/hwmon/asus_atk0110.c | 10 +-
3648 drivers/hwmon/ibmaem.c | 2 +-
3649 drivers/hwmon/pmbus/pmbus_core.c | 2 +-
3650 drivers/iio/industrialio-core.c | 2 +-
3651 drivers/input/mouse/psmouse.h | 2 +-
3652 drivers/iommu/iommu.c | 2 +-
3653 drivers/leds/leds-clevo-mail.c | 2 +-
3654 drivers/leds/leds-ss4200.c | 2 +-
3655 drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
3656 drivers/mfd/twl4030-irq.c | 8 +-
3657 drivers/mfd/twl6030-irq.c | 10 +-
3658 drivers/misc/c2port/core.c | 4 +-
3659 drivers/mtd/sm_ftl.c | 2 +-
3660 drivers/net/bonding/bond_main.c | 2 +-
3661 drivers/net/macvlan.c | 16 +-
3662 drivers/net/vxlan.c | 2 +-
3663 drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
3664 drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
3665 drivers/pci/hotplug/pciehp_core.c | 2 +-
3666 drivers/pci/pci-sysfs.c | 6 +-
3667 drivers/pci/pci.h | 2 +-
3668 drivers/platform/x86/msi-laptop.c | 14 +-
3669 drivers/platform/x86/sony-laptop.c | 2 +-
3670 drivers/power/power_supply.h | 4 +-
3671 drivers/power/power_supply_core.c | 6 +-
3672 drivers/power/power_supply_sysfs.c | 6 +-
3673 drivers/rtc/rtc-cmos.c | 4 +-
3674 drivers/rtc/rtc-ds1307.c | 2 +-
3675 drivers/rtc/rtc-m48t59.c | 4 +-
3676 drivers/scsi/bfa/bfa.h | 2 +-
3677 drivers/staging/iio/iio_hwmon.c | 2 +-
3678 drivers/usb/storage/usb.h | 2 +-
3679 drivers/video/aty/atyfb_base.c | 8 +-
3680 drivers/video/aty/mach64_cursor.c | 4 +-
3681 drivers/video/backlight/kb3886_bl.c | 2 +-
3682 drivers/video/fb_defio.c | 6 +-
3683 drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
3684 drivers/video/nvidia/nvidia.c | 27 ++-
3685 drivers/video/s1d13xxxfb.c | 6 +-
3686 drivers/video/smscufx.c | 4 +-
3687 drivers/video/udlfb.c | 4 +-
3688 drivers/video/uvesafb.c | 14 +-
3690 fs/ext4/super.c | 2 +-
3691 fs/jfs/super.c | 4 +-
3692 fs/nfs/callback_xdr.c | 2 +-
3693 fs/nfsd/nfs4proc.c | 2 +-
3694 fs/nfsd/nfs4xdr.c | 6 +-
3695 fs/nls/nls_base.c | 18 +-
3696 fs/nls/nls_euc-jp.c | 6 +-
3697 fs/nls/nls_koi8-ru.c | 6 +-
3698 fs/proc/proc_sysctl.c | 18 +-
3699 include/drm/drmP.h | 12 +-
3700 include/keys/asymmetric-subtype.h | 2 +-
3701 include/linux/atmdev.h | 2 +-
3702 include/linux/binfmts.h | 2 +-
3703 include/linux/configfs.h | 2 +-
3704 include/linux/cpufreq.h | 3 +-
3705 include/linux/cpuidle.h | 5 +-
3706 include/linux/devfreq.h | 2 +-
3707 include/linux/device.h | 7 +-
3708 include/linux/extcon.h | 2 +-
3709 include/linux/fb.h | 2 +-
3710 include/linux/fscache.h | 2 +-
3711 include/linux/genl_magic_func.h | 2 +-
3712 include/linux/hwmon-sysfs.h | 5 +-
3713 include/linux/iommu.h | 2 +-
3714 include/linux/irq.h | 2 +-
3715 include/linux/key-type.h | 2 +-
3716 include/linux/kobject.h | 1 +
3717 include/linux/kobject_ns.h | 2 +-
3718 include/linux/list.h | 14 +-
3719 include/linux/mod_devicetable.h | 2 +-
3720 include/linux/module.h | 5 +-
3721 include/linux/net.h | 2 +-
3722 include/linux/netfilter.h | 2 +-
3723 include/linux/nls.h | 2 +-
3724 include/linux/pci_hotplug.h | 3 +-
3725 include/linux/platform_data/usb-exynos.h | 2 +-
3726 include/linux/pnp.h | 2 +-
3727 include/linux/ppp-comp.h | 2 +-
3728 include/linux/rculist.h | 16 ++
3729 include/linux/sched.h | 2 +-
3730 include/linux/sock_diag.h | 2 +-
3731 include/linux/sunrpc/clnt.h | 2 +-
3732 include/linux/sunrpc/svc.h | 2 +-
3733 include/linux/sunrpc/svcauth.h | 2 +-
3734 include/linux/swiotlb.h | 3 +-
3735 include/linux/syscore_ops.h | 2 +-
3736 include/linux/sysctl.h | 6 +-
3737 include/linux/sysfs.h | 10 +-
3738 include/linux/sysrq.h | 1 +
3739 include/linux/xattr.h | 2 +-
3740 include/net/9p/transport.h | 2 +-
3741 include/net/bluetooth/l2cap.h | 2 +-
3742 include/net/genetlink.h | 2 +-
3743 include/net/ip.h | 2 +-
3744 include/net/ip_vs.h | 4 +-
3745 include/net/llc_c_ac.h | 2 +-
3746 include/net/llc_c_ev.h | 4 +-
3747 include/net/llc_c_st.h | 2 +-
3748 include/net/llc_s_ac.h | 2 +-
3749 include/net/llc_s_st.h | 2 +-
3750 include/net/mac80211.h | 2 +-
3751 include/net/net_namespace.h | 2 +-
3752 include/net/netns/conntrack.h | 6 +-
3753 include/net/rtnetlink.h | 2 +-
3754 include/net/sctp/sm.h | 4 +-
3755 include/net/sctp/structs.h | 2 +-
3756 include/net/xfrm.h | 4 +-
3757 ipc/ipc_sysctl.c | 10 +-
3758 ipc/mq_sysctl.c | 2 +-
3759 kernel/kmod.c | 2 +-
3760 kernel/ksysfs.c | 2 +-
3761 kernel/module.c | 4 +-
3762 kernel/pid_namespace.c | 2 +-
3763 kernel/rcutree_plugin.h | 2 +-
3764 kernel/sched/core.c | 39 ++--
3765 kernel/smpboot.c | 4 +-
3766 kernel/softirq.c | 2 +-
3767 kernel/sysctl.c | 2 +-
3768 kernel/utsname_sysctl.c | 2 +-
3769 kernel/watchdog.c | 2 +-
3770 lib/Kconfig.debug | 2 +-
3771 lib/kobject.c | 4 +-
3772 lib/list_debug.c | 57 ++++-
3773 lib/swiotlb.c | 2 +-
3774 mm/hugetlb.c | 16 +-
3775 mm/memory-failure.c | 2 +-
3776 mm/slab_common.c | 2 +-
3778 net/ax25/sysctl_net_ax25.c | 2 +-
3779 net/core/neighbour.c | 2 +-
3780 net/core/net-sysfs.c | 2 +-
3781 net/core/net_namespace.c | 8 +-
3782 net/core/rtnetlink.c | 11 +-
3783 net/core/sock_diag.c | 9 +-
3784 net/core/sysctl_net_core.c | 15 +-
3785 net/ipv4/af_inet.c | 8 +-
3786 net/ipv4/devinet.c | 12 +-
3787 net/ipv4/inet_connection_sock.c | 2 +-
3788 net/ipv4/ip_fragment.c | 9 +-
3789 net/ipv4/ip_gre.c | 6 +-
3790 net/ipv4/ip_vti.c | 4 +-
3791 net/ipv4/ipip.c | 4 +-
3792 net/ipv4/route.c | 14 +-
3793 net/ipv4/sysctl_net_ipv4.c | 43 ++--
3794 net/ipv6/addrconf.c | 4 +-
3795 net/ipv6/icmp.c | 2 +-
3796 net/ipv6/ip6_gre.c | 6 +-
3797 net/ipv6/ip6_tunnel.c | 4 +-
3798 net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
3799 net/ipv6/reassembly.c | 11 +-
3800 net/ipv6/route.c | 2 +-
3801 net/ipv6/sit.c | 4 +-
3802 net/ipv6/sysctl_net_ipv6.c | 2 +-
3803 net/netfilter/ipset/ip_set_core.c | 2 +-
3804 net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
3805 net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
3806 net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
3807 net/netfilter/nf_conntrack_acct.c | 2 +-
3808 net/netfilter/nf_conntrack_ecache.c | 2 +-
3809 net/netfilter/nf_conntrack_helper.c | 2 +-
3810 net/netfilter/nf_conntrack_proto.c | 2 +-
3811 net/netfilter/nf_conntrack_standalone.c | 2 +-
3812 net/netfilter/nf_conntrack_timestamp.c | 2 +-
3813 net/netfilter/nf_log.c | 10 +-
3814 net/netfilter/nf_sockopt.c | 4 +-
3815 net/netlink/genetlink.c | 16 +-
3816 net/phonet/sysctl.c | 2 +-
3817 net/rds/rds.h | 2 +-
3818 net/sctp/ipv6.c | 6 +-
3819 net/sctp/protocol.c | 10 +-
3820 net/sctp/sm_sideeffect.c | 2 +-
3821 net/sctp/sysctl.c | 4 +-
3822 net/sunrpc/clnt.c | 4 +-
3823 net/sunrpc/svc.c | 4 +-
3824 net/unix/sysctl_net_unix.c | 2 +-
3825 net/xfrm/xfrm_policy.c | 11 +-
3826 net/xfrm/xfrm_state.c | 29 ++-
3827 net/xfrm/xfrm_sysctl.c | 2 +-
3828 security/apparmor/lsm.c | 2 +-
3829 security/keys/key.c | 18 +-
3830 security/yama/yama_lsm.c | 22 +-
3831 tools/gcc/Makefile | 4 +-
3832 tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
3833 tools/gcc/size_overflow_plugin.c | 7 +-
3834 248 files changed, 994 insertions(+), 668 deletions(-)
3836 commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
3837 Author: Brad Spengler <spender@grsecurity.net>
3838 Date: Wed Mar 6 12:58:21 2013 -0500
3840 Make slab_state __read_only, it's only written to during init
3842 mm/slab_common.c | 2 +-
3843 1 files changed, 1 insertions(+), 1 deletions(-)
3845 commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
3846 Author: Brad Spengler <spender@grsecurity.net>
3847 Date: Wed Mar 6 12:31:35 2013 -0500
3849 Make two new helper functions:
3850 gr_is_global_root() and gr_is_global_nonroot()
3852 grsecurity/gracl.c | 10 +++++-----
3853 grsecurity/gracl_segv.c | 2 +-
3854 grsecurity/grsec_link.c | 4 ++--
3855 grsecurity/grsec_sig.c | 10 +++++-----
3856 grsecurity/grsec_tpe.c | 6 +++---
3857 include/linux/uidgid.h | 2 ++
3858 6 files changed, 18 insertions(+), 16 deletions(-)
3860 commit d45d88eddd4998b280b1e5b5384289ee11ca7088
3861 Author: Brad Spengler <spender@grsecurity.net>
3862 Date: Wed Mar 6 12:14:41 2013 -0500
3864 convert remaining task->pid to task_pid_nr(task)
3866 grsecurity/gracl.c | 22 +++++++++++-----------
3867 grsecurity/gracl_shm.c | 2 +-
3868 grsecurity/grsec_chroot.c | 4 ++--
3869 grsecurity/grsec_sig.c | 4 ++--
3870 4 files changed, 16 insertions(+), 16 deletions(-)
3872 commit c877f2ece03ee2232dd281c1977ae59507297124
3873 Author: Brad Spengler <spender@grsecurity.net>
3874 Date: Tue Mar 5 17:29:54 2013 -0500
3876 compat-log is only used anymore by vm86-on-64bit and allows unlimited
3877 spamming of the kernel log buffer (and since it includes the changeable
3878 process name, can avoid syslog log deduplication)
3879 Turn it off by default
3882 1 files changed, 1 insertions(+), 1 deletions(-)
3884 commit 7c1964c4b7276889d7967bee70e46918cdca1b14
3885 Author: Brad Spengler <spender@grsecurity.net>
3886 Date: Mon Mar 4 17:19:10 2013 -0500
3888 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
3889 is enabled, introduced with recent userns support
3891 init/main.c | 4 ++--
3892 1 files changed, 2 insertions(+), 2 deletions(-)
3894 commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
3895 Author: Brad Spengler <spender@grsecurity.net>
3896 Date: Sun Mar 3 18:46:12 2013 -0500
3898 Prevent TOMOYO from auto-loading modules by unprivileged users
3899 (Only reachable if TOMOYO is actually used)
3901 security/tomoyo/mount.c | 4 ++++
3902 1 files changed, 4 insertions(+), 0 deletions(-)
3904 commit 79e142f9455b398759ff9d93d4963a21b98dddda
3905 Author: Brad Spengler <spender@grsecurity.net>
3906 Date: Sun Mar 3 18:28:45 2013 -0500
3908 For now, don't permit any special access to /proc in a user namespace
3909 Later we can go back and allow a userns-uid0 special access to a /proc
3910 with a non-global pid namespace
3912 fs/proc/base.c | 2 +-
3913 1 files changed, 1 insertions(+), 1 deletions(-)
3915 commit 8b91fb393049ce5f3c0a86f62247409853fd9700
3916 Merge: d931eb8 603ef05
3917 Author: Brad Spengler <spender@grsecurity.net>
3918 Date: Sun Mar 3 17:42:09 2013 -0500
3920 Merge branch 'pax-test' into grsec-test
3922 commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
3923 Author: Brad Spengler <spender@grsecurity.net>
3924 Date: Sun Mar 3 17:41:31 2013 -0500
3926 Fix compilation error on ARM reported by Michael Tremer
3928 arch/arm/mach-omap2/wd_timer.c | 6 +++---
3929 1 files changed, 3 insertions(+), 3 deletions(-)
3931 commit b4c9ce81fdd7839a150c97873c710c479e788280
3932 Author: Brad Spengler <spender@grsecurity.net>
3933 Date: Sun Mar 3 17:39:53 2013 -0500
3935 Fix compilation error on ARM reported by Michael Tremer
3937 arch/arm/kernel/armksyms.c | 2 +-
3938 1 files changed, 1 insertions(+), 1 deletions(-)
3940 commit d931eb81ab3da46896268fd61373a6aa7bbea930
3941 Merge: bfa7f44 5948f93
3942 Author: Brad Spengler <spender@grsecurity.net>
3943 Date: Sun Mar 3 17:34:36 2013 -0500
3945 Merge branch 'pax-test' into grsec-test
3947 commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
3948 Merge: ab30472 19b00d2
3949 Author: Brad Spengler <spender@grsecurity.net>
3950 Date: Sun Mar 3 17:34:08 2013 -0500
3952 Merge branch 'linux-3.8.y' into pax-test
3954 commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
3955 Author: Brad Spengler <spender@grsecurity.net>
3956 Date: Sun Mar 3 15:12:12 2013 -0500
3958 Initial support for user namespaces, as we previously didn't allow
3959 the option to be enabled at all.
3961 RBAC will act on the global uids/gids only, so all uids/gids in user
3962 namespaces will be converted
3964 Because Eric Biederman is insulted that I didn't support his
3965 backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
3966 check in for user namespaces, so this is generally irrelevant.
3969 fs/proc/base.c | 2 +-
3970 fs/proc/proc_net.c | 4 +-
3971 grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
3972 grsecurity/gracl_cap.c | 4 +-
3973 grsecurity/gracl_ip.c | 16 +++---
3974 grsecurity/gracl_segv.c | 12 +++-
3975 grsecurity/gracl_shm.c | 4 +-
3976 grsecurity/grsec_disabled.c | 10 ++--
3977 grsecurity/grsec_fifo.c | 6 +-
3978 grsecurity/grsec_init.c | 24 ++++----
3979 grsecurity/grsec_log.c | 3 -
3980 grsecurity/grsec_tpe.c | 6 +-
3981 include/linux/grinternal.h | 12 ++--
3982 include/linux/grsecurity.h | 12 ++--
3983 include/linux/uidgid.h | 3 +
3986 kernel/cred.c | 5 +-
3987 kernel/kallsyms.c | 2 +-
3988 kernel/kmod.c | 6 +-
3989 kernel/sys.c | 12 ++--
3990 22 files changed, 166 insertions(+), 115 deletions(-)
3992 commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
3993 Author: Linus Torvalds <torvalds@linux-foundation.org>
3994 Date: Wed Feb 27 08:36:04 2013 -0800
3996 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
3998 mm: do not grow the stack vma just because of an overrun on preceding vma
4000 The stack vma is designed to grow automatically (marked with VM_GROWSUP
4001 or VM_GROWSDOWN depending on architecture) when an access is made beyond
4002 the existing boundary. However, particularly if you have not limited
4003 your stack at all ("ulimit -s unlimited"), this can cause the stack to
4004 grow even if the access was really just one past *another* segment.
4006 And that's wrong, especially since we first grow the segment, but then
4007 immediately later enforce the stack guard page on the last page of the
4008 segment. So _despite_ first growing the stack segment as a result of
4009 the access, the kernel will then make the access cause a SIGSEGV anyway!
4011 So do the same logic as the guard page check does, and consider an
4012 access to within one page of the next segment to be a bad access, rather
4013 than growing the stack to abut the next segment.
4015 Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
4016 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4018 mm/mmap.c | 27 +++++++++++++++++++++++++++
4019 1 files changed, 27 insertions(+), 0 deletions(-)
4021 commit 5596211af754867ca825f58e6e0300a8439950fe
4022 Author: H. Peter Anvin <hpa@linux.intel.com>
4023 Date: Wed Feb 27 12:46:40 2013 -0800
4025 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
4027 x86: Make sure we can boot in the case the BDA contains pure garbage
4029 On non-BIOS platforms it is possible that the BIOS data area contains
4030 garbage instead of being zeroed or something equivalent (firmware
4031 people: we are talking of 1.5K here, so please do the sane thing.)
4033 We need on the order of 20-30K of low memory in order to boot, which
4034 may grow up to < 64K in the future. We probably want to avoid the
4035 lowest of the low memory. At the same time, it seems extremely
4036 unlikely that a legitimate EBDA would ever reach down to the 128K
4037 (which would require it to be over half a megabyte in size.) Thus,
4038 pick 128K as the cutoff for "this is insane, ignore." We may still
4039 end up reserving a bunch of extra memory on the low megabyte, but that
4040 is not really a major issue these days. In the worst case we lose
4043 This code really should be merged with trim_bios_range() in
4044 arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
4047 Reported-by: Darren Hart <dvhart@linux.intel.com>
4048 Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
4049 Cc: Matt Fleming <matt.fleming@intel.com>
4050 Cc: <stable@vger.kernel.org>
4051 Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
4053 arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
4054 1 files changed, 34 insertions(+), 19 deletions(-)
4056 commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
4057 Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
4058 Date: Wed Feb 27 17:05:46 2013 -0800
4060 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
4062 memstick: move the dereference below the NULL test
4064 The dereference should be moved below the NULL test.
4066 spatch with a semantic match is used to find this.
4067 (http://coccinelle.lip6.fr/)
4069 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
4070 Cc: Maxim Levitsky <maximlevitsky@gmail.com>
4071 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
4072 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4074 drivers/memstick/host/r592.c | 3 ++-
4075 1 files changed, 2 insertions(+), 1 deletions(-)
4077 commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
4078 Author: Xi Wang <xi.wang@gmail.com>
4079 Date: Wed Feb 27 17:05:21 2013 -0800
4081 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
4083 sysctl: fix null checking in bin_dn_node_address()
4085 The null check of `strchr() + 1' is broken, which is always non-null,
4086 leading to OOB read. Instead, check the result of strchr().
4088 Signed-off-by: Xi Wang <xi.wang@gmail.com>
4089 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
4090 Cc: <stable@vger.kernel.org>
4091 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
4092 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4094 kernel/sysctl_binary.c | 3 ++-
4095 1 files changed, 2 insertions(+), 1 deletions(-)
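The check described in the sysctl commit above, as an added userspace example (not code from the commit or from the kernel). The function names are hypothetical, and the "area.node" text format with a 6-bit area and a 10-bit node is an assumption about DECnet addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Models the broken test: the pointer is advanced first and tested second.
 * Integer arithmetic stands in for `strchr(buf, '.') + 1` so that the
 * missing-dot case stays well defined in this demo. The result is never 0,
 * so the check accepts every input and parsing would continue from a bogus
 * address when there is no dot at all.
 */
static int broken_check_accepts(const char *buf)
{
    uintptr_t nodep = (uintptr_t)strchr(buf, '.') + 1;

    return nodep != 0;
}

/*
 * Hardened form: test the strchr() result itself, then step past the dot.
 * Also rejects empty fields, trailing junk and out-of-range values
 * (assumed limits: area 0..63, node 0..1023).
 * Returns 0 on success, -1 on malformed input.
 */
static int parse_dn_address(const char *buf, unsigned *area, unsigned *node)
{
    const char *nodep = strchr(buf, '.');
    unsigned long a, n;
    char *end;

    if (!nodep)
        return -1;                      /* no separator: nothing to parse */

    a = strtoul(buf, &end, 10);
    if (end == buf || end != nodep)
        return -1;                      /* area must be digits up to the dot */

    ++nodep;
    n = strtoul(nodep, &end, 10);
    if (end == nodep || *end != '\0')
        return -1;                      /* node must be digits to the end */

    if (a > 63 || n > 1023)
        return -1;

    *area = (unsigned)a;
    *node = (unsigned)n;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "1.2", "63.1023", "12345", "64.1", "1.2.3" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned area = 0, node = 0;
        int rc = parse_dn_address(samples[i], &area, &node);

        printf("%-8s broken check accepts=%d  hardened rc=%d\n",
               samples[i], broken_check_accepts(samples[i]), rc);
    }
    return 0;
}
```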
4097 commit 7ca96db0817416fd40761e7437d1939fc0731380
4098 Author: Tejun Heo <tj@kernel.org>
4099 Date: Wed Feb 27 17:03:34 2013 -0800
4101 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
4103 idr: fix a subtle bug in idr_get_next()
4105 The iteration logic of idr_get_next() is borrowed mostly verbatim from
4106 idr_for_each(). It walks down the tree looking for the slot matching
4107 the current ID. If the matching slot is not found, the ID is
4108 incremented by the distance of single slot at the given level and
4111 The implementation assumes that during the whole iteration id is aligned
4112 to the layer boundaries of the level closest to the leaf, which is true
4113 for all iterations starting from zero or an existing element and thus is
4114 fine for idr_for_each().
4116 However, idr_get_next() may be given any point and if the starting id
4117 hits in the middle of a non-existent layer, increment to the next layer
4118 will end up skipping the same offset into it. For example, an IDR with
4119 IDs filled between [64, 127] would look like the following.
4126 If idr_get_next() is called with 63 as the starting point, it will try
4127 to follow down the pointer from 0. As it is NULL, it will then try to
4128 proceed to the next slot in the same level by adding the slot distance
4129 at that level which is 64 - making the next try 127. It goes around the
4130 loop and finds and returns 127 skipping [64, 126].
4132 Note that this bug also triggers in idr_for_each_entry() loop which
4133 deletes during iteration as deletions can make layers go away leaving
4134 the iteration with unaligned ID into missing layers.
4136 Fix it by ensuring proceeding to the next slot doesn't carry over the
4137 unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
4138 id += slot_distance.
4140 Signed-off-by: Tejun Heo <tj@kernel.org>
4141 Reported-by: David Teigland <teigland@redhat.com>
4142 Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
4143 Cc: <stable@vger.kernel.org>
4144 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
4145 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4147 lib/idr.c | 9 ++++++++-
4148 1 files changed, 8 insertions(+), 1 deletions(-)
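The idr_get_next() skip described in the commit above, as an added userspace model (not code from the commit or from lib/idr.c). The two-layer tree, the type names and the helper names are assumptions made for the illustration; the 64-slot layers and the IDs [64, 127] follow the commit message.

```c
#include <stddef.h>
#include <stdio.h>

#define IDR_BITS 6
#define SLOTS    (1 << IDR_BITS)   /* 64 slots per layer */
#define MASK     (SLOTS - 1)
#define MAX_ID   (SLOTS * SLOTS)   /* two layers cover IDs 0..4095 */

struct leaf { void *slot[SLOTS]; };          /* bottom layer: one ID per slot */
struct top  { struct leaf *child[SLOTS]; };  /* top layer: 64 IDs per slot */

static struct top  sample_top;
static struct leaf sample_leaf;
static int         marker;                   /* any non-NULL payload */

/* Constructed sample: IDs 64..127 present, everything else missing. */
static const struct top *sample_tree(void)
{
    int i;

    for (i = 0; i < SLOTS; i++)
        sample_leaf.slot[i] = &marker;
    sample_top.child[1] = &sample_leaf;
    return &sample_top;
}

/* round_up() for power-of-two steps */
static int round_up_to(int x, int step)
{
    return (x + step - 1) & ~(step - 1);
}

/*
 * Return the first populated ID >= start, or -1 if there is none.
 * fixed == 0: advance with id += slot_distance (behaviour before the fix)
 * fixed == 1: advance with round_up(id + 1, slot_distance) (the fix)
 */
static int get_next(const struct top *t, int start, int fixed)
{
    int id = start;

    while (id < MAX_ID) {
        const struct leaf *l = t->child[(id >> IDR_BITS) & MASK];
        int dist;

        if (!l)
            dist = SLOTS;          /* whole layer missing: a slot spans 64 IDs */
        else if (l->slot[id & MASK])
            return id;
        else
            dist = 1;              /* empty slot in an existing leaf */

        /* The old step carries the unaligned offset into the next layer. */
        id = fixed ? round_up_to(id + 1, dist) : id + dist;
    }
    return -1;
}

/* Number of entries an iteration starting at `start` actually visits. */
static int count_from(const struct top *t, int start, int fixed)
{
    int n = 0;
    int id = get_next(t, start, fixed);

    while (id >= 0) {
        n++;
        id = get_next(t, id + 1, fixed);
    }
    return n;
}

int main(void)
{
    const struct top *t = sample_tree();

    printf("start 63, old step:   first=%d visited=%d\n",
           get_next(t, 63, 0), count_from(t, 63, 0));
    printf("start 63, round_up:   first=%d visited=%d\n",
           get_next(t, 63, 1), count_from(t, 63, 1));
    printf("start 0 (aligned), old step: first=%d\n", get_next(t, 0, 0));
    return 0;
}
```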
4150 commit 745362f28034f54242ba2e64eaa7374ab9869613
4151 Author: Brad Spengler <spender@grsecurity.net>
4152 Date: Fri Mar 1 20:31:42 2013 -0500
4154 Fix dentry use-after-free after failed complete_walk() with RBAC enabled
4155 Many thanks to zakalwe from #grsecurity for the report and debugging help
4157 fs/namei.c | 8 +++-----
4158 1 files changed, 3 insertions(+), 5 deletions(-)
4160 commit b53b3b14330920c6f7cfb74c8508a3026e1be620
4161 Author: Brad Spengler <spender@grsecurity.net>
4162 Date: Thu Feb 28 18:29:26 2013 -0500
4166 fs/namespace.c | 8 --------
4167 1 files changed, 0 insertions(+), 8 deletions(-)
4169 commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
4170 Merge: 1cce1dd ab30472
4171 Author: Brad Spengler <spender@grsecurity.net>
4172 Date: Thu Feb 28 17:45:14 2013 -0500
4174 Merge branch 'pax-test' into grsec-test
4177 net/core/sock_diag.c
4179 commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
4180 Merge: 4b61d21 4c91a0e
4181 Author: Brad Spengler <spender@grsecurity.net>
4182 Date: Thu Feb 28 17:43:56 2013 -0500
4184 Merge branch 'linux-3.8.y' into pax-test
4186 commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
4187 Author: Brad Spengler <spender@grsecurity.net>
4188 Date: Wed Feb 27 22:20:22 2013 -0500
4190 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
4192 include/linux/sysrq.h | 1 +
4193 1 files changed, 1 insertions(+), 0 deletions(-)
4195 commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
4196 Author: Brad Spengler <spender@grsecurity.net>
4197 Date: Wed Feb 27 17:52:31 2013 -0500
4199 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
4201 kernel/printk.c | 12 +++++++-----
4202 1 files changed, 7 insertions(+), 5 deletions(-)
4204 commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
4205 Author: Brad Spengler <spender@grsecurity.net>
4206 Date: Wed Feb 27 17:23:46 2013 -0500
4208 Fix upstream vulnerability from addition of a /dev/kmsg device
4209 while neglecting to add the same set of existing permission checks
4210 from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
4211 A temporary workaround without this patch would be to
4212 chmod 0600 /dev/kmsg (and is likely a good idea anyway).
4214 Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
4215 Initially reported to Redhat bugzilla by Christian Kujau:
4216 https://bugzilla.redhat.com/show_bug.cgi?id=903192
4218 kernel/printk.c | 4 ++++
4219 1 files changed, 4 insertions(+), 0 deletions(-)
4221 commit 66c04806f5660988c3cb4855e60de294e77e3d0e
4222 Author: David Howells <dhowells@redhat.com>
4223 Date: Thu Feb 21 12:00:25 2013 +0000
4225 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
4227 KEYS: Revert one application of "Fix unreachable code" patch
4229 A patch to fix some unreachable code in search_my_process_keyrings() got
4230 applied twice by two different routes upstream as commits e67eab39bee2
4231 and b010520ab3d2 (both "fix unreachable code").
4233 Unfortunately, the second application removed something it shouldn't
4234 have and this wasn't detected by GIT. This is due to the patch not
4235 having sufficient lines of context to distinguish the two places of
4238 The effect of this is relatively minor: inside the kernel, the keyring
4239 search routines may search multiple keyrings and then prioritise the
4240 errors if no keys or negative keys are found in any of them. With the
4241 extra deletion, the presence of a negative key in the thread keyring
4242 (causing ENOKEY) is incorrectly overridden by an error searching the
4245 So revert the second application of the patch.
4247 Signed-off-by: David Howells <dhowells@redhat.com>
4248 Cc: Jiri Kosina <jkosina@suse.cz>
4249 Cc: Andrew Morton <akpm@linux-foundation.org>
4250 Cc: stable@vger.kernel.org
4251 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4253 security/keys/process_keys.c | 2 ++
4254 1 files changed, 2 insertions(+), 0 deletions(-)
4256 commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
4257 Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
4258 Date: Thu Feb 21 16:42:43 2013 -0800
4260 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
4262 configfs: move the dereference below the NULL test
4264 The dereference should be moved below the NULL test.
4266 spatch with a semantic match is used to find this.
4267 (http://coccinelle.lip6.fr/)
4269 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
4270 Cc: Joel Becker <jlbec@evilplan.org>
4271 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
4272 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4274 fs/configfs/dir.c | 5 +++--
4275 1 files changed, 3 insertions(+), 2 deletions(-)
4277 commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
4278 Author: Nicolas Pitre <nicolas.pitre@linaro.org>
4279 Date: Sun Feb 24 20:06:09 2013 -0500
4281 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
4283 tty vt: fix character insertion overflow
4285 Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
4286 command line edition") broke insert_char() in multiple ways. Then
4287 commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
4288 partially fixed it. However, the buffer being moved is still too large
4289 and overflowing beyond the end of the current line, corrupting existing
4290 characters on the next line.
4294 echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
4306 Needless to say that this is very annoying when inserting words in the
4307 middle of paragraphs with certain text editors.
4309 Signed-off-by: Nicolas Pitre <nico@linaro.org>
4310 Cc: Jean-François Moine <moinejf@free.fr>
4311 Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
4312 Cc: <stable@vger.kernel.org>
4313 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4315 drivers/tty/vt/vt.c | 2 +-
4316 1 files changed, 1 insertions(+), 1 deletions(-)
4318 commit 6cda35071669b4aabde081bd039e0ffea36f997a
4319 Author: Robin Holt <holt@sgi.com>
4320 Date: Fri Feb 22 16:35:34 2013 -0800
4322 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
4324 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
4326 There is a race condition between mmu_notifier_unregister() and
4327 __mmu_notifier_release().
4329 Assume two tasks, one calling mmu_notifier_unregister() as a result of a
4330 filp_close() ->flush() callout (task A), and the other calling
4331 mmu_notifier_release() from an mmput() (task B).
4335 t2 if (!hlist_unhashed())
4336 t3 srcu_read_unlock()
4338 t5 hlist_del_init_rcu()
4339 t6 synchronize_srcu()
4340 t7 srcu_read_unlock()
4341 t8 hlist_del_rcu() <--- NULL pointer deref.
4343 Additionally, the list traversal in __mmu_notifier_release() is not
4344 protected by the mmu_notifier_mm->hlist_lock which can result in
4345 callouts to the ->release() notifier from both mmu_notifier_unregister()
4346 and __mmu_notifier_release().
4348 -stable suggestions:
4350 The stable trees prior to 3.7.y need commits 21a92735f660 and
4351 70400303ce0c cherry-picked in that order prior to cherry-picking this
4352 commit. The 3.7.y tree already has those two commits.
4354 Signed-off-by: Robin Holt <holt@sgi.com>
4355 Cc: Andrea Arcangeli <aarcange@redhat.com>
4356 Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
4357 Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
4358 Cc: Avi Kivity <avi@redhat.com>
4359 Cc: Hugh Dickins <hughd@google.com>
4360 Cc: Marcelo Tosatti <mtosatti@redhat.com>
4361 Cc: Sagi Grimberg <sagig@mellanox.co.il>
4362 Cc: Haggai Eran <haggaie@mellanox.com>
4363 Cc: <stable@vger.kernel.org>
4364 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
4365 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4367 mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
4368 1 files changed, 42 insertions(+), 40 deletions(-)
4370 commit bf5167ed78ba6131c6874887f714bda50c2cab83
4371 Author: Mike Galbraith <bitbucket@online.de>
4372 Date: Mon Jan 28 12:19:25 2013 +0100
4374 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
4376 sched: Fix select_idle_sibling() bouncing cow syndrome
4378 If the previous CPU is cache affine and idle, select it.
4380 The current implementation simply traverses the sd_llc domain,
4381 taking the first idle CPU encountered, which walks buddy pairs
4382 hand in hand over the package, inflicting excruciating pain.
4384 1 tbench pair (worst case) in a 10 core + SMT package:
4386 pre 15.22 MB/sec 1 procs
4387 post 252.01 MB/sec 1 procs
4389 Signed-off-by: Mike Galbraith <bitbucket@online.de>
4390 Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
4391 Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
4392 Signed-off-by: Ingo Molnar <mingo@kernel.org>
4394 kernel/sched/fair.c | 21 +++++++--------------
4395 1 files changed, 7 insertions(+), 14 deletions(-)
4397 commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
4398 Author: Eric W. Biederman <ebiederm@xmission.com>
4399 Date: Fri Dec 28 18:58:39 2012 -0800
4401 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
4403 userns: Avoid recursion in put_user_ns
4405 When freeing a deeply nested user namespace free_user_ns calls
4406 put_user_ns on its parent which may in turn call free_user_ns again.
4407 When -fno-optimize-sibling-calls is passed to gcc one stack frame per
4408 user namespace is left on the stack, potentially overflowing the
4409 kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
4410 so we can't count on gcc to optimize this code.
4412 Remove struct kref and use a plain atomic_t. Making the code more
4413 flexible and easier to comprehend. Make the loop in free_user_ns
4414 explicit to guarantee that the stack does not overflow with
4415 CONFIG_FRAME_POINTER enabled.
4417 I have tested this fix with a simple program that uses unshare to
4418 create a deeply nested user namespace structure and then calls exit.
4419 With 1000 nested user namespaces before this change running my test
4420 program causes the kernel to die a horrible death. With 10,000,000
4421 nested user namespaces after this change my test program runs to
4422 completion and causes no harm.
4424 Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
4425 Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
4426 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
4428 include/linux/user_namespace.h | 10 +++++-----
4429 kernel/user.c | 4 +---
4430 kernel/user_namespace.c | 17 +++++++++--------
4431 3 files changed, 15 insertions(+), 16 deletions(-)
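Added example, not part of the changelog or of the kernel patch: a userspace C model of the recursion the commit above describes, next to the explicit loop it switches to. The struct, the function names and the plain long counter (standing in for atomic_t) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: a refcounted object that pins its parent,
 * the way a nested user namespace pins the one it was created in. */
struct ns {
    struct ns *parent;
    long count;               /* stands in for atomic_t */
};

static unsigned long ns_freed;    /* objects released since last reset */

struct ns *ns_create(struct ns *parent)
{
    struct ns *ns = calloc(1, sizeof(*ns));
    if (!ns)
        return NULL;
    ns->count = 1;
    ns->parent = parent;
    if (parent)
        parent->count++;      /* child holds a reference on its parent */
    return ns;
}

/* Recursive shape: free -> put(parent) -> free -> ...
 * One stack frame per nesting level unless the compiler happens to
 * turn the tail call into a jump. */
void ns_put_recursive(struct ns *ns);
void ns_free_recursive(struct ns *ns)
{
    struct ns *parent = ns->parent;
    free(ns);
    ns_freed++;
    if (parent)
        ns_put_recursive(parent);
}
void ns_put_recursive(struct ns *ns)
{
    if (--ns->count == 0)
        ns_free_recursive(ns);
}

/* Explicit loop: stack depth is constant whatever the nesting depth. */
void ns_free_iter(struct ns *ns)
{
    struct ns *parent;
    do {
        parent = ns->parent;
        free(ns);
        ns_freed++;
        ns = parent;
    } while (ns && --ns->count == 0);
}
void ns_put_iter(struct ns *ns)
{
    if (ns && --ns->count == 0)
        ns_free_iter(ns);
}

/* Build depth (>= 1) nested objects; only the innermost one is returned
 * and every outer level is kept alive solely by its child. */
struct ns *ns_build_chain(unsigned long depth)
{
    struct ns *cur = ns_create(NULL);
    unsigned long i;
    for (i = 1; cur && i < depth; i++) {
        struct ns *child = ns_create(cur);
        ns_put_iter(cur);     /* drop creator's ref (frees chain on failure) */
        cur = child;
    }
    return cur;
}

/* Release a chain and report how many objects were freed. */
unsigned long ns_release_chain(unsigned long depth, int recursive)
{
    struct ns *leaf = ns_build_chain(depth);
    if (!leaf)
        return 0;
    ns_freed = 0;
    if (recursive)
        ns_put_recursive(leaf);
    else
        ns_put_iter(leaf);
    return ns_freed;
}

/* Two children share one parent: dropping the first child must stop
 * at the parent, which the second child still references. */
unsigned long ns_release_first_sibling(void)
{
    struct ns *root = ns_create(NULL);
    struct ns *a = root ? ns_create(root) : NULL;
    struct ns *b = a ? ns_create(root) : NULL;
    unsigned long first;
    if (!b) {
        ns_put_iter(a);
        ns_put_iter(root);
        return 0;
    }
    ns_put_iter(root);        /* creator's ref: 3 -> 2 */
    ns_freed = 0;
    ns_put_iter(a);
    first = ns_freed;
    ns_put_iter(b);           /* frees b, then root */
    return first;
}

int main(void)
{
    /* The recursive form is only exercised at a shallow depth here. */
    printf("recursive, depth 100: freed %lu\n", ns_release_chain(100, 1));
    printf("loop, depth 500000:   freed %lu\n", ns_release_chain(500000, 0));
    printf("shared parent:        freed %lu\n", ns_release_first_sibling());
    return 0;
}
```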
4433 commit 81501c7106ccc186c94806f4db954626295b5ebe
4434 Author: Brad Spengler <spender@grsecurity.net>
4435 Date: Tue Feb 26 17:12:30 2013 -0500
4437 Pass the same flags to kern_path_create as the original function
4440 1 files changed, 2 insertions(+), 2 deletions(-)
4442 commit a677c8eee35afe48868f92c7d6745bfe809cd481
4443 Author: Al Viro <viro@zeniv.linux.org.uk>
4444 Date: Fri Feb 22 22:45:42 2013 -0500
4446 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
4448 get rid of unprotected dereferencing of mnt->mnt_ns
4450 It's safe only under namespace_sem or vfsmount_lock; all places
4451 in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
4452 current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
4455 Cc: stable@vger.kernel.org
4456 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
4458 fs/namespace.c | 29 +++++++++++++++++------------
4459 1 files changed, 17 insertions(+), 12 deletions(-)
4461 commit 89298124d0c96dc34a60377e7a1308f8f532ff75
4462 Author: Greg Thelen <gthelen@google.com>
4463 Date: Fri Feb 22 16:36:01 2013 -0800
4465 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
4467 tmpfs: fix use-after-free of mempolicy object
4469 The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
4470 option is not specified in the remount request. A new policy can be
4471 specified if mpol=M is given.
4473 Before this patch remounting an mpol bound tmpfs without specifying
4474 mpol= mount option in the remount request would set the filesystem's
4475 mempolicy object to a freed mempolicy object.
4477 To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
4480 # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
4482 # grep /tmp/x /proc/mounts
4483 nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
4485 # mount -o remount,size=200M nodev /tmp/x
4487 # grep /tmp/x /proc/mounts
4488 nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
4489 # note ? garbage in mpol=... output above
4491 # dd if=/dev/zero of=/tmp/x/f count=1
4495 BUG: unable to handle kernel NULL pointer dereference at (null)
4496 IP: [< (null)>] (null)
4498 Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
4500 mpol_shared_policy_init+0xa5/0x160
4501 shmem_get_inode+0x209/0x270
4502 shmem_mknod+0x3e/0xf0
4503 shmem_create+0x18/0x20
4504 vfs_create+0xb5/0x130
4506 path_openat+0xb3/0x4d0
4507 do_filp_open+0x42/0xa0
4508 do_sys_open+0xfe/0x1e0
4509 compat_sys_open+0x1b/0x20
4510 cstar_dispatch+0x7/0x1f
4512 Non-debug kernels will not crash immediately because referencing the
4513 dangling mpol will not cause a fault. Instead the filesystem will
4514 reference a freed mempolicy object, which will cause unpredictable
4517 The problem boils down to a dropped mpol reference below if
4518 shmem_parse_options() does not allocate a new mpol:
4521 shmem_parse_options(data, &config, true)
4522 mpol_put(sbinfo->mpol)
4523 sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
4525 This patch avoids the crash by not releasing the mempolicy if
4526 shmem_parse_options() doesn't create a new mpol.
4528 How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
4529 not look back further.
4531 Signed-off-by: Greg Thelen <gthelen@google.com>
4532 Acked-by: Hugh Dickins <hughd@google.com>
4533 Cc: <stable@vger.kernel.org>
4534 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
4535 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
4537 mm/shmem.c | 10 ++++++++--
4538 1 files changed, 8 insertions(+), 2 deletions(-)
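Added example, not part of the changelog or of the kernel patch: a userspace C model of the dropped reference the commit above describes, with the remount path before and after the fix. All names are constructed; the model assumes the remount code starts from a copy of the superblock info, and it marks released objects in a static pool instead of freeing them so the stale pointer can be inspected safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a refcounted memory policy object. */
struct mpol { int refcnt; int live; char mode[16]; };
struct sbinfo { unsigned long size_mb; struct mpol *mpol; };

static struct mpol pool[8];
static int pool_used;

struct mpol *mpol_new(const char *mode, size_t n)
{
    struct mpol *p;
    if (pool_used >= 8 || n >= sizeof(p->mode))
        return NULL;
    p = &pool[pool_used++];
    p->refcnt = 1;
    p->live = 1;
    memcpy(p->mode, mode, n);
    p->mode[n] = '\0';
    return p;
}

void mpol_put(struct mpol *p)
{
    if (p && --p->refcnt == 0)
        p->live = 0;          /* stands in for freeing the object */
}

/* Parse "size=<n>M" and "mpol=<mode>" from a comma-separated string.
 * Only an explicit mpol= allocates a new policy (a repeated mpol= is
 * not handled in this model). */
int parse_options(const char *opts, struct sbinfo *config)
{
    const char *p = opts;
    while (*p) {
        size_t len = strcspn(p, ",");
        if (len > 5 && !strncmp(p, "size=", 5)) {
            config->size_mb = strtoul(p + 5, NULL, 10);
        } else if (len > 5 && !strncmp(p, "mpol=", 5)) {
            struct mpol *m = mpol_new(p + 5, len - 5);
            if (!m)
                return -1;
            config->mpol = m;
        }
        p += len;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* Before the fix: config.mpol is a borrowed copy of sb->mpol, so without
 * mpol= in the request the put releases the very object saved back. */
int remount_buggy(struct sbinfo *sb, const char *opts)
{
    struct sbinfo config = *sb;
    if (parse_options(opts, &config))
        return -1;
    sb->size_mb = config.size_mb;
    mpol_put(sb->mpol);
    sb->mpol = config.mpol;   /* may point at a released object */
    return 0;
}

/* After the fix: the old policy is released only when the parser
 * actually created a replacement. */
int remount_fixed(struct sbinfo *sb, const char *opts)
{
    struct sbinfo config = *sb;
    config.mpol = NULL;
    if (parse_options(opts, &config))
        return -1;
    sb->size_mb = config.size_mb;
    if (config.mpol) {
        mpol_put(sb->mpol);
        sb->mpol = config.mpol;
    }
    return 0;
}

/* Mount with mpol=interleave, remount with the given options, and
 * report whether the policy the superblock points at is still live. */
int policy_live_after_remount(int fixed, const char *remount_opts)
{
    struct sbinfo sb = { 0, NULL };
    pool_used = 0;
    if (parse_options("size=100M,mpol=interleave", &sb))
        return -1;
    if ((fixed ? remount_fixed : remount_buggy)(&sb, remount_opts))
        return -1;
    return sb.mpol->live;
}

int main(void)
{
    printf("buggy, no mpol=:  live=%d\n", policy_live_after_remount(0, "size=200M"));
    printf("fixed, no mpol=:  live=%d\n", policy_live_after_remount(1, "size=200M"));
    printf("buggy, mpol=bind: live=%d\n", policy_live_after_remount(0, "size=200M,mpol=bind"));
    printf("fixed, mpol=bind: live=%d\n", policy_live_after_remount(1, "size=200M,mpol=bind"));
    return 0;
}
```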
4540 commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
4541 Author: Brad Spengler <spender@grsecurity.net>
4542 Date: Sat Feb 23 11:08:05 2013 -0500
4544 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
4545 with a family greater or equal than AF_MAX -- the array size of
4546 sock_diag_handlers[]. The current code does not test for this
4547 condition therefore is vulnerable to an out-of-bound access opening
4548 doors for a privilege escalation.
4550 Signed-off-by: Mathias Krause <minipli@googlemail.com>
4552 The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
4553 make the code less readable. Get rid of them and make the lock usage
4554 and access to sock_diag_handlers[] clear on the first sight.
4556 Signed-off-by: Mathias Krause <minipli@googlemail.com>
4558 net/core/sock_diag.c | 27 ++++++++++-----------------
4559 1 files changed, 10 insertions(+), 17 deletions(-)
4561 commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
4562 Author: Brad Spengler <spender@grsecurity.net>
4563 Date: Sat Feb 23 10:58:52 2013 -0500
4565 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
4567 arch/arm/include/asm/domain.h | 1 +
4568 1 files changed, 1 insertions(+), 0 deletions(-)
4570 commit 7b729586eb81f344fdedf0942fab0acc738a6725
4571 Author: Brad Spengler <spender@grsecurity.net>
4572 Date: Fri Feb 22 19:02:51 2013 -0500
4574 Add back capability check for user namespaces. They have not seen enough proper review and needlessly expose additional attack surface for all users.
4576 kernel/fork.c | 17 +++++++++++++++++
4577 1 files changed, 17 insertions(+), 0 deletions(-)
4579 commit fadc560d0c486af88da83177735f5515e88acdcc
4580 Author: Brad Spengler <spender@grsecurity.net>
4581 Date: Thu Feb 21 23:06:48 2013 -0500
4583 put is_hugetlbfs_mnt inside ifdefs
4585 grsecurity/gracl.c | 2 ++
4586 1 files changed, 2 insertions(+), 0 deletions(-)
4588 commit 8252176922d405484f986eb2cc350b7cd3ae586e
4589 Author: Brad Spengler <spender@grsecurity.net>
4590 Date: Thu Feb 21 23:02:07 2013 -0500
4594 kernel/module.c | 1 -
4595 1 files changed, 0 insertions(+), 1 deletions(-)
4597 commit dad4a980f0b625059e215d13da728aa7fd02a374
4598 Author: Brad Spengler <spender@grsecurity.net>
4599 Date: Thu Feb 21 23:00:52 2013 -0500
4604 1 files changed, 1 insertions(+), 1 deletions(-)
4606 commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
4607 Author: Brad Spengler <spender@grsecurity.net>
4608 Date: Thu Feb 21 22:57:49 2013 -0500
4610 remove kmalloc_array_error for the same reasons as kcalloc_error
4612 include/linux/slab.h | 9 ---------
4613 1 files changed, 0 insertions(+), 9 deletions(-)
4615 commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
4616 Author: Brad Spengler <spender@grsecurity.net>
4617 Date: Thu Feb 21 22:49:35 2013 -0500
4619 Initial port of grsecurity for Linux 3.8
4621 Documentation/kernel-parameters.txt | 4 +
4623 arch/alpha/include/asm/cache.h | 4 +-
4624 arch/alpha/kernel/osf_sys.c | 14 +-
4625 arch/arm/include/asm/cache.h | 2 +
4626 arch/arm/include/asm/thread_info.h | 9 +-
4627 arch/arm/kernel/process.c | 4 +-
4628 arch/arm/kernel/ptrace.c | 9 +
4629 arch/arm/kernel/traps.c | 7 +-
4630 arch/arm/mm/fault.c | 27 +-
4631 arch/arm/mm/mmap.c | 6 +-
4632 arch/avr32/include/asm/cache.h | 4 +-
4633 arch/blackfin/include/asm/cache.h | 3 +-
4634 arch/cris/include/arch-v10/arch/cache.h | 3 +-
4635 arch/cris/include/arch-v32/arch/cache.h | 3 +-
4636 arch/frv/include/asm/cache.h | 3 +-
4637 arch/frv/mm/elf-fdpic.c | 7 +-
4638 arch/hexagon/include/asm/cache.h | 6 +-
4639 arch/ia64/include/asm/cache.h | 3 +-
4640 arch/ia64/kernel/sys_ia64.c | 3 +-
4641 arch/ia64/mm/hugetlbpage.c | 3 +-
4642 arch/m32r/include/asm/cache.h | 4 +-
4643 arch/m68k/include/asm/cache.h | 4 +-
4644 arch/microblaze/include/asm/cache.h | 3 +-
4645 arch/mips/include/asm/cache.h | 3 +-
4646 arch/mips/include/asm/thread_info.h | 9 +-
4647 arch/mips/kernel/ptrace.c | 9 +
4648 arch/mips/kernel/scall32-o32.S | 2 +-
4649 arch/mips/kernel/scall64-64.S | 2 +-
4650 arch/mips/kernel/scall64-n32.S | 2 +-
4651 arch/mips/kernel/scall64-o32.S | 2 +-
4652 arch/mips/mm/mmap.c | 3 +-
4653 arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
4654 arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
4655 arch/openrisc/include/asm/cache.h | 4 +-
4656 arch/parisc/include/asm/cache.h | 5 +-
4657 arch/parisc/kernel/sys_parisc.c | 19 +-
4658 arch/powerpc/include/asm/cache.h | 3 +-
4659 arch/powerpc/include/asm/thread_info.h | 8 +-
4660 arch/powerpc/kernel/process.c | 10 +-
4661 arch/powerpc/kernel/ptrace.c | 14 +
4662 arch/powerpc/kernel/traps.c | 5 +
4663 arch/powerpc/mm/slice.c | 8 +-
4664 arch/s390/include/asm/cache.h | 4 +-
4665 arch/score/include/asm/cache.h | 4 +-
4666 arch/sh/include/asm/cache.h | 3 +-
4667 arch/sh/mm/mmap.c | 6 +-
4668 arch/sparc/include/asm/cache.h | 4 +-
4669 arch/sparc/include/asm/thread_info_64.h | 9 +-
4670 arch/sparc/kernel/process_32.c | 6 +-
4671 arch/sparc/kernel/process_64.c | 8 +-
4672 arch/sparc/kernel/ptrace_64.c | 14 +
4673 arch/sparc/kernel/sys_sparc_64.c | 6 +-
4674 arch/sparc/kernel/syscalls.S | 8 +-
4675 arch/sparc/kernel/traps_32.c | 8 +-
4676 arch/sparc/kernel/traps_64.c | 28 +-
4677 arch/sparc/kernel/unaligned_64.c | 2 +-
4678 arch/sparc/mm/fault_64.c | 2 +-
4679 arch/sparc/mm/hugetlbpage.c | 3 +-
4680 arch/tile/include/asm/cache.h | 3 +-
4681 arch/um/include/asm/cache.h | 3 +-
4682 arch/unicore32/include/asm/cache.h | 6 +-
4683 arch/x86/Kconfig | 5 +-
4684 arch/x86/Kconfig.debug | 2 +-
4685 arch/x86/ia32/ia32_aout.c | 2 +
4686 arch/x86/include/asm/thread_info.h | 8 +-
4687 arch/x86/kernel/dumpstack.c | 8 +
4688 arch/x86/kernel/entry_32.S | 2 +-
4689 arch/x86/kernel/entry_64.S | 2 +-
4690 arch/x86/kernel/ioport.c | 13 +
4691 arch/x86/kernel/ptrace.c | 14 +
4692 arch/x86/kernel/smpboot.c | 3 +
4693 arch/x86/kernel/sys_i386_32.c | 14 +-
4694 arch/x86/kernel/sys_x86_64.c | 3 +-
4695 arch/x86/kernel/verify_cpu.S | 1 +
4696 arch/x86/kernel/vm86_32.c | 16 +
4697 arch/x86/mm/fault.c | 12 +-
4698 arch/x86/mm/hugetlbpage.c | 3 +-
4699 arch/x86/mm/init.c | 66 +-
4700 arch/x86/net/bpf_jit_comp.c | 126 +-
4701 arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
4702 arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
4703 arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
4704 crypto/ablkcipher.c | 12 +-
4705 crypto/aead.c | 9 +-
4706 crypto/ahash.c | 2 +-
4707 crypto/blkcipher.c | 6 +-
4708 crypto/crypto_user.c | 38 +-
4709 crypto/pcompress.c | 3 +-
4711 crypto/shash.c | 3 +-
4712 drivers/block/cciss.c | 2 +
4713 drivers/char/Kconfig | 4 +-
4714 drivers/char/genrtc.c | 1 +
4715 drivers/char/mem.c | 17 +
4716 drivers/char/random.c | 12 +
4717 drivers/gpu/drm/drm_info.c | 4 +
4718 drivers/hid/hid-wiimote-debug.c | 2 +-
4719 drivers/media/radio/radio-cadet.c | 2 +-
4720 drivers/message/fusion/mptbase.c | 5 +
4721 drivers/net/phy/mdio-bitbang.c | 1 +
4722 drivers/pci/proc.c | 9 +
4723 drivers/rtc/rtc-dev.c | 3 +
4724 drivers/tty/sysrq.c | 2 +-
4725 drivers/tty/vt/keyboard.c | 22 +-
4726 drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
4727 drivers/xen/xenfs/xenstored.c | 5 +
4729 fs/autofs4/waitq.c | 9 +
4730 fs/binfmt_aout.c | 7 +
4731 fs/binfmt_elf.c | 6 +
4732 fs/btrfs/inode.c | 10 +-
4733 fs/btrfs/ioctl.c | 6 +-
4735 fs/coredump.c | 10 +-
4736 fs/debugfs/inode.c | 4 +
4738 fs/ext2/balloc.c | 4 +-
4739 fs/ext3/balloc.c | 4 +-
4740 fs/ext4/balloc.c | 4 +-
4743 fs/filesystems.c | 5 +
4744 fs/fs_struct.c | 26 +-
4745 fs/hugetlbfs/inode.c | 5 +-
4746 fs/namei.c | 269 ++-
4747 fs/namespace.c | 24 +
4750 fs/proc/Kconfig | 10 +-
4751 fs/proc/array.c | 59 +-
4752 fs/proc/base.c | 168 +-
4753 fs/proc/cmdline.c | 4 +
4754 fs/proc/devices.c | 4 +
4755 fs/proc/fd.c | 17 +-
4756 fs/proc/inode.c | 17 +
4757 fs/proc/internal.h | 3 +
4758 fs/proc/kcore.c | 3 +
4759 fs/proc/proc_net.c | 12 +
4760 fs/proc/proc_sysctl.c | 43 +-
4761 fs/proc/root.c | 8 +
4762 fs/proc/task_mmu.c | 75 +-
4765 fs/seq_file.c | 12 +-
4767 fs/sysfs/dir.c | 12 +
4770 grsecurity/Kconfig | 1021 +++++
4771 grsecurity/Makefile | 38 +
4772 grsecurity/gracl.c | 4017 ++++++++++++++++++++
4773 grsecurity/gracl_alloc.c | 105 +
4774 grsecurity/gracl_cap.c | 110 +
4775 grsecurity/gracl_fs.c | 431 +++
4776 grsecurity/gracl_ip.c | 384 ++
4777 grsecurity/gracl_learn.c | 207 +
4778 grsecurity/gracl_res.c | 68 +
4779 grsecurity/gracl_segv.c | 299 ++
4780 grsecurity/gracl_shm.c | 40 +
4781 grsecurity/grsec_chdir.c | 19 +
4782 grsecurity/grsec_chroot.c | 357 ++
4783 grsecurity/grsec_disabled.c | 434 +++
4784 grsecurity/grsec_exec.c | 174 +
4785 grsecurity/grsec_fifo.c | 24 +
4786 grsecurity/grsec_fork.c | 23 +
4787 grsecurity/grsec_init.c | 283 ++
4788 grsecurity/grsec_link.c | 58 +
4789 grsecurity/grsec_log.c | 329 ++
4790 grsecurity/grsec_mem.c | 40 +
4791 grsecurity/grsec_mount.c | 62 +
4792 grsecurity/grsec_pax.c | 36 +
4793 grsecurity/grsec_ptrace.c | 30 +
4794 grsecurity/grsec_sig.c | 222 ++
4795 grsecurity/grsec_sock.c | 244 ++
4796 grsecurity/grsec_sysctl.c | 469 +++
4797 grsecurity/grsec_time.c | 16 +
4798 grsecurity/grsec_tpe.c | 73 +
4799 grsecurity/grsum.c | 61 +
4800 include/linux/capability.h | 5 +
4801 include/linux/cred.h | 3 +
4802 include/linux/fs.h | 10 +
4803 include/linux/fsnotify.h | 6 +
4804 include/linux/gracl.h | 319 ++
4805 include/linux/gralloc.h | 9 +
4806 include/linux/grdefs.h | 140 +
4807 include/linux/grinternal.h | 215 ++
4808 include/linux/grmsg.h | 111 +
4809 include/linux/grsecurity.h | 257 ++
4810 include/linux/grsock.h | 19 +
4811 include/linux/kallsyms.h | 14 +-
4812 include/linux/kmod.h | 2 +
4813 include/linux/netfilter/xt_gradm.h | 9 +
4814 include/linux/printk.h | 3 +-
4815 include/linux/proc_fs.h | 12 +
4816 include/linux/sched.h | 66 +-
4817 include/linux/security.h | 1 +
4818 include/linux/seq_file.h | 3 +
4819 include/linux/shm.h | 4 +
4820 include/linux/sysctl.h | 2 +
4821 include/linux/thread_info.h | 2 +
4822 include/linux/vermagic.h | 9 +-
4823 include/trace/events/fs.h | 53 +
4824 include/uapi/linux/personality.h | 1 +
4829 kernel/capability.c | 39 +-
4830 kernel/cgroup.c | 2 +-
4831 kernel/compat.c | 1 +
4832 kernel/configs.c | 11 +
4833 kernel/cred.c | 109 +-
4834 kernel/exit.c | 10 +-
4835 kernel/fork.c | 24 +-
4836 kernel/futex.c | 1 +
4837 kernel/kallsyms.c | 9 +
4839 kernel/kmod.c | 71 +-
4840 kernel/kprobes.c | 4 +-
4841 kernel/ksysfs.c | 2 +
4842 kernel/lockdep_proc.c | 10 +-
4843 kernel/module.c | 80 +-
4844 kernel/panic.c | 4 +-
4845 kernel/pid.c | 19 +-
4846 kernel/posix-timers.c | 8 +
4847 kernel/printk.c | 5 +
4848 kernel/ptrace.c | 20 +-
4849 kernel/resource.c | 10 +
4850 kernel/sched/core.c | 6 +-
4851 kernel/signal.c | 37 +-
4852 kernel/sys.c | 38 +-
4853 kernel/sysctl.c | 39 +-
4854 kernel/taskstats.c | 6 +
4856 kernel/time/timekeeping.c | 3 +
4857 kernel/time/timer_list.c | 12 +
4858 kernel/time/timer_stats.c | 10 +-
4859 lib/Kconfig.debug | 5 +-
4860 lib/is_single_threaded.c | 3 +
4861 lib/vsprintf.c | 35 +-
4862 localversion-grsec | 1 +
4865 mm/kmemleak.c | 4 +-
4866 mm/mempolicy.c | 12 +-
4871 mm/page_alloc.c | 6 +
4872 mm/process_vm_access.c | 6 +
4878 net/core/dev.c | 9 +
4879 net/core/sock_diag.c | 7 +
4880 net/ipv4/inet_hashtables.c | 5 +
4881 net/ipv4/ip_sockglue.c | 3 +-
4882 net/ipv4/tcp_input.c | 4 +-
4883 net/ipv4/tcp_ipv4.c | 24 +-
4884 net/ipv4/tcp_minisocks.c | 9 +-
4885 net/ipv4/tcp_timer.c | 11 +
4886 net/ipv4/udp.c | 24 +
4887 net/ipv6/tcp_ipv6.c | 23 +-
4888 net/ipv6/udp.c | 7 +
4889 net/netfilter/Kconfig | 10 +
4890 net/netfilter/Makefile | 1 +
4891 net/netfilter/nf_conntrack_core.c | 8 +
4892 net/netfilter/xt_gradm.c | 51 +
4893 net/netrom/af_netrom.c | 2 +-
4894 net/phonet/af_phonet.c | 4 +-
4895 net/sctp/proc.c | 3 +-
4896 net/socket.c | 62 +-
4897 net/sysctl_net.c | 2 +-
4898 net/unix/af_unix.c | 19 +
4899 security/Kconfig | 320 ++-
4900 security/apparmor/lsm.c | 2 +-
4901 security/commoncap.c | 29 +
4902 security/min_addr.c | 2 +
4903 security/security.c | 2 -
4904 security/selinux/hooks.c | 2 -
4905 security/yama/Kconfig | 2 +-
4906 tools/gcc/Makefile | 2 +-
4907 286 files changed, 15083 insertions(+), 2067 deletions(-)
4909 commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
4910 Author: Brad Spengler <spender@grsecurity.net>
4911 Date: Wed Feb 20 21:00:42 2013 -0500
4913 Initial import of pax-linux-3.8-test3.patch
4915 Documentation/dontdiff | 43 +-
4916 Documentation/kernel-parameters.txt | 7 +
4918 arch/alpha/include/asm/atomic.h | 10 +
4919 arch/alpha/include/asm/elf.h | 7 +
4920 arch/alpha/include/asm/pgalloc.h | 6 +
4921 arch/alpha/include/asm/pgtable.h | 11 +
4922 arch/alpha/kernel/module.c | 2 +-
4923 arch/alpha/kernel/osf_sys.c | 10 +-
4924 arch/alpha/mm/fault.c | 141 +-
4925 arch/arm/Kconfig | 2 +-
4926 arch/arm/include/asm/atomic.h | 421 +++-
4927 arch/arm/include/asm/cache.h | 3 +-
4928 arch/arm/include/asm/cacheflush.h | 2 +-
4929 arch/arm/include/asm/checksum.h | 14 +-
4930 arch/arm/include/asm/cmpxchg.h | 2 +
4931 arch/arm/include/asm/delay.h | 8 +-
4932 arch/arm/include/asm/domain.h | 32 +-
4933 arch/arm/include/asm/elf.h | 13 +-
4934 arch/arm/include/asm/fncpy.h | 2 +
4935 arch/arm/include/asm/futex.h | 10 +
4936 arch/arm/include/asm/kmap_types.h | 2 +-
4937 arch/arm/include/asm/mach/dma.h | 2 +-
4938 arch/arm/include/asm/mach/map.h | 7 +-
4939 arch/arm/include/asm/outercache.h | 2 +-
4940 arch/arm/include/asm/page.h | 2 +-
4941 arch/arm/include/asm/pgalloc.h | 22 +-
4942 arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
4943 arch/arm/include/asm/pgtable-2level.h | 1 +
4944 arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
4945 arch/arm/include/asm/pgtable-3level.h | 2 +
4946 arch/arm/include/asm/pgtable.h | 56 +-
4947 arch/arm/include/asm/proc-fns.h | 2 +-
4948 arch/arm/include/asm/processor.h | 5 +-
4949 arch/arm/include/asm/smp.h | 2 +-
4950 arch/arm/include/asm/thread_info.h | 6 +-
4951 arch/arm/include/asm/uaccess.h | 92 +-
4952 arch/arm/include/uapi/asm/ptrace.h | 2 +-
4953 arch/arm/kernel/armksyms.c | 4 +-
4954 arch/arm/kernel/entry-armv.S | 107 +-
4955 arch/arm/kernel/entry-common.S | 41 +-
4956 arch/arm/kernel/entry-header.S | 60 +
4957 arch/arm/kernel/fiq.c | 2 +
4958 arch/arm/kernel/head.S | 6 +-
4959 arch/arm/kernel/hw_breakpoint.c | 2 +-
4960 arch/arm/kernel/module.c | 29 +-
4961 arch/arm/kernel/perf_event_cpu.c | 2 +-
4962 arch/arm/kernel/process.c | 10 +-
4963 arch/arm/kernel/setup.c | 22 +-
4964 arch/arm/kernel/smp.c | 2 +-
4965 arch/arm/kernel/traps.c | 8 +-
4966 arch/arm/kernel/vmlinux.lds.S | 20 +-
4967 arch/arm/lib/clear_user.S | 6 +-
4968 arch/arm/lib/copy_from_user.S | 6 +-
4969 arch/arm/lib/copy_page.S | 1 +
4970 arch/arm/lib/copy_to_user.S | 6 +-
4971 arch/arm/lib/csumpartialcopyuser.S | 4 +-
4972 arch/arm/lib/delay.c | 14 +-
4973 arch/arm/lib/uaccess_with_memcpy.c | 2 +-
4974 arch/arm/mach-kirkwood/common.c | 19 +-
4975 arch/arm/mach-omap2/board-n8x0.c | 2 +-
4976 arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
4977 arch/arm/mach-omap2/omap_hwmod.c | 4 +-
4978 arch/arm/mach-ux500/include/mach/setup.h | 7 -
4979 arch/arm/mm/Kconfig | 3 +-
4980 arch/arm/mm/fault.c | 78 +
4981 arch/arm/mm/fault.h | 12 +
4982 arch/arm/mm/init.c | 41 +
4983 arch/arm/mm/ioremap.c | 4 +-
4984 arch/arm/mm/mmap.c | 36 +-
4985 arch/arm/mm/mmu.c | 186 +-
4986 arch/arm/mm/proc-v7-2level.S | 3 +
4987 arch/arm/plat-omap/sram.c | 2 +
4988 arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
4989 arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
4990 arch/arm64/kernel/debug-monitors.c | 2 +-
4991 arch/arm64/kernel/hw_breakpoint.c | 2 +-
4992 arch/avr32/include/asm/elf.h | 8 +-
4993 arch/avr32/include/asm/kmap_types.h | 4 +-
4994 arch/avr32/mm/fault.c | 27 +
4995 arch/frv/include/asm/atomic.h | 10 +
4996 arch/frv/include/asm/kmap_types.h | 2 +-
4997 arch/frv/mm/elf-fdpic.c | 7 +-
4998 arch/ia64/include/asm/atomic.h | 10 +
4999 arch/ia64/include/asm/elf.h | 7 +
5000 arch/ia64/include/asm/pgalloc.h | 12 +
5001 arch/ia64/include/asm/pgtable.h | 13 +-
5002 arch/ia64/include/asm/spinlock.h | 2 +-
5003 arch/ia64/include/asm/uaccess.h | 28 +-
5004 arch/ia64/kernel/err_inject.c | 2 +-
5005 arch/ia64/kernel/mca.c | 2 +-
5006 arch/ia64/kernel/module.c | 48 +-
5007 arch/ia64/kernel/palinfo.c | 2 +-
5008 arch/ia64/kernel/salinfo.c | 2 +-
5009 arch/ia64/kernel/sys_ia64.c | 13 +-
5010 arch/ia64/kernel/topology.c | 2 +-
5011 arch/ia64/kernel/vmlinux.lds.S | 2 +-
5012 arch/ia64/mm/fault.c | 32 +-
5013 arch/ia64/mm/hugetlbpage.c | 2 +-
5014 arch/ia64/mm/init.c | 13 +
5015 arch/m32r/lib/usercopy.c | 6 +
5016 arch/mips/include/asm/atomic.h | 14 +
5017 arch/mips/include/asm/elf.h | 11 +-
5018 arch/mips/include/asm/exec.h | 2 +-
5019 arch/mips/include/asm/page.h | 2 +-
5020 arch/mips/include/asm/pgalloc.h | 5 +
5021 arch/mips/kernel/binfmt_elfn32.c | 7 +
5022 arch/mips/kernel/binfmt_elfo32.c | 7 +
5023 arch/mips/kernel/process.c | 12 -
5024 arch/mips/mm/fault.c | 17 +
5025 arch/mips/mm/mmap.c | 51 +-
5026 arch/parisc/include/asm/atomic.h | 10 +
5027 arch/parisc/include/asm/elf.h | 7 +
5028 arch/parisc/include/asm/pgalloc.h | 6 +
5029 arch/parisc/include/asm/pgtable.h | 11 +
5030 arch/parisc/include/asm/uaccess.h | 4 +-
5031 arch/parisc/kernel/module.c | 50 +-
5032 arch/parisc/kernel/sys_parisc.c | 6 +-
5033 arch/parisc/kernel/traps.c | 4 +-
5034 arch/parisc/mm/fault.c | 140 +-
5035 arch/powerpc/include/asm/atomic.h | 10 +
5036 arch/powerpc/include/asm/elf.h | 19 +-
5037 arch/powerpc/include/asm/exec.h | 2 +-
5038 arch/powerpc/include/asm/kmap_types.h | 2 +-
5039 arch/powerpc/include/asm/mman.h | 2 +-
5040 arch/powerpc/include/asm/page.h | 8 +-
5041 arch/powerpc/include/asm/page_64.h | 7 +-
5042 arch/powerpc/include/asm/pgalloc-64.h | 7 +
5043 arch/powerpc/include/asm/pgtable.h | 1 +
5044 arch/powerpc/include/asm/pte-hash32.h | 1 +
5045 arch/powerpc/include/asm/reg.h | 1 +
5046 arch/powerpc/include/asm/uaccess.h | 142 +-
5047 arch/powerpc/kernel/exceptions-64e.S | 4 +-
5048 arch/powerpc/kernel/exceptions-64s.S | 2 +-
5049 arch/powerpc/kernel/module_32.c | 13 +-
5050 arch/powerpc/kernel/process.c | 55 -
5051 arch/powerpc/kernel/signal_32.c | 2 +-
5052 arch/powerpc/kernel/signal_64.c | 2 +-
5053 arch/powerpc/kernel/sysfs.c | 2 +-
5054 arch/powerpc/kernel/vdso.c | 5 +-
5055 arch/powerpc/lib/usercopy_64.c | 18 -
5056 arch/powerpc/mm/fault.c | 54 +-
5057 arch/powerpc/mm/mmap_64.c | 16 +
5058 arch/powerpc/mm/mmu_context_nohash.c | 2 +-
5059 arch/powerpc/mm/numa.c | 2 +-
5060 arch/powerpc/mm/slice.c | 23 +-
5061 arch/powerpc/platforms/powermac/smp.c | 2 +-
5062 arch/s390/include/asm/atomic.h | 10 +
5063 arch/s390/include/asm/elf.h | 13 +-
5064 arch/s390/include/asm/exec.h | 2 +-
5065 arch/s390/include/asm/uaccess.h | 15 +-
5066 arch/s390/kernel/module.c | 22 +-
5067 arch/s390/kernel/process.c | 36 -
5068 arch/s390/mm/mmap.c | 24 +
5069 arch/score/include/asm/exec.h | 2 +-
5070 arch/score/kernel/process.c | 5 -
5071 arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
5072 arch/sh/mm/mmap.c | 22 +-
5073 arch/sparc/include/asm/atomic_64.h | 106 +-
5074 arch/sparc/include/asm/cache.h | 2 +-
5075 arch/sparc/include/asm/elf_32.h | 7 +
5076 arch/sparc/include/asm/elf_64.h | 7 +
5077 arch/sparc/include/asm/pgalloc_32.h | 1 +
5078 arch/sparc/include/asm/pgalloc_64.h | 1 +
5079 arch/sparc/include/asm/pgtable_32.h | 15 +-
5080 arch/sparc/include/asm/pgtsrmmu.h | 5 +
5081 arch/sparc/include/asm/spinlock_64.h | 35 +-
5082 arch/sparc/include/asm/thread_info_32.h | 2 +
5083 arch/sparc/include/asm/thread_info_64.h | 2 +
5084 arch/sparc/include/asm/uaccess.h | 8 +
5085 arch/sparc/include/asm/uaccess_32.h | 27 +-
5086 arch/sparc/include/asm/uaccess_64.h | 19 +-
5087 arch/sparc/kernel/Makefile | 2 +-
5088 arch/sparc/kernel/sys_sparc_32.c | 2 +-
5089 arch/sparc/kernel/sys_sparc_64.c | 48 +-
5090 arch/sparc/kernel/sysfs.c | 2 +-
5091 arch/sparc/kernel/traps_64.c | 13 +-
5092 arch/sparc/lib/Makefile | 2 +-
5093 arch/sparc/lib/atomic_64.S | 136 +-
5094 arch/sparc/lib/ksyms.c | 6 +
5095 arch/sparc/mm/Makefile | 2 +-
5096 arch/sparc/mm/fault_32.c | 292 ++
5097 arch/sparc/mm/fault_64.c | 486 +++
5098 arch/sparc/mm/hugetlbpage.c | 21 +-
5099 arch/tile/include/asm/atomic_64.h | 10 +
5100 arch/tile/include/asm/uaccess.h | 4 +-
5101 arch/um/Makefile | 4 +
5102 arch/um/include/asm/kmap_types.h | 2 +-
5103 arch/um/include/asm/page.h | 3 +
5104 arch/um/include/asm/pgtable-3level.h | 1 +
5105 arch/um/kernel/process.c | 16 -
5106 arch/x86/Kconfig | 10 +-
5107 arch/x86/Kconfig.cpu | 6 +-
5108 arch/x86/Kconfig.debug | 6 +-
5109 arch/x86/Makefile | 10 +
5110 arch/x86/boot/Makefile | 3 +
5111 arch/x86/boot/bitops.h | 4 +-
5112 arch/x86/boot/boot.h | 4 +-
5113 arch/x86/boot/compressed/Makefile | 3 +
5114 arch/x86/boot/compressed/eboot.c | 2 -
5115 arch/x86/boot/compressed/head_32.S | 7 +-
5116 arch/x86/boot/compressed/head_64.S | 4 +-
5117 arch/x86/boot/compressed/misc.c | 4 +-
5118 arch/x86/boot/cpucheck.c | 28 +-
5119 arch/x86/boot/header.S | 6 +-
5120 arch/x86/boot/memory.c | 2 +-
5121 arch/x86/boot/video-vesa.c | 1 +
5122 arch/x86/boot/video.c | 2 +-
5123 arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
5124 arch/x86/crypto/aesni-intel_asm.S | 31 +
5125 arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
5126 arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
5127 arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
5128 arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
5129 arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
5130 arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
5131 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
5132 arch/x86/crypto/sha1_ssse3_asm.S | 3 +
5133 arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
5134 arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
5135 arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
5136 arch/x86/ia32/ia32_signal.c | 14 +-
5137 arch/x86/ia32/ia32entry.S | 141 +-
5138 arch/x86/ia32/sys_ia32.c | 12 +-
5139 arch/x86/include/asm/alternative-asm.h | 39 +
5140 arch/x86/include/asm/alternative.h | 4 +-
5141 arch/x86/include/asm/apic.h | 2 +-
5142 arch/x86/include/asm/apm.h | 4 +-
5143 arch/x86/include/asm/atomic.h | 307 ++-
5144 arch/x86/include/asm/atomic64_32.h | 100 +
5145 arch/x86/include/asm/atomic64_64.h | 202 ++-
5146 arch/x86/include/asm/bitops.h | 2 +-
5147 arch/x86/include/asm/boot.h | 7 +-
5148 arch/x86/include/asm/cache.h | 5 +-
5149 arch/x86/include/asm/cacheflush.h | 2 +-
5150 arch/x86/include/asm/checksum_32.h | 12 +-
5151 arch/x86/include/asm/cmpxchg.h | 35 +
5152 arch/x86/include/asm/cpufeature.h | 4 +-
5153 arch/x86/include/asm/desc.h | 65 +-
5154 arch/x86/include/asm/desc_defs.h | 6 +
5155 arch/x86/include/asm/elf.h | 31 +-
5156 arch/x86/include/asm/emergency-restart.h | 2 +-
5157 arch/x86/include/asm/fpu-internal.h | 6 +-
5158 arch/x86/include/asm/futex.h | 16 +-
5159 arch/x86/include/asm/hw_irq.h | 4 +-
5160 arch/x86/include/asm/io.h | 13 +-
5161 arch/x86/include/asm/irqflags.h | 5 +
5162 arch/x86/include/asm/kprobes.h | 9 +-
5163 arch/x86/include/asm/local.h | 142 +-
5164 arch/x86/include/asm/mman.h | 15 +
5165 arch/x86/include/asm/mmu.h | 16 +-
5166 arch/x86/include/asm/mmu_context.h | 76 +-
5167 arch/x86/include/asm/module.h | 17 +-
5168 arch/x86/include/asm/page_64_types.h | 2 +-
5169 arch/x86/include/asm/paravirt.h | 44 +-
5170 arch/x86/include/asm/paravirt_types.h | 17 +-
5171 arch/x86/include/asm/pgalloc.h | 23 +
5172 arch/x86/include/asm/pgtable-2level.h | 2 +
5173 arch/x86/include/asm/pgtable-3level.h | 4 +
5174 arch/x86/include/asm/pgtable.h | 110 +-
5175 arch/x86/include/asm/pgtable_32.h | 14 +-
5176 arch/x86/include/asm/pgtable_32_types.h | 15 +-
5177 arch/x86/include/asm/pgtable_64.h | 19 +-
5178 arch/x86/include/asm/pgtable_64_types.h | 5 +
5179 arch/x86/include/asm/pgtable_types.h | 36 +-
5180 arch/x86/include/asm/processor.h | 39 +-
5181 arch/x86/include/asm/ptrace.h | 26 +-
5182 arch/x86/include/asm/realmode.h | 4 +-
5183 arch/x86/include/asm/reboot.h | 10 +-
5184 arch/x86/include/asm/rwsem.h | 60 +-
5185 arch/x86/include/asm/segment.h | 24 +-
5186 arch/x86/include/asm/smp.h | 14 +-
5187 arch/x86/include/asm/spinlock.h | 36 +-
5188 arch/x86/include/asm/stackprotector.h | 4 +-
5189 arch/x86/include/asm/stacktrace.h | 32 +-
5190 arch/x86/include/asm/switch_to.h | 4 +-
5191 arch/x86/include/asm/thread_info.h | 83 +-
5192 arch/x86/include/asm/uaccess.h | 96 +-
5193 arch/x86/include/asm/uaccess_32.h | 106 +-
5194 arch/x86/include/asm/uaccess_64.h | 232 +-
5195 arch/x86/include/asm/word-at-a-time.h | 2 +-
5196 arch/x86/include/asm/x86_init.h | 10 +-
5197 arch/x86/include/asm/xsave.h | 10 +-
5198 arch/x86/include/uapi/asm/e820.h | 2 +-
5199 arch/x86/kernel/Makefile | 2 +-
5200 arch/x86/kernel/acpi/sleep.c | 4 +
5201 arch/x86/kernel/acpi/wakeup_32.S | 6 +-
5202 arch/x86/kernel/alternative.c | 65 +-
5203 arch/x86/kernel/apic/apic.c | 6 +-
5204 arch/x86/kernel/apic/apic_flat_64.c | 4 +-
5205 arch/x86/kernel/apic/bigsmp_32.c | 2 +-
5206 arch/x86/kernel/apic/es7000_32.c | 5 +-
5207 arch/x86/kernel/apic/io_apic.c | 8 +-
5208 arch/x86/kernel/apic/numaq_32.c | 3 +-
5209 arch/x86/kernel/apic/probe_32.c | 2 +-
5210 arch/x86/kernel/apic/summit_32.c | 2 +-
5211 arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
5212 arch/x86/kernel/apic/x2apic_phys.c | 2 +-
5213 arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
5214 arch/x86/kernel/apm_32.c | 19 +-
5215 arch/x86/kernel/asm-offsets.c | 20 +
5216 arch/x86/kernel/asm-offsets_64.c | 1 +
5217 arch/x86/kernel/cpu/Makefile | 4 -
5218 arch/x86/kernel/cpu/amd.c | 2 +-
5219 arch/x86/kernel/cpu/common.c | 75 +-
5220 arch/x86/kernel/cpu/intel.c | 2 +-
5221 arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
5222 arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
5223 arch/x86/kernel/cpu/mcheck/p5.c | 3 +
5224 arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
5225 arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
5226 arch/x86/kernel/cpu/mtrr/main.c | 2 +-
5227 arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
5228 arch/x86/kernel/cpu/perf_event.c | 4 +-
5229 arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
5230 arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
5231 arch/x86/kernel/cpuid.c | 2 +-
5232 arch/x86/kernel/crash.c | 4 +-
5233 arch/x86/kernel/doublefault_32.c | 8 +-
5234 arch/x86/kernel/dumpstack.c | 30 +-
5235 arch/x86/kernel/dumpstack_32.c | 34 +-
5236 arch/x86/kernel/dumpstack_64.c | 63 +-
5237 arch/x86/kernel/early_printk.c | 1 +
5238 arch/x86/kernel/entry_32.S | 354 ++-
5239 arch/x86/kernel/entry_64.S | 512 +++-
5240 arch/x86/kernel/ftrace.c | 14 +-
5241 arch/x86/kernel/head32.c | 4 +-
5242 arch/x86/kernel/head_32.S | 237 ++-
5243 arch/x86/kernel/head_64.S | 158 +-
5244 arch/x86/kernel/i386_ksyms_32.c | 8 +
5245 arch/x86/kernel/i387.c | 2 +-
5246 arch/x86/kernel/i8259.c | 2 +-
5247 arch/x86/kernel/ioport.c | 2 +-
5248 arch/x86/kernel/irq.c | 10 +-
5249 arch/x86/kernel/irq_32.c | 69 +-
5250 arch/x86/kernel/irq_64.c | 2 +-
5251 arch/x86/kernel/kdebugfs.c | 2 +-
5252 arch/x86/kernel/kgdb.c | 25 +-
5253 arch/x86/kernel/kprobes-opt.c | 12 +-
5254 arch/x86/kernel/kprobes.c | 30 +-
5255 arch/x86/kernel/kvm.c | 2 +-
5256 arch/x86/kernel/ldt.c | 31 +-
5257 arch/x86/kernel/machine_kexec_32.c | 6 +-
5258 arch/x86/kernel/microcode_core.c | 2 +-
5259 arch/x86/kernel/microcode_intel.c | 4 +-
5260 arch/x86/kernel/module.c | 76 +-
5261 arch/x86/kernel/msr.c | 2 +-
5262 arch/x86/kernel/nmi.c | 11 +
5263 arch/x86/kernel/paravirt-spinlocks.c | 2 +-
5264 arch/x86/kernel/paravirt.c | 43 +-
5265 arch/x86/kernel/pci-iommu_table.c | 2 +-
5266 arch/x86/kernel/process.c | 57 +-
5267 arch/x86/kernel/process_32.c | 29 +-
5268 arch/x86/kernel/process_64.c | 15 +-
5269 arch/x86/kernel/ptrace.c | 25 +-
5270 arch/x86/kernel/pvclock.c | 8 +-
5271 arch/x86/kernel/reboot.c | 44 +-
5272 arch/x86/kernel/relocate_kernel_64.S | 4 +-
5273 arch/x86/kernel/setup.c | 14 +-
5274 arch/x86/kernel/setup_percpu.c | 27 +-
5275 arch/x86/kernel/signal.c | 15 +-
5276 arch/x86/kernel/smp.c | 2 +-
5277 arch/x86/kernel/smpboot.c | 15 +-
5278 arch/x86/kernel/step.c | 10 +-
5279 arch/x86/kernel/sys_i386_32.c | 247 ++
5280 arch/x86/kernel/sys_x86_64.c | 19 +-
5281 arch/x86/kernel/tboot.c | 14 +-
5282 arch/x86/kernel/time.c | 10 +-
5283 arch/x86/kernel/tls.c | 7 +-
5284 arch/x86/kernel/traps.c | 64 +-
5285 arch/x86/kernel/uprobes.c | 2 +-
5286 arch/x86/kernel/vm86_32.c | 6 +-
5287 arch/x86/kernel/vmlinux.lds.S | 148 +-
5288 arch/x86/kernel/vsyscall_64.c | 12 +-
5289 arch/x86/kernel/x8664_ksyms_64.c | 2 -
5290 arch/x86/kernel/x86_init.c | 8 +-
5291 arch/x86/kernel/xsave.c | 2 +
5292 arch/x86/kvm/cpuid.c | 21 +-
5293 arch/x86/kvm/emulate.c | 4 +-
5294 arch/x86/kvm/lapic.c | 2 +-
5295 arch/x86/kvm/paging_tmpl.h | 2 +-
5296 arch/x86/kvm/svm.c | 8 +
5297 arch/x86/kvm/vmx.c | 47 +-
5298 arch/x86/kvm/x86.c | 10 +-
5299 arch/x86/lguest/boot.c | 3 +-
5300 arch/x86/lib/atomic64_386_32.S | 164 +
5301 arch/x86/lib/atomic64_cx8_32.S | 103 +-
5302 arch/x86/lib/checksum_32.S | 100 +-
5303 arch/x86/lib/clear_page_64.S | 5 +-
5304 arch/x86/lib/cmpxchg16b_emu.S | 2 +
5305 arch/x86/lib/copy_page_64.S | 24 +-
5306 arch/x86/lib/copy_user_64.S | 47 +-
5307 arch/x86/lib/copy_user_nocache_64.S | 20 +-
5308 arch/x86/lib/csum-copy_64.S | 2 +
5309 arch/x86/lib/csum-wrappers_64.c | 4 +-
5310 arch/x86/lib/getuser.S | 68 +-
5311 arch/x86/lib/insn.c | 6 +-
5312 arch/x86/lib/iomap_copy_64.S | 2 +
5313 arch/x86/lib/memcpy_64.S | 18 +-
5314 arch/x86/lib/memmove_64.S | 34 +-
5315 arch/x86/lib/memset_64.S | 7 +-
5316 arch/x86/lib/mmx_32.c | 243 +-
5317 arch/x86/lib/msr-reg.S | 18 +-
5318 arch/x86/lib/putuser.S | 90 +-
5319 arch/x86/lib/rwlock.S | 42 +
5320 arch/x86/lib/rwsem.S | 6 +-
5321 arch/x86/lib/thunk_64.S | 2 +
5322 arch/x86/lib/usercopy_32.c | 376 ++-
5323 arch/x86/lib/usercopy_64.c | 25 +-
5324 arch/x86/mm/extable.c | 25 +-
5325 arch/x86/mm/fault.c | 555 +++-
5326 arch/x86/mm/gup.c | 2 +-
5327 arch/x86/mm/highmem_32.c | 4 +
5328 arch/x86/mm/hugetlbpage.c | 30 +-
5329 arch/x86/mm/init.c | 92 +-
5330 arch/x86/mm/init_32.c | 122 +-
5331 arch/x86/mm/init_64.c | 48 +-
5332 arch/x86/mm/iomap_32.c | 4 +
5333 arch/x86/mm/ioremap.c | 12 +-
5334 arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
5335 arch/x86/mm/mmap.c | 41 +-
5336 arch/x86/mm/mmio-mod.c | 10 +-
5337 arch/x86/mm/pageattr-test.c | 2 +-
5338 arch/x86/mm/pageattr.c | 33 +-
5339 arch/x86/mm/pat.c | 12 +-
5340 arch/x86/mm/pf_in.c | 10 +-
5341 arch/x86/mm/pgtable.c | 137 +-
5342 arch/x86/mm/pgtable_32.c | 3 +
5343 arch/x86/mm/setup_nx.c | 7 +
5344 arch/x86/mm/tlb.c | 4 +
5345 arch/x86/net/bpf_jit.S | 14 +
5346 arch/x86/net/bpf_jit_comp.c | 37 +-
5347 arch/x86/oprofile/backtrace.c | 8 +-
5348 arch/x86/pci/amd_bus.c | 2 +-
5349 arch/x86/pci/mrst.c | 4 +-
5350 arch/x86/pci/pcbios.c | 144 +-
5351 arch/x86/platform/efi/efi_32.c | 19 +
5352 arch/x86/platform/efi/efi_stub_32.S | 64 +-
5353 arch/x86/platform/efi/efi_stub_64.S | 8 +
5354 arch/x86/platform/mrst/mrst.c | 6 +-
5355 arch/x86/platform/olpc/olpc_dt.c | 2 +-
5356 arch/x86/power/cpu.c | 4 +-
5357 arch/x86/realmode/init.c | 8 +-
5358 arch/x86/realmode/rm/Makefile | 3 +
5359 arch/x86/realmode/rm/header.S | 4 +-
5360 arch/x86/realmode/rm/trampoline_32.S | 12 +-
5361 arch/x86/realmode/rm/trampoline_64.S | 2 +-
5362 arch/x86/tools/relocs.c | 95 +-
5363 arch/x86/vdso/Makefile | 2 +-
5364 arch/x86/vdso/vdso32-setup.c | 23 +-
5365 arch/x86/vdso/vma.c | 29 +-
5366 arch/x86/xen/enlighten.c | 47 +-
5367 arch/x86/xen/mmu.c | 9 +
5368 arch/x86/xen/smp.c | 18 +-
5369 arch/x86/xen/xen-asm_32.S | 12 +-
5370 arch/x86/xen/xen-head.S | 11 +
5371 arch/x86/xen/xen-ops.h | 2 -
5372 block/blk-iopoll.c | 4 +-
5373 block/blk-map.c | 2 +-
5374 block/blk-softirq.c | 4 +-
5376 block/compat_ioctl.c | 2 +-
5377 block/partitions/efi.c | 8 +-
5378 block/scsi_ioctl.c | 27 +-
5379 crypto/cryptd.c | 4 +-
5380 drivers/acpi/apei/cper.c | 8 +-
5381 drivers/acpi/ec_sys.c | 12 +-
5382 drivers/acpi/processor_driver.c | 2 +-
5383 drivers/ata/libata-core.c | 8 +-
5384 drivers/ata/pata_arasan_cf.c | 4 +-
5385 drivers/atm/adummy.c | 2 +-
5386 drivers/atm/ambassador.c | 8 +-
5387 drivers/atm/atmtcp.c | 14 +-
5388 drivers/atm/eni.c | 10 +-
5389 drivers/atm/firestream.c | 8 +-
5390 drivers/atm/fore200e.c | 14 +-
5391 drivers/atm/he.c | 18 +-
5392 drivers/atm/horizon.c | 4 +-
5393 drivers/atm/idt77252.c | 36 +-
5394 drivers/atm/iphase.c | 34 +-
5395 drivers/atm/lanai.c | 12 +-
5396 drivers/atm/nicstar.c | 46 +-
5397 drivers/atm/solos-pci.c | 4 +-
5398 drivers/atm/suni.c | 4 +-
5399 drivers/atm/uPD98402.c | 16 +-
5400 drivers/atm/zatm.c | 6 +-
5401 drivers/base/devtmpfs.c | 2 +-
5402 drivers/base/power/wakeup.c | 8 +-
5403 drivers/block/cciss.c | 28 +-
5404 drivers/block/cciss.h | 2 +-
5405 drivers/block/cpqarray.c | 28 +-
5406 drivers/block/cpqarray.h | 2 +-
5407 drivers/block/drbd/drbd_int.h | 6 +-
5408 drivers/block/drbd/drbd_main.c | 8 +-
5409 drivers/block/drbd/drbd_receiver.c | 18 +-
5410 drivers/block/loop.c | 2 +-
5411 drivers/cdrom/cdrom.c | 9 +-
5412 drivers/cdrom/gdrom.c | 1 -
5413 drivers/char/agp/frontend.c | 2 +-
5414 drivers/char/hpet.c | 2 +-
5415 drivers/char/ipmi/ipmi_msghandler.c | 8 +-
5416 drivers/char/ipmi/ipmi_si_intf.c | 8 +-
5417 drivers/char/mem.c | 41 +-
5418 drivers/char/nvram.c | 2 +-
5419 drivers/char/pcmcia/synclink_cs.c | 18 +-
5420 drivers/char/random.c | 8 +-
5421 drivers/char/sonypi.c | 9 +-
5422 drivers/char/tpm/tpm.c | 2 +-
5423 drivers/char/tpm/tpm_acpi.c | 3 +-
5424 drivers/char/tpm/tpm_eventlog.c | 7 +-
5425 drivers/char/virtio_console.c | 4 +-
5426 drivers/clocksource/arm_generic.c | 2 +-
5427 drivers/cpufreq/cpufreq.c | 2 +-
5428 drivers/cpufreq/cpufreq_stats.c | 2 +-
5429 drivers/dma/sh/shdma.c | 2 +-
5430 drivers/edac/edac_pci_sysfs.c | 20 +-
5431 drivers/edac/mce_amd.h | 2 +-
5432 drivers/firewire/core-card.c | 2 +-
5433 drivers/firewire/core-cdev.c | 3 +-
5434 drivers/firewire/core-transaction.c | 1 +
5435 drivers/firewire/core.h | 1 +
5436 drivers/firmware/dmi_scan.c | 7 +-
5437 drivers/firmware/efivars.c | 2 +-
5438 drivers/gpio/gpio-vr41xx.c | 2 +-
5439 drivers/gpu/drm/drm_crtc_helper.c | 2 +-
5440 drivers/gpu/drm/drm_drv.c | 4 +-
5441 drivers/gpu/drm/drm_fops.c | 18 +-
5442 drivers/gpu/drm/drm_global.c | 14 +-
5443 drivers/gpu/drm/drm_info.c | 14 +-
5444 drivers/gpu/drm/drm_ioc32.c | 4 +-
5445 drivers/gpu/drm/drm_ioctl.c | 2 +-
5446 drivers/gpu/drm/drm_lock.c | 4 +-
5447 drivers/gpu/drm/drm_stub.c | 2 +-
5448 drivers/gpu/drm/i810/i810_dma.c | 8 +-
5449 drivers/gpu/drm/i810/i810_drv.h | 4 +-
5450 drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
5451 drivers/gpu/drm/i915/i915_dma.c | 2 +-
5452 drivers/gpu/drm/i915/i915_drv.h | 6 +-
5453 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
5454 drivers/gpu/drm/i915/i915_irq.c | 22 +-
5455 drivers/gpu/drm/i915/intel_display.c | 9 +-
5456 drivers/gpu/drm/mga/mga_drv.h | 4 +-
5457 drivers/gpu/drm/mga/mga_irq.c | 8 +-
5458 drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
5459 drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
5460 drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
5461 drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
5462 drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
5463 drivers/gpu/drm/r128/r128_cce.c | 2 +-
5464 drivers/gpu/drm/r128/r128_drv.h | 4 +-
5465 drivers/gpu/drm/r128/r128_irq.c | 4 +-
5466 drivers/gpu/drm/r128/r128_state.c | 4 +-
5467 drivers/gpu/drm/radeon/mkregtable.c | 4 +-
5468 drivers/gpu/drm/radeon/radeon_device.c | 2 +-
5469 drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
5470 drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
5471 drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
5472 drivers/gpu/drm/radeon/radeon_state.c | 4 +-
5473 drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
5474 drivers/gpu/drm/radeon/rs690.c | 4 +-
5475 drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
5476 drivers/gpu/drm/via/via_drv.h | 4 +-
5477 drivers/gpu/drm/via/via_irq.c | 18 +-
5478 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
5479 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
5480 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
5481 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
5482 drivers/hid/hid-core.c | 4 +-
5483 drivers/hv/channel.c | 4 +-
5484 drivers/hv/hv.c | 2 +-
5485 drivers/hv/hyperv_vmbus.h | 2 +-
5486 drivers/hv/vmbus_drv.c | 4 +-
5487 drivers/hwmon/coretemp.c | 2 +-
5488 drivers/hwmon/sht15.c | 12 +-
5489 drivers/hwmon/via-cputemp.c | 2 +-
5490 drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
5491 drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
5492 drivers/ide/ide-cd.c | 2 +-
5493 drivers/infiniband/core/cm.c | 32 +-
5494 drivers/infiniband/core/fmr_pool.c | 20 +-
5495 drivers/infiniband/hw/cxgb4/mem.c | 4 +-
5496 drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
5497 drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
5498 drivers/infiniband/hw/nes/nes.c | 4 +-
5499 drivers/infiniband/hw/nes/nes.h | 40 +-
5500 drivers/infiniband/hw/nes/nes_cm.c | 62 +-
5501 drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
5502 drivers/infiniband/hw/nes/nes_nic.c | 40 +-
5503 drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
5504 drivers/infiniband/hw/qib/qib.h | 1 +
5505 drivers/input/gameport/gameport.c | 4 +-
5506 drivers/input/input.c | 4 +-
5507 drivers/input/joystick/sidewinder.c | 1 +
5508 drivers/input/joystick/xpad.c | 4 +-
5509 drivers/input/mousedev.c | 2 +-
5510 drivers/input/serio/serio.c | 4 +-
5511 drivers/isdn/capi/capi.c | 10 +-
5512 drivers/isdn/gigaset/interface.c | 8 +-
5513 drivers/isdn/hardware/avm/b1.c | 4 +-
5514 drivers/isdn/i4l/isdn_tty.c | 22 +-
5515 drivers/isdn/icn/icn.c | 2 +-
5516 drivers/lguest/core.c | 10 +-
5517 drivers/lguest/x86/core.c | 12 +-
5518 drivers/lguest/x86/switcher_32.S | 27 +-
5519 drivers/md/bitmap.c | 2 +-
5520 drivers/md/dm-ioctl.c | 2 +-
5521 drivers/md/dm-raid1.c | 16 +-
5522 drivers/md/dm-stripe.c | 10 +-
5523 drivers/md/dm-table.c | 2 +-
5524 drivers/md/dm-thin-metadata.c | 4 +-
5525 drivers/md/dm.c | 16 +-
5526 drivers/md/md.c | 26 +-
5527 drivers/md/md.h | 6 +-
5528 drivers/md/persistent-data/dm-space-map.h | 1 +
5529 drivers/md/raid1.c | 4 +-
5530 drivers/md/raid10.c | 16 +-
5531 drivers/md/raid5.c | 10 +-
5532 drivers/media/dvb-core/dvbdev.c | 2 +-
5533 drivers/media/dvb-frontends/dib3000.h | 2 +-
5534 drivers/media/platform/omap/omap_vout.c | 11 +-
5535 drivers/media/platform/s5p-tv/mixer.h | 2 +-
5536 drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
5537 drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
5538 drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
5539 drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
5540 drivers/media/radio/radio-cadet.c | 2 +
5541 drivers/media/usb/dvb-usb/cxusb.c | 2 +-
5542 drivers/media/usb/dvb-usb/dw2102.c | 2 +-
5543 drivers/message/fusion/mptsas.c | 34 +-
5544 drivers/message/fusion/mptscsih.c | 19 +-
5545 drivers/message/i2o/i2o_proc.c | 51 +-
5546 drivers/message/i2o/iop.c | 8 +-
5547 drivers/mfd/janz-cmodio.c | 1 +
5548 drivers/misc/kgdbts.c | 4 +-
5549 drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
5550 drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
5551 drivers/misc/sgi-gru/gruhandles.c | 4 +-
5552 drivers/misc/sgi-gru/gruprocfs.c | 8 +-
5553 drivers/misc/sgi-gru/grutables.h | 154 +-
5554 drivers/misc/sgi-xp/xp.h | 2 +-
5555 drivers/misc/sgi-xp/xpc.h | 3 +-
5556 drivers/misc/sgi-xp/xpc_main.c | 4 +-
5557 drivers/mmc/core/mmc_ops.c | 2 +-
5558 drivers/mmc/host/dw_mmc.h | 2 +-
5559 drivers/mmc/host/sdhci-s3c.c | 8 +-
5560 drivers/mtd/devices/doc2000.c | 2 +-
5561 drivers/mtd/nand/denali.c | 1 +
5562 drivers/mtd/nftlmount.c | 1 +
5563 drivers/net/ethernet/8390/ax88796.c | 4 +-
5564 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
5565 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
5566 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
5567 drivers/net/ethernet/broadcom/tg3.h | 1 +
5568 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
5569 drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
5570 drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
5571 drivers/net/ethernet/faraday/ftgmac100.c | 2 +
5572 drivers/net/ethernet/faraday/ftmac100.c | 2 +
5573 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
5574 drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
5575 drivers/net/ethernet/realtek/r8169.c | 8 +-
5576 drivers/net/ethernet/sfc/ptp.c | 2 +-
5577 drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
5578 drivers/net/hyperv/hyperv_net.h | 2 +-
5579 drivers/net/hyperv/rndis_filter.c | 4 +-
5580 drivers/net/ieee802154/fakehard.c | 2 +-
5581 drivers/net/macvlan.c | 2 +-
5582 drivers/net/macvtap.c | 2 +-
5583 drivers/net/ppp/ppp_generic.c | 4 +-
5584 drivers/net/team/team.c | 2 +-
5585 drivers/net/tun.c | 5 +-
5586 drivers/net/usb/hso.c | 23 +-
5587 drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
5588 drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
5589 drivers/net/wireless/ath/ath9k/hw.h | 4 +-
5590 drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
5591 drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
5592 drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
5593 drivers/net/wireless/mac80211_hwsim.c | 32 +-
5594 drivers/net/wireless/rndis_wlan.c | 2 +-
5595 drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
5596 drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
5597 drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
5598 drivers/net/wireless/ti/wl12xx/main.c | 8 +-
5599 drivers/net/wireless/ti/wl18xx/main.c | 6 +-
5600 drivers/oprofile/buffer_sync.c | 8 +-
5601 drivers/oprofile/event_buffer.c | 2 +-
5602 drivers/oprofile/oprof.c | 2 +-
5603 drivers/oprofile/oprofile_stats.c | 10 +-
5604 drivers/oprofile/oprofile_stats.h | 10 +-
5605 drivers/oprofile/oprofilefs.c | 2 +-
5606 drivers/oprofile/timer_int.c | 2 +-
5607 drivers/parport/procfs.c | 4 +-
5608 drivers/pci/hotplug/cpcihp_generic.c | 6 +-
5609 drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
5610 drivers/pci/hotplug/cpqphp_nvram.c | 4 +
5611 drivers/pci/pcie/aspm.c | 6 +-
5612 drivers/pci/probe.c | 2 +-
5613 drivers/platform/x86/thinkpad_acpi.c | 70 +-
5614 drivers/pnp/pnpbios/bioscalls.c | 14 +-
5615 drivers/pnp/resource.c | 4 +-
5616 drivers/power/pda_power.c | 7 +-
5617 drivers/regulator/max8660.c | 6 +-
5618 drivers/regulator/max8973-regulator.c | 8 +-
5619 drivers/regulator/mc13892-regulator.c | 6 +-
5620 drivers/scsi/bfa/bfa.h | 2 +-
5621 drivers/scsi/bfa/bfa_fcpim.h | 2 +-
5622 drivers/scsi/bfa/bfa_ioc.h | 4 +-
5623 drivers/scsi/hosts.c | 4 +-
5624 drivers/scsi/hpsa.c | 30 +-
5625 drivers/scsi/hpsa.h | 2 +-
5626 drivers/scsi/libfc/fc_exch.c | 50 +-
5627 drivers/scsi/libsas/sas_ata.c | 2 +-
5628 drivers/scsi/lpfc/lpfc.h | 8 +-
5629 drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
5630 drivers/scsi/lpfc/lpfc_init.c | 6 +-
5631 drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
5632 drivers/scsi/pmcraid.c | 20 +-
5633 drivers/scsi/pmcraid.h | 8 +-
5634 drivers/scsi/qla2xxx/qla_attr.c | 4 +-
5635 drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
5636 drivers/scsi/qla2xxx/qla_os.c | 6 +-
5637 drivers/scsi/qla4xxx/ql4_def.h | 2 +-
5638 drivers/scsi/qla4xxx/ql4_os.c | 6 +-
5639 drivers/scsi/scsi.c | 2 +-
5640 drivers/scsi/scsi_lib.c | 6 +-
5641 drivers/scsi/scsi_sysfs.c | 2 +-
5642 drivers/scsi/scsi_tgt_lib.c | 2 +-
5643 drivers/scsi/scsi_transport_fc.c | 8 +-
5644 drivers/scsi/scsi_transport_iscsi.c | 6 +-
5645 drivers/scsi/scsi_transport_srp.c | 6 +-
5646 drivers/scsi/sd.c | 2 +-
5647 drivers/scsi/sg.c | 2 +-
5648 drivers/spi/spi.c | 2 +-
5649 drivers/staging/octeon/ethernet-rx.c | 12 +-
5650 drivers/staging/octeon/ethernet.c | 8 +-
5651 drivers/staging/ramster/tmem.c | 54 +-
5652 drivers/staging/rtl8712/rtl871x_io.h | 2 +-
5653 drivers/staging/sbe-2t3e3/netdev.c | 2 +-
5654 drivers/staging/usbip/vhci.h | 2 +-
5655 drivers/staging/usbip/vhci_hcd.c | 6 +-
5656 drivers/staging/usbip/vhci_rx.c | 2 +-
5657 drivers/staging/vt6655/hostap.c | 7 +-
5658 drivers/staging/vt6656/hostap.c | 7 +-
5659 drivers/staging/zcache/tmem.c | 4 +-
5660 drivers/staging/zcache/tmem.h | 2 +
5661 drivers/target/target_core_device.c | 2 +-
5662 drivers/target/target_core_transport.c | 2 +-
5663 drivers/tty/cyclades.c | 6 +-
5664 drivers/tty/hvc/hvc_console.c | 14 +-
5665 drivers/tty/hvc/hvcs.c | 21 +-
5666 drivers/tty/ipwireless/tty.c | 27 +-
5667 drivers/tty/moxa.c | 2 +-
5668 drivers/tty/n_gsm.c | 4 +-
5669 drivers/tty/n_tty.c | 3 +-
5670 drivers/tty/pty.c | 4 +-
5671 drivers/tty/rocket.c | 6 +-
5672 drivers/tty/serial/kgdboc.c | 32 +-
5673 drivers/tty/serial/samsung.c | 9 +-
5674 drivers/tty/serial/serial_core.c | 8 +-
5675 drivers/tty/synclink.c | 34 +-
5676 drivers/tty/synclink_gt.c | 28 +-
5677 drivers/tty/synclinkmp.c | 34 +-
5678 drivers/tty/tty_io.c | 2 +-
5679 drivers/tty/tty_ldisc.c | 10 +-
5680 drivers/tty/tty_port.c | 22 +-
5681 drivers/uio/uio.c | 21 +-
5682 drivers/usb/atm/cxacru.c | 2 +-
5683 drivers/usb/atm/usbatm.c | 24 +-
5684 drivers/usb/core/devices.c | 6 +-
5685 drivers/usb/core/hcd.c | 4 +-
5686 drivers/usb/core/sysfs.c | 2 +-
5687 drivers/usb/core/usb.c | 2 +-
5688 drivers/usb/early/ehci-dbgp.c | 16 +-
5689 drivers/usb/gadget/u_serial.c | 22 +-
5690 drivers/usb/serial/console.c | 6 +-
5691 drivers/usb/wusbcore/wa-hc.h | 4 +-
5692 drivers/usb/wusbcore/wa-xfer.c | 2 +-
5693 drivers/video/aty/aty128fb.c | 2 +-
5694 drivers/video/fbcmap.c | 3 +-
5695 drivers/video/fbmem.c | 6 +-
5696 drivers/video/i810/i810_accel.c | 1 +
5697 drivers/video/udlfb.c | 32 +-
5698 drivers/video/uvesafb.c | 39 +-
5699 drivers/video/vesafb.c | 51 +-
5700 drivers/video/via/via_clock.h | 2 +-
5701 fs/9p/vfs_inode.c | 2 +-
5702 fs/Kconfig.binfmt | 2 +-
5704 fs/autofs4/waitq.c | 2 +-
5705 fs/befs/linuxvfs.c | 2 +-
5706 fs/binfmt_aout.c | 23 +-
5707 fs/binfmt_elf.c | 604 ++++-
5708 fs/binfmt_flat.c | 6 +
5710 fs/block_dev.c | 2 +-
5711 fs/btrfs/ctree.c | 9 +-
5712 fs/btrfs/relocation.c | 2 +-
5713 fs/btrfs/super.c | 2 +-
5714 fs/cachefiles/bind.c | 6 +-
5715 fs/cachefiles/daemon.c | 8 +-
5716 fs/cachefiles/internal.h | 12 +-
5717 fs/cachefiles/namei.c | 2 +-
5718 fs/cachefiles/proc.c | 12 +-
5719 fs/cachefiles/rdwr.c | 2 +-
5720 fs/ceph/dir.c | 2 +-
5721 fs/cifs/cifs_debug.c | 12 +-
5722 fs/cifs/cifsfs.c | 8 +-
5723 fs/cifs/cifsglob.h | 54 +-
5724 fs/cifs/link.c | 2 +-
5725 fs/cifs/misc.c | 4 +-
5726 fs/cifs/smb1ops.c | 80 +-
5727 fs/cifs/smb2ops.c | 84 +-
5728 fs/cifs/smb2pdu.c | 3 +-
5729 fs/coda/cache.c | 10 +-
5731 fs/compat_binfmt_elf.c | 2 +
5732 fs/compat_ioctl.c | 8 +-
5733 fs/configfs/dir.c | 10 +-
5734 fs/coredump.c | 24 +-
5736 fs/ecryptfs/inode.c | 4 +-
5737 fs/ecryptfs/miscdev.c | 2 +-
5738 fs/ecryptfs/read_write.c | 4 +-
5740 fs/ext4/ext4.h | 20 +-
5741 fs/ext4/mballoc.c | 44 +-
5744 fs/fs_struct.c | 8 +-
5745 fs/fscache/cookie.c | 36 +-
5746 fs/fscache/internal.h | 196 +-
5747 fs/fscache/object.c | 28 +-
5748 fs/fscache/operation.c | 30 +-
5749 fs/fscache/page.c | 110 +-
5750 fs/fscache/stats.c | 344 +-
5751 fs/fuse/cuse.c | 10 +-
5752 fs/fuse/dev.c | 2 +-
5753 fs/fuse/dir.c | 2 +-
5754 fs/gfs2/inode.c | 2 +-
5755 fs/hugetlbfs/inode.c | 13 +-
5757 fs/jffs2/erase.c | 3 +-
5758 fs/jffs2/wbuf.c | 3 +-
5759 fs/jfs/super.c | 2 +-
5761 fs/lockd/clntproc.c | 4 +-
5764 fs/namespace.c | 2 +-
5765 fs/nfs/inode.c | 6 +-
5766 fs/nfsd/vfs.c | 6 +-
5767 fs/notify/fanotify/fanotify_user.c | 4 +-
5768 fs/notify/notification.c | 4 +-
5769 fs/ntfs/dir.c | 2 +-
5770 fs/ntfs/file.c | 4 +-
5771 fs/ocfs2/localalloc.c | 2 +-
5772 fs/ocfs2/ocfs2.h | 10 +-
5773 fs/ocfs2/suballoc.c | 12 +-
5774 fs/ocfs2/super.c | 20 +-
5776 fs/proc/array.c | 20 +
5777 fs/proc/kcore.c | 32 +-
5778 fs/proc/meminfo.c | 2 +-
5779 fs/proc/nommu.c | 2 +-
5780 fs/proc/self.c | 2 +-
5781 fs/proc/task_mmu.c | 39 +-
5782 fs/proc/task_nommu.c | 4 +-
5783 fs/quota/netlink.c | 4 +-
5785 fs/reiserfs/do_balan.c | 2 +-
5786 fs/reiserfs/procfs.c | 2 +-
5787 fs/reiserfs/reiserfs.h | 4 +-
5788 fs/seq_file.c | 2 +-
5790 fs/sysfs/file.c | 10 +-
5791 fs/sysfs/symlink.c | 2 +-
5792 fs/udf/misc.c | 2 +-
5793 fs/xattr_acl.c | 4 +-
5794 fs/xfs/xfs_bmap.c | 2 +-
5795 fs/xfs/xfs_dir2_sf.c | 10 +-
5796 fs/xfs/xfs_ioctl.c | 2 +-
5797 fs/xfs/xfs_iops.c | 2 +-
5798 include/asm-generic/4level-fixup.h | 2 +
5799 include/asm-generic/atomic-long.h | 210 ++
5800 include/asm-generic/atomic.h | 2 +-
5801 include/asm-generic/atomic64.h | 12 +
5802 include/asm-generic/cache.h | 4 +-
5803 include/asm-generic/emergency-restart.h | 2 +-
5804 include/asm-generic/kmap_types.h | 4 +-
5805 include/asm-generic/local.h | 13 +
5806 include/asm-generic/pgtable-nopmd.h | 18 +-
5807 include/asm-generic/pgtable-nopud.h | 15 +-
5808 include/asm-generic/pgtable.h | 8 +
5809 include/asm-generic/vmlinux.lds.h | 10 +-
5810 include/crypto/algapi.h | 2 +-
5811 include/drm/drmP.h | 5 +-
5812 include/drm/drm_crtc_helper.h | 2 +-
5813 include/drm/ttm/ttm_memory.h | 2 +-
5814 include/linux/atmdev.h | 2 +-
5815 include/linux/binfmts.h | 1 +
5816 include/linux/blkdev.h | 2 +-
5817 include/linux/blktrace_api.h | 2 +-
5818 include/linux/cache.h | 4 +
5819 include/linux/cdrom.h | 1 -
5820 include/linux/cleancache.h | 2 +-
5821 include/linux/compiler-gcc4.h | 20 +
5822 include/linux/compiler.h | 72 +-
5823 include/linux/cpu.h | 2 +-
5824 include/linux/crypto.h | 6 +-
5825 include/linux/decompress/mm.h | 2 +-
5826 include/linux/dma-mapping.h | 2 +-
5827 include/linux/dmaengine.h | 4 +-
5828 include/linux/efi.h | 1 +
5829 include/linux/elf.h | 2 +
5830 include/linux/filter.h | 4 +
5831 include/linux/frontswap.h | 2 +-
5832 include/linux/fs.h | 3 +-
5833 include/linux/fs_struct.h | 2 +-
5834 include/linux/fscache-cache.h | 4 +-
5835 include/linux/fsnotify.h | 2 +-
5836 include/linux/ftrace_event.h | 2 +-
5837 include/linux/genhd.h | 2 +-
5838 include/linux/gfp.h | 12 +-
5839 include/linux/highmem.h | 12 +
5840 include/linux/i2c.h | 1 +
5841 include/linux/i2o.h | 2 +-
5842 include/linux/if_pppox.h | 2 +-
5843 include/linux/init.h | 33 +-
5844 include/linux/init_task.h | 7 +
5845 include/linux/interrupt.h | 8 +-
5846 include/linux/kgdb.h | 6 +-
5847 include/linux/kobject.h | 2 +-
5848 include/linux/kref.h | 2 +-
5849 include/linux/kvm_host.h | 4 +-
5850 include/linux/libata.h | 2 +-
5851 include/linux/list.h | 3 +
5852 include/linux/mm.h | 91 +-
5853 include/linux/mm_types.h | 22 +-
5854 include/linux/mmiotrace.h | 4 +-
5855 include/linux/mmzone.h | 2 +-
5856 include/linux/mod_devicetable.h | 4 +-
5857 include/linux/module.h | 55 +-
5858 include/linux/moduleloader.h | 18 +-
5859 include/linux/moduleparam.h | 4 +-
5860 include/linux/namei.h | 6 +-
5861 include/linux/netdevice.h | 3 +-
5862 include/linux/netfilter/ipset/ip_set.h | 2 +-
5863 include/linux/netfilter/nfnetlink.h | 2 +-
5864 include/linux/notifier.h | 3 +-
5865 include/linux/oprofile.h | 4 +-
5866 include/linux/perf_event.h | 10 +-
5867 include/linux/pipe_fs_i.h | 6 +-
5868 include/linux/platform_data/usb-ehci-s5p.h | 2 +-
5869 include/linux/pm_runtime.h | 2 +-
5870 include/linux/poison.h | 4 +-
5871 include/linux/power/smartreflex.h | 2 +-
5872 include/linux/random.h | 5 +
5873 include/linux/reboot.h | 14 +-
5874 include/linux/regset.h | 3 +-
5875 include/linux/relay.h | 2 +-
5876 include/linux/rio.h | 2 +-
5877 include/linux/rmap.h | 4 +-
5878 include/linux/sched.h | 64 +-
5879 include/linux/seq_file.h | 1 +
5880 include/linux/skbuff.h | 12 +-
5881 include/linux/slab.h | 36 +-
5882 include/linux/slab_def.h | 33 +-
5883 include/linux/slob_def.h | 4 +-
5884 include/linux/slub_def.h | 10 +-
5885 include/linux/sonet.h | 2 +-
5886 include/linux/sunrpc/clnt.h | 8 +-
5887 include/linux/sunrpc/svc_rdma.h | 18 +-
5888 include/linux/sysrq.h | 2 +-
5889 include/linux/thread_info.h | 7 +
5890 include/linux/tty.h | 4 +-
5891 include/linux/tty_driver.h | 2 +-
5892 include/linux/tty_ldisc.h | 2 +-
5893 include/linux/types.h | 16 +
5894 include/linux/uaccess.h | 6 +-
5895 include/linux/unaligned/access_ok.h | 12 +-
5896 include/linux/usb.h | 2 +-
5897 include/linux/usb/renesas_usbhs.h | 2 +-
5898 include/linux/vermagic.h | 21 +-
5899 include/linux/vmalloc.h | 11 +-
5900 include/linux/vmstat.h | 20 +-
5901 include/media/v4l2-dev.h | 2 +-
5902 include/media/v4l2-ioctl.h | 1 -
5903 include/net/caif/cfctrl.h | 6 +-
5904 include/net/flow.h | 2 +-
5905 include/net/gro_cells.h | 6 +-
5906 include/net/inet_connection_sock.h | 2 +-
5907 include/net/inetpeer.h | 8 +-
5908 include/net/ip_fib.h | 2 +-
5909 include/net/ip_vs.h | 4 +-
5910 include/net/irda/ircomm_tty.h | 1 +
5911 include/net/iucv/af_iucv.h | 2 +-
5912 include/net/neighbour.h | 2 +-
5913 include/net/net_namespace.h | 6 +-
5914 include/net/netdma.h | 2 +-
5915 include/net/netlink.h | 2 +-
5916 include/net/netns/ipv4.h | 2 +-
5917 include/net/protocol.h | 4 +-
5918 include/net/sctp/sctp.h | 6 +-
5919 include/net/sctp/structs.h | 4 +-
5920 include/net/sock.h | 6 +-
5921 include/net/tcp.h | 8 +-
5922 include/net/xfrm.h | 4 +-
5923 include/rdma/iw_cm.h | 2 +-
5924 include/scsi/libfc.h | 3 +-
5925 include/scsi/scsi_device.h | 6 +-
5926 include/scsi/scsi_transport_fc.h | 3 +-
5927 include/sound/soc.h | 4 +-
5928 include/target/target_core_base.h | 2 +-
5929 include/trace/events/irq.h | 4 +-
5930 include/uapi/linux/a.out.h | 8 +
5931 include/uapi/linux/byteorder/little_endian.h | 24 +-
5932 include/uapi/linux/elf.h | 28 +
5933 include/uapi/linux/screen_info.h | 3 +-
5934 include/uapi/linux/sysctl.h | 6 +-
5935 include/uapi/linux/xattr.h | 4 +
5936 include/video/udlfb.h | 8 +-
5937 include/video/uvesafb.h | 1 +
5940 init/do_mounts.c | 14 +-
5941 init/do_mounts.h | 8 +-
5942 init/do_mounts_initrd.c | 22 +-
5943 init/do_mounts_md.c | 6 +-
5944 init/init_task.c | 4 +
5945 init/initramfs.c | 40 +-
5950 kernel/acct.c | 2 +-
5951 kernel/audit.c | 8 +-
5952 kernel/auditsc.c | 4 +-
5953 kernel/capability.c | 3 +
5954 kernel/compat.c | 40 +-
5955 kernel/debug/debug_core.c | 16 +-
5956 kernel/debug/kdb/kdb_main.c | 4 +-
5957 kernel/events/core.c | 28 +-
5958 kernel/exit.c | 4 +-
5959 kernel/fork.c | 167 +-
5960 kernel/futex.c | 9 +
5961 kernel/gcov/base.c | 7 +-
5962 kernel/hrtimer.c | 4 +-
5963 kernel/jump_label.c | 5 +
5964 kernel/kallsyms.c | 39 +-
5965 kernel/kexec.c | 3 +-
5966 kernel/kmod.c | 2 +-
5967 kernel/kprobes.c | 8 +-
5968 kernel/lockdep.c | 7 +-
5969 kernel/module.c | 333 ++-
5970 kernel/mutex-debug.c | 12 +-
5971 kernel/mutex-debug.h | 4 +-
5972 kernel/mutex.c | 7 +-
5973 kernel/notifier.c | 17 +-
5974 kernel/panic.c | 3 +-
5976 kernel/posix-cpu-timers.c | 4 +-
5977 kernel/posix-timers.c | 20 +-
5978 kernel/power/process.c | 12 +-
5979 kernel/profile.c | 14 +-
5980 kernel/ptrace.c | 6 +-
5981 kernel/rcutiny.c | 4 +-
5982 kernel/rcutiny_plugin.h | 2 +-
5983 kernel/rcutorture.c | 56 +-
5984 kernel/rcutree.c | 72 +-
5985 kernel/rcutree.h | 24 +-
5986 kernel/rcutree_plugin.h | 18 +-
5987 kernel/rcutree_trace.c | 22 +-
5988 kernel/rtmutex-tester.c | 24 +-
5989 kernel/sched/auto_group.c | 4 +-
5990 kernel/sched/core.c | 2 +-
5991 kernel/sched/fair.c | 4 +-
5992 kernel/signal.c | 12 +-
5994 kernel/softirq.c | 16 +-
5995 kernel/srcu.c | 6 +-
5996 kernel/stop_machine.c | 2 +-
5997 kernel/sys.c | 12 +-
5998 kernel/sysctl.c | 37 +-
5999 kernel/sysctl_binary.c | 14 +-
6000 kernel/time/alarmtimer.c | 2 +-
6001 kernel/time/tick-broadcast.c | 2 +-
6002 kernel/time/timer_stats.c | 10 +-
6003 kernel/timer.c | 4 +-
6004 kernel/trace/blktrace.c | 6 +-
6005 kernel/trace/ftrace.c | 20 +-
6006 kernel/trace/ring_buffer.c | 76 +-
6007 kernel/trace/trace.c | 6 +-
6008 kernel/trace/trace_events.c | 25 +-
6009 kernel/trace/trace_mmiotrace.c | 8 +-
6010 kernel/trace/trace_output.c | 12 +-
6011 kernel/trace/trace_stack.c | 2 +-
6015 lib/debugobjects.c | 2 +-
6017 lib/dma-debug.c | 4 +-
6018 lib/inflate.c | 2 +-
6019 lib/ioremap.c | 4 +-
6020 lib/list_debug.c | 89 +-
6021 lib/radix-tree.c | 2 +-
6022 lib/strncpy_from_user.c | 2 +-
6023 lib/strnlen_user.c | 2 +-
6024 lib/vsprintf.c | 12 +-
6033 mm/memory-failure.c | 18 +-
6034 mm/memory.c | 404 ++-
6035 mm/mempolicy.c | 26 +
6037 mm/mmap.c | 573 +++-
6038 mm/mprotect.c | 138 +-
6041 mm/page-writeback.c | 2 +-
6042 mm/page_alloc.c | 14 +-
6044 mm/process_vm_access.c | 14 +-
6049 mm/slab_common.c | 9 +-
6052 mm/sparse-vmemmap.c | 4 +-
6055 mm/swapfile.c | 12 +-
6057 mm/vmalloc.c | 82 +-
6059 net/8021q/vlan.c | 5 +-
6060 net/9p/trans_fd.c | 2 +-
6061 net/atm/atm_misc.c | 8 +-
6062 net/atm/lec.h | 2 +-
6063 net/atm/proc.c | 6 +-
6064 net/atm/resources.c | 4 +-
6065 net/batman-adv/bat_iv_ogm.c | 8 +-
6066 net/batman-adv/hard-interface.c | 4 +-
6067 net/batman-adv/soft-interface.c | 4 +-
6068 net/batman-adv/types.h | 6 +-
6069 net/batman-adv/unicast.c | 2 +-
6070 net/bluetooth/hci_sock.c | 2 +-
6071 net/bluetooth/l2cap_core.c | 6 +-
6072 net/bluetooth/l2cap_sock.c | 12 +-
6073 net/bluetooth/rfcomm/sock.c | 4 +-
6074 net/bluetooth/rfcomm/tty.c | 10 +-
6075 net/bridge/netfilter/ebtables.c | 6 +-
6076 net/caif/cfctrl.c | 11 +-
6077 net/can/af_can.c | 2 +-
6079 net/compat.c | 34 +-
6080 net/core/datagram.c | 2 +-
6081 net/core/dev.c | 16 +-
6082 net/core/flow.c | 8 +-
6083 net/core/iovec.c | 4 +-
6084 net/core/rtnetlink.c | 2 +-
6085 net/core/scm.c | 8 +-
6086 net/core/sock.c | 24 +-
6087 net/decnet/sysctl_net_decnet.c | 4 +-
6088 net/ipv4/ah4.c | 2 +-
6089 net/ipv4/esp4.c | 2 +-
6090 net/ipv4/fib_frontend.c | 6 +-
6091 net/ipv4/fib_semantics.c | 2 +-
6092 net/ipv4/inetpeer.c | 4 +-
6093 net/ipv4/ip_fragment.c | 2 +-
6094 net/ipv4/ip_sockglue.c | 2 +-
6095 net/ipv4/ipcomp.c | 2 +-
6096 net/ipv4/ipconfig.c | 6 +-
6097 net/ipv4/netfilter/arp_tables.c | 12 +-
6098 net/ipv4/netfilter/ip_tables.c | 12 +-
6099 net/ipv4/ping.c | 2 +-
6100 net/ipv4/raw.c | 14 +-
6101 net/ipv4/route.c | 2 +-
6102 net/ipv4/tcp_input.c | 2 +-
6103 net/ipv4/tcp_probe.c | 2 +-
6104 net/ipv4/udp.c | 10 +-
6105 net/ipv6/addrconf.c | 2 +-
6106 net/ipv6/ip6_gre.c | 2 +-
6107 net/ipv6/ipv6_sockglue.c | 2 +-
6108 net/ipv6/netfilter/ip6_tables.c | 12 +-
6109 net/ipv6/raw.c | 19 +-
6110 net/ipv6/udp.c | 8 +-
6111 net/irda/ircomm/ircomm_tty.c | 18 +-
6112 net/iucv/af_iucv.c | 4 +-
6113 net/iucv/iucv.c | 2 +-
6114 net/key/af_key.c | 4 +-
6115 net/mac80211/cfg.c | 4 +-
6116 net/mac80211/ieee80211_i.h | 3 +-
6117 net/mac80211/iface.c | 14 +-
6118 net/mac80211/main.c | 2 +-
6119 net/mac80211/pm.c | 6 +-
6120 net/mac80211/rate.c | 2 +-
6121 net/mac80211/rc80211_pid_debugfs.c | 2 +-
6122 net/mac80211/util.c | 2 +-
6123 net/netfilter/ipvs/ip_vs_conn.c | 6 +-
6124 net/netfilter/ipvs/ip_vs_core.c | 4 +-
6125 net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
6126 net/netfilter/ipvs/ip_vs_sync.c | 6 +-
6127 net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
6128 net/netfilter/nfnetlink_log.c | 4 +-
6129 net/netfilter/xt_statistic.c | 8 +-
6130 net/netlink/af_netlink.c | 4 +-
6131 net/packet/af_packet.c | 12 +-
6132 net/phonet/pep.c | 6 +-
6133 net/phonet/socket.c | 2 +-
6134 net/rds/cong.c | 6 +-
6136 net/rds/ib_cm.c | 2 +-
6137 net/rds/ib_recv.c | 4 +-
6139 net/rds/iw_cm.c | 2 +-
6140 net/rds/iw_recv.c | 4 +-
6141 net/rds/tcp.c | 2 +-
6142 net/rds/tcp_send.c | 2 +-
6143 net/rxrpc/af_rxrpc.c | 2 +-
6144 net/rxrpc/ar-ack.c | 14 +-
6145 net/rxrpc/ar-call.c | 2 +-
6146 net/rxrpc/ar-connection.c | 2 +-
6147 net/rxrpc/ar-connevent.c | 2 +-
6148 net/rxrpc/ar-input.c | 4 +-
6149 net/rxrpc/ar-internal.h | 8 +-
6150 net/rxrpc/ar-local.c | 2 +-
6151 net/rxrpc/ar-output.c | 4 +-
6152 net/rxrpc/ar-peer.c | 2 +-
6153 net/rxrpc/ar-proc.c | 4 +-
6154 net/rxrpc/ar-transport.c | 2 +-
6155 net/rxrpc/rxkad.c | 4 +-
6156 net/sctp/ipv6.c | 2 +-
6157 net/sctp/protocol.c | 8 +-
6158 net/sctp/socket.c | 2 +
6159 net/socket.c | 34 +-
6160 net/sunrpc/sched.c | 4 +-
6161 net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
6162 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
6163 net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
6164 net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
6165 net/tipc/link.c | 6 +-
6166 net/tipc/msg.c | 2 +-
6167 net/tipc/subscr.c | 2 +-
6168 net/wireless/wext-core.c | 19 +-
6169 net/xfrm/xfrm_policy.c | 16 +-
6170 net/xfrm/xfrm_state.c | 4 +-
6171 scripts/Makefile.build | 2 +-
6172 scripts/Makefile.clean | 3 +-
6173 scripts/Makefile.host | 28 +-
6174 scripts/basic/fixdep.c | 12 +-
6175 scripts/gcc-plugin.sh | 17 +
6176 scripts/link-vmlinux.sh | 2 +-
6177 scripts/mod/file2alias.c | 14 +-
6178 scripts/mod/modpost.c | 25 +-
6179 scripts/mod/modpost.h | 6 +-
6180 scripts/mod/sumversion.c | 2 +-
6181 scripts/pnmtologo.c | 6 +-
6182 security/Kconfig | 654 ++++-
6183 security/integrity/ima/ima.h | 4 +-
6184 security/integrity/ima/ima_api.c | 2 +-
6185 security/integrity/ima/ima_fs.c | 4 +-
6186 security/integrity/ima/ima_queue.c | 2 +-
6187 security/keys/compat.c | 2 +-
6188 security/keys/keyctl.c | 8 +-
6189 security/keys/keyring.c | 6 +-
6190 security/security.c | 9 +-
6191 security/selinux/hooks.c | 2 +-
6192 security/selinux/include/xfrm.h | 2 +-
6193 security/smack/smack_lsm.c | 2 +-
6194 security/tomoyo/tomoyo.c | 2 +-
6195 sound/aoa/codecs/onyx.c | 7 +-
6196 sound/aoa/codecs/onyx.h | 1 +
6197 sound/core/oss/pcm_oss.c | 18 +-
6198 sound/core/pcm_compat.c | 2 +-
6199 sound/core/pcm_native.c | 4 +-
6200 sound/core/seq/seq_device.c | 8 +-
6201 sound/drivers/mts64.c | 14 +-
6202 sound/drivers/opl4/opl4_lib.c | 2 +-
6203 sound/drivers/portman2x4.c | 3 +-
6204 sound/firewire/amdtp.c | 4 +-
6205 sound/firewire/amdtp.h | 2 +-
6206 sound/firewire/isight.c | 10 +-
6207 sound/firewire/scs1x.c | 8 +-
6208 sound/oss/sb_audio.c | 2 +-
6209 sound/oss/swarm_cs4297a.c | 6 +-
6210 sound/pci/ymfpci/ymfpci.h | 2 +-
6211 sound/pci/ymfpci/ymfpci_main.c | 12 +-
6212 tools/gcc/.gitignore | 1 +
6213 tools/gcc/Makefile | 43 +
6214 tools/gcc/checker_plugin.c | 171 +
6215 tools/gcc/colorize_plugin.c | 151 +
6216 tools/gcc/constify_plugin.c | 359 +++
6217 tools/gcc/generate_size_overflow_hash.sh | 94 +
6218 tools/gcc/kallocstat_plugin.c | 170 +
6219 tools/gcc/kernexec_plugin.c | 465 +++
6220 tools/gcc/latent_entropy_plugin.c | 321 ++
6221 tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
6222 tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
6223 tools/gcc/stackleak_plugin.c | 327 ++
6224 tools/perf/util/include/asm/alternative-asm.h | 3 +
6225 virt/kvm/kvm_main.c | 32 +-
6226 1311 files changed, 26668 insertions(+), 6394 deletions(-)
6227 commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
6228 Merge: 0949bd4 fc53d63
6229 Author: Brad Spengler <spender@grsecurity.net>
6230 Date: Thu Mar 22 19:03:44 2012 -0400
6232 Merge branch 'pax-test' into grsec-test
6234 commit fc53d6338964741b368070ec5c935bc579b8c2a6
6235 Author: Brad Spengler <spender@grsecurity.net>
6236 Date: Thu Mar 22 19:02:45 2012 -0400
6238 Update to pax-linux-3.2.12-test33.patch
6240 commit 0949bd46a6455b308f66ad7c993bfee62412db35
6241 Author: Brad Spengler <spender@grsecurity.net>
6242 Date: Thu Mar 22 16:56:09 2012 -0400
6244 Use current_umask() instead of current->fs->umask
6246 commit 22f6432d0fe733619cfcb523782ed7d80c46d645
6247 Author: Brad Spengler <spender@grsecurity.net>
6248 Date: Wed Mar 21 19:42:42 2012 -0400
6252 commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
6253 Author: Brad Spengler <spender@grsecurity.net>
6254 Date: Wed Mar 21 19:34:56 2012 -0400
6256 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
6257 uses of domains with particular hash collisions
6259 commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
6260 Author: Brad Spengler <spender@grsecurity.net>
6261 Date: Tue Mar 20 20:25:49 2012 -0400
6265 commit b00953b43c69238d181d21121ef1577c988d5f6b
6266 Author: Brad Spengler <spender@grsecurity.net>
6267 Date: Tue Mar 20 19:29:34 2012 -0400
6269 zero real_root after releasing it
6271 commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
6272 Merge: b724f59 273f98e
6273 Author: Brad Spengler <spender@grsecurity.net>
6274 Date: Tue Mar 20 19:11:26 2012 -0400
6276 Merge branch 'pax-test' into grsec-test
6278 commit 273f98e58cdac555d3b5dce5c1ca168349f95878
6279 Author: Brad Spengler <spender@grsecurity.net>
6280 Date: Tue Mar 20 19:10:52 2012 -0400
6282 Temporary workaround for (most) size_overflow plugin false-positives
6283 Increase randomization for brk-managed heap to 21 bits
6284 Update to pax-linux-3.2.12-test32.patch
6286 commit b724f59125304460c2af8bd4b02921993afbb5d3
6287 Author: Brad Spengler <spender@grsecurity.net>
6288 Date: Tue Mar 20 18:58:53 2012 -0400
6292 commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
6293 Author: Brad Spengler <spender@grsecurity.net>
6294 Date: Tue Mar 20 18:52:23 2012 -0400
6296 Require default and kernel role
6298 commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
6299 Author: Brad Spengler <spender@grsecurity.net>
6300 Date: Tue Mar 20 18:47:28 2012 -0400
6302 Allow policies without special roles
6303 don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
6305 commit 402ec3d24d66d38403dc543c84851f5e72d39e22
6306 Merge: 8e012dc f14661a
6307 Author: Brad Spengler <spender@grsecurity.net>
6308 Date: Mon Mar 19 18:06:59 2012 -0400
6310 Merge branch 'pax-test' into grsec-test
6315 commit f14661aaf202155c97f66626cea0269017bb7775
6316 Merge: eae671f 058b017
6317 Author: Brad Spengler <spender@grsecurity.net>
6318 Date: Mon Mar 19 18:05:44 2012 -0400
6320 Merge branch 'linux-3.2.y' into pax-test
6322 commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
6323 Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
6324 Date: Fri Mar 16 17:08:39 2012 -0700
6326 nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
6328 According to the report from Slicky Devil, nilfs caused kernel oops at
6329 nilfs_load_super_block function during mount after he shrank the
6330 partition without resizing the filesystem:
6332 BUG: unable to handle kernel NULL pointer dereference at 00000048
6333 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
6335 Oops: 0000 [#1] PREEMPT SMP
6338 [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
6339 [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
6340 [<c0226636>] mount_fs+0x36/0x180
6341 [<c023d961>] vfs_kern_mount+0x51/0xa0
6342 [<c023ddae>] do_kern_mount+0x3e/0xe0
6343 [<c023f189>] do_mount+0x169/0x700
6344 [<c023fa9b>] sys_mount+0x6b/0xa0
6345 [<c04abd1f>] sysenter_do_call+0x12/0x28
6346 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
6347 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
6348 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
6349 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
6350 CR2: 0000000000000048
6352 This turned out to be due to a defect in an error path which runs if the
6353 calculated location of the secondary super block was invalid.
6355 This patch fixes it and eliminates the reported oops.
6357 Reported-by: Slicky Devil <slicky.dvl@gmail.com>
6358 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
6359 Tested-by: Slicky Devil <slicky.dvl@gmail.com>
6360 Cc: <stable@vger.kernel.org> [2.6.30+]
6361 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
6362 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6364 commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
6365 Author: Haogang Chen <haogangchen@gmail.com>
6366 Date: Fri Mar 16 17:08:38 2012 -0700
6368 nilfs2: clamp ns_r_segments_percentage to [1, 99]
6370 ns_r_segments_percentage is read from the disk. Bogus or malicious
6371 value could cause integer overflow and malfunction due to meaningless
6372 disk usage calculation. This patch reports error when mounting such
6375 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
6376 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
6377 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
6378 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6380 commit e1a90645643f9b0194a5984ec8febd06360d5c8b
6381 Author: Eric Dumazet <eric.dumazet@gmail.com>
6382 Date: Sat Mar 10 09:20:21 2012 +0000
6384 tcp: fix syncookie regression
6386 commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
6387 added a serious regression on synflood handling.
6389 Simon Kirby discovered a successful connection was delayed by 20 seconds
6390 before being responsive.
6392 In my tests, I discovered that xmit frames were lost, and needed ~4
6393 retransmits and a socket dst rebuild before being really sent.
6395 In case of syncookie initiated connection, we use a different path to
6396 initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
6398 As ip_queue_xmit() now depends on inet flow being setup, fix this by
6399 copying the temp flowi4 we use in cookie_v4_check().
6401 Reported-by: Simon Kirby <sim@netnation.com>
6402 Bisected-by: Simon Kirby <sim@netnation.com>
6403 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
6404 Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
6405 Signed-off-by: David S. Miller <davem@davemloft.net>
6407 commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
6408 Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
6409 Date: Mon Mar 12 02:59:41 2012 +0000
6411 tun: don't hold network namespace by tun sockets
6413 v3: added previously removed sock_put() to the tun_release() callback, because
6414 sk_release_kernel() doesn't drop the socket reference.
6416 v2: sk_release_kernel() used for socket release. Dummy tun_release() is
6417 required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
6420 TUN was designed to destroy its socket on network namespace shutdown. But this
6421 will never happen for persistent device, because its socket holds network
6423 This patch removes holding of the network namespace by the TUN socket and replaces it
6424 by creating socket in init_net and then changing its net to the desired one. On
6425 shutdown socket is moved back to init_net prior to final put.
6427 Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
6428 Signed-off-by: David S. Miller <davem@davemloft.net>
6430 commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
6431 Author: Tyler Hicks <tyhicks@canonical.com>
6432 Date: Mon Dec 12 10:02:30 2011 -0600
6434 vfs: Correctly set the dir i_mutex lockdep class
6436 9a7aa12f3911853a introduced additional logic around setting the i_mutex
6437 lockdep class for directory inodes. The idea was that some filesystems
6438 may want their own special lockdep class for different directory
6439 inodes and calling unlock_new_inode() should not clobber one of
6440 those special classes.
6442 I believe that the added conditional, around the *negated* return value
6443 of lockdep_match_class(), caused directory inodes to be placed in the
6444 wrong lockdep class.
6446 inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
6447 all inodes. If the filesystem did not change the class during inode
6448 initialization, then the conditional mentioned above was false and the
6449 directory inode was incorrectly left in the non-directory lockdep class.
6450 If the filesystem did set a special lockdep class, then the conditional
6451 mentioned above was true and that class was clobbered with
6454 This patch removes the negation from the conditional so that the i_mutex
6455 lockdep class is properly set for directory inodes. Special classes are
6456 preserved and directory inodes with unmodified classes are set with
6459 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
6460 Reviewed-by: Jan Kara <jack@suse.cz>
6461 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6463 commit 603590b0d2eca61ce26499eac9c563bc567a18c9
6464 Author: Jan Kara <jack@suse.cz>
6465 Date: Mon Feb 20 17:54:00 2012 +0100
6467 udf: Fix deadlock in udf_release_file()
6469 udf_release_file() can be called from munmap() path with mmap_sem held. Thus
6470 we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
6471 i_mutex is not needed in udf_release_file() anymore since protection by
6472 i_data_sem is enough to protect from races with write and truncate.
6474 Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
6475 Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
6476 Signed-off-by: Jan Kara <jack@suse.cz>
6477 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6479 commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
6480 Author: Miklos Szeredi <mszeredi@suse.cz>
6481 Date: Tue Mar 6 13:56:33 2012 +0100
6483 vfs: fix double put after complete_walk()
6485 complete_walk() already puts nd->path, no need to do it again at cleanup time.
6487 This would result in Oopses if triggered, apparently the codepath is not too
6490 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
6491 CC: stable@vger.kernel.org
6492 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6494 commit 13885ba2b18400f3ef6540497d30f1af896605e5
6495 Author: Miklos Szeredi <mszeredi@suse.cz>
6496 Date: Tue Mar 6 13:56:34 2012 +0100
6498 vfs: fix return value from do_last()
6500 complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
6501 ECHILD unconditionally. If not in RCU mode, this error will reach userspace
6502 which is complete nonsense.
6504 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
6505 CC: stable@vger.kernel.org
6506 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6512 commit f5ab7572c99ffb58953eb1070622307e904c3b7f
6513 Author: Al Viro <viro@zeniv.linux.org.uk>
6514 Date: Sat Mar 10 17:07:28 2012 -0500
6516 restore smp_mb() in unlock_new_inode()
6518 wait_on_inode() doesn't have ->i_lock
6520 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6522 commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
6523 Author: David S. Miller <davem@davemloft.net>
6524 Date: Tue Mar 13 18:19:51 2012 -0700
6526 sparc32: Add -Av8 to assembler command line.
6528 Newer versions of binutils are more strict about specifying the
6529 correct options to enable certain classes of instructions.
6531 The sparc32 build is done for v7 in order to support sun4c systems
6532 which lack hardware integer multiply and divide instructions.
6534 So we have to pass -Av8 when building the assembler routines that
6535 use these instructions and get patched into the kernel when we find
6536 out that we have a v8 capable cpu.
6538 Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
6539 Signed-off-by: David S. Miller <davem@davemloft.net>
6541 commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
6542 Author: Thomas Gleixner <tglx@linutronix.de>
6543 Date: Fri Mar 9 20:55:10 2012 +0100
6545 x86: Derandom delay_tsc for 64 bit
6547 Commit f0fbf0abc093 ("x86: integrate delay functions") converted
6548 delay_tsc() into a random delay generator for 64 bit. The reason is
6549 that it merged the mostly identical versions of delay_32.c and
6550 delay_64.c. Though the subtle difference of the result was:
6552 static void delay_tsc(unsigned long loops)
6554 - unsigned bclock, now;
6555 + unsigned long bclock, now;
6557 Now the function uses rdtscl() which returns the lower 32bit of the
6558 TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
6559 bit this fails when the lower 32bit are close to wrap around when
6560 bclock is read, because the following check
6562 if ((now - bclock) >= loops)
6565 evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
6566 because the unsigned long (now - bclock) of these values results in
6567 0xffffffff00000001 which is definitely larger than the loops
6568 value. That explains Tvrtko's observation:
6570 "Because I am seeing udelay(500) (_occasionally_) being short, and
6571 that by delaying for some duration between 0us (yep) and 491us."
6573 Make those variables explicitly u32 again, so this works for both 32
6576 Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
6577 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
6578 Cc: stable@vger.kernel.org # >= 2.6.27
6579 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
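
An added example (not code from the kernel or from this changelog) that models the comparison described in the "x86: Derandom delay_tsc for 64 bit" message above, showing how long the busy-wait really lasts when the low 32 bits of the TSC wrap. `fake_tsc`, `read_tsc_low32` and the function names are constructed stand-ins; `uint64_t` models `unsigned long` on x86-64.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for rdtscl(): hands back the low 32 bits of a
 * simulated 64-bit TSC and advances it by one tick per read. */
static uint64_t fake_tsc;

static uint32_t read_tsc_low32(void)
{
    return (uint32_t)fake_tsc++;
}

/* The subtraction from the commit message with both 32-bit samples held
 * in 64-bit variables (what "unsigned long" is on x86-64). */
static uint64_t diff_wide(uint32_t bclock_low, uint32_t now_low)
{
    uint64_t bclock = bclock_low, now = now_low;

    return now - bclock;
}

/* The same subtraction kept in 32 bits: it wraps modulo 2^32, so the
 * result is the real tick distance even across a wrap. */
static uint32_t diff_u32(uint32_t bclock, uint32_t now)
{
    return (uint32_t)(now - bclock);
}

/* Busy-wait model, regressed form: 64-bit bclock/now.
 * Returns the true number of ticks between sampling bclock and the
 * sample that ended the loop. */
static uint64_t ticks_waited_wide(uint64_t start_tsc, uint32_t loops)
{
    uint64_t bclock, now;

    fake_tsc = start_tsc;
    bclock = read_tsc_low32();
    do {
        now = read_tsc_low32();
    } while ((now - bclock) < loops);

    return fake_tsc - 1 - start_tsc;
}

/* Busy-wait model, fixed form: bclock/now are explicitly 32-bit. */
static uint64_t ticks_waited_u32(uint64_t start_tsc, uint32_t loops)
{
    uint32_t bclock, now;

    fake_tsc = start_tsc;
    bclock = read_tsc_low32();
    do {
        now = read_tsc_low32();
    } while ((uint32_t)(now - bclock) < loops);

    return fake_tsc - 1 - start_tsc;
}

int main(void)
{
    /* Constructed inputs: a start value 16 ticks before the low 32 bits
     * wrap, and one far from the wrap. */
    const uint64_t near_wrap = 0xfffffff0ULL;
    const uint64_t far_from_wrap = 1000;
    const uint32_t loops = 500;

    printf("bclock=0xffffffff now=0: wide diff=0x%llx, u32 diff=%u\n",
           (unsigned long long)diff_wide(0xffffffffu, 0),
           diff_u32(0xffffffffu, 0));
    printf("near wrap:     wide waited %llu ticks, u32 waited %llu ticks\n",
           (unsigned long long)ticks_waited_wide(near_wrap, loops),
           (unsigned long long)ticks_waited_u32(near_wrap, loops));
    printf("far from wrap: wide waited %llu ticks, u32 waited %llu ticks\n",
           (unsigned long long)ticks_waited_wide(far_from_wrap, loops),
           (unsigned long long)ticks_waited_u32(far_from_wrap, loops));
    return 0;
}
```

The wide variant only misbehaves when the low 32 bits wrap during the wait, which matches the "occasionally short" delay quoted in the message.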
6581 commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
6582 Author: Al Viro <viro@ZenIV.linux.org.uk>
6583 Date: Thu Mar 8 17:51:19 2012 +0000
6585 aio: fix the "too late munmap()" race
6587 Current code has put_ioctx() called asynchronously from aio_fput_routine();
6588 that's done *after* we have killed the request that used to pin ioctx,
6589 so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
6590 from progressing. As the result, we can end up with async call of
6591 put_ioctx() being the last one and possibly happening during exit_mmap()
6592 or elf_core_dump(), neither of which expects stray munmap() being done
6595 We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
6596 with that, but that's all we care about - neither io_destroy() nor
6597 exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
6598 does really_put_req(), so the ioctx teardown won't be done until then
6599 and we don't care about the contents of ioctx past that point.
6601 Since actual freeing of these suckers is RCU-delayed, we don't need to
6602 bump ioctx refcount when request goes into list for async removal.
6603 All we need is rcu_read_lock held just over the ->ctx_lock-protected
6604 area in aio_fput_routine().
6606 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6607 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
6608 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
6609 Cc: stable@vger.kernel.org
6610 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6612 commit 002124c055afbf09b52226af65621999e8316448
6613 Author: Al Viro <viro@ZenIV.linux.org.uk>
6614 Date: Wed Mar 7 05:16:35 2012 +0000
6616 aio: fix io_setup/io_destroy race
6618 Have ioctx_alloc() return an extra reference, so that caller would drop it
6619 on success and not bother with re-grabbing it on failure exit. The current
6620 code is obviously broken - io_destroy() from another thread that managed
6621 to guess the address io_setup() would've returned would free ioctx right
6622 under us; gets especially interesting if aio_context_t * we pass to
6623 io_setup() points to PROT_READ mapping, so put_user() fails and we end
6624 up doing io_destroy() on kioctx another thread has just got freed...
6626 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6627 Acked-by: Benjamin LaHaise <bcrl@kvack.org>
6628 Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
6629 Cc: stable@vger.kernel.org
6630 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6632 commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
6633 Author: Dan Carpenter <dan.carpenter@oracle.com>
6634 Date: Thu Mar 15 15:17:12 2012 -0700
6636 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
6638 strict_strtoul() writes a long but ->gamma_mode only has space to store an
6639 int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
6640 well. I've changed it to use kstrtouint() instead.
6642 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
6643 Acked-by: Inki Dae <inki.dae@samsung.com>
6644 Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
6645 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
6646 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6648 commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
6649 Merge: e4b05b6 eae671f
6650 Author: Brad Spengler <spender@grsecurity.net>
6651 Date: Fri Mar 16 21:04:27 2012 -0400
6653 Merge branch 'pax-test' into grsec-test
6658 commit eae671fafe93f04685c04a089cc13efebc05d600
6659 Author: Brad Spengler <spender@grsecurity.net>
6660 Date: Fri Mar 16 20:58:01 2012 -0400
6662 Update to pax-linux-3.2.11-test31.patch
6663 Introduction of the size_overflow plugin from Emese Revfy
6664 Many thanks to Emese for her hard work :)
6666 commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
6667 Merge: e55aa68 258c015
6668 Author: Brad Spengler <spender@grsecurity.net>
6669 Date: Thu Mar 15 20:59:19 2012 -0400
6671 Merge branch 'pax-test' into grsec-test
6673 commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
6674 Author: Brad Spengler <spender@grsecurity.net>
6675 Date: Thu Mar 15 20:59:05 2012 -0400
6679 commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
6680 Merge: 8f95ea9 55b7573
6681 Author: Brad Spengler <spender@grsecurity.net>
6682 Date: Wed Mar 14 19:33:41 2012 -0400
6684 Merge branch 'pax-test' into grsec-test
6686 commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
6687 Author: Brad Spengler <spender@grsecurity.net>
6688 Date: Wed Mar 14 19:33:15 2012 -0400
6690 Update to pax-linux-3.2.10-test28.patch
6692 commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
6693 Merge: c8786a2 886ac5e
6694 Author: Brad Spengler <spender@grsecurity.net>
6695 Date: Tue Mar 13 17:38:13 2012 -0400
6697 Merge branch 'pax-test' into grsec-test
6699 Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
6701 commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
6702 Author: Brad Spengler <spender@grsecurity.net>
6703 Date: Tue Mar 13 17:37:44 2012 -0400
6705 Update to pax-linux-3.2.10-test26.patch
6707 commit c8786a2abed5e5327f68efa520c04db99bb6a63a
6708 Merge: 219c982 c061fcf
6709 Author: Brad Spengler <spender@grsecurity.net>
6710 Date: Tue Mar 13 17:25:06 2012 -0400
6712 Merge branch 'pax-test' into grsec-test
6714 commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
6715 Merge: 89373d2 3f4b3b2
6716 Author: Brad Spengler <spender@grsecurity.net>
6717 Date: Tue Mar 13 17:25:02 2012 -0400
6719 Merge branch 'linux-3.2.y' into pax-test
6721 commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
6722 Merge: 54e19a3 89373d2
6723 Author: Brad Spengler <spender@grsecurity.net>
6724 Date: Mon Mar 12 17:23:57 2012 -0400
6726 Merge branch 'pax-test' into grsec-test
6728 commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
6729 Merge: a778588 7459f11
6730 Author: Brad Spengler <spender@grsecurity.net>
6731 Date: Mon Mar 12 17:23:49 2012 -0400
6733 Merge branch 'linux-3.2.y' into pax-test
6735 commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
6736 Merge: c4650f1 a778588
6737 Author: Brad Spengler <spender@grsecurity.net>
6738 Date: Mon Mar 12 16:51:25 2012 -0400
6740 Merge branch 'pax-test' into grsec-test
6742 commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
6743 Author: Brad Spengler <spender@grsecurity.net>
6744 Date: Mon Mar 12 16:51:12 2012 -0400
6746 Update to pax-linux-3.2.9-test24.patch
6748 commit c4650f14b13f84735fe3de06a1f3ff5776473eff
6749 Merge: fb2abee 1015790
6750 Author: Brad Spengler <spender@grsecurity.net>
6751 Date: Sun Mar 11 21:08:28 2012 -0400
6753 Merge branch 'pax-test' into grsec-test
6758 commit 101579028a736c224e590c7e12a7357018c424e1
6759 Author: Brad Spengler <spender@grsecurity.net>
6760 Date: Sun Mar 11 21:07:27 2012 -0400
6762 Update to pax-linux-3.2.9-test22.patch
6764 commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
6765 Author: Brad Spengler <spender@grsecurity.net>
6766 Date: Sun Mar 11 11:02:17 2012 -0400
6770 commit 96bae28cbe6a41d48e3b56e5904814096e956000
6771 Author: Brad Spengler <spender@grsecurity.net>
6772 Date: Sun Mar 11 10:25:58 2012 -0400
6774 Use a per-cpu 48-bit counter instead of a global atomic64
6775 Initialize each counter to have the cpu number in the lower 16 bits
6776 instead of incrementing the counter each time by 1, perform the increments
6777 above the cpu number so that wrapping/exhausting the counter doesn't corrupt
6781 commit b975688101da6e966aebb1bc6b8c5c5983974f9c
6782 Author: Brad Spengler <spender@grsecurity.net>
6783 Date: Sat Mar 10 20:33:12 2012 -0500
6785 Special vnsec edition! :)
6786 Further reduce argv/env allowance for suid/sgid apps to 512KB
6787 Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
6788 Clear 3GB personality on suid/sgid binaries
6789 Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
6790 with the main purpose of throwing off program stack -> arg/env alignment
6791 Update documentation
6793 commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
6794 Author: Brad Spengler <spender@grsecurity.net>
6795 Date: Sat Mar 10 19:54:47 2012 -0500
6797 Resolve skbuff.h warnings that turn into errors during compilation in
6798 the grsecurity directory with -Werror
6800 commit 2023210ad43a944033fcacc660ce410888f562ee
6801 Merge: ece4383 5f66adf
6802 Author: Brad Spengler <spender@grsecurity.net>
6803 Date: Fri Mar 9 19:48:01 2012 -0500
6805 Merge branch 'pax-test' into grsec-test
6807 commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
6808 Author: Brad Spengler <spender@grsecurity.net>
6809 Date: Fri Mar 9 19:47:06 2012 -0500
6813 commit ece4383e5e91c92d138c4df84225a70b552f4d69
6814 Merge: a366d0e ab4a5a1
6815 Author: Brad Spengler <spender@grsecurity.net>
6816 Date: Fri Mar 9 17:56:46 2012 -0500
6818 Merge branch 'pax-test' into grsec-test
6820 commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
6821 Author: Brad Spengler <spender@grsecurity.net>
6822 Date: Fri Mar 9 17:56:26 2012 -0500
6824 Update to pax-linux-3.2.9-test21.patch
6826 commit a366d0ed963ce93fce10121c1100989d5f064e75
6827 Author: Mikulas Patocka <mpatocka@redhat.com>
6828 Date: Sun Mar 4 19:52:03 2012 -0500
6830 mm: fix find_vma_prev
6832 Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
6833 management on PA-RISC.
6835 After application of the patch, programs that allocate big arrays on the
6836 stack crash with segfault, for example, this will crash if compiled
6837 without optimization:
6846 The reason is that PA-RISC has up-growing stack and the stack is usually
6847 the last memory area. In the above example, a page fault happens above
6850 Previously, if we passed too high address to find_vma_prev, it returned
6851 NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
6852 change, it stores NULL in *pprev. Consequently, the stack area is not
6853 found and it is not expanded, as it used to be before the change.
6855 This patch restores the old behavior and makes it return the last VMA in
6856 *pprev if the requested address is higher than address of any other VMA.
6858 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
6859 Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
6860 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6862 commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
6863 Author: Hugh Dickins <hughd@google.com>
6864 Date: Tue Mar 6 12:28:52 2012 -0800
6866 mmap: EINVAL not ENOMEM when rejecting VM_GROWS
6868 Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
6869 from shared anonymous: hoist the file case's -EINVAL up for both.
6871 Signed-off-by: Hugh Dickins <hughd@google.com>
6872 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6874 commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
6875 Author: Al Viro <viro@ZenIV.linux.org.uk>
6876 Date: Mon Mar 5 06:38:42 2012 +0000
6878 aout: move setup_arg_pages() prior to reading/mapping the binary
6880 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6881 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6883 commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
6884 Author: Jan Beulich <JBeulich@suse.com>
6885 Date: Mon Mar 5 16:49:24 2012 +0000
6887 vsprintf: make %pV handling compatible with kasprintf()
6889 kasprintf() (and potentially other functions that I didn't run across so
6890 far) want to evaluate argument lists twice. Caring to do so for the
6891 primary list is obviously their job, but they can't reasonably be
6892 expected to check the format string for instances of %pV, which however
6893 need special handling too: On architectures like x86-64 (as opposed to
6894 e.g. ix86), using the same argument list twice doesn't produce the
6895 expected results, as an internally managed cursor gets updated during
6898 Fix the problem by always acting on a copy of the original list when
6901 Signed-off-by: Jan Beulich <jbeulich@suse.com>
6902 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6904 commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
6905 Author: Al Viro <viro@ZenIV.linux.org.uk>
6906 Date: Mon Mar 5 06:39:47 2012 +0000
6908 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
6910 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
6911 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6913 commit a831bd53764695ea680cc1fa3c98759a610ed2ac
6914 Author: Christian König <deathsimple@vodafone.de>
6915 Date: Tue Feb 28 23:19:20 2012 +0100
6917 drm/radeon: fix uninitialized variable
6919 Without this fix the driver randomly treats
6920 textures as arrays and I'm really wondering
6921 why gcc isn't complaining about it.
6923 Signed-off-by: Christian König <deathsimple@vodafone.de>
6924 Reviewed-by: Jerome Glisse <jglisse@redhat.com>
6925 Signed-off-by: Dave Airlie <airlied@redhat.com>
6927 commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
6928 Author: H. Peter Anvin <hpa@zytor.com>
6929 Date: Fri Mar 2 10:43:48 2012 -0800
6931 regset: Prevent null pointer reference on readonly regsets
6933 The regset common infrastructure assumed that regsets would always
6934 have .get and .set methods, but not necessarily .active methods.
6935 Unfortunately people have since written regsets without .set methods.
6937 Rather than putting in stub functions everywhere, handle regsets with
6938 null .get or .set methods explicitly.
6940 Signed-off-by: H. Peter Anvin <hpa@zytor.com>
6941 Reviewed-by: Oleg Nesterov <oleg@redhat.com>
6942 Acked-by: Roland McGrath <roland@hack.frob.com>
6943 Cc: <stable@vger.kernel.org>
6944 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6946 commit 072ddd99401c79b53c6bf6bff9deb93022124c79
6947 Author: Brad Spengler <spender@grsecurity.net>
6948 Date: Mon Mar 5 18:12:57 2012 -0500
6950 Fix compiler errors reported on forums
6952 commit 1606774b48af24e6f99d99c624c0e447d4b66474
6953 Merge: 3127bd5 4ca2ffd
6954 Author: Brad Spengler <spender@grsecurity.net>
6955 Date: Mon Mar 5 17:31:35 2012 -0500
6957 Merge branch 'pax-test' into grsec-test
6959 commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
6960 Author: Brad Spengler <spender@grsecurity.net>
6961 Date: Mon Mar 5 17:31:21 2012 -0500
6963 Update to pax-linux-3.2.9-test20.patch
6965 commit 3127bd581a292966b1057c7433219dac188c3720
6966 Author: Brad Spengler <spender@grsecurity.net>
6967 Date: Fri Mar 2 21:30:37 2012 -0500
6969 Fix memory leak on logged exec_id check failure in /proc/pid/statm
6970 Thanks to Djalal Harouni for the report
6972 commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
6973 Merge: 0a56be8 9aa8288
6974 Author: Brad Spengler <spender@grsecurity.net>
6975 Date: Fri Mar 2 18:38:22 2012 -0500
6977 Merge branch 'pax-test' into grsec-test
6979 commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
6980 Author: Brad Spengler <spender@grsecurity.net>
6981 Date: Fri Mar 2 18:37:43 2012 -0500
6983 Update to pax-linux-3.2.9-test19.patch
6985 commit 0a56be884bbd7ce733cac0b879c45383494d73b0
6986 Merge: 9e66745 3f5c52a
6987 Author: Brad Spengler <spender@grsecurity.net>
6988 Date: Thu Mar 1 20:18:01 2012 -0500
6990 Merge branch 'pax-test' into grsec-test
6992 commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
6993 Author: Brad Spengler <spender@grsecurity.net>
6994 Date: Thu Mar 1 20:16:56 2012 -0500
6996 Update to pax-linux-3.2.9-test18.patch
6998 commit ae53ec231d12719a36bf871f8c5841020ed692ee
6999 Merge: b255baf 44fb317
7000 Author: Brad Spengler <spender@grsecurity.net>
7001 Date: Thu Mar 1 20:15:31 2012 -0500
7003 Merge branch 'linux-3.2.y' into pax-test
7005 commit 9e667456c03eadea2f305be761abe4de9a5877a3
7006 Merge: 5e4e200 b255baf
7007 Author: Brad Spengler <spender@grsecurity.net>
7008 Date: Mon Feb 27 20:53:59 2012 -0500
7010 Merge branch 'pax-test' into grsec-test
7012 commit b255baf50365d39b406f43aab2c64745607baaa2
7013 Merge: 340ce90 1de504e
7014 Author: Brad Spengler <spender@grsecurity.net>
7015 Date: Mon Feb 27 20:53:29 2012 -0500
7017 Merge branch 'linux-3.2.y' into pax-test
7018 Update to pax-linux-3.2.8-test17.patch
7021 arch/x86/include/asm/i387.h
7022 arch/x86/kernel/process_32.c
7023 arch/x86/kernel/traps.c
7025 commit 5e4e200ac530452884b625cb75de240e1e98c731
7026 Merge: 44306d7 340ce90
7027 Author: Brad Spengler <spender@grsecurity.net>
7028 Date: Mon Feb 27 18:02:13 2012 -0500
7030 Merge branch 'pax-test' into grsec-test
7032 commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
7033 Author: Brad Spengler <spender@grsecurity.net>
7034 Date: Mon Feb 27 18:01:48 2012 -0500
7036 Update to pax-linux-3.2.7-test17.patch
7038 commit 44306d7b3097f77e73040dd25f4f6750751bae7a
7039 Merge: 29d0b07 521c411
7040 Author: Brad Spengler <spender@grsecurity.net>
7041 Date: Sun Feb 26 19:04:15 2012 -0500
7043 Merge branch 'pax-test' into grsec-test
7048 commit 521c411bb4ca66ce01146fde8bac9dd22414076d
7049 Author: Brad Spengler <spender@grsecurity.net>
7050 Date: Sun Feb 26 19:03:33 2012 -0500
7052 Update to pax-linux-3.2.7-test16.patch
7054 commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
7055 Author: Brad Spengler <spender@grsecurity.net>
7056 Date: Sun Feb 26 17:12:44 2012 -0500
7060 commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
7061 Merge: f45b3be caa8f83
7062 Author: Brad Spengler <spender@grsecurity.net>
7063 Date: Sat Feb 25 20:59:27 2012 -0500
7065 Merge branch 'pax-test' into grsec-test
7067 commit caa8f83456c4d0b204beefffaa1d1993f2348d08
7068 Author: Brad Spengler <spender@grsecurity.net>
7069 Date: Sat Feb 25 20:59:12 2012 -0500
7071 Update to pax-linux-3.2.7-test15.patch
7073 commit f45b3be34a345502a302e736af9a65742ddef7cb
7074 Merge: 62f35fd 9f1309b
7075 Author: Brad Spengler <spender@grsecurity.net>
7076 Date: Sat Feb 25 11:40:15 2012 -0500
7078 Merge branch 'pax-test' into grsec-test
7080 commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
7081 Author: Brad Spengler <spender@grsecurity.net>
7082 Date: Sat Feb 25 11:39:57 2012 -0500
7084 Update to pax-linux-3.2.7-test14.patch
7086 commit 62f35fdbecc58f2988fe13638d907b87a15776bb
7087 Author: Brad Spengler <spender@grsecurity.net>
7088 Date: Sat Feb 25 09:08:55 2012 -0500
7090 We could log on attempted exploits of writing /proc/self/mem, but the current
7091 log function declares the access a read, so just swap the ordering for now
7093 commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
7094 Author: Brad Spengler <spender@grsecurity.net>
7095 Date: Sat Feb 25 08:46:14 2012 -0500
7097 Log /proc/pid/mem attempts
7099 commit 674471e581893a94d475acac3e3c4496209b3ac9
7100 Author: Brad Spengler <spender@grsecurity.net>
7101 Date: Sat Feb 25 08:15:00 2012 -0500
7103 Make use of f_version for protecting /proc file structs (fine since we're not a directory
7106 commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
7107 Author: Brad Spengler <spender@grsecurity.net>
7108 Date: Fri Feb 24 20:02:19 2012 -0500
7110 Fix ia64 compilation
7112 commit 50dfea412fd395e0183c2ade368efa525d38b267
7113 Merge: 12db845 4c6f99b
7114 Author: Brad Spengler <spender@grsecurity.net>
7115 Date: Fri Feb 24 19:00:53 2012 -0500
7117 Merge branch 'pax-test' into grsec-test
7119 commit 4c6f99bf338e03966356b147d0360cb3b522a44f
7120 Author: Brad Spengler <spender@grsecurity.net>
7121 Date: Fri Feb 24 19:00:36 2012 -0500
7123 (6:57:09 PM) pipacs: but you can be proactive
7124 (Fix other-arch atomic64/REFCOUNT compilation failures)
7126 commit 12db8453f6bb0a756f369c9151668ba1249bc478
7127 Author: Brad Spengler <spender@grsecurity.net>
7128 Date: Thu Feb 23 21:10:12 2012 -0500
7130 Remove unnecessary copies, as suggested by solar
7132 commit cc02cab84368467ea03cb35f861a8a7092d91ab4
7133 Author: Brad Spengler <spender@grsecurity.net>
7134 Date: Thu Feb 23 20:59:35 2012 -0500
7136 Make global_exec_counter static, as suggested by solar
7138 commit e642091a475ebb3a30e81f85e7751233d0c2af43
7139 Author: Brad Spengler <spender@grsecurity.net>
7140 Date: Thu Feb 23 19:00:26 2012 -0500
7142 sync with stable tree
7144 commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
7145 Author: Brad Spengler <spender@grsecurity.net>
7146 Date: Thu Feb 23 18:48:47 2012 -0500
7148 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
7149 Remove handling of old kludge in chmod/fchmod
7151 commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
7152 Author: Brad Spengler <spender@grsecurity.net>
7153 Date: Thu Feb 23 18:18:49 2012 -0500
7155 Apply umask checks to chmod/fchmod as well, as requested by sponsor
7156 Union the enforced umask with the existing one to produce minimal privilege
7157 Change umask type to u16
7159 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
7160 Author: Brad Spengler <spender@grsecurity.net>
7161 Date: Wed Feb 22 18:16:11 2012 -0500
7163 Add per-role umask enforcement to RBAC, requested by a sponsor
7165 commit ad5ac943fe58199f1cc475912a39edb157acb77b
7166 Merge: dda0bb5 41722e3
7167 Author: Brad Spengler <spender@grsecurity.net>
7168 Date: Mon Feb 20 20:04:42 2012 -0500
7170 Merge branch 'pax-test' into grsec-test
7172 commit 41722e342e116d95f3d3556d66c97c888d752d39
7173 Author: Brad Spengler <spender@grsecurity.net>
7174 Date: Mon Feb 20 20:04:00 2012 -0500
7176 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
7179 commit dda0bb57137846a476a866c60db2681aaf6052c0
7180 Merge: 4fd554e d70927a
7181 Author: Brad Spengler <spender@grsecurity.net>
7182 Date: Mon Feb 20 20:01:41 2012 -0500
7184 Merge branch 'pax-test' into grsec-test
7186 commit d70927afec977d489a54c106a3c3ddc32e953050
7187 Merge: 1daebf1 9d0231c
7188 Author: Brad Spengler <spender@grsecurity.net>
7189 Date: Mon Feb 20 20:01:33 2012 -0500
7191 Merge branch 'linux-3.2.y' into pax-test
7193 commit 4fd554e3a097b22c5049fcdc423897477deff5ef
7194 Author: Brad Spengler <spender@grsecurity.net>
7195 Date: Mon Feb 20 09:17:57 2012 -0500
7197 Fix wrong logic on capability checks for switching roles, broke policies
7198 Thanks to Richard Kojedzinszky for reporting
7200 commit 12f97d52ac603f24344f8d71569c412a307e9422
7201 Author: Brad Spengler <spender@grsecurity.net>
7202 Date: Thu Feb 16 21:20:10 2012 -0500
7206 commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
7207 Author: Brad Spengler <spender@grsecurity.net>
7208 Date: Thu Feb 16 18:38:32 2012 -0500
7210 Update configuration help and name for GRKERNSEC_PROC_MEMMAP
7212 commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
7213 Author: Brad Spengler <spender@grsecurity.net>
7214 Date: Thu Feb 16 18:18:01 2012 -0500
7216 optimize the check a bit
7218 commit 03159050f64989be44ae03be769cbed62a7cd2e5
7219 Author: Brad Spengler <spender@grsecurity.net>
7220 Date: Thu Feb 16 18:00:45 2012 -0500
7223 (limit argv+env to 1MB for suid/sgid binaries)
7225 commit dd759d8800d225a397e4de49fe729c7d601298d2
7226 Author: Brad Spengler <spender@grsecurity.net>
7227 Date: Thu Feb 16 17:49:33 2012 -0500
7229 Address Space Protection -> Memory Protections (suggested on IRC for consistency)
7231 commit 4de635bda8ebfb85312e3bf851bdbff93de400da
7232 Author: Brad Spengler <spender@grsecurity.net>
7233 Date: Thu Feb 16 17:45:06 2012 -0500
7235 Change the long long type for exec_id to the proper u64
7237 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
7238 Author: Dan Carpenter <dan.carpenter@oracle.com>
7239 Date: Thu Feb 9 00:46:47 2012 +0000
7241 isdn: type bug in isdn_net_header()
7243 We use len to store the return value from eth_header(). eth_header()
7244 can return -ETH_HLEN (-14). We want to pass this back instead of
7245 truncating it to 65522 and returning that.
7247 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
7248 Acked-by: Neil Horman <nhorman@tuxdriver.com>
7249 Signed-off-by: David S. Miller <davem@davemloft.net>
7251 commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
7252 Author: Heiko Carstens <heiko.carstens@de.ibm.com>
7253 Date: Sat Feb 4 10:47:10 2012 +0100
7255 exec: fix use-after-free bug in setup_new_exec()
7257 Setting the task name is done within setup_new_exec() by accessing
7258 bprm->filename. However this happens after flush_old_exec().
7259 This may result in a use after free bug, flush_old_exec() may
7260 "complete" vfork_done, which will wake up the parent which in turn
7261 may free the passed in filename.
7262 To fix this add a new tcomm field in struct linux_binprm which
7263 contains the now early generated task name until it is used.
7265 Fixes this bug on s390:
7267 Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
7268 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
7269 Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
7271 ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
7272 [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
7273 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
7274 [<0000000000282b6c>] do_execve_common+0x410/0x514
7275 [<0000000000282cb6>] do_execve+0x46/0x58
7276 [<00000000005bce58>] kernel_execve+0x28/0x70
7277 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
7278 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
7279 [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
7280 Last Breaking-Event-Address:
7281 [<00000000002830f0>] setup_new_exec+0x2fc/0x374
7283 Kernel panic - not syncing: Fatal exception: panic_on_oops
7285 Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
7286 Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
7287 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7289 commit d758ee9f5230893dabb5aab737b3109684bde196
7290 Author: Dan Carpenter <dan.carpenter@oracle.com>
7291 Date: Fri Feb 10 09:03:58 2012 +0100
7293 relay: prevent integer overflow in relay_open()
7295 "subbuf_size" and "n_subbufs" come from the user and they need to be
7296 capped to prevent an integer overflow.
7298 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
7299 Cc: stable@kernel.org
7300 Signed-off-by: Jens Axboe <axboe@kernel.dk>
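The capping described in the relay_open() commit above, as a stand-alone user-space example added here; it is not the kernel's code and not part of the commit. The function names and the 32-bit size type are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked total size: both factors are caller-supplied, and the
 * 32-bit product silently wraps modulo 2^32. (Hypothetical helper.) */
static uint32_t total_size_unchecked(uint32_t subbuf_size, uint32_t n_subbufs)
{
    return subbuf_size * n_subbufs;
}

/* Checked total size: reject zero factors and any pair whose product
 * does not fit in 32 bits. The division is done before multiplying,
 * so the test itself cannot overflow.
 * Returns 0 and stores the size on success, -1 if rejected. */
static int total_size_checked(uint32_t subbuf_size, uint32_t n_subbufs,
                              uint32_t *total)
{
    if (subbuf_size == 0 || n_subbufs == 0)
        return -1;
    if (subbuf_size > UINT32_MAX / n_subbufs)
        return -1;
    *total = subbuf_size * n_subbufs;
    return 0;
}

/* Number of whole sub-buffers an allocation of `total` bytes can back. */
static uint32_t subbufs_backed(uint32_t total, uint32_t subbuf_size)
{
    return subbuf_size ? total / subbuf_size : 0;
}

int main(void)
{
    /* Constructed sample request: 65536-byte sub-buffers, 65537 of them. */
    uint32_t subbuf_size = 0x10000u, n_subbufs = 0x10001u, total = 0;

    uint32_t wrapped = total_size_unchecked(subbuf_size, n_subbufs);
    printf("unchecked: %" PRIu32 " bytes allocated, backs %" PRIu32
           " of %" PRIu32 " sub-buffers\n",
           wrapped, subbufs_backed(wrapped, subbuf_size), n_subbufs);

    if (total_size_checked(subbuf_size, n_subbufs, &total) != 0)
        printf("checked: request rejected before allocation\n");

    if (total_size_checked(4096, 8, &total) == 0)
        printf("checked: 4096 x 8 accepted, %" PRIu32 " bytes\n", total);
    return 0;
}
```

With the unchecked form, later code that still iterates over `n_subbufs` sub-buffers works on a buffer sized for only one of them, which is why the bound has to be enforced before the multiplication.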
7302 commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
7303 Merge: b1baadf 1daebf1
7304 Author: Brad Spengler <spender@grsecurity.net>
7305 Date: Mon Feb 13 17:47:04 2012 -0500
7307 Merge branch 'pax-test' into grsec-test
7312 commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
7313 Merge: 1413df2 c2db2e2
7314 Author: Brad Spengler <spender@grsecurity.net>
7315 Date: Mon Feb 13 17:45:54 2012 -0500
7317 Merge branch 'linux-3.2.y' into pax-test
7319 commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
7320 Author: Brad Spengler <spender@grsecurity.net>
7321 Date: Sun Feb 12 16:44:05 2012 -0500
7323 add missing declaration
7325 commit 3981059c35e8463002517935c28f3d74b8e3703c
7326 Author: Brad Spengler <spender@grsecurity.net>
7327 Date: Sun Feb 12 16:36:04 2012 -0500
7329 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
7330 in addition to existing checks (this handles the setresuid ruid = euid case)
7332 commit 0beab03263c773f463412c350ad9064b44b6ede0
7333 Author: Brad Spengler <spender@grsecurity.net>
7334 Date: Sun Feb 12 16:13:40 2012 -0500
7336 Revert setreuid changes when RBAC is enabled, breaks freeradius
7337 I'll fix the learning issue Lavish reported a different way through
7340 This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
7342 commit 0c61cb1cfbbfec7d07647268c922d51434d22621
7343 Author: Brad Spengler <spender@grsecurity.net>
7344 Date: Sat Feb 11 14:22:46 2012 -0500
7346 copy exec_id on fork
7348 commit 000c08e0890630086b2ed04084050ed856a7ec31
7349 Author: Brad Spengler <spender@grsecurity.net>
7350 Date: Fri Feb 10 20:00:36 2012 -0500
7354 commit 54b8c8f54484e5ee18040657827158bc4b63bccc
7355 Author: Brad Spengler <spender@grsecurity.net>
7356 Date: Fri Feb 10 19:19:52 2012 -0500
7358 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
7359 denies reading of sensitive /proc/pid entries where the file descriptor
7360 was opened in a different task than the one performing the read
7362 commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
7363 Author: Brad Spengler <spender@grsecurity.net>
7364 Date: Fri Feb 10 17:43:24 2012 -0500
7366 Remove duplicate signal check
7368 commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
7369 Merge: 4eba97e 1413df2
7370 Author: Brad Spengler <spender@grsecurity.net>
7371 Date: Wed Feb 8 19:24:34 2012 -0500
7373 Merge branch 'pax-test' into grsec-test
7375 commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
7376 Author: Brad Spengler <spender@grsecurity.net>
7377 Date: Wed Feb 8 19:24:08 2012 -0500
7379 Merge changes from pax-linux-3.2.4-test11.patch
7381 commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
7382 Merge: 0e058dd 8dd90a2
7383 Author: Brad Spengler <spender@grsecurity.net>
7384 Date: Mon Feb 6 17:50:12 2012 -0500
7386 Merge branch 'pax-test' into grsec-test
7388 commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
7389 Author: Brad Spengler <spender@grsecurity.net>
7390 Date: Mon Feb 6 17:49:07 2012 -0500
7392 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
7394 commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
7395 Merge: 7e4169c 6133971
7396 Author: Brad Spengler <spender@grsecurity.net>
7397 Date: Mon Feb 6 17:48:57 2012 -0500
7399 Merge branch 'linux-3.2.y' into pax-test
7401 commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
7402 Author: Brad Spengler <spender@grsecurity.net>
7403 Date: Sun Feb 5 19:24:45 2012 -0500
7405 We now allow configurations with no PaX markings, giving the system no way to override the defaults
7407 commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
7408 Author: Brad Spengler <spender@grsecurity.net>
7409 Date: Sun Feb 5 10:01:23 2012 -0500
7411 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
7413 commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
7414 Author: Brad Spengler <spender@grsecurity.net>
7415 Date: Sat Feb 4 21:01:16 2012 -0500
7417 Improve security of ptrace-based monitoring/sandboxing
7419 http://article.gmane.org/gmane.linux.kernel.lsm/15156
7421 commit ca4ca5a1027b41f9528794e52a53ce9c47926101
7422 Author: Brad Spengler <spender@grsecurity.net>
7423 Date: Fri Feb 3 20:42:55 2012 -0500
7427 commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
7428 Author: Brad Spengler <spender@grsecurity.net>
7429 Date: Fri Feb 3 20:25:38 2012 -0500
7431 Reported by lavish on IRC:
7432 If a suid/sgid binary did not learn any setuid/setgid call during learning,
7433 we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
7434 any restrictions on uid/gid changes. uid and gid can however be changed
7435 within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
7439 POSIX doesn't specify whether unprivileged users can perform the above
7440 setresuid/setresgid as an unprivileged user, though Linux has historically
7441 permitted them. Modify this behavior when RBAC is enabled to require
7442 CAP_SETUID/CAP_SETGID for these operations.
7444 Thanks to Lavish for the report!
7450 commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
7451 Merge: ba586eb 7e4169c
7452 Author: Brad Spengler <spender@grsecurity.net>
7453 Date: Fri Feb 3 20:10:21 2012 -0500
7455 Merge branch 'pax-test' into grsec-test
7457 commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
7458 Author: Brad Spengler <spender@grsecurity.net>
7459 Date: Fri Feb 3 20:10:05 2012 -0500
7461 Merge changes from pax-linux-3.2.4-test9.patch
7463 commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
7464 Author: Christopher Yeoh <cyeoh@au1.ibm.com>
7465 Date: Thu Feb 2 11:34:09 2012 +1030
7467 Fix race in process_vm_rw_core
7469 This fixes the race in process_vm_core found by Oleg (see
7471 http://article.gmane.org/gmane.linux.kernel/1235667/
7475 This has been updated since I last sent it as the creation of the new
7476 mm_access() function did almost exactly the same thing as parts of the
7477 previous version of this patch did.
7479 In order to use mm_access() even when /proc isn't enabled, we move it to
7480 kernel/fork.c where other related process mm access functions already
7483 Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
7484 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7489 mm/process_vm_access.c
7491 commit b9194d60fb9fe579f5c34817ed822abde18939a0
7492 Author: Oleg Nesterov <oleg@redhat.com>
7493 Date: Tue Jan 31 17:15:11 2012 +0100
7495 proc: make sure mem_open() doesn't pin the target's memory
7497 Once /proc/pid/mem is opened, the memory can't be released until
7498 mem_release() even if its owner exits.
7500 Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
7501 pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
7502 before access_remote_vm(), this verifies that this mm is still alive.
7504 I am not sure what should mem_rw() return if atomic_inc_not_zero()
7505 fails. With this patch it returns zero to match the "mm == NULL" case,
7506 maybe it should return -EINVAL like it did before e268337d.
7508 Perhaps it makes sense to add the additional fatal_signal_pending()
7509 check into the main loop, to ensure we do not hold this memory if
7510 the target task was oom-killed.
7512 Cc: stable@kernel.org
7513 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
7514 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7516 commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
7517 Author: Oleg Nesterov <oleg@redhat.com>
7518 Date: Tue Jan 31 17:14:38 2012 +0100
7520 proc: mem_release() should check mm != NULL
7522 mem_release() can hit mm == NULL, add the necessary check.
7524 Cc: stable@kernel.org
7525 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
7526 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7528 commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
7529 Author: Oleg Nesterov <oleg@redhat.com>
7530 Date: Tue Jan 31 17:14:54 2012 +0100
7532 note: redisabled mem_write
7534 proc: unify mem_read() and mem_write()
7536 No functional changes, cleanup and preparation.
7538 mem_read() and mem_write() are very similar. Move this code into the
7539 new common helper, mem_rw(), which takes the additional "int write"
7542 Cc: stable@kernel.org
7543 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
7544 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7550 commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
7551 Merge: 3903f01 01fee18
7552 Author: Brad Spengler <spender@grsecurity.net>
7553 Date: Fri Feb 3 19:50:40 2012 -0500
7555 Merge branch 'pax-test' into grsec-test
7557 commit 01fee1851aef26b898ccba5312cabf1f919b74cb
7558 Author: Brad Spengler <spender@grsecurity.net>
7559 Date: Fri Feb 3 19:49:46 2012 -0500
7561 Merge changes from pax-linux-3.2.4-test8.patch
7563 commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
7564 Merge: 201c0db 141936c
7565 Author: Brad Spengler <spender@grsecurity.net>
7566 Date: Fri Feb 3 19:49:01 2012 -0500
7568 Merge branch 'linux-3.2.y' into pax-test
7570 commit 3903f0172ecadf7a575ba3535402a1506133640a
7571 Author: Brad Spengler <spender@grsecurity.net>
7572 Date: Mon Jan 30 23:26:44 2012 -0500
7574 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
7576 We'll whitelist required directories for compatibility instead of requiring
7577 that people disable the feature entirely if they use SELinux, fuse, etc
7583 commit e3618feaa7e63807f1b88c199882075b3ec9bd05
7584 Author: Brad Spengler <spender@grsecurity.net>
7585 Date: Sun Jan 29 01:12:19 2012 -0500
7587 perform RBAC check if TPE is on but match fails, matches previous behavior
7589 commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
7590 Author: Brad Spengler <spender@grsecurity.net>
7591 Date: Sat Jan 28 13:17:06 2012 -0500
7593 log more information about the reason for a TPE denial for novice users, requested by a sponsor
7595 commit efefd67008cbad8a8591e2484410966a300a39a5
7596 Author: Brad Spengler <spender@grsecurity.net>
7597 Date: Fri Jan 27 19:58:53 2012 -0500
7599 merge upstream sha512 changes
7601 commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
7602 Author: Brad Spengler <spender@grsecurity.net>
7603 Date: Fri Jan 27 19:49:07 2012 -0500
7605 drop lock on error in xfs_readlink
7607 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
7609 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
7610 Author: Li Wang <liwang@nudt.edu.cn>
7611 Date: Thu Jan 19 09:44:36 2012 +0800
7613 eCryptfs: Infinite loop due to overflow in ecryptfs_write()
7615 ecryptfs_write() can enter an infinite loop when truncating a file to a
7616 size larger than 4G. This only happens on architectures where size_t is
7617 represented by 32 bits.
7619 This was caused by a size_t overflow due to it incorrectly being used to
7620 store the result of a calculation which uses potentially large values of
7623 [tyhicks@canonical.com: rewrite subject and commit message]
7624 Signed-off-by: Li Wang <liwang@nudt.edu.cn>
7625 Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
7626 Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
7627 Cc: <stable@vger.kernel.org>
7628 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
7630 commit a7607747d0f74f357d78bb796d70635dd05f46e8
7631 Author: Tyler Hicks <tyhicks@canonical.com>
7632 Date: Thu Jan 19 20:33:44 2012 -0600
7634 eCryptfs: Check inode changes in setattr
7636 Most filesystems call inode_change_ok() very early in ->setattr(), but
7637 eCryptfs didn't call it at all. It allowed the lower filesystem to make
7638 the call in its ->setattr() function. Then, eCryptfs would copy the
7639 appropriate inode attributes from the lower inode to the eCryptfs inode.
7641 This patch changes that and actually calls inode_change_ok() on the
7642 eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
7643 would happen earlier in ecryptfs_setattr(), but there are some possible
7644 inode initialization steps that must happen first.
7646 Since the call was already being made on the lower inode, the change in
7647 functionality should be minimal, except for the case of a file extending
7648 truncate call. In that case, inode_newsize_ok() was never being
7649 called on the eCryptfs inode. Rather than inode_newsize_ok() catching
7650 maximum file size errors early on, eCryptfs would encrypt zeroed pages
7651 and write them to the lower filesystem until the lower filesystem's
7652 write path caught the error in generic_write_checks(). This patch
7653 introduces a new function, called ecryptfs_inode_newsize_ok(), which
7654 checks if the new lower file size is within the appropriate limits when
7655 the truncate operation will be growing the lower file.
7657 In summary this change prevents eCryptfs truncate operations (and the
7658 resulting page encryptions), which would exceed the lower filesystem
7659 limits or FSIZE rlimits, from ever starting.
7661 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
7662 Reviewed-by: Li Wang <liwang@nudt.edu.cn>
7663 Cc: <stable@vger.kernel.org>
7665 commit 0d96f190a39505254ace4e9330219aaeda9b64e3
7666 Author: Tyler Hicks <tyhicks@canonical.com>
7667 Date: Wed Jan 18 18:30:04 2012 -0600
7669 eCryptfs: Make truncate path killable
7671 ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
7672 page, zeroes out the appropriate portions, and then encrypts the page
7673 before writing it to the lower filesystem. It was unkillable and due to
7674 the lack of sparse file support could result in tying up a large portion
7675 of system resources, while encrypting pages of zeros, with no way for
7676 the truncate operation to be stopped from userspace.
7678 This patch adds the ability for ecryptfs_write() to detect a pending
7679 fatal signal and return as gracefully as possible. The intent is to
7680 leave the lower file in a useable state, while still allowing a user to
7681 break out of the encryption loop. If a pending fatal signal is detected,
7682 the eCryptfs inode size is updated to reflect the modified inode size
7683 and then -EINTR is returned.
7685 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
7686 Cc: <stable@vger.kernel.org>
7688 commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
7689 Author: Tyler Hicks <tyhicks@canonical.com>
7690 Date: Tue Jan 24 10:02:22 2012 -0600
7692 eCryptfs: Fix oops when printing debug info in extent crypto functions
7694 If pages passed to the eCryptfs extent-based crypto functions are not
7695 mapped and the module parameter ecryptfs_verbosity=1 was specified at
7696 loading time, a NULL pointer dereference will occur.
7698 Note that this wouldn't happen on a production system, as you wouldn't
7699 pass ecryptfs_verbosity=1 on a production system. It leaks private
7700 information to the system logs and is for debugging only.
7702 The debugging info printed in these messages is no longer very useful
7703 and rather than doing a kmap() in these debugging paths, it will be
7704 better to simply remove the debugging paths completely.
7706 https://launchpad.net/bugs/913651
7708 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
7709 Reported-by: Daniel DeFreez
7710 Cc: <stable@vger.kernel.org>
7712 commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
7713 Author: Tyler Hicks <tyhicks@canonical.com>
7714 Date: Thu Jan 12 11:30:44 2012 +0100
7716 eCryptfs: Sanitize write counts of /dev/ecryptfs
7718 A malicious count value specified when writing to /dev/ecryptfs may
7719 result in a very large kernel memory allocation.
7721 This patch peeks at the specified packet payload size, adds that to the
7722 size of the packet headers and compares the result with the write count
7723 value. The resulting maximum memory allocation size is approximately 532
7726 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
7727 Reported-by: Sasha Levin <levinsasha928@gmail.com>
7728 Cc: <stable@vger.kernel.org>
7730 commit 96dcb7282d323813181a1791f51c0ab7696b675b
7731 Merge: 6c09fa5 201c0db
7732 Author: Brad Spengler <spender@grsecurity.net>
7733 Date: Fri Jan 27 19:44:15 2012 -0500
7735 Merge branch 'pax-test' into grsec-test
7737 commit 201c0dbf177527367676028151e36d340923f033
7738 Author: Brad Spengler <spender@grsecurity.net>
7739 Date: Fri Jan 27 19:43:24 2012 -0500
7741 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
7742 on loading modules with empty sections
7744 commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
7745 Author: Brad Spengler <spender@grsecurity.net>
7746 Date: Fri Jan 27 19:42:13 2012 -0500
7750 commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
7751 Author: Brad Spengler <spender@grsecurity.net>
7752 Date: Fri Jan 27 19:39:28 2012 -0500
7754 use LSM flags instead of duplicating checks
7756 commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
7757 Merge: 44b9f11 558718b
7758 Author: Brad Spengler <spender@grsecurity.net>
7759 Date: Fri Jan 27 18:56:23 2012 -0500
7761 Merge branch 'pax-test' into grsec-test
7763 commit 558718b2217beff69edf60f34a6f9893d910e9ac
7764 Author: Brad Spengler <spender@grsecurity.net>
7765 Date: Fri Jan 27 18:56:04 2012 -0500
7767 Merge changes from pax-linux-3.2.2-test6.patch
7769 commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
7770 Author: Brad Spengler <spender@grsecurity.net>
7771 Date: Fri Jan 27 18:53:55 2012 -0500
7773 don't increase the size of task_struct when unnecessary
7774 change ptrace_readexec log message
7776 commit a9c9626e054adb885883aa64f85506852894dd33
7777 Author: Brad Spengler <spender@grsecurity.net>
7778 Date: Fri Jan 27 18:16:28 2012 -0500
7780 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
7781 the protection applies to all unreadable binaries.
7783 commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
7784 Merge: 7b3f3af 05a1349
7785 Author: Brad Spengler <spender@grsecurity.net>
7786 Date: Wed Jan 25 20:52:09 2012 -0500
7788 Merge branch 'pax-test' into grsec-test
7795 commit 05a134966efb9cb9346ad3422888969ffc79ac1d
7796 Author: Brad Spengler <spender@grsecurity.net>
7797 Date: Wed Jan 25 20:47:36 2012 -0500
7799 Resync with pax-linux-3.2.2-test5.patch
7801 commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
7802 Merge: c6d443d 3499d64
7803 Author: Brad Spengler <spender@grsecurity.net>
7804 Date: Wed Jan 25 20:45:16 2012 -0500
7806 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
7811 commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
7812 Author: Brad Spengler <spender@grsecurity.net>
7813 Date: Tue Jan 24 19:42:01 2012 -0500
7815 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
7816 (may be changed if it breaks some userland), the other has its own
7819 First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
7820 the syscall or /proc/sys.
7822 Second feature requires read access to a suid/sgid binary in order
7823 to ptrace it, preventing infoleaking of binaries in situations where
7824 the admin has specified 4711 or 2711 perms. Feature has been
7825 given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
7826 a sysctl entry of ptrace_readexec
7828 commit 11a7bb25c411c9dccfdca5718639b4becdffd388
7829 Author: Brad Spengler <spender@grsecurity.net>
7830 Date: Sun Jan 22 14:37:10 2012 -0500
7834 commit cd400e21c7c352baba47d6f375297a7847afb33a
7835 Author: Brad Spengler <spender@grsecurity.net>
7836 Date: Sun Jan 22 14:20:27 2012 -0500
7838 Initial port of grsecurity 2.2.2 for Linux 3.2.1
7839 Note that the new syscalls added to this kernel for remote process read/write
7840 are subject to ptrace hardening/other relevant RBAC features
7841 /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
7843 pax_track_stack has been removed from support for this kernel -- if you're running this kernel
7844 you should be using a version of gcc with plugin support
7846 commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
7847 Author: Brad Spengler <spender@grsecurity.net>
7848 Date: Sun Jan 22 11:47:31 2012 -0500
7850 Import pax-linux-3.2.1-test5.patch
7851 commit bfd7db842f835f9837cd43644459b3a95b0b488d
7852 Author: Brad Spengler <spender@grsecurity.net>
7853 Date: Sun Jan 22 11:02:02 2012 -0500
7855 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
7856 instead of returning -EACCES
7857 thanks to Wraith from irc for the report
7859 commit 873ac13576506cd48ddb527c2540f274e249da50
7860 Merge: 34083dd 8a44fcc
7861 Author: Brad Spengler <spender@grsecurity.net>
7862 Date: Fri Jan 20 18:04:02 2012 -0500
7864 Merge branch 'pax-test' into grsec-test
7866 commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
7867 Author: Brad Spengler <spender@grsecurity.net>
7868 Date: Fri Jan 20 18:02:15 2012 -0500
7870 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
7871 Denies executable shared memory when MPROTECT is active
7872 Fixes ia32 emulation crash on 64bit host introduced in a recent patch
7874 commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
7875 Author: Brad Spengler <spender@grsecurity.net>
7876 Date: Thu Jan 19 20:23:14 2012 -0500
7878 Introduce new GRKERNSEC_SETXID implementation
7879 We're not able to change the credentials of other threads in the process until at most
7880 one syscall after the first thread does it, since we mark the threads as needing rescheduling
7881 and such work occurs on syscall exit.
7882 This does however ensure that we're only modifying the current task's credentials
7883 which upholds RCU expectations
7885 Many thanks to corsac for testing
7887 commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
7888 Author: Brad Spengler <spender@grsecurity.net>
7889 Date: Thu Jan 19 17:42:48 2012 -0500
7893 commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
7894 Author: Brad Spengler <spender@grsecurity.net>
7895 Date: Thu Jan 19 17:08:16 2012 -0500
7897 Commit the latest silent fix for a local privilege escalation from Linus
7898 Also disable writing to /proc/pid/mem
7899 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
7901 commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
7902 Merge: 0394a3f 7e6299b
7903 Author: Brad Spengler <spender@grsecurity.net>
7904 Date: Wed Jan 18 20:22:09 2012 -0500
7906 Merge branch 'pax-test' into grsec-test
7908 commit 7e6299b4733c082dde930375dd207b63237751ec
7909 Merge: 83555fb 9bb1282
7910 Author: Brad Spengler <spender@grsecurity.net>
7911 Date: Wed Jan 18 20:21:37 2012 -0500
7913 Merge branch 'linux-3.1.y' into pax-test
7915 commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
7916 Author: Jesper Juhl <jj@chaosbits.net>
7917 Date: Sun Jan 8 22:44:29 2012 +0100
7919 audit: always follow va_copy() with va_end()
7921 A call to va_copy() should always be followed by a call to va_end() in
7922 the same function. In kernel/audit.c::audit_log_vformat() this is not
7923 always done. This patch makes sure va_end() is always called.
7925 Signed-off-by: Jesper Juhl <jj@chaosbits.net>
7926 Cc: Al Viro <viro@zeniv.linux.org.uk>
7927 Cc: Eric Paris <eparis@redhat.com>
7928 Cc: Andrew Morton <akpm@linux-foundation.org>
7929 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7931 commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
7932 Author: Andi Kleen <ak@linux.intel.com>
7933 Date: Thu Jan 12 17:20:30 2012 -0800
7935 panic: don't print redundant backtraces on oops
7937 When an oops causes a panic and panic prints another backtrace it's pretty
7938 common to have the original oops data be scrolled away on a 80x50 screen.
7940 The second backtrace is quite redundant and not needed anyways.
7942 So don't print the panic backtrace when oops_in_progress is true.
7944 [akpm@linux-foundation.org: add comment]
7945 Signed-off-by: Andi Kleen <ak@linux.intel.com>
7946 Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
7947 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
7948 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7950 commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
7951 Author: Miklos Szeredi <mszeredi@suse.cz>
7952 Date: Thu Jan 12 17:59:46 2012 +0100
7954 fsnotify: don't BUG in fsnotify_destroy_mark()
7956 Removing the parent of a watched file results in "kernel BUG at
7957 fs/notify/mark.c:139".
7961 add "-w /tmp/audit/dir/watched_file" to audit.rules
7962 rm -rf /tmp/audit/dir
7964 This is caused by fsnotify_destroy_mark() being called without an
7965 extra reference taken by the caller.
7967 Reported by Francesco Cosoleto here:
7969 https://bugzilla.novell.com/show_bug.cgi?id=689860
7971 Fix by removing the BUG_ON and adding a comment about not accessing mark after
7974 Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
7975 CC: stable@vger.kernel.org
7976 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7978 commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
7979 Author: Paolo Bonzini <pbonzini@redhat.com>
7980 Date: Thu Jan 12 16:01:28 2012 +0100
7982 block: fail SCSI passthrough ioctls on partition devices
7984 Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
7985 will pass the command to the underlying block device. This is
7986 well-known, but it is also a large security problem when (via Unix
7987 permissions, ACLs, SELinux or a combination thereof) a program or user
7988 needs to be granted access only to part of the disk.
7990 This patch lets partitions forward a small set of harmless ioctls;
7991 others are logged with printk so that we can see which ioctls are
7992 actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
7993 Of course it was being sent to a (partition on a) hard disk, so it would
7994 have failed with ENOTTY and the patch isn't changing anything in
7995 practice. Still, I'm treating it specially to avoid spamming the logs.
7997 In principle, this restriction should include programs running with
7998 CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
7999 /dev/sdb, it still should not be able to read/write outside the
8000 boundaries of /dev/sda2 independent of the capabilities. However, for
8001 now programs with CAP_SYS_RAWIO will still be allowed to send the
8002 ioctls. Their actions will still be logged.
8004 This patch does not affect the non-libata IDE driver. That driver
8005 however already tests for bd != bd->bd_contains before issuing some
8006 ioctl; it could be restricted further to forbid these ioctls even for
8007 programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
8009 Cc: linux-scsi@vger.kernel.org
8010 Cc: Jens Axboe <axboe@kernel.dk>
8011 Cc: James Bottomley <JBottomley@parallels.com>
8012 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8013 [ Make it also print the command name when warning - Linus ]
8014 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8016 commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
8017 Author: Paolo Bonzini <pbonzini@redhat.com>
8018 Date: Thu Jan 12 16:01:27 2012 +0100
8020 block: add and use scsi_blk_cmd_ioctl
8022 Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
8024 The function will then be enhanced to detect partition block devices
8025 and, in that case, subject the ioctls to whitelisting.
8027 Cc: linux-scsi@vger.kernel.org
8028 Cc: Jens Axboe <axboe@kernel.dk>
8029 Cc: James Bottomley <JBottomley@parallels.com>
8030 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
8031 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8033 commit 97a79814903fc350e1d13704ea31528a42705401
8034 Author: Kees Cook <keescook@chromium.org>
8035 Date: Sat Jan 7 10:41:04 2012 -0800
8037 audit: treat s_id as an untrusted string
8039 The use of s_id should go through the untrusted string path, just to be
8042 Signed-off-by: Kees Cook <keescook@chromium.org>
8043 Acked-by: Mimi Zohar <zohar@us.ibm.com>
8044 Signed-off-by: Eric Paris <eparis@redhat.com>
8046 commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
8047 Author: Xi Wang <xi.wang@gmail.com>
8048 Date: Tue Dec 20 18:39:41 2011 -0500
8050 audit: fix signedness bug in audit_log_execve_info()
8052 In the loop, a size_t "len" is used to hold the return value of
8053 audit_log_single_execve_arg(), which returns -1 on error. In that
8054 case the error handling (len <= 0) will be bypassed since "len" is
8055 unsigned, and the loop continues with (p += len) being wrapped.
8056 Change the type of "len" to signed int to fix the error handling.
8061 len = audit_log_single_execve_arg(...);
8067 Signed-off-by: Xi Wang <xi.wang@gmail.com>
8068 Signed-off-by: Eric Paris <eparis@redhat.com>
8070 commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
8071 Author: Dan Carpenter <dan.carpenter@oracle.com>
8072 Date: Tue Jan 17 03:28:51 2012 -0300
8074 [media] ds3000: using logical && instead of bitwise &
8076 The intent here was to test if the FE_HAS_LOCK was set. The current
8077 test is equivalent to "if (status) { ..."
8079 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
8080 Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
8082 commit 36522330dc59d2fc70c042f3f081d75c32b6259a
8083 Author: Brad Spengler <spender@grsecurity.net>
8084 Date: Mon Jan 16 13:10:38 2012 -0500
8086 Ignore the 0 signal for protected task RBAC checks
8088 commit d513acd55f7a683f6e146a4f570cdb63300479ab
8089 Author: Brad Spengler <spender@grsecurity.net>
8090 Date: Mon Jan 16 11:56:13 2012 -0500
8094 commit ced261c4b82818c700aff8487f647f6f3e5b5122
8095 Merge: d48751f 83555fb
8096 Author: Brad Spengler <spender@grsecurity.net>
8097 Date: Fri Jan 13 20:12:54 2012 -0500
8099 Merge branch 'pax-test' into grsec-test
8101 commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
8102 Merge: fcd8129 93dad39
8103 Author: Brad Spengler <spender@grsecurity.net>
8104 Date: Fri Jan 13 20:12:43 2012 -0500
8106 Merge branch 'linux-3.1.y' into pax-test
8108 commit d48751f3919ae855fda0ff6c149db82442329253
8109 Author: Brad Spengler <spender@grsecurity.net>
8110 Date: Wed Jan 11 19:05:47 2012 -0500
8112 Call our own set_user when forcing change to new id
8114 commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
8115 Merge: e6578ff fcd8129
8116 Author: Brad Spengler <spender@grsecurity.net>
8117 Date: Tue Jan 10 16:00:10 2012 -0500
8119 Merge branch 'pax-test' into grsec-test
8121 commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
8122 Author: Brad Spengler <spender@grsecurity.net>
8123 Date: Tue Jan 10 15:58:43 2012 -0500
8125 Merge changes from pax-linux-3.1.8-test23.patch
8127 commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
8128 Merge: 8859ec3 a120549
8129 Author: Brad Spengler <spender@grsecurity.net>
8130 Date: Fri Jan 6 21:45:56 2012 -0500
8132 Merge branch 'pax-test' into grsec-test
8134 commit a12054967a77090de1caa07c41e694a77db4e237
8135 Author: Brad Spengler <spender@grsecurity.net>
8136 Date: Fri Jan 6 21:45:30 2012 -0500
8138 Merge changes from pax-linux-3.1.8-test22.patch
8140 commit 8859ec32f9815c274df65448f9f2960176c380d3
8141 Merge: a5016b4 ddd4114
8142 Author: Brad Spengler <spender@grsecurity.net>
8143 Date: Fri Jan 6 21:26:08 2012 -0500
8145 Merge branch 'pax-test' into grsec-test
8151 commit ddd41147e158a79704983a409b7433eba797cf66
8152 Author: Brad Spengler <spender@grsecurity.net>
8153 Date: Fri Jan 6 21:12:42 2012 -0500
8155 Resync with PaX patch (whitespace difference)
8157 commit 29e569df8205c5f0e043fe4803aa984406c8b118
8158 Author: Brad Spengler <spender@grsecurity.net>
8159 Date: Fri Jan 6 21:09:47 2012 -0500
8161 Merge changes from pax-linux-3.1.8-test21.patch
8163 commit a5016b4f9c09c337b17e063a7f369af1e86d944d
8164 Merge: 0124c92 04231d5
8165 Author: Brad Spengler <spender@grsecurity.net>
8166 Date: Fri Jan 6 18:52:20 2012 -0500
8168 Merge branch 'pax-test' into grsec-test
8170 commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
8171 Merge: 7bdddeb a919904
8172 Author: Brad Spengler <spender@grsecurity.net>
8173 Date: Fri Jan 6 18:51:50 2012 -0500
8175 Merge branch 'linux-3.1.y' into pax-test
8180 commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
8181 Author: Brad Spengler <spender@grsecurity.net>
8182 Date: Fri Jan 6 18:33:05 2012 -0500
8184 Make GRKERNSEC_SETXID option compatible with credential debugging
8186 commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
8187 Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
8188 Date: Wed Dec 28 15:57:11 2011 -0800
8190 mm/mempolicy.c: refix mbind_range() vma issue
8192 commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is a
8193 slightly incorrect fix.
8195 Why? Consider the following case.
8197 1. map 4 pages of a file at offset 0
8201 2. map 2 pages just after the first mapping of the same file but with
8206 3. mbind() 2 pages from the first mapping at offset 2.
8207 mbind_range() should treat new vma is,
8219 Oops. Then it makes a wrong vma merge and split ([01][0123] or similar).
8221 This patch fixes it.
8224 test result - before the patch
8226 case4: 126: test failed. expect '2,4', actual '2,2,2'
8231 case_n: 246: test failed. expect '4,2', actual '1,4'
8233 ------------[ cut here ]------------
8234 kernel BUG at mm/filemap.c:135!
8235 invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
8237 (snip long bug on messages)
8239 test result - after the patch
8248 source: mbind_vma_test.c
8249 ============================================================
8252 #include <sys/mman.h>
8258 static unsigned long pagesize;
8260 struct bitmask *nmask;
8263 char retbuf[10240] = "";
8266 char *rubysrc = "ruby -e '\
8270 s = `pmap -q #{pid}`; \
8272 s.each_line {|line|; \
8273 ary=line.split(\" \"); \
8274 addr = ary[0].to_i(16); \
8275 if(vstart <= addr && addr < vend) then \
8276 rary.push(ary[1].to_i()/4); \
8279 print rary.join(\",\"); \
8287 nmask = numa_allocate_nodemask();
8288 numa_bitmask_setbit(nmask, 0);
8290 pagesize = getpagesize();
8292 sprintf(buf, "%s", "mbind_vma_XXXXXX");
8293 mapped_fd = mkstemp(buf);
8294 if (mapped_fd == -1)
8295 perror("mkstemp "), exit(1);
8298 if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
8299 perror("lseek "), exit(1);
8300 if (write(mapped_fd, "\0", 1) < 0)
8301 perror("write "), exit(1);
8303 addr = mmap(NULL, pagesize*8, PROT_NONE,
8304 MAP_SHARED, mapped_fd, 0);
8305 if (addr == MAP_FAILED)
8306 perror("mmap "), exit(1);
8308 if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
8309 perror("mprotect "), exit(1);
8311 mmap_addr = addr + pagesize;
8313 /* make page populate */
8314 memset(mmap_addr, 0, pagesize*6);
8319 void* addr = mmap_addr - pagesize;
8320 munmap(addr, pagesize*8);
8322 memset(buf, 0, sizeof(buf));
8323 memset(retbuf, 0, sizeof(retbuf));
8326 void mem_bind(int index, int len)
8330 err = mbind(mmap_addr+pagesize*index, pagesize*len,
8331 MPOL_BIND, nmask->maskp, nmask->size, 0);
8333 perror("mbind "), exit(err);
8336 void mem_interleave(int index, int len)
8340 err = mbind(mmap_addr+pagesize*index, pagesize*len,
8341 MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
8343 perror("mbind "), exit(err);
8346 void mem_unbind(int index, int len)
8350 err = mbind(mmap_addr+pagesize*index, pagesize*len,
8351 MPOL_DEFAULT, NULL, 0, 0);
8353 perror("mbind "), exit(err);
8356 void Assert(char *expected, char *value, char *name, int line)
8358 if (strcmp(expected, value) == 0) {
8359 fprintf(stderr, "%s: passed\n", name);
8363 fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
8380 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
8385 file = popen(buf, "r");
8386 fread(retbuf, sizeof(retbuf), 1, file);
8387 Assert("2,4", retbuf, "case4", __LINE__);
8402 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
8407 file = popen(buf, "r");
8408 fread(retbuf, sizeof(retbuf), 1, file);
8409 Assert("4,2", retbuf, "case5", __LINE__);
8423 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
8429 file = popen(buf, "r");
8430 fread(retbuf, sizeof(retbuf), 1, file);
8431 Assert("6", retbuf, "case6", __LINE__);
8445 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
8448 mem_interleave(4, 2);
8451 file = popen(buf, "r");
8452 fread(retbuf, sizeof(retbuf), 1, file);
8453 Assert("4,2", retbuf, "case7", __LINE__);
8467 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
8470 mem_interleave(4, 2);
8471 mem_interleave(2, 2);
8473 file = popen(buf, "r");
8474 fread(retbuf, sizeof(retbuf), 1, file);
8475 Assert("2,4", retbuf, "case8", __LINE__);
8483 sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
8485 /* make redundant mappings [0][1234][34][7] */
8486 mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
8487 MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
8489 /* Expect to do nothing. */
8492 file = popen(buf, "r");
8493 fread(retbuf, sizeof(retbuf), 1, file);
8494 Assert("4,2", retbuf, "case_n", __LINE__);
8499 int main(int argc, char** argv)
8510 =============================================================
8512 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
8513 Acked-by: Johannes Weiner <hannes@cmpxchg.org>
8514 Cc: Minchan Kim <minchan.kim@gmail.com>
8515 Cc: Caspar Zhang <caspar@casparzhang.com>
8516 Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
8517 Cc: Christoph Lameter <cl@linux.com>
8518 Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
8519 Cc: Mel Gorman <mel@csn.ul.ie>
8520 Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
8521 Cc: <stable@vger.kernel.org> [3.1.x]
8522 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
8523 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8525 commit f3a1082005781777086df235049f8c0b7efe524e
8526 Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
8527 Date: Tue Dec 27 22:32:41 2011 -0500
8529 packet: fix possible dev refcnt leak when bind fail
8531 If bind fails when it is called after setting the PACKET_FANOUT
8532 sock option, the dev refcnt will leak.
8534 Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
8535 Signed-off-by: David S. Miller <davem@davemloft.net>
8537 commit 915f8b08dac68839dc7204ee81cf9852fda16d24
8538 Author: Haogang Chen <haogangchen@gmail.com>
8539 Date: Mon Dec 19 17:11:56 2011 -0800
8541 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
8543 There is a potential integer overflow in nilfs_ioctl_clean_segments().
8544 When a large argv[n].v_nmembs is passed from the userspace, the subsequent
8545 call to vmalloc() will allocate a buffer smaller than expected, which
8546 leads to out-of-bound access in nilfs_ioctl_move_blocks() and
8547 lfs_clean_segments().
8549 The following check does not prevent the overflow because nsegs is also
8550 controlled by the userspace and could be very large.
8552 if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
8555 This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
8556 returns -EINVAL on overflow.
8558 Signed-off-by: Haogang Chen <haogangchen@gmail.com>
8559 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
8560 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
8561 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8563 commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
8564 Author: Kautuk Consul <consul.kautuk@gmail.com>
8565 Date: Mon Dec 19 17:12:04 2011 -0800
8567 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
8569 Static storage is not required for the struct vmap_area in
8572 Removing "static" to store this variable on the stack instead.
8574 Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
8575 Acked-by: David Rientjes <rientjes@google.com>
8576 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
8577 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8579 commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
8580 Author: Michel Lespinasse <walken@google.com>
8581 Date: Mon Dec 19 17:12:06 2011 -0800
8583 binary_sysctl(): fix memory leak
8585 binary_sysctl() calls sysctl_getname() which allocates from names_cache
8586 slab using __getname()
8588 The matching function to free the name is __putname(), and not putname()
8589 which should be used only to match getname() allocations.
8591 This is because when auditing is enabled, putname() calls audit_putname
8592 *instead* (not in addition) to __putname(). Then, if a syscall is in
8593 progress, audit_putname does not release the name - instead, it expects
8594 the name to get released when the syscall completes, but that will happen
8595 only if audit_getname() was called previously, i.e. if the name was
8596 allocated with getname() rather than the naked __getname(). So,
8597 __getname() followed by putname() ends up leaking memory.
8599 Signed-off-by: Michel Lespinasse <walken@google.com>
8600 Acked-by: Al Viro <viro@zeniv.linux.org.uk>
8601 Cc: Christoph Hellwig <hch@infradead.org>
8602 Cc: Eric Paris <eparis@redhat.com>
8603 Cc: <stable@vger.kernel.org>
8604 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
8605 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
8607 commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
8608 Author: Sean Hefty <sean.hefty@intel.com>
8609 Date: Tue Dec 6 21:17:11 2011 +0000
8611 RDMA/cma: Verify private data length
8613 private_data_len is defined as a u8. If the user specifies a large
8614 private_data size (> 220 bytes), we will calculate a total length that
8615 exceeds 255, resulting in private_data_len wrapping back to 0. This
8616 can lead to overwriting random kernel memory. Avoid this by verifying
8617 that the resulting size fits into a u8.
8619 Reported-by: B. Thery <benjamin.thery@bull.net>
8620 Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
8621 Signed-off-by: Sean Hefty <sean.hefty@intel.com>
8622 Signed-off-by: Roland Dreier <roland@purestorage.com>
8624 commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
8625 Author: Xi Wang <xi.wang@gmail.com>
8626 Date: Sun Dec 11 23:40:56 2011 -0800
8628 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
8630 The error check (intr_status < 0) didn't work because intr_status is
8631 a u8. Change its type to signed int.
8633 Signed-off-by: Xi Wang <xi.wang@gmail.com>
8634 Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
8636 commit e27f34e383d7863b2528a63b81b23db09781f6b6
8637 Author: Xi Wang <xi.wang@gmail.com>
8638 Date: Fri Dec 16 12:44:15 2011 +0000
8640 sctp: fix incorrect overflow check on autoclose
8642 Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
8643 limiting the autoclose value. If userspace passes in -1 on 32-bit
8644 platform, the overflow check didn't work and autoclose would be set
8647 This patch defines a max_autoclose (in seconds) for limiting the value
8648 and exposes it through sysctl, with the following intentions.
8650 1) Avoid overflowing autoclose * HZ.
8652 2) Keep the default autoclose bound consistent across 32- and 64-bit
8653 platforms (INT_MAX / HZ in this patch).
8655 3) Keep the autoclose value consistent between setsockopt() and
8658 Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
8659 Signed-off-by: Xi Wang <xi.wang@gmail.com>
8660 Signed-off-by: David S. Miller <davem@davemloft.net>
8662 commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
8663 Author: Xi Wang <xi.wang@gmail.com>
8664 Date: Wed Dec 21 05:18:33 2011 -0500
8666 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
8668 Commit e133e737 didn't correctly fix the integer overflow issue.
8670 - unsigned int required_size;
8671 + u64 required_size;
8673 required_size = mode_cmd->pitch * mode_cmd->height;
8674 - if (unlikely(required_size > dev_priv->vram_size)) {
8675 + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
8677 Note that both pitch and height are u32. Their product is still u32 and
8678 would overflow before being assigned to required_size. A correct way is
8679 to convert pitch and height to u64 before the multiplication.
8681 required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
8683 This patch calls the existing vmw_kms_validate_mode_vram() for
8686 Signed-off-by: Xi Wang <xi.wang@gmail.com>
8687 Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
8688 Signed-off-by: Dave Airlie <airlied@redhat.com>
8692 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
8694 commit eb8f0bd01fb994c9abc77dc84729794cd841753d
8695 Author: Xi Wang <xi.wang@gmail.com>
8696 Date: Thu Dec 22 13:35:22 2011 +0000
8698 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
8700 Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
8701 cause a kernel oops due to insufficient bounds checking.
8703 if (count > 1<<30) {
8704 /* Enforce a limit to prevent overflow */
8707 count = roundup_pow_of_two(count);
8708 table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
8710 Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
8712 ... + (count * sizeof(struct rps_dev_flow))
8714 where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
8717 This patch replaces the magic number (1 << 30) with a symbolic bound.
8719 Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
8720 Signed-off-by: Xi Wang <xi.wang@gmail.com>
8721 Signed-off-by: David S. Miller <davem@davemloft.net>
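Added example, not code from any commit in this log: the nilfs2, vmwgfx and rps size-computation fixes above, modelled in user-space C with `uint32_t` standing in for a 32-bit `unsigned int`. All function names, `FLOW_HDR_SIZE` and the derived rps bound are assumptions of this example; only the element size of 8 and the `1 << 30` limit come from the commit messages.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Every size is uint32_t so the 32-bit wrap described in the commit
 * messages also reproduces on a 64-bit build host. */

/* --- nilfs2: element count times element size --- */

/* Unchecked product, the way an allocation size would be computed. */
uint32_t buf_len_unchecked(uint32_t nmembs, uint32_t size)
{
    return nmembs * size;                      /* wraps modulo 2^32 */
}

/* Clamp nmembs to UINT_MAX / size before multiplying. The size == 0
 * guard is an addition of this example to keep the division defined. */
int buf_len_checked(uint32_t nmembs, uint32_t size, uint32_t *len)
{
    if (size == 0 || nmembs > UINT32_MAX / size)
        return -EINVAL;
    *len = nmembs * size;
    return 0;
}

/* --- vmwgfx: widening after the multiplication is too late --- */

uint64_t fb_size_late_widen(uint32_t pitch, uint32_t height)
{
    uint64_t required_size = pitch * height;   /* product is still u32 */
    return required_size;
}

uint64_t fb_size_widen_first(uint32_t pitch, uint32_t height)
{
    return (uint64_t)pitch * (uint64_t)height; /* 64-bit multiplication */
}

bool fb_fits(uint64_t required_size, uint32_t vram_size)
{
    return required_size <= (uint64_t)vram_size;
}

/* --- rps: a limit that is itself too large for the multiplication --- */

#define FLOW_HDR_SIZE   16u  /* hypothetical stand-in for the elided "..." */
#define FLOW_ENTRY_SIZE 8u   /* sizeof(struct rps_dev_flow) per the message */

uint32_t flow_table_size(uint32_t count)
{
    return FLOW_HDR_SIZE + count * FLOW_ENTRY_SIZE;
}

/* The quoted check: rejects only count > 1 << 30. */
bool flow_count_ok_magic(uint32_t count)
{
    return count <= (1u << 30);
}

/* Bound derived from the size expression itself (this example's choice). */
bool flow_count_ok_derived(uint32_t count)
{
    return count <= (UINT32_MAX - FLOW_HDR_SIZE) / FLOW_ENTRY_SIZE;
}

int main(void)
{
    uint32_t len = 0;

    printf("nilfs2: unchecked len=%u, checked rc=%d\n",
           (unsigned)buf_len_unchecked(0x20000001u, 8),
           buf_len_checked(0x20000001u, 8, &len));
    printf("vmwgfx: late widen=%llu, widen first=%llu\n",
           (unsigned long long)fb_size_late_widen(0x10000u, 0x10000u),
           (unsigned long long)fb_size_widen_first(0x10000u, 0x10000u));
    printf("rps: count=1<<30 magic ok=%d, table size=%u, derived ok=%d\n",
           flow_count_ok_magic(1u << 30),
           (unsigned)flow_table_size(1u << 30),
           flow_count_ok_derived(1u << 30));
    return 0;
}
```

In each pair the first function accepts an input whose computed size is far smaller than the data that would later be written into the buffer, which is the out-of-bounds condition the commit messages describe.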
8723 commit 648188958672024b616c42c1f6c98c8cfc85619d
8724 Author: Xi Wang <xi.wang@gmail.com>
8725 Date: Fri Dec 30 10:40:17 2011 -0500
8727 netfilter: ctnetlink: fix timeout calculation
8729 The sanity check (timeout < 0) never works; the dividend is unsigned
8730 and so is the division, which should have been a signed division.
8732 long timeout = (ct->timeout.expires - jiffies) / HZ;
8736 This patch converts the time values to signed for the division.
8738 Signed-off-by: Xi Wang <xi.wang@gmail.com>
8739 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
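Added example, not code from any commit in this log: the three signedness fixes above (audit_log_execve_info, cma3000_thread_irq, ctnetlink timeout) reduced to user-space C, each as a before/after pair. The helper functions, their return values and `TICK_HZ` are constructed for this example, and the ctnetlink case uses 32-bit types in place of `long` so the result is the same on any build host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for audit_log_single_execve_arg(): returns the
 * number of bytes consumed, or -1 on error (here: argument index 2). */
static int consume_arg(int i)
{
    return i == 2 ? -1 : 10;
}

/* audit, before: -1 stored in a size_t becomes SIZE_MAX, so (len <= 0)
 * is false and the running offset wraps on (p += len). */
int walk_args_size_t(int nargs, size_t *end)
{
    size_t len, p = 0;

    for (int i = 0; i < nargs; i++) {
        len = consume_arg(i);
        if (len <= 0)
            return -1;
        p += len;
    }
    *end = p;
    return 0;
}

/* audit, after: a signed len makes the error branch reachable. */
int walk_args_int(int nargs, size_t *end)
{
    int len;
    size_t p = 0;

    for (int i = 0; i < nargs; i++) {
        len = consume_arg(i);
        if (len <= 0)
            return -1;
        p += len;
    }
    *end = p;
    return 0;
}

/* Constructed stand-in for a register read that can fail with a
 * negative error code. */
static int read_status(bool fail)
{
    return fail ? -5 : 0x40;
}

/* cma3000, before: a u8 can never be negative, the check is dead code. */
bool irq_error_seen_u8(bool fail)
{
    uint8_t intr_status = read_status(fail);   /* -5 becomes 251 */
    return intr_status < 0;
}

/* cma3000, after: signed int keeps the error code intact. */
bool irq_error_seen_int(bool fail)
{
    int intr_status = read_status(fail);
    return intr_status < 0;
}

#define TICK_HZ 100   /* constructed tick rate */

/* ctnetlink, before: the subtraction and division are unsigned, so an
 * already expired timer yields a large positive number of seconds. */
int32_t timeout_unsigned_div(uint32_t expires, uint32_t jiffies)
{
    return (expires - jiffies) / TICK_HZ;
}

/* ctnetlink, after: convert to signed first, then divide. */
int32_t timeout_signed_div(uint32_t expires, uint32_t jiffies)
{
    return ((int32_t)expires - (int32_t)jiffies) / TICK_HZ;
}

int main(void)
{
    size_t end = 0;
    int rc = walk_args_size_t(3, &end);

    printf("audit: size_t rc=%d end=%zu, int rc=%d\n",
           rc, end, walk_args_int(3, &end));
    printf("cma3000: u8 sees error=%d, int sees error=%d\n",
           irq_error_seen_u8(true), irq_error_seen_int(true));
    printf("ctnetlink: unsigned=%d, signed=%d\n",
           (int)timeout_unsigned_div(1000, 1500),
           (int)timeout_signed_div(1000, 1500));
    return 0;
}
```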
8741 commit ab03a0973cee73f88655ff4981812ad316a6cd59
8742 Merge: 76f82df 7bdddeb
8743 Author: Brad Spengler <spender@grsecurity.net>
8744 Date: Tue Jan 3 17:42:50 2012 -0500
8746 Merge branch 'pax-test' into grsec-test
8748 commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
8749 Merge: 3e59cb5 55cc81a
8750 Author: Brad Spengler <spender@grsecurity.net>
8751 Date: Tue Jan 3 17:42:36 2012 -0500
8753 Merge branch 'linux-3.1.y' into pax-test
8755 commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
8756 Author: Brad Spengler <spender@grsecurity.net>
8757 Date: Thu Dec 22 20:15:02 2011 -0500
8759 Only further restrict futex targeting another process -- our modified
8760 permission check also happened to allow a case where a process retaining
8761 uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
8762 being non-zero (reported on forums by ben_w)
8764 commit 6b235a4450a5fea41663ec35fa0608988b6078c6
8765 Merge: 97c16f0 3e59cb5
8766 Author: Brad Spengler <spender@grsecurity.net>
8767 Date: Thu Dec 22 19:11:06 2011 -0500
8769 Merge branch 'pax-test' into grsec-test
8774 commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
8775 Merge: 285eb4e c26f60b
8776 Author: Brad Spengler <spender@grsecurity.net>
8777 Date: Thu Dec 22 19:09:57 2011 -0500
8779 Merge branch 'linux-3.1.y' into pax-test
8782 arch/x86/kernel/process.c
8784 commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
8785 Author: Brad Spengler <spender@grsecurity.net>
8786 Date: Mon Dec 19 21:54:01 2011 -0500
8788 Add new option: "Enforce consistent multithreaded privileges"
8790 commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
8791 Author: Brad Spengler <spender@grsecurity.net>
8792 Date: Wed Dec 7 19:58:31 2011 -0500
8794 Remove harmless duplicate code -- exec_file would be null already so the
8795 second check would never pass.
8797 commit 4e3304e94aa72737810bc50169519af157dce4ce
8798 Author: Brad Spengler <spender@grsecurity.net>
8799 Date: Wed Dec 7 19:50:39 2011 -0500
8801 Revert back to (possibly?) undocumented /proc/pid behavior that gdb
8802 depended on for attaching to a thread. Entries exist in /proc for
8803 threads, but are not visible in a readdir.
8805 commit 1bd899335f23815cfe8deac44c6b346398f3b95e
8806 Author: Brad Spengler <spender@grsecurity.net>
8807 Date: Sun Dec 4 18:03:28 2011 -0500
8809 Put the already-walked path if in RCU-walk mode
8811 commit ec7ae36b7159f10649709779443a988662965d66
8812 Author: Brad Spengler <spender@grsecurity.net>
8813 Date: Sun Dec 4 17:35:21 2011 -0500
8815 Fix memory leak introduced by recent (unpublished) commit
8816 75ab998b94a29d464518d6d501bdde3fbfcbfa14
8818 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
8819 Author: Brad Spengler <spender@grsecurity.net>
8820 Date: Sun Dec 4 13:56:10 2011 -0500
8822 Explicitly check size copied to userland in override_release to silence gcc
8824 commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
8825 Author: Brad Spengler <spender@grsecurity.net>
8826 Date: Sun Dec 4 13:54:02 2011 -0500
8828 Initialize variable to silence erroneous gcc warning
8830 commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
8831 Author: Brad Spengler <spender@grsecurity.net>
8832 Date: Sun Dec 4 13:47:47 2011 -0500
8834 Future-proof other potential RCU-aware locations where we can log.
8836 commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
8837 Author: Brad Spengler <spender@grsecurity.net>
8838 Date: Sun Dec 4 13:02:54 2011 -0500
8840 Fix freeze reported by 'vs' on the forums. Bug occurred due to
8841 MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
8842 in generic_permission() was in the task's effective set but disallowed by
8843 RBAC, would block when acquiring locks resulting in the freeze.
8845 Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
8846 as being required when CAP_DAC_OVERRIDE is present (consistent with
8849 commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
8850 Author: Xi Wang <xi.wang@gmail.com>
8851 Date: Tue Nov 29 09:26:30 2011 +0000
8853 sctp: better integer overflow check in sctp_auth_create_key()
8855 The check from commit 30c2235c is incomplete and cannot prevent
8856 cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
8857 left-hand side of the check (INT_MAX - key_len), which is unsigned,
8858 becomes 0xffffffff (UINT_MAX) and bypasses the check.
8860 However this shouldn't be a security issue. The function is called
8861 from the following two code paths:
8865 2) sctp_auth_asoc_set_secret()
8867 In case (1), sca_keylength is never going to exceed 65535 since it's
8868 bounded by a u16 from the user API. As such, the key length will
8871 In case (2), sca_keylength is computed based on the user key (1 short)
8872 and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
8875 In other words, this overflow check is not really necessary. Just
8876 make it more correct.
8878 Signed-off-by: Xi Wang <xi.wang@gmail.com>
8879 Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
8880 Signed-off-by: David S. Miller <davem@davemloft.net>
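The unsigned wrap described in the sctp commit message above, as an added C example (not code from the commit or the kernel). `HDR_SIZE`, the function names and the sample lengths are assumptions made for illustration, and the two checks are modelled from the message's description of the left-hand side `INT_MAX - key_len`.

```c
#include <limits.h>
#include <stdio.h>

/* Assumption: stands in for the fixed-size header allocated in front of the
 * key bytes; the changelog does not give the real size. */
#define HDR_SIZE 8u

/* Left-hand side of the incomplete check. key_len is unsigned, so INT_MAX is
 * converted to unsigned and the subtraction wraps instead of going negative
 * (assumes 32-bit int, as on Linux targets). */
static unsigned int old_lhs(unsigned int key_len)
{
    return INT_MAX - key_len;
}

/* Incomplete form: 1 = length accepted, 0 = rejected. */
static int old_check_accepts(unsigned int key_len)
{
    return !(old_lhs(key_len) < HDR_SIZE);
}

/* Rearranged form: key_len is compared against a bound that cannot wrap. */
static int new_check_accepts(unsigned int key_len)
{
    return !(key_len > INT_MAX - HDR_SIZE);
}

int main(void)
{
    /* Constructed sample lengths: the two bounds the message names for the
     * real callers, a value just under INT_MAX, and two values above it. */
    const unsigned int samples[] = {
        65535u, 7u * 65535u, (unsigned int)INT_MAX - 4u,
        0x80000000u, UINT_MAX,
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("key_len=0x%08x lhs=0x%08x old=%s new=%s\n",
               samples[i], old_lhs(samples[i]),
               old_check_accepts(samples[i]) ? "accept" : "reject",
               new_check_accepts(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Both forms agree for every length up to `INT_MAX`; they differ only above it, which the message says neither caller can reach.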
8882 commit e565e28c3635a1d50f80541fbf6b606d742fec76
8883 Author: Josh Boyer <jwboyer@redhat.com>
8884 Date: Fri Aug 19 14:50:26 2011 -0400
8886 fs/minix: Verify bitmap block counts before mounting
8888 Newer versions of MINIX can create filesystems that allocate an extra
8889 bitmap block. Mounting of this succeeds, but doing a statfs call will
8890 result in an oops in count_free because of a negative number being used
8893 Avoid this by verifying the number of allocated blocks at mount time,
8894 erroring out if there are not enough and make statfs ignore the extras
8895 if there are too many.
8897 This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
8899 Signed-off-by: Josh Boyer <jwboyer@redhat.com>
8900 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
8902 commit 6e134e398ec1a3f428261680e83df4319e64bed9
8903 Author: Julia Lawall <julia@diku.dk>
8904 Date: Tue Nov 15 14:53:11 2011 -0800
8906 drivers/gpu/vga/vgaarb.c: add missing kfree
8908 kbuf is a buffer that is local to this function, so all of the error paths
8909 leaving the function should release it.
8911 Signed-off-by: Julia Lawall <julia@diku.dk>
8912 Cc: Jesper Juhl <jj@chaosbits.net>
8913 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
8914 Signed-off-by: Dave Airlie <airlied@redhat.com>
8916 commit 2b9057b321e36860e8d63985b5c4e496f254b717
8917 Author: Brad Spengler <spender@grsecurity.net>
8918 Date: Sat Dec 3 21:33:28 2011 -0500
8920 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
8922 commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
8923 Author: Brad Spengler <spender@grsecurity.net>
8924 Date: Sat Dec 3 21:29:37 2011 -0500
8926 Import pax-linux-3.1.4-test18.patch
8928 commit 285eb4ea45d853ae00426b3315a61c1368080dad
8929 Author: Brad Spengler <spender@grsecurity.net>
8930 Date: Sat Dec 10 18:33:46 2011 -0500
8932 Import changes from pax-linux-3.1.5-test20.patch
8934 commit a6bda918fc90ec1d5c387e978d147ad2044153f1
8935 Author: Brad Spengler <spender@grsecurity.net>
8936 Date: Thu Dec 8 20:55:54 2011 -0500
8938 Import changes from pax-linux-3.1.4-test19.patch
8940 commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
8941 Author: Brad Spengler <spender@grsecurity.net>
8942 Date: Sat Dec 3 21:29:37 2011 -0500
8944 Import pax-linux-3.1.4-test18.patch